SpiderLabs
@SpiderLabs
The elite security team at @LevelBlueCyber. Response & Investigations. Analysis & Testing. Research & Development. Follow for info on the latest threats.

Joined January 2009
369 Following, 27.1K Followers

SpiderLabs @SpiderLabs:
The threat didn't break in. It simply applied. 💼 Background check: passed. Interviews: nailed. Intent: not so great... This case shows how a North Korea-linked IT worker blended into a legitimate hiring funnel and how combining OTX intelligence with XDR surfaced what individual tools would miss. hubs.ly/Q0476_Xz0

SpiderLabs @SpiderLabs:
URL rewriting is meant to make email safer. Attackers are finding ways to turn it into cover. Our recent blog looks at how attackers are using multi‑vendor, multi‑layered URL rewriting to mask #phishing links and bypass email security controls. These redirect chains have been used to deliver AiTM PhaaS kits like #Tycoon2FA and #Sneaky2FA. Review the breakdown: levelblue.com/blogs/spiderla…

SpiderLabs @SpiderLabs:
The Stryker incident is more than a cyberattack. It’s a signal. The attack on Stryker highlights a shift from intelligence gathering to disruption by the Iran-linked group Handala, reflecting a broader trend where global conflict increasingly plays out in corporate networks. Our analysis breaks down what this change means for defenders: hubs.ly/Q046NgjQ0

SpiderLabs @SpiderLabs:
Callback Phishing Via @Microsoft Azure Monitor Alert Notifications 🪝

#PhishingAlert: We’ve spotted an ongoing campaign where threat actors are abusing #Microsoft #Azure Monitor alert notifications to deliver callback phishing using fake invoice and unauthorized-payment lures. Attackers create malicious Azure Monitor alert rules, embedding #scam content in the alert description, including fake billing details and attacker-controlled support phone numbers. Victims are then added to the Action Group linked to the alert rule, causing Azure to send the phishing message from the legitimate sender address azure-noreply@microsoft.com.

Scam numbers:
- 1 [805] 258 \4288
- 1 [808] 216 \8505
- 1 [812] 263 \5725
- 1 [812] 263 \8724
- 1 [812] 266 \1510
- 1 [812] 266 \1890
- 1 [812] 266 \5395
- 1 [812] 266 \8438
- 1 [812] 484 \9724
- 1 [813] 453 \4558
- 1 [813] 495 \1666
- 1 [828] 242 \5508
- 1 [828] 378 \6192

#Phishing #Cybersecurity #IOC #ThreatIntel

SpiderLabs @SpiderLabs:
Cyber activity is escalating alongside the conflict in the Middle East. Key signals our researchers are tracking:
- 10+ Iranian APT groups and 60+ hacktivist groups are active
- 133% spike in attacks
- Targets: government, finance, defense, aviation, and energy

What defenders should prioritize:
- Watch for credential abuse & unusual cloud activity
- Test DDoS readiness + incident response
- Secure critical infrastructure & OT

Full findings: hubs.ly/Q046fjNC0

SpiderLabs @SpiderLabs:
Phishing Emails Push Fake ChatGPT and Gemini iOS Apps To Steal Facebook Credentials 🪝

Phishing emails impersonating #ChatGPT and #Gemini are pushing users to download malicious #Apple iOS apps from the App Store. Disguised as business or ads management tools, these apps prompt for #Facebook credentials, leading to credential harvesting.

IOCs:
- hxxps[://]apps[.]apple[.]com/au/app/geminiai-advertising/id6759005662
- hxxps[://]apps[.]apple[.]com/au/app/ads-gpt/id6759514534

#CyberSecurity #Cybersec #MailMarshal #Levelblue #Spiderlabs #Scams #BEC #Phishing #Infosec #CyberAwareness

SpiderLabs @SpiderLabs:
Modern conflict no longer begins or ends with kinetic force, as digital operations and cyber warfare now unfold simultaneously for increased disruption, influence, and strategic pressure. Our team is actively tracking the cyber dimension of the Iran crisis. Here's what's happening right now that global organizations should be aware of:
- Activation and retooling of state-linked APTs are suspected to be pre-positioning for espionage, credential theft, and disruption ahead of strikes
- Signs of early retaliation from Iranian actors include recon, DDoS, and wiper attacks (anticipated to hit US and Israeli critical infrastructure)

Understanding these tactics and implications is crucial to defend against them. Full analysis: hubs.ly/Q045D5Q40

SpiderLabs reposted

LevelBlue @LevelBlueCyber:
We're strongly recommending a "shields up" security approach in light of the recent United States-Israel-Iran confrontation that has spilled over into full cyber warfare. Insights below: levelblue.com/blogs/spiderla…

SpiderLabs @SpiderLabs:
New Research Blog Posted: How ClickFix Opens the Door to Stealthy StealC Information Stealer We analyzed the complete attack chain from the user clicking a compromised website -> fake CAPTCHA -> PowerShell -> Donut shellcode -> reflective PE loading -> StealC injection into svchost.exe. All fileless, RC4-encrypted C2 comms. Full analysis with IOCs + C2 traffic decryption tool 🔧 levelblue.com/blogs/spiderla… #LevelBlue #SpiderLabs #ThreatIntel #Malware #MalwareAnalysis #StealC #ClickFix #InfoSec

SpiderLabs @SpiderLabs:
#MalspamAlert: An ongoing spam campaign distributes PDF documents that trick users into visiting a fake Adobe Acrobat download page. Instead of legitimate software, victims install remote monitoring and management (RMM) tools that provide threat actors persistent remote access to their systems. Abusing trusted RMM tools helps threat actors blend in as normal IT activity while bypassing security controls. #ThreatIntel #RMMAbuse #MailMarshal #LevelBlue

#IoCs:
- Redirect URL: hxxps[://]99d04a7a-345a-487c-8ea3-a9a626aa773e-00-3qpe7rminty[.]com/e/WlppNUlubg
- Download page: hxxps[://]adb-pro[.]design/Adobe/landing[.]php
- scanned_document.pdf: 0432f2e433bf42aaff0f078d500dd6f47c2500a8c8560601d8eadd0d9b365861
- Adobe_Reader_Installer.exe (TrustConnect): edde2673becdf84e3b1d823a985c7984fec42cb65c7666e68badce78bd0666c0
- Adobe_Reader_Installer.exe (Datto RMM): ae42e874b598cce517c40f9314bdef94828ba20f15bb7f8026187573f26fff9f

SpiderLabs @SpiderLabs:
#BECAlert 🚨 Active tax season #BEC campaign using CEO impersonation emails to obtain W2 and W3 #IRS forms. Criminals use this data to file fraudulent returns or commit other crimes. The campaign also uses newly registered reply-to domains. Stay vigilant.

#IOCs: Reply-to domains:
- azureamail[.]com
- azireemail[.]com
- ssamail[.]net
- coxomail[.]com
- executives-portal-email[.]com
- akpages[.]com
- isbecolconsult[.]com

#CyberSecurity #Cybersec #MailMarshal #Levelblue #Spiderlabs #Scams #BEC #Phishing #Infosec #CyberAwareness

SpiderLabs @SpiderLabs:
#Vishing Campaign Alert: Microsoft Teams Call -> QuickAssist Abuse -> Multi-Stage .NET Malware

We've analyzed an attack chain starting with social engineering and ending with fileless malware execution.

Attack Flow:
* Victim receives Teams call from attacker impersonating Senior IT Staff (spoofed display name)
* Attacker convinces user to launch QuickAssist
* ~10 mins later: Redirected to ciscocyber[.]com/verify.php
* "updater.exe" deployed (disguised as legitimate updater)

The "updater.exe" is a .NET Core 8.0 wrapper with embedded "loader.dll" that downloads encryption keys from jysync[.]info, retrieves encrypted payload, decrypts using AES-CBC + XOR, then loads assembly directly into memory for fileless execution via reflection.

#IOCs
Domains:
  - ciscocyber[.]com
  - jysync[.]info
  * Both domains currently return 404, but infrastructure may return.
SHA256:
  2d751f48376c777dd76090130740cfd04693b3da12d03e94e3e6514e864410fc
  7d29bf061719dc442dc00f670768d7a52a70c029678bd67a07b17317ffbd8c69
Debug Information:
  "D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb"

#Trustwave #Levelblue #Spiderlabs #IOC

SpiderLabs @SpiderLabs:
#BECAlert We detected a large-scale Business Email Compromise (BEC) campaign sent using SendGrid, targeting company accounting departments globally. This attack impersonates the company's executive and an accountant from a coaching firm, with the latter requesting payment for a bogus overdue executive coaching invoice.

IoCs:
- ipeccoach[.]info
- novus-worldwide[.]ws
- novusworldwide[.]org
- novus-global[.]us
- xiroemail[.]com
- executives-foxmails[.]com

#BEC #Scam #MailMarshal

SpiderLabs @SpiderLabs:
PhishingAlert: Threat actors are abusing #Microsoft Teams notifications to deliver callback #phishing. Victims are invited to groups whose team names contain the #scam content, such as fake invoices, auto-renewal notices, or #PayPal payment claims, and urge users to call a fake support number if the charge was not authorized. Because these messages come from the official Microsoft Teams sender address (no-reply[@]teams[.]mail[.]microsoft), they may bypass user suspicion and email filters.

#CyberSecurity #Cybersec #Microsoft365 #MailMarshal #Trustwave #Levelblue #Spiderlabs #IOC #Scams

Scam numbers:
- 1 [983] 220 \ 2463
- 1 [810] 221 \ 5391
- 1 [805] 331 \ 8539

SpiderLabs @SpiderLabs:
#MalwareAlert: A new "Executive Award" campaign delivers a two-stage hit. First, a polished HTML phish steals credentials straight to Telegram C2. Then, a malicious SVG triggers a PowerShell #ClickFix chain that installs the #Stealerium infostealer via multi-stage loaders. One lure = stolen credentials + malware infection. #cybersecurity #malware #mailmarshal

#IoCs:
Virtual-Gift-Card-Claim.html
- 4db5c047a1cfd9ee5f8da8611c30889b
- 7cb2fa5762cb71120e16e9a778c5a1f1c3649aa02e06f837bf142885b98ee58c
account-verification-form.svg
- 5ed74724b45d28825d93f21097dc2475
- 2f5973d9515b15273dbf64ad0542b27d752814d794752b41c912d18db747993e
Stealerium DLL
- 602ac35cc1e49320493eb54bde62b760
- 88feadbb2f9548d3c0cb9c6519bcea476acf9ac2a3eeccde5655457cbba29db4
Telegram Exfil (Phish)
- Bot: 6926474815:AAHMa86FvgJGailNJ2EzmIgA8hk_nzb5KvA
- Chat ID: 875787587
Telegram Exfil (Stealerium)
- Bot: 6926474815:AAFx9tLAnf5OAVQZp2teS3G2_6T1wCP67xM
- Chat ID: -4224073938
Download URLs
- hxxp[://]31[.]57[.]147[.]77:6464/getcmd
- hxxp[://]31[.]57[.]147[.]77:6464/gethta
- hxxp[://]31[.]57[.]147[.]77:6464/getexe
- hxxp[://]31[.]57[.]147[.]77:6464/getdll
- hxxp[://]31[.]57[.]147[.]77:6464/getps
- hxxp[://]31[.]57[.]147[.]77:6464/getbatch
Stealerium C2 URL: hxxp[://]31[.]57[.]147[.]77:6464
Key: StealeriumC2SecretKey123

SpiderLabs @SpiderLabs:
#PhishingAlert 🚨 A new phishing campaign is using newly registered domains to impersonate #Google Partners, luring victims with fake personal invitations to claim a Partner Badge. The links lead to a spoofed Google page before redirecting to a phishing login portal, with domains following patterns such as signup.gpartner{randomstrings}.com or invite.gpartner{randomstrings}.com. Remain cautious and verify any unexpected badge or partner invitations before clicking.

Sample IoCs:
- hxxps://signup[.]gpartnerpaths[.]com
- hxxps://signup[.]gpartnercollect[.]com
- hxxps://invite[.]gpartnersapplyhub[.]com
- hxxps://invite[.]gpartnerslevelup[.]com

#Phishing #Google #MailMarshal

SpiderLabs @SpiderLabs:
#ScamAlert: Fraudsters are impersonating Costco in multiple fake Thanksgiving turkey dinner giveaways. Users are required to answer a survey, which eventually leads to a phishing page collecting personal and financial info.

IoCs:
- hxxp://rewardsmartlink[.]co[.]uk
- hxxps://mnjbhcgvghvgh[.]blob[.]core[.]windows[.]net
- hxxp://lunexa[.]sa[.]com
- hxxps://dinusreal[.]store
- hxxps://spottershotdeal[.]com

#Scam #Phishing #MailMarshal