Our latest TDR report on the #ClickFix framework:
📊 3,800+ WordPress sites compromised worldwide
⚙️ Multi-stage JavaScript loader
🚦 Abusing YOURLS as TDS
🖱️ Fake Cloudflare CAPTCHA and #ClickFix lure
🦠 #NetSupport RAT payload
bsky.app/profile/seko...
Posts by gregclermont
📝 Our latest #TDR report delivers an in-depth analysis of Adversary-in-the-Middle (#AitM) #phishing threats - targeting Microsoft 365 and Google accounts - and their ecosystem.
This report shares actionable intelligence to help analysts detect and investigate AitM phishing.
The future of security operations depends on tools that reflect a deep understanding of investigative work. Unfortunately, many AI-driven products are being built by folks with neither investigative experience nor insight into the cognitive processes underlying effective analysis.
CTI tip: monitor transactions from the Ethereum address 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA to identify new PowerShell commands distributed by ClearFake - and block/detect any traffic to malicious domains!
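As an added example (not Sekoia's tooling and not code from the post): once transactions sent from the watched address have been pulled from a node, the next step is decoding their calldata. The block below assumes the command is passed to the contract as a single ABI `string` argument (an assumption; the post does not describe ClearFake's encoding), decodes it, and flags PowerShell-looking text. The transactions, selector and hashes are constructed sample data.

```python
"""Added example: decode an ABI-encoded string argument from Ethereum
transaction calldata and flag PowerShell-looking payloads.

Illustrative code, not Sekoia's tooling.  Assumes (not stated in the post)
that the payload is passed as a single ABI `string` argument: 4-byte selector,
32-byte offset, 32-byte length, then the UTF-8 bytes padded to 32 bytes."""
import re
from typing import Optional

WATCHED_ADDRESS = "0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA"  # address from the post

# Heuristic for PowerShell-style one-liners; tune to taste, it is not a signature.
PS_PATTERN = re.compile(
    r"(?i)(powershell|invoke-expression|\biex\b|downloadstring|"
    r"frombase64string|encodedcommand)"
)


def abi_encode_string(selector: bytes, text: str) -> str:
    """Build calldata for f(string): selector || offset(32) || length(32) || data."""
    data = text.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    body = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big") + padded
    return "0x" + (selector + body).hex()


def decode_abi_string_input(tx_input: str) -> Optional[str]:
    """Inverse of abi_encode_string. Returns None when the calldata is not a
    well-formed single-string call (too short, bad offset/length, not UTF-8)."""
    hex_part = tx_input[2:] if tx_input.startswith("0x") else tx_input
    raw = bytes.fromhex(hex_part)
    if len(raw) < 4 + 64:
        return None
    body = raw[4:]  # strip the function selector
    offset = int.from_bytes(body[:32], "big")
    if offset + 32 > len(body):
        return None
    length = int.from_bytes(body[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(body):
        return None
    try:
        return body[start:start + length].decode("utf-8")
    except UnicodeDecodeError:
        return None


def scan_transactions(txs, watched: str = WATCHED_ADDRESS):
    """Return (tx_hash, decoded payload) for every transaction sent from
    `watched` whose calldata decodes to a PowerShell-looking string."""
    hits = []
    for tx in txs:
        if tx["from"].lower() != watched.lower():
            continue  # only the sender we are monitoring
        payload = decode_abi_string_input(tx["input"])
        if payload and PS_PATTERN.search(payload):
            hits.append((tx["hash"], payload))
    return hits


# Constructed sample: two calls from the watched address (one benign) and one
# unrelated transaction. Selector bytes and hashes are made up for the example.
_SELECTOR = b"\x12\x34\x56\x78"
SAMPLE_TXS = [
    {"hash": "0xaaa", "from": WATCHED_ADDRESS,
     "input": abi_encode_string(_SELECTOR,
                                "powershell -w hidden -c \"Write-Output 'constructed sample'\"")},
    {"hash": "0xbbb", "from": WATCHED_ADDRESS,
     "input": abi_encode_string(_SELECTOR, "hello world")},
    {"hash": "0xccc", "from": "0x000000000000000000000000000000000000dEaD",
     "input": "0x"},
]

if __name__ == "__main__":
    for tx_hash, command in scan_transactions(SAMPLE_TXS):
        print(tx_hash, command)
```

Feed real records from `eth_getTransactionByHash` (or a block explorer export) into `scan_transactions`; the `from` and `input` fields are the only ones it reads. If the contract takes more than one argument, or stores the command differently, the offset-and-length walk in `decode_abi_string_input` has to be adapted accordingly.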
As usual, feedback is greatly appreciated!
Here is our in-depth analysis of the latest #ClearFake variant using the Binance Smart Chain and two new ClickFix lures.
ClearFake is injected into thousands of compromised sites to distribute the #Emmental Loader, #Lumma, #Rhadamanthys, and #Vidar.
⬇️
bsky.app/profile/seko...
I recently read the paper "Towards Joint Activity Design Heuristics: Essentials for Human-Machine Teaming" which I loved so much I wanted to make it easier to share. To that end, I've excerpted the Ten Heuristics from the paper here: human-machine.team with anchors for each heuristic.
Thank you, I love these blog posts!
Out of curiosity: do you track EpiBrowser and OneStart as belonging to this BrowserAssistant cluster that you just dropped?
For those who did not monitor the supply chain attack against Chrome extensions in December 2024, our article provides an overview of:
- the targeted phishing attack against extension developers
- malicious code
- the adversary's infrastructure
⬇️
bsky.app/profile/seko...
Around 1,000 malicious domains are hosting webpages impersonating Reddit and WeTransfer, redirecting users to download password-protected archives
These archives contain an AutoIt dropper, which we internally named #SelfAU3 Dropper at @sekoia.io and which executes #Lumma Stealer
IoCs ⬇️
25gray3cook[.]com #Mamba2FA
Our latest article exposes the new AiTM phishing kit Sneaky 2FA, sold by the cybercrime service "Sneaky Log"!
We provide an in-depth analysis of the phishing pages, the associated service, detection opportunities and multiple IoCs.
⬇️
bsky.app/profile/seko...
Sekoia investigated a cyber espionage campaign using legitimate Office documents, assessed to originate from the Ministry of Foreign Affairs of Kazakhstan, that were weaponized and used to collect strategic intelligence in Central Asia.
Here is the Double Tap campaign > blog.sekoia.io/double-tap-c...