ReliaQuest Threat Research
@ReliaQuestTR
8.2K posts
Tampa, Florida · Joined May 2011
1.6K Following · 7.6K Followers
ReliaQuest Threat Research
ShinyHunters is likely firing up another Zendesk campaign 🎯 Over the past two months, ReliaQuest has identified 60+ newly registered domains impersonating #Zendesk support portals. These domains follow the pattern [brandname]zendesk[.]com and target organizations across financial services, SaaS vendors, and other high-value sectors. #ShinyHunters is building at scale by embedding trusted brand names directly into malicious domains to increase their legitimacy. Combined with valid TLS certificates, these sites appear authentic in browsers and email clients, making credential harvesting significantly more effective. For security teams: monitor email gateways for these domain patterns, watch for Zendesk subdomain abuse in authentication logs, and educate users that legitimate Zendesk support portals will never use third-party domains containing "zendesk" in the URL structure. Authentication attempts from domains matching [anything]zendesk[.]com should be treated as high-priority alerts.
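The post above asks security teams to treat authentication attempts from domains matching [anything]zendesk[.]com as high-priority alerts. The following Python is an added example, not ReliaQuest's code, of how that check can be expressed over log lines; it also generalises to the related pattern that appears in the feed's later posts, where a real brand name is placed as a subdomain of an attacker-controlled apex (the stryker.passkeysetup[.]com and SSO/Okta-themed subdomain cases). The vendor allowlist, the placeholder brand "examplebank", the log line layout and the sample entries are all constructed for the example, and the registrable-domain extraction is a two-label approximation rather than a public-suffix lookup.

```python
import re
from typing import Dict, List, Optional, Set

# Vendor keyword -> that vendor's genuine registrable domain.
# Constructed allowlist for the example; extend it with the vendors you actually use.
VENDOR_APEX: Dict[str, str] = {
    "zendesk": "zendesk.com",
    "okta": "okta.com",
}

# Brand labels we expect to see only under apex domains we own or trust.
# "examplebank" is a placeholder brand, not a real organisation.
BRAND_APEX: Dict[str, Set[str]] = {
    "examplebank": {"examplebank.com", "zendesk.com", "okta.com"},
}

# Minimal hostname syntax check: one or more labels followed by an alphabetic TLD.
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")


def normalise(host: str) -> str:
    """Lower-case the host and undo the '[.]' defanging used in threat reports."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Caveat: this ignores multi-part public suffixes such as co.uk; use a
    public-suffix list in production."""
    return ".".join(host.split(".")[-2:])


def classify(host: str) -> Optional[str]:
    """Return a reason string if the host matches an impersonation pattern, else None."""
    host = normalise(host)
    if not HOST_RE.match(host):
        return None
    apex = registrable(host)
    sld = apex.split(".")[0]
    # Pattern A: the registered domain's own label embeds a vendor name
    # (e.g. brandzendesk.com) but is not the vendor's real domain.
    # A genuine tenant such as brand.zendesk.com has apex == zendesk.com and passes.
    for keyword, real_apex in VENDOR_APEX.items():
        if keyword in sld and apex != real_apex:
            return f"vendor-lookalike:{keyword}"
    # Pattern B: one of our brand labels appears as a subdomain of an apex
    # we do not trust (e.g. examplebank.some-reset-portal.net).
    for label in host.split(".")[:-2]:
        trusted = BRAND_APEX.get(label)
        if trusted is not None and apex not in trusted:
            return f"brand-on-untrusted-apex:{label}"
    return None


def scan_auth_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse constructed 'timestamp user host action' lines and return the flagged ones."""
    flagged: List[Dict[str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the scan
        ts, user, host, _action = parts[:4]
        verdict = classify(host)
        if verdict:
            flagged.append({"ts": ts, "user": user, "host": normalise(host), "reason": verdict})
    return flagged


# Constructed sample lines, not real telemetry.
SAMPLE_LOG = [
    "2026-03-01T09:12:03Z alice examplebank.zendesk.com login_ok",
    "2026-03-01T09:14:41Z bob examplebankzendesk.com password_submitted",
    "2026-03-01T09:15:10Z carol examplebank.passkey-reset-portal.net mfa_reset",
    "2026-03-01T09:16:55Z dave login.okta.com login_ok",
    "2026-03-01T09:17:20Z erin okta-examplebank.com password_submitted",
]

if __name__ == "__main__":
    for hit in scan_auth_log(SAMPLE_LOG):
        print(hit)
```

Pattern A is the post's own rule: anything whose registered label merely contains the vendor keyword is a lookalike, while a genuine tenant portal lives as a subdomain under the vendor's real apex. Pattern B is the inverse case and needs an explicit allowlist per brand, because the attacker controls the apex and only borrows the brand as a label.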
ReliaQuest Threat Research
🎙️ New #ShadowTalk Episode: The 2026 Annual Threat Report Breakdown, Part 3: The Long Game — Nation-State Threats & What's Coming in 2026 A Chinese APT held network access for over a year. North Korean insider hires jumped 116%. Both campaigns exploited the exact same six control gaps, just at different speeds. This week, we break down why 5 of 6 recurring control failures from 2024 showed up again in 2025, how DPRK operatives used deepfake interviews and IP-KVM hardware to bypass defenses, and why the 2026 forecast shifts from industry-based targeting to tech-stack fingerprinting. 👉 Tune in tomorrow on Apple Podcasts or YouTube: bit.ly/3IDjhGF 🎧 #ShadowTalk #CyberSecurity #ThreatIntelligence #NationState
ReliaQuest Threat Research @ReliaQuestTR
🚨 Everyone is focused on the cyberattack on Stryker claimed by Iran-linked Handala. But there may be a second story unfolding alongside it. We identified stryker.passkeysetup[.]com, a subdomain that appears to have been created after the Handala incident came into public view. We have already tied passkeysetup[.]com to ShinyHunters infrastructure from a real attempted attack involving help desk impersonation, MFA reset guidance, and mobile-first lures, the same tradecraft highlighted in our recent reporting. That suggests a financially motivated actor may be trying to take advantage of the confusion around #Stryker’s current situation. In other words, one incident may now be creating cover for another. 🔗 reliaquest.com/blog/threat-sp…
ReliaQuest Threat Research reposted
ReliaQuest @ReliaQuest
🚨 The impact of recent global developments is now reaching private-sector operations through cyber disruption, third-party fallout, and pressure on the digital infrastructure businesses depend on. This spotlight examines how that pressure is expanding, where disruption may spread next, and what teams can do now to strengthen resilience with an AI-driven SOC. 🔗 Read the spotlight: ow.ly/ftjC50YtbHG #ReliaQuest #MakeSecurityPossible #ThreatResearch #Cybersecurity
ReliaQuest Threat Research @ReliaQuestTR
🚨 Scattered Lapsus$ Hunters (SLH) appears to be recruiting for a wide range of roles, and that says a lot about where the group may be headed. They’re looking for developers and engineers to build tools, phishing and DDoS operators to carry out campaigns, and even individuals with 0-day or brute-force expertise. That mix matters. Rather than depending solely on purchased malware or off-the-shelf phishing kits, SLH seems to be building capability in-house from start to finish. That could give them the ability to move faster, adapt their tactics more quickly, and tailor attacks more precisely to their targets. For defenders, if SLH is developing more of an end-to-end operation, it could mean a broader attack surface and a group that can pivot faster when one technique is detected or blocked.
ReliaQuest Threat Research @ReliaQuestTR
🎙️ New #ShadowTalk Episode: The 2026 Annual Threat Report Breakdown, Part 2: Once They're In - Post-Compromise Tactics, Ransomware & Exfiltration. 79% of incidents involved data exfiltration. Only 28% involved encryption. Attackers aren't abandoning ransomware; they're just hitting exfiltration first because it's faster, quieter, and harder to stop. This week, we break down why the fastest exfiltration took just 6 minutes, how 42% of data theft now moves through platforms like OneDrive, GitHub, and Dropbox, and why detection architectures built around batch processing are structurally losing the speed race. 👉 Tune in tomorrow on Apple Podcasts or YouTube: bit.ly/3IDjhGF 🎧 #ShadowTalk #CyberSecurity #Ransomware #ThreatIntelligence
ReliaQuest Threat Research @ReliaQuestTR
🚨 ReliaQuest is tracking ShinyHunters’ “Salesforce Aura” campaign. The group claims it will name “hundreds” of impacted companies in the coming days/weeks as part of an extortion-style disclosure effort. ShinyHunters is known for data theft and public leak/extortion activity. This comes amid increased public attention on auditing Salesforce Aura/Experience Cloud access-control configurations, which may drive further adversary focus on exposed Aura endpoints and data access gaps. For organizations using #Salesforce, validate access controls and monitoring around OAuth-connected apps, user sessions, and data exports, and watch for unusual login activity or large-volume downloads.
ReliaQuest Threat Research @ReliaQuestTR
🚨 ReliaQuest is tracking a new macOS RAT/stealer called “notnullOSx” advertised with a web panel, Telegram notifications, and modules to steal browser and Telegram data. The listing also advertises “app replacement” and calls out Ledger, consistent with crypto theft. They’re marketing it around operator pain points: keep it working on macOS (they claim it’s not brittle AppleScript) and make initial execution easy (ClickFix gets users to paste a Terminal command instead of dealing with noisy installs and prompts). Everything else is about faster payoff: auto-run stealing modules on first check-in, and show the stolen data right in the panel so it’s quick to triage and monetize. For defenders, the takeaway is continued productization around proven paths: social engineering that leads to Terminal execution, browser credential and cookie theft, and lures tied to crypto apps.
ReliaQuest Threat Research @ReliaQuestTR
🚨 ReliaQuest is tracking recurring ChatGPT Stealer activity over the past few months tied to malicious Chrome extensions masquerading as “AI sidebar” tools. We’ve observed Chrome extension installs dropping JavaScript payloads (e.g., setup.html/loader.js) that inject scripts into visited pages (specifically ChatGPT) to capture prompts and AI responses, then stage and exfiltrate that data to attacker-controlled infrastructure. If your organization permits broad extension installs and users handle sensitive data in #ChatGPT via the browser, now is a good time to tighten extension controls, review browser credential storage, and hunt for suspicious extension IDs and related outbound traffic.
ReliaQuest Threat Research @ReliaQuestTR
🎙️ New #ShadowTalk Episode: Beyond 'Don't Click the Link'—How ClickFix and AI Malware Are Outrunning Enterprise Defenses ClickFix attacks surged 200% in 2025 — and most of it did not use email. Attackers moved to the search bar, poisoning results and tricking users into running malicious commands themselves. Phishing simulation scores mean little now. This week, we dig into how BaoLoader uses AI-generated code and valid certificates to bypass static detection and why, with a 34-minute average breakout window, behavioral detection isn't optional—it's the only model that works. 👉 Tune in tomorrow on Apple Podcasts or YouTube: bit.ly/3IDjhGF #ShadowTalk #CyberSecurity #ClickFix
ReliaQuest Threat Research @ReliaQuestTR
Since Saturday's strikes, ReliaQuest has been monitoring underground forums and Telegram for cyber activity tied to the US-Israel-Iran escalation. With Iran's command structure disrupted, proxy and aligned groups may act more independently, increasing unpredictability.

What we're tracking (claims unverified):
- Russia-linked NoName057(16) claiming ops against Israeli municipal, telecom, and defense entities
- Cyber Islamic Resistance claiming access to 130+ control systems across multiple countries
- Sylhet Gang calling for coordinated attacks on US and Israeli targets
- Handala threatening imminent, large-scale infrastructure attacks

Near-term risk: a rise in high-volume, lower-sophistication activity (DDoS, defacements, service disruption), potentially masking more capable operations. #OperationEpicFury
ReliaQuest Threat Research @ReliaQuestTR
ReliaQuest is tracking an evolving ClickFix campaign that uses fake error messages to trick users into pasting malicious commands via Win+R. Those commands download a legitimate process, Flare.exe, which then pulls down both Remcos and NetSupport RAT for redundant remote access. Once in, the attacker runs a fileless JavaScript-based stealer through the command line to harvest saved credentials from the browser. If your environment allows Win+R for standard users and still relies on browser-saved passwords, this is a good time to revisit both to strengthen your organization's security posture. #ClickFix #Remcos #NetSupport #malware #CyberSecurity
ReliaQuest Threat Research @ReliaQuestTR
🚨 Our latest research shows the extortion group ShinyHunters is shifting to branded subdomain impersonation (SSO and Okta-themed) paired with phone-guided, adversary-in-the-middle (AiTM) phishing and mobile-first lures. We are seeing them combine this with outsourced vishing operators and recycled CRM and ERP data to figure out exactly who to call. They guide users to fake mobile SSO pages and steal the session, allowing them to pivot across SaaS apps. Read the full breakdown here: reliaquest.com/blog/threat-sp…
ReliaQuest Threat Research @ReliaQuestTR
🚨 In 2025, 1 in 4 incidents we investigated started with social engineering. Targeting trust is often faster (and quieter) than breaking through infrastructure. When the lure hits a privileged user, attackers can begin with elevated access and skip time-consuming steps like privilege escalation. That speed shows up in outcomes, with the fastest intrusions reaching lateral movement in just 4 minutes. Our Annual Threat Report breaks down what we observed and how to defend against it: reliaquest.com/campaigns/annu…
ReliaQuest Threat Research @ReliaQuestTR
🚨 ReliaQuest is tracking CVE-2026-20127, a critical authentication bypass affecting Cisco Catalyst SD-WAN Controller and Manager that is being used to add unauthorized peers and modify network configurations. Exploitation has been traced back to 2023. Threat actor UAT-8616 has reportedly used log clearing and history wiping to reduce visibility and stay under the radar. CISA, Cisco, and the UK NCSC have issued a joint advisory in response. CISA Emergency Directive 26-03 requires federal agencies to patch, investigate, and preserve forensic artifacts by February 27. If your SD-WAN management interface is internet-exposed, this is a good time to review your exposure and apply available updates. #Cisco #SDWAN #CyberSecurity #CISA
ReliaQuest Threat Research @ReliaQuestTR
🎙️ New #ShadowTalk Episode: Malware Isn't Required—How Ransomware Groups Turn RMMs Into a Weapon. Ransomware groups don't need custom malware anymore; they're using .scr file droppers to silently deploy the same remote access tools your IT team already trusts. So how do you detect a threat that looks exactly like authorized activity? This week, we dig into how attackers weaponize legitimate RMM tools to bypass detection and why one compromised platform can expose dozens of downstream environments. The real defense isn't better signatures; it's proactive governance. 👉 Tune in tomorrow on Apple Podcasts or YouTube: bit.ly/3IDjhGF 🎧 #ShadowTalk #CyberSecurity #Ransomware
ReliaQuest Threat Research @ReliaQuestTR
🚨 The ReliaQuest 2026 Annual Cyber-Threat Report—the most comprehensive analysis we've ever published—is now available. Thousands of incidents. Hundreds of campaigns. One report.

💡 Some of what's inside:
→ Fastest breakout time: 4 minutes (85% faster than 2024)
→ Fastest time-to-exfiltration: 6 minutes
→ 1 in 4 incidents involved social engineering
→ Ransomware's "giants" era is over—replaced by a swarm of agile operators

We break down why defense in depth beat single-layer controls against a zero-day we discovered. Why behavioral detection is the only answer to AI-generated malware that looks legitimate. And why a single anomalous remote-access indicator could expose an entire network of nation-state operatives hiding inside your workforce. We also show how agentic AI is making these defenses faster and more scalable than any manual process can match. This is what we saw. This is what's coming. Read it. 👉 ow.ly/YPvY50YkOXf #ReliaQuest #AnnualThreatReport #Cybersecurity #MakeSecurityPossible #AgenticAI
ReliaQuest Threat Research @ReliaQuestTR
🚨 ShinyHunters recently named high-profile brands on their DLS, but public reporting suggests the data being leveraged may be months old. Then on Feb 22, the group’s Telegram channel posted recruitment for female speakers for scripted calls “to the helpdesk,” with pay tied to “success/hit rate.” Is this a sign of headwinds in newer extortion campaigns—prompting monetization of older datasets while scaling vishing to regain fresh access/leverage?
ReliaQuest Threat Research @ReliaQuestTR
🚨 ReliaQuest is tracking SANDWORM_MODE, an active Shai-Hulud-like supply chain worm spreading through typosquatted npm packages. This variant does something new: it plants fake MCP servers in AI coding tools like Claude and Cursor, then uses prompt injection to trick the AI into silently harvesting SSH keys, tokens, and credentials. Like earlier Shai-Hulud campaigns, this works by weaponizing trusted developer accounts and hijacking the software update process itself. A single compromised package can propagate across thousands of dependent projects, exploiting the interconnected nature of modern software development.