#credentialharvesting — Public Fediverse posts

Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans

A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.

Pulse ID: 6a01847e13b4074a8d4b6381
Pulse Link: https://otx.alienvault.com/pulse/6a01847e13b4074a8d4b6381
Pulse Author: AlienVault
Created: 2026-05-11 07:25:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault

Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans

A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.

Pulse ID: 6a01847e13b4074a8d4b6381
Pulse Link: https://otx.alienvault.com/pulse/6a01847e13b4074a8d4b6381
Pulse Author: AlienVault
Created: 2026-05-11 07:25:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault

Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans

A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.

Pulse ID: 6a01847e13b4074a8d4b6381
Pulse Link: https://otx.alienvault.com/pulse/6a01847e13b4074a8d4b6381
Pulse Author: AlienVault
Created: 2026-05-11 07:25:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault

Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans

A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.

Pulse ID: 6a01847e13b4074a8d4b6381
Pulse Link: https://otx.alienvault.com/pulse/6a01847e13b4074a8d4b6381
Pulse Author: AlienVault
Created: 2026-05-11 07:25:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault

Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans

A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.

Pulse ID: 6a01847e13b4074a8d4b6381
Pulse Link: https://otx.alienvault.com/pulse/6a01847e13b4074a8d4b6381
Pulse Author: AlienVault
Created: 2026-05-11 07:25:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault

Malware Worm Eliminates Rival, Seizes Control

Meet the malware worm with a ruthless streak - it not only eliminates rival malware from infected systems, but also seizes control and claims the compromised credentials for itself. This cunning worm is taking over, leaving other malicious operators with nothing.

https://osintsights.com/malware-worm-eliminates-rival-seizes-control?utm_source=mastodon&utm_medium=social

#MalwareOperations #RivalMalwareElimination #CredentialHarvesting #Worm #EmergingThreats

TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering attacks, including credential harvesting and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Infrastructure is hosted on Cloudflare Workers, with evidence suggesting the campaign was detected in early operational stages.

Pulse ID: 69fb97e531a95b262c4925aa
Pulse Link: https://otx.alienvault.com/pulse/69fb97e531a95b262c4925aa
Pulse Author: AlienVault
Created: 2026-05-06 19:35:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #BankingTrojan #Brazil #Cloud #CredentialHarvesting #CyberSecurity #ELF #InfoSec #Malware #NET #OTX #OpenThreatExchange #Outlook #Phishing #RAT #SocialEngineering #Trojan #WatchDog #WhatsApp #Worm #bot #AlienVault

TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering attacks, including credential harvesting and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Infrastructure is hosted on Cloudflare Workers, with evidence suggesting the campaign was detected in early operational stages.

Pulse ID: 69fb97e531a95b262c4925aa
Pulse Link: https://otx.alienvault.com/pulse/69fb97e531a95b262c4925aa
Pulse Author: AlienVault
Created: 2026-05-06 19:35:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #BankingTrojan #Brazil #Cloud #CredentialHarvesting #CyberSecurity #ELF #InfoSec #Malware #NET #OTX #OpenThreatExchange #Outlook #Phishing #RAT #SocialEngineering #Trojan #WatchDog #WhatsApp #Worm #bot #AlienVault

TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering attacks, including credential harvesting and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Infrastructure is hosted on Cloudflare Workers, with evidence suggesting the campaign was detected in early operational stages.

Pulse ID: 69fb97e531a95b262c4925aa
Pulse Link: https://otx.alienvault.com/pulse/69fb97e531a95b262c4925aa
Pulse Author: AlienVault
Created: 2026-05-06 19:35:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #BankingTrojan #Brazil #Cloud #CredentialHarvesting #CyberSecurity #ELF #InfoSec #Malware #NET #OTX #OpenThreatExchange #Outlook #Phishing #RAT #SocialEngineering #Trojan #WatchDog #WhatsApp #Worm #bot #AlienVault

TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering attacks, including credential harvesting and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Infrastructure is hosted on Cloudflare Workers, with evidence suggesting the campaign was detected in early operational stages.

Pulse ID: 69fb97e531a95b262c4925aa
Pulse Link: https://otx.alienvault.com/pulse/69fb97e531a95b262c4925aa
Pulse Author: AlienVault
Created: 2026-05-06 19:35:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #BankingTrojan #Brazil #Cloud #CredentialHarvesting #CyberSecurity #ELF #InfoSec #Malware #NET #OTX #OpenThreatExchange #Outlook #Phishing #RAT #SocialEngineering #Trojan #WatchDog #WhatsApp #Worm #bot #AlienVault

TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering attacks, including credential harvesting and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Infrastructure is hosted on Cloudflare Workers, with evidence suggesting the campaign was detected in early operational stages.

Pulse ID: 69fb97e531a95b262c4925aa
Pulse Link: https://otx.alienvault.com/pulse/69fb97e531a95b262c4925aa
Pulse Author: AlienVault
Created: 2026-05-06 19:35:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #BankingTrojan #Brazil #Cloud #CredentialHarvesting #CyberSecurity #ELF #InfoSec #Malware #NET #OTX #OpenThreatExchange #Outlook #Phishing #RAT #SocialEngineering #Trojan #WatchDog #WhatsApp #Worm #bot #AlienVault

Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's Military Telecom & Philippine Healthcare

A sophisticated spear phishing campaign dubbed Operation GriefLure targeted senior executives of Viettel Group, Vietnam's largest military-owned telecommunications provider, and St. Luke's Medical Center in the Philippines. The operation weaponized authentic legal documents from a genuine data breach dispute involving a Vietnamese citizen and Viettel, alongside fabricated whistleblower complaints targeting Philippine healthcare administrators. Attackers delivered malicious Windows LNK files within nested RAR archives, abusing native ftp.exe as a Living-off-the-Land dropper. Upon execution, the payload assembled polymorphic implants directly on disk from chunked .doc files, establishing persistence while displaying legitimate decoy PDFs. The malware enabled remote access through process injection, credential harvesting from browsers and remote access tools, screenshot capture, and file exfiltration via HTTPS C2 communication to infrastructure hosted on bulletproof Hong Kong servers.

Pulse ID: 69fc841d0cbc4c199d708315
Pulse Link: https://otx.alienvault.com/pulse/69fc841d0cbc4c199d708315
Pulse Author: AlienVault
Created: 2026-05-07 12:22:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CredentialHarvesting #CyberSecurity #DataBreach #HTTP #HTTPS #Healthcare #HongKong #InfoSec #LNK #Malware #Military #OTX #OpenThreatExchange #PDF #Philippines #Phishing #RAT #SpearPhishing #Telecom #Telecommunication #UK #Vietnam #Windows #bot #AlienVault

Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's Military Telecom & Philippine Healthcare

A sophisticated spear phishing campaign dubbed Operation GriefLure targeted senior executives of Viettel Group, Vietnam's largest military-owned telecommunications provider, and St. Luke's Medical Center in the Philippines. The operation weaponized authentic legal documents from a genuine data breach dispute involving a Vietnamese citizen and Viettel, alongside fabricated whistleblower complaints targeting Philippine healthcare administrators. Attackers delivered malicious Windows LNK files within nested RAR archives, abusing native ftp.exe as a Living-off-the-Land dropper. Upon execution, the payload assembled polymorphic implants directly on disk from chunked .doc files, establishing persistence while displaying legitimate decoy PDFs. The malware enabled remote access through process injection, credential harvesting from browsers and remote access tools, screenshot capture, and file exfiltration via HTTPS C2 communication to infrastructure hosted on bulletproof Hong Kong servers.

Pulse ID: 69fc841d0cbc4c199d708315
Pulse Link: https://otx.alienvault.com/pulse/69fc841d0cbc4c199d708315
Pulse Author: AlienVault
Created: 2026-05-07 12:22:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CredentialHarvesting #CyberSecurity #DataBreach #HTTP #HTTPS #Healthcare #HongKong #InfoSec #LNK #Malware #Military #OTX #OpenThreatExchange #PDF #Philippines #Phishing #RAT #SpearPhishing #Telecom #Telecommunication #UK #Vietnam #Windows #bot #AlienVault

Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's Military Telecom & Philippine Healthcare

A sophisticated spear phishing campaign dubbed Operation GriefLure targeted senior executives of Viettel Group, Vietnam's largest military-owned telecommunications provider, and St. Luke's Medical Center in the Philippines. The operation weaponized authentic legal documents from a genuine data breach dispute involving a Vietnamese citizen and Viettel, alongside fabricated whistleblower complaints targeting Philippine healthcare administrators. Attackers delivered malicious Windows LNK files within nested RAR archives, abusing native ftp.exe as a Living-off-the-Land dropper. Upon execution, the payload assembled polymorphic implants directly on disk from chunked .doc files, establishing persistence while displaying legitimate decoy PDFs. The malware enabled remote access through process injection, credential harvesting from browsers and remote access tools, screenshot capture, and file exfiltration via HTTPS C2 communication to infrastructure hosted on bulletproof Hong Kong servers.

Pulse ID: 69fc841d0cbc4c199d708315
Pulse Link: https://otx.alienvault.com/pulse/69fc841d0cbc4c199d708315
Pulse Author: AlienVault
Created: 2026-05-07 12:22:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CredentialHarvesting #CyberSecurity #DataBreach #HTTP #HTTPS #Healthcare #HongKong #InfoSec #LNK #Malware #Military #OTX #OpenThreatExchange #PDF #Philippines #Phishing #RAT #SpearPhishing #Telecom #Telecommunication #UK #Vietnam #Windows #bot #AlienVault

Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's Military Telecom & Philippine Healthcare

A sophisticated spear phishing campaign dubbed Operation GriefLure targeted senior executives of Viettel Group, Vietnam's largest military-owned telecommunications provider, and St. Luke's Medical Center in the Philippines. The operation weaponized authentic legal documents from a genuine data breach dispute involving a Vietnamese citizen and Viettel, alongside fabricated whistleblower complaints targeting Philippine healthcare administrators. Attackers delivered malicious Windows LNK files within nested RAR archives, abusing native ftp.exe as a Living-off-the-Land dropper. Upon execution, the payload assembled polymorphic implants directly on disk from chunked .doc files, establishing persistence while displaying legitimate decoy PDFs. The malware enabled remote access through process injection, credential harvesting from browsers and remote access tools, screenshot capture, and file exfiltration via HTTPS C2 communication to infrastructure hosted on bulletproof Hong Kong servers.

Pulse ID: 69fc841d0cbc4c199d708315
Pulse Link: https://otx.alienvault.com/pulse/69fc841d0cbc4c199d708315
Pulse Author: AlienVault
Created: 2026-05-07 12:22:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CredentialHarvesting #CyberSecurity #DataBreach #HTTP #HTTPS #Healthcare #HongKong #InfoSec #LNK #Malware #Military #OTX #OpenThreatExchange #PDF #Philippines #Phishing #RAT #SpearPhishing #Telecom #Telecommunication #UK #Vietnam #Windows #bot #AlienVault

Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's Military Telecom & Philippine Healthcare

A sophisticated spear phishing campaign dubbed Operation GriefLure targeted senior executives of Viettel Group, Vietnam's largest military-owned telecommunications provider, and St. Luke's Medical Center in the Philippines. The operation weaponized authentic legal documents from a genuine data breach dispute involving a Vietnamese citizen and Viettel, alongside fabricated whistleblower complaints targeting Philippine healthcare administrators. Attackers delivered malicious Windows LNK files within nested RAR archives, abusing native ftp.exe as a Living-off-the-Land dropper. Upon execution, the payload assembled polymorphic implants directly on disk from chunked .doc files, establishing persistence while displaying legitimate decoy PDFs. The malware enabled remote access through process injection, credential harvesting from browsers and remote access tools, screenshot capture, and file exfiltration via HTTPS C2 communication to infrastructure hosted on bulletproof Hong Kong servers.

Pulse ID: 69fc841d0cbc4c199d708315
Pulse Link: https://otx.alienvault.com/pulse/69fc841d0cbc4c199d708315
Pulse Author: AlienVault
Created: 2026-05-07 12:22:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CredentialHarvesting #CyberSecurity #DataBreach #HTTP #HTTPS #Healthcare #HongKong #InfoSec #LNK #Malware #Military #OTX #OpenThreatExchange #PDF #Philippines #Phishing #RAT #SpearPhishing #Telecom #Telecommunication #UK #Vietnam #Windows #bot #AlienVault

Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...

Pulse ID: 69f3a95eda9a5492f5d1b6f4
Pulse Link: https://otx.alienvault.com/pulse/69f3a95eda9a5492f5d1b6f4
Pulse Author: AlienVault
Created: 2026-04-30 19:11:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #China #CredentialHarvesting #CyberSecurity #Cyberespionage #Espionage #Government #InfoSec #Microsoft #NATO #OTX #OpenThreatExchange #Proxy #RAT #ShadowPad #SideLoading #bot #AlienVault

Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...

Pulse ID: 69f3a95eda9a5492f5d1b6f4
Pulse Link: https://otx.alienvault.com/pulse/69f3a95eda9a5492f5d1b6f4
Pulse Author: AlienVault
Created: 2026-04-30 19:11:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #China #CredentialHarvesting #CyberSecurity #Cyberespionage #Espionage #Government #InfoSec #Microsoft #NATO #OTX #OpenThreatExchange #Proxy #RAT #ShadowPad #SideLoading #bot #AlienVault

Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...

Pulse ID: 69f3a95eda9a5492f5d1b6f4
Pulse Link: https://otx.alienvault.com/pulse/69f3a95eda9a5492f5d1b6f4
Pulse Author: AlienVault
Created: 2026-04-30 19:11:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #China #CredentialHarvesting #CyberSecurity #Cyberespionage #Espionage #Government #InfoSec #Microsoft #NATO #OTX #OpenThreatExchange #Proxy #RAT #ShadowPad #SideLoading #bot #AlienVault

Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...

Pulse ID: 69f3a95eda9a5492f5d1b6f4
Pulse Link: https://otx.alienvault.com/pulse/69f3a95eda9a5492f5d1b6f4
Pulse Author: AlienVault
Created: 2026-04-30 19:11:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #China #CredentialHarvesting #CyberSecurity #Cyberespionage #Espionage #Government #InfoSec #Microsoft #NATO #OTX #OpenThreatExchange #Proxy #RAT #ShadowPad #SideLoading #bot #AlienVault

Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...

Pulse ID: 69f3a95eda9a5492f5d1b6f4
Pulse Link: https://otx.alienvault.com/pulse/69f3a95eda9a5492f5d1b6f4
Pulse Author: AlienVault
Created: 2026-04-30 19:11:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #China #CredentialHarvesting #CyberSecurity #Cyberespionage #Espionage #Government #InfoSec #Microsoft #NATO #OTX #OpenThreatExchange #Proxy #RAT #ShadowPad #SideLoading #bot #AlienVault

Large Scale Smishing & Credential Harvesting Campaign using Phoenix PhaaS

Phishing as a Service platform called Phoenix provides ready made tools and infrastructure which enables large scale smishing campaigns.

Pulse ID: 69f64e5ad6a8f740297614e5
Pulse Link: https://otx.alienvault.com/pulse/69f64e5ad6a8f740297614e5
Pulse Author: cryptocti
Created: 2026-05-02 19:19:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #Smishing #bot #cryptocti

Large Scale Smishing & Credential Harvesting Campaign using Phoenix PhaaS

Phishing as a Service platform called Phoenix provides ready made tools and infrastructure which enables large scale smishing campaigns.

Pulse ID: 69f64e5ad6a8f740297614e5
Pulse Link: https://otx.alienvault.com/pulse/69f64e5ad6a8f740297614e5
Pulse Author: cryptocti
Created: 2026-05-02 19:19:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #Smishing #bot #cryptocti

Large Scale Smishing & Credential Harvesting Campaign using Phoenix PhaaS

Phishing as a Service platform called Phoenix provides ready made tools and infrastructure which enables large scale smishing campaigns.

Pulse ID: 69f64e5ad6a8f740297614e5
Pulse Link: https://otx.alienvault.com/pulse/69f64e5ad6a8f740297614e5
Pulse Author: cryptocti
Created: 2026-05-02 19:19:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #Smishing #bot #cryptocti

Large Scale Smishing & Credential Harvesting Campaign using Phoenix PhaaS

Phishing as a Service platform called Phoenix provides ready made tools and infrastructure which enables large scale smishing campaigns.

Pulse ID: 69f64e5ad6a8f740297614e5
Pulse Link: https://otx.alienvault.com/pulse/69f64e5ad6a8f740297614e5
Pulse Author: cryptocti
Created: 2026-05-02 19:19:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #Smishing #bot #cryptocti

Large Scale Smishing & Credential Harvesting Campaign using Phoenix PhaaS

Phishing as a Service platform called Phoenix provides ready made tools and infrastructure which enables large scale smishing campaigns.

Pulse ID: 69f64e5ad6a8f740297614e5
Pulse Link: https://otx.alienvault.com/pulse/69f64e5ad6a8f740297614e5
Pulse Author: cryptocti
Created: 2026-05-02 19:19:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #Smishing #bot #cryptocti

User interaction with a ClickFix-style phishing site resulted in execution of an obfuscated PowerShell command

A ClickFix-style phishing campaign leveraged social engineering to trick users into executing obfuscated PowerShell commands that downloaded and installed a malicious MSI payload from a remote server. The attack employed a sophisticated multi-stage infection chain utilizing DLL sideloading techniques with renamed legitimate binaries to execute malicious components. The final payload deployed HijackLoader to deliver a Lumma-style information stealer designed for credential harvesting and data exfiltration. The campaign utilized multiple command-and-control domains and infrastructure hosted on specific IP addresses. Mitigation measures include blocking identified artifacts, enhancing user awareness about ClickFix social engineering tactics, implementing endpoint detection for suspicious PowerShell activity and unsigned DLL sideloading, and isolating compromised systems for remediation.

Pulse ID: 69f1de85544538ce8b03332a
Pulse Link: https://otx.alienvault.com/pulse/69f1de85544538ce8b03332a
Pulse Author: AlienVault
Created: 2026-04-29 10:33:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CredentialHarvesting #CyberSecurity #Endpoint #HijackLoader #ICS #InfoSec #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #SideLoading #SocialEngineering #bot #AlienVault

Inside a Fake DHL Campaign Built to Steal Credentials

A consumer-targeted credential theft operation uses DHL brand impersonation combined with a fake OTP verification mechanism to harvest passwords from victims. The attack employs an 11-step chain beginning with spoofed shipment notification emails, leading victims through a client-side generated OTP page that creates false trust, then directing them to a DHL-branded credential harvesting portal. The kit captures passwords alongside victim telemetry including IP address, device details, browser fingerprinting, and geolocation data. Exfiltration occurs through EmailJS, a legitimate client-side email service, sending stolen credentials to an attacker-controlled Tutamail address. The campaign concludes by redirecting victims to the legitimate DHL website to avoid suspicion, demonstrating how familiar workflows and brand trust can be weaponized without technical sophistication.

Pulse ID: 69f11f15737a6a70e077e9d7
Pulse Link: https://otx.alienvault.com/pulse/69f11f15737a6a70e077e9d7
Pulse Author: AlienVault
Created: 2026-04-28 20:56:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CredentialHarvesting #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Password #Passwords #RAT #Rust #Troll #Word #bot #AlienVault

Tall Tales: How Chinese Actors Use Impersonation and Stolen Narratives to Perpetuate Digital Transnational Repression

In collaboration with the International Consortium of Investigative Journalists (ICIJ), two distinct actor clusters aligned with the People's Republic of China were identified targeting journalists and civil society members. GLITTER CARP conducted widespread credential harvesting campaigns against Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists, as well as journalists covering these communities, employing digital impersonation and fake security alerts while frequently reusing infrastructure. SEQUIN CARP specifically targeted journalists involved in ICIJ's China Targets investigation using sophisticated OAuth consent phishing attacks with well-developed personas based on co-opted narratives, though operational mistakes revealed poor persona management. Both campaigns demonstrate China's Military-Civil Fusion system leveraging private contractors to conduct digital transnational repression at scale, with targeting intensifying following the China Targets publication that exposed Chinese governme...

Pulse ID: 69f05d291d899793ddba04f9
Pulse Link: https://otx.alienvault.com/pulse/69f05d291d899793ddba04f9
Pulse Author: AlienVault
Created: 2026-04-28 07:09:29

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#China #Chinese #CredentialHarvesting #CyberSecurity #HongKong #InfoSec #Military #OTX #OpenThreatExchange #Phishing #RAT #Tibet #bot #AlienVault

A Third Vultr Seoul Box: 60+ Kimsuky Domains, 18 Months of DDNS Rotation, and a 5-Year Infrastructure Trail

This analysis documents a third Vultr Seoul VPS (158.247.210.58) associated with Kimsuky operations, featuring over 60 domains across an 18-month period of systematic credential harvesting infrastructure. The actor demonstrates deliberate rotation through seven DDNS providers to evade blocklisting while maintaining the same backend VPS since at least September 2020. The domains systematically impersonate Naver, Korean National Tax Service (HomeTax), and government portals using prefixes like nid-user, n-store, nts-auth, and htax-login. Currently, 31 domains actively resolve while web ports remain closed, indicating a parked and ready operational posture. The infrastructure sits in AS20473 alongside two previously documented Vultr Seoul boxes, demonstrating the actor's clear preference for this provider and geographic proximity to South Korean targets.

Pulse ID: 69f06a838f5dae965dd8cbfd
Pulse Link: https://otx.alienvault.com/pulse/69f06a838f5dae965dd8cbfd
Pulse Author: AlienVault
Created: 2026-04-28 08:06:27

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CredentialHarvesting #CyberSecurity #DNS #Government #InfoSec #Kimsuky #Korea #OTX #OpenThreatExchange #RAT #SouthKorea #UK #Vultr #bot #AlienVault

Extortion in the Enterprise: Defending Against BlackFile Attacks

Since February 2026, multiple incidents involving data theft and extortion have been attributed to activity cluster CL-CRI-1116, also known as BlackFile, UNC6671, and Cordial Spider. These financially-motivated attackers, likely associated with "The Com" collective, employ voice-based phishing combined with credential harvesting through fraudulent login pages. They impersonate IT support staff to steal credentials and bypass multi-factor authentication. The attackers focus on Living Off the Land techniques, abusing legitimate APIs like Microsoft Graph to access SharePoint sites and Salesforce data. They search for confidential information and employee data within SaaS environments, then exfiltrate it through browser downloads or API exports. To pressure victims into paying seven-figure ransoms, attackers send demands via Gmail and compromised email accounts, sometimes employing SWATting tactics against executives.

Pulse ID: 69ef8ab862c07db686ca4572
Pulse Link: https://otx.alienvault.com/pulse/69ef8ab862c07db686ca4572
Pulse Author: AlienVault
Created: 2026-04-27 16:11:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CredentialHarvesting #CyberSecurity #DataTheft #Email #Extortion #ICS #InfoSec #Microsoft #OTX #OpenThreatExchange #Phishing #RAT #RCE #bot #AlienVault

Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools

Pulse ID: 69eaf8302d013c66b8a8493c
Pulse Link: https://otx.alienvault.com/pulse/69eaf8302d013c66b8a8493c
Pulse Author: Tr1sa111
Created: 2026-04-24 04:57:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Adobe #CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #ScreenConnect #bot #Tr1sa111

Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools

Pulse ID: 69eaf8302d013c66b8a8493c
Pulse Link: https://otx.alienvault.com/pulse/69eaf8302d013c66b8a8493c
Pulse Author: Tr1sa111
Created: 2026-04-24 04:57:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Adobe #CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #ScreenConnect #bot #Tr1sa111

Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools

Pulse ID: 69eaf8302d013c66b8a8493c
Pulse Link: https://otx.alienvault.com/pulse/69eaf8302d013c66b8a8493c
Pulse Author: Tr1sa111
Created: 2026-04-24 04:57:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Adobe #CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #ScreenConnect #bot #Tr1sa111

Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools

Pulse ID: 69eaf8302d013c66b8a8493c
Pulse Link: https://otx.alienvault.com/pulse/69eaf8302d013c66b8a8493c
Pulse Author: Tr1sa111
Created: 2026-04-24 04:57:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Adobe #CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #ScreenConnect #bot #Tr1sa111

Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools

Pulse ID: 69eaf8302d013c66b8a8493c
Pulse Link: https://otx.alienvault.com/pulse/69eaf8302d013c66b8a8493c
Pulse Author: Tr1sa111
Created: 2026-04-24 04:57:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Adobe #CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #ScreenConnect #bot #Tr1sa111

Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools

A phishing campaign utilized a fraudulent Adobe-themed website to trick victims into downloading and executing ScreenConnect remote access software. Once initial access was established, threat actors conducted interactive operations deploying multiple malicious binaries including a credential harvesting tool named password.exe. The attackers also exploited the ms-phone URI handler to launch the Phone Link application, attempting to socially engineer victims into linking their mobile devices to potentially capture notifications, authentication prompts, and sensitive information. The attack demonstrates a multi-stage compromise focusing on persistence establishment, credential theft, and preparation for potential lateral movement across the victim's network infrastructure.

Pulse ID: 69e9d7f4b00e56e9ebb52338
Pulse Link: https://otx.alienvault.com/pulse/69e9d7f4b00e56e9ebb52338
Pulse Author: AlienVault
Created: 2026-04-23 08:27:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Adobe #CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Password #Phishing #RAT #ScreenConnect #Word #bot #AlienVault

Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools

A phishing campaign utilized a fraudulent Adobe-themed website to trick victims into downloading and executing ScreenConnect remote access software. Once initial access was established, threat actors conducted interactive operations deploying multiple malicious binaries including a credential harvesting tool named password.exe. The attackers also exploited the ms-phone URI handler to launch the Phone Link application, attempting to socially engineer victims into linking their mobile devices to potentially capture notifications, authentication prompts, and sensitive information. The attack demonstrates a multi-stage compromise focusing on persistence establishment, credential theft, and preparation for potential lateral movement across the victim's network infrastructure.

Pulse ID: 69e9d7f4b00e56e9ebb52338
Pulse Link: https://otx.alienvault.com/pulse/69e9d7f4b00e56e9ebb52338
Pulse Author: AlienVault
Created: 2026-04-23 08:27:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Adobe #CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Password #Phishing #RAT #ScreenConnect #Word #bot #AlienVault

Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools

A phishing campaign utilized a fraudulent Adobe-themed website to trick victims into downloading and executing ScreenConnect remote access software. Once initial access was established, threat actors conducted interactive operations deploying multiple malicious binaries including a credential harvesting tool named password.exe. The attackers also exploited the ms-phone URI handler to launch the Phone Link application, attempting to socially engineer victims into linking their mobile devices to potentially capture notifications, authentication prompts, and sensitive information. The attack demonstrates a multi-stage compromise focusing on persistence establishment, credential theft, and preparation for potential lateral movement across the victim's network infrastructure.

Pulse ID: 69e9d7f4b00e56e9ebb52338
Pulse Link: https://otx.alienvault.com/pulse/69e9d7f4b00e56e9ebb52338
Pulse Author: AlienVault
Created: 2026-04-23 08:27:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Adobe #CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Password #Phishing #RAT #ScreenConnect #Word #bot #AlienVault

Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools

A phishing campaign utilized a fraudulent Adobe-themed website to trick victims into downloading and executing ScreenConnect remote access software. Once initial access was established, threat actors conducted interactive operations deploying multiple malicious binaries including a credential harvesting tool named password.exe. The attackers also exploited the ms-phone URI handler to launch the Phone Link application, attempting to socially engineer victims into linking their mobile devices to potentially capture notifications, authentication prompts, and sensitive information. The attack demonstrates a multi-stage compromise focusing on persistence establishment, credential theft, and preparation for potential lateral movement across the victim's network infrastructure.

Pulse ID: 69e9d7f4b00e56e9ebb52338
Pulse Link: https://otx.alienvault.com/pulse/69e9d7f4b00e56e9ebb52338
Pulse Author: AlienVault
Created: 2026-04-23 08:27:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Adobe #CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Password #Phishing #RAT #ScreenConnect #Word #bot #AlienVault

Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools

A phishing campaign utilized a fraudulent Adobe-themed website to trick victims into downloading and executing ScreenConnect remote access software. Once initial access was established, threat actors conducted interactive operations deploying multiple malicious binaries including a credential harvesting tool named password.exe. The attackers also exploited the ms-phone URI handler to launch the Phone Link application, attempting to socially engineer victims into linking their mobile devices to potentially capture notifications, authentication prompts, and sensitive information. The attack demonstrates a multi-stage compromise focusing on persistence establishment, credential theft, and preparation for potential lateral movement across the victim's network infrastructure.

Pulse ID: 69e9d7f4b00e56e9ebb52338
Pulse Link: https://otx.alienvault.com/pulse/69e9d7f4b00e56e9ebb52338
Pulse Author: AlienVault
Created: 2026-04-23 08:27:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Adobe #CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Password #Phishing #RAT #ScreenConnect #Word #bot #AlienVault

macOS ClickFix Attacks Harvest Credentials via AppleScript Stealers

macOS users beware: a sneaky ClickFix campaign is using AppleScript stealers to harvest credentials from 14 browsers, 16 cryptocurrency wallets, and over 200 extensions. This targeted attack has already made off with a staggering amount of sensitive info - and it's still on the loose.

https://osintsights.com/macos-clickfix-attacks-harvest-credentials-via-applescript-stealers?utm_source=mastodon&utm_medium=social

#Macos #Clickfix #Applescript #Infostealer #CredentialHarvesting

Is Your Bank Really Texting You? 3 Red Flags of a Phishing Message.

2,483 words, 13 minutes read time.

The Psychological Architecture of the Smishing Epidemic

The mobile phone is the most intimate piece of hardware in the modern world, a device that lives in our pockets and demands our immediate attention with every haptic buzz and notification chime. This proximity creates a dangerous psychological feedback loop where the user is conditioned to respond to SMS messages with a level of trust that they would never afford an unsolicited email. While email has decades of junk mail filters and visible header data to warn us of danger, the SMS interface is deceptively clean and stripped of context. When a text arrives claiming to be from a major financial institution, it enters a high-trust environment where the barrier between a legitimate service alert and a criminally organized credential harvest is virtually non-existent. Analyzing the current threat landscape, it is clear that the surge in smishing is not merely a technical failure of our telecommunications infrastructure, but a masterful exploitation of human neurobiology. Attackers understand that by bypassing the corporate firewall and landing directly on a victim’s personal device, they are catching the user in a state of cognitive vulnerability, often while they are distracted, tired, or multi-tasking.

The sheer volume of these attacks indicates a shift toward the industrialization of mobile deception. According to recent data, bank impersonation via text message has skyrocketed to become one of the most reported scams, primarily because the return on investment is staggering compared to traditional phishing. It costs almost nothing for an adversary to blast out thousands of messages using automated scripts and cheap gateway services, yet the potential payoff is total access to a victim’s financial life. This is not a hobbyist’s game; it is a highly refined business model that relies on the trusted screen effect. We have been trained to view our phone numbers as a secure second factor for authentication, which ironically makes us more susceptible to the very messages that seek to undermine that security. Consequently, the first step in defending against these attacks is to dismantle the inherent trust we place in the SMS protocol, recognizing that the medium itself is fundamentally insecure and easily manipulated by anyone with a malicious intent and a basic understanding of social engineering.

Red Flag #1: The False Sense of Urgency and Emotional Manipulation

The most potent weapon in a smisher’s arsenal is not a sophisticated zero-day exploit, but the manufactured crisis. Every successful bank-themed phishing message is designed to trigger a physiological response that prioritizes immediate action over rational analysis. When you receive a text stating that your account has been suspended due to suspicious activity or that a large transfer is pending your approval, the attacker is forcing you into a high-stakes decision window. They know that a panicked user is unlikely to look for the subtle technical flaws in the message because their primary focus is on resolving the perceived threat to their financial stability. This artificial urgency is a deliberate tactic to bypass the critical thinking filters that would otherwise identify the message as fraudulent. In the world of social engineering, time is the enemy of the victim and the best friend of the predator. By imposing a deadline, the adversary effectively shuts down the user’s ability to verify the claim through official channels.

Furthermore, these messages often utilize a push-pull dynamic of fear and relief. The initial fear of a compromised account is immediately followed by the perceived relief of a simple solution provided in the form of a link. This emotional roller coaster is a hallmark of sophisticated phishing kits where the goal is to drive the victim toward a pre-built landing page that mimics the bank’s actual login portal. I see this pattern repeated across thousands of observed samples: the language is always direct, the consequence is always severe, and the solution is always a single click away. Professionals must understand that a legitimate financial institution will never use a medium as volatile and insecure as SMS to demand immediate, high-stakes action involving sensitive credentials. If a message makes your heart rate spike before you’ve even finished reading the first sentence, that is not a customer service alert; it is a psychological exploit in progress. The grit of the situation is that these attackers are betting on your human instinct to protect what is yours, and they are winning because our biological hardware hasn’t evolved as fast as their social engineering software.

Red Flag #2: Deconstructing the Malicious URL and Domain Spoofing

The technical linchpin of a bank impersonation scam is the hyperlink, a digital trapdoor designed to look like a bridge to safety. In a legitimate banking environment, URLs are predictable, branded, and hosted on top-level domains that the institution has spent millions of dollars securing. However, attackers rely on the fact that the average mobile user rarely inspects the full string of a URL on a five-inch screen. To obscure their intent, they leverage URL shorteners or link-in-bio services that strip away the destination’s identity, replacing a recognizable bank domain with a sanitized, high-trust string of characters. When you see a link that begins with a generic shortening service, you are looking at a deliberate attempt to hide a malicious redirection chain. This infrastructure is often backed by sophisticated Phishing-as-a-Service platforms which generate unique, one-time-use links for every target. This makes it significantly harder for automated security filters to flag the domain as malicious because the URL effectively dies after it has been clicked by the intended victim, leaving no trail for threat researchers to follow in real-time.

Beyond simple shortening, more advanced adversaries utilize typosquatting or punycode attacks to create a visual illusion of legitimacy. They might register a domain that replaces a lowercase letter with a similarly shaped number, or they use international character sets that look identical to the English alphabet but lead to an entirely different server in a jurisdiction where law enforcement is non-existent. These spoofed domains are often hosted on legitimate cloud infrastructure, which allows them to bypass reputation-based filters that only look for bad neighborhoods on the internet. Once you click that link, you aren’t just visiting a website; you are entering a controlled environment where every pixel has been engineered to mirror your bank’s actual interface. The gritty reality is that by the time you realize the URL in the address bar is off by a single character, your keystrokes have already been captured by a headless browser or an Adversary-in-the-Middle proxy. Analyzing these landing pages reveals a level of craft that includes working help links and legitimate-looking privacy policies, all designed to keep you in the trust zone just long enough to hand over your credentials.

Red Flag #3: Inconsistencies in Delivery Architecture and Metadata

If you want to spot a fraudster, you have to look at the plumbing of the message itself. Legitimate financial institutions invest heavily in Short Code registries—those five or six-digit numbers that are strictly regulated and vetted by telecommunications carriers. When a bank sends an automated alert, it almost always originates from one of these verified short codes because they allow for high-throughput, reliable delivery that is difficult for scammers to spoof at scale. In contrast, most smishing attacks originate from standard ten-digit Long Codes or, increasingly, from email addresses masquerading as phone numbers via the SMS gateway. If a message claiming to be from a multi-billion dollar global bank arrives from a random area code in a different state or a Gmail address, the architecture of the delivery is screaming that it is a fraud. These long codes are essentially burner numbers, bought in bulk through VoIP providers or generated via automated botnets of compromised mobile devices. The disconnect between the supposed sender and the technical origin of the message is a massive red flag that is hiding in plain sight.

Furthermore, the metadata and lack of personalization provide critical clues to the message’s illegitimacy. A real bank notification is tied to a specific account and a specific customer profile; it will often include a partial account number or use a specific format that matches previous interactions you have had with that institution. Smishing messages, however, are designed for the spray and pray method. They use generic salutations like “Dear Customer” or “Valued Member” because the attacker doesn’t actually know who you are; they only know that your phone number was part of a massive data leak from a social media breach or a compromised e-commerce database. These messages are sent to thousands of people simultaneously, betting on the statistical probability that a certain percentage will actually have an account with the bank being impersonated. This lack of specificity is a hallmark of industrial-scale social engineering. When you receive a text that feels like a form letter with an artificial sense of emergency, it is a clear sign that you are being targeted by an automated script rather than a legitimate service department. The absence of your name or specific account details isn’t just a lapse in customer service; it is a fundamental technical indicator of a malicious campaign.

The Failure of Traditional MFA against Modern Smishing

The most dangerous misconception in modern personal security is the belief that Multi-Factor Authentication (MFA) via SMS is an impenetrable shield. While having any MFA is better than none, the grit of the current threat landscape is that smishing has evolved to bypass these secondary layers with ease. Modern phishing kits are no longer static pages that just steal a password; they are dynamic proxies that facilitate Adversary-in-the-Middle (AiTM) attacks. When a victim enters their credentials into a fraudulent bank portal, the attacker’s server passes those credentials to the real bank’s login page in real-time. The bank then sends a legitimate MFA code to the victim’s phone. The victim, thinking they are on the real site, enters that code into the attacker’s portal. The attacker then intercepts that code and uses it to complete the login on the real site, effectively hijacking the session. Within seconds, the adversary has bypassed the very security measure designed to stop them, proving that SMS-based codes are a liability in a world of proxied attacks.

This technical reality necessitates a shift toward more robust authentication standards. Analyzing the successful breaches of the last few years, it is evident that the only reliable defense against smishing-induced MFA bypass is the implementation of hardware-backed security keys or FIDO2/WebAuthn standards. These methods use public-key cryptography to ensure that the authentication attempt is tied to the specific, legitimate domain of the service provider. If an attacker directs a victim to a spoofed domain, the security key will simply refuse to authenticate because the domain signature doesn’t match. Consequently, relying on “text-to-verify” is essentially building a house of cards in a hurricane. We must move toward a zero-trust model for mobile interactions where no incoming text message is considered valid until it is verified through a separate, trusted out-of-band channel, such as calling the official number on the back of your physical debit card or using the bank’s official, sandboxed mobile application.

Hardening the Human and Technical Perimeter

Defeating the smishing threat requires more than just a sharp eye for typos; it requires a fundamental change in how we interact with our mobile devices. The first line of defense is a technical one: treat every unsolicited message as a potential payload. This means never clicking a link in an SMS, regardless of how legitimate it looks or how much pressure the message applies. Instead, the standard operating procedure should be to close the messaging app and navigate directly to the bank’s official website by typing the address into the browser yourself, or by opening the official app. This simple act of “breaking the chain” completely neutralizes the attacker’s redirection infrastructure. Furthermore, users should take advantage of mobile threat defense (MTD) tools and carrier-level spam reporting features. By forwarding suspicious messages to the “7726” (SPAM) short code used by most major carriers, you are contributing to a global database that helps telecommunications providers block these malicious origin points before they reach the next victim.

Ultimately, we have to accept that the SMS protocol was never designed with security in mind; it was designed for convenience. In a professional context, this means that organizations must stop using SMS for sensitive customer communications and move toward encrypted, authenticated in-app messaging. For the individual, it means adopting a mindset of aggressive skepticism. If your bank really needs to reach you, they will use a secure channel or a verified notification system that doesn’t rely on a fragile, easily spoofed text message. The gritty truth is that as long as people keep clicking, criminals will keep texting. By identifying these red flags—the manufactured urgency, the mangled URLs,

Call to Action

The digital battlefield is no longer confined to server rooms and encrypted tunnels; it is in the palm of your hand, vibrating in your pocket every time a predator decides to test your defenses. You can no longer afford to treat an SMS as a “simple text.” In an era where organized crime syndicates use automated botnets to exploit human fear, your only real firewall is a shift in mindset. You have the technical red flags—the artificial urgency, the mangled URLs, and the broken delivery architecture. Now, you have to use them.

Don’t wait until your balance hits zero to start taking mobile security seriously. Audit your accounts today. If you’re still relying on SMS-based two-factor authentication for your primary banking, you are leaving the door unlocked for any adversary with a proxy kit. Switch to a hardware-backed security key or an authenticator app immediately. The next time you receive a “critical alert” from your bank, don’t click. Don’t reply. Delete the message, open your browser, and go to the source yourself. The criminals are betting that you’ll be too distracted to notice the trap; prove them wrong by staying relentlessly skeptical. Your data is your responsibility—defend it like it.

D. Bryan King

Sources

• Verizon 2024 Data Breach Investigations Report (DBIR)
• CISA: Identifying and Mitigating SMS Phishing (Smishing)
• NIST: Behavioral Science and Cybersecurity Phishing Research
• MITRE: Strategies for Stopping Phishing Attacks
• Krebs on Security: The Era of Easy Smishing
• FCC: New Rules on Combating Illegal Robotexts and Smishing
• MITRE ATT&CK: Phishing: Forging Communications (SMS)
• Proofpoint: The Smishing Landscape and Mobile Threat Trends
• Zscaler: The Rise of Phishing-as-a-Service (PhaaS)
• Microsoft Security: Evolving Trends in Smishing
• FTC: Reports of Phishing Texts Top All Other Impersonation Scams
• Scamwatch: Deep Dive into Bank Impersonation Tactics
• ENISA Threat Landscape: Social Engineering and Phishing Trends

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

Related Posts

Rate this:

FlowerStorm Phishing Kit Targeting Microsoft Credentials via Cloudflare-Backed Infrastructure

IOCs related to FlowerStorm phishing‑kit–driven campaign that delivers fake Microsoft authentication pages via compromised domains fronted by Cloudflare. The activity abuses legitimate cloud and CDN services for delivery while credential harvesting occurs on attacker‑controlled infrastructure, with incidental contact to Microsoft services during normal browser behavior. that uses its own web servers to target victims' login credentials and access to their personal details and login details on its servers.

Pulse ID: 69e628228cf9938a05a3c669
Pulse Link: https://otx.alienvault.com/pulse/69e628228cf9938a05a3c669
Pulse Author: AlienVault
Created: 2026-04-20 13:20:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CDN #Cloud #CredentialHarvesting #CyberSecurity #InfoSec #Microsoft #OTX #OpenThreatExchange #Phishing #Troll #bot #AlienVault

Untangling a Linux Incident With an OpenAI Twist

A technology sector organization experienced a multi-actor compromise on a Linux endpoint where cryptominers were deployed and credential harvesting occurred. The incident became complex when the legitimate user attempted to troubleshoot suspected malicious activity using OpenAI's Codex AI agent while threat actors remained active on the system. The EDR agent was installed mid-compromise, limiting historical visibility. Codex-generated commands created investigative challenges as they mimicked attacker techniques, triggering security detections and complicating the distinction between legitimate troubleshooting and malicious activity. While Codex helped terminate some malicious processes, it failed to provide complete remediation, allowing threat actors to continue exfiltrating credentials, tokens, and cloud metadata through multiple persistence mechanisms.

Pulse ID: 69e2417e5e4fdd5f16c75dbe
Pulse Link: https://otx.alienvault.com/pulse/69e2417e5e4fdd5f16c75dbe
Pulse Author: AlienVault
Created: 2026-04-17 14:19:42

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CredentialHarvesting #CryptoMiner #CyberSecurity #EDR #Endpoint #InfoSec #Linux #Mimic #OTX #OpenThreatExchange #RAT #SMS #bot #AlienVault

Using KATA and KEDR to detect the AdaptixC2 agent

AdaptixC2 is an emerging open-source post-exploitation framework rapidly adopted by threat actors in APT attacks and ransomware campaigns. Written in Go and C++, it supports Windows, macOS, and Linux with extensive modularity through Beacon Object Files (BOFs). The framework enables diverse command-and-control channels including HTTP/S, TCP, mTLS, DNS, DoH, and SMB with RC4 encryption throughout. It implements sophisticated evasion techniques targeting both network detection systems and endpoint defenses. Despite advanced obfuscation capabilities, network-level detection remains viable through analysis of distinctive communication patterns, header structures, and behavioral indicators. The framework supports credential harvesting via LSASS dumping, LAPS exploitation, and Kerberos attacks, alongside defense evasion through process injection and lateral movement via WinRM and PsExec. Combined NDR and EDR solutions provide effective multi-layered detection coverage against AdaptixC2 operations across network ...

Pulse ID: 69e2824daddc65cc4bab207d
Pulse Link: https://otx.alienvault.com/pulse/69e2824daddc65cc4bab207d
Pulse Author: AlienVault
Created: 2026-04-17 18:56:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CredentialHarvesting #CyberSecurity #DNS #EDR #Encryption #Endpoint #HTTP #InfoSec #Linux #Mac #MacOS #OTX #OpenThreatExchange #PsExec #RAT #RCE #RansomWare #SMB #TCP #TLS #Windows #bot #AlienVault

Using KATA and KEDR to detect the AdaptixC2 agent

AdaptixC2 is an emerging open-source post-exploitation framework rapidly adopted by threat actors in APT attacks and ransomware campaigns. Written in Go and C++, it supports Windows, macOS, and Linux with extensive modularity through Beacon Object Files (BOFs). The framework enables diverse command-and-control channels including HTTP/S, TCP, mTLS, DNS, DoH, and SMB with RC4 encryption throughout. It implements sophisticated evasion techniques targeting both network detection systems and endpoint defenses. Despite advanced obfuscation capabilities, network-level detection remains viable through analysis of distinctive communication patterns, header structures, and behavioral indicators. The framework supports credential harvesting via LSASS dumping, LAPS exploitation, and Kerberos attacks, alongside defense evasion through process injection and lateral movement via WinRM and PsExec. Combined NDR and EDR solutions provide effective multi-layered detection coverage against AdaptixC2 operations across network ...

Pulse ID: 69e2824daddc65cc4bab207d
Pulse Link: https://otx.alienvault.com/pulse/69e2824daddc65cc4bab207d
Pulse Author: AlienVault
Created: 2026-04-17 18:56:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CredentialHarvesting #CyberSecurity #DNS #EDR #Encryption #Endpoint #HTTP #InfoSec #Linux #Mac #MacOS #OTX #OpenThreatExchange #PsExec #RAT #RCE #RansomWare #SMB #TCP #TLS #Windows #bot #AlienVault

Using KATA and KEDR to detect the AdaptixC2 agent

AdaptixC2 is an emerging open-source post-exploitation framework rapidly adopted by threat actors in APT attacks and ransomware campaigns. Written in Go and C++, it supports Windows, macOS, and Linux with extensive modularity through Beacon Object Files (BOFs). The framework enables diverse command-and-control channels including HTTP/S, TCP, mTLS, DNS, DoH, and SMB with RC4 encryption throughout. It implements sophisticated evasion techniques targeting both network detection systems and endpoint defenses. Despite advanced obfuscation capabilities, network-level detection remains viable through analysis of distinctive communication patterns, header structures, and behavioral indicators. The framework supports credential harvesting via LSASS dumping, LAPS exploitation, and Kerberos attacks, alongside defense evasion through process injection and lateral movement via WinRM and PsExec. Combined NDR and EDR solutions provide effective multi-layered detection coverage against AdaptixC2 operations across network ...

Pulse ID: 69e2824daddc65cc4bab207d
Pulse Link: https://otx.alienvault.com/pulse/69e2824daddc65cc4bab207d
Pulse Author: AlienVault
Created: 2026-04-17 18:56:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CredentialHarvesting #CyberSecurity #DNS #EDR #Encryption #Endpoint #HTTP #InfoSec #Linux #Mac #MacOS #OTX #OpenThreatExchange #PsExec #RAT #RCE #RansomWare #SMB #TCP #TLS #Windows #bot #AlienVault

Using KATA and KEDR to detect the AdaptixC2 agent

AdaptixC2 is an emerging open-source post-exploitation framework rapidly adopted by threat actors in APT attacks and ransomware campaigns. Written in Go and C++, it supports Windows, macOS, and Linux with extensive modularity through Beacon Object Files (BOFs). The framework enables diverse command-and-control channels including HTTP/S, TCP, mTLS, DNS, DoH, and SMB with RC4 encryption throughout. It implements sophisticated evasion techniques targeting both network detection systems and endpoint defenses. Despite advanced obfuscation capabilities, network-level detection remains viable through analysis of distinctive communication patterns, header structures, and behavioral indicators. The framework supports credential harvesting via LSASS dumping, LAPS exploitation, and Kerberos attacks, alongside defense evasion through process injection and lateral movement via WinRM and PsExec. Combined NDR and EDR solutions provide effective multi-layered detection coverage against AdaptixC2 operations across network ...

Pulse ID: 69e2824daddc65cc4bab207d
Pulse Link: https://otx.alienvault.com/pulse/69e2824daddc65cc4bab207d
Pulse Author: AlienVault
Created: 2026-04-17 18:56:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CredentialHarvesting #CyberSecurity #DNS #EDR #Encryption #Endpoint #HTTP #InfoSec #Linux #Mac #MacOS #OTX #OpenThreatExchange #PsExec #RAT #RCE #RansomWare #SMB #TCP #TLS #Windows #bot #AlienVault

Using KATA and KEDR to detect the AdaptixC2 agent

AdaptixC2 is an emerging open-source post-exploitation framework rapidly adopted by threat actors in APT attacks and ransomware campaigns. Written in Go and C++, it supports Windows, macOS, and Linux with extensive modularity through Beacon Object Files (BOFs). The framework enables diverse command-and-control channels including HTTP/S, TCP, mTLS, DNS, DoH, and SMB with RC4 encryption throughout. It implements sophisticated evasion techniques targeting both network detection systems and endpoint defenses. Despite advanced obfuscation capabilities, network-level detection remains viable through analysis of distinctive communication patterns, header structures, and behavioral indicators. The framework supports credential harvesting via LSASS dumping, LAPS exploitation, and Kerberos attacks, alongside defense evasion through process injection and lateral movement via WinRM and PsExec. Combined NDR and EDR solutions provide effective multi-layered detection coverage against AdaptixC2 operations across network ...

Pulse ID: 69e2824daddc65cc4bab207d
Pulse Link: https://otx.alienvault.com/pulse/69e2824daddc65cc4bab207d
Pulse Author: AlienVault
Created: 2026-04-17 18:56:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CredentialHarvesting #CyberSecurity #DNS #EDR #Encryption #Endpoint #HTTP #InfoSec #Linux #Mac #MacOS #OTX #OpenThreatExchange #PsExec #RAT #RCE #RansomWare #SMB #TCP #TLS #Windows #bot #AlienVault