Hashtag: #phishingcampaigns
UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns

UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns reconbee.com/uat-10362-ta...

#UAT10362 #Taiwanese #NGO #LucidRookmalware #spearphishing #phishingcampaigns #phishing

New XWorm Malware Variants Emerge in Phishing Campaigns with Advanced Plugin Capabilities

New variants of the XWorm backdoor malware are being actively spread through phishing campaigns after its original creator, known as XCoder, abandoned the project last year. The latest editions — XWorm 6.0, 6.4, and 6.5 — have been adopted by multiple cybercriminal groups. These updated versions include plugin support that enables a wide range of malicious activities, from data theft and remote system access to file encryption and decryption. The most recent release developed by XCoder was version 5.6, which contained a remote code execution (RCE) vulnerability. The newly distributed variants reportedly fix that flaw while introducing enhanced attack features.

First detected in 2022, XWorm gained notoriety for its modular structure and broad feature set. It’s primarily used to harvest sensitive data such as passwords, cryptocurrency wallets, and financial information. The malware can also record keystrokes, extract clipboard data, perform DDoS attacks, and deliver other malicious payloads. After XCoder deleted their Telegram channels, cracked versions of the malware began circulating widely, with various threat actors distributing them. In fact, one campaign even used XWorm itself as bait to target less-experienced hackers—infecting over 18,000 systems globally, primarily across Russia, the U.S., India, Ukraine, and Turkey.

A new version of XWorm appeared on a hacker forum, advertised by a user named XCoderTools, who offered access for a $500 lifetime subscription. Although it’s unclear if this is the same developer, the user claimed that the new versions fixed the RCE issue and introduced multiple updates. Cybersecurity researchers at Trellix have observed a rise in XWorm samples on VirusTotal since June, suggesting the malware’s increasing popularity among threat actors.

In one campaign, XWorm was distributed using malicious JavaScript that executed a PowerShell script capable of bypassing Microsoft’s Antimalware Scan Interface (AMSI) to install the backdoor. According to Trellix’s September report, “the XWorm malware infection chain has evolved to include additional techniques beyond traditional email-based attacks.” While .LNK files and email attachments remain common entry points, newer variants disguise themselves as legitimate executables — even mimicking applications like Discord. “This marks a shift towards combining social engineering with technical attack vectors for greater effectiveness,” Trellix explained. Further analyses revealed campaigns using AI-themed phishing lures and a modified version of ScreenConnect, as well as cases where malicious Excel files (.XLAM) embedded with shellcode delivered the payload.

Trellix researchers uncovered over 35 plugins associated with the latest XWorm versions, significantly expanding its functions — including a ransomware component. The Ransomware.dll plugin allows attackers to lock victims’ files, demand payment, and customize ransom notes, wallpaper messages, and Bitcoin wallet details. The encryption avoids system-critical directories, focusing on user folders like %USERPROFILE% and Documents. Encrypted files are appended with the .ENC extension, while a ransom instruction HTML file is dropped on the desktop. Code analysis revealed similarities between XWorm’s ransomware module and the NoCry ransomware from 2021, both using the same encryption methods (AES-CBC with 4096-byte blocks).

Beyond ransomware, other identified modules include:

* RemoteDesktop.dll – Enables full remote control sessions.
* Stealer.dll, Chromium.dll, Recovery.dll – Extract credentials and application data.
* FileManager.dll – Grants file system access and manipulation.
* Shell.dll – Executes commands through hidden CMD processes.
* Webcam.dll – Records or verifies the infected system through webcam access.
* TCPConnections.dll & ActiveWindows.dll – Send live system and network data to command servers.

With modules designed to steal data from more than 35 browsers, email clients, and crypto wallets, the malware represents a serious risk to both individuals and organizations. Trellix recommends a multi-layered cybersecurity defense, including EDR solutions for detecting malicious behavior, and email/web gateways to block droppers. Network monitoring tools can also help identify communications with command-and-control (C2) servers and prevent data exfiltration.

New XWorm Malware Variants Emerge in Phishing Campaigns with Advanced Plugin Capabilities #datatheftmalware #malware #PhishingCampaigns

Phishing Campaigns Exploit RMM Tools to Sustain Remote Access A sophisticated phishing operation in which attackers deploy remote monitoring and management (RMM) tools—ITarian (formerly Comodo), PDQ Connect, SimpleHelp, and Atera.

Phishing Campaigns Exploit RMM Tools to Sustain Remote Access
gbhackers.com/rmm-tools/

#Infosec #Security #Cybersecurity #CeptBiro #PhishingCampaigns #Exploit #RMMTools #RemoteAccess

Phishing Campaigns Use Real-Time Checks to Validate Victim Emails Before Credential Theft

Phishing Campaigns Use Real-Time Checks to Validate Victim Emails Before Credential Theft reconbee.com/phishing-cam...

#phishingcampaigns #phishingattack #emails #credentials #cybersecurity #cybersecuritynews #cyberattacks

Threat Actors Exploit Government Website Vulnerabilities for Phishing Campaigns Cofense Intelligence has continually observed the abuse or usage of legitimate domain service exploitation. This report highlights observed phishing threat actor abuse of .gov top-level domains (TLDs)...

Threat Actors Exploit Government Website Vulnerabilities for Phishing Campaigns
securityboulevard.com/2025/01/thre...

#Infosec #Security #Cybersecurity #CeptBiro #ThreatActors #Exploit #GovernmentWebsite #Vulnerabilities #PhishingCampaigns

HTTP Headers Phishing Campaigns Used For Credential Theft Uncover the attack details and techniques of the recent HTTP headers phishing campaigns. Gain insights and ensure protection today!

HTTP Headers Phishing Campaigns Used For Credential Theft
tuxcare.com/blog/http-he...
#Infosec #Security #Cybersecurity #CeptBiro #HTTPHeaders #PhishingCampaigns #CredentialTheft

Phishing campaigns target SMBs in Poland

Phishing campaigns target SMBs in Poland to deliver malware families such as Agent Tesla, Formbook, and Remcos RAT.

Phishing campaigns target SMBs in Poland, Romania, and Italy with multiple malware families
securityaffairs.com/166380/cyber...
#Infosec #Security #Cybersecurity #CeptBiro #PhishingCampaigns #SMBs #Poland #Romania #Italy #MultipleMalwareFamilies

Secure email gateways struggle to keep pace with sophisticated phishing campaigns - Help Net Security In 2023, malicious email threats bypassing secure email gateways (SEGs) increased by more than 100%, according to Cofense.

Secure email gateways struggle to keep pace with sophisticated phishing campaigns
www.helpnetsecurity.com/2024/02/23/b...

#Infosec #Security #Cybersecurity #CeptBiro #SecureEmailGateways #PhishingCampaigns
