phishing campaigns Archives

Tech Optimizer

May 26, 2025

This Stealthy Malware Takes Control of Your Computer to Steal Your Data

Skitnet is a new malware that targets personal data by stealthily infiltrating computer systems. It is used by hackers to steal sensitive information through advanced methods, including the insertion of invisible malicious code in emails and the creation of fraudulent websites. Cybersecurity experts from PRODAFT have revealed that Skitnet is often employed by ransomware groups and can remotely control infected computers using services like AnyDesk. The malware operates discreetly, monitoring user actions without detection for extended periods, making it difficult for victims to realize they are infected until after data theft occurs. To protect against such threats, security specialists recommend identifying suspicious emails, using reliable antivirus software, and enhancing account security with two-step verification and strong passwords.

Winsage

May 22, 2025

Microsoft says 394,000 Windows computers infected by Lumma malware

Microsoft announced the dismantling of the Lumma Stealer malware project in collaboration with global law enforcement. Over 394,000 Windows computers were identified as infected by Lumma between March 16 and May 16. The malware is known for stealing sensitive information such as passwords and credit card details. Microsoft, with a court order, dismantled the web domains supporting Lumma's infrastructure, while the U.S. Department of Justice took control of its central command structure. More than 1,300 domains were seized or transferred to Microsoft, with 300 acted upon by law enforcement and Europol. Other tech firms like Cloudflare and Lumen assisted in this effort. Since 2022, hackers have been acquiring Lumma through underground forums, and it has been used in phishing campaigns and attacks on various sectors, including gaming, education, and critical infrastructure.

Winsage

April 19, 2025

Windows vulnerability with NTLM hash abuse exploited for phishing

A vulnerability in Windows, identified as CVE-2025-24054, is being exploited in phishing campaigns targeting government and private organizations. Initially considered low-risk, it was addressed in Microsoft's March 2025 Patch Tuesday updates. Following the release of these patches, Check Point observed a rise in exploitation attempts, particularly linked to the Russian group APT28. Attackers sent phishing emails with Dropbox links containing .library-ms files, which, when accessed, connected to an external SMB server controlled by the attackers, allowing interception of NTLM hashes. A subsequent wave of attacks involved .library-ms files sent as direct attachments, requiring minimal user interaction to exploit the vulnerability. The malicious ZIP archive also contained files exploiting older NTLM vulnerabilities. Check Point identified the attackers' SMB servers with specific IP addresses. Despite being classified as medium-severity, the vulnerability's potential impact is significant, prompting organizations to apply the March 2025 updates and consider disabling NTLM authentication if not essential.

Winsage

April 17, 2025

Windows NTLM hash leak flaw exploited in phishing attacks on governments

A vulnerability in Windows, identified as CVE-2025-24054, is being actively exploited in phishing campaigns targeting government and private sectors. Initially addressed in Microsoft's March 2025 Patch Tuesday, it was not considered actively exploited at that time. Researchers from Check Point reported increased exploitation activities shortly after the patches were released, particularly between March 20 and 25, 2025. Some attacks were linked to the Russian state-sponsored group APT28, but definitive attribution is lacking. The vulnerability allows attackers to capture NTLM hashes through phishing emails containing manipulated .library-ms files that trigger the flaw when interacted with. Check Point noted that subsequent attacks involved .library-ms files sent directly, requiring minimal user interaction to exploit. The malicious files also included additional components that exploit older vulnerabilities related to NTLM hash leaks. The attacker-controlled SMB servers were traced to specific IP addresses. Although rated as medium severity, the potential for authentication bypass and privilege escalation makes it a significant concern, prompting recommendations for organizations to install updates and disable NTLM authentication if not necessary.

Winsage

February 19, 2025

This high-risk keylogger malware is a growing threat to Windows users

Recent reports indicate a surge in the activity of the Snake keylogger, also known as the 404 Keylogger, linked to over 280 million attack attempts since the start of the year. At its peak, it was responsible for as many as 14 million infection attempts in a single day. The malware can log keystrokes and extract personally identifiable information, including geolocation data, transmitting this data back to its command server through channels like SMTP, Telegram bots, and HTTP post requests. The Snake keylogger operates on the AutoIT framework, creating a copy of itself in the Windows Startup folder to ensure execution upon every system restart. It employs advanced obfuscation techniques to evade detection by antivirus software, hiding its malicious code within processes recognized as legitimate by the operating system. The keylogger primarily spreads through sophisticated phishing attacks.

Winsage

February 14, 2025

Microsoft Windows GUI 0-Day Vulnerability Actively Exploited in the Wild

A vulnerability in Microsoft Windows, identified by ClearSky Cyber Security, is being actively exploited by the Chinese APT group Mustang Panda. This low-severity vulnerability affects how Windows processes files from compressed RAR archives, making extracted files invisible in the Windows Explorer GUI while still accessible via command-line tools. Mustang Panda uses this vulnerability to hide malicious files within archives, facilitating stealthy attacks through phishing campaigns. Despite its exploitation, Microsoft has rated the vulnerability as low-severity, which may indicate limited potential damage. Cybersecurity experts warn that such vulnerabilities can have significant implications when used in larger attack strategies.

Tech Optimizer

February 6, 2025

Beware of Nova Stealer Malware Sold for $50 on Hacking Forums

Nova Stealer is a malware operating under the Malware-as-a-Service (MaaS) model, available for a low cost for a 30-day license. It is a modified version of the SnakeLogger malware designed to extract sensitive information from compromised systems. Its distribution primarily occurs through aggressive phishing campaigns targeting sectors such as finance, retail, and IT, especially in regions like Russia. Nova Stealer infiltrates systems via phishing emails disguised as legitimate documents and employs techniques like steganography and process hollowing to evade detection. It can harvest data including saved credentials, keystrokes, clipboard contents, screenshots, cryptocurrency wallet information, and session cookies from platforms like Discord and Steam. The stolen data is transmitted through channels such as SMTP, FTP, or Telegram APIs. The malware's developers offer additional services, including cryptors to bypass antivirus detection, and a Telegram group for promotion and technical support. The MaaS model lowers entry barriers for cybercriminals, enabling those with minimal experience to conduct sophisticated attacks. Organizations are advised to implement strong email security measures, educate employees on phishing recognition, and utilize endpoint detection and response solutions to monitor unusual activities. Regular updates to antivirus software and operating systems are also recommended to mitigate vulnerabilities.

AppWizard

November 8, 2024

Godfather Is A Risk To Android Users Worldwide As 500 Apps Targeted

A new variant of the Godfather banking trojan is targeting over 500 Android banking and cryptocurrency applications globally. Initially focused in the U.S., U.K., and Europe, its reach has expanded to countries including Azerbaijan, Greece, Japan, and Singapore. The malware has transitioned from Java to native code, enhancing its ability to exploit Android’s accessibility services and mimic user actions through gesture automation commands. It employs social engineering tactics, such as a fraudulent website posing as the official MyGov site of the Australian Government, to distribute malicious files. Once installed, the malware communicates with a control server, collects device information, and replaces legitimate banking applications with phishing pages to steal credentials. The Godfather malware has become more difficult to analyze and poses a significant threat to users worldwide.

Winsage

October 26, 2024

Russia’s APT29 Mimics AWS to Steal Windows Credentials

APT29, a Russian advanced persistent threat group, has been targeting military, governmental, and corporate organizations through phishing campaigns. This group, associated with the Russian Federation's Foreign Intelligence Service (SVR), is known for significant breaches, including those involving SolarWinds and the Democratic National Committee. Recently, APT29 breached Microsoft's codebase and targeted political entities across Europe and Africa. The Computer Emergency Response Team of Ukraine (CERT-UA) discovered APT29's phishing attempts aimed at extracting Windows credentials from various sectors in Ukraine. The phishing campaign, which began in August, used malicious domain names resembling Amazon Web Services (AWS) to send emails with attachments that contained configuration files for Remote Desktop, enabling attackers to establish connections to compromised systems. Although APT29 did not use legitimate AWS domains, Amazon disrupted the campaign by taking down the malicious imitations. CERT-UA recommends organizations monitor network logs for APT29-related IP addresses and block RDP files at email gateways to mitigate risks.

Tech Optimizer

October 18, 2024

Cyber security recognized

The Mifflin County Commissioners declared October 21-27 as Cybersecurity Awareness Week to enhance digital security, addressing threats from automated cyber attacks. County Management Information Systems Director Aaron Felker emphasized the collective responsibility of all employees in maintaining digital defenses, particularly against phishing emails. The county has implemented simulated phishing campaigns for staff education and has a multi-layered defense system in place for handling breaches, including antivirus software and intrusion detection systems. In election updates, 4,116 mail-in ballot applications have been processed, with critical deadlines for voter registration changes and mail-in ballot applications set for October 21 and October 29, respectively. The commissioners approved a grant of ,344 for the Mifflin County Correctional Facility’s Vivitrol program, which supports inmates with opioid use disorders by providing education, screening, and medication to prevent relapses. Additionally, the commissioners approved several measures, including a ,400 renewal for GIS software maintenance, liquid fuels allocations for Armagh and Granville Townships, acceptance of Hazardous Material Response Fund grants, renewal of the county employee vision plan, and personnel changes including new hires and a transfer.