phishing emails Archives

Tech Optimizer

June 9, 2025

Cryptostealing Malware Found in Printer Software Highlights Growing Supply Chain Threat

A cybersecurity incident involving Procolored printers revealed vulnerabilities in everyday hardware, as users may have downloaded malware capable of stealing cryptocurrencies like Bitcoin. Tech content creator Cameron Coward reported an antivirus alert linked to Procolored printer software, prompting an investigation by G Data researchers who found malicious code in installation files on the manufacturer's website. The identified threats included a remote access tool (Win32.Backdoor.XRedRAT.A) and a cryptocurrency wallet stealer (MSIL.Trojan-Stealer.CoinStealer.H). Compromised files were last updated in October 2024 and distributed through official channels. The company initially denied the issue but later removed the downloads from their website in May 2025 and acknowledged the malware might have been introduced via USB transfers. An analysis of an attacker’s wallet showed a total of 9.3 BTC accumulated across 330 transactions before it was emptied. Cybersecurity experts recommend that users conduct antivirus scans and consider reformatting drives and reinstalling operating systems if infections are suspected.

Tech Optimizer

May 29, 2025

Xanthorox, the AI that promotes itself as an easy resource for committing cybercrimes

Xanthorox is an AI developed in 2023 by an anonymous creator, claiming to surpass WormGPT and EvilGPT. It promotes itself as a tool for illicit online activities, offering features like ransomware creation, deepfake generation, phishing email production, and malware development. The AI operates on open-source models without typical security measures, allowing for unregulated content generation. Its pricing includes a free tier for limited features and negotiable rates for full access. Security experts note that while Xanthorox is effective, its actual impact on large-scale cybercrime is uncertain. The legality of Xanthorox stems from its open-source nature, which allows for its use as long as it does not violate laws, although using it for illegal activities remains unlawful.

Tech Optimizer

May 29, 2025

Antivirus alone won’t protect you: The real danger is social engineering

Social engineering is a manipulation tactic that exploits human trust to obtain sensitive information or access, posing a significant cybersecurity threat. Unlike traditional cyber threats that rely on malware, social engineering targets individuals through deception, often invoking emotions like fear or urgency. Common examples include fraudulent phone calls, phishing emails, and deceptive text messages. Antivirus software primarily protects against malware but is ineffective against social engineering attacks, which do not involve malicious code. The consequences of falling victim to such attacks can include financial losses, identity theft, and compromised networks. Effective defenses against social engineering include skepticism towards unsolicited contact, verifying requests independently, never disclosing sensitive information, using strong passwords, and enabling two-factor authentication. Awareness and education are crucial in combating these threats.

Winsage

May 28, 2025

All Windows users must ‘watch out’ and delete ‘Microsoft’ updates now

Windows 10 and Windows 11 users are experiencing a rise in phishing emails that appear to be from Microsoft, according to Action Fraud, the UK's national fraud and cybercrime reporting center. Over 250 users have reported receiving fraudulent messages claiming their devices are infected with malware, often encouraging them to click on malicious links. These emails may look credible, sometimes using legitimate Microsoft addresses. Action Fraud advises users to verify messages directly with organizations using official contact details and warns that legitimate institutions will never request personal information via email. Microsoft also states it does not send unsolicited emails or calls for personal information and recommends downloading software only from official sources.

Tech Optimizer

May 21, 2025

Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer

Microsoft has monitored Lumma Stealer, an infostealer malware used by financially motivated threat actors. Lumma Stealer, also known as LummaC2, functions as a malware-as-a-service (MaaS) solution that extracts data from browsers and applications, including cryptocurrency wallets. The entity behind Lumma is identified as Storm-2477, which maintains the malware and its command-and-control (C2) infrastructure. Affiliates can create malware binaries and manage C2 communications through a panel provided by Storm-2477. Ransomware groups have integrated Lumma Stealer into their operations. Lumma Stealer employs various delivery techniques, including phishing emails, malvertising, drive-by downloads, Trojanized applications, and abuse of legitimate services. Specific campaigns have been identified, such as one in April 2025 that used EtherHiding and ClickFix techniques to deliver Lumma Stealer via compromised websites. Another campaign on April 7, 2025, targeted Canadian organizations with emails containing invoice lures that led to malicious downloads. The malware is developed using C++ and ASM, employing advanced obfuscation techniques to evade detection. It can extract a wide range of user data, including browser credentials, cryptocurrency wallet information, and user documents. Lumma Stealer maintains a robust C2 infrastructure with multiple hardcoded and fallback C2 servers, utilizing encryption methods to secure communications. Microsoft's Digital Crimes Unit has disrupted Lumma Stealer's infrastructure by blocking approximately 2,300 malicious domains. Recommendations to mitigate the impact of Lumma Stealer include strengthening Microsoft Defender configurations, implementing multifactor authentication, and utilizing phishing-resistant authentication methods. Microsoft Defender products can detect and block activities associated with Lumma Stealer, providing alerts and insights for incident response.

Winsage

May 4, 2025

Do Not Open This PDF On A Microsoft Windows PC

Microsoft has warned about the increasing use of PDF attachments in cyberattacks, particularly during the U.S. tax season. Attackers have been using PDFs with embedded links that redirect users to counterfeit pages, such as a fake DocuSign site. TrustWave SpiderLabs has identified a new campaign involving a fake payment SWIFT copy that leads to a malicious PDF containing obfuscated JavaScript, which downloads a script that conceals the RemcosRAT payload using steganography. This technique involves hiding links within images, making them difficult to detect. The latest attacks begin with phishing emails containing malicious PDFs that direct victims to harmful webpages, facilitating the delivery of RemcosRAT, a trojan that allows remote control of compromised systems. Users are advised to be cautious of emails labeled “SWIFT Copy” and to delete suspicious emails immediately.

Winsage

April 19, 2025

Windows vulnerability with NTLM hash abuse exploited for phishing

A vulnerability in Windows, identified as CVE-2025-24054, is being exploited in phishing campaigns targeting government and private organizations. Initially considered low-risk, it was addressed in Microsoft's March 2025 Patch Tuesday updates. Following the release of these patches, Check Point observed a rise in exploitation attempts, particularly linked to the Russian group APT28. Attackers sent phishing emails with Dropbox links containing .library-ms files, which, when accessed, connected to an external SMB server controlled by the attackers, allowing interception of NTLM hashes. A subsequent wave of attacks involved .library-ms files sent as direct attachments, requiring minimal user interaction to exploit the vulnerability. The malicious ZIP archive also contained files exploiting older NTLM vulnerabilities. Check Point identified the attackers' SMB servers with specific IP addresses. Despite being classified as medium-severity, the vulnerability's potential impact is significant, prompting organizations to apply the March 2025 updates and consider disabling NTLM authentication if not essential.

Winsage

April 17, 2025

Windows NTLM hash leak flaw exploited in phishing attacks on governments

A vulnerability in Windows, identified as CVE-2025-24054, is being actively exploited in phishing campaigns targeting government and private sectors. Initially addressed in Microsoft's March 2025 Patch Tuesday, it was not considered actively exploited at that time. Researchers from Check Point reported increased exploitation activities shortly after the patches were released, particularly between March 20 and 25, 2025. Some attacks were linked to the Russian state-sponsored group APT28, but definitive attribution is lacking. The vulnerability allows attackers to capture NTLM hashes through phishing emails containing manipulated .library-ms files that trigger the flaw when interacted with. Check Point noted that subsequent attacks involved .library-ms files sent directly, requiring minimal user interaction to exploit. The malicious files also included additional components that exploit older vulnerabilities related to NTLM hash leaks. The attacker-controlled SMB servers were traced to specific IP addresses. Although rated as medium severity, the potential for authentication bypass and privilege escalation makes it a significant concern, prompting recommendations for organizations to install updates and disable NTLM authentication if not necessary.

Winsage

April 17, 2025

Hackers Exploiting NTLM Spoofing Vulnerability in Wild to Compromise Systems

Cybercriminals are exploiting a vulnerability in Windows systems known as CVE-2025-24054, which involves NTLM hash disclosure through spoofing techniques. This flaw allows attackers to leak NTLM hashes, leading to privilege escalation and lateral movement within networks. It is triggered when a user extracts a ZIP archive containing a malicious .library-ms file, causing Windows Explorer to initiate SMB authentication requests that expose NTLMv2-SSP hashes. Exploitation of this vulnerability began shortly after a security patch was released on March 11, 2025, with campaigns targeting government and private institutions in Poland and Romania. These campaigns utilized spear-phishing emails containing malicious ZIP archives, which, when interacted with, leaked NTLM hashes. The malicious files included various types designed to initiate SMB connections to attacker-controlled servers, allowing for pass-the-hash attacks and privilege escalation. The stolen hashes were sent to servers in several countries, indicating potential links to state-sponsored groups. One campaign involved Dropbox links that exploited the vulnerability upon user interaction. Microsoft has recommended immediate patching, enhancing network defenses, user education, network segmentation, and regular security audits to mitigate risks associated with this vulnerability.

Winsage

April 17, 2025

Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054)

CVE-2025-24054 is a vulnerability that allows attackers to capture NTLMv2-SSP hashes from a victim's machine during authentication requests to an attacker-controlled SMB server. Active exploitation of this vulnerability has been observed since March 19, 2025, targeting government and private sectors in Poland and Romania. The attacks involve phishing emails that lead victims to download an archive file containing exploits designed to leak NTLMv2-SSP hashes. Microsoft has released patches for this vulnerability, but users on older, unsupported versions may need to consider micropatching.