#spearphishing — Public Fediverse posts

Disclosing new PebbleDash-based tools

Kaspersky researchers conducted an in-depth analysis of Kimsuky APT activity, revealing tactical shifts and new malware variants based on the PebbleDash platform. The group introduced HelloDoor, a Rust-based backdoor, httpMalice leveraging HTTP and Dropbox communications, and updated MemLoad and httpTroy variants. Kimsuky maintains persistence through legitimate tools including VSCode Tunneling with GitHub authentication and DWAgent remote management software. Initial access occurs via spear-phishing with malicious attachments disguised as documents. The group primarily targets South Korean entities across government and defense sectors, with additional PebbleDash attacks observed in Brazil and Germany. Infrastructure relies on free South Korean hosting services and tunneling services like Cloudflare Quick Tunnels and Ngrok. Both PebbleDash and AppleSeed malware clusters demonstrate ongoing development with shared distribution methods, stolen certificates, and overlapping targets, indicating single-actor c...

Pulse ID: 6a05af0979e3cc1214a50d4e
Pulse Link: https://otx.alienvault.com/pulse/6a05af0979e3cc1214a50d4e
Pulse Author: AlienVault
Created: 2026-05-14 11:16:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AppleSeed #BackDoor #Brazil #Cloud #CyberSecurity #Dropbox #Germany #GitHub #Government #HTTP #InfoSec #Kaspersky #Kimsuky #Korea #Malware #OTX #OpenThreatExchange #Phishing #RAT #Rust #SouthKorea #SpearPhishing #UK #bot #AlienVault

Disclosing new PebbleDash-based tools

Kaspersky researchers conducted an in-depth analysis of Kimsuky APT activity, revealing tactical shifts and new malware variants based on the PebbleDash platform. The group introduced HelloDoor, a Rust-based backdoor, httpMalice leveraging HTTP and Dropbox communications, and updated MemLoad and httpTroy variants. Kimsuky maintains persistence through legitimate tools including VSCode Tunneling with GitHub authentication and DWAgent remote management software. Initial access occurs via spear-phishing with malicious attachments disguised as documents. The group primarily targets South Korean entities across government and defense sectors, with additional PebbleDash attacks observed in Brazil and Germany. Infrastructure relies on free South Korean hosting services and tunneling services like Cloudflare Quick Tunnels and Ngrok. Both PebbleDash and AppleSeed malware clusters demonstrate ongoing development with shared distribution methods, stolen certificates, and overlapping targets, indicating single-actor c...

Pulse ID: 6a05af0979e3cc1214a50d4e
Pulse Link: https://otx.alienvault.com/pulse/6a05af0979e3cc1214a50d4e
Pulse Author: AlienVault
Created: 2026-05-14 11:16:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AppleSeed #BackDoor #Brazil #Cloud #CyberSecurity #Dropbox #Germany #GitHub #Government #HTTP #InfoSec #Kaspersky #Kimsuky #Korea #Malware #OTX #OpenThreatExchange #Phishing #RAT #Rust #SouthKorea #SpearPhishing #UK #bot #AlienVault

Disclosing new PebbleDash-based tools

Kaspersky researchers conducted an in-depth analysis of Kimsuky APT activity, revealing tactical shifts and new malware variants based on the PebbleDash platform. The group introduced HelloDoor, a Rust-based backdoor, httpMalice leveraging HTTP and Dropbox communications, and updated MemLoad and httpTroy variants. Kimsuky maintains persistence through legitimate tools including VSCode Tunneling with GitHub authentication and DWAgent remote management software. Initial access occurs via spear-phishing with malicious attachments disguised as documents. The group primarily targets South Korean entities across government and defense sectors, with additional PebbleDash attacks observed in Brazil and Germany. Infrastructure relies on free South Korean hosting services and tunneling services like Cloudflare Quick Tunnels and Ngrok. Both PebbleDash and AppleSeed malware clusters demonstrate ongoing development with shared distribution methods, stolen certificates, and overlapping targets, indicating single-actor c...

Pulse ID: 6a05af0979e3cc1214a50d4e
Pulse Link: https://otx.alienvault.com/pulse/6a05af0979e3cc1214a50d4e
Pulse Author: AlienVault
Created: 2026-05-14 11:16:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AppleSeed #BackDoor #Brazil #Cloud #CyberSecurity #Dropbox #Germany #GitHub #Government #HTTP #InfoSec #Kaspersky #Kimsuky #Korea #Malware #OTX #OpenThreatExchange #Phishing #RAT #Rust #SouthKorea #SpearPhishing #UK #bot #AlienVault

Disclosing new PebbleDash-based tools

Kaspersky researchers conducted an in-depth analysis of Kimsuky APT activity, revealing tactical shifts and new malware variants based on the PebbleDash platform. The group introduced HelloDoor, a Rust-based backdoor, httpMalice leveraging HTTP and Dropbox communications, and updated MemLoad and httpTroy variants. Kimsuky maintains persistence through legitimate tools including VSCode Tunneling with GitHub authentication and DWAgent remote management software. Initial access occurs via spear-phishing with malicious attachments disguised as documents. The group primarily targets South Korean entities across government and defense sectors, with additional PebbleDash attacks observed in Brazil and Germany. Infrastructure relies on free South Korean hosting services and tunneling services like Cloudflare Quick Tunnels and Ngrok. Both PebbleDash and AppleSeed malware clusters demonstrate ongoing development with shared distribution methods, stolen certificates, and overlapping targets, indicating single-actor c...

Pulse ID: 6a05af0979e3cc1214a50d4e
Pulse Link: https://otx.alienvault.com/pulse/6a05af0979e3cc1214a50d4e
Pulse Author: AlienVault
Created: 2026-05-14 11:16:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AppleSeed #BackDoor #Brazil #Cloud #CyberSecurity #Dropbox #Germany #GitHub #Government #HTTP #InfoSec #Kaspersky #Kimsuky #Korea #Malware #OTX #OpenThreatExchange #Phishing #RAT #Rust #SouthKorea #SpearPhishing #UK #bot #AlienVault

Disclosing new PebbleDash-based tools

Kaspersky researchers conducted an in-depth analysis of Kimsuky APT activity, revealing tactical shifts and new malware variants based on the PebbleDash platform. The group introduced HelloDoor, a Rust-based backdoor, httpMalice leveraging HTTP and Dropbox communications, and updated MemLoad and httpTroy variants. Kimsuky maintains persistence through legitimate tools including VSCode Tunneling with GitHub authentication and DWAgent remote management software. Initial access occurs via spear-phishing with malicious attachments disguised as documents. The group primarily targets South Korean entities across government and defense sectors, with additional PebbleDash attacks observed in Brazil and Germany. Infrastructure relies on free South Korean hosting services and tunneling services like Cloudflare Quick Tunnels and Ngrok. Both PebbleDash and AppleSeed malware clusters demonstrate ongoing development with shared distribution methods, stolen certificates, and overlapping targets, indicating single-actor c...

Pulse ID: 6a05af0979e3cc1214a50d4e
Pulse Link: https://otx.alienvault.com/pulse/6a05af0979e3cc1214a50d4e
Pulse Author: AlienVault
Created: 2026-05-14 11:16:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AppleSeed #BackDoor #Brazil #Cloud #CyberSecurity #Dropbox #Germany #GitHub #Government #HTTP #InfoSec #Kaspersky #Kimsuky #Korea #Malware #OTX #OpenThreatExchange #Phishing #RAT #Rust #SouthKorea #SpearPhishing #UK #bot #AlienVault

Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign

A sophisticated campaign linked to APT37 delivers Python-based backdoors through spear-phishing emails containing malicious LNK files disguised as legitimate documents. Attackers use themes including airline e-tickets, North Korea research invitations, and impersonation of defense and police officials to induce execution. The LNK files employ environment variable-based obfuscation techniques to download additional BAT files, which establish a Python runtime environment and execute compiled Python bytecode disguised with .cat extensions. The malware functions as a remote command execution backdoor, communicating with C2 servers to receive commands and exfiltrate results. Persistence is maintained through scheduled tasks executing at one-minute intervals. The campaign shows strong tactical similarities to previous APT37 operations, including infrastructure patterns, script obfuscation methods, and the abuse of legitimate tools.

Pulse ID: 6a04a9a090a64de310cb0568
Pulse Link: https://otx.alienvault.com/pulse/6a04a9a090a64de310cb0568
Pulse Author: AlienVault
Created: 2026-05-13 16:41:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT37 #BackDoor #CyberSecurity #Email #InfoSec #Korea #LNK #Malware #NorthKorea #OTX #OpenThreatExchange #Phishing #Python #RAT #RemoteCommandExecution #SpearPhishing #bot #AlienVault

Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign

A sophisticated campaign linked to APT37 delivers Python-based backdoors through spear-phishing emails containing malicious LNK files disguised as legitimate documents. Attackers use themes including airline e-tickets, North Korea research invitations, and impersonation of defense and police officials to induce execution. The LNK files employ environment variable-based obfuscation techniques to download additional BAT files, which establish a Python runtime environment and execute compiled Python bytecode disguised with .cat extensions. The malware functions as a remote command execution backdoor, communicating with C2 servers to receive commands and exfiltrate results. Persistence is maintained through scheduled tasks executing at one-minute intervals. The campaign shows strong tactical similarities to previous APT37 operations, including infrastructure patterns, script obfuscation methods, and the abuse of legitimate tools.

Pulse ID: 6a04a9a090a64de310cb0568
Pulse Link: https://otx.alienvault.com/pulse/6a04a9a090a64de310cb0568
Pulse Author: AlienVault
Created: 2026-05-13 16:41:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT37 #BackDoor #CyberSecurity #Email #InfoSec #Korea #LNK #Malware #NorthKorea #OTX #OpenThreatExchange #Phishing #Python #RAT #RemoteCommandExecution #SpearPhishing #bot #AlienVault

Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign

A sophisticated campaign linked to APT37 delivers Python-based backdoors through spear-phishing emails containing malicious LNK files disguised as legitimate documents. Attackers use themes including airline e-tickets, North Korea research invitations, and impersonation of defense and police officials to induce execution. The LNK files employ environment variable-based obfuscation techniques to download additional BAT files, which establish a Python runtime environment and execute compiled Python bytecode disguised with .cat extensions. The malware functions as a remote command execution backdoor, communicating with C2 servers to receive commands and exfiltrate results. Persistence is maintained through scheduled tasks executing at one-minute intervals. The campaign shows strong tactical similarities to previous APT37 operations, including infrastructure patterns, script obfuscation methods, and the abuse of legitimate tools.

Pulse ID: 6a04a9a090a64de310cb0568
Pulse Link: https://otx.alienvault.com/pulse/6a04a9a090a64de310cb0568
Pulse Author: AlienVault
Created: 2026-05-13 16:41:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT37 #BackDoor #CyberSecurity #Email #InfoSec #Korea #LNK #Malware #NorthKorea #OTX #OpenThreatExchange #Phishing #Python #RAT #RemoteCommandExecution #SpearPhishing #bot #AlienVault

Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign

A sophisticated campaign linked to APT37 delivers Python-based backdoors through spear-phishing emails containing malicious LNK files disguised as legitimate documents. Attackers use themes including airline e-tickets, North Korea research invitations, and impersonation of defense and police officials to induce execution. The LNK files employ environment variable-based obfuscation techniques to download additional BAT files, which establish a Python runtime environment and execute compiled Python bytecode disguised with .cat extensions. The malware functions as a remote command execution backdoor, communicating with C2 servers to receive commands and exfiltrate results. Persistence is maintained through scheduled tasks executing at one-minute intervals. The campaign shows strong tactical similarities to previous APT37 operations, including infrastructure patterns, script obfuscation methods, and the abuse of legitimate tools.

Pulse ID: 6a04a9a090a64de310cb0568
Pulse Link: https://otx.alienvault.com/pulse/6a04a9a090a64de310cb0568
Pulse Author: AlienVault
Created: 2026-05-13 16:41:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT37 #BackDoor #CyberSecurity #Email #InfoSec #Korea #LNK #Malware #NorthKorea #OTX #OpenThreatExchange #Phishing #Python #RAT #RemoteCommandExecution #SpearPhishing #bot #AlienVault

Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign

A sophisticated campaign linked to APT37 delivers Python-based backdoors through spear-phishing emails containing malicious LNK files disguised as legitimate documents. Attackers use themes including airline e-tickets, North Korea research invitations, and impersonation of defense and police officials to induce execution. The LNK files employ environment variable-based obfuscation techniques to download additional BAT files, which establish a Python runtime environment and execute compiled Python bytecode disguised with .cat extensions. The malware functions as a remote command execution backdoor, communicating with C2 servers to receive commands and exfiltrate results. Persistence is maintained through scheduled tasks executing at one-minute intervals. The campaign shows strong tactical similarities to previous APT37 operations, including infrastructure patterns, script obfuscation methods, and the abuse of legitimate tools.

Pulse ID: 6a04a9a090a64de310cb0568
Pulse Link: https://otx.alienvault.com/pulse/6a04a9a090a64de310cb0568
Pulse Author: AlienVault
Created: 2026-05-13 16:41:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT37 #BackDoor #CyberSecurity #Email #InfoSec #Korea #LNK #Malware #NorthKorea #OTX #OpenThreatExchange #Phishing #Python #RAT #RemoteCommandExecution #SpearPhishing #bot #AlienVault

https://www.europesays.com/britain/35998/ UK SMEs better at email security than North America #AttackSurfaceManagement #Brokers #BusinessContinuity #BusinessEmailCompromise #Canada #CyberInsurance #CyberResilience #CyberRisk #Cybersecurity #DMARC #EmailSecurity #Infosec #ITGovernance #KYND #Patching #Phishing #Ransomware #RemoteAccess #Risk&Compliance #RiskManagement #SecurityPosture #SmallBusiness(SMB) #SpearPhishing #UK #UnitedKingdom #UnitedKingdom(UK) #UnitedStates(US)

From Cyberwar to Cognitive Warfare: The Geopolitical Impact on Cybersecurity in Africa

We’ve long defi…
#UnitedStates #US #USA #america #anti-phishingtraining #cryptolocker #Florida #geopolitics #hackers #Hacking #kevinmitnick #knowbe4 #on-linetraining #phish-prone #phishing #Politics #ransomware #securityawarenesstraining #SocialEngineering #spearphishing #stusjouwerman #tampabay #training #unitedstatesofamerica #UnitedStatesPolitics #USPolitics #usapolitics
https://www.europesays.com/2974703/

📬 Stalkerware-GAU: 86.859 private Screenshots lagen offen im Netz
#Cyberangriffe #Datenschutz #CloudRepository #Cocospy #KontrollApp #SpearPhishing #Spyic #Spyzie #StalkerwareGAU https://sc.tarnkappe.info/ecf82b

Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's Military Telecom & Philippine Healthcare

A sophisticated spear phishing campaign dubbed Operation GriefLure targeted senior executives of Viettel Group, Vietnam's largest military-owned telecommunications provider, and St. Luke's Medical Center in the Philippines. The operation weaponized authentic legal documents from a genuine data breach dispute involving a Vietnamese citizen and Viettel, alongside fabricated whistleblower complaints targeting Philippine healthcare administrators. Attackers delivered malicious Windows LNK files within nested RAR archives, abusing native ftp.exe as a Living-off-the-Land dropper. Upon execution, the payload assembled polymorphic implants directly on disk from chunked .doc files, establishing persistence while displaying legitimate decoy PDFs. The malware enabled remote access through process injection, credential harvesting from browsers and remote access tools, screenshot capture, and file exfiltration via HTTPS C2 communication to infrastructure hosted on bulletproof Hong Kong servers.

Pulse ID: 69fc841d0cbc4c199d708315
Pulse Link: https://otx.alienvault.com/pulse/69fc841d0cbc4c199d708315
Pulse Author: AlienVault
Created: 2026-05-07 12:22:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CredentialHarvesting #CyberSecurity #DataBreach #HTTP #HTTPS #Healthcare #HongKong #InfoSec #LNK #Malware #Military #OTX #OpenThreatExchange #PDF #Philippines #Phishing #RAT #SpearPhishing #Telecom #Telecommunication #UK #Vietnam #Windows #bot #AlienVault

Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's Military Telecom & Philippine Healthcare

A sophisticated spear phishing campaign dubbed Operation GriefLure targeted senior executives of Viettel Group, Vietnam's largest military-owned telecommunications provider, and St. Luke's Medical Center in the Philippines. The operation weaponized authentic legal documents from a genuine data breach dispute involving a Vietnamese citizen and Viettel, alongside fabricated whistleblower complaints targeting Philippine healthcare administrators. Attackers delivered malicious Windows LNK files within nested RAR archives, abusing native ftp.exe as a Living-off-the-Land dropper. Upon execution, the payload assembled polymorphic implants directly on disk from chunked .doc files, establishing persistence while displaying legitimate decoy PDFs. The malware enabled remote access through process injection, credential harvesting from browsers and remote access tools, screenshot capture, and file exfiltration via HTTPS C2 communication to infrastructure hosted on bulletproof Hong Kong servers.

Pulse ID: 69fc841d0cbc4c199d708315
Pulse Link: https://otx.alienvault.com/pulse/69fc841d0cbc4c199d708315
Pulse Author: AlienVault
Created: 2026-05-07 12:22:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CredentialHarvesting #CyberSecurity #DataBreach #HTTP #HTTPS #Healthcare #HongKong #InfoSec #LNK #Malware #Military #OTX #OpenThreatExchange #PDF #Philippines #Phishing #RAT #SpearPhishing #Telecom #Telecommunication #UK #Vietnam #Windows #bot #AlienVault

Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's Military Telecom & Philippine Healthcare

A sophisticated spear phishing campaign dubbed Operation GriefLure targeted senior executives of Viettel Group, Vietnam's largest military-owned telecommunications provider, and St. Luke's Medical Center in the Philippines. The operation weaponized authentic legal documents from a genuine data breach dispute involving a Vietnamese citizen and Viettel, alongside fabricated whistleblower complaints targeting Philippine healthcare administrators. Attackers delivered malicious Windows LNK files within nested RAR archives, abusing native ftp.exe as a Living-off-the-Land dropper. Upon execution, the payload assembled polymorphic implants directly on disk from chunked .doc files, establishing persistence while displaying legitimate decoy PDFs. The malware enabled remote access through process injection, credential harvesting from browsers and remote access tools, screenshot capture, and file exfiltration via HTTPS C2 communication to infrastructure hosted on bulletproof Hong Kong servers.

Pulse ID: 69fc841d0cbc4c199d708315
Pulse Link: https://otx.alienvault.com/pulse/69fc841d0cbc4c199d708315
Pulse Author: AlienVault
Created: 2026-05-07 12:22:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CredentialHarvesting #CyberSecurity #DataBreach #HTTP #HTTPS #Healthcare #HongKong #InfoSec #LNK #Malware #Military #OTX #OpenThreatExchange #PDF #Philippines #Phishing #RAT #SpearPhishing #Telecom #Telecommunication #UK #Vietnam #Windows #bot #AlienVault

Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's Military Telecom & Philippine Healthcare

A sophisticated spear phishing campaign dubbed Operation GriefLure targeted senior executives of Viettel Group, Vietnam's largest military-owned telecommunications provider, and St. Luke's Medical Center in the Philippines. The operation weaponized authentic legal documents from a genuine data breach dispute involving a Vietnamese citizen and Viettel, alongside fabricated whistleblower complaints targeting Philippine healthcare administrators. Attackers delivered malicious Windows LNK files within nested RAR archives, abusing native ftp.exe as a Living-off-the-Land dropper. Upon execution, the payload assembled polymorphic implants directly on disk from chunked .doc files, establishing persistence while displaying legitimate decoy PDFs. The malware enabled remote access through process injection, credential harvesting from browsers and remote access tools, screenshot capture, and file exfiltration via HTTPS C2 communication to infrastructure hosted on bulletproof Hong Kong servers.

Pulse ID: 69fc841d0cbc4c199d708315
Pulse Link: https://otx.alienvault.com/pulse/69fc841d0cbc4c199d708315
Pulse Author: AlienVault
Created: 2026-05-07 12:22:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CredentialHarvesting #CyberSecurity #DataBreach #HTTP #HTTPS #Healthcare #HongKong #InfoSec #LNK #Malware #Military #OTX #OpenThreatExchange #PDF #Philippines #Phishing #RAT #SpearPhishing #Telecom #Telecommunication #UK #Vietnam #Windows #bot #AlienVault

Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's Military Telecom & Philippine Healthcare

A sophisticated spear phishing campaign dubbed Operation GriefLure targeted senior executives of Viettel Group, Vietnam's largest military-owned telecommunications provider, and St. Luke's Medical Center in the Philippines. The operation weaponized authentic legal documents from a genuine data breach dispute involving a Vietnamese citizen and Viettel, alongside fabricated whistleblower complaints targeting Philippine healthcare administrators. Attackers delivered malicious Windows LNK files within nested RAR archives, abusing native ftp.exe as a Living-off-the-Land dropper. Upon execution, the payload assembled polymorphic implants directly on disk from chunked .doc files, establishing persistence while displaying legitimate decoy PDFs. The malware enabled remote access through process injection, credential harvesting from browsers and remote access tools, screenshot capture, and file exfiltration via HTTPS C2 communication to infrastructure hosted on bulletproof Hong Kong servers.

Pulse ID: 69fc841d0cbc4c199d708315
Pulse Link: https://otx.alienvault.com/pulse/69fc841d0cbc4c199d708315
Pulse Author: AlienVault
Created: 2026-05-07 12:22:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CredentialHarvesting #CyberSecurity #DataBreach #HTTP #HTTPS #Healthcare #HongKong #InfoSec #LNK #Malware #Military #OTX #OpenThreatExchange #PDF #Philippines #Phishing #RAT #SpearPhishing #Telecom #Telecommunication #UK #Vietnam #Windows #bot #AlienVault

Operation Silent Rotor: Rust-Based Malware Targets Eurasian Unmanned Aviation Sector Ahead of Moscow Summit

A sophisticated spear phishing campaign targets professionals in the Eurasian unmanned aviation sector, timed to coincide with the XIII Eurasian International Forum 'Unmanned Aviation 2026' in Moscow. The attack delivers malicious archives containing Rust-based executables disguised as legitimate documents from the Russian Aeronautical Information Center. The malware displays aviation-themed decoy documents in Russian while collecting system information including hostnames, volume serial numbers, network adapter details, and environment variables. Collected data is encrypted via XOR and exfiltrated to a C2 server over HTTPS. The malware subsequently downloads and executes a second-stage payload using AES-256 decryption. The campaign demonstrates targeted social engineering with realistic aviation order documents, translation certificates, and product summaries to compromise victims in Russia, Tajikistan, Central Asia, Middle East and Europe.

Pulse ID: 69fb57e600c03f5a6ac63de0
Pulse Link: https://otx.alienvault.com/pulse/69fb57e600c03f5a6ac63de0
Pulse Author: AlienVault
Created: 2026-05-06 15:01:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #CentralAsia #CyberSecurity #Europe #HTTP #HTTPS #InfoSec #Malware #MiddleEast #OTX #OpenThreatExchange #Phishing #RAT #Russia #Rust #SocialEngineering #SpearPhishing #bot #AlienVault

Operation Silent Rotor: Rust-Based Malware Targets Eurasian Unmanned Aviation Sector Ahead of Moscow Summit

A sophisticated spear phishing campaign targets professionals in the Eurasian unmanned aviation sector, timed to coincide with the XIII Eurasian International Forum 'Unmanned Aviation 2026' in Moscow. The attack delivers malicious archives containing Rust-based executables disguised as legitimate documents from the Russian Aeronautical Information Center. The malware displays aviation-themed decoy documents in Russian while collecting system information including hostnames, volume serial numbers, network adapter details, and environment variables. Collected data is encrypted via XOR and exfiltrated to a C2 server over HTTPS. The malware subsequently downloads and executes a second-stage payload using AES-256 decryption. The campaign demonstrates targeted social engineering with realistic aviation order documents, translation certificates, and product summaries to compromise victims in Russia, Tajikistan, Central Asia, Middle East and Europe.

Pulse ID: 69fb57e600c03f5a6ac63de0
Pulse Link: https://otx.alienvault.com/pulse/69fb57e600c03f5a6ac63de0
Pulse Author: AlienVault
Created: 2026-05-06 15:01:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #CentralAsia #CyberSecurity #Europe #HTTP #HTTPS #InfoSec #Malware #MiddleEast #OTX #OpenThreatExchange #Phishing #RAT #Russia #Rust #SocialEngineering #SpearPhishing #bot #AlienVault

Operation Silent Rotor: Rust-Based Malware Targets Eurasian Unmanned Aviation Sector Ahead of Moscow Summit

A sophisticated spear phishing campaign targets professionals in the Eurasian unmanned aviation sector, timed to coincide with the XIII Eurasian International Forum 'Unmanned Aviation 2026' in Moscow. The attack delivers malicious archives containing Rust-based executables disguised as legitimate documents from the Russian Aeronautical Information Center. The malware displays aviation-themed decoy documents in Russian while collecting system information including hostnames, volume serial numbers, network adapter details, and environment variables. Collected data is encrypted via XOR and exfiltrated to a C2 server over HTTPS. The malware subsequently downloads and executes a second-stage payload using AES-256 decryption. The campaign demonstrates targeted social engineering with realistic aviation order documents, translation certificates, and product summaries to compromise victims in Russia, Tajikistan, Central Asia, Middle East and Europe.

Pulse ID: 69fb57e600c03f5a6ac63de0
Pulse Link: https://otx.alienvault.com/pulse/69fb57e600c03f5a6ac63de0
Pulse Author: AlienVault
Created: 2026-05-06 15:01:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #CentralAsia #CyberSecurity #Europe #HTTP #HTTPS #InfoSec #Malware #MiddleEast #OTX #OpenThreatExchange #Phishing #RAT #Russia #Rust #SocialEngineering #SpearPhishing #bot #AlienVault

Operation Silent Rotor: Rust-Based Malware Targets Eurasian Unmanned Aviation Sector Ahead of Moscow Summit

A sophisticated spear phishing campaign targets professionals in the Eurasian unmanned aviation sector, timed to coincide with the XIII Eurasian International Forum 'Unmanned Aviation 2026' in Moscow. The attack delivers malicious archives containing Rust-based executables disguised as legitimate documents from the Russian Aeronautical Information Center. The malware displays aviation-themed decoy documents in Russian while collecting system information including hostnames, volume serial numbers, network adapter details, and environment variables. Collected data is encrypted via XOR and exfiltrated to a C2 server over HTTPS. The malware subsequently downloads and executes a second-stage payload using AES-256 decryption. The campaign demonstrates targeted social engineering with realistic aviation order documents, translation certificates, and product summaries to compromise victims in Russia, Tajikistan, Central Asia, Middle East and Europe.

Pulse ID: 69fb57e600c03f5a6ac63de0
Pulse Link: https://otx.alienvault.com/pulse/69fb57e600c03f5a6ac63de0
Pulse Author: AlienVault
Created: 2026-05-06 15:01:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #CentralAsia #CyberSecurity #Europe #HTTP #HTTPS #InfoSec #Malware #MiddleEast #OTX #OpenThreatExchange #Phishing #RAT #Russia #Rust #SocialEngineering #SpearPhishing #bot #AlienVault

Operation Silent Rotor: Rust-Based Malware Targets Eurasian Unmanned Aviation Sector Ahead of Moscow Summit

A sophisticated spear phishing campaign targets professionals in the Eurasian unmanned aviation sector, timed to coincide with the XIII Eurasian International Forum 'Unmanned Aviation 2026' in Moscow. The attack delivers malicious archives containing Rust-based executables disguised as legitimate documents from the Russian Aeronautical Information Center. The malware displays aviation-themed decoy documents in Russian while collecting system information including hostnames, volume serial numbers, network adapter details, and environment variables. Collected data is encrypted via XOR and exfiltrated to a C2 server over HTTPS. The malware subsequently downloads and executes a second-stage payload using AES-256 decryption. The campaign demonstrates targeted social engineering with realistic aviation order documents, translation certificates, and product summaries to compromise victims in Russia, Tajikistan, Central Asia, Middle East and Europe.

Pulse ID: 69fb57e600c03f5a6ac63de0
Pulse Link: https://otx.alienvault.com/pulse/69fb57e600c03f5a6ac63de0
Pulse Author: AlienVault
Created: 2026-05-06 15:01:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #CentralAsia #CyberSecurity #Europe #HTTP #HTTPS #InfoSec #Malware #MiddleEast #OTX #OpenThreatExchange #Phishing #RAT #Russia #Rust #SocialEngineering #SpearPhishing #bot #AlienVault

Analysis of Attack Activities Using SSH+TOR Tunnels to Achieve Covert Persistence

APT-C-13 (Sandworm), also known as FROZENBARENTS, is a state-sponsored advanced persistent threat group conducting global cyber espionage operations. The organization recently deployed malicious campaigns using nested SSH and TOR tunnel infrastructure to establish covert remote access channels. Attackers distribute ZIP archives containing weaponized LNK files via spearphishing emails, which extract and execute payloads that create scheduled tasks disguised as legitimate software. The attack establishes dual-encrypted anonymous tunnels using obfs4 protocol to bypass deep packet inspection, while mapping sensitive ports (SMB/445, RDP/3389) to Onion domains for persistent backdoor access. The campaign leverages sophisticated anti-analysis techniques including sandbox detection, file disguise, and process masquerading to evade detection and maintain long-term unauthorized control over compromised systems for intelligence collection.

Pulse ID: 69f1f50a5410ca637c84368c
Pulse Link: https://otx.alienvault.com/pulse/69f1f50a5410ca637c84368c
Pulse Author: AlienVault
Created: 2026-04-29 12:09:46

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Email #Espionage #InfoSec #LNK #OTX #Onion #OpenThreatExchange #Phishing #RAT #RDP #SMB #SSH #Sandworm #SpearPhishing #Worm #ZIP #bot #AlienVault

Attack Activity Analysis Using SSH+TOR Tunnels for Covert Persistence

APT-C-13 (Sandworm), also known as FROZENBARENTS, is a state-sponsored advanced persistent threat group conducting global cyber espionage targeting government agencies, diplomatic departments, energy enterprises, and research organizations. Recently detected samples reveal the group's use of nested SSH and TOR tunnel architecture to establish covert communication channels. The attack begins with spear-phishing emails delivering malicious LNK files disguised as PDF documents. Upon execution, the payload deploys TOR hidden services mapping internal ports (SMB/445, RDP/3389) to onion domains, while SSH services with public key authentication provide encrypted remote access. The malware employs obfs4 protocol to obfuscate TOR traffic, evading deep packet inspection. Persistence is achieved through scheduled tasks masquerading as legitimate applications like Opera GX and Dropbox, establishing an anonymous shadow management infrastructure for sustained intelligence collection.

Pulse ID: 69f06b1eeeb1fca735cb0bb8
Pulse Link: https://otx.alienvault.com/pulse/69f06b1eeeb1fca735cb0bb8
Pulse Author: AlienVault
Created: 2026-04-28 08:09:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Dropbox #Email #Espionage #Government #InfoSec #LNK #Malware #OTX #Onion #OpenThreatExchange #Opera #PDF #Phishing #RDP #SMB #SSH #Sandworm #SpearPhishing #Worm #bot #AlienVault

#Signal reagiert auf deutsche Probleme | heise online https://www.heise.de/news/Signal-Angriffe-Signal-raet-zu-Obacht-und-Registrierungssperre-11274258.html #phishing #SocialEngineering #SpearPhishing #CyberCrime @signalapp

Operation PhantomCLR: Stealth Execution via AppDomain Hijacking and In-Memory .NET Abuse

A highly sophisticated multi-stage post-exploitation framework targeting organizations in the Middle East and EMEA financial sectors exploits legitimate digitally signed Intel utilities through .NET AppDomainManager mechanism abuse. The attack leverages trusted binary proxy execution, bypassing EDR and antivirus solutions through JIT-based memory execution and sandbox evasion using computational delays and cryptographic key derivation loops. Initial access occurs via spear-phishing with Arabic-language decoys impersonating Saudi government documents. Once executed, the framework establishes command-and-control communication through Amazon CloudFront CDN domain fronting, employing reflective DLL loading, direct syscall usage, and anti-forensic memory cleanup techniques. The modular plugin-based architecture demonstrates capabilities consistent with advanced persistent threat actors, featuring sophisticated evasion mechanisms including PEB-based API resolution, custom PE export walking, and heap-walking cont...

Pulse ID: 69e389bd5760ef67b7f37472
Pulse Link: https://otx.alienvault.com/pulse/69e389bd5760ef67b7f37472
Pulse Author: AlienVault
Created: 2026-04-18 13:40:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Amazon #Arabic #CDN #Cloud #CyberSecurity #EDR #Government #InfoSec #MiddleEast #NET #OTX #OpenThreatExchange #Phishing #Proxy #RAT #Rust #SMS #SpearPhishing #bot #AlienVault

https://www.europesays.com/africa/177662/ Hack-for-hire spyware campaign targets journalists in Middle East, North Africa #AccessNow #Africa #android #bitter #CommitteeToProtectJournalists #Egypt #eset #HackForHire #india #Lebanon #lookout #MiddleEast #privacy #prospy #smex #spearphishing #Spyware #UnitedArabEmirates(UAE)

Фейковый грант от NED: анатомия таргетированного фишинга

18 февраля 2026 года сотрудник НКО получил таргетированное фишинговое письмо якобы от National Endowment for Democracy — американского фонда поддержки демократии. Обращение по полному имени, ссылка на «предыдущую заявку на грант» (которой никогда не было), и упоминание документа, которого физически нет в письме — классическая техника «фантомного вложения», при которой первое письмо устанавливает доверие, а вредоносный файл приходит уже в ответ на реакцию жертвы. В этой статье — разбор атаки по заголовкам, инфраструктуре и социальной инженерии. Материал будет полезен аналитикам SOC и сотрудникам НКО: в конце — IOC, kill chain и рекомендации для администраторов почты.

https://habr.com/ru/articles/1004156/

#информационная_безопасность #фишинг #spearphishing #threat_intelligence #социальная_инженерия #email_security

Фейковый грант от NED: анатомия таргетированного фишинга

18 февраля 2026 года сотрудник НКО получил таргетированное фишинговое письмо якобы от National Endowment for Democracy — американского фонда поддержки демократии. Обращение по полному имени, ссылка на «предыдущую заявку на грант» (которой никогда не было), и упоминание документа, которого физически нет в письме — классическая техника «фантомного вложения», при которой первое письмо устанавливает доверие, а вредоносный файл приходит уже в ответ на реакцию жертвы. В этой статье — разбор атаки по заголовкам, инфраструктуре и социальной инженерии. Материал будет полезен аналитикам SOC и сотрудникам НКО: в конце — IOC, kill chain и рекомендации для администраторов почты.

https://habr.com/ru/articles/1004156/

#информационная_безопасность #фишинг #spearphishing #threat_intelligence #социальная_инженерия #email_security

Фейковый грант от NED: анатомия таргетированного фишинга

18 февраля 2026 года сотрудник НКО получил таргетированное фишинговое письмо якобы от National Endowment for Democracy — американского фонда поддержки демократии. Обращение по полному имени, ссылка на «предыдущую заявку на грант» (которой никогда не было), и упоминание документа, которого физически нет в письме — классическая техника «фантомного вложения», при которой первое письмо устанавливает доверие, а вредоносный файл приходит уже в ответ на реакцию жертвы. В этой статье — разбор атаки по заголовкам, инфраструктуре и социальной инженерии. Материал будет полезен аналитикам SOC и сотрудникам НКО: в конце — IOC, kill chain и рекомендации для администраторов почты.

https://habr.com/ru/articles/1004156/

#информационная_безопасность #фишинг #spearphishing #threat_intelligence #социальная_инженерия #email_security

Фейковый грант от NED: анатомия таргетированного фишинга

18 февраля 2026 года сотрудник НКО получил таргетированное фишинговое письмо якобы от National Endowment for Democracy — американского фонда поддержки демократии. Обращение по полному имени, ссылка на «предыдущую заявку на грант» (которой никогда не было), и упоминание документа, которого физически нет в письме — классическая техника «фантомного вложения», при которой первое письмо устанавливает доверие, а вредоносный файл приходит уже в ответ на реакцию жертвы. В этой статье — разбор атаки по заголовкам, инфраструктуре и социальной инженерии. Материал будет полезен аналитикам SOC и сотрудникам НКО: в конце — IOC, kill chain и рекомендации для администраторов почты.

https://habr.com/ru/articles/1004156/

#информационная_безопасность #фишинг #spearphishing #threat_intelligence #социальная_инженерия #email_security

Фишинг под видом Meta: SPF pass, DKIM pass, входящие Gmail

2 марта 2026 года я получил на анализ фишинговое письмо. Отправитель - «M e t a», тема - «[Требуется действие] Завершите проверку, чтобы восстановить показ объявлений». SPF pass, DKIM pass, ARC pass - письмо прошло все проверки и лежало во входящих Gmail. Ключ - цепочка Resend.com → Amazon SES → Gmail, где каждый элемент легитимен. Разбираю, как атакующие этого добились и почему это работает.

https://habr.com/ru/articles/1005750/

#информационная_безопасность #фишинг #spearphishing #threat_intelligence #социальная_инженерия #email_security

Фишинг под видом Meta: SPF pass, DKIM pass, входящие Gmail

2 марта 2026 года я получил на анализ фишинговое письмо. Отправитель - «M e t a», тема - «[Требуется действие] Завершите проверку, чтобы восстановить показ объявлений». SPF pass, DKIM pass, ARC pass - письмо прошло все проверки и лежало во входящих Gmail. Ключ - цепочка Resend.com → Amazon SES → Gmail, где каждый элемент легитимен. Разбираю, как атакующие этого добились и почему это работает.

https://habr.com/ru/articles/1005750/

#информационная_безопасность #фишинг #spearphishing #threat_intelligence #социальная_инженерия #email_security

Фишинг под видом Meta: SPF pass, DKIM pass, входящие Gmail

2 марта 2026 года я получил на анализ фишинговое письмо. Отправитель - «M e t a», тема - «[Требуется действие] Завершите проверку, чтобы восстановить показ объявлений». SPF pass, DKIM pass, ARC pass - письмо прошло все проверки и лежало во входящих Gmail. Ключ - цепочка Resend.com → Amazon SES → Gmail, где каждый элемент легитимен. Разбираю, как атакующие этого добились и почему это работает.

https://habr.com/ru/articles/1005750/

#информационная_безопасность #фишинг #spearphishing #threat_intelligence #социальная_инженерия #email_security

Фишинг под видом Meta: SPF pass, DKIM pass, входящие Gmail

2 марта 2026 года я получил на анализ фишинговое письмо. Отправитель - «M e t a», тема - «[Требуется действие] Завершите проверку, чтобы восстановить показ объявлений». SPF pass, DKIM pass, ARC pass - письмо прошло все проверки и лежало во входящих Gmail. Ключ - цепочка Resend.com → Amazon SES → Gmail, где каждый элемент легитимен. Разбираю, как атакующие этого добились и почему это работает.

https://habr.com/ru/articles/1005750/

#информационная_безопасность #фишинг #spearphishing #threat_intelligence #социальная_инженерия #email_security

This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now

997 words, 5 minutes read time.

If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.

This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.

What this scam actually is

You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.

It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:

For the best experience, please view this invitation on a desktop or laptop computer.

If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.

And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.

Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.

Why this is an absolute nightmare for security teams

Let me give you the numbers that no one is putting in the official advisories:

• As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
• Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
• This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
• Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.

I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.

This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.

How to not get burned

I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.

For everyone

• Real Punchbowl invites will only ever come from an address ending in @punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately.
• Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
• Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.

For SOC Analysts and Security Teams

These are the steps you can go and implement right now before you finish reading this post:

1. Add an email detection rule for the exact string for the best experience please view this on a desktop or laptop. At time of writing this rule has a 0% false positive rate.
2. Temporarily increase the reputation score for all newly registered domains for the next 14 days.
3. Add this exact lure to your phishing simulation program immediately. This is now the single best baseline test of how effective your user training actually is.
4. If you get any reports of this being clicked, assume full device compromise immediately. Do not waste time triaging. Isolate the host.

Closing Thought

The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.

If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.

Call to Action

If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

D. Bryan King

Sources

• Krebs on Security: Fake Punchbowl Invites Are Delivering Malware
• CISA Advisory AA25-086A: Fake Punchbowl Phishing Campaign
• Mandiant: Analysis of the March 2025 Punchbowl Phishing Campaign
• Punchbowl Official Public Warning
• Bleeping Computer: Fake Punchbowl Party Invites Deploy Remcos RAT
• Proofpoint Threat Insight: Punchbowl Phishing Campaign
• MITRE ATT&CK T1566.001: Spearphishing Link
• Verizon DBIR 2025: Phishing Effectiveness

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

Related Posts

Rate this:

This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now

997 words, 5 minutes read time.

If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.

This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.

What this scam actually is

You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.

It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:

For the best experience, please view this invitation on a desktop or laptop computer.

If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.

And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.

Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.

Why this is an absolute nightmare for security teams

Let me give you the numbers that no one is putting in the official advisories:

• As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
• Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
• This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
• Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.

I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.

This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.

How to not get burned

I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.

For everyone

• Real Punchbowl invites will only ever come from an address ending in @punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately.
• Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
• Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.

For SOC Analysts and Security Teams

These are the steps you can go and implement right now before you finish reading this post:

1. Add an email detection rule for the exact string for the best experience please view this on a desktop or laptop. At time of writing this rule has a 0% false positive rate.
2. Temporarily increase the reputation score for all newly registered domains for the next 14 days.
3. Add this exact lure to your phishing simulation program immediately. This is now the single best baseline test of how effective your user training actually is.
4. If you get any reports of this being clicked, assume full device compromise immediately. Do not waste time triaging. Isolate the host.

Closing Thought

The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.

If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.

Call to Action

If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

D. Bryan King

Sources

• Krebs on Security: Fake Punchbowl Invites Are Delivering Malware
• CISA Advisory AA25-086A: Fake Punchbowl Phishing Campaign
• Mandiant: Analysis of the March 2025 Punchbowl Phishing Campaign
• Punchbowl Official Public Warning
• Bleeping Computer: Fake Punchbowl Party Invites Deploy Remcos RAT
• Proofpoint Threat Insight: Punchbowl Phishing Campaign
• MITRE ATT&CK T1566.001: Spearphishing Link
• Verizon DBIR 2025: Phishing Effectiveness

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

Related Posts

Rate this:

This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now

997 words, 5 minutes read time.

If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.

This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.

What this scam actually is

You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.

It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:

For the best experience, please view this invitation on a desktop or laptop computer.

If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.

And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.

Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.

Why this is an absolute nightmare for security teams

Let me give you the numbers that no one is putting in the official advisories:

• As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
• Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
• This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
• Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.

I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.

This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.

How to not get burned

I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.

For everyone

• Real Punchbowl invites will only ever come from an address ending in @punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately.
• Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
• Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.

For SOC Analysts and Security Teams

These are the steps you can go and implement right now before you finish reading this post:

1. Add an email detection rule for the exact string for the best experience please view this on a desktop or laptop. At time of writing this rule has a 0% false positive rate.
2. Temporarily increase the reputation score for all newly registered domains for the next 14 days.
3. Add this exact lure to your phishing simulation program immediately. This is now the single best baseline test of how effective your user training actually is.
4. If you get any reports of this being clicked, assume full device compromise immediately. Do not waste time triaging. Isolate the host.

Closing Thought

The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.

If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.

Call to Action

If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

D. Bryan King

Sources

• Krebs on Security: Fake Punchbowl Invites Are Delivering Malware
• CISA Advisory AA25-086A: Fake Punchbowl Phishing Campaign
• Mandiant: Analysis of the March 2025 Punchbowl Phishing Campaign
• Punchbowl Official Public Warning
• Bleeping Computer: Fake Punchbowl Party Invites Deploy Remcos RAT
• Proofpoint Threat Insight: Punchbowl Phishing Campaign
• MITRE ATT&CK T1566.001: Spearphishing Link
• Verizon DBIR 2025: Phishing Effectiveness

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

Related Posts

Rate this:

Krasser Scheiß: Pine64 (ein Lieferant von uns) hat mich grad darüber informiert, dass anscheinend eine #spearPhishing attacke auf uns vorbereitet worden ist (zumindest stellt es sich mir so dar).

"Tom Milton" hat sich bei dem Lieferanten als neuer "Lead Accountant" vorgestellt.

ich gehe davon aus, dass der liebe Tom dann gefälschte Rechnungen an uns geschickt hätte....

Was denkt ihr?

#hacking #phishing #krasserScheiß #security

One in Ten UK Companies Wouldn’t Survive a Major Cyberattack

A new survey by Vodafone Business found that more than 10% of companies in the UK would likely…
#UnitedKingdom #UK #Europe #EU #anti-phishingtraining #cryptolocker #Florida #GreatBritain #hackers #Hacking #kevinmitnick #knowbe4 #on-linetraining #phish-prone #phishing #ransomware #securityawarenesstraining #SocialEngineering #spearphishing #stusjouwerman #tampabay #training
https://www.europesays.com/2754659/

A five-month spearphishing operation discovered by Socket has transformed the npm registry into a durable hosting layer for AiTM credential theft, specifically targeting sales teams in the manufacturing and healthcare industries.

Read More: https://www.security.land/npm-registry-weaponized-in-spearphishing-campaign-against-critical-infrastructure/

#SecurityLand #Cybersecurity #Research #NPM #Phishing #CriticalInfrastructure #AiTM #Spearphishing #Dev

There's a new look to modern day #ransomware attacks (no) thanks to the Ransomware-as-a-Service (#RaaS) ecosystem. As attackers continue to automate spear #phishing and other processes, identifying and mitigating these email threats becomes both more important and more challenging. 😓 So, let's talk about how your team can improve their risk mitigation strategies.

In this article we review:
🎣 Phishing, spear phishing, and whaling
📧 Why ransomware email threats are so successful
🛡️ Best practices for mitigating these threats

Dig into the details of implementing email security, centralizing security data, integrating threat intelligence, identifying very attacked persons (VAPs), and more.

https://graylog.org/post/understanding-ransomware-email-threats/ #SpearPhishing #ThreatIntel #SIEM #CyberSecurity

There's a new look to modern day #ransomware attacks (no) thanks to the Ransomware-as-a-Service (#RaaS) ecosystem. As attackers continue to automate spear #phishing and other processes, identifying and mitigating these email threats becomes both more important and more challenging. 😓 So, let's talk about how your team can improve their risk mitigation strategies.

In this article we review:
🎣 Phishing, spear phishing, and whaling
📧 Why ransomware email threats are so successful
🛡️ Best practices for mitigating these threats

Dig into the details of implementing email security, centralizing security data, integrating threat intelligence, identifying very attacked persons (VAPs), and more.

https://graylog.org/post/understanding-ransomware-email-threats/ #SpearPhishing #ThreatIntel #SIEM #CyberSecurity

There's a new look to modern day #ransomware attacks (no) thanks to the Ransomware-as-a-Service (#RaaS) ecosystem. As attackers continue to automate spear #phishing and other processes, identifying and mitigating these email threats becomes both more important and more challenging. 😓 So, let's talk about how your team can improve their risk mitigation strategies.

In this article we review:
🎣 Phishing, spear phishing, and whaling
📧 Why ransomware email threats are so successful
🛡️ Best practices for mitigating these threats

Dig into the details of implementing email security, centralizing security data, integrating threat intelligence, identifying very attacked persons (VAPs), and more.

https://graylog.org/post/understanding-ransomware-email-threats/ #SpearPhishing #ThreatIntel #SIEM #CyberSecurity

There's a new look to modern day #ransomware attacks (no) thanks to the Ransomware-as-a-Service (#RaaS) ecosystem. As attackers continue to automate spear #phishing and other processes, identifying and mitigating these email threats becomes both more important and more challenging. 😓 So, let's talk about how your team can improve their risk mitigation strategies.

In this article we review:
🎣 Phishing, spear phishing, and whaling
📧 Why ransomware email threats are so successful
🛡️ Best practices for mitigating these threats

Dig into the details of implementing email security, centralizing security data, integrating threat intelligence, identifying very attacked persons (VAPs), and more.

https://graylog.org/post/understanding-ransomware-email-threats/ #SpearPhishing #ThreatIntel #SIEM #CyberSecurity

There's a new look to modern day #ransomware attacks (no) thanks to the Ransomware-as-a-Service (#RaaS) ecosystem. As attackers continue to automate spear #phishing and other processes, identifying and mitigating these email threats becomes both more important and more challenging. 😓 So, let's talk about how your team can improve their risk mitigation strategies.

In this article we review:
🎣 Phishing, spear phishing, and whaling
📧 Why ransomware email threats are so successful
🛡️ Best practices for mitigating these threats

Dig into the details of implementing email security, centralizing security data, integrating threat intelligence, identifying very attacked persons (VAPs), and more.

https://graylog.org/post/understanding-ransomware-email-threats/ #SpearPhishing #ThreatIntel #SIEM #CyberSecurity

🚨 The OpenAI/Mixpanel breach is not just a "vendor issue"—it's a systemic failure. We analyzed 3 years of security incidents at OpenAI and compared them to the fortified architectures of Google Gemini and Anthropic Claude.

#SecurityLand #ExpertDecode #AI #SecurityBreach #Cyberattack #OpenAI #ChatGPT #Claude #Gemini #SpearPhishing #Business #Enterprise #Mixpanel

Read More: https://www.security.land/openai-mixpanel-breach-security-analysis-2025/

North Korean hackers are using Google’s own tools to remotely wipe Android devices and hijack messaging apps. Think your account is safe? Dive into how a single breach can trigger a digital meltdown.

https://thedefendopsdiaries.com/konni-activity-cluster-north-korean-apts-exploit-google-find-hub-for-advanced-cyber-espionage/

#konni
#apt37
#cyberespionage
#androidsecurity
#googlefindhub
#malware
#northkorea
#spearphishing
#infosec

North Korean hackers are using Google’s own tools to remotely wipe Android devices and hijack messaging apps. Think your account is safe? Dive into how a single breach can trigger a digital meltdown.

https://thedefendopsdiaries.com/konni-activity-cluster-north-korean-apts-exploit-google-find-hub-for-advanced-cyber-espionage/

#konni
#apt37
#cyberespionage
#androidsecurity
#googlefindhub
#malware
#northkorea
#spearphishing
#infosec