ALERTS PHISHING
DATE | NAME | CATEGORY | SUBCATEGORY | INFO |
1.11.24 | Phishing Campaign Distributing XWorm RAT | ALERTS | PHISHING | Researchers have recently uncovered a malicious campaign spreading the XWorm RAT trojan via fake emails posing as official communications from Namirial, a software and service company. The emails prompt users to open a password-protected PDF and, if that fails, direct them to a Dropbox link that downloads a ZIP file containing a URL that connects to the attacker's servers and downloads additional malicious scripts, enabling control over the victim's machine. |
27.10.24 | Phishing Campaign Delivering Wiper Malware | ALERTS | PHISHING | A recent campaign was observed by researchers in which threat actors targeted Israeli organizations by impersonating a certain antivirus vendor and sending phishing emails warning of state-backed threats. The emails include a link to a fake program that downloads a malware called Wiper, designed to erase data. |
27.10.24 | Phishing attack aims at Meta Ads Professionals with Quasar RAT | ALERTS | PHISHING | A malware campaign targeting job seekers and digital marketing professionals has been reported. The campaign specifically focuses on Meta Ads professionals and is believed to be driven by a Vietnamese Threat Actor. The attack chain begins with a phishing email containing an archive attachment that disguises a malicious LNK file as a PDF. When opened, the LNK file triggers PowerShell commands that lead to the download and execution of additional scripts, ultimately resulting in the delivery of the Quasar RAT payload. This gives attackers full control over the compromised system for activities such as data theft, surveillance and distributing more malware. The malware possesses anti-VM and anti-debug capabilities and establishes persistence by hiding in system directories. |
27.10.24 | Attackers still using SHTML files to target recipients with phishing | ALERTS | PHISHING | Symantec has recently observed a new phishing campaign using attached SHTML files disguised as import or payment forms. The messages attempt to entice users to open the attached files to resolve import or billing issues. If the recipient opens the form, they are greeted with a fake 'DHL' login page that exfiltrates the entered credentials to a private Telegram channel for the attacker to use later. |
13.9.24 | New Phishing Campaign Exploiting CapCut | ALERTS | PHISHING | CapCut, a popular video editor, is being exploited in phishing attacks. The latest campaign involves a malicious package that includes a legitimate CapCut app, the JamPlus build utility, and a harmful ".lua" script. Running the app triggers JamPlus to execute the script, which then downloads and runs a final payload from a remote server. |
31.8.24 | Phishing campaign targets Japan Labor Union Workers | ALERTS | PHISHING | A phishing campaign targeting Japanese workers affiliated with labor unions has been observed. The e-crime actor is impersonating 労働金庫 (Rōdō Kinko), commonly known as Rokin, and the 全国労働金庫協会 (National Association of Labour Banks or Zenkoku Rōdō Kinko Kyōkai), which are part of Japan's unique financial system designed to serve the financial needs of workers. The email (subject:【労働金庫】【要返信】お客様の直近の取引における重要な確認について) warns about suspicious transactions and urges the recipient to verify their account via fraudulent links – an attempt designed to steal personal information. |
29.8.24 | US voters targeted in phishing campaign | ALERTS | PHISHING | With the US Presidential Election just a few months away and the press reporting allegations of cyber intrusions affecting the campaigns, we reviewed new domains registered between 1 May and 12 August 2024 containing strings "harris", "walz", or "trump" in the domain. Domains with "vance" in them were excluded due to that string being found in many English words and domains unrelated to the election. Our research revealed 216 domains with phishing behavior and 66 domains hosting malicious content that are likely related to the Democratic or Republican candidates. |
23.8.24 | Toll Road Smishing Scams Increasingly Target U.S. Drivers | ALERTS | PHISHING | The U.S. has an extensive network of toll roads, bridges, and tunnels, and toll services are used to fund the maintenance and development of infrastructure without relying solely on state and federal taxes. |
16.8.24 | Phishing Attack Delivers 0bj3ctivity Stealer via Discord CDN | ALERTS | PHISHING | A phishing attack has been reported involving the 0bj3ctivity Stealer, facilitated by the Ande Loader. The attack uses a Discord CDN link containing a malicious JavaScript file with an embedded PowerShell script to deploy additional payloads. The Ande Loader is used for both initial infection and persistence. The stealer exfiltrates sensitive data from browsers to either Telegram or a C2 server and includes anti-debug and anti-VM capabilities. |
16.8.24 | Phishers targeting users in South Korea with tax receipts | ALERTS | PHISHING | Symantec has observed a phishing campaign targeting users in South Korea. The attack attempts to impersonate major accounting firms sending tax receipts/invoices in order to lure recipients into opening the attachment. The attachment, likely in a bid to fool intended victims, also shares a name with the National Tax Service in South Korea: 'NTS_eTaxInvoice.html'. |
9.8.24 | Phish emails impersonate UK's Health and Safety Executive (HSE) to lure email users | ALERTS | PHISHING | The Health and Safety Executive (HSE) is a British public provider of health and safety solutions to various professionals and organizations. Lately, Symantec has observed phish runs that impersonate Health and Safety Executive (HSE) guidelines, especially the strategy outlined for 2022-2032, to steal credentials. |
7.8.24 | XDSpy phishing campaign targets organizations in Russia and Moldova | ALERTS | PHISHING | A phishing malware campaign by a threat actor dubbed XDSpy has been reported targeting organizations in Russia and Moldova. The attack chains typically use spear-phishing emails with archive attachments containing agreement-related lures to deploy a primary malware module called XDDown. |
2.8.24 | Phishing Campaign: Malicious HTML attachment mimics OneDrive to deploy malware scripts | ALERTS | PHISHING | A new phishing campaign using image files that mimic a Microsoft OneDrive page has been reported. Users are targeted through phishing emails with HTML attachments. When these attachments are opened, they display an image resembling a OneDrive page and show an error indicating a connection issue with the OneDrive cloud service. |
27.7.24 | Phishing campaign targeted at users in India attributed to the Smishing Triad group | ALERTS | PHISHING | Fortinet researchers reported on a recent phishing operation targeting mobile users in India. The attack has been attributed to a threat group known as the Smishing Triad, previously known to target various countries across the world with similar smishing runs. |
24.7.24 | Protection Highlight: ScriptNN | ALERTS | PHISHING | Phishing is an all-too-common type of social engineering attack that attempts to steal user data by sending fraudulent communications, usually via email or SMS, which appear to come from a legitimate source. Phishing is predominantly employed at the first stage in a malware attack, whether the ultimate objective is reconnaissance or compromise. |
19.7.24 | Phishing malware campaign targeting Ukrainian Government entities linked to Russian Threat Actor UNC4814 | ALERTS | PHISHING | Symantec has observed a phishing malware campaign targeting government entities in Ukraine. Based on the attack vector and behavior, Symantec believes UNC4814, a suspected Russian threat actor, is responsible for the campaign. The threat actor initiates attacks by sending phishing emails with HTA files attached, masquerading as bills and payment notifications. |
28.6.24 | Latrodectus malware campaign: Phishing with Firebase URLs and remote access tactics | ALERTS | PHISHING | Latrodectus is a popular loader utilized by threat actors to download payloads and execute arbitrary commands. Phishing emails are the most common attack vector for distributing the Latrodectus malware. |
26.6.24 | Fake Employee evaluation reports from Human Resources (HR) appear in new phish run | ALERTS | PHISHING | Threat actors continue masquerading as members of the Human Resources (HR) department in efforts to spread a new wave of phish emails. In a recent phishing run observed by Symantec, emails containing phishing URLs and disguised as "Employee evaluation" reports are sent to the targeted recipients. The email subjects contain the "Important" keyword, a common technique to lure the recipient into opening the email, while the body of the email contains a description of the key highlights included in the evaluation report. In order to access the evaluation report, the recipient needs to click on the phishing URL, which is designed to steal credentials. |
12.6.24 | Protection Highlight: Phishers Ramp Up Exploitation of Telegram Bot API | ALERTS | PHISHING | Over the past few months, more and more phishing actors using malicious HTML have been following in the footsteps of infostealers and RATs, and are now also abusing the Telegram Bot API to harvest users' credentials and other sensitive information such as credit card details. Activities are being observed worldwide and these can cause significant financial losses, operational disruptions, and reputational damage for enterprises. Attackers use stolen credentials for account takeovers, identity/financial theft, and additional attacks, often selling stolen data on the dark web. |
30.5.24 | Fraudulent PDF Viewer Login Pages Phishing for User Credentials | ALERTS | PHISHING | A phishing campaign was recently observed where a malicious HTML attachment masquerading as a PDF Viewer login page prompts users to verify their password to access a document. Meanwhile, hidden in the background, a malicious JavaScript will attempt to steal the victim's credentials. |
28.5.24 | Phishing campaign targeting financial institutions impersonates medical center | ALERTS | PHISHING | A phishing campaign targeting European and US financial institutions has been reported. The attacks involve sending emails impersonating a medical center, with SCR files disguised as financial documents to trick victims into downloading and executing them. These files contain code from a Python clone of the Minesweeper game, along with malicious Python code that downloads additional scripts from a remote source. The scripts are then used to extract and run a legitimate remote computer management program called SuperOps RMM which provides unauthorized remote access to victims' computers. |
22.5.24 | Smishing: Fake IRS Scare Tactic to Snatch Cryptowallets' 12-Word Recovery Phrases | ALERTS | PHISHING | Symantec has recently observed a malicious SMS campaign in the US targeting mobile users' cryptowallet 12-word recovery phrases. The actors are impersonating the IRS and using a scare tactic related to cryptocurrency holdings declaration. |
8.4.24 | New phishing run spoofs International Card Services (ICS) | ALERTS | PHISHING | Symantec has observed a new wave of phish runs spoofing International Card Services BV to steal credentials. In this run, threat actors have not hyperlinked the phishing URL but included it in plain text along with the email content. As the call to action in this phishing run, the email recipients are asked to validate their email address. Interestingly, for this supposed email validation process, the victims are required to copy and paste the actual phishing URL into the browser or type it manually. The victims are served with credential harvesting webpages once the phishing URL opens in the web browser. |
8.4.24 | Spoofed Adobe Creative Cloud email notifications appear in phish runs | ALERTS | PHISHING | Adobe Creative Cloud provides a collection of applications for graphic design, video editing, web development, photography and more. Lately, Symantec has observed phishing runs that impersonate Adobe Creative Cloud and entice users to open fake notification emails. The email body content is kept short and mentions a pending document stored in the cloud. These phish emails attempt to lure users to open and click on phish URLs. Upon clicking on the phish URLs presented in the email content, the victims are served with credential harvesting webpages. |
8.4.24 | Truist Bank users targeted with new phishing emails | ALERTS | PHISHING | Truist Bank is one of the top U.S. commercial banks, headquartered in Charlotte, North Carolina. Recently, Symantec has observed a new wave of phish runs spoofing Truist Bank services with fake account notifications. The email content mentions a "temporary hold" placed on the account that can be lifted after a proper verification is completed. It entices the user to click on the "Verify now" phish URL, which is designed to steal credentials. |
8.4.24 | New phishing run spoofs Mexican Postal Service (Correos de Mexico) | ALERTS | PHISHING | Symantec has observed a new wave of phish runs spoofing the Mexican Postal Service (Correos de Mexico) to steal credentials. The email content is kept specific and mentions an undelivered package. The reason for not delivering the package is stated as "failure to pay custom duties". |
8.4.24 | "No One Was Home" themed Evri phishing emails are making the rounds | ALERTS | PHISHING | Evri is a parcel delivery company based in the United Kingdom. As the holiday season has started, spoofed emails masquerading as Evri parcel notifications have been observed. These emails entice users to click phishing URLs in order to reschedule the delivery because "no one was home". The phishing URLs are constructed using hijacked domains with the sole purpose of stealing credentials. |