Cybercriminals Exploit IT Help Desks as Entry Point for Attacks


Cybercriminals are increasingly pretending to be IT staff or trusted authorities to trick employees into giving them access to sensitive systems, recent cybersecurity reports reveal.

These attackers rely on “authority bias”—our tendency to follow instructions from people who appear knowledgeable or in charge. By posing as IT support, tax agents, or bank reps, they convince victims to install remote access tools or hand over login credentials.

Cisco Talos’ latest report notes a rise in ransomware groups using this tactic. Victims are contacted by attackers pretending to be IT professionals offering to fix urgent issues. Once access is granted using tools like AnyDesk or TeamViewer, the attackers move quickly to steal data, move across networks, or launch ransomware.

Because the software used is legitimate and often already installed in businesses, traditional security tools don’t flag these actions as suspicious.

Attackers also use techniques like spoofing phone numbers, email addresses, or even real employee identities to appear credible. This tactic has contributed to a 37% increase in Business Email Compromise (BEC) cases since 2024.

Threat Hunting in the Age of LOLBins

As attackers increasingly rely on built-in system tools—known as Living-Off-the-Land Binaries (LOLBins)—cyber defenders are being pushed to evolve their threat-hunting strategies.

Instead of using traditional malware, attackers now abuse trusted utilities like PowerShell, WMI, and PsExec to carry out malicious actions while avoiding detection. Cisco Talos recommends focusing on anomalies—like strange process chains, unusual network activity, or behavior that doesn’t match typical user patterns.

A good example: attackers recently used WMI to set up scheduled tasks that deployed Cobalt Strike beacons. By analyzing process logs and network activity, threat hunters were able to pinpoint the malicious behavior hidden among routine admin tasks.

Looking at the Windows Registry for suspicious changes—like unexpected entries under Run keys—can also uncover hidden threats. And unusual command-line arguments in legitimate apps can be a red flag worth investigating.

Automated tools help, but manual review is still key. For instance, a sudden increase in DNS traffic from development servers could indicate credential theft using tools like Mimikatz. Memory forensics is also crucial for spotting fileless malware that never touches the hard drive.
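The hunting approach described above can be turned into a small rule set over process-creation logs. The script below is an added example, not code from the article or from Cisco Talos: it scores Sysmon-style process-creation records for the anomalies the article names (WMI spawning schtasks or PowerShell, encoded or hidden PowerShell command lines, Run-key persistence written with reg.exe). The field names loosely follow Sysmon Event ID 1, every sample record is constructed, and the parent/child pair list is an assumption to be tuned against your own baseline of routine admin activity.

```python
"""Hunt for LOLBin abuse in Windows process-creation logs.

Added example, not code from the article or from Cisco Talos. It applies
a few hunting rules to Sysmon-style process-creation records: odd
parent/child chains, encoded or hidden PowerShell launches, and Run-key
persistence set via reg.exe. Field names follow Sysmon Event ID 1 loosely;
every record below is constructed, and the rule set is an assumption.
"""
import base64
import re
from dataclasses import dataclass

# Parent -> child pairs that are rare in routine administration (assumed list).
SUSPICIOUS_CHAINS = {
    ("wmiprvse.exe", "schtasks.exe"),   # WMI used to create a scheduled task
    ("wmiprvse.exe", "powershell.exe"),
    ("wmiprvse.exe", "cmd.exe"),
    ("winword.exe", "powershell.exe"),  # Office document spawning a shell
    ("excel.exe", "powershell.exe"),
    ("psexesvc.exe", "powershell.exe"), # PsExec service spawning a shell
}

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE)
ENCODED_PS_RE = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
EVASIVE_PS_RE = re.compile(
    r"(?i)-(?:w|windowstyle)\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass|executionpolicy\s+bypass")


@dataclass
class Finding:
    event_index: int
    rule: str
    detail: str


def image_name(path: str) -> str:
    """Return the lower-case file name of an image path, either separator style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(b64: str) -> str:
    """PowerShell -EncodedCommand carries UTF-16LE text in base64."""
    try:
        return base64.b64decode(b64).decode("utf-16-le", errors="replace").strip()
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def analyse_events(events):
    """Apply each hunting rule to every event; return all findings in order."""
    findings = []
    for i, ev in enumerate(events):
        parent = image_name(ev.get("ParentImage", ""))
        child = image_name(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        if (parent, child) in SUSPICIOUS_CHAINS:
            findings.append(Finding(i, "suspicious_process_chain", f"{parent} -> {child}"))
        if child == "powershell.exe":
            m = ENCODED_PS_RE.search(cmd)
            if m:
                findings.append(Finding(i, "encoded_powershell", decode_encoded_command(m.group(1))))
            if EVASIVE_PS_RE.search(cmd):
                findings.append(Finding(i, "evasive_powershell_flags", cmd))
        if child == "reg.exe" and " add " in cmd.lower() and RUN_KEY_RE.search(cmd):
            findings.append(Finding(i, "run_key_persistence", cmd))
    return findings


# Constructed sample: one routine admin command, then the WMI -> scheduled
# task chain the article describes, an encoded PowerShell launch, and a
# Run-key addition. The encoded payload is a harmless Write-Host.
DEMO_ENCODED = base64.b64encode("Write-Host 'demo'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir", "User": r"CORP\jsmith"},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /create /tn Updater /tr C:\Users\Public\u.exe /sc minute /mo 5",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + DEMO_ENCODED,
     "User": r"NT AUTHORITY\SYSTEM"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Public\u.exe",
     "User": r"CORP\jsmith"},
]

if __name__ == "__main__":
    for f in analyse_events(SAMPLE_EVENTS):
        print(f"event {f.event_index}: {f.rule}: {f.detail}")
```

The routine `explorer.exe -> cmd.exe` record produces nothing, while the three records that mirror the article's WMI and Run-key patterns each trigger at least one rule; decoding the `-enc` argument is what lets a hunter see the actual command hidden behind an otherwise legitimate PowerShell process.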

Real-World Cases Show the Stakes

In May 2025, a California man, Jason Miller, admitted to stealing 1.1 TB of data from Disney’s Slack channels. He used a fake AI art tool to spread Remote Access Trojans (RATs), giving him access to sensitive communications. The FBI and CISA later linked the attack to larger financial fraud schemes.

The DragonForce ransomware group also made headlines by attacking major UK retailers, including Harrods, Co-op, and Marks & Spencer. They hit point-of-sale systems with unpatched flaws, encrypting data and demanding $8.7 million in Monero.

At the same time, attacks targeting exposed developer secrets—like API keys and cloud credentials—jumped 52% in a year. Hackers scan public repos and misconfigured DevOps setups to find these valuable tokens and gain deeper access to company networks.
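The same scanning that attackers perform against public repositories is something a defender can run first, before a push or as a CI gate. The script below is an added example, not code from the article or from any named project: it walks a directory tree for well-known credential shapes (AWS access key IDs, GitHub personal access tokens) plus generic `secret = "..."` style assignments, and reports the file, line and a redacted match so a finding can be triaged without re-exposing the value. The token prefixes are the publicly documented formats; the sample files written by `demo()` are constructed, and the AWS values are Amazon's own documentation placeholders.

```python
"""Scan a repository tree for leaked developer secrets.

Added example, not from the article: walks text files looking for known
credential formats plus generic secret assignments and reports redacted
matches. Sample files in SAMPLE_FILES are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

PATTERNS = [
    # Specific formats first; the generic rule only fires if none matched.
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("generic_secret_assignment", re.compile(
        r"(?i)(?:api[_-]?key|secret|password|token)\w*\s*[:=]\s*['\"]([^'\"]{12,})['\"]")),
]
SKIP_DIRS = {".git", "node_modules", "vendor"}


def redact(value: str) -> str:
    """Keep just enough of a match to recognise it in triage."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(text: str, source: str = "<string>") -> list:
    """Run every pattern over each line; return one dict per hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = []
        for name, rx in PATTERNS:
            if name == "generic_secret_assignment" and hits:
                continue  # a specific format already explained this line
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                hits.append({"source": source, "line": lineno, "rule": name, "match": redact(value)})
        findings.extend(hits)
    return findings


def scan_tree(root) -> list:
    """Scan every regular file under root, skipping vendored and VCS dirs."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root)
        if not p.is_file() or any(part in SKIP_DIRS for part in rel.parts):
            continue
        try:
            text = p.read_text(errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(text, rel.as_posix()))
    return findings


# Constructed sample repository contents (AWS values are AWS doc placeholders).
SAMPLE_FILES = {
    "config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
                 'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n',
    ".github/workflows/deploy.yml": 'env:\n  GITHUB_TOKEN: "ghp_0123456789abcdefghijklmnopqrstuvwxyz"\n',
    "README.md": "Set API_KEY in your environment; never commit it.\n",
    ".git/config": 'token = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"\n',  # in a skipped dir
}


def demo() -> list:
    """Write the constructed tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for rel, content in SAMPLE_FILES.items():
            path = Path(d) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content)
        return scan_tree(d)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['source']}:{f['line']} {f['rule']} {f['match']}")
```

Three findings come back from the constructed tree: the AWS key ID and the secret assignment in `config.py`, and the GitHub token committed into a workflow file. The README mention of `API_KEY` is correctly ignored because no literal value follows it, and the copy under `.git/` is skipped as VCS metadata.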

New Malware Variants to Watch

Cisco Talos has flagged four active malware types:

  • VID001.exe: A worm (Win.Worm.Bitmin) that spreads via phishing and exploits SMB bugs.
  • img001.exe: A downloader pushing crypto miners through hacked WordPress sites.
  • AAct.exe: A fake software tool that installs backdoors and steals browser data.

Staying ahead of these threats requires constant monitoring, layered defenses, and a proactive hunting mindset.

How to Stay Safe as Attacks Evolve

To defend against these modern threats, organizations need to focus on both technology and people.

Cisco Talos recommends verifying all unexpected IT support requests—especially those asking for remote access—by confirming through official channels before taking action.

Using tools like multi-factor authentication, network segmentation, and application allowlisting can help stop attackers from moving through systems if they do get in.

It’s also important to monitor for signs of LOLBin abuse, such as unusual use of tools like PowerShell or WMI.

As cybercriminals blend tech tricks with social engineering, the security community must keep sharing threat intelligence and building smarter detection systems that look for suspicious behavior.

In this new threat landscape, staying secure means being alert—both technically and psychologically.

By | 2025-05-12T20:52:06+05:30 May 9th, 2025|Exploitation, Internet Security, Security Advisory, Security Update|

About the Author:

FirstHackersNews- Identifies Security
