Also tracked as UAC-0010 or Shuckworm, Gamaredon continues to exploit CVE-2025-8088, a directory traversal vulnerability in WinRAR that allows malicious files to be written outside the intended extraction directory. Although the flaw has been widely abused since 2025, researchers noted that Gamaredon’s campaigns stand out due to their persistence, rapid infrastructure rotation, and repeated targeting of Ukrainian government entities.

Phishing Campaign Delivers GammaDrop Malware

The attacks begin with carefully crafted spearphishing emails sent either from compromised Ukrainian government accounts or spoofed domains designed to appear legitimate. Many of these emails mimic official court summons, legal notices, or government-related communications to increase the likelihood of user interaction.

The phishing attachments typically contain malicious RAR or ARJ archives disguised as regular documents. Inside the archive, researchers identified:

• A decoy PDF document used to distract the victim
• A hidden VBScript payload stored using NTFS Alternate Data Streams (ADS)

When the archive is extracted, the WinRAR vulnerability is abused to silently place the malicious VBScript into the Windows Startup folder. This ensures persistence on the infected machine without requiring additional user interaction.

The first-stage payload, known as GammaDrop, functions as a downloader responsible for retrieving additional malware from attacker-controlled infrastructure. Researchers observed that the script is heavily obfuscated using randomized variables, junk code, and automated generation techniques commonly associated with Gamaredon operations.

GammaLoad Expands Persistence and Reconnaissance

After execution, GammaDrop downloads a second-stage malware component called GammaLoad from infrastructure hosted through Cloudflare Workers. The payload is delivered as an HTA file and launched using mshta.exe in a hidden window to avoid drawing attention.

GammaLoad acts as both a persistence mechanism and a reconnaissance tool. It creates RunOnce registry entries and continuously communicates with command-and-control servers to receive instructions and additional payloads.

The malware collects system-level information including:

• Computer name
• System drive details
• Volume serial numbers
• Victim identification data

This information is embedded into beaconing traffic, allowing attackers to uniquely track infected systems and selectively deliver follow-up malware.

Researchers also observed that Gamaredon frequently rotates its infrastructure using fast-flux DNS, dynamic DNS services, and short-lived domains to evade detection. Communication traffic is disguised using legitimate browser user-agent strings, while some newer variants imitate automated services such as Bingbot to blend malicious traffic with normal network activity.

The Security Service of Ukraine (SSU), along with regional government and law enforcement organizations, remains one of the primary targets of these campaigns. Researchers believe the operation’s success is also supported by weak email authentication practices across some targeted domains, where missing or poorly configured SPF, DKIM, and DMARC policies allow attackers to spoof trusted senders more effectively.

Although the malware itself is not considered highly advanced, Gamaredon continues to maintain a strong operational presence through continuous adaptation, large-scale phishing activity, and aggressive infrastructure management.

Security teams are advised to patch vulnerable WinRAR installations immediately, strengthen email authentication controls, monitor suspicious archive-based phishing activity, and block known malicious infrastructure associated with the campaign.

The post Gamaredon Phishing Attacks Use GammaDrop Malware appeared first on First Hackers News.

Instead of relying on fake domains or compromised mail servers, attackers use Google AppSheet to send emails through Google’s own infrastructure. These messages are generated as part of automated workflows, meaning they pass authentication checks like SPF, DKIM, and DMARC without raising suspicion.

As a result, security tools and spam filters see them as trusted communications, allowing phishing messages to land directly in inboxes of targeted users—often business account owners managing Facebook pages.

Multi-Layered Attack Strategy

The campaign is not a single phishing page but a structured, multi-stage system designed to increase success rates. Victims are first directed to pages hosted on Netlify, where attackers replicate the Facebook Help Center with high accuracy. These pages are customized per victim using unique subdomains, making them difficult to block using traditional security measures.

From there, users are guided through a series of steps that collect not only login credentials but also deeper identity information such as date of birth and even government-issued ID images. In some cases, the attackers shift tactics by offering fake incentives, like verification badges, hosted on platforms such as Vercel. These pages are designed to look dynamic and legitimate, while quietly bypassing detection systems using techniques like hidden Unicode characters.

The operation becomes more advanced in later stages. Attackers host phishing documents on Google Drive, presenting them as official Meta notifications. These documents, often designed using Canva, contain embedded links that redirect victims into interactive phishing environments. These environments are powered by real-time communication frameworks, allowing attackers to actively engage with victims during the login process.

This live interaction is a critical aspect of the campaign. Instead of passively collecting credentials, attackers can request one-time passwords, monitor user actions, and even capture browser sessions as they happen. This significantly increases the likelihood of successful account takeover, even when multi-factor authentication is enabled.

Real-Time Data Exfiltration and Attribution

Once credentials are captured, they are immediately transmitted through a centralized system built around Telegram bots. This allows operators to monitor incoming data in real time and quickly take control of compromised accounts before victims notice suspicious activity.

Analysis of the infrastructure shows a strong operational scale, with thousands of records flowing into attacker-controlled channels. Most victims are concentrated in regions like the United States and Europe, indicating a focus on high-value targets such as businesses and influencers.

Investigators were also able to trace elements of the campaign back to Vietnamese actors. This attribution is supported by metadata found in phishing documents and developer comments embedded within the malicious code, providing insight into the origin of the operation.

A Shift Toward Industrialized Phishing

AccountDumpling reflects a broader shift in cybercrime, where phishing is no longer a simple tactic but part of a larger, industrialized ecosystem. Attackers are combining trusted services, automation, and real-time interaction to create highly effective campaigns that are difficult to detect and disrupt.

Compromised accounts are rarely the end goal. They are often reused for further scams, advertising fraud, or additional phishing attacks, creating a cycle that sustains and expands the operation. This approach shows how modern threat actors are leveraging legitimate platforms at scale, turning them into tools for widespread abuse while staying under the radar.

The post Facebook Phishing Campaign Targets Business Accounts appeared first on First Hackers News.

The operation focused on the W3LL phishing kit, a tool widely used by cybercriminals to steal credentials and bypass multi-factor authentication. Attackers used this kit to carry out large-scale fraud attempts, with losses estimated to exceed $20 million.

How the W3LL Phishing Kit Worked

The W3LL toolkit was designed to make cybercrime easier, even for low-skilled attackers. It was sold as a service, allowing buyers to quickly launch phishing campaigns using ready-made fake login pages that closely mimicked legitimate websites.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

What made this tool especially dangerous was its ability to go beyond simple credential theft. Instead of just capturing usernames and passwords, it also collected session data and authentication tokens. This allowed attackers to bypass MFA protections and gain ongoing access to accounts without raising immediate alerts.

The ecosystem also included an underground marketplace called W3LLSTORE. This platform enabled criminals to buy and sell stolen credentials, corporate access, and remote connections, creating a full cybercrime supply chain.

• Over 25,000 compromised accounts were sold between 2019 and 2023
• More than 17,000 victims were targeted globally in recent campaigns
• Fraud attempts exceeded $20 million
• Stolen access was often resold multiple times for profit

Law Enforcement Action and Impact

Even after the original marketplace shut down, the operation continued through private channels. Investigators tracked its evolution and identified the key individuals behind it.

With support from U.S. authorities, the FBI seized critical infrastructure used to run the phishing service. At the same time, Indonesian police arrested the suspected developer and took control of domains linked to the operation.

Officials described the platform as more than just a phishing kit—it functioned as a complete cybercrime service. By shutting it down, authorities have disrupted a major tool that attackers relied on to breach organizations.

This takedown highlights how modern phishing has evolved into organized, scalable operations—and why international cooperation is essential to combat today’s cyber threats.

The post W3LL Phishing Kit Takedown Disrupts MFA Bypass Campaign appeared first on First Hackers News.

A new phishing campaign is pretending to be LastPass support emails to trick users into revealing their vault passwords and account credentials.

Attackers send emails that look like internal support conversations about suspicious activity on a user’s account.

These messages claim that someone is attempting actions such as:

• Exporting vault data
• Recovering the account
• Registering a new trusted device

The goal is to scare users into reacting quickly.

How the Phishing Attack Works

Hackers use a method called display name spoofing. The sender name appears as LastPass Support, but the actual email address comes from a different domain.

Many email apps, especially on mobile devices, show only the sender name. Because of this, users may not notice the fake address.

The email then asks users to secure or verify their account by clicking a link.

However, the link leads to a malicious website such as:

verify-lastpass[.]com

This site hosts a fake LastPass login page designed to look identical to the official one. If users enter their credentials, attackers can capture their master password and access their stored vault data.

Common Phishing Email Signs

The phishing emails often include LastPass branding and fake message threads to appear legitimate.

Some of the subject lines used include:

• “Account recovery verification request”
• “Unauthorized vault export attempt detected”
• “New trusted device registered to your account”

These messages create urgency so users click before verifying the source.

Security Advice for LastPass Users

LastPass has warned that it will never ask for a user’s master password through email.

Users should take the following precautions:

• Check the full sender email address carefully
• Avoid clicking links inside emails
• Access LastPass directly through the official website or app
• Enable multi-factor authentication (MFA)
• Report suspicious emails to abuse@lastpass.com

Why This Attack Matters

Phishing attacks are becoming more realistic and harder to detect.

Since password managers store sensitive data, they are a high-value target for cybercriminals. Users should always verify security alerts and avoid rushing to click links, even when the message appears legitimate.

The post Fake LastPass Support Scam Targets Password Vaults appeared first on First Hackers News.

Instead of exploiting software bugs or directly stealing passwords, attackers abuse trusted login flows used by platforms like Microsoft Entra ID and Google Workspace. This tactic allows them to bypass traditional email security systems and quietly redirect victims to malicious sites.

How the Attack Starts

The attack begins when threat actors create a malicious application inside their own cloud tenant. They configure the application’s redirect link to point to a domain controlled by the attackers.

To lure victims, attackers send phishing emails that appear legitimate. These messages often look like normal workplace requests.

Common phishing lures include:

• Fake e-signature requests
• Microsoft Teams meeting invitations
• Password reset alerts
• Account verification messages

When a victim clicks the link, a hidden OAuth authorization process begins.

How Attackers Bypass Detection

Attackers modify certain parameters in the OAuth request to trigger a silent authentication process.

Two parameters are commonly abused:

• prompt=none – forces the system to check the session without user interaction
• scope=invalid – intentionally triggers an authentication error

This forces the identity provider to redirect the user automatically. Because the redirection happens through a trusted identity provider, the link looks legitimate to users and security tools.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

Using the “State” Parameter for Deception

To make the attack look even more convincing, attackers abuse the OAuth state parameter.

Normally, this parameter is used to match authentication requests and responses. However, attackers encode the victim’s email address inside it.

Encoding methods used include:

• Base64
• Hex encoding
• Custom decoding schemes

When the victim lands on the phishing page, their email address is already filled in automatically, making the login page appear legitimate.

What Happens After Redirection

Once redirected, victims are sent to attacker-controlled infrastructure.

Two main outcomes have been observed:

Credential Theft

Victims are redirected to phishing frameworks such as EvilProxy that capture login credentials and session cookies.

Malware Delivery

In some campaigns, the redirect automatically downloads a ZIP file. This archive contains a malicious shortcut that launches a PowerShell script.

The script performs several actions:

• Collects system information
• Extracts a legitimate executable file (steam_monitor.exe)
• Loads a malicious DLL (crashhandler.dll)

This technique allows attackers to run malicious code while appearing as legitimate software, ultimately connecting the infected system to an external command-and-control server.

Mitigation and Threat Indicators

This attack shows how threat actors can misuse normal OAuth authentication behavior instead of exploiting software bugs. Because the activity follows standard protocol rules, it can be harder for traditional security tools to detect.

Key Mitigation Steps

• Restrict user consent for third-party OAuth applications
• Regularly audit apps with excessive permissions
• Implement Conditional Access policies
• Enable strong identity protection controls
• Use XDR to monitor identity, email, and endpoint activity
• Monitor OAuth URL clicks with invalid scope parameters
• Watch for unusual downloads triggered after OAuth redirects
• Investigate suspicious PowerShell executions
• Detect unexpected DLL side-loading activit

IOCs

The post OAuth Phishing Campaign Targets Entra ID and Google Workspace appeared first on First Hackers News.

By hosting phishing content on legitimate Google-owned domains, the attackers are able to bypass many email security filters and web gateways. Because the links appear trustworthy, they are less likely to raise suspicion.

Victims are redirected to realistic login pages that imitate well-known brands. After entering their credentials, they are quietly sent to the real website, making the attack difficult to detect.

Global Impact and Scale

The campaign is widespread. Investigators uncovered attacker-controlled servers containing thousands of stolen credentials linked to more than 1,000 organizations across 100+ countries and over 200 industries.

Mexico has the highest number of confirmed victims, particularly in manufacturing, education, and government sectors. The United States, Spain, India, and Argentina are also significantly affected.

The use of trusted cloud services makes this campaign especially effective and harder to block using traditional security controls.

Group-IB researchers describe GTFire as a structured, large-scale credential theft operation.

Attackers reuse the same phishing templates across multiple brands and store stolen data on centralized servers, organized by date, language, and targeted servic

More than 120 phishing domains were discovered, using similar naming patterns to quickly rotate infrastructure and avoid detection.

Attackers customize each fake login page to closely match real brands. After victims enter their credentials, they are redirected to the legitimate website, delaying suspicion.

Because the campaign uses trusted Google domains, traditional URL filtering and blocklists struggle to detect it — showing how easily legitimate infrastructure can be misused for phishing.

How the Attack Works

The attack starts with a phishing email that contains a Google Translate link. This link quietly routes the victim through Google’s translation service before redirecting them to a fake login page hosted on Firebase.

Because the link uses a Google domain, many email filters and web gateways do not block it.

Attackers create many random *.web.app subdomains to host phishing pages and rotate them frequently to avoid detection. Each page is designed to look like a real brand login portal.

When victims enter their credentials, they are shown a fake “wrong password” message and asked to try again. Both login attempts are secretly captured and sent to attacker-controlled servers, along with basic details like location and browser language.

The stolen data is collected using simple, ready-made backend tools, making the campaign easy to scale.

Mitigation Measures

Organizations should:

• Enforce phishing-resistant multi-factor authentication (MFA)
• Train employees to recognize suspicious Google-based links
• Monitor for unusual use of translate.goog and *.web.app domains
• Watch for brand impersonation hosted on trusted cloud platforms
• Share indicators of compromise with security communities and CERT teams

Trusted services can be misused, so detection strategies must go beyond basic domain reputation check

The post GTFire Phishing Attack Hides Behind Google Services appeared first on First Hackers News.

AI-Driven Phishing Kit

Researchers track the activity using a small but unusual clue: four mushroom emojis hidden inside the text “OUTL.” So far, this marker has been linked to more than 75 separate attack setups.

The attackers collect stolen email usernames and passwords, along with the victim’s IP address and location. This information is then sent to the attackers using Telegram and Discord.

To trick users, the phishing page copies the Outlook login screen and displays prompts in Spanish, making it look legitimate to victims.

After a victim enters their login details, the phishing tool quickly adds extra context to the stolen data. It checks the user’s IP address using api.ipify.org and pulls location details from ipapi.co.

This data collection happens instantly, before the stolen credentials are sent to the attackers.

The campaign shows careful planning. Even though the attackers change how the code is hidden, the way the operation runs stays mostly the same.

Sage Hollow researchers first spotted the activity by noticing the repeated mushroom emoji marker, which helped them trace more related attacks.

Over time, the phishing kit has appeared in multiple versions. Some use heavy obfuscation and anti-analysis tricks, while others are left completely open and resemble AI-generated code. The latest version, disBLOCK.js, uses clean formatting, clear function names, and Spanish comments explaining each step — signs that the code was likely generated with AI rather than written fully by hand.

How the Phishing Kit Works

The phishing tool is designed with separate pieces, keeping its settings away from the main logic. In earlier versions, a file called xjsx.js was used to store Telegram bot details with only basic hiding techniques.

When someone enters their login details on the fake page, the tool runs through a set process. It checks whether the email address is valid, then reaches out to external services to collect IP and location information.

All stolen data is bundled into a standard message format and sent over regular HTTPS connections. The attackers use either Telegram bots or Discord webhooks to receive this information.

Newer samples rely more on Discord webhooks because they work as one-way channels. Even if the link is discovered, past data cannot be viewed.

This setup points to a shared phishing platform, where multiple attackers reuse the same toolkit across different campaigns.

Security Recommendations

• Organizations should enable phishing-resistant MFA on Microsoft accounts to reduce the impact of stolen passwords.
• Email gateways should be tuned to detect look-alike Outlook login pages and block messages that redirect users to external authentication sites.
• Security teams should monitor outbound traffic for suspicious connections to Telegram bot APIs and Discord webhooks, especially from user workstations.
• User awareness remains critical. Employees should be reminded to verify login pages and avoid entering credentials through email links.
• Incident response teams should reset affected credentials immediately and review sign-in logs for abnormal locations and IP addresses.

The post AI-Driven Phishing Kit Targets Microsoft Accounts appeared first on First Hackers News.

Earlier incidents linked to ForumTrol involved rare malware families such as the LeetAgent backdoor and the Dante spyware developed by Memento Labs.

In contrast to their previous attacks on large organizations, this new activity is directed at individual experts in political science, international relations, and global economics across major universities and research institutes in Russia.

𝗖𝗵𝗿𝗼𝗺𝗲 𝟬-𝗗𝗮𝘆 𝗶𝗻 𝗡𝗲𝘄 𝗣𝗵𝗶𝘀𝗵𝗶𝗻𝗴 𝗖𝗮𝗺𝗽𝗮𝗶𝗴𝗻

The campaign uses phishing emails sent from support@e-library[.]wiki, an address crafted to mimic the legitimate scientific platform eLibrary. The attackers rely on this impersonation to make their messages look genuine and increase the chances of victims opening the malicious content.

When someone clicks the link in the phishing email, they are taken to a page that delivers a ZIP file created specifically for them. The file even uses the victim’s full name in the LastName_FirstName_Patronymic.zip format to appear legitimate.

The group behind the attack planned this well in advance. They registered the malicious domain in March 2025, long before the campaign started. This helped the domain look “normal” online and reduced the chances of it being flagged as suspicious.

To make the operation more convincing, the attackers copied the real eLibrary website and added controls that block repeated downloads. This made it harder for analysts to examine the files.

Securelist researchers discovered the campaign in October 2025, shortly before presenting their research on ForumTrol at the Security Analyst Summit.

Their analysis showed that the attackers studied each target, gathered personal details, and adjusted every message to match the individual. The website also checked a visitor’s device and asked people using non-Windows systems to switch to a Windows computer before accessing the file—another sign of the attackers’ technical precision.

These steps—personalized files, early domain registration, and careful filtering—show how much effort ForumTrol put into avoiding detection and increasing the chances of a successful infection.

The archive includes a shortcut named after the victim and a folder of random images to appear normal. Opening the shortcut runs a PowerShell script that downloads a DLL from e-library[.]wiki and saves it as iconcache_.dll.

The malware stays on the system using COM Hijacking by adding the DLL path to the InProcServer32 registry key.

To distract the user, a fake plagiarism report opens while the loader installs the Tuoni remote-access framework.

The post 𝗙𝗼𝗿𝘂𝗺𝗧𝗿𝗼𝗹 𝗨𝘀𝗲𝘀 𝗖𝗵𝗿𝗼𝗺𝗲 𝟬-𝗗𝗮𝘆 𝗶𝗻 𝗡𝗲𝘄 𝗣𝗵𝗶𝘀𝗵𝗶𝗻𝗴 𝗖𝗮𝗺𝗽𝗮𝗶𝗴𝗻 appeared first on First Hackers News.

According to the National Cyber Security Centre (NCSC), victims are receiving fake text messages claiming their missing iPhones have been found — often in another country and even months after being lost.

These messages appear to come from Apple and include real details about the device, such as model, color, and storage, making them look legitimate.

The scam works like this:

• Victims receive a message or iMessage saying their iPhone has been located.
• The message includes a link that appears to show the phone’s location.
• When clicked, it redirects to a fake Apple login page that steals the victim’s Apple ID and password.

Attackers are becoming more sophisticated, using accurate information from the lost device and realistic design elements to build trust. The phishing site even displays a fake map showing the device’s “location”, increasing the urgency and making users more likely to log in.

The Real Goal Behind iPhone Phishing Scams: Bypassing Activation Lock

Apple’s Activation Lock ties a device to its owner’s Apple ID, making a stolen iPhone practically useless to thieves. There’s no reliable technical way to remove this lock — so criminals try social engineering instead.

How attackers get a locked phone’s contact details (two likely methods):

• SIM access: If the thief still has the phone’s SIM and it hasn’t been blocked, they can read the number.
• Find My message: Owners often show a contact phone or email on the lock screen via Find My so an honest finder can return the device. Thieves can use that same info to craft targeted phishing messages.

Why this matters: the contact information meant to help you get your phone back can also give scammers the exact data they need to trick you into handing over your Apple ID.

Quick safety tips:

• Avoid putting a personal phone number or email on the lock screen.
• Use the official Find My Lost Mode and follow Apple’s guidance if your device is missing.
• Immediately change your Apple ID password and contact your carrier to suspend the SIM if your phone is stolen.

The post New Phishing Trick Hits People Who Lost Their iPhones appeared first on First Hackers News.

The attack uses MIME encoding and Unicode soft hyphens to make the subject appear normal to human readers while concealing malicious intent from email scanners.

This method targets email filters that rely on keyword detection and pattern matching, representing a more advanced social engineering tactic. Researchers noticed the campaign when subject lines looked garbled or incomplete in the inbox, but displayed normally once the email was opened.Invisible characters are strategically placed to break up keywords and avoid detection.

The campaign mainly aims to steal login credentials through fake webmail pages, sending subjects like “Your Password is about to Expire,” where the invisible characters hide the trigger words from security systems.

The phishing emails send recipients to fake websites designed to capture login details.

Analysts at the Internet Storm Center spotted this tactic while reviewing malicious messages, noting that invisible characters were being used in subject lines—an uncommon twist compared to the usual use in email bodies.

How it works:

Attackers use MIME encoded-word formatting (RFC 2047) to hide the characters. The subject line follows this pattern:

encoded-word = "=?charset?encoding?encoded-text?="

Here, the content is UTF-8 text encoded in Base64.

Captured examples show headers like:

Subject: =?UTF-8?B?WcKtb3XCrXIgUMKtYXPCrXN3wq1vwq1yZCBpwq =?UTF-8?B?dMKtbyBFwq14wq1wwq1pcsKtZQ==?=

When decoded, soft hyphen characters (Unicode U+00AD) are inserted between letters, breaking up recognizable keywords to evade email filters.

Soft hyphens are invisible in most email clients (including Outlook), so they break keywords at the code level—making “password” unreadable to scanners while still appearing normal to users. Attackers also hide these characters inside message bodies to bypass content filters. The phishing links point to compromised legitimate sites that host fake webmail login pages to harvest credentials.

The post Phishing Attack Hides Malicious Emails with Invisible Characters appeared first on First Hackers News.