Instead of relying on fake domains or compromised mail servers, attackers use Google AppSheet to send emails through Google’s own infrastructure. These messages are generated as part of automated workflows, meaning they pass authentication checks like SPF, DKIM, and DMARC without raising suspicion.

As a result, security tools and spam filters see them as trusted communications, allowing phishing messages to land directly in inboxes of targeted users—often business account owners managing Facebook pages.

Multi-Layered Attack Strategy

The campaign is not a single phishing page but a structured, multi-stage system designed to increase success rates. Victims are first directed to pages hosted on Netlify, where attackers replicate the Facebook Help Center with high accuracy. These pages are customized per victim using unique subdomains, making them difficult to block using traditional security measures.

From there, users are guided through a series of steps that collect not only login credentials but also deeper identity information such as date of birth and even government-issued ID images. In some cases, the attackers shift tactics by offering fake incentives, like verification badges, hosted on platforms such as Vercel. These pages are designed to look dynamic and legitimate, while quietly bypassing detection systems using techniques like hidden Unicode characters.

The operation becomes more advanced in later stages. Attackers host phishing documents on Google Drive, presenting them as official Meta notifications. These documents, often designed using Canva, contain embedded links that redirect victims into interactive phishing environments. These environments are powered by real-time communication frameworks, allowing attackers to actively engage with victims during the login process.

This live interaction is a critical aspect of the campaign. Instead of passively collecting credentials, attackers can request one-time passwords, monitor user actions, and even capture browser sessions as they happen. This significantly increases the likelihood of successful account takeover, even when multi-factor authentication is enabled.

Real-Time Data Exfiltration and Attribution

Once credentials are captured, they are immediately transmitted through a centralized system built around Telegram bots. This allows operators to monitor incoming data in real time and quickly take control of compromised accounts before victims notice suspicious activity.

Analysis of the infrastructure shows a strong operational scale, with thousands of records flowing into attacker-controlled channels. Most victims are concentrated in regions like the United States and Europe, indicating a focus on high-value targets such as businesses and influencers.

Investigators were also able to trace elements of the campaign back to Vietnamese actors. This attribution is supported by metadata found in phishing documents and developer comments embedded within the malicious code, providing insight into the origin of the operation.

A Shift Toward Industrialized Phishing

AccountDumpling reflects a broader shift in cybercrime, where phishing is no longer a simple tactic but part of a larger, industrialized ecosystem. Attackers are combining trusted services, automation, and real-time interaction to create highly effective campaigns that are difficult to detect and disrupt.

Compromised accounts are rarely the end goal. They are often reused for further scams, advertising fraud, or additional phishing attacks, creating a cycle that sustains and expands the operation. This approach shows how modern threat actors are leveraging legitimate platforms at scale, turning them into tools for widespread abuse while staying under the radar.

The post Facebook Phishing Campaign Targets Business Accounts appeared first on First Hackers News.

This activity was uncovered by the Atos Threat Research Center in early 2026. The goal is clear—compromise high-privilege users and gain direct access to critical systems.

How the Attack Starts

The attack begins with SEO poisoning across search engines like Bing, Yahoo, DuckDuckGo, and Yandex.

Attackers push fake GitHub repositories to the top of search results for queries related to popular admin tools. These repositories look legitimate and contain detailed documentation, but they don’t host malware directly.

The infection flow works like this:

• Fake GitHub repo acts as a trusted storefront
• README links redirect users to another repository
• Second repo hosts a malicious MSI installer
• Payload is executed on the victim system

This two-step setup helps attackers stay active even if one repository is removed.

Targeting High-Privilege Users

The campaign specifically mimics well-known administrative tools such as PsExec, AzCopy, Sysmon, LAPS, and WinDbg. These tools are typically used by administrators, DevOps teams, and security analysts.

This approach acts as a filtering mechanism:

• Only users searching for these tools are targeted
• Most victims already have elevated privileges
• A successful infection gives immediate high-level access

By abusing trust in commonly used tools, attackers increase the chances of execution without suspicion.

Malware Behavior and Execution

Once the malicious installer runs, a multi-stage RAT is deployed using JavaScript and fileless techniques.

The behavior includes:

• Obfuscated scripts install Node.js and trigger execution
• Payloads are decrypted in memory using AES-256
• Persistence is created through Windows Registry Run keys
• Malware runs under legitimate processes like conhost.exe
• Continuous communication with attacker infrastructure

The RAT allows attackers to execute commands, monitor systems, and extract sensitive data without obvious signs.

Blockchain-Based Command and Control

One of the most unique aspects of EtherRAT is its use of blockchain for command-and-control.

Instead of fixed servers, the malware retrieves its C2 address from the Ethereum network. This makes it extremely difficult to block or disrupt.

Key advantages for attackers:

• No fixed IP or domain to blacklist
• C2 can be updated instantly via blockchain transactions

Because public blockchain infrastructure is widely accessible, traditional takedown strategies become ineffective.

Ongoing Activity and Threat Impact

Researchers observed at least 40+ malicious GitHub repositories over several months, showing this is not a one-time campaign but an ongoing operation.

There are also similarities with techniques used by groups like Lazarus Group and MuddyWater, though attribution is still being analyzed.

Unlike typical large-scale malware campaigns, EtherRAT focuses on stealth and persistence. After initial access, attackers perform quiet reconnaissance instead of immediate disruptive actions.

Why This Matters

This campaign highlights a shift in cyber threats:

• Attackers target fewer users but with higher value
• Legitimate platforms like GitHub are used to build trust
• Decentralized technologies like blockchain increase resilience

Organizations should verify software sources, limit administrative privileges, and monitor unusual outbound traffic—especially connections to blockchain services.

EtherRAT shows how modern attackers are blending trusted platforms with advanced techniques to create highly targeted and durable threats.

The post EtherRAT Attack Targets Enterprise Admins appeared first on First Hackers News.

With this approach, users will no longer have to depend on shared cloud storage limits. Instead, WhatsApp aims to provide its own storage environment specifically built for messaging data. This is especially important as chat backups today include large files like high-resolution images, videos, and voice notes, which quickly consume available space.

All data stored in this system will be protected with end-to-end encryption by default. This means that messages remain private, and even WhatsApp itself cannot access the content. By keeping backups encrypted at all times, the platform is aiming to reduce the risk of unauthorized access or data exposure.

Enhanced Security with Passkeys

To strengthen protection further, WhatsApp is planning to introduce passkey-based authentication for backup access. Instead of using traditional passwords or long encryption keys, users will be able to unlock their backups using biometric methods such as fingerprint or facial recognition.

This makes the process both simpler and more secure. The authentication is tied directly to the user’s device, which reduces the risk of attacks like phishing, credential theft, or brute-force attempts. The passkey is securely stored and can sync across trusted devices, allowing users to restore backups without needing to remember complex credentials.

At the same time, WhatsApp is expected to keep alternative options available. Users who prefer using passwords or encryption keys will still have that choice, ensuring flexibility for different security preferences.

Storage Options and Rollout Plans

The upcoming system is also expected to introduce dedicated storage plans for backups. Early expectations suggest a small free storage tier for basic use, along with larger paid options for users who need more capacity. This would allow users to manage their backup storage without affecting their personal cloud accounts.

Despite this shift, WhatsApp is likely to continue supporting third-party backups for users who prefer their current setup. This ensures a smoother transition without forcing immediate changes.

The feature is still in development and has not yet been released publicly. It is expected to go through multiple testing phases to ensure stability, security, and compatibility with existing systems before a wider rollout begins.

This move reflects a broader industry trend toward building self-contained ecosystems that prioritize privacy, security, and better control over user data, rather than relying entirely on external platforms.

The post WhatsApp Tests Safer Cloud Backup for Messages appeared first on First Hackers News.

The attack starts with a targeted phishing email sent to specific organizations, particularly government-related entities. The email is designed to look legitimate, pretending to come from an internal consultant and referencing a real-looking project to gain trust.

To make the message more convincing, it is marked as urgent and includes a request for a read receipt. This increases the chances that the recipient will open the attachments without suspicion.

This multi stage malware attack poses serious threats to organizations, as its multi-layered nature complicates detection and remediation efforts.

The email contains two files with slightly misspelled names to appear like quick internal documents:

• A Word file pretending to be a report
• A PDF file that looks like an official document

These small tricks are used to make the attack look normal and believable.

How the Multi-Stage Attack Works

The infection process is carefully designed and happens in multiple steps. This layered approach helps the malware stay hidden during each stage.

When the Word file is opened, it asks the user to enable macros. If the user allows it, hidden code runs in the background and downloads a malicious file from an external server. This technique helps bypass basic security checks.

At the same time, the PDF file acts as another attack path. It shows a fake error message asking the user to update their PDF reader. If the user clicks the prompt, it downloads another malicious file disguised as a legitimate application.

Once installed, the malware:

• Connects to remote servers using trusted services
• Uses tools like developer tunnels to maintain access
• Sends stolen data through platforms like Discord
• Executes commands on the infected system

By using legitimate platforms, the malware blends in with normal network traffic, making it difficult to detect.

Evasion Techniques and Why It’s Dangerous

This malware uses several techniques to avoid being detected by security systems. It checks for analysis environments, hides its code, and uses trusted services to carry out its activities.

Some of its key evasion methods include:

• Hiding malicious code inside compiled scripts
• Using trusted cloud services for communication
• Disguising files with familiar names and branding
• Delivering payloads in stages instead of all at once

Because of these methods, the malware can remain active for a long time without being noticed. It can steal data, monitor systems, and give attackers remote access.

This attack shows a growing trend where cybercriminals rely on trusted platforms and multi-step infections to bypass traditional defenses. Organizations should focus on monitoring behavior, restricting macros, and educating users to recognize suspicious emails.

The post Multi Stage Malware Attack Uses Obfuscation to Evade Detection appeared first on First Hackers News.

Social Engineering and Delivery Tactics

The attack typically begins with direct contact. Victims are approached through platforms like LinkedIn, email, or messaging apps by accounts posing as journalists, support staff, or known contacts. These interactions are carefully crafted to build trust before introducing a malicious link.

The link is usually presented as something urgent or relevant, such as a video call request, shared document, or account alert. Once clicked, victims are redirected either to fake login pages or download portals.

Common tactics used:

• Impersonation of trusted individuals or organizations
• Spearphishing messages tailored to the target
• Fake login pages mimicking services like email or cloud platforms
• Malicious download links disguised as secure communication tools

This approach relies heavily on human trust rather than technical exploitation, making it highly effective even against cautious users.

Fake Apps and Spyware Capabilities

The core of the campaign is the use of fake Android applications that appear to be secure messaging tools. These apps are distributed through convincing websites that mimic official sources and offer “enhanced” or “pro” versions of popular platforms.

Once installed, the spyware operates silently in the background, collecting and transmitting sensitive data to attacker-controlled servers.

Key capabilities include:

• Access to contacts, messages, and call-related data
• Collection of device information and stored files
• Extraction of documents, media, and backup data
• Continuous communication with remote command servers

The malware is designed to blend in as a legitimate app, making detection difficult for users who install it outside official app stores.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

Broader Implications

This campaign highlights a growing trend where attackers combine social engineering with mobile spyware to conduct surveillance operations. The targeting of civil society groups suggests a shift toward more personalized and contract-driven espionage activities.

It also reinforces a critical point: even advanced threats often rely on simple entry points — convincing a user to trust and install something that appears legitimate.

The post Fake Messaging Apps Used to Deliver ProSpy Spyware appeared first on First Hackers News.

The new approach uses Merkle Tree Certificates (MTCs), developed through the IETF PLANTS working group, to strengthen web security without slowing down the internet.

Why This Is Needed

Quantum computers could one day break today’s encryption methods used in HTTPS.

Post-quantum cryptography already exists, but it creates much larger keys. Larger keys mean:

• Bigger certificate sizes
• Slower TLS handshakes
• Higher bandwidth usage
• Performance issues in traditional X.509 certificate chains

Because of this, Chrome is not adding post-quantum X.509 certificates to its Root Store right now.

What Are Merkle Tree Certificates (MTCs)?

Instead of using large signature chains, MTCs use compact cryptographic proofs.

Here’s how it works:

• A Certification Authority (CA) signs one “Tree Head”
• That Tree Head can represent millions of certificates
• The browser receives only a small proof showing the certificate is included

This keeps security strong while reducing data size.

Key Benefits of MTCs

• Smaller TLS handshakes
• Better performance
• Built-in transparency
• Easier scaling for millions of certificates
• Strong post-quantum protection

Chrome’s Rollout Plan

Chrome is rolling this out in three phases.

Phase 1 (Now Ongoing)
Chrome is working with Cloudflare to test MTCs in real-world conditions. A traditional X.509 certificate is still used as a backup during testing.

Phase 2 (Q1 2027)
Trusted Certificate Transparency log operators will help launch public MTC systems.

Phase 3 (Q3 2027)
Chrome will introduce a new Quantum-Resistant Root Store (CQRS). This will support only MTC-based certificates and run alongside the current root program.

Websites will also have the option to enforce quantum-resistant connections only.

What’s Next

Google sees this as a major step in modernizing TLS.

Future plans include:

• Improved automated certificate management (ACME)
• Better revocation systems to replace old CRLs
• Stronger domain validation methods
• Continuous external monitoring instead of yearly audits

Chrome aims to build a faster, simpler, and quantum-safe web while maintaining compatibility with today’s ecosystem.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Chrome Introduces Quantum-Safe HTTPS Protection appeared first on First Hackers News.

The vulnerability required no clicks, no extensions, and no user interaction. Simply visiting a malicious website could trigger the attack.

The OpenClaw team classified the issue as High severity and released a fix within 24 hours.

How the Attack Worked

When a developer visited an attacker-controlled website, malicious JavaScript executed in the browser. That script initiated a WebSocket connection directly to the local OpenClaw gateway.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

Because the gateway exempted localhost connections from rate limiting, attackers could perform rapid brute-force password attempts — often hundreds per second — significantly increasing the likelihood of bypassing human-created passwords.

Once authentication was successful, the malicious script silently registered itself as a trusted device. This bypassed normal user confirmation prompts and granted persistent access.

From there, the attacker effectively controlled the AI agent and the connected environment.

What Attackers Could Do

With gateway-level access, attackers could:

• Send instructions to the AI agent and retrieve responses
• Access configuration data, including AI providers and integrations
• Enumerate connected nodes and internal IP addresses
• Read logs for operational and reconnaissance insights
• Search Slack or messaging history for API keys and credentials
• Extract sensitive files from the workstation
• Execute shell commands on connected systems

In practical terms, this equated to a full workstation compromise.

This incident highlights a growing cybersecurity concern: shadow AI. Developer-adopted AI tools often operate outside traditional IT visibility while maintaining deep access to local systems, credentials, APIs, and internal communications.

Earlier this year, OpenClaw’s ecosystem also faced issues with malicious community “skills” distributed through its marketplace. However, this newly discovered vulnerability was more severe because it resided in the core gateway architecture itself — not in third-party plugins.

The OpenClaw team classified the issue as High severity and released a fix within 24 hours. Users and organizations must immediately upgrade to version 2026.2.25 or later to mitigate risk.

Beyond patching, enterprises should implement stronger governance, monitoring, and security controls for AI-powered developer tools.

As AI agents gain deeper system access, their compromise no longer represents just an application breach — it represents full environment exposure.

The post OpenClaw Exploit Compromises Developer AI Agents appeared first on First Hackers News.

In such an environment, cybersecurity controls alone are not sufficient.

What determines resilience during conflict is the strength of Business Continuity Planning (BCP) combined with real-time cyber defense operations.

The Shift From Security to Continuity

Traditional cybersecurity focuses on detection and response. During active regional conflict, that approach must evolve into operational resilience.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

Business Continuity ensures that critical operations remain functional despite sustained cyber pressure. It defines executive decision authority during crisis, structures communication channels, aligns legal and compliance obligations, and prioritizes recovery timelines based on business impact.

When war tensions escalate, tolerance for downtime disappears. Customers expect uninterrupted service. Regulators expect accountability. Stakeholders expect leadership clarity. Organizations without a tested continuity framework risk turning a cyber incident into a full-scale operational disruption.

Elevated Threat Conditions Require Elevated Readiness

The current regional instability demands a higher defensive posture. This includes continuous monitoring, validated backup integrity, predefined executive escalation paths, and tight coordination between security operations and leadership.

A mature continuity-driven model integrates:

• 24×7 Security Operations and incident management
• Advanced threat detection and correlation
• MITRE ATT&CK–aligned investigations
• Rapid containment and structured recovery
• Executive-level reporting and crisis coordination

Security tools are critical, but without structured continuity alignment, even strong detection capabilities can fall short under sustained attack pressure.

Multi-Platform Security Expertise

Effective resilience requires seamless operation across enterprise ecosystems. i6 brings deep experience across leading SIEM, XDR, and EDR platforms, including Microsoft Sentinel, IBM QRadar, Splunk, ArcSight, Google Chronicle, CrowdStrike Falcon, VMware Carbon Black, Microsoft Defender, and other enterprise-grade technologies.

Our approach reinforces existing security investments while strengthening response coordination and operational stability.

i6 Commitment During the Current Middle East Conflict

In response to the elevated cyber threat landscape created by the ongoing Middle East war tensions, i6 is extending FREE SOC monitoring and Business Continuity reinforcement support to eligible organizations operating within the region.

This initiative reflects our belief that during periods of regional instability, cybersecurity responsibility extends beyond commercial engagement. Operational continuity becomes a shared priority.

Our objective is clear: strengthen detection, accelerate response, and help organizations maintain operational stability despite heightened risk conditions.

Continuity Defines Leadership

Business Continuity is not a document prepared for audits. It is an executive discipline that determines whether an organization absorbs disruption or withstands it.

During the current Middle East environment, resilience is no longer optional. Organizations that remain operational during instability are not necessarily those without incidents. They are those with structured readiness and continuity-driven defense.

At i6, we stand ready to reinforce that resilience when it matters most.

The post i6 — Your Business Continuity Partner During the Ongoing Middle East Conflict appeared first on First Hackers News.

In just twelve days, 1,437 Windows users downloaded a malicious file after visiting a fake Zoom meeting page. What looked like a routine update turned into silent surveillance.

How the Scam Works

The attack begins with a fake domain designed to closely resemble Zoom’s official website.

When opened, the page displays a realistic Zoom waiting room. Fake participants join the meeting one by one. Background sounds and meeting chimes play to create authenticity.

Everything feels normal.

Then a “Network Issue” message appears on the screen.

This is intentional. The warning creates urgency and makes users believe their Zoom session requires a fix.

The Fake Update Trap

Shortly after the “network issue” appears, users see an “Update Available” pop-up.

A countdown timer starts. There is no option to close it.

Within seconds, a file downloads automatically. The page even switches to what looks like a Microsoft Store installation screen for “Zoom Workplace,” reinforcing the illusion.

But the downloaded file is not a Zoom update.

It is a modified Teramind monitoring agent — a legitimate employee surveillance tool — preconfigured to send data to attacker-controlled servers.

Once executed, the installer:

• Runs silently in the background
• Installs under a hidden system directory
• Uses legitimate Teramind binaries
• Avoids detection because the software itself is genuine

The tool operates in stealth mode, meaning no visible icons or program listings appear.

After installation, it begins collecting:

• Keystrokes
• Screens activity
• Application usage
• Clipboard content

It also includes anti-analysis techniques, behaving differently in sandbox or research environments.

Because it uses authentic software components, many antivirus tools fail to immediately flag it.

Why This Attack Is Effective

This campaign does not rely on sophisticated exploits.

It relies on timing and psychology.

Within 30 seconds, victims believe they are simply fixing a Zoom glitch. The interactive design even prevents automated security scanners from easily detecting the malicious behavior.

Instead of building new malware, attackers are misusing trusted corporate monitoring software.

That makes detection harder — and the deception more convincing.

What To Do If You Suspect Infection

If you visited the fake site or downloaded the file:

• Do not run the installer
• Check for unusual hidden folders in the ProgramData directory
• Review active background services for unknown entries
• Change passwords from a clean device
• Contact your IT or security team immediately

Indicators of Compromise (IOCs)

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Fake Zoom Update Infects 1,437 in Days appeared first on First Hackers News.

Security researchers from Cyberthint found that ZeroDayRAT is being sold on Telegram as a Malware-as-a-Service (MaaS). This means even non-technical criminals can subscribe, access a web-based dashboard, and control infected devices remotely.

The infection usually starts with smishing messages — fake SMS alerts pretending to be service providers or app updates. Victims are tricked into installing a malicious Android APK or iOS payload. Once installed, the attacker gains full control through a browser-based control panel.

Through this dashboard, attackers can view device details, monitor messages, track GPS location, and even activate the microphone and camera. The malware also targets financial apps by using clipboard hijacking and fake login overlays to steal credentials. It can intercept OTP codes, allowing criminals to bypass two-factor authentication in real time.

ZeroDayRAT is sold in subscription tiers — $250 per day, $1000 per week, and $3500 per month — and transactions are reportedly handled through escrow services, indicating an organized criminal operation.

What Makes ZeroDayRAT Dangerous

• Real-time GPS tracking and live surveillance
• Remote camera and microphone activation
• Screen recording and keylogging
• Clipboard hijacking for cryptocurrency theft
• Fake login overlays for banking and payment apps
• OTP interception to bypass 2FA
• Easy-to-use browser control panel
• Sold as a subscription service on Telegram

Credibility Concerns

Security analysts say ZeroDayRAT appears to be a real threat, but some details raise questions. In one promotional screenshot, researchers noticed a browser tab labeled “Create USDT Wallet Address,” which looked staged or taken from demo material. This suggests that some features may be exaggerated for marketing.

Even so, the overall capability of the tool reflects a growing shift in cybercrime. Criminals can now rent advanced surveillance kits that were once limited to highly skilled actors. ZeroDayRAT joins other mobile-focused threats like Anatsa, Arsink, and NFCShare that target banking apps, crypto wallets, and everyday mobile behavior.

As mobile malware continues to evolve, users and organizations must stay cautious. Most infections still begin with simple smishing messages or fake app downloads — proving that even small actions can lead to serious compromise.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post ZeroDayRAT Turns Mobile Phones into Spy and Theft Tools appeared first on First Hackers News.