phishing campaign Archives

Winsage

May 22, 2025

Microsoft says 394,000 Windows computers infected by Lumma malware

Microsoft announced the dismantling of the Lumma Stealer malware project in collaboration with global law enforcement. Over 394,000 Windows computers were identified as infected by Lumma between March 16 and May 16. The malware is known for stealing sensitive information such as passwords and credit card details. Microsoft, with a court order, dismantled the web domains supporting Lumma's infrastructure, while the U.S. Department of Justice took control of its central command structure. More than 1,300 domains were seized or transferred to Microsoft, with 300 acted upon by law enforcement and Europol. Other tech firms like Cloudflare and Lumen assisted in this effort. Since 2022, hackers have been acquiring Lumma through underground forums, and it has been used in phishing campaigns and attacks on various sectors, including gaming, education, and critical infrastructure.

AppWizard

April 24, 2025

Trojanized Alpine Quest app geolocates Russian soldiers

Russian soldiers are facing a digital threat from a modified Android application, Alpine Quest, which has been tampered with to track their locations and extract sensitive information. The malware, known as Android.Spy.1292.origin, was embedded in an older version of the app and distributed as a free upgrade to Alpine Quest Pro via a fraudulent Telegram channel. Once installed, the trojan collects various types of information, including geolocation, downloaded files, phone numbers, and app versions, and can download additional modules to exfiltrate specific files. Additionally, researchers at Kaspersky discovered a backdoor hidden in counterfeit software updates for ViPNet, a secure networking suite. The malware, disguised as msinfo32.exe, connects to a command-and-control server to steal files and deploy more malicious components. On the Ukrainian side, Russian operatives are conducting a phishing campaign targeting Ukrainian officials and allies, using social engineering tactics to hijack Microsoft 365 accounts. Attackers contact victims via messaging apps, invite them to video calls, and trick them into providing OAuth codes, granting access to their accounts.

Winsage

December 17, 2024

Hackers Exploit Microsoft Management Console to Drop Backdoor Payloads on Windows

The Securonix Threat Research team has identified a phishing campaign called the “FLUX#CONSOLE campaign,” which targets tax-related themes using Microsoft Common Console Document (MSC) files to deliver a backdoor payload. The attack begins with a phishing email containing a decoy PDF titled “Income-Tax-Deduction-and-Rebates202441712.pdf,” which conceals an MSC file that executes malicious payloads. The campaign employs various tactics, including tax-themed lures, exploitation of MSC files, DLL sideloading using DISM.exe, persistence through scheduled tasks, and advanced obfuscation techniques. The attack chain involves tricking users into opening a malicious MSC file disguised as a PDF, which contains XML commands to download or extract a malicious DLL named DismCore.dll. The DLL is sideloaded using Dism.exe, and the malware communicates with a Command-and-Control server at “hxxps://siasat[.]top,” exfiltrating data via encrypted HTTPS traffic. The attackers maintained access for about 24 hours, targeting victims in Pakistan. The tactics used do not align with known advanced persistent threat groups, highlighting the growing threat of MSC files as a delivery method for malware. Indicators of Compromise (IOCs) include the C2 address siasat[.]top and analyzed file hashes for the malicious files involved in the campaign.

Tech Optimizer

December 16, 2024

Novel phishing campaign uses corrupted Word documents to evade security

A recent phishing campaign exploits Microsoft’s Word file recovery feature by sending corrupted Word documents as email attachments, which can bypass conventional security measures. Identified by the malware hunting firm Any.Run, these documents appear to be legitimate communications from payroll and human resources, featuring themes related to employee benefits and bonuses. The filenames of the attachments include variations such as "AnnualBenefits&Bonusfor[name]IyNURVhUTlVNUkFORE9NNDUjIw.docx" and "Due&Paymentfor[name]IyNURVhUTlVNUkFORE9NNDUjIw_.docx.bin." Each document contains a base64 encoded string that decodes to "##TEXTNUMRANDOM45##." When opened, Microsoft Word prompts the user about unreadable content and offers recovery options. Upon recovery, users are instructed to scan a QR code, which leads to a phishing site mimicking a Microsoft login page to harvest credentials. These documents often feature company logos to enhance credibility and have been successful due to their ability to evade detection by security solutions, with many returning "clean" results on VirusTotal. Users are advised to exercise caution with unknown emails and verify attachments' legitimacy.

Tech Optimizer

December 7, 2024

Eset Premium review: 2024 improvements aren’t enough

Eset Premium is a cybersecurity solution launched in 2024, noted for its speed and effectiveness as an antivirus. It offers excellent malware protection, flexible plans for multiple devices, a quick installation process, and live chat support available 11 hours on weekdays. However, it has a poor track record prior to 2024, relatively high pricing, and issues with chatbot errors regarding live agent availability. Eset Premium supports multiple platforms including Windows, macOS, Linux, iOS, and Android, and offers three subscription tiers: Essential, Premium, and Ultimate, with varying features and pricing. The Essential plan provides real-time malware protection, while the Premium tier adds a password manager and ransomware protection. The Ultimate plan includes additional features like an unlimited VPN and dark web monitoring. The installation process is user-friendly, allowing for customization and an initial scan for malware. Eset Premium's design is clean, but the options can be overwhelming. Independent tests show strong performance in 2024, but the software had a weak track record in previous years, earning only a single star in real-time malware protection tests conducted in mid-2023. Eset provides 24/7 technical support through an AI chatbot, with live chat support available during business hours. The company assures users that their data is used solely for service provision, although there was a reported breach involving a partner company that targeted Eset customers.

Tech Optimizer

December 4, 2024

How hackers are using corrupted Microsoft Office files to fool everyone

Corrupted Microsoft Office documents and ZIP files are being used in a phishing campaign that evades antivirus detection, as reported by cybersecurity firm ANY.RUN. This tactic, active since at least August 2024, involves corrupting files to bypass email security protocols while allowing harmful content recovery. The documents are designed to avoid detection by email filters and antivirus software, using QR codes to direct users to fake Microsoft account login pages. Analysis shows these attachments often do not trigger alerts on VirusTotal, as they exploit Microsoft Word and WinRAR's recovery features. This method is categorized as a potential zero-day exploit, aiming to deceive users into opening the files and activating the QR codes for credential harvesting or malware delivery. Security experts stress the importance of user awareness and training to identify phishing attempts, while organizations are enhancing email filtering to detect file corruption patterns. The rise of QR code phishing, or "quishing," adds complexity, as many users are unaware of the risks of scanning codes.

Winsage

November 12, 2024

Watch out, that Excel document could be infected with dangerous malware

A new phishing campaign is using an Excel file to distribute a fileless version of the Remcos Remote Access Trojan (RAT). Researchers from Fortinet found that attackers are sending purchase order emails with an Excel attachment that exploits a remote code execution vulnerability in Office (CVE-2017-0199). Activating the file downloads an HTML Application (HTA) file from a remote server, which is launched via mshta.exe.malware. Remcos can log keystrokes, capture screenshots, and execute commands on compromised systems. This variant operates without leaving traditional file traces, making detection more difficult. Email phishing is a common method for cybercriminals to infect devices and steal sensitive information. Users are advised to be cautious with emails and attachments.

Winsage

November 3, 2024

New Microsoft Windows Attacks—Stop Doing This Now, US Government Warns Users

The FBI has warned users about vulnerabilities in popular webmail accounts, highlighting risks to passwords and multifactor authentication (MFA) due to emerging cyber threats. The Cybersecurity and Infrastructure Security Agency (CISA) has advised Windows users to reconsider SMS-based MFA. CISA's guidance targets Chief Information Security Officers (CISOs) and enterprise users, emphasizing a sophisticated spear-phishing campaign affecting various sectors, including government and IT. Spear phishing, although less than 0.1% of phishing emails, accounts for 66% of successful breaches, with average costs of USD 4.76 million and potential losses up to USD 100 million. CISA notes that foreign threat actors often impersonate trusted entities and use malicious remote desktop protocol (RDP) files to gain unauthorized access. CISA has recommended ten security measures for organizations, including restricting outbound RDP connections, blocking RDP files, enabling MFA, and adopting phishing-resistant authentication methods. CISA advises against SMS-based MFA due to its vulnerability to SIM-jacking attacks. Kaspersky has raised concerns about SIM swap fraud, particularly in areas with high smartphone usage. Organizations are encouraged to use stronger MFA alternatives, such as software authenticators or passkeys.

Winsage

October 26, 2024

Russia’s APT29 Mimics AWS to Steal Windows Credentials

APT29, a Russian advanced persistent threat group, has been targeting military, governmental, and corporate organizations through phishing campaigns. This group, associated with the Russian Federation's Foreign Intelligence Service (SVR), is known for significant breaches, including those involving SolarWinds and the Democratic National Committee. Recently, APT29 breached Microsoft's codebase and targeted political entities across Europe and Africa. The Computer Emergency Response Team of Ukraine (CERT-UA) discovered APT29's phishing attempts aimed at extracting Windows credentials from various sectors in Ukraine. The phishing campaign, which began in August, used malicious domain names resembling Amazon Web Services (AWS) to send emails with attachments that contained configuration files for Remote Desktop, enabling attackers to establish connections to compromised systems. Although APT29 did not use legitimate AWS domains, Amazon disrupted the campaign by taking down the malicious imitations. CERT-UA recommends organizations monitor network logs for APT29-related IP addresses and block RDP files at email gateways to mitigate risks.

Winsage

September 20, 2024

This Windows PowerShell Phish Has Scary Potential – Krebs on Security

Many GitHub users received a phishing email impersonating GitHub's security team, warning them of vulnerabilities in their repositories and directing them to a malicious link. Clicking the link led to a deceptive CAPTCHA that initiated a download of password-stealing malware. The process involved pressing the Windows key and "R" to open the Run prompt, followed by "CTRL" and "V" to paste malicious code, and then pressing "Enter" to execute a PowerShell command that downloaded a file named “l6e.exe,” known as Lumma Stealer, which extracts stored credentials. Microsoft advises against disabling PowerShell, as it is essential for system processes, and modifying its settings can be complex.