#ics


March 2025 Trends Report on Phishing Emails

The report analyzes phishing email trends in March 2025, revealing that phishing attacks constituted 59% of email threats. Attackers primarily used HTML scripts to mimic login pages and promotional content, aiming to steal user credentials. The analysis covers distribution statistics, Korean phishing email patterns, and case studies of different attachment formats. Document attachments were found to contain hidden malicious files exploiting vulnerabilities, while compressed script files saw an increase in distribution. The report provides insights into attachment file extensions, recent distribution trends, and detailed analyses of specific phishing email attacks to help users identify and mitigate these threats.

Pulse ID: 67f812fe5a7e6a68a3ba46ba
Pulse Link: otx.alienvault.com/pulse/67f81
Pulse Author: AlienVault
Created: 2025-04-10 18:50:38

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue - Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

Smishing Triad: Chinese eCrime Group Targets 121+ Countries, Introduces New Banking Phishing Kit

The Chinese eCrime group Smishing Triad has launched a global SMS phishing campaign targeting over 121 countries across various industries. Their infrastructure generates over one million page visits in 20 days, averaging 50,000 daily. The group has introduced a new 'Lighthouse' phishing kit focusing on banking and financial organizations, particularly in Australia and the Asia-Pacific region. Smishing Triad claims to have '300+ front desk staff worldwide' supporting their operations. They frequently rotate domains, with approximately 25,000 active during any 8-day period. The majority of phishing sites are hosted by Chinese companies Tencent and Alibaba. The campaign primarily targets postal, logistics, telecommunications, transportation, finance, retail, and public sectors.

Pulse ID: 67f80a4937d04f9036252cf7
Pulse Link: otx.alienvault.com/pulse/67f80
Pulse Author: AlienVault
Created: 2025-04-10 18:13:29

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #Australia #Bank

Operation Sea Elephant: The Dying Walrus Wandering the Indian Ocean

The CNC group, with South Asian origins, has been targeting domestic teachers, students, and research institutions. Their operation, named 'sea elephant', aims to spy on scientific research achievements in the ocean field. The group employs various tactics, including spear-phishing emails, IM software exploitation, and customized plug-ins. Their malware includes remote command execution backdoors, USB flash drive propagation tools, keyloggers, and file stealers. The attackers use GitHub APIs and steganographic techniques to avoid detection. The operation's focus on ocean-related research suggests a nation's determination to dominate the Indian Ocean region. Additionally, a related campaign, UTG-Q-011, targets areas such as laser science and aerospace.

Pulse ID: 67f8130ae540cbf2f4076329
Pulse Link: otx.alienvault.com/pulse/67f81
Pulse Author: AlienVault
Created: 2025-04-10 18:50:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Scattered Spider: Still Hunting for Victims in 2025

Scattered Spider, a notorious hacking collective, continues to actively target victims in 2025. The group has expanded its focus to include services like Klaviyo, HubSpot, and Pure Storage, while targeting high-profile brands such as Audemars Piguet, Chick-fil-A, and Twitter/X. Silent Push researchers have identified five unique phishing kits used by Scattered Spider since 2023, with some undergoing updates. A new version of Spectre RAT has been discovered, along with the acquisition of a domain previously owned by Twitter/X. Despite arrests of several members in 2024, Scattered Spider has adapted its tactics, including the use of dynamic DNS providers and updated phishing kits. The group continues to employ sophisticated social engineering attacks to obtain credentials and multi-factor authentication tokens.

Pulse ID: 67f62708c6faf0ab4e24f6d4
Pulse Link: otx.alienvault.com/pulse/67f62
Pulse Author: AlienVault
Created: 2025-04-09 07:51:36

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks

Pakistan-linked SideCopy APT has expanded its targeting to include Indian railways, oil & gas, and external affairs ministries. The group has shifted from HTA files to MSI packages for staging, employing advanced techniques like DLL side-loading and reflective loading. They are leveraging customized open-source tools such as Xeno RAT and Spark RAT, and deploying a new CurlBack RAT. The attackers use compromised domains and fake sites for credential phishing and payload hosting. New tactics include reflective loading, AES decryption via PowerShell, and multi-platform attacks targeting both Windows and Linux systems. The group continues to evolve its methods to enhance persistence and evade detection.

Pulse ID: 67f573a5bed936092f4a65fd
Pulse Link: otx.alienvault.com/pulse/67f57
Pulse Author: AlienVault
Created: 2025-04-08 19:06:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

The Wagmi Manual: Copy, Paste, and Profit

The Wagmi traffer group, operating since early 2023, specializes in NFT scams and cryptocurrency theft. They utilize sophisticated social engineering tactics, fake web3-themed games, and impersonation of legitimate projects to lure victims. Their operations have allegedly earned over $2.4 million between June 2023 and March 2025. The group employs various techniques, including seed phrase phishing and automated wallet address scraping from social media. They target users of NFT marketplaces and the Web3 community, using fake job offers and enticing game promotions. The group also engages in code signing certificate abuse to bypass security measures and increase infection rates. Their malware payloads include HijackLoader, Lumma C2 infostealer, Rhadamanthys stealer, and AMOS stealer for MacOS.

Pulse ID: 67f4faa0ced84c07a0fad6d8
Pulse Link: otx.alienvault.com/pulse/67f4f
Pulse Author: AlienVault
Created: 2025-04-08 10:29:52

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads

North Korean threat actors have expanded their presence in the npm ecosystem, publishing additional malicious packages that deliver the BeaverTail malware and introduce new remote access trojan loader functionality. The campaign, known as Contagious Interview, aims to compromise developer systems, steal sensitive data, and maintain access to compromised environments. The actors have created new npm accounts and deployed malicious code across npm, GitHub, and Bitbucket. The expanded campaign includes 11 new packages with over 5,600 downloads, using hexadecimal string encoding to evade detection. The malware targets browser data, macOS keychain, and cryptocurrency wallets. The threat actors are diversifying their tactics, using multiple malware variants and obfuscation techniques to ensure resilience and evade detection.

Pulse ID: 67f4fb27428373d4ee443799
Pulse Link: otx.alienvault.com/pulse/67f4f
Pulse Author: AlienVault
Created: 2025-04-08 10:32:07

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

March 2025 Security Issues in Korean & Global Financial Sector

This analysis covers cyber threats and security issues in the financial industry, focusing on South Korea and global incidents. It examines malware and phishing cases, lists top malware strains, and provides statistics on leaked Korean accounts. The report delves into major financial threats on the dark web, including credit card data breaches, database leaks, and ransomware attacks. Notable cases involve the sale of 40 GB of credit card details from BidenCash, a data breach at a Swiss insurance company, a ransomware attack on a Sri Lankan bank, and the sale of SSH access credentials for a Canadian bankers association. These incidents highlight the need for enhanced security measures, comprehensive data management, and vigilance against evolving cyber threats in the financial sector.

Pulse ID: 67f4d122afc32aa34ba64375
Pulse Link: otx.alienvault.com/pulse/67f4d
Pulse Author: AlienVault
Created: 2025-04-08 07:32:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Vidar Stealer: Infostealer malware discovered in Steam game

A recent analysis uncovered a sophisticated deployment of Vidar Stealer, an infamous information-stealing malware, disguised as a legitimate Microsoft Sysinternals tool, BGInfo.exe. The malware, found with an expired Microsoft signature, was significantly larger than the original file and contained modified initialization routines. It creates virtual memory allocations to execute its malicious code, ultimately extracting and running Vidar Stealer. This variant maintains its core functionalities, including credential theft, cryptocurrency wallet targeting, session hijacking, and cloud data theft. The incident highlights the evolving tactics of cybercriminals, emphasizing the need for vigilant threat hunting and proactive security measures.

Pulse ID: 67f42a4eca9270b211468d90
Pulse Link: otx.alienvault.com/pulse/67f42
Pulse Author: AlienVault
Created: 2025-04-07 19:41:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation

A new threat group, dubbed PoisonSeed, is targeting enterprise organizations and individuals outside the cryptocurrency industry. The campaign focuses on phishing CRM and bulk email providers' credentials to export email lists and send bulk spam. The attackers use a cryptocurrency seed phrase poisoning attack, providing security seed phrases to trick victims into compromising their wallets. Similarities have been detected between PoisonSeed, Scattered Spider, and CryptoChameleon, but the campaign is being classified separately due to unique characteristics. The attackers have set up phishing pages for prominent CRM and bulk email companies, including Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho. Once credentials are phished, the process of bulk downloading email lists appears to be automated. The campaign also involves spam sent from compromised accounts, including a notable breach of an Akamai SendGrid account.

Pulse ID: 67f432acbd8d0957264e79a3
Pulse Link: otx.alienvault.com/pulse/67f43
Pulse Author: AlienVault
Created: 2025-04-07 20:16:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Unveiling EncryptHub: Analysis of a multi-stage malware campaign

EncryptHub, an emerging cybercriminal entity, has been conducting multi-stage malware campaigns using trojanized applications and third-party distribution services. Their tactics include using PowerShell scripts for system data gathering, information exfiltration, and payload deployment. The threat actor prioritizes stolen credentials based on cryptocurrency ownership and corporate network affiliation. EncryptHub is developing a remote access tool called 'EncryptRAT' with plans for future distribution. Their evolving killchain involves multiple stages, including initial execution, data exfiltration, system information collection, and eventual deployment of the Rhadamanthys malware. Despite operational security mistakes, EncryptHub continues to refine their tactics, emphasizing the need for vigilant cybersecurity measures.

Pulse ID: 67f3aae3b4d4fbbfe08e7839
Pulse Link: otx.alienvault.com/pulse/67f3a
Pulse Author: AlienVault
Created: 2025-04-07 10:37:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

The Lotus Blossom espionage group has been conducting cyber espionage campaigns targeting government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan. The group employs various versions of the Sagerunex backdoor, including new variants that use cloud services like Dropbox, Twitter, and Zimbra for command and control. Lotus Blossom utilizes multiple hacking tools and techniques to maintain long-term persistence in compromised networks. The attacks involve multi-stage operations, including reconnaissance, lateral movement, and data exfiltration. The group has been active since at least 2012 and continues to evolve its tactics and malware to evade detection.

Pulse ID: 67f038f22c3d7acc43c35cb7
Pulse Link: otx.alienvault.com/pulse/67f03
Pulse Author: AlienVault
Created: 2025-04-04 19:54:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

EDIT: It magically started working right after I posted this.

I am struggling to switch from Google Calendar to Nextcloud calendar. I exported my Google Calendar data as an .ics file. Then I went to Nextcloud (web client), clicked on the Calendar tab, clicked settings, clicked "import calendar," and uploaded my data...

and then nothing happened. None of my events showed up on my Nextcloud calendar.

How do I fix this? I wanna leave Google Calendar.

#Nextcloud #NextcloudCalendar #ICS #GoogleCalendar

Deobfuscating APT28's HTA Trojan: A Deep Dive into VBE Techniques & Multi-Layer Obfuscation

This analysis delves into APT28's cyber espionage campaign targeting Central Asia and Kazakhstan diplomatic relations, focusing on their HTA Trojan. The malware employs advanced obfuscation techniques, including VBE (VBScript Encoded) and multi-layer obfuscation. The investigation uses x32dbg debugging to decode the obfuscated code, revealing a custom map algorithm for character deobfuscation. The process involves decoding strings using embedded characters from Windows vbscript.dll. The analysis identifies the use of Microsoft's Windows Script Encoder (screnc.exe) to create VBE files. By employing various deobfuscation techniques, including a Python script, the final malware sample is extracted and analyzed, showcasing APT28's evolving tactics in cyber espionage.

Pulse ID: 67efc6e712b49d46c1423ca9
Pulse Link: otx.alienvault.com/pulse/67efc
Pulse Author: AlienVault
Created: 2025-04-04 11:47:51

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Russian-Speaking Threat Actor Abuses Cloudflare & Telegram in Phishing Campaign

A Russian-speaking threat actor has launched a new phishing campaign using Cloudflare-branded pages themed around DMCA takedown notices. The attack abuses the ms-search protocol to deliver malicious LNK files disguised as PDFs. Once executed, the malware communicates with a Telegram bot to report the victim's IP address before connecting to Pyramid C2 servers. The campaign leverages Cloudflare Pages and Workers services to host phishing pages, and uses an open directory to store malicious files. The infection chain includes PowerShell and Python scripts, with incremental changes in tactics to evade detection. The actors' infrastructure spans multiple domains and IP addresses, primarily using Cloudflare's network.

Pulse ID: 67efc6ed5285702a3440969a
Pulse Link: otx.alienvault.com/pulse/67efc
Pulse Author: AlienVault
Created: 2025-04-04 11:47:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

APT Targets South Korea with Deceptive PDF Lures

The Kimsuky APT group, also known as Black Banshee, has been actively targeting South Korean government entities using evolving tactics. Two distinct campaigns were uncovered, both utilizing government-themed PDF documents as lures. The infection chain begins with a phishing email containing a malicious LNK file attachment, which drops an obfuscated VBA script. This script then deploys additional files, including a PDF and a ZIP containing malicious components. The attacks involve sophisticated techniques such as Base64 encoding, obfuscation, and VM-aware evasion. The malware's functionalities include data exfiltration, cryptocurrency wallet theft, browser data extraction, keylogging, and establishing C2 communication. The campaigns demonstrate the group's continuous efforts to compromise South Korean targets using deceptive tactics and multi-stage malware.

Pulse ID: 67efe85af4503af2018d414e
Pulse Link: otx.alienvault.com/pulse/67efe
Pulse Author: AlienVault
Created: 2025-04-04 14:10:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation

The PoisonSeed campaign is targeting enterprise organizations and individuals outside the cryptocurrency industry by phishing CRM and bulk email provider credentials. The attackers export email lists and send bulk spam from compromised accounts, primarily to support cryptocurrency spam operations. The campaign uses a novel cryptocurrency seed phrase poisoning attack, providing security seed phrases to trick victims into copying them into new cryptocurrency wallets for future compromise. While similarities exist with Scattered Spider and CryptoChameleon groups, PoisonSeed is currently classified separately due to unique characteristics. The campaign has targeted companies like Coinbase, Ledger, Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho, using sophisticated phishing techniques and automated processes to quickly exploit compromised accounts.

Pulse ID: 67ef8546d1d9ef9cd8e91906
Pulse Link: otx.alienvault.com/pulse/67ef8
Pulse Author: AlienVault
Created: 2025-04-04 07:07:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Gootloader Returns: Malware Hidden in Google Ads for Legal Documents

The Gootloader malware campaign has evolved its tactics, now using Google Ads to target victims seeking legal templates. The threat actor advertises legal documents, primarily agreements, through compromised ad accounts. Users searching for templates are directed to a malicious website where they are prompted to enter their email address. They then receive an email with a link to download a seemingly legitimate document, which is actually a zipped .JS file containing malware. When executed, the malware creates a scheduled task and uses PowerShell to communicate with compromised WordPress blogs. The campaign demonstrates a shift in Gootloader's strategy, moving from poisoned search results to controlled infrastructure for malware delivery.

Pulse ID: 67ef0696f2790ccbd23c46a9
Pulse Link: otx.alienvault.com/pulse/67ef0
Pulse Author: AlienVault
Created: 2025-04-03 22:07:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Outlaw Linux Malware: Persistent, Unsophisticated, and Surprisingly Effective

OUTLAW is a persistent Linux malware that uses basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence to maintain a long-lasting botnet. Despite its lack of sophistication, it remains active by leveraging simple but impactful tactics. The malware deploys modified XMRig miners, uses IRC for command and control, and includes publicly available scripts for persistence and defense evasion. OUTLAW's infection chain spans nearly the entire MITRE ATT&CK framework, offering many detection opportunities. It propagates in a worm-like manner, using compromised hosts to launch further SSH brute-force attacks on local subnets, rapidly expanding the botnet.

Pulse ID: 67ef069f9224aa64d79e6a8e
Pulse Link: otx.alienvault.com/pulse/67ef0
Pulse Author: AlienVault
Created: 2025-04-03 22:07:27

Be advised, this data is unverified and should be considered preliminary. Always do further verification.
