CERT-UA Details New Cyber Attacks Against Ukrainian Defense Forces

Ukraine’s Computer Emergency Response Team (CERT-UA) has revealed details of a series of new cyberattacks targeting its defense forces and state institutions. These attacks, which took place between October and December 2025, involve various intrusion techniques and several malware families, including one known as PLUGGYAPE.

PLUGGYAPE attacks attributed to Void Blizzard

Among the most notable attacks are those distributing the PLUGGYAPE malware, attributed with “medium confidence” to the Russian hacking group Void Blizzard (also known as Laundry Bear or UAC-0190), active since at least April 2024. ...

January 14, 2026 · Comfidentia

86% Increase in Malicious Postal Services Websites during Holiday Season

The holiday shopping season has brought with it a notable increase in cyber threats targeting consumers. According to recent data, there has been an 86% increase in malicious websites impersonating postal services in the last month. This trend underscores the growing risk for consumers awaiting delivery of their online purchases. Cybercriminals are taking advantage of the seasonal increase in online shopping to send fraudulent messages that imitate legitimate delivery companies. These messages typically warn of supposed delays or suspended package deliveries, with the aim of deceiving victims. ...

December 22, 2025 · Comfidentia

Kimsuky distributes DocSwap malware via QR codes in phishing campaign

North Korean threat group Kimsuky has been linked to a new cyberattack campaign that uses QR codes to distribute a new variant of the DocSwap Android malware. Attackers are using phishing sites that imitate South Korean logistics company CJ Logistics to trick victims.

Distribution and Deception Mechanism

The campaign targets users of Android mobile devices using a sophisticated social engineering method. The attack process develops as follows:

Launch of the Attack: Cybercriminals send smishing messages (phishing SMS) or emails impersonating package delivery companies to trick recipients into clicking on malicious URLs.

Redirection with QR Codes: Victims who access the fraudulent URLs from a desktop computer are redirected to a page that asks them to scan a QR code with their Android device. This QR code leads to the download of the malicious application.

Social Engineering to Outwit Warnings: The phishing site claims that the installation of a supposed tracking application is necessary to verify identity due to “international customs security policies.” This tactic seeks to convince victims to ignore Android security warnings about installing apps from unknown sources.

DocSwap Malware Technical Analysis

Analysis by South Korean cybersecurity company ENKI reveals that the new DocSwap variant features evolved capabilities: ...

December 18, 2025 · Comfidentia

CastleLoader MaaS Used by Various Threat Actors: The Expansion of GrayBravo

Recent research has revealed the existence of four distinct threat activity groups that are leveraging a malware loader known as CastleLoader. This evidence reinforces the previous assessment that the tool is offered to other cybercriminals under a malware-as-a-service (MaaS) model. The threat actor behind CastleLoader has been identified by Recorded Future’s Insikt Group as GrayBravo, previously tracked as TAG-150.

GrayBravo’s Profile

GrayBravo is a threat actor characterized by:

Rapid development cycles.
Technical sophistication.
Responsiveness to public reports.
An expansive and constantly evolving infrastructure.

Tools and Frameworks

GrayBravo’s toolset includes several key pieces of malware: ...

December 9, 2025 · Comfidentia

GhostFrame: The New Phishing Framework That Has Deceived More Than One Million Users

A new phishing framework called GhostFrame, built around a stealthy iframe architecture, has been linked to more than a million attacks, cybersecurity experts at Barracuda have found. This attack kit distinguishes itself from known Phishing-as-a-Service (PhaaS) offerings by its innovative approach to evasion and deception.

How Does GhostFrame Work?

GhostFrame’s design focuses on a simple HTML file that presents itself as a harmless landing page, while hiding its malicious behavior within an embedded iframe. This structure allows attackers to: ...

December 4, 2025 · Comfidentia

Salty2FA and Tycoon2FA: The Emergence of Hybrid Phishing and Its Implications for Detection

Phishing kits typically have distinctive signatures in their delivery methods and infrastructure, making attribution easier. However, analysts have recently observed an overlap between two phishing kits, Salty2FA and Tycoon2FA, marking a significant change that complicates detection. ANY.RUN observed a sudden drop in Salty2FA activity, followed by the appearance of Tycoon2FA indicators within Salty2FA attack chains. Finally, unique payloads were detected that combined code from both frameworks. This convergence weakens kit-specific detection rules and gives threat actors more leeway to evade early detection. ...

December 3, 2025 · Comfidentia

Iberia Airlines Customer Data Compromised via Supplier Breach

Security Alert: Iberia Airlines Reports Customer Data Breach

Iberia Airlines, part of the International Airlines Group (IAG) along with British Airways and Aer Lingus, has notified its customers about a security incident that compromised personal information. The data breach originated through an Iberia supplier, underscoring the inherent risks to supply chain security. The airline began sending notifications to customers over the weekend, revealing that the incident involved unauthorized access to a supplier’s systems. ...

November 24, 2025 · Comfidentia