Normal view

Received — 8 June 2026 Proofpoint Threat Insight

Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency

8 June 2026 at 17:11
By Saher Naumaan, Carlos Rubio, and the Proofpoint Threat Research Team Key Findings Between April and May 2026, Proofpoint Threat Research observed a likely North Korean threat actor conducting phishing campaigns using developer role recruitment or code review themes to targets in close to 100 organizations in finance, cryptocurrency, education, technology, and several other sectors. Proofpoint clusters this activity under the name UNK_DeadDrop. The infection chain begins with emails containing links to actor-controlled GitHub repositories hosting malicious scripts that result in the execution of cross-platform malware for macOS, Linux, and Windows, including an open-source Go framework named Overlord. The campaigns abused Visual Studio Code workflows and deployed a stealthy new technique using malicious Visual Studio Extensions (VSIX) that requires minimal user interaction. The activity has similarities to another North Korean group called Contagious Interview; however, there is no direct overlap in Proofpoint telemetry so Proofpoint Threat Research tracks this activity as a distinct cluster. Overview Since at least 2022, North Korea-aligned threat actors have made a concerted effort not only to target cryptocurrency and decentralized finance organizations, but specifically to target developers using fake recruiter personas, malicious npm/PyPI packages (TraderTraitor / Jade Sleet), and trojanized cryptocurrency trading applications (AppleJeus / Citrine Sleet). These often masquerade as technical assessments or coding challenges and use techniques such as ClickFix or abusing Visual Studio Code’s features to execute malware. Approaches often occur over LinkedIn, Slack, Telegram, or in a multi-platform manner, with a consistent aim of targeting developer assets such as API tokens, cryptocurrency wallets, and credentials. In April and May 2026, Proofpoint Threat Research observed a new, large wave of this type of activity distinct from known DPRK operations (also recently reported by independent researcher Denys Vitali). Proofpoint tracks this new cluster as UNK_DeadDrop, a very likely North Korea-aligned group that uses broad phishing to target developers. Figure 1. Distribution of UNK_DeadDrop targeting across sector and geography. Over a six-week period, the attackers sent over 250 emails to individuals in almost 100 organizations across several sectors, primarily technology, education, business services, and financial services, specifically organizations in the cryptocurrency industry. Most targeted organizations were in the US, but the distribution of targeted geographies was global. Infection chain The emails contained links to GitHub repositories masquerading as technical assignments or cryptocurrency-related projects. The instructions encouraged the target to clone the repository and open it in an editor such as VS Code or Cursor. A pre-configured task executes silently when the user opens the repository folder in the IDE, triggering platform-specific loaders that decode embedded payloads on Linux, macOS, and Windows. The loader installs a malicious VS Code extension (VSIX) masquerading as a legitimate Google service. The payloads communicate with a hardcoded C&C server, enabling remote command execution, system reconnaissance, followed by exfiltration of browser wallet extensions, decrypted credentials, and desktop wallets. The infection chain finishes by deleting malicious payloads and directories from the cloned repository in an effort to clean up forensic artifacts, while maintaining persistence through the VSIX extension. Lures UNK_DeadDrop activity in late April and early May 2026 masqueraded as companies from various sectors seeking to recruit for software developer roles. The spoofed companies included: Ondo Finance: a decentralized finance (DeFi) platform Empower Pharmacy: a pharmaceutical company NXLog: a log collection and centralization tool OnePlan: a strategic portfolio and work management platform Hypen Connect: a Web3 & AI Talent Agency Valon: a mortgage service provider Nourish: a telehealth company The emails used attacker-owned sender domains and approached targets with job opportunities for “Full-Stack Engineer” or “Agent Lead Developer” positions. Figure 2: UNK_DeadDrop emails containing job offers for developer roles. The emails provided instructions on how to complete a technical assignment that was part of the job application process. The URLs led to attacker-controlled GitHub repositories hosting take-home assessments and coding challenges. Campaigns observed later in May 2026 changed their approach to targets with requests for peer review on open-source projects. The attackers masqueraded as cryptocurrency trading or prediction companies, such as Pulsynk and Trixauvex, to send requests for developer code reviews with the option of a job offer based on the fixes. Figure 3. UNK_DeadDrop emails requesting code reviews. In late May, another UNK_DeadDrop campaign targeted finance and technology organizations requesting targets to test an ERC-4626 vault in Foundry, a toolkit for Ethereum and smart contract development. Figure 4. UNK_DeadDrop emails requesting testing on Foundry tool. The most recently observed iteration of UNK_DeadDrop campaigns used a project for building AI agent-based systems with payment capabilities, similarly including skill requirements and a potential job offer. Figure 5. UNK_DeadDrop emails offering a role building an AI payments project. Analysis of 10 repositories, all hosted by different GitHub accounts, showed four thematic categories: cryptocurrency platforms, exploit archives, Foundry testing, and AI payments. Repo Name GitHub Account Theme Description First Commit Date Repository URL pulsynk Pulsynk Crypto Prediction AI-powered cryptocurrency price prediction platform May 10, 2026 hxxps://github[.]com/Pulsynk/pulsynk trixauvex Trixauvex-org Crypto Trading Cryptocurrency trading engine and analytics platform May 16, 2026 hxxps://github[.]com/Trixauvex-org/trixauvex rekt-db PedrinPY Exploit Archive Cross-chain blockchain exploit archive with runnable PoCs May 19, 2026 hxxps://github[.]com/PedrinPY/rekt-db rekt-db wayout4u Exploit Archive Cross-chain blockchain exploit archive with runnable PoCs May 21, 2026 hxxps://github[.]com/wayout4u/rekt-db rekt-db Stomp47 Exploit Archive Cross-chain blockchain exploit archive with runnable PoCs May 25, 2026 hxxps://github[.]com/Stomp47/rekt-db forge-4626-invariants sr-werney Foundry Testing Drop-in Foundry invariant tests for ERC-4626 vaults May 20, 2026 hxxps://github[.]com/sr-werney/forge-4626-invariants forge-4626-invariants ziobiri Foundry Testing Drop-in Foundry invariant tests for ERC-4626 vaults May 27, 2026 hxxps://github[.]com/ziobiri/forge-4626-invariants forge-4626-invariants mireles343 Foundry Testing Drop-in Foundry invariant tests for ERC-4626 vaults May 26, 2026 hxxps://github[.]com/mireles343/forge-4626-invariants x402-kit skyjum AI Payments HTTP 402 micropayments for AI agents - EVM, Solana, Lightning adapters May 25, 2026 hxxps://github[.]com/skyjum/x402-kit x402-kit rkama411 AI payments HTTP 402 micropayments for AI agents - EVM, Solana, Lightning adapters May 27, 2026 hxxps://github[.]com/rkama411/x402-kit Figure 6. UNK_DeadDrop GitHub repositories and descriptions. The attackers presented Pulsynk and Trixauvex as AI-powered crypto prediction and trading platforms with professional Python project structures, while rekt-db masqueraded as a security research archive with reproducible proof-of-concepts for real high-profile exploits such as Bybit ($1.46B), Wormhole ($325M), and Radiant Capital ($50M). The forge-4626-invariants repository was centered around drop-in Foundry invariant tests for ERC-4626 tokenized vaults. The newest variation, x402-kit, focused on HTTP 402 micropayment infrastructure with multi-chain adapters for EVM, Solana, and Lightning networks. The malicious repositories appeared legitimate, masquerading as open-source projects targeting specific developer niches within the cryptocurrency and blockchain ecosystem: security researchers, DeFi developers, and AI engineers. They had technical credibility, containing realistic directory structures, working npm/forge scripts, and references to real standards and frameworks. Across 10 repositories analyzed, there were roughly six builds containing only minor changes such as binary recompilations, altered naming conventions, and bug fixes. This suggests that the operators are continuing active development. Delivery The emails all contained GitHub or GitLab URLs with instructions to clone the repository and open it in a code editor such as VS Code or Cursor.   Figure 7. Sample attacker-controlled GitHub repository. Inside the hidden vscode folder, there is a file called tasks.json that will execute either a shell script or .cmd file, buried in the src/ folder, when the repository is opened in Cursor or VS Code. This infection chain abuses the IDEs’ task automation as well as VSIX extensions to facilitate further execution, as well as achieve persistence on macOS and Linux devices. Execution The hidden tasks.json file defines a task with runOptions.runOn: "folderOpen", a VS Code feature that executes the task automatically when the folder is opened in the editor. Figure 8. tasks.json file that is run when .vscode folder is opened. The task definition specifies the platform-specific commands that will be executed when the task runs: Linux/macOS: /bin/bash vendor/run-update[.]sh Windows: wscript[.]exe //B //Nologo vendor/run-update-hidden-launch.vbs VS Code requires user interaction before any task can run; additionally, if automatic task execution has never been accepted before, a second prompt is shown. Figure 9. VS Code trust prompt when running malicious repository. By contrast, Cursor does not show any trust dialog. Opening a folder with tasks.json containing runOn: "folderOpen" in Cursor results in immediate silent execution with zero user interaction. The launcher scripts install the VSIX extension to the editor. Every time the user opens VS Code or Cursor on macOS or Linux, the VSIX extension activates, checks whether the subsequent infection portions are already running, and re-launches them if not. On Windows, this persistence mechanism does not apply. The pipeline executes once and terminates; the VSIX remains installed but does not re-execute on subsequent editor starts. Once the task is executed, the infection chain diverges by platform. The Linux and macOS chains use a native Go binary that connects to the C&C as a persistent RAT, while Windows runs a Node.js pipeline entirely inside the editor's Electron process. Both paths share the same C&C infrastructure and exfiltration endpoints but differ significantly in their architecture and capabilities. Linux/macOS infection chain The Linux and macOS infection chains use native Go binaries derived from the open-source Overlord C&C framework (github[.]com/vxaboveground/Overlord). Unlike the Windows pipeline (which performs a single stealer operation), these binaries function as full RATs with persistent WebSocket connectivity. Binary Platform google-update-support-linux-amd64 Linux AMD64 google-update-support-darwin-amd64 macOS Intel google-update-support-darwin-arm64 macOS Apple Silicon Figure 10. Binaries built for respective platforms. The threat actor added three custom modules: browserlogin (Chrome and Firefox credential theft), companywallet (crypto wallet stealer with 2-phase ZIP+upload exfiltration), and cleanup (anti-forensic removal of workspace artifacts). The initial launcher (run-update.sh) is a bash script with an embedded Base64-encoded payload. When executed, it installs the VSIX extension in all available editors (Cursor, VS Code, VSCodium), resolves the correct Go binary for the platform, removes macOS quarantine, and launches Overlord fully detached. It also schedules cleanup of vendor/ and .vscode/ via a background subshell that survives editor shutdown. Figure 11. run-update.sh (Base64-decoded). Once Overlord is running, it immediately establishes a persistent WebSocket connection to the C&C server at 23.137.105[.]75:5173. Figure 12. Overlord agent.log. macOS credential theft and exfiltration The credential theft chain then proceeds differently on each platform. Internally, the malware code divides its operation into two phases: Phase 1 (wallet data collection) and Phase 2 (credential theft + exfiltration). Overlord first collects wallet extension data, browser profile artifacts, and standalone wallet directories, packaging them into a ZIP and uploading to the C&C server. The malware waits five minutes before proceeding to credential theft. The credential theft uses a second embedded Mach-O binary named darwin-password-prompt that creates a fake system dialogue to prompt the user to enter their password: Figure 13. darwin-password-prompt app showing the fake prompt. Figure 14. Prompt for the credentials to access the keychain. The credentials are validated by the parent Overlord process. After password validation, the malware modifies Keychain ACLs for the following browsers: Chrome, Brave, Edge, Opera, Vivaldi, Arc, Yandex, and Chromium. Safe Storage keys are then extracted. Following credential gathering, the backdoor re-launches itself as root using the captured password. The elevated instance performs a command to dump the entire login keychain. The collected credentials, Safe Storage keys, and keychain data are then packaged as ZIP files and uploaded to the C&C via the persistent WebSocket connection. Linux credential theft and exfiltration If it is running on Linux, Overlord first collects wallet-related data (browser extension storage, standalone wallet directories) and uploads a ZIP to the C&C before attempting credential theft. After Phase 1 upload, the agent waits five minutes before proceeding to password capture. The Linux backdoor uses Zenity, a standard GTK dialog tool present on most desktop Linux distributions, to create a prompt to collect user credentials. Figure 15. Fake dialog to collect user credentials. This backdoor also attempts to read browser passwords from GNOME Keyring by spawning Python3 processes for each browser, querying chrome_libsecret_os_crypt_password_v2 and v1 schemas. If secret-tool is not installed, the agent falls back to the Python gi.repository.Secret method via D-Bus. Similar to the macOS chain, Overlord re-launches itself as root using the captured password. The elevated instance re-attempts keyring access by impersonating the original user via runuser, since the GNOME Keyring is tied to the user session and not accessible directly as root. Credentials are exported to e_p.txt and uploaded as a _pa.zip to the C&C. Windows infection chain Unlike Linux/macOS, the Windows attack does not deploy a Go binary. It runs entirely as JavaScript inside the editor's Electron process using ELECTRON_RUN_AS_NODE=1, a documented Electron feature that turns the editor into a plain Node.js interpreter. No binary is dropped to disk, the process appears as Code.exe in Task Manager, and the editor itself provides the runtime. As stated before, the VSIX extension does not create persistence in the Windows infection chain. The tasks.json file launches run-update-hidden-launch.vbs via wscript[.]exe //B (hidden window), which calls run-update[.]cmd. Figure 16. run-update.cmd script. The CMD file decodes an embedded script, which installs a VSIX extension. The script then stages three encrypted files into a staging directory and relaunches the editor with ELECTRON_RUN_AS_NODE=1 running gus-node-bootstrap.js. The three encrypted payloads are decrypted at runtime using the hardcoded AES-256-GCM key: 4f7a8c3d2e1b5f9071a6b2c8d4e3f50a92b1c7d6e8f4a30b5c2d9e1f7a6b8c4d. Encrypted file Purpose windows-js-pipeline.js.enc Runs the Node.js agent through both phases, uploads artifacts to the companywallet API, and cleans up Windows runtime files. windows-agent-node.js.enc Wallet stealer + Python setup detect_malware.py.enc DPAPI + App-Bound Encryption bypass for credential stealing Figure 17. Windows encrypted payloads in staging directory. Credential theft and exfiltration The Windows variant first conducts wallet collection and then credential theft. The wallet collection is done by scanning Chromium browser variants for items in Local State, Login Data, and Local Extension Settings/, as well as wallet-specific IndexedDB entries. It targets 35 wallet extension IDs (MetaMask, Phantom, Rabby, Keplr, and others), 18 standalone wallet applications (Exodus, Electrum, Ledger Live, Monero, Solana CLI, Bitcoin, and others), and Firefox profiles. It also enumerates all Windows user profiles via registry, not just the current user. The wallet stealer also looks for Python executables in the victim host and attempts to download Python 3.12.8 embeddable from the C&C, or falls back to system Python. If downloaded, Python is installed inside the browser's application directory (e.g., Program Files\Google\Chrome\Application\python[.]exe) to pass App-Bound Encryption's path validation. Once Python is available, the credential stealer (detect_malware.py) is executed for each browser profile. It performs: Password extraction from Chromium browsers via DPAPI + App-Bound Encryption bypass (COM Elevation Service, IElevator2) Firefox credential extraction via key4.db + logins.json Cookie theft from Chrome/Edge/Brave Five cascade methods for reading locked databases: shutil.copy2 → SQLite backup() → Win32 shared-read → Win32 backup-semantics → Volume Shadow Copy (VSS) For Chrome, Edge, and Brave, elevated privileges are required to access credentials protected by App-Bound Encryption. COM Elevation Moniker is used to elevate privileges silently. If this fails, it falls back to Start-Process -Verb RunAs, which displays the standard Windows UAC dialog. After both phases are complete, the stolen data is uploaded to the C&C server at 23.137.105[.]75:5173 via HTTP POST. Unlike the Linux/macOS agent, the Windows pipeline does not maintain a persistent connection; it uploads the ZIP files, performs cleanup, and terminates. The VSIX package.json contains a reference to a Windows binary (google-update-support-windows-amd64.dat) in its description of the windowsActivationMode setting. While this binary was not found in any of the analyzed repositories, searching VirusTotal for the developer path Yuki/dionbenu2yuki returned Windows samples named google-update-support-windows-amd64[.]exe with the same C&C server and agent token found in the Linux and macOS binaries. This implies the threat actor previously distributed a Windows Go binary (Overlord RAT) but replaced it with the Node.js and Python pipeline in the current campaign, likely to avoid detection. The references to the DAT/EXE binary in the scripts are legacy code that is no longer executed. Infrastructure UNK_DeadDrop campaigns spanned April and May 2026 with related infrastructure created in the same timeframe and emails sent within days of domain registrations. Figure 18. UNK_DeadDrop domain registration timeline (April-May 2026). Most domains were registered using Namecheap, and set MailHostBox mailservers. The domains used slight name variations of fake companies used for recruiting in phishing emails. Some domains used to send phishing emails were also hosting unfinished, likely AI-generated websites to market the projects. These were hosted on Vercel Inc. rather than Namecheap infrastructure. Figure 19. Fake company websites hosted at trixauvexnet[.]ink, trixauvex[.]org, and pulsnyk[.]org. A small subset of domains, including nemesis[.]work, used Advin Services LLC IPs for hosting, which are likely attacker-controlled boxes that were also used as sender IPs in early UNK_DeadDrop campaigns: 170.205.29[.]83 and 170.205.30[.]227. In May, the attackers transitioned to using Mailgun and MailHostBox as email sender services. Figure 20. Fake company website spoofing NEMESIS, a decentralized finance protocol, hosted at nemesis[.]work. Attribution UNK_DeadDrop activity shares several characteristics with previously documented North-Korea-aligned operations, specifically Contagious Interview activity reported by OpenSourceMalware, Microsoft, and JAMF. The campaigns broadly overlap in developer targeting, cryptocurrency and credential theft, GitHub delivery, VS Code workflow abuse, and cross-platform targeting.   UNK_DeadDrop Contagious Interview Targeting Software developers, security researchers, AI engineers in cryptocurrency Developers in cryptocurrency and AI Target platforms macOS, Windows, Linux macOS, Windows, Linux Initial access Phishing over email Phishing over social media Lures Job recruitment, code reviews Job recruitment Delivery GitHub, GitLab GitHub, GitLab, BitBucket Repositories Professional structure, legitimate references, industrialized creation, iterative builds, consistent obfuscation Possibly AI-assisted generation, less polished code, tutorial comments, emoji logging Installation VS Code tasks.json auto-execution abuse (silent) VS Code tasks.json npm installation abuse (visible) Execution Malicious VSIX extension and self-contained payloads Remote fetch from Vercel or external hosting Payload Overlord (Go binaries) OtterCookie (JavaScript), Invisible Ferret (Python), FlexibleFerret (Go/Python) C&C protocol WebSocket Secure (WSS) HTTP/HTTPS Exfiltration Cryptocurrency wallets, browser credentials, system keychains Cryptocurrency wallets, API tokens, credentials, source code, password managers Anti-forensics Removes payload and malicious artifacts from directories Self-cleanup capability Figure 20. Comparison of UNK_DeadDrop and Contagious Interview campaigns and TTPs. However, there are several differences between the activity sets, such as the shift in social engineering from arranging fake interviews to unsolicited job offer or code review approaches as well as the move from delivery platforms such as LinkedIn to email. UNK_DeadDrop campaigns use the Overlord framework as a payload instead of custom malware, and it is contained within the repository rather than hosted remotely. The VS Code auto-execution approach exploits trust in standard developer workflows similar to malicious npm packages and previous VS code abuse, but requires less user interaction, executes silently without output, and doesn’t rely on external infrastructure that can be taken down. It is possible, or even likely, that the overlaps between UNK_DeadDrop and Contagious Interview demonstrate an operational evolution to include more mature techniques rather than distinct but related groups. However, based on the use of email for initial access, the high volume of emails, industrialization and scale of repository creation, a new self-contained payload, and distinct infrastructure from previous Proofpoint observations of Contagious Interview campaigns, Proofpoint Threat Research continues to track UNK_DeadDrop activity as an independent cluster. Conclusion UNK_DeadDrop activity suggests North Korea-aligned operations targeting developers for financial gain are maturing and evolving. The shift from active social engineering over social media platforms to conduct fake interviews to large campaigns of recruitment-themed phishing emails distributing links to malicious repositories could indicate an actor industrializing and scaling operations. The consistent creation of new GitHub repositories as well as a new malware framework with iterative builds and a stealthy new execution and persistence technique through VSIX extensions demonstrates dedicated resourcing and active development of tooling. The attackers have likely also adapted by embedding payloads rather than hosting them externally, potentially increasing operational resilience and avoiding the effects of infrastructure takedowns. UNK_DeadDrop bears many similarities to Contagious Interview activity and may be an improved and more professional iteration of previous operations as attackers adapt to defenders and adopt new techniques. However, the TTP and infection chain differences could also suggest another actor leveraging previously disclosed techniques or a subgroup incorporating various types of tradecraft into one operation. While attribution to a known actor remains unconfirmed, Proofpoint continues to track this ongoing activity as an independent cluster. Indicators Indicator Type Description First Seen alex@contacttrixauvex[.]ink Email address Attacker-controlled email address May 2026 alex@mailpredicttogether[.]ink Email address Attacker-controlled email address May 2026 alex@predicttocareer[.]space Email address Attacker-controlled email address May 2026 alex@pulsynk[.]org Email address Attacker-controlled email address May 2026 alex@trixauvexnet[.]ink Email address Attacker-controlled email address May 2026 alexsnow@hr.onoplanoai[.]ink] Email address Attacker-controlled email address May 2026 alexsnow@hr.predicttocareer[.]space Email address Attacker-controlled email address May 2026 alexstone@hr.trixauvex[.]org Email address Attacker-controlled email address May 2026 carissae@hr.mailpulsynk[.]xyz Email address Attacker-controlled email address May 2026 christopher@hr.trixauvex[.]org Email address Attacker-controlled email address May 2026 chrisyan@hr.pulsynk[.]org Email address Attacker-controlled email address May 2026 emmaparker@hr.recruitvex[.]us Email address Attacker-controlled email address May 2026 faithtedesco@hr.mailtrixauvex[.]ink Email address Attacker-controlled email address May 2026 frankbloch@hr.trixauvex[.]org Email address Attacker-controlled email address May 2026 jamesrock@hr.trixauvexnet[.]ink Email address Attacker-controlled email address May 2026 jamierain@hr.contacttrixauvex[.]ink Email address Attacker-controlled email address May 2026 jamierain@hr.onoplanoai[.]ink Email address Attacker-controlled email address May 2026 jamiereed@hr.mailpredicttogether[.]ink Email address Attacker-controlled email address May 2026 jamiereed@hr.predicttocareer[.]space Email address Attacker-controlled email address May 2026 joshn@hr.recruitvex[.]us Email address Attacker-controlled email address May 2026 justinstone@hr.trixauvex[.]org Email address Attacker-controlled email address May 2026 nicoupdyke@hr.trixauvexnet[.]ink Email address Attacker-controlled email address May 2026 oliviaben@hr.pulsynk[.]org Email address Attacker-controlled email address May 2026 sam@hr.pulsynk[.]org Email address Attacker-controlled email address May 2026 samalt@hr.contacttrixauvex[.]ink Email address Attacker-controlled email address May 2026 samalt@hr.onoplanoai[.]ink Email address Attacker-controlled email address May 2026 samalt@hr.predicttocareer[.]space Email address Attacker-controlled email address May 2026 shelbysturm@hr.mailtrixauvex[.]ink Email address Attacker-controlled email address May 2026 sophiareed@hr.contacttrixauvex[.]ink Email address Attacker-controlled email address May 2026 sophiareed@hr.onoplanoai[.]ink Email address Attacker-controlled email address May 2026 taylorzhang@hr.pulsynk[.]org] Email address Attacker-controlled email address May 2026 dalbir@empowerpharmacy[.]space Email address Attacker-controlled email address April 2026 dianaberendi@nxlog[.]tech Email address Attacker-controlled email address April 2026 gusb@ondofinance[.]tech Email address Attacker-controlled email address April 2026 jasen@empowerpharmacy[.]space Email address Attacker-controlled email address April 2026 joshc@ondofinance[.]tech Email address Attacker-controlled email address April 2026 jovanav@nxlog[.]tech Email address Attacker-controlled email address April 2026 michaelw@ondofinance[.]tech Email address Attacker-controlled email address April 2026 neila@ondofinance[.]tech Email address Attacker-controlled email address April 2026 oladotuna@ondofinance[.]tech Email address Attacker-controlled email address April 2026 sarikasinha@nxlog[.]tech Email address Attacker-controlled email address April 2026 sladjanas@nxlog[.]tech Email address Attacker-controlled email address April 2026 valerie@empowerpharmacy[.]space Email address Attacker-controlled email address April 2026 vanjamirkovic@nxlog[.]tech Email address Attacker-controlled email address April 2026 nemesistrade[.]work Domain Related infrastructure May 2026 ceronet[.]work Domain Related infrastructure May 2026 deep-ai-guard[.]store Domain Related infrastructure May 2026 ceronetwork[.]org Domain Related infrastructure May 2026 culyrax[.]us Domain Related infrastructure May 2026 elsavora[.]us Domain Related infrastructure May 2026 optixauvex[.]us Domain Related infrastructure May 2026 recruitvex[.]us Domain Sender domain May 2026 talentnexhr[.]ink Domain Related infrastructure May 2026 onoplanoai[.]ink Domain Sender domain May 2026 trixauvexnet[.]ink Domain Sender domain May 2026 recruitptogether[.]xyz Domain Related infrastructure May 2026 contactpredicttogether[.]ink Domain Related infrastructure May 2026 connectptogether[.]ink Domain Related infrastructure May 2026 notifypulsynk[.]ink Domain Related infrastructure May 2026 contactpulsynk[.]ink Domain Related infrastructure May 2026 contacttrixauvex[.]ink Domain Sender domain May 2026 trixauvex[.]org Domain Sender domain May 2026 careertrixauvex[.]ink Domain Related infrastructure May 2026 cotrixauvex[.]ink Domain Related infrastructure May 2026 pulsynk[.]org Domain Sender domain May 2026 mailtrixauvex[.]ink Domain Sender domain May 2026 teampulsynk[.]team Domain Related infrastructure May 2026 careerpulsynk[.]xyz Domain Related infrastructure May 2026 mailpulsynk[.]xyz Domain Sender domain May 2026 mailpredicttogether[.]ink Domain Sender domain May 2026 predicttogetherrecruit[.]store Domain Related infrastructure May 2026 predicttogerecruit[.]store Domain Related infrastructure May 2026 predicttogether[.]ink Domain Related infrastructure May 2026 careerpredictto[.]space Domain Related infrastructure May 2026 togetherhire[.]fun Domain Related infrastructure May 2026 predictcareertogether[.]space Domain Related infrastructure May 2026 predicttocareer[.]space Domain Sender domain May 2026 nowurisch[.]fit Domain Sender domain May 2026 hyperdevpipline[.]org Domain Sender domain May 2026 asteara[.]org Domain Related infrastructure April 2026 doxxela[.]ink Domain Related infrastructure April 2026 coslyintra[.]online Domain Related infrastructure April 2026 valorecuiting[.]online Domain Sender domain April 2026 onoplainai[.]ink Domain Related infrastructure April 2026 raxvatange[.]ink Domain Related infrastructure April 2026 alphanonega[.]org Domain Related infrastructure April 2026 domatisc[.]ink Domain Related infrastructure April 2026 migadyn[.]info Domain Sender domain April 2026 empowerpharmacy[.]space Domain Sender domain April 2026 nxlog[.]tech Domain Sender domain April 2026 ondofinance[.]tech Domain Sender domain April 2026 170.205.29[.]83 IP address Sender IP April 2026 170.205.30[.]227 IP address Sender IP April 2026 hxxps://github[.]com/Pulsynk/pulsynk URL Attacker-controlled GitHub repository May 2026 hxxps://github[.]com/Trixauvex-org/trixauvex URL Attacker-controlled GitHub repository May 2026 hxxps://github[.]com/PedrinPY/rekt-db URL Attacker-controlled GitHub repository May 2026 hxxps://github[.]com/sr-werney/forge-4626invariants URL Attacker-controlled GitHub repository May 2026 hxxps://github[.]com/wayout4u/rekt-db URL Attacker-controlled GitHub repository May 2026 hxxps://github[.]com/ziobiri/forge-4626-invariants URL Attacker-controlled GitHub repository May 2026 hxxps://github[.]com/skyjum/x402-kit URL Attacker-controlled GitHub repository May 2026 hxxps://github[.]com/Stomp47/rekt-db URL Attacker-controlled GitHub repository May 2026 hxxps://github[.]com/mireles343/forge-4626invariants URL Attacker-controlled GitHub repository May 2026 hxxps://gitlab[.]com/pulsynk-org/rekt-db.git URL Attacker-controlled GitHub repository May 2026 hxxps://gitlab[.]com/trixauvex-org/x402-kit.git URL Attacker-controlled GitHub repository May 2026 hxxps://gitlab[.]com/predict-together/forge-4626invariants.git URL Attacker-controlled GitHub repository May 2026 hxxps://github[.]com/rkama411/x402-kit URL Attacker-controlled GitHub repository May 2026 23.137.105[.]75 IP address C&C IP May 2026 35813f4401d3ad77b618275473a556eb47bfa6f4b7439dd8943b19f81aa7252e SHA256 settings.json May 2026 c935808147f0236c81483d7bbeda4b9d602f3595d5d4057f8115d39e222d1c4b SHA256 tasks.json May 2026 4c0d9b802c075be79e9edb52d88f8dd72e6904f5c58267213745818470945c78 SHA256 run-update-hidden-launch.vbs May 2026 62761f38ed194c59abe15c49f09f0ebc431ac852c965180c9327ed84d3a454fb SHA256 run-update.cmd May 2026 d3ebce2f05fe91a8260e87fd11a6ea17c156703d081b3f91d9bbe5fd6aeedc10 SHA256 gus-node-bootstrap.js May 2026 91b9381d19b2e6a2db5cc0307167979b502731cb3fb50da684479e9ed35261aa SHA256 windows-agent-node.js.enc May 2026 6cf9f7b2aa456a0b438600588df869b38d8007e28f01fa96022f9d8059f120b0 SHA256 windows-js-pipeline.js.enc May 2026 2812e0847d472cb8870c94f463331dbe53b84135132b9bf5f6d84c2382be628f SHA256 detect_malware.py.enc May 2026 52886aab179f26421678ff23af1b0fabf0a17ffbb534369cdbbac8008cbed8e7 SHA256 google-update-support.vsix May 2026 d5e9288693aa745dc89368deac677e7ea1ec81e663283af30838cdae189b7a7e SHA256 extension.js May 2026 734699773e53d995f20d485eb61261033d9d00b4332b39ca26071bcd60cd352f SHA256 run-update.sh May 2026 e1bf1b29e6fa3525d7f32f429290a88d6ea2890e61c06574b8ff6372aa5d0667 SHA256 google-update-support-agent.zip May 2026 a2b9a769df84d9d3a4694bb0252a2c6a5e5f5d1a85a04565362737092bbb3a86 SHA256 google-update-support-linux-amd64 May 2026 bb10adac5b0124efedfe71102c1d5638135ec9e1cde8c8cb3353c5ed91bb9f81 SHA256 google-update-support-darwin-amd64 May 2026 339907b44f161f57ff30819f422c552382ff437b3ae437463b4222cfe86bd943 SHA256 google-update-support-darwin-arm64 May 2026 808e7154b7af2bc7a4b28d577297c55f77221c355191cbe00f9f1810b6d4a619 SHA256 darwin-password-prompt May 2026

TA4922: The Suspected Chinese Crime Group is Going Global

3 June 2026 at 19:06
Key Findings:  TA4922 is a highly sophisticated threat actor demonstrating a rapid operational tempo and continually evolving malware arsenal.  The group has been observed using multiple malware families including Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT (Winos4.0), among others.  TA4922 relies on localized lures often themed around HR, payroll, tax, and invoicing to convince targets across multiple regions. In recent months, the actor’s activity has spread to more countries globally, including in Europe and Africa.  The actor combines malicious activity with legitimate tools, trusted software, and cloud hosting services, making detection and defense more challenging.  Overview  The Chinese-speaking cybercriminal ecosystem has grown dramatically in recent years. Many of the threats observed in the landscape are descendants of malware first used by Chinese espionage threat actors, namely Gh0stRAT and related payloads, and frequently targeted Chinese-speaking users. But as Chinese-speaking cybercriminals develop better capabilities in malware, social engineering, and global targeting, their footprint is expanding, and more actor clusters are emerging. In this report, we’ll dive into TA4922, a newly designated Chinese-speaking threat actor largely targeting East Asia.   This actor is unique due to its wide variety of lure themes, targeting, and objectives. TA4922 distributes malware, credential phishing, and attempts fraud like credit card theft. Cybercriminals will sometimes display multiple objectives (using credential phishing to enable fraud, for example), but TA4922’s consistency with disparate campaigns, payloads, and goals makes it one of the most unique actors tracked by Proofpoint.   TA4922 activity shows overlap in tooling, infrastructure, and social engineering themes with activity reported by other researchers as Silver Fox or Void Arachne. While those clusters are sometimes characterized as espionage oriented, Proofpoint assesses that the campaigns attributed to TA4922 align more closely with cybercriminal objectives despite the actor’s advanced tradecraft. The activities described in this report do not overlap one to one with Silver Fox/Void Arachne, and Proofpoint tracks this actor as a distinct threat cluster.   Beginning in spring 2025, Proofpoint tracked malicious email campaigns associated with TA4922. Based on Proofpoint’s analysis of the emails, targeting, and payloads, the actor is likely financially motivated and focused on obtaining remote access to victim environments for financial gain such as data theft, fraud, access resale, or persistent access.  In March and April 2026, Proofpoint identified a series of campaigns that demonstrate TA4922’s evolution in malware tooling. The actor’s operational tempo increased dramatically in March and into April 2026. Across these observed campaigns, the actor relied on mostly human resources and business themed lures in attempts to deliver credential phishing, fraud, and malware payloads including the newly identified Atlas RAT. Campaigns also leveraged new loader families Proofpoint designated as RomulusLoader and SilentRunLoader. RomulusLoader is used to stage additional tooling including legitimate remote management software (RMM) such as AnyDesk and SyncFuture. The diverse payloads observed in recent months is a significant change in the actor’s tactics, techniques, and procedures (TTPs).   This report focuses on the newly identified payloads and related notable campaigns.  Actor Details  TA4922 relies on social engineering to convince recipients to click malicious links, download payloads hosted on third party services, steal credentials, or direct communications from email to messaging applications. The actor has been historically associated with malware families including Winos4.0 (sometimes referred to as ValleyRAT) and HoldingHands. The actor increased its malware arsenal in recent months, which we describe below.   Campaigns are typically small to medium in size, ranging from a few hundred to a few thousand, and the messages are tailored to specific regions or business functions. Campaigns mostly target organizations in Japan, with additional targeting in Asia including Taiwan, Korea, Singapore, and India. In recent months, the actor expanded global targeting to include European organizations in the U.K., Germany, Italy, and South Africa.  Figure 1: Targeted country assessment.  In addition to malware delivery, TA4922 has conducted credential phishing and imposter campaigns that attempt to shift interactions out of email and into out-of-band communication channels. These messages impersonate trusted authorities or internal contacts and request that recipients continue conversations via messaging platforms such as LINE, WhatsApp, or Microsoft Teams. Once communication moves to those platforms, the actor is better positioned to extend social engineering, harvest contact information, or deliver malware beyond traditional email security visibility.    Figure 2: Social engineering email instructing recipients to create a new LINE messaging group.  Figure 3: Variation in campaign objectives, January – May 2026.  Proofpoint assesses that TA4922 is likely based in East Asia and is Chinese speaking. Chinese language metadata in malware samples, frequent use of infrastructure tied to Chinese providers and overlap with the Silver Fox and Void Arachne ecosystem help support this assessment.   Geographic targeting is highly regionalized. TA4922 most frequently targets organizations in Japan, Taiwan, India, Malaysia, Singapore, Indonesia, and occasionally European countries such as Germany and the United Kingdom. Lures commonly impersonate tax authorities, finance departments, or human resources teams and are written to closely match local language norms.  Campaign Details  To better understand the diverse nature of targeting, lure themes, and payloads, we’re highlighting a handful of recently observed campaigns from TA4922. These campaigns represent a small part of the actor’s overall activity but are illustrative of typical behaviors from this group. The new malware also shows that while the group’s techniques remain relatively consistent, their payloads can change rapidly between campaigns.  Atlas RAT Campaign 1  On 6 March 2026, Proofpoint observed a TA4922 campaign targeting organizations in Japan using human resources themed messages. The emails were designed to resemble internal HR notifications and claimed to inform recipients of personnel-related changes and compensation.  Email Body Translation:  The language is formal and intentionally vague. It avoids specific figures while creating urgency around compensation which is a tactic to increase the chances of the recipient acting quickly without verifying the message.  The email contained a GoFile URL linking to a ZIP file, “【給与調整のお知らせ】.zip” which translates to [Notice of salary adjustment]. zip. The ZIP contained an executable along with a malicious DLL. Upon execution, the Atlas RAT payload is installed via DLL sideloading which is configured to communicate with IP 206[.]238[.]115[.]58 over TCP port 886.  Figure 4: HR-themed salary adjustment email lure used in the March 2026 campaign.  Atlas RAT Campaign 2  On 2 April 2026, Proofpoint identified a second TA4922 campaign leading to Atlas RAT against targets in the United Kingdom and Germany. The social engineering and delivery infrastructure were mostly unchanged from the March activity.  Emails in this campaign again impersonated internal human resources communications and instructed recipients to review routine paperwork. In some cases, the messages suggested that documents required confirmation or acknowledgment.   The URLs led to ZIP files hosted on GoFile with filenames such as “Paperwork.zip” and “HR (2).zip”. They contained an executable with a malicious DLL file, libcef.dll. Execution triggered DLL sideloading and resulted in the deployment of Atlas RAT, configured to communicate to C2 IP 154[.]211[.]86[.]110 over TCP port 886.  Figure 5: HR themed email lures in April 2026.  Atlas RAT Campaign 3  On 7 April 2026, Proofpoint observed a third TA4922 campaign that introduced a different lure theme while maintaining familiar delivery techniques. Unlike the prior HR-themed activity, this campaign appeared to impersonate customer service communications related to invoicing. The emails claimed to deliver an electronic invoice in PDF format.  Email Body Translation:  The email attachment was a ZIP archive named “電子請求書発行のお知らせ.zip”, which contained a compressed IMG file. When mounted, the IMG file included an executable that relied on DLL sideloading to install Atlas RAT. Once executed, the payload established C2 communication with the same infrastructure observed in prior campaign, IP 154[.]211[.]86[.]110 over TCP port 886.  Figure 6: Electronic invoicing email lure delivering Atlas RAT via compressed IMG attachment.  RomulusLoader Campaign 1 – Initial activity   On 23 March 2026, Proofpoint observed TA4922 campaigns that marked the first identified use of a new loader family Proofpoint named RomulusLoader. The emails primarily targeted organizations in Japan and used corporate and human resources–themed lures.  The messages impersonated internal company communications and urged recipients to review business documents. URLs embedded in the email body redirected users to file sharing services (LimeWire) where a ZIP archive was hosted.  Email Body Translation:  The archive contained an executable paired with a malicious DLL. Upon execution, the payload leveraged DLL sideloading to install RomulusLoader. The loader subsequently attempted to retrieve and execute additional payloads, although the final stage was not identified during initial analysis. Observed network traffic showed communications with C2 infrastructure at 43[.]156[.]77[.]97 over TCP port 1234.  Figure 7: Corporate/HR-themed lure with LimeWire URL.  Figure 8: LimeWire hosting RomulusLoader payload.  RomulusLoader Campaign 2 – RMMs  Remote Monitoring and Management (RMM) payloads are very popular across the cybercriminal threat landscape currently, in part because abusing legitimate services can enable threat actors to “hide” in networks masquerading as authentically used software. However, Proofpoint typically observes threat actors deliver an RMM as a first-stage payload for initial access, then will drop follow-on payloads (like more RMMs or malware) once they’ve gained a foothold. TA4922 switches things up, using the newly identified RomulusLoader as a first stage to drop RMMs.  In mid‑April 2026, Proofpoint identified multiple TA4922 campaigns that leveraged RomulusLoader to deploy legitimate RMM software, AnyDesk and the Chinese RMM SyncFuture.  The emails used business and tax‑related themes which targeted organizations in Japan and Germany. Similar to the prior campaign, emails contained embedded URLs which led to ZIP archives containing an executable and a malicious DLL. Execution triggered DLL sideloading, resulting in the installation of RomulusLoader.  Following initial execution, RomulusLoader retrieved an additional component that installed RMM software, either SyncFuture or AnyDesk. First‑stage infrastructure in these campaigns overlapped, leveraging IP address 103[.]214[.]172[.]33 to host the subsequent payload.   Notably, TA4922 was last observed deploying SyncFuture in a campaign in December 2025 with subsequent activity shifting away from its use. However, recent campaigns indicate it is still part of this actor’s malware arsenal.   The SyncFuture campaign targeted organizations in Germany and impersonated the Munich tax authority (Finanzamt München). Messages purported to claim the target was receiving a tax audit.   Figure 9: Tax audit–themed email to lure recipients into downloading audit documentation.  URLs in the email led to a landing page impersonating a tax portal.   Figure 10: Fraudulent German‑language tax portal landing page.  The AnyDesk campaign targeted companies in Germany using payroll and salary themed lures. Emails contained URLs leading to a ZIP file and claimed to share pay slip and expense information in a zipped PDF. The file contained the EXE and DLL leading to the malware.  Figure 11: Payroll‑themed lure impersonating an internal salary and expense notification system to prompt victims to download a purported PDF document.  Figure 12: CAPTCHA‑style verification gate presented on the initial landing page. Figure 13: Payroll‑themed landing page impersonating an internal salary notification system and providing a button to download purported PDF pay statements.  SilentRunLoader Campaign 1 – Initial activity  Proofpoint first identified the campaign leading to the Python‑based loader and stealer tracked as SilentRunLoader on 30 March 2026. This campaign primarily targeted organizations in the United Kingdom and impersonated tax authorities with references to VAT filings, payroll tax documentation, and regulatory compliance requirements. Embedded URLs directed recipients to the file‑hosting service, MediaFire, where the executable was hosted. Upon execution, the payload installed SilentRunLoader which harvested sensitive data from Google Chrome including stored credentials, cookies, and browsing information. Collected data was exfiltrated via HTTP POST requests to C2 infrastructure hosted at “ws[.]ztts88[.]cyou” which resolved to IP address 18[.]139[.]83[.]110.  Figure 14: Tax‑themed email lure impersonating the UK government tax authority HMRC and directing recipients to the SilentRunLoader payload hosted on MediaFire.  SilentRunLoader Campaign 2  Proofpoint identified another TA4922 campaign delivering SilentRunLoader on 10 April 2026. The campaign targeted recipients across Southeast Asia and the United Kingdom using benefits and compliance‑themed lures. The lures impersonated government and universal benefits services.  Emails contained embedded srt.tw URLs, a URL shortening service, which redirected to ZIP or RAR archive files hosted on MediaFire. SilentRunLoader was installed via DLL sideloading and exfiltrated Chrome data to previously observed C2 infrastructure hosted at “ws[.]ztts88[.]cyou” which resolved to IP address 18[.]139[.]83[.]110.  Figure 15: Benefits‑themed email lure using a shortened URL to deliver the SilentRunLoader payload.  Now let’s examine the malware TA4922 is using in greater technical detail.  Malware Analysis  RomulusLoader  RomulusLoader is a unique loader malware written in C, designed to download and execute additional payloads from a C2. It features:  A Custom PE loader with section mapping and relocation processing  Dynamic API resolution using PEB/TEB walking and ROR13 hashing  RC4 encryption for an embedded payload (the RomulusLoader PE file)  In campaigns observed within Proofpoint data, RomulusLoader was delivered inside a ZIP archive containing a legitimate executable and DLL related to the Vulkan Graphics API. Vulkan is a low-level, cross-platform graphics and compute API designed for high performance and control over GPU operations. Specifically, the RomulusLoader samples Proofpoint researchers analyzed were masquerading as a component of Vulkan Loader, a sub-component of Vulkan. The metadata of the executable file can be seen in the below image:  Figure 16: Metadata seen in the legitimate Vulkan Loader component abused by RomulusLoader.  The EXE also included this PDB path:            j\msdk\build\Khronos-Tools\repo\build\vulkaninfo\RelWithDebInfo\vulkaninfo.pdb  The DLL has this metadata:  Figure 17: Metadata of a RomulusLoader DLL.  We assess that this DLL file contains legitimate code related to either Vulkan or AnyDesk, but is used primarily to execute RomulusLoader. This is as follows:  1. When the target user executes the legitimate executable, it sideloads the DLL (in our case, “vulkan-1.dll”) as well as a malicious .bin file (in our case, “vulkan-1.bin”). The .bin file contains a shellcode stub and an encrypted blob of data that will eventually result in RomulusLoader itself.  2. The shellcode stub resolves its required Windows function addresses. It also resolves several native API functions like ZwAllocateVirtualMemory, which will be used to load and execute code.  3. The shellcode then locates the embedded payload, which is in the following structure:  Offset 0x00: [4 bytes] PE size (metadata)                     Offset 0x04: [4 bytes] Encrypted payload size                 Offset 0x08: [1 byte]  RC4 key length  Offset 0x09: [N bytes] RC4 key  Offset 0x09+N: Encrypted PE                    4. The shellcode decrypts the embedded PE file, maps it into memory, and executes it as a DLL (starting at the DllMain function).  5. Once the RomulusLoader executable runs, it checks if it is running with Administrator user privileges and copies the original executable (the Vulkan Loader binary) as well as the DLL and malicious .bin file, to the directory “C:\Program Files\Common Files” as a sort of persistence directory.  6. RomulusLoader starts one or more “workers”, which are effectively copies of its code that are injected into other processes (such as svchost[.]exe and dllhost[.]exe). These processes may be started by RomulusLoader, or alternatively, the OpenProcess function can be called to inject into a running process. Once this occurs, RomulusLoader terminates its original process, and the workers continue to execute. This code can be seen in the below example:  Figure 18: Code snippet of RomulusLoader’s start_worker loop.   These worker processes, as well as the termination of the original parent process, are likely used as a technique to attempt to evade endpoint defenses and establish a persistent connection to the C2.   7. The “worker” processes execute the C2 communications routine in a loop. This involves a check-in to the C2 (over HTTP), at which point the C2 server may respond with a payload. Payload delivery seems selective based on targeting. Based on analysis of the C2 communications functions, the payload can take different forms, with support for the following payload execution options (among others):  Shellcode injection, by writing a shellcode payload into a running process (WriteProcessMemory) and executing it (CreateRemoteThread)  Creation of a suspended process, followed by injection (Process Hollowing)  Download (drop to disk) and execute (via a provided URL)  8. When RomulusLoader receives a payload, it decrypts (XOR) and decompresses it (ZLib) and writes the payload to disk (or executes it directly in memory in the case of shellcode). In one instance, the payload was written to the C:\ directory (C:\112[.]121[.]183[.]202ClientSetup.exe).  Below is a diagram of the malware attack chain:  Figure 19: Diagram of RomulusLoader’s behaviors.  A Yara rule to detect or hunt for RomulusLoader shellcode is available here.   SilentRunLoader (a Vibe-Coded Python Stealer/Loader)  Proofpoint has also seen TA4922 using a new compiled Python stealer/loader we call SilentRunLoader, due to its internal naming “silent_run_and_upload.py”. SilentRunLoader is designed to silently download and execute an additional payload, then separately upload sensitive Chrome backup files to a command and control (C2) server.   A few snippets from the decompiled Python code can be seen below.  Figure 20: Screenshot of the beginning of SilentRunLoader’s Python code.  Figure 21: Screenshot of SilentRunLoader’s code, showing the malware’s configuration and other key functions.  The Python code is quite basic and serves two purposes: to download a next-stage payload (cg[.]exe, in this case) and exfiltrate a backup of Chrome browser user data to an actor-controlled server. The downloaded executable (cg[.]exe) is another compiled Python executable and is responsible for gathering Chrome data and packing it into an archive, at which point the main Python code (SilentRunLoader) executes.  In the malware’s configuration, there is an API key “your_secret_key_here”, which the actor didn’t change. This appears to be a placeholder generated by an LLM. Proofpoint has witnessed TA4922 using a few similar Python loader/stealers. Given the comments, strings, and unchanged, hardcoded constants in the code, we assess with high confidence that this group is likely using LLM’s to rapidly develop new Python-based malware. TA4922 seems to be deploying “new” malware at a very fast rate, also leading us to believe that much of it is vibe-coded.    Atlas RAT   Atlas RAT is a fully featured backdoor consisting of multiple stages with a final download of a “core” module, and one or more auxiliary plugins that can be requested and downloaded from the C2. Atlas RAT shares similarities with the Winos4.0 C2 framework in its modular nature and seeming alignment with Chinese-speaking groups.   Given that Atlas RAT was recently documented in detail by researchers at Hexastrike, Proofpoint will provide only a high-level overview of the malware here and highlight techniques or behaviors of interest.   Atlas RAT has the following capabilities:  Gather system information and forward it to the C2, likely for reconnaissance and target selection  List and upload files to the C2 server (data exfiltration)  Load additional plugins, modules, and/or payloads  Surveillance capabilities, such as:  Record audio and video (webcam)  Start a keylogger  Capture clipboard and screenshot data  Shutdown and reboot the system  Atlas RAT consists of multiple stages:  1. The target receives a legitimate executable file and a malicious DLL (the Atlas RAT loader) that is sideloaded into the executable’s process. We have observed that sometimes the malicious DLL copies itself (along with the original executable) to a temporary directory in the user’s path and re-executes itself from there, likely to be a bit stealthier. This can be observed in the following screenshot:  Figure 22: Screenshot of part of Atlas RAT’s loader code.  2. The Atlas RAT loader DLL runs several interesting anti-sandbox and anti-analysis checks, such as:  Checks if the active username is “WDAGUtilityAccount”, which is a built-in account for the Microsoft Defender Application Guard sandbox environment.   Checks if the “CExecSvc” service is running. CExecSvc (Container Execution Service) is a Windows service that acts as the container execution agent, enabling the management and execution of processes inside Windows containers. If this service exists, the malware assumes it is running in a containerized environment.  Checks if the network adapter DNS suffix is “mshome”, which is a default suffix that may be used in Hyper-V and other virtual environments.  Checks if the “vmsmb” device exists on the system, which could indicate to the malware that it is running in a VM.  Checks the UUID of the Windows operating system, which can help determine if the Windows operating system is activated. Many sandboxes and analysis environments don’t have an activated Windows environment.  Checks for the existence of the “WDAG” RunOnce registry key, a registry key associated with Windows Defender Application Guard (WDAG).  If any of these checks fail, the malware assumes it’s running in a hostile environment and terminates itself. After the anti-sandbox checks, the malware loads shellcode into memory:  Figure 23: Screenshot of Atlas RAT’s loader functionalities.  3. The malware uses direct syscalls via SysWhispers to allocate memory for the shellcode and execute it. The shellcode is a small, encrypted blob in the DLL which resolves Windows API function addresses it requires to download the next stage of the malware (such as the WSAStartup, socket, connect, send, and receive functions). The last ~329 bytes of the shellcode contain a multi-stage XOR decoding routine which decodes the C2 address where the Atlas RAT core module will be downloaded.   Figure 24: Snippet of Atlas RAT’s XOR-decryption routine in its shellcode.  4. The Atlas RAT loader DLL then connects to the C2 to download the next stage. The loader issues a very specific check-in consisting of the string “SFuck” followed by 3 null bytes.   Figure 25: Snippet from a malware sandbox of the Send call buffer containing the unique string.  If successful, the C2 responds with the next stage: The Atlas RAT core module.  5. The Atlas RAT core module consists of another DLL with a specific export address of “AtlasInfo” (at least in the samples we observed). Once the AtlasInfo exported function is executed, the core module parses its config structure and writes it to disk in the user’s Documents directory. The config is as follows:  [Setting]  LoginAddress=3200300036002e003200330038002e003100310035002e0035003800 LoginPort=380038003600 REMARK=d89ea48b0759e86c GROUPS=d89ea48b0652c47e Time=32003000320036002d0033002d0036002000310032003a0032003800 SIGN=660035003500630039003600370065002d0066003200370034002d0034006400340066002d0062006100300064002d00660035003500330064003200350032003900640064003100  The config is hex-encoded, and once decoded, results in the following data (example):  Config Value  Description  206[.]238[.]115[.]58  LoginAddress (C2 IP)  886  LoginPort (C2 port)  ؤYèl  GROUPS (likely a build id or affiliate id)  ؤRÄ~  REMARK (likely a sort of campaign id)  2026-3-6 12:28  Time (Time of infection)  f55c967e-f274-4d4f-ba0d-f553d2529dd1  SIGN (used as a unique victim id)  6. Atlas RAT then attempts to connect to its C2 server. Upon successful connection, the malware collects system information and sends it to the C2 encrypted with the ChaCha encryption algorithm. The sysinfo struct looks as follows (example data):  Figure 26: Atlas RAT’s sysinfo struct it sends to its C2 (example only).  The malware also checks for a camera as well as the audio (recording and output) devices on the endpoint and sends this data to the C2.  Figure 27: Screenshot of Atlas RAT’s audio input/output device check code.  7. Atlas RAT maintains its connection state to the C2. It continually checks if the user is actively using their system (via a GetLastInputInfo call), and if this status changes, it sends the current status to the C2:  Figure 28: Screenshot of Atlas RAT’s user activity check code.  8. Atlas RAT continues to execute the above in a loop. The malware client waits for instructions or data from its C2. Based on code analysis of the samples we observed, we assess that these are the commands supported by the malware client and C2 panel (this is subject to change among versions and variants):  Command Code  Description  0x11  Heartbeat / timing synchronization  0x12  Load and execute a plugin DLL  0x13  Payload DLL injection (in our case, injects DLL into WeChat.exe)  0x14  Payload DLL unload  0x15 & 0x16  Update configuration  0x17  Uninstall malware  0x18  Process check (checks if named process is running)  0x19  Window check (checks if window with given title exists)  0x1A  Shutdown/reboot  0x1D  Download payload from URL  0xC8 & 0xC9  Unclear, but possibly related to download and verification of plugin modules  We did not observe follow-on payloads from the C2 during our analysis. However, there is evidence in the code that shows that Atlas RAT is modular in nature, so we suspect additional modules may be downloaded.  Winos4.0 Analysis  Winos4.0 is a well-documented C2 framework. The payloads generated by this framework are referred to by Proofpoint as ValleyRAT, although the terms are sometimes used interchangeably in public reporting. It is a modular, full-featured remote access trojan that has many capabilities, including:  The ability to download additional modules and payloads  File management (read, delete, create files on disk)  Webcam and microphone control  Remote shell access and command execution  Keylogging  DDoS attack support (via a “stress testing” module)  As there are versions of Winos4.0 on GitHub, it is largely open source and could be used by anyone. Due to this, researchers tend to observe different variants and versions of Winos4.0, with slightly different configurations. We have even observed different variations of Winos4.0 being used by TA4922. As an example, in early 2026, we saw a new variation of the standard Winos4.0 malware being used by this group. The malware’s configuration, once decrypted, is as follows:  |A16A6736FB5DC030EF3|A1:aeya388[.]club|o1:7880|t1:1|S2:aeya388[.]club|o2:7881|t2:1|p3:aeya388[.]club|o3:7881|t3:0|dd:10|cl:30|fz:̄ψ|bb:11171030|bz:2025.11.20|jp:0|bh:0|ll:0|dl:0|sh:0|kl:0|bd:0|  This configuration is largely similar to other Winos4.0 configurations with one notable detail: the addition of a string that prefixes the C2 list. This string (“A16A6736FB5DC030EF3”, in one case) is an RC4 key that decrypts the configuration stored in the binary and is possibly used as a campaign identifier.   The malware binary contains a hexadecimal data blob:  3FE030CD5BF6376A61A184A6DC6007584E2F61DCC0C5E44159C45EBF60E3C41F47FA4CD320ADEB17E619A1B593A541B72CC87E261BA9E9C3ECE124B32D4520172C23EACC15C68CDE848DAD61D8A7048413E6A7D51301DD8D4BB661D3E22F0D2BCD3208FECC11AF193C07A2F7BB42324F4F380B8FAE032C6A358AECC87EA5A3035138D26DFEE743A94908979E0E4E21DB6F81E0E3BE12F323D599393BC496FAE730D8154619B79CDF0ADC55C0B6CA68EC8954F0DE88A864A618294F02D895398A486AD0C1E879A  The first 19 characters are an RC4 key that decrypts the config data (starting at the bytes “184A...”. Here is a Cyberchef recipe that can be used to decrypt this config:  Figure 29: Cyberchef recipe for decrypting the config of this Winos4.0 variant.  In addition to this code change, Proofpoint researchers observed some other key code differences between this newer variant of Winos4.0 and other variants. Some notable differences are:  Significantly more complex codebase (71 times larger than other Winos4.0 samples we’ve looked at). Much of this is likely bloat, junk or unused code, however. It’s likely the actor purposefully bloated the code to help evade basic endpoint defense scanning.  Configuration is completely encrypted in binary (using RC4). In many other Winos4.0 samples, config struct is only partially encrypted.   Some differences in module download and implant injection and C2 communications, but many other behaviors are similar.   Proofpoint does not observe this version of Winos4.0 often. Because Winos4.0 has been documented by many other research organizations, we won’t delve into more details of Winos4.0 in this blog post. We highlighted this simply to further demonstrate the number of malware variations used by this group.  Recommendations  To defend against TA4922 and malware described in this report, Proofpoint recommends the following:  Enforce application allowlisting on trusted directories  Prevent or monitor execution from temporary user-path directories such as %TEMP%, %APPDATA%  Monitor for executable files written to system paths or root directories like “C:\”  Prevent or monitor network traffic destined to non-standard or unnecessary ports (such as “1234”), at least for processes that are not allowlisted  Enforce least-privilege principles and limit local admin rights  Conclusion  TA4922 currently conducts more unique campaigns than any other tracked cybercrime threat actor in Proofpoint threat data, demonstrating high operational tempo, a variety of lures, and multiple objectives. While the actor is assessed to be financially motivated, the capabilities of the malware include the potential for surveillance which could be used by or sold to espionage groups.   Proofpoint initially observed the actor targeting organizations in East Asia but has since expanded its scope to include many European countries, particularly in 2026. The actor appears well-organized, using highly targeted lures, and rarely mistakenly distributes campaigns (for example, we don’t see them using Italian language lures to target people in Japan).   The global nature of this actor shows how organizations should be aware of emerging and complex threats, regardless of geographic targeting. These types of actors can quickly expand and scale their tactics to include more targets at any time.   IOCs  Indicator  Description  First Seen  206.238.115.58  Atlas RAT C2  6 March 2026  a648db354820ea4d02940cb1702b35974513b7aae83f6dffaacaac4ba31f9295  ZIP archive (【給与調整のお知らせ】.zip) delivering Atlas RAT  6 March 2026  584a9448dda46bd590d7a2f86228100d2ae6e0d6d990c1a4459ed5ee28e07ae8  Atlas RAT DLL (libcef.dll)  6 March 2026    154.211.86.110  Atlas RAT C2  2 April 2026  66a3836b9a17771bce2161f6b73cbc2494a91e49d6aa30d2d53711e8d10de60d  ZIP archive (Paperwork.zip) delivering Atlas RAT  2 April 2026  4fcfa88fffacbce30bbe2136753c9ab5a4c092940d2406fd9d44d5118e745b9d  ZIP archive (HR (2).zip) delivering Atlas RAT  2 April 2026  a75eab31d7ff06b6864960ad7e633be3f9730ff3d3873e4539c8f425fc632dad  Atlas RAT DLL (libcef.dll)    2 April 2026  43.156.77.97  RomulusLoader C2  23 March 2026  40b41979b317406f8abc601677a3b93aaf6ef8ab8ac188b8f383735e388f13b5  RAR archive (会社文書.rar) delivering RomulusLoader  23 March 2026    8c9b6542f73c5c7fe455b52f5101314407da4f65ff48e7ebf6896605e607c8d0  RomulusLoader DLL (vulkan-1.dll)  23 March 2026  3119cf37b8267db8a2dcd11d9a83d5237d7ef1e42388e7c9afa2831b91da8a2d  RomulusLoader component (vulkan-1.bin)  23 March 2026  https://nwphotoblog[.]com  URL used in RomulusLoader / SyncFuture campaign which hosted a landing page with download button  16 April 2026  103.214.172.33  RomulusLoader First-stage C2  16 April 2026  314f4b59535d1b783e1c20c2be00f9e30f8ed27b2e21fad06a73b47ea43279ef  RomulusLoader / SyncFuture ZIP (Alles in dem schuppen.zip)  16 April 2026  2d2a251a88632f010fd9671789746908eeccaa5bc5c0a5d25e4649efe4f5b15d  RomulusLoader / SyncFuture executable (Alles in dem schuppen.exe)  16 April 2026  0857148fb0bc4aa7adf967ede2307bdb4fc427065d5b6a6db132688a5a8e1eb8  RomulusLoader / SyncFuture DLL (teamspeak_control.dll)  16 April 2026  https://ws.ztts88[.]cyou/file/cg[.]exe  SilentRunLoader download URL  30 March 2026  https://ws.ztts88[.]cyou/upload[.]php  SilentRunLoader data exfiltration URL  30 March 2026  e0a6a71c605d9a4076147e9537f82f79f1e1eccadc874595160aa4637ff4088c  SilentRunLoader Executable SHA256  30 March 2026  18[.]139[.]83[.]110  SilentRunLoader data exfiltration IP  30 March 2026  de82998ad5fcd63deae030803388e0fb4290d6223fda82368fd25b99b823f0d2  SilentRunLoader ZIP SHA256    10 April 2026  9d0a55c545c4147956db2c2667c4ed931a2875309147548b1dfdd216228f5f73  SilentRunLoader Executable SHA256  10 April 2026 

More CVEs, Same Playbook: 2026 Vulnerability Exploitation in the Wild

27 May 2026 at 17:00
Executive Summary The CVE Landscape Has Changed. The Threat Actors Haven't.  Proofpoint's dual telemetry streams — targeted attack visibility covering hundreds of millions of messages daily, and a global network sensor array that generated over 3 million alerts and identified four undisclosed CVEs in 2026 to date — present a consistent picture: attackers are opportunistic. They grab newly published CVEs when public proof-of-concept code appears, chain them with established techniques, and move on.  What has changed is the volume of vulnerabilities feeding that pipeline. NIST reported that CVE submissions in Q1 2026 were nearly one-third higher than the same quarter last year, and that the National Vulnerability Database still cannot keep pace with enrichment. The widely-cited driver is AI-assisted vulnerability discovery: frontier models are enabling both defenders and researchers — and, increasingly, anyone with access to an open-weights model — to surface bugs at machine speed. The exploit window is narrowing, but the exploitation pattern remains recognizable.  KEY TAKEAWAY  Proofpoint telemetry shows 12 distinct 2026 CVEs being actively exploited in network-facing attacks, compared to the 8 currently listed on the CISA KEV catalog. The four-CVE gap represents real-world exploitation that CISA has not yet formally catalogued — a visibility problem that defenders cannot afford to ignore. Targeted Email Telemetry Three 2026 CVEs in Targeted Email: Old Tricks, New Vulnerabilities  Proofpoint's email telemetry — which covers organizations across the globe — has identified two 2026 CVEs being actively weaponized in targeted attack campaigns this year. Neither represents a fundamental shift in tradecraft. Both fit cleanly into attacker playbooks that Proofpoint has tracked for years.  CVE-2026-21509 — Microsoft Office (RTF/OLE Code Execution)  The more prominent of the two is CVE-2026-21509, a remote code execution vulnerability in Microsoft Office affecting RTF and OLE document processing. Within 24 hours of public disclosure in January 2026, Russia-linked TA422 (APT28) weaponized the flaw in malicious RTF files targeting Ukrainian government agencies and European defense, transportation, and diplomatic entities — behavior consistent with the group's well-documented practice of rapidly adopting newly disclosed Office vulnerabilities for email-borne initial access.  Proofpoint telemetry observed CVE-2026-21509 in targeted spear-phishing campaigns delivering weaponized document attachments with high-fidelity institutional lures — official letterheads, bilingual formatting, ministerial seals. The exploitation delivers a multi-stage infection chain culminating in the NotDoor Outlook backdoor and Covenant Grunt implants. Cloud storage services (notably filen.io) serve as C2 infrastructure, blending malicious traffic with normal enterprise activity.  CVE-2026-21510 — Windows Shell Protection Mechanism Failure  In two separate campaigns observed by Proofpoint in March and April 2026, DPRK-aligned threat actor TA406 (Opal Sleet) chained CVE-2026-21509 and CVE-2026-21510 within a single attack sequence. Social engineering lures themed around visa processing and diplomatic initiatives delivered RTF attachments weaponizing CVE-2026-21509 for initial code execution.  The use of the same CVE pair previously documented in TA422's campaigns is a textbook illustration of the delayed-remediation risk: once a vulnerability with reliable code execution is demonstrated in the wild, additional threat actors will adopt it opportunistically, regardless of patch availability. Disclosure and exploitation are no longer sequential.  In both TA406 campaigns, the OLE objects embedded in the RTF attachments were LNK files. Upon execution, these initiated a WebDAV connection to download secondary LNK files, which then invoked CVE-2026-21510 to bypass Windows Shell security controls and execute a DLL payload. It is at this stage that TA406's chain diverges from TA422's — the downstream payloads and post-exploitation behavior reflect distinct operational infrastructure and tradecraft between the two threat actors.  PROOFPOINT OBSERVED  All CVE-2026-21509 and CVE-2026-21510 messages targeting Proofpoint customers were blocked at delivery. Indicators of compromise for the associated campaign are available to Proofpoint Threat Intelligence subscribers.  CVE-2026-32202 — Windows (Incomplete Patch Bypass)  The third (targeted) email-weaponized CVE of 2026 is CVE-2026-32202, a Windows vulnerability stemming from an incomplete patch for earlier CVE-2026-21510. The flaw was exploited as a zero-day alongside CVE-2026-21513 by TA422 in attacks targeting Ukraine and EU member states beginning in late 2025. Microsoft added CVE-2026-32202 to the CISA KEV catalog after acknowledging active exploitation in April 2026.  The exploitation chain is notable for its stability: the two CVEs are being chained to achieve reliable initial access via email-delivered lures, reinforcing a recurring Proofpoint observation that incomplete patches create a secondary exploitation window that sophisticated actors actively monitor and capitalize on.  FINDING #1  Both 2026 CVEs observed in targeted email campaigns are Microsoft-ecosystem vulnerabilities exploited by a single, state-sponsored actor (TA422) via highly targeted spear-phishing. The technique — weaponized Office documents with institutional lures — is unchanged from campaigns Proofpoint tracked years prior. The CVEs are new. The behavior is not.  Network Sensor Telemetry  Twelve 2026 CVEs Across 5,000+ Sensors — Four Ahead of CISA  Proofpoint's network sensor infrastructure — spanning over 5,000 sensors globally with more than 3 million alerts analyzed in 2026 — has detected active exploitation attempts for 12 distinct 2026 CVEs. The CISA KEV catalog, as of this writing, lists 8 CVEs from 2026. The four-CVE gap reflects a structural reality: CISA's KEV process is necessarily reactive and evidence-based, while internet-scale sensor telemetry captures exploitation activity earlier and more broadly.  The 12 CVEs observed span a predictable set of target categories: network perimeter devices, enterprise web infrastructure, collaboration and mail platforms, and remote access management systems. This distribution reflects attacker prioritization of internet-exposed attack surface.  CVES SEEN IN NETWORK TELEMETRY (PROOFPOINT OBSERVED VS. CISA KEV)  CVE  Affected Product  Vulnerability Type  Vector  KEV Listed  CVE-2026-20122  Cisco Catalyst SD-WAN  Authentication Bypass  Network  Yes  CVE-2026-20128  Cisco Catalyst SD-WAN  Authentication Bypass  Network  Yes  CVE-2026-20133  Cisco Catalyst SD-WAN Manager  Info Disclosure  Network  Yes  CVE-2026-0300  Palo Alto PAN-OS  Out-of-bounds Write / RCE  Network  Yes  CVE-2026-6973  Ivanti EPMM  Authentication Bypass  Network  Yes  CVE-2026-41940  WebPros cPanel & WHM / WP2  Missing Auth — Critical Function  Network  Yes  CVE-2026-42897  Microsoft Exchange Server  Cross-Site Scripting (OWA)  Network  Yes  CVE-2026-39987  Marimo (Python notebooks)  Remote Code Execution  Network  Yes  CVE-2026-1281  Ivanti EPMM  Zero-day / Auth Bypass  Network  No *  CVE-2026-1340  Ivanti EPMM  Zero-day / Auth Bypass  Network  No *  CVE-2026-20182  Cisco Catalyst SD-WAN  Authentication Bypass  Network  No *  CVE-2026-31431  Linux Kernel  Incorrect Resource Transfer / Priv-Esc  Network  No *  * Not on CISA KEV list as of May 15, 2026, but active exploitation confirmed in Proofpoint telemetry.  The cPanel Cluster: Mass Exploitation at Scale  CVE-2026-41940, the cPanel authentication bypass, illustrates the opportunistic mass-exploitation pattern most clearly. What began as exploratory probing evolved into a multi-actor campaign combining ransomware deployment, website defacement, and — in at least one documented case — targeted cyber-espionage. We also now increasingly observe this vulnerability within attack chains of threat actors that rely on compromising legitimate websites via web inject, such as TA569 (SocGholish). As these campaigns generally leverage non-malicious email communications to drive intended victims to the compromised assets, we have not included this activity in the “targeted” email section of this report.  Proofpoint sensor data observed automated scanning traffic targeting cPanel instances within days of public proof-of-concept code availability, consistent with how financially motivated actors typically operationalize newly published vulnerabilities.  Cisco SD-WAN: A Persistent Perimeter Target  Three CVEs in our network telemetry affect Cisco Catalyst SD-WAN infrastructure: CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133. The first two are authentication bypass vulnerabilities; the third exposes sensitive configuration data. CISA issued Emergency Directive ED 26-03 specifically covering these flaws. Proofpoint sensor data shows exploitation attempts against exposed SD-WAN management interfaces across multiple verticals, consistent with reconnaissance-phase activity by both nation-state and financially motivated actors.  FINDING #2  Four of the 12 2026 CVEs seen in Proofpoint's network telemetry are not yet on the CISA KEV list. Organizations relying solely on KEV for prioritization are operating with an incomplete picture. Network-scale telemetry is consistently 2–4 weeks ahead of formal KEV inclusion for perimeter vulnerability classes.  Structural Context AI Is Discovering More Vulnerabilities. It Isn't (Yet) Changing How They're Exploited.  The macro context behind the 2026 CVE surge deserves careful framing. There is credible, growing evidence that frontier AI models are materially accelerating vulnerability discovery. Mozilla's Firefox team, working with frontier models, released 61 patches in February and 76 in March. Apache is experiencing a 170%+ increase in published CVEs. NIST CVE submissions in Q1 2026 ran nearly one-third above the same period last year. By one estimate, 55,000 to 60,000 CVEs will be published across all of 2026.  Critically, these discoveries are being made primarily by defenders and researchers — the intent is patching, not exploitation. The early 2026 surge was initially noisy, with a flood of low-quality AI-assisted submissions, but quality has improved markedly since April as tooling matures.  What Proofpoint's telemetry does not show is a corresponding transformation in attacker behavior. The threat actors exploiting 2026 CVEs in our email and network data are using them the same way they've used newly disclosed vulnerabilities for years: grab the public PoC, adapt it to existing delivery infrastructure, target exposed attack surface opportunistically. APT28 weaponized CVE-2026-21509 within 24 hours — but delivered it via the same spear-phishing RTF/OLE chain the group has used since at least 2022.  THE NUANCE THAT MATTERS  Frontier AI is almost certainly shrinking the window between vulnerability discovery and exploit availability, even if it hasn't yet transformed attacker tradecraft at scale. The 42% year-over-year increase in zero-days exploited before public disclosure (CrowdStrike 2026 Global Threat Report) is a leading indicator worth watching. The story may look different by year-end.  The NIST Gap Problem  One structural consequence of the CVE volume surge deserves particular attention for defenders. NIST has formally acknowledged that the National Vulnerability Database can no longer enrich every new CVE submission at the same speed or depth as before. Backlogged CVEs published before March 1, 2026 are being moved to a "Not Scheduled" enrichment category. For security teams relying on NVD CVSS scores and metadata to drive patch prioritization queues, this creates a systematic blind spot. Threat-intelligence-driven prioritization — using data like Proofpoint's sensor telemetry to identify what is actually being exploited — becomes more important, not less, as the vulnerability catalog scales.  FINDING #3  The surge in 2026 CVE volume is a consequence of AI-assisted vulnerability discovery by defenders, not offensive AI capability deployed at scale. Attacker behavior in Proofpoint telemetry remains opportunistic and technique-stable. The risk is not that AI has transformed the threat actor, but that a higher-volume CVE pipeline will strain patch prioritization processes — particularly as NIST NVD enrichment coverage thins out.  Defensive Guidance Recommendations for Security Teams  The patterns in Proofpoint's 2026 telemetry translate into several concrete defensive priorities:  1. Don't Wait for KEV to Prioritize Network-Facing CVEs  Four of the 12 2026 CVEs Proofpoint has observed being actively exploited are not yet on the CISA KEV list. For internet-exposed infrastructure — network perimeter devices, mail servers, VPN and remote access management platforms — treat newly disclosed authentication bypass and RCE vulnerabilities as high priority immediately upon disclosure, particularly when public PoC code is available. Prevention via an IPS ruleset will likely be the only option for certain exploits.  2. Patch Microsoft Office and Windows With Urgency  Both 2026 CVEs observed in targeted email campaigns are Microsoft-ecosystem vulnerabilities. CVE-2026-21509 and CVE-2026-32202 were exploited by APT28 within days of disclosure. Organizations in government, defense, transportation, and European critical infrastructure should treat Microsoft's monthly patches — especially for Office and Windows zero-days — as emergency items. Apply Microsoft's registry hardening guidance alongside patches.  3. Rebuild Patch Prioritization Workflows for Higher Volume  With 55,000–60,000 CVEs projected for 2026 and NVD enrichment coverage declining, CVSS-score-driven prioritization is increasingly inadequate. Teams should augment or replace CVSS-centric workflows with exploitation-signal-based prioritization: which vulnerabilities are generating actual exploit traffic in telemetry right now?  4. Monitor AI Developer Tooling as an Emerging Attack Surface  CVE-2026-39987 (Marimo RCE) and the BerriAI LiteLLM SQL injection vulnerability represent a newly emerging class of AI developer tooling targets on the KEV list. As AI infrastructure proliferates in enterprise environments — often with broad network access and sensitive credential stores — treat these platforms with the same exposure scrutiny applied to traditional web application infrastructure.  5. Assume the Window Is Narrower Than It Was  TA422’s sub-24-hour weaponization of CVE-2026-21509 is consistent with a structural trend: the time between vulnerability disclosure and exploit availability is compressing. Assume that a high-severity, remotely exploitable vulnerability with public PoC is being actively attempted within 48–72 hours of disclosure, and size response SLAs accordingly.  Methodology Data Sources and Scope  Email telemetry in this report covers Proofpoint's global email security platform, which analyzes hundreds of millions of messages daily across enterprise customers in AMER, EMEA, and APJ. Targeted attack data reflects campaigns observed by the Proofpoint Emerging Threats team in which CVE-year-2026 vulnerabilities appeared as the initial access vector.  Network telemetry is sourced from Proofpoint's distributed sensor infrastructure: more than 5,000 passive network sensors generating over 3 million alerts in 2026 year-to-date. CVE observation in this context reflects detected exploitation attempts or successful exploitation events, not theoretical exposure. The CISA KEV catalog figures cited reflect the catalog's state as of May 15, 2026.  CVE background information and campaign attribution details draw on public reporting from CISA, CERT-UA, Trellix, Securelist, Recorded Future, and other sources, corroborated against Proofpoint telemetry. 
Received — 19 May 2026 Proofpoint Threat Insight

Device Code Phishing is an Evolution in Identity Takeover

14 May 2026 at 06:05
Key Findings Device code phishing is exploding across the threat landscape, with new device code phishing tools emerging every week.   The spike in device code phishing coincides with publicly released criminal toolkits, and the emergence of multiple phishing-as-a-service (PhaaS) offerings.   Most of the identified activity is using “vibe coded” techniques. It is unclear whether most are copying and modifying publicly known tools or using similar prompts to generate nearly identical attack flows wholesale.   Regardless of how the tool was created and which device code tool actors are using, defense remains the same.   The surge of device code phishing is the natural progression of credential phishing, as more people become aware of multifactor authentication bypass techniques, criminals must get creative.  Overview  Credential phishing remains an effective technique enabling everything from account takeover and fraud to ransomware and espionage. However, as organizations become better at defending against common phishing techniques such as multifactor authentication (MFA) phishing, cyber threat actors have expanded their capabilities to techniques like device code and OAuth phishing. When combined with LLM-generated tools and social engineering, criminals can use such techniques to target more people with new social engineering tricks at scale.   From 2020 to around 2022, red teams and occasionally criminals and espionage threat actors leveraged the device code phishing technique to trick someone into authorizing a malicious app on their enterprise email accounts. But the popularity grew in recent years. The publication of criminal device code phishing tools in fall 2025, paired with new innovations in attack chains amplified by “vibe coding” resources, turned the previously obscure technique into a phishing free-for-all.     Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 or other enterprise user accounts by approving access for actor-controlled applications. While the majority of device code phishing campaigns focus on Microsoft accounts, Proofpoint has also observed Google themed campaigns in significantly lower volumes.   Device code phishing campaigns frequently leverage “account takeover (ATO) jumping,” a technique where an attacker compromises an initial email account and then uses it to send phishing links to a wide set of contacts.  In observed activity, campaigns typically begin with an initial message delivering a URL in various ways, like embedded behind a button, as hyperlinked text, embedded in a document, or within a QR code. When a user visits the URL, it initiates an attack sequence leveraging the legitimate Microsoft device authorization process.   The current device code landscape contains a major difference that’s increased the popularity from the original implementations: on-demand code generation.   Previously, threat actors would generate a code and send it directly to the recipients, saying they need to enter the code as soon as possible because it expires in 15 minutes. If a target didn’t see the email, or decided to wait to interact with malicious URLs, the code would expire and the actor was out of luck. Current iterations address the limitations of the 15-minute expiration window. In most current device code phishing attacks, the code is generated dynamically when a user clicks on the initial phishing link. This seemingly small change allows the user to view the email at any time to kickstart the attack chain. These new implementations of the device code attack chains can be purchased via phishing-as-a-service (PhaaS) offerings, like EvilTokens or Tycoon, or created and owned by the threat actor conducting the campaigns.   Successful device code phishing attacks can lead to full account takeover, theft of sensitive information, fraud and business email compromise, lateral movement within a compromised environment, and even disruptive attacks like ransomware.  Campaign Examples  In device code phishing campaigns, emails can include URLs, attachments with URLs, or QR codes that lead to the device code phishing landing pages. The presented code is a unique device code generated for the target and the button redirects the user to https[:]//microsoft[.]com/devicelogin, which is part of Microsoft's device code authentication flow. If the target enters the provided code into the legitimate Microsoft device code authentication portal, it allows the threat actor to capture authentication tokens, which can then be used to access the target's account, including data and other services that the compromised account has access to.   EvilTokens is one of the most prominent device code PhaaS options.   Proofpoint assesses EvilTokens is created and maintained using “vibe coding” AI generation techniques. It was first advertised on Telegram in February 2026. EvilTokens is designed to capture authentication tokens, which can then be used to access the target's account, including data and other services that the compromised account has access to.   Figure: EvilTokens Telegram channel announcement.   The platform offers various landing pages and themes for customers including Microsoft, Adobe, DocuSign, etc. The platform can generate the attack chain from lure to infrastructure.     Figure: Example of EvilTokens landing page, observed by Proofpoint in March 2026.  EvilTokens affiliates can also pay for the “Portal Browser” which enables them to access and manage multiple compromised Microsoft 365 accounts. This tool helps automate and scale business email compromise (BEC) operations. Researchers at Sekoia previously detailed the EvilTokens PhaaS operations.   Notably, Proofpoint researchers observe numerous variations of device code phishing kits that look similar to EvilTokens, but use slightly different API endpoints and HTML headers, enabling researchers to differentiate the unique kits. Some are used regularly by multiple threat actors; some appear briefly in threat data and are used in just a handful of campaigns.   In one 10-day window in April 2026, Proofpoint researchers observed around seven unique device code phishing variants that looked nearly identical.   It is unclear whether EvilTokens copied an existing kit and monetized it, or if other threat actors are copying and/or updating EvilTokens via AI tools to create their own device code phishing without using the PhaaS platform. There's a strong possibility that both are occurring simultaneously.  Figure: Example of multiple device code phishing landing pages.  For example, cybercriminal actor TA4903 began using device code phishing to steal credentials in March 2026. The actor continues to impersonate small businesses and government entities but is now using the device code phishing technique almost exclusively, which appears to have replaced their business email compromise activities. It is a notable shift in tactics.   In a campaign observed in April 2026, TA4903 masqueraded as a human resources contact, and sent “salary notifications” emails containing a PDF attachment.   Figure: TA4903 lure.   The PDF included a QR code that, when scanned, redirected via a Cloudflare Workers URL to a custom filtering page. When passed, the user was shown a landing page impersonating DocuSign and Microsoft hosted on Cloudflare Workers.   Figure: PDF attachment distributed by TA4903.  Figure: TA4903 landing page impersonating Microsoft and DocuSign, observed April 2026.  The landing page included a "signing code" and instructions to login to the users' corporate email via the hyperlinked button and add the device code in the authentication flow.   The actor uses a custom device code phishing kit that looks and operates in a very similar manner to EvilTokens. The device code generation service is hosted on actor-controlled infrastructure, but the rest of the attack chain was deployed to cloud services. Once the user inputs the code at the authentic device authentication portal, the token generated by TA4903 was validated, giving the threat actor access to the targeted Microsoft 365 account.  Interestingly, in some device code campaigns, Proofpoint observed actors sending blank email bodies. For example, in an April 2026 campaign, TA4903 distributed payment confirmation emails with a blank email body and attached PDF with a QR code. In another unattributed campaign from late March 2026, the actor pretended to be the Federal Court of the United States to deliver PDF attachments leading to device code phishing, but the email was completely blank.   Figure: TA4903 email with a blank lure.    Figure: Email impersonating the U.S. court system, with a blank lure.   These campaigns suggest that portions of the campaign may be automated, and the actor is either unfamiliar with how (or too lazy) to create believable social engineering to go along with their PDF attachments and colorful device code phishing landing pages. Or, the actor made a mistake, and they forgot that important component of their email threat campaign. Either way, it is not very realistic.  Device code phishing is not limited to English-speakers. Proofpoint has observed the technique in multiple languages targeting organizations globally.   Figure: Device code phishing landing pages in Spanish (left) and German (right).  Many device code phishing campaigns use the layouts as documented above, using a handful of the same colors, with a box around the generated device code and details on how to copy and login to the target account. Others get more creative, like the following campaign observed in March 2026. In this campaign impersonating Microsoft, the threat actor pretended to send security or product notifications. The URL in the email led to a landing page impersonating Microsoft with the generated device code on the left side of the page.      Figure: Microsoft impersonation landing page containing actor-generated device code.  Proofpoint has also observed campaigns that direct to a landing page where the user must first input their email address, then will be redirected to the device code phishing landing page to retrieve the code. This example is from the ARTokens kit.  Figure: ARTokens landing page.  Despite the extensive use of AI by many of the threat actors creating and/or distributing device code phishing, the observed campaigns are not typically sophisticated. In many cases, actors are exposing their infrastructure, usernames, email addresses, stolen information, or other sensitive details to the public, due to not properly securing AI-generated panels, HTML code, or infrastructure. These OpSec failures have helped identify or otherwise classify the wave of new implementations.  (We are not publicly sharing the details of these operational security failures, as we do not want to help criminals get better.)  Pivot to Device Code  Evidence suggests that threat actors who distributed AiTM phishing are now pivoting to device code phishing. In fact, following the disruption to a significant portion of the infrastructure in February 2026, Tycoon 2FA’s operator began selling device code PhaaS as part of its offerings.   While Tycoon 2FA activity has significantly decreased post-disruption, Proofpoint still observes some campaigns using the service, including device code campaigns. Interestingly, the Tycoon 2FA device code landing page looks very similar to EvilTokens.  Figure: Tycoon 2FA device code landing page.  Proofpoint researchers also recently identified the ODx PhaaS providing device code capabilities in addition to their AiTM offerings. ODx is one of the most popular AiTM kits currently. It's also tracked as Storm-1167 and FlowerStorm.  In the observed campaign, the actor used compromised senders to deliver URLs leading to the ODx device code phishing landing page. The landing pages included multiple different themes including impersonating SharePoint, Adobe, and Docusign.   Figure: ODx device code landing page.  ODx’s device code capabilities are using Kali365, a device code PhaaS. Kali365 is just one of many such kits available for purchase. It’s unclear whether ODx stole or purchased Kali365, or partnered with them to integrate directly into their service.   Figure: Kali365 portal.   Researchers have also observed campaigns distributing device code phishing that include artifacts of previous AiTM phishing attempts. In one campaign observed in April, the threat actor distributed PDFs masquerading as SharePoint documents with URLs leading to device code landing pages.   Figure: SharePoint PDF lure (left) and device code landing page (right).   But interestingly, the PDF’s metadata contained an unintentional URL artifact. Though currently inactive, this URL artifact was associated with Tycoon in April 2025. It is likely the threat actor was reusing PDF lures but not fully removing old content. This indicates that threat actors who previously used the Tycoon PhaaS may be moving to device code phishing instead. This campaign was not attributed to either EvilTokens or Tycoon, using one of the many other variants instead.   Technique Proliferation  Similarities can be drawn between the popularity and recent explosion of device code phishing and another favored technique that also recently took over the threat landscape: ClickFix. ClickFix emerged as a unique social engineering technique in 2024, used by a small number of cybercriminals. With it, threat actors trick people into copying, pasting, and running scripts on their host. The copy/paste social engineering technique is also used in device code phishing.   In less than a year, ClickFix took off across the landscape – both with cybercrime and espionage threat actors – before becoming a staple of modern threat campaigns used by many different adversaries.   Both ClickFix and device code phishing rely on social engineering. An actor must convince a user to take a risky action (copying information provided) and pasting it somewhere they shouldn’t (like a terminal window or in the Microsoft 365 authentication flow). Both techniques also started out relatively small, with threat actors appearing to experiment, before growing into prominent threats that are now available to be purchased as services on crime forums.   New, effective techniques follow similar patterns: a small number of criminals innovate and once they find success, everyone else follows.   The rapid uptake and sustained use of device code phishing suggest threat actors find it very effective. This could be because the attack chain may still be unfamiliar to users who think they are just following the proper authentication prompts, and LLM-generated landing pages make them look somewhat believable.   Device code phishing represents the latest evolution in credential theft, exploiting legitimate authentication flows to bypass modern security controls. As security gets better, and users get more knowledgeable, hackers need to try new tricks. Although AI has lowered barriers to entry and accelerated development, it has simultaneously introduced exploitable weaknesses through OpSec failures and poor implementation, showing that just because someone has more tools to do crime, doesn’t mean they’re always good at it.   Recommendations  The good news is, defense against device code phishing remains the same, regardless of the kit being used or method of delivery.   Block device code flow where possible   The strongest mitigation is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. Conditional Access policies can first be deployed in a report only mode, or the “Policy impact” viewed over historic sign in log records, to determine the impact for an environment.    If blocking device code flow completely is not feasible, Conditional Access can be used to create an allow-list approach based on accepted use cases. For example, only enabling device code authentication for approved users, operating systems, or IP ranges such as using “Named locations”.   Require compliant or joined devices   If organizations use device registration or Intune, Conditional access policies requiring that sign ins originate from a compliant or registered device will protect users from device code phishing. This should be deployed as a defense in depth strategy, as there will likely be exclusions from this requirement, when compared with a dedicated device code flow policy.    Enhance user awareness regarding device code phishing attacks    Traditional phishing awareness often emphasizes checking URLs for legitimacy. This approach does not effectively address device code phishing, where users are prompted to enter a device code on the trusted Microsoft portal hxxps://microsoft.com/devicelogin. User training should include guidance on not entering device codes received from untrusted sources.   Example Emerging Threats Rules  2069030 DeviceCode Phishing Landing Page Observed  2867149 DeviceCode Phishing Landing Page Observed  2867150 DeviceCode Phishing Landing Page Observed  2867151 DeviceCode Phishing Landing Page Observed  2867154 Observed DNS Query to device code Phishing Domain  2867158 Observed device code Phishing Domain in TLS SNI  2867169 DeviceCode Phishing API Activity (GET)  2867170 DeviceCode Phishing API Response  2068813 Wahala Microsoft OAuth device code Landing Page 2026-04-16  2068814 Successful Wahala Microsoft OAuth device code Attack, Polling for User Validated Tokens  2068628 Generic device code Landing Page 2026-04-07  2068629 EvilTokens Fetch Valid user_code from Microsoft API  2068630 EvilTokens Poll for user_code Authentication Status  Example Indicators of Compromise  Indicator   Description  First Seen  onedrive-7tu[.]techroboticslabmade-techie-com-s-account[.]workers[.]dev    EvilTokens Device Code Phishing Landing  26 March 2026  voicemail-59f[.]admin-treyripple-com-s-account[.]workers[.]dev  EvilTokens Device Code Phishing Landing  24 March 2026  voicemail-wx7[.]mark-squires-expressrancnes-com-s-account[.]workers[.]dev  EvilTokens Device Code Phishing Landing  24 March 2026  voicemail-lyr[.]nbuckley-cambek-com-s-account[.]workers[.]dev  EvilTokens Device Code Phishing Domain  24 March 2026  f8uh-dwam-j4l5[.]pvasquez-princetonpartners-com-s-account[.]workers[.]dev  EvilTokens Device Code Phishing Landing  1 May 2026  ytgw-9n30-xlwd[.]pvasquez-princetonpartners-com-s-account[.]workers[.]dev    EvilTokens Device Code Phishing Landing  1 May 2026  z6e43e5886fe-endpoint[.]com  Device Code Phishing Domain  5 May 2026  019d442e-endpoint[.]com  Device Code Phishing Domain  5 May 2026  jo2c9ada427c6-endpoint[.]com  Device Code Phishing Domain  5 May 2026  7806d4cf9366-endpoint[.]com  Device Code Phishing Domain  5 May 2026  ee10bbf6c689-endpoint[.]com  Device Code Phishing Domain  5 May 2026  yaga9b286ae2c101-endpoint[.]com  Device Code Phishing Domain  5 May 2026  f36c2774f013-endpoint[.]com  Device Code Phishing Domain  5 May 2026  2dc62559e005-endpoint[.]com  Device Code Phishing Domain  5 May 2026  4daa2aea93db-endpoint[.]com  Device Code Phishing Domain  5 May 2026  ed5ce47d835f-endpoint[.]com  Device Code Phishing Domain  5 May 2026  6dd5fd945b34-endpoint[.]com  Device Code Phishing Domain  5 May 2026  0fdba029e6a5-endpoint[.]com  Device Code Phishing Domain  5 May 2026  019d442a-endpoint[.]com  Device Code Phishing Domain  5 May 2026  019d6860-endpoint[.]com  Device Code Phishing Domain  5 May 2026  stablewebsystems[.]de  ODx Device Code Phishing Domain  30 April 2026  marktkarree-langenfeld[.]de  ODx Device Code Phishing Domain  30 April 2026  crediblebizextension[.]de  ODx Device Code Phishing Domain  30 April 2026  servicewithoutinterruption[.]de  ODx Device Code Phishing Domain  30 April 2026  marketcredibilitysignals[.]de  ODx Device Code Phishing Domain  30 April 2026  kohlhoff-edelstahlverarbeitung[.]de  ODx Device Code Phishing Domain  30 April 2026  reliablesupport[.]de  ODx Device Code Phishing Domain  30 April 2026  europetrustwave[.]de  ODx Device Code Phishing Domain  30 April 2026  trustedengagement[.]de  ODx Device Code Phishing Domain  30 April 2026  methodicalness[.]de  ODx Device Code Phishing Domain  30 April 2026  extendyourcredibility[.]de  ODx Device Code Phishing Domain  30 April 2026  europesignaltrust[.]de  ODx Device Code Phishing Domain  30 April 2026  consistentdigital[.]de  ODx Device Code Phishing Domain  30 April 2026  uninterruptedperformance[.]de  ODx Device Code Phishing Domain  30 April 2026  digitalcontinuity[.]de  ODx Device Code Phishing Domain  30 April 2026  digitalreliability[.]de  ODx Device Code Phishing Domain  30 April 2026  heilbronner-fruehlingssymposium[.]de  ODx Device Code Phishing Domain  30 April 2026  reliableinteractions[.]de  ODx Device Code Phishing Domain  30 April 2026  euromarketsignal[.]de  ODx Device Code Phishing Domain  30 April 2026  audit-report-9767d3[.]fullerjp09[.]workers.dev  TA4903 Device Code Phishing Landing  15 April 2026  hti-245401512[.]hs-sites-na2[.]com  TA4903 Device Code Phishing Landing  5 April 2026  7740f766-8d1d-46ad-a6bc-onedrive[.]p-9jluifuu[.]workers[.]dev  ARToken Device Code Landing  2 May 2026  panel[.]hewktree[.]net  ARToken Device Code Panel  2 May 2026 
Received — 23 April 2026 Proofpoint Threat Insight

Beyond the breach: inside a cargo theft actor’s post-compromise playbook

17 April 2026 at 01:38
Key findings Proofpoint monitored a cargo theft actor’s post‑compromise activity for more than a month in a decoy environment operated by Deception.pro.  The attacker abused multiple remote access tools to establish persistence, including the use of a previously unknown third‑party signing‑as‑a‑service capability.  Proofpoint also observed extensive reconnaissance to identify financial access, payment platforms, and cryptocurrency assets to enable freight fraud and broader financial theft.  Reconnaissance specifically targeting fuel card services, fleet payment platforms, and load board operators was likely intended to enable transportation‑related crimes, including cargo theft.  Overview  In late February 2026, Proofpoint researchers executed a malicious payload from a threat actor targeting transportation organizations inside a controlled decoy environment operated by our partners at Deception.pro. While the environment did not represent a transportation carrier, it remained compromised for more than a month—offering rare, extended visibility into post‑compromise operations, tooling, and decision‑making.  Proofpoint previously documented this actor’s campaigns against trucking and logistics companies to facilitate cargo theft and freight fraud. In this case, the extended interaction revealed persistence through multiple remote management tools, the use of a previously unknown signing‑as‑a‑service capability designed to evade detection and suppress security warnings, and extensive post-compromise reconnaissance activity.   This reconnaissance focused on identifying financial access—such as banking, accounting, tax software, and money transfer services—as well as transportation‑related entities, including fuel card services, fleet payment platforms, and load board operators. The latter activity was likely designed to support crimes against the transportation industry, including cargo theft and related financial fraud.  A familiar actor, a new view  In November 2025, Proofpoint published research describing a threat actor leveraging compromised load boards to gain access to trucking companies, enabling freight diversion and cargo theft. While that research focused on initial access and target impact, opportunities to observe the actor’s post-compromise operations were limited.   This engagement changed that.  Following payload execution inside the Deception.pro environment in late February, the actor maintained access for more than a month. Their ensuing activity provided Proofpoint researchers with an unusually detailed view of post‑compromise tooling, scripting, reconnaissance behavior, and operator‑driven decision‑making.  Initial access and payload delivery  On February 27, 2026, after compromising a load board platform, the actor delivered a malicious payload via email to transportation carriers inquiring about fraudulent advertised loads. Load board platforms are online marketplaces that connect shippers and freight brokers with motor carriers by advertising available loads.  The payload consisted of a Visual Basic Script (VBS) file that, when executed:  Downloaded and executed a PowerShell script  Installed the ScreenConnect remote access tool  Displayed a decoy broker‑carrier agreement to mask malicious activity  Figure 1. Email content sent after responding to a fraudulent load posted on a load board.  Figure 2. Actor-controlled web page hosting a malicious VBS payload.  Establishing persistence with multiple RMM tools  Once access was established, the actor focused heavily on remote administration and redundancy.  Over the following month, the actor leveraged existing access to install:  Four separate ScreenConnect instances  Pulseway Remote Monitoring and Management (RMM)  SimpleHelp RMM  The use of multiple concurrent RMM platforms suggests deliberate redundancy designed to preserve access even if one tool is detected or disabled.  A previously unknown signing‑as‑a‑service capability  The fourth ScreenConnect instance, downloaded in late March, stood apart from earlier installations.  This installation chain began when the attacker used an existing ScreenConnect session to launch an initial PowerShell script. That script bypassed normal PowerShell controls, downloaded and executed a second‑stage PowerShell payload with parameters specific to the ScreenConnect installer, and then deleted itself to reduce forensic artifacts. The second‑stage script performed the core deployment using a third‑party signing‑as‑a‑service provider, which re‑signed ScreenConnect installers and components with a valid—but fraudulent—code‑signing certificate.  Specifically, the second‑stage script:   Built a ScreenConnect MSI download URL from the attacker’s ScreenConnect infrastructure hosted at amtechcomputers[.]net.  Submitted that MSI URL to an external signing service hosted at signer[.]bulbcentral[.]com  Polled the service until signing was completed  Downloaded the newly signed MSI from a separate, signer‑controlled URL hosted at services-sc-files.s3.us-east-2.amazonaws[.]com  Verified that the MSI’s Authenticode signature was valid  Silently installed the signed MSI on the system  After installation, the script optionally downloaded a ZIP archive from the same S3 infrastructure. This ZIP contained ScreenConnect component binaries (e.g., ScreenConnect.Client.exe) re‑signed with the same certificate used for the MSI. The script extracted these files and replaced the originally installed components—backing up existing files, stopping and restarting the ScreenConnect service as needed. This step eliminated ScreenConnect binaries signed with now‑revoked ConnectWise certificates and ensured that all installed components were uniformly signed with a certificate that Windows still treated as trusted.  In combination, these actions allowed the attacker to establish and maintain persistent remote access while actively circumventing certificate revocations, security warnings, and trust‑based endpoint controls. By laundering trust through an external signing service and replacing revoked vendor‑signed binaries, the attacker preserved long‑term, stealthy access and reduced the likelihood of user awareness or control‑based detection.  Proofpoint researchers collaborated with security researcher @Squiblydoo to analyze the signing service and successfully revoke the associated certificate:  SignerName: STEPHEN WHANG, CPA, INC.  ValidFrom 5:00 PM 12/23/2025  ValidTo 4:59 PM 12/24/2026  SerialNumber 38 4B 49 3A B7 6F AE 54 F8 3A E6 BF A8 7E 5C 10  Thumbprint D45D60B20006BC3A39AE1761CB5F5F5B067B4EE5  CertIssuer Sectigo Public Code Signing CA EV R36  Interactive hands-on-keyboard (HOK) post-compromise activity  With persistent access in place, the actor conducted hands‑on-keyboard activity and tooling execution:  Approximately three days after intrusion, the actor manually accessed the PayPal website through the user’s browser.  Eight days into the intrusion, the actor used ScreenConnect to execute a PyInstaller‑packed binary designed to scan for browser extension and desktop cryptocurrency wallets and exfiltrate positive findings to attacker‑controlled Telegram bots.  These actions indicate discretionary, operator‑driven targeting rather than purely automated malware execution.  Reconnaissance through PowerShell automation  During the intrusion, Proofpoint observed at least 13 PowerShell scripts executed by the threat actor which, collectively, focused on determining whether the compromised host belonged to a financially valuable user.  Script Capabilities:  Enumerate all local user accounts and browser profiles  Extract browsing history from Chrome, Edge, Firefox, and Chromium‑based variants  Copy locked browser databases to temporary locations  Identify hard‑coded URLs associated with banking, payments, logistics, fleet services, and accounting platforms  Exfiltrate metadata—such as hostname, browser type, profile counts, and match frequency—to attacker‑controlled Telegram bots  This telemetry provides the actor with rapid insight into a victim’s financial authority, payment access, and business role.  Consistent behaviors across scripts  Across multiple scripts, Proofpoint identified consistent behaviors:  Scanning browser history across all user profiles  Querying SQLite databases and performing binary pattern matching  Searching for access to specific logistics, payment, and financial services  Storing artifacts in hidden directories (e.g., C:\H)  Executing successfully under SYSTEM context  Sending summary results to Telegram for operator review  In one instance, creating delayed SYSTEM scheduled tasks to evade proxy controls  The scripts searched for indicators of access to the following platforms, among others:  U.S. financial institutions and banks  Money transfer services  Online accounting platforms  Interbank payment systems  Fleet fuel card and payment providers  Freight brokerage and load management platforms  The breadth of these targets strongly aligns with financially motivated theft, fraud, and cargo diversion operations tied to transportation workflows. In particular, targeting of fuel card services, fleet payment platforms, and freight brokerage systems indicates intent to enable crimes against the transportation industry, including freight diversion and cargo theft.  A final PowerShell script  In late March, the attacker ran an additional PowerShell script through ScreenConnect’s custom property feature to quietly collect endpoint intelligence and report it back to the attacker through the existing remote‑access channel. It enumerated installed antivirus software and checked for the presence of high‑value financial, tax, accounting, and cryptocurrency applications. The results were automatically returned to the attacker’s ScreenConnect console without generating separate network traffic or alerts.  Conclusion  This extended intrusion highlights how financially motivated threat actors targeting transportation organizations operate well beyond initial access, prioritizing persistence, reconnaissance, and credential harvesting to identify opportunities for financial exploitation across transportation and related financial platforms. Portions of this activity are also consistent with preparatory behavior observed in freight theft and cargo diversion operations.  Notably, the use of a signing‑as‑a‑service capability underscores a growing trend toward attacker use of legitimate trust mechanisms to evade detection.  For transportation, logistics, and freight organizations, these findings reinforce the importance of monitoring for unauthorized remote management tools, suspicious PowerShell activity, and abnormal browser telemetry associated with financial platform access.  Emerging Threats signatures  2049863 - SimpleHelp Remote Access Software Activity  2049805 - Simplehelp Remote Administration Suite HTTP Server Value in Response  2066799 - Kaseya Pulseway Domain in DNS Lookup (pulseway .s3-accelerate .amazonaws .com)  2066797 - Kaseya Pulseway RMM Domain in DNS Lookup (pulseway .com)  2066798 - Observed Kaseya Pulseway Domain (pulseway .com) in TLS SNI  2066800 - Observed Kaseya Pulseway Domain (pulseway .s3-accelerate .amazonaws .com) in TLS SNI  Indicators of compromise*  *First Uploaded to VirusTotal by Proofpoint  Indicator  Description  First Seen  1f89a432471ec2efe58df788c576007d6782bbdf5b572a5fbf5da40df536c9f5  SHA256  VBS Payload  2026-02-27  hxxps://carrier-packets-docs[.]com/FREEDOM_FREIGHT_SERVICES_CARRIERS_ONBOARDING.vbs  URL  VBS Staging  2026-02-27  hxxps://qto12q[.]top/pdf.ps1  URL  PowerShell Staging  2026-02-27  f4977bfeae2a957add1aaf01804d2de2a5a5f9f1338f719db661ac4f53528747  SHA256  ScreenConnect  2026-02-27  nq251os[.]top  Domain  ScreenConnect C2  2026-02-27  d9832d9208b2c4a34cf5220b1ebaf11f0425cf638ac67bf4669b11c80e460f58  SHA256  Pulseway RMM  2026-02-27  7f54cf5e2beb3f1f5d2b3ba1c6a16ce1927ffecd20a9d635329b1e16cb74fb14*  SHA256  ScreenConnect  2026-02-27  officcee404[.]com  Domain  ScreenConnect C2  2026-02-27  de30bb1e367d8c9b8b7d5e04e5178f2758157302638f81480ba018331a6f853e*  SHA256  ScreenConnect  2026-02-28  af124i1agga.anondns[.]net  Hostname  ScreenConnect C2  2026-02-28  b861e3682ca3326d6b29561e4b11f930f4a9f10e9588a3d48b09aa6c36a8ea80  SHA256  SimpleHelp  2026-02-28  147.45.218[.]0  Domain  SimpleHelp C2  2026-02-28  82d603c0b387116b7effdee6f361ca982c188de0c208e681e942300a0139c03f  SHA256  Cryptocurrency Wallet Stealer  2026-03-07  8a3d6a6870b64767ad2cc9ad4db728abf08bae84726b06be6cb97faac6c14ae4*  SHA256  ScreenConnect  2026-03-24  screlay[.]amtechcomputers[.]net  Hostname  ScreenConnect C2  2026-03-24  3dcb89430bae8d89b9879da192351506f4fdb7c67e253a27f58b3bf52101cd4c*  PowerShell Script  Signing Service  2026-03-24  signer.bulbcentral[.]com  Hostname  Signing Service  2026-03-24  services-sc-files.s3.us-east-2.amazonaws[.]com  Hostname  Signing Service  2026-03-24   

Mailbox rules in O365—a post-exploitation tactic in cloud ATO

13 April 2026 at 16:48
Key Takeaways  Mailbox rules are a high-risk post-exploitation tactic. Attackers abuse native mailbox rules for exfiltration, persistence, and communication manipulation. Combined with third-party services and domain spoofing, attackers can hijack threads, impersonate victims, and manipulate vendor communications, all without network-level interception.  It's more common than you think. Approximately 10% of compromised accounts in Q4 2025 had malicious mailbox rules created shortly after initial access.  Attackers use recognizable patterns. Malicious rules overwhelmingly use minimal, nonsensical names (., ..., ;) and favor actions like deleting messages, or moving them to rarely checked folders like Archive or RSS Subscriptions. Attackers are being lazy, confident they won't be detected, they put little thought into rule names, opting for quick, throwaway characters instead.  Persistence survives password resets. Forwarding and suppression rules remain active after credential changes, allowing continued data leakage as long as the rule exists.  Introduction  When was the last time you checked your mailbox rules?  In Microsoft 365 environments, attackers typically gain initial access through credential phishing, password spraying, brute-force, or OAuth consent abuse.  Once inside, adversaries focus on persistence and stealth rather than immediate disruption. Instead of deploying malware or C2 infrastructure, they abuse native platform features to operate undetected under the compromised identity.  One especially effective technique for maintaining persistence is creating malicious mailbox rules. While mailbox rules are designed to help users organize email, attackers leverage them to delete, hide, forward, or mark messages as read, silently controlling email flow without alerting the victim.  Why Attackers Abuse Mailbox Rules  Mailbox rules provide stealth, automation, and persistence using built-in M365 functionality, enabling several attacker objectives:  Covert Data Exfiltration:  Attackers create forwarding or redirection rules to automatically send copies of emails to external, attacker-controlled mailboxes, often using specific keywords ("invoice", "wire", "contract") or senders to collect high-value data while minimizing noise. Alternatively, emails are moved to obscure folders (Archive, RSS Feeds, or hidden folders) for periodic review without triggering forwarding indicators.  Victim Deception and Email Suppression:  Rules that delete, mark as read, or relocate messages hide security alerts, password reset emails, MFA notifications, suspicious replies, and third-party service registrations that could expose attacker activity. This manipulates the victim's perception of their own mailbox, buying attackers time to deepen their foothold or complete fraudulent operations.  Persistence Without Malware:  Auto-forwarding rules maintain visibility into a mailbox even after password changes. As long as the rule persists, information continues to leak, and creating a cloud-native persistence mechanism.  Man-in-the-Middle-Like Behavior:  By routing specific correspondence to hidden folders, attackers position themselves within communication channels to:  Intercept messages from vendors, partners, or clients before the victim sees them.  Impersonate the mailbox owner or inject themselves into existing message threads.  Suppress replies and notifications revealing fraudulent activity.  Control the narrative by selectively showing or hiding messages to both parties.  Unlike traditional MITM attacks requiring network positioning, this achieves similar outcomes using legitimate platform features. The victim communicates normally, unaware that high-value conversations are being silently intercepted and manipulated, giving attackers significant tactical advantage with a low detection profile.  Malicious Rule Creation Statistics  Analysis of compromised accounts consistently shows that mailbox rule abuse is not an edge case, but a frequent post-exploitation activity. During Q4 2025 approximately 10% of compromised user accounts had at least one malicious mailbox rule created shortly after initial access. The minimal time of mail rules creation after an ATO is around 5 seconds.  Most Common Rule Names Observed:  Attackers rarely use descriptive or human-readable names for malicious rules. Instead, they favor short, generic, or visually inconspicuous strings. This happens because attackers are often overconfident they won't be detected, allowing themselves to be lazy.  The most frequently observed rule names were:   ‘.’ (16%)   ‘...’ (8.5%)   ‘..’ (8%)   ‘;’ (6%)   ‘;;;’ (4%)  Figure 1: Rule creation example in Microsoft Outlook.  Most Common Rule Actions:  The most commonly observed actions in mailbox rule creation include:  Delete messages from certain senders or containing certain words.  Move messages to ‘Conversation History’ folder  Move messages to ‘Archive’ folder  Why Attackers Use Minimal or Nonsensical Rule Names:  Low Effort, Low Risk:  Attackers are often rushed or overconfident, investing minimal effort into naming convention given mailbox rules have historically low detection rates and are rarely reviewed.  Several factors may explain shared rule naming across different attackers. Public post-exploitation tools, phishing kits, and PhaaS platforms often use hardcoded default names or identical templates when programmatically creating rules across victims and operators. Additionally, BEC guides and code snippets circulated on forums and dark web marketplaces get copied and reused, including rule names. Even without shared tooling, attackers can independently arrive at similar names driven by the same minimal-effort logic.  Example Scenarios  Payroll Fraud  The following scenario illustrates how attackers combine mailbox rule abuse with internal phishing to execute a targeted payroll fraud attempt, while remaining largely invisible to the affected users.   Initial Compromise and Rule Creation  In this incident, the first compromised account belonged to a user with the title ‘Accounting Specialist’. Shortly after access was obtained, the attacker created a mailbox rule named ‘...’. Its logic was simple: Any email with the subject containing “FW: Payment Receipt” was automatically moved to the Archive folder. This subject line would later be used in the attacker's internal phishing campaign, with the rule designed specifically to suppress any warning replies or suspicious activity reports about that phishing email.  Internal Phishing:  With control over the first mailbox, the attacker launched an internal phishing campaign targeting 45 additional users within the same organization using the subject "FW: Payment Receipt". The phishing email was deliberately minimal:  The email body was empty  An attachment was included  The sender’s email signature had been subtly modified  Because the email originated from a legitimate internal account and used a familiar signature, it bypassed many user suspicion checks and traditional email security controls.  Secondary Compromise:  Among the recipients was the Assistant to the CEO, a role with visibility into sensitive business and payroll-related communications.  After opening the phishing attachment, this second account was also compromised. As with the first account, the attacker immediately established post-exploitation control by creating a mailbox rule again named ‘...’. This rule moved any email with the subject containing “Payroll enrollment” to the Archive folder, effectively suppressing payroll-related visibility for the victim.  An email with the subject “Payroll enrollment” was sent from the compromised Assistant to the CEO account to the company’s payroll specialist. The message attempted to initiate a fraudulent payroll-related action. At this stage, mailbox rules played a critical role in the attack’s success. They ensured that:  Replies or clarification requests were hidden  Security alerts were suppressed  Victims remained unaware of ongoing misuse of their accounts  The entire attack chain operated within Microsoft 365 using legitimate functionality, demonstrating why mailbox rules must be treated as a high-risk post-exploitation signal rather than a benign productivity feature.  Email Hijacking and Thread Manipulation  The following scenario demonstrates how attackers use mailbox rules in combination with third-party email services to create a man-in-the-middle-like environment entirely within email communications, enabling sophisticated business email compromise (BEC) without requiring persistent account access.  Initial Compromise and Suppression Rule  After the initial user account was compromised, the attacker created a malicious mailbox rule named '....'. The rule's logic targeted a specific email service: any email with a 'From' address containing the word 'zoho' was automatically moved to the 'RSS Subscriptions' folder. This folder, typically used for automated feed updates, is rarely checked by users, making it an ideal location for hiding attacker-controlled correspondence.  Abusing Third-Party Email Services for Infrastructure  Zoho offers a service that allows businesses to register custom email domains and create professional email addresses. The attacker leveraged the compromised user's business email to register for this service, creating a custom email account under the attacker's control. Because the mailbox rule was already in place, all verification emails and correspondence from Zoho were automatically hidden in the 'RSS Subscriptions' folder. The attacker retrieved verification codes and completed account setup without the victim's awareness.  Figure 2: Zoho Verification Code.  Domain Spoofing via Homoglyph Registration  Using the Zoho platform, the attacker registered a domain employing a homoglyph attack to closely mimic the legitimate tenant name. They then created the email account '[user_name]@[tenant_name]0.com' (note the number zero instead of the letter 'O'). They also configured an alias email address using the same spoofed domain structure. These nearly identical addresses were designed to appear legitimate in email threads, especially when viewed quickly or on mobile devices.  Figure 3: New spoofed email address add to the account.  Thread Hijacking and Fraudulent Communication  The attacker identified an existing payment request thread between the compromised tenant and third-party vendor. Rather than initiating a new conversation, which might raise suspicion, they hijacked the legitimate thread. Using the fake email addresses created via Zoho, the attacker added these spoofed addresses to the CC field, lending false authenticity to the correspondence.  The attacker sent a message inquiring about the status of a transaction. The vendor replied stating that the transaction had already been completed approximately one week prior. At this point, the attacker lost access to the compromised tenant account a few days later, after it was suspended and the password was changed following our alert to the customer.  Presumed Attack Continuation and Persistent Risk  Based on the established infrastructure and communication pattern, the primary assumption is that the attacker's plan was to claim that funds were never received and request a duplicate payment to the attacker-controlled account. Although access to the original mailbox was lost, the fake Zoho-based email address likely remains active. This creates a persistent risk: the attacker may continue the scam independently from the external spoofed account, leveraging the hijacked email thread's perceived legitimacy and the vendor's prior engagement.  This scenario illustrates a form of email-based man-in-the-middle activity conducted entirely within the application layer, where mailbox rules suppress detection, third-party platforms provide infrastructure, and thread hijacking establishes social proof, all without requiring continuous access to the compromised environment.  University Account Takeover and Mass Spam Operations  The following scenario illustrates a distinctly different attacker motivation and operational pattern. Unlike targeted business email compromise, where stealth and precision are paramount, university account compromises often involve complete mailbox takeover with little regard for detection, prioritizing volume and speed over sophistication.  Unconditional Mailbox Isolation  In university environments, compromised accounts frequently exhibit mailbox rules with a defining characteristic: they are unconditional. Rather than targeting specific senders, keywords, or subject lines, these rules apply blanket actions to all incoming email. The most common configurations observed include:  Delete all incoming messages   Move all incoming messages to obscure folders (e.g., Archive, RSS Subscriptions, Deleted Items)   Mark all incoming messages as read and move them out of the Inbox  The purpose is not selective suppression of security alerts or vendor communications. Instead, the goal is total mailbox isolation, completely severing the legitimate user's ability to receive any email whatsoever.  Operational Objectives: Mass Spam Distribution  Unlike BEC attackers, who craft narrowly scoped rules to intercept only emails from impersonated vendors or replies to specific phishing threads, university account attackers prioritize mass email distribution. Once the mailbox is isolated:  The attacker gains unrestricted control over outbound communications.  The legitimate user is unaware of incoming warnings, bounce-backs, or abuse reports.  The compromised account is used to send high-volume spam or phishing campaigns, often targeting other students, faculty, or external contacts.  This approach sacrifices stealth for operational efficiency. Attackers are aware that the account will likely be detected and disabled, but the short window of access is sufficient to distribute thousands of malicious emails before institutional security teams respond.  Common Fraud Schemes Targeting University Communities  University environments are particularly vulnerable to specific fraud schemes that exploit the academic community's characteristics. Attackers commonly distribute fake job postings targeting students seeking internships or part-time work, scholarship scams requesting upfront fees or personal information, and fraudulent marketplace listings advertising electronics, textbooks, or other items at suspiciously low prices. These schemes are effective because they align with legitimate student needs and often circulate during high-activity periods like semester start dates or graduation season. The compromised institutional email address lends false credibility to these scams, as recipients are conditioned to trust communications originating from .edu domains.  Figure 4: University fake job scam example.  Targeting Dormant and Abandoned Accounts  While active student and faculty accounts are frequently compromised, attackers also target dormant accounts, those belonging to former students, retired faculty, or staff who have left the institution, but whose accounts were never properly deactivated. These accounts present an attractive target for several reasons:  Weaker security posture: Dormant accounts often predate current security policies, lacking MFA enforcement, modern password requirements, or conditional access protections that have since been implemented for active users.  Absence of monitoring: Security teams typically focus monitoring efforts on active accounts where user behavior can be baselined. Dormant accounts generate no legitimate activity, meaning any authentication or mailbox rule creation may go entirely unnoticed.  Delayed detection: Because no legitimate user is actively checking these mailboxes, there is no one to notice suspicious emails, password reset notifications, or warning messages. Attackers can operate from these accounts for weeks or months before discovery.  Why Universities Are Targeted for This Tactic  Several factors make university environments attractive for mass spam operations:  Large contact lists with trusted relationships across academic and administrative networks.  Institutional email addresses carry inherent legitimacy, improving phishing success rates.  Historically lower security posture compared to enterprise environments, including weaker MFA adoption and limited mailbox rule monitoring.  High user turnover and decentralized IT management can delay detection and response.  Organizations should recognize that mailbox rule abuse is not a monolithic technique. Detection and response strategies must account for both sophisticated, low-and-slow BEC operations and aggressive, high-volume spam campaigns, each exhibiting distinct behavioral patterns in rule creation and usage.  Attacker Automation and Tools  Mailbox rules do require manual but not time-intensive effort from attackers. In practice, the creation of malicious mailbox rules across multiple compromised accounts can be fully automated, allowing attackers to scale their operations from individual targets to enterprise-wide campaigns with minimal effort.  The Reality of Bulk Rule Deployment  Attackers used to manually create each rule for each compromised account. Modern attack frameworks leverage Microsoft Graph API, Exchange Online PowerShell, and direct API calls to programmatically create, modify, or delete mailbox rules across dozens or hundreds of accounts simultaneously. Once an attacker has obtained valid session tokens or credentials, the technical barrier to mass rule deployment is extremely low.  This automation capability transforms mailbox rule abuse from a targeted, precision technique into a scalable, repeatable attack pattern. A single attacker with basic scripting knowledge can compromise multiple accounts through phishing and immediately establish persistence mechanisms across all of them within minutes.  ATOLS: Demonstrating the Ease of Automation  To demonstrate the potential risks and ease of how accessible and dangerous this automation capability has become, Proofpoint researchers created ATOLS (Account Take Over Live Simulation) a fully functional tool that demonstrates the simplicity with which attackers can execute these operations at scale.  ATOLS operates through the following workflow:  Phishing Infrastructure Setup: Via VPN for anonymity, ATOLS generates a phishing URL (with the help of an external phishing kit) that mimics legitimate Microsoft 365 login pages.  Session Token Theft: The phishing link is delivered to target users via email or through compromised third-party applications (3PA). Rather than simply capturing username and password combinations, the reverse proxy captures the session cookie/token generated after successful authentication. ATOLS uses the captured session cookie. This cookie provides immediate, authenticated access to the user's Microsoft 365 environment without triggering additional MFA challenges.  Automated Malicious Actions: Once the session token is obtained, ATOLS automatically creates a malicious mailbox rule with a name and logic specified by the operator.  Post-Exploitation: ATOLS can optionally perform additional post-exploitation actions such as enumerating contacts, accessing SharePoint, or pivoting to other connected services.  Mitigation  Preventive Controls  Strong preventive measures significantly reduce both the likelihood and impact of mailbox rule abuse:  Disable External Auto-Forwarding: Block automatic forwarding to external addresses in Exchange Online by default, disrupting one of the most common exfiltration and persistence mechanisms.  Enforce Conditional Access Policies: Require MFA, restrict access by device compliance and location, limit legacy authentication, and apply risk-based controls to reduce phishing, password spraying, and token replay success.  Monitor OAuth Grants and Consent Changes: Track new OAuth app registrations, consent grants, and permission changes, especially involving Mail.Read, Mail.ReadWrite, or offline_access scopes, to detect persistent passwordless access.  Incident Response Steps  When malicious mailbox rules are identified, focus on containment, eradication, and access revocation:  Remove Malicious Rules: Delete all unauthorized inbox rules and verify no additional hidden or conditional rules remain.  Revoke Sessions and Reset Tokens: Invalidate active sessions and refresh tokens to eliminate persistent access that survives password changes.  Review Sign-In Activity: Analyze Entra ID logs for suspicious IPs, unfamiliar user agents, anomalous locations, or risky authentication events preceding rule creation.  Audit OAuth Applications: Remove unrecognized or overly permissive apps with mailbox access and revalidate consent for legitimate ones.  These steps should be treated as mandatory, even if mailbox rules appear to be the only visible indicator of compromise.  [Disclaimer]  Third‑party product names, logos, and brands are the property of their respective owners. References to third‑party services (e.g., Microsoft 365/Outlook, Zoho Mail) are for identification only and do not imply endorsement or affiliation.     

I’d come running back to EU again: TA416 resumes European government espionage campaigns

1 April 2026 at 21:52
Key findings From mid-2025 onwards, the China-aligned threat actor TA416 resumed observed targeting of European government and diplomatic organizations following a period of reduced EU-focused activity in our telemetry. This TA416 activity included multiple waves of web bug and malware delivery campaigns against diplomatic missions to the European Union and NATO across a range of European countries. In March 2026, Proofpoint also observed TA416 expand targeting to include diplomatic and government entities in the Middle East in the weeks following the outbreak of conflict in Iran. Throughout this period, TA416 regularly altered its infection chain, including abusing Cloudflare Turnstile challenge pages, abusing OAuth redirects, and using C# project files, as well as frequently updating its custom PlugX payload. TA416 most directly overlaps with public reporting on RedDelta, Red Lich, Vertigo Panda, SmugX, and DarkPeony. Overview In 2022, Proofpoint reported on high-volume TA416 activity targeting European governments, which increased sharply as Russian troops began amassing on the border of Ukraine. This high operational tempo of TA416 campaigns against European government targets continued until mid-2023, when the group shifted targeting away from Europe. From mid-2023 until mid-2025, Proofpoint observed minimal TA416 targeting within Europe, with the group mostly active across Southeast Asia, Taiwan, and Mongolia during this period. Since mid-2025, TA416 resumed regular targeting of European government and diplomatic entities. This renewed focus most heavily targeted individuals or mailboxes associated with diplomatic missions and delegations to NATO and the EU. TA416’s return to European government targeting occurred during heightened EU–China tensions over trade, the Russia–Ukraine war, and rare earths exports, and commenced immediately following the 25th EU–China summit. In March 2026, following the outbreak of the Iran war, TA416 conducted multiple campaigns targeting a wide range of diplomatic and government entities in the Middle East, a region not traditionally regularly targeted by this threat actor. This aligns with a trend observed by Proofpoint of some state-aligned threat actors shifting targeting toward Middle Eastern government and diplomatic entities in the aftermath of the war. This likely reflects an effort to gather regional intelligence on the status, trajectory, and broader geopolitical implications of the conflict. From mid-2025 to early 2026, TA416 conducted both broad web bug and malware delivery campaigns. The TA416 web bug campaigns used freemail sender accounts and a range of thematic lures, such as Europe sending troops to Greenland, to perform delivery and engagement reconnaissance. A web bug (or tracking pixel) is a tiny invisible object embedded in an email that triggers an HTTP request to a remote server when opened, revealing the recipient's IP address, user agent, and time of access, allowing the threat actor to assess whether the email was opened by the intended target. Malware delivery campaigns used both attacker-controlled freemail accounts and compromised government and diplomatic mailboxes to send links to malicious archives hosted on Microsoft Azure Blob Storage, actor-controlled domains, Google Drive, and compromised SharePoint instances. During this period, TA416 repeatedly altered its initial infection chains while maintaining a consistent goal of loading the group's customized PlugX backdoor via DLL sideloading triads. Initial access techniques evolved from using fake Cloudflare Turnstile challenge pages that gated access to ZIP archives, to abuse of Microsoft Entra ID third‑party applications that redirected users to attacker-controlled malware delivery domains, and finally to archives containing a renamed Microsoft MSBuild executable and malicious C# project files. In each case, TA416 relied on either ZIP smuggling using Microsoft shortcut (LNK) files or CSPROJ-based downloaders to deliver a signed executable, malicious DLL, and encrypted payload triad that ultimately loaded PlugX into memory. Delivery: widespread web bug campaigns targeting EU diplomatic entities Figure 1: TA416 “humanitarian concerns” web bug phishing email from July 2025. TA416’s renewed targeting of European government entities commenced one day after the 25th EU–China summit with a series of web bug campaigns targeting diplomatic missions to the EU across many European countries. In late July and early August 2025, TA416 sent over 100 phishing emails containing web bugs from the following Gmail email addresses: emmeline.voss@gmail[.]com kordula.wehrli@gmail[.]com kayden.beaufort@gmail[.]com The group used multiple lure topics such as urgent humanitarian concerns, requests for interviews, and proposals for collaboration. These web bug campaigns were likely conducted for reconnaissance purposes to track delivery and engagement to inform follow-on malware delivery attempts. Proofpoint observed the following URL formats used in these campaigns, with each email including a unique image filename: hxxps://welnetsanda[.]org/images/upload/logo.png/{UniqueID}.png hxxps://phpthemes[.]net/images/upload/eu.png/{UniqueID}.png hxxps://phpthemes[.]net/images/upload/{UniqueID}.png In January 2026, Proofpoint observed TA416 send another widespread wave of web bug phishing emails to European government entities, this time using an article taken from the London School of Economics website titled ‘It is time for Europe to send “tripwire” troops to Greenland.’ These emails also contained unique URLs that redirected to this news article if clicked. This was likely included as an additional method of reconnaissance, given many modern email clients and applications disable external image download by default, diminishing the efficacy of web bugs. Both the web bug and link included in the email used the infrastructure associated with TA416 domain speedifynews[.]com. Figure 2: TA416 Greenland-themed web bug phishing email campaign from January 2026. Delivery: malware campaigns targeting EU diplomatic entities In late September 2025, Proofpoint observed TA416 conduct multiple malware delivery campaigns targeting European ministries of defense and ministries of foreign affairs. This targeting predominantly focused on individuals assigned to NATO missions and delegations. In one instance, TA416 used a likely compromised account belonging to a European armed forces organization to send the phishing emails. In another, the group used a compromised email address from a Southeast Asian diplomatic entity. Proofpoint has observed TA416 abusing compromised accounts from this same Southeast Asian entity to conduct phishing campaigns on multiple occasions throughout 2025 and 2026. The infection chains observed in these campaigns have been covered extensively in public reporting by StrikeReady and Arctic Wolf. Figure 3: TA416 February 2026 spearphishing email spoofing Icelandic Ministry of Foreign Affairs. In January and February 2026, TA416 again conducted a series of malware delivery campaigns targeting numerous European government organizations, with later campaigns focusing on targeting individuals or mailboxes associated with diplomatic missions to the EU and Taiwan. Most of these phishing emails were sent via the Gmail accounts office2000005@gmail[.]com and hsuhalingaye26@gmail[.]com and spoofed various diplomatic entities. A smaller subset was sent via likely compromised accounts associated with the interior ministry of a European country and a Southeast Asian ministry of foreign affairs. Delivery: post-conflict expansion to Middle East targeting In mid-March 2026, Proofpoint observed TA416 conduct multiple campaigns targeting government and diplomatic entities within the Middle East. Historically, this region has not been regularly targeted by TA416, and this expansion in targeting was very likely driven by the outbreak of the war in Iran. One campaign conducted on 16 March 2026 used a compromised Syrian Ministry of Foreign Affairs and Expatriates account to send a phishing email concerning energy infrastructure in Iran, which was sent to a wide range of embassies located across multiple Middle Eastern countries. Figure 4: TA416 March 2026 spearphishing email using Iranian energy infrastructure lure. Shifting infection chains: all roads lead to PlugX The following section examines how TA416's infection chains have evolved over recent months while maintaining core elements of the group's longstanding tradecraft. Figure 5: Evolving TA416 infection chain from September 2025 to March 2026. Some components of TA416’s Tactics, Techniques, and Procedures (TTPs) remain consistent after many years. This includes the continued use of compromised diplomatic email accounts, web bug reconnaissance campaigns, and DLL sideloading triads to deploy a custom PlugX variant, all of which align with previous Proofpoint reporting on this threat actor in 2022. Despite this, TA416 continues to regularly evolve and innovate. The group regularly adapts the early stages of its infection chains and integrates new defense evasion and anti-analysis features into a custom PlugX variant. Between September 2025 and March 2026, Proofpoint observed TA416 employing multiple different initial infection chains that all ultimately lead to this customized PlugX variant. September 2025 – January 2026: Fake Cloudflare Turnstile challenge pages Beginning in September 2025, TA416 began employing fake Cloudflare Turnstile challenge pages impersonating login.microsoftonline[.]com hosted on Microsoft Azure Blob Storage sites. Early variations used a real Turnstile widget, which is used to redirect the target to a ZIP archive hosted on the same Microsoft Azure Blob Storage site when the checkbox is clicked and a Turnstile token is returned, though this token is not validated at any point. The user is redirected to a payload URL that is obfuscated within the page source code using character code arrays, as noted in StrikeReady reporting. Figure 6: Fake Cloudflare Turnstile challenge landing page used by TA416. Later variations instead redirected the user from the fake Cloudflare Turnstile challenge page to an attacker-controlled domain, with the returned Turnstile token appended as a URL parameter. This allows the threat actor to validate the Turnstile token server-side to impede automated analysis, before redirecting to a direct download of a ZIP archive, again hosted using Microsoft Azure Blob Storage. Figure 7: Redirection logic employed in later variations of fake Cloudflare Turnstile challenge landing page used by TA416. The downloaded archives in these infection chains all use a ZIP smuggling technique to hide the next stage file within the ZIP structure. The ZIP files contain a single Microsoft shortcut (LNK) file that runs an embedded PowerShell command to search for the parent ZIP, then carve an MSI or TAR file from the ZIP using either a byte marker or hardcoded offset, and execute either the MSI or a DLL sideloading executable contained within the TAR. In all cases, this leads to a DLL sideloading triad loading PlugX. While Proofpoint has not observed the use of these fake Cloudflare Turnstile pages in our telemetry since November 2025, submissions to third-party malware repositories in January 2026 suggest the group is continuing to use this technique selectively. December 2025 – January 2026: Microsoft OAuth redirect abuse In December 2025, TA416 began abusing third-party Microsoft Entra ID cloud applications to trigger redirects leading to direct downloads of malicious archives. In this infection chain, the group registers a third-party application in Entra ID and configures its redirect URI to point to an attacker-controlled domain hosting the malicious payload. TA416 phishing emails using this technique contain a link to Microsoft's legitimate OAuth authorization endpoint, crafted with parameters that suppress user interaction and force an authorization failure. When clicked, the user is redirected to the application's registered redirect URI, resulting in a direct download of the malicious archive with no user interaction. Proofpoint has previously reported on similar techniques used to perform redirection, which allow threat actors to bypass URL reputation checks and email security filters by ensuring the initial link points to a trusted Microsoft domain. The inclusion of a trusted Microsoft URL is also more likely to appear legitimate to targeted users. Figure 8: Example of Microsoft OAuth redirect technique employed by TA416. An example of a URL observed in a TA416 phishing email is shown above. In this case, the client_id refers to the attacker-controlled third-party application, the scope is set to a nonexistent value (scope=invalid) to deliberately trigger an authorization failure, and prompt=none is set to suppress user interaction. As the URL does not include a redirect_uri value, it defaults to the redirect URI configured on the application registration. This deliberately triggers an interaction_required error, and the user is redirected to a predetermined URL where TA416 has staged a direct download of a malicious ZIP archive. Proofpoint observed TA416 using a different state value for each target, likely to allow the use of unique URLs within each email and to easily correlate payload downloads with targets. The downloaded ZIP archives delivered through these infection chains use the same previously described ZIP smuggling technique to load PlugX. Microsoft published a report in March 2026 on the use of this redirection technique by TA416 and other threat actors. February 2026: use of MSBuild and C# project files Beginning in February 2026, Proofpoint observed TA416 adapt its initial infection chain once again in campaigns linking to archives hosted on Google Drive or a compromised SharePoint instance. In this case, the downloaded archives contained a legitimate Microsoft MSBuild executable renamed as a lure filename, alongside a malicious C# project (CSPROJ) file. Figure 9: Archive containing renamed MSBuild executable and malicious C# project file. When the MSBuild executable is run, it searches the current directory for a project file and automatically builds it. In the observed TA416 activity, the CSPROJ file acts as a downloader, decoding three Base64-encoded URLs to fetch a DLL sideloading triad from a TA416-controlled domain, saving them to the user's temp directory, and executing a legitimate executable to load PlugX via the group's typical DLL sideloading chain. The CSPROJ samples observed by Proofpoint were highly similar, with only the Base64-encoded URLs swapped out. The presence of slightly modified comments before these encoded URL variables within each sample, such as Base64-encoded URLs with separate endpoints and Base64-encoded URLs with new endpoints, suggests that these CSPROJ files may have been created or altered with the assistance of an LLM. Figure 10: Excerpt of C# project file showing example of comments preceding Base64-encoded URL variables. TA416 tweaks PlugX sideloading chain While the overall DLL sideloading triad delivery mechanism has remained consistent for several years, TA416 regularly changes the PlugX payload loading chain, in particular the DLL loader, payload obfuscation, and sideloading executable used. Between September 2025 and March 2026, Proofpoint observed the following signed executables being abused by TA416 to load PlugX. Filename SHA256 cnmpaui.exe 4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3 steam_monitor.exe 8c0051a83b3611ff2b669b670aa005633f3d9e844454a112b31d2a4bc944a234 ABRemove.exe 6b363e0f16fc5a612bd98631e7cdc4f68a95329e92c21ef0495c9117b8b8f360 Avk.exe 8421e7995778faf1f2a902fb2c51d85ae39481f443b7b3186068d5c33c472d99 ErsChk.exe bc8b022c10bcab39da302446b0a50988de94607c7e724f2051578e8ed2f8bbe7 CNMNSST2.exe 53086e3b557a1d21cf7f4ffc73d92c39b08872334a8cdb09dda0a06bd060cfe9 Figure 11: Signed executables vulnerable to DLL sideloading abused by TA416 between September 2025 – March 2026. In the latest observed variants in March 2026, TA416 used a signed Canon executable CNMNSST.exe to sideload a malicious loader DLL named CNCLID.dll. The loader DLL uses DJB2 API hashing to dynamically resolve Windows API functions and execute a payload file Canon.dat as shellcode, which decodes the PlugX payload. The loader and payload code and data are obfuscated using techniques such as API hashing, junk code, and control-flow flattening. For persistence, the DLL sideloading triad is copied to the directory C:\Users\Public\Canon and a Run registry key Canon is created to run CNMNSST.exe upon startup. Overview and updates in C&C protocol The PlugX payload establishes C&C communications over HTTP using an RC4-encrypted binary protocol. Prior to initiating network activity, the malware performs several initialization steps to generate host identifiers and applies anti-analysis checks. The client initiates communication to the C&C server by sending an HTTP GET request. The server responds with application/octet-stream data that serves as the RC4 encryption key for the subsequent exchange. The client creates a SYSINFO structure containing information on the infected host; RC4 encrypts it using the key received in the previous step; and sends it to the server inside an HTTP POST request body. The SYSINFO structure is as follows: Field Description is64bit Whether the host runs a 64-bit OS dwMajorVersion OS major version dwMinorVersion OS minor version dwBuildNumber OS build number wServicePackMajor Service pack major version wServicePackMinor Service pack minor version wSuiteMask OS suite mask user_name Current username computer_name Computer name id Campaign/victim identifier ip_address Host IP address Figure 12: PlugX SYSINFO system reconnaissance structure. The server then replies with RC4 encrypted data that contains the command and its parameters. Currently, the following list of commands are available: Command Description 0x00000002 Outgoing system information beacon (SYSINFO structure) 0x00001005 Uninstall — deletes autorun registry keys and drops a self-delete batch file 0x00001007 Adjusts reconnect_interval and connection_timeout parameters 0x00003004 Downloads a new payload set (EXE, DLL, DAT) and executes the sideloading binary 0x00007002 Opens a reverse command shell Figure 13: List of available PlugX commands. In older variations seen prior to December 2025, the C&C HTTP requests include four custom headers that mimic the Fetch metadata specification: Sec-Fetch-Dest: <random_string> If-None-Match: <system_token> Sec-Fetch-Site: none Sec-Fetch-Mode: cors The If-None-Match header carries a host-generated hex token, while the Sec-Fetch-Dest value is randomized per request. In this older C&C protocol, the HTTP URI used the following predictable pattern: A base endpoint selected randomly from a fixed set: /upload /download /developer /help/? /api/v1/resource /user/profile /settings /i/bookmark A timestamp parameter appended: ?t=<unix_timestamp> A variable number of randomly generated key-value pairs This led to URI values such as /api/v1/resource?t=1760970011&1Tr=askZVyeahfE00bt4&d9=e8cAQ4T&vE8=uUlMYYuJ&S=zMLY3z. Figure 14: Older PlugX variant HTTP C&C traffic. In the updated variants first seen in December 2025, the group updated this C&C protocol, likely to evade network-based detections. In the new variation, the Sec-Fetch-Dest, If-None-Match, Sec-Fetch-Site, and Sec-Fetch-Mode custom headers are no longer sent. Instead, a 16-character host token is embedded within a Cookie header, surrounded by randomly generated cookie key-value pairs. Additionally, the use of hardcoded base URI endpoints is removed, with the full URI path now randomly generated. Figure 15: Newer PlugX variant HTTP C&C traffic. Updates in config encryption The PlugX payload C&C parameters (C&C domains or IP addresses, campaign identifiers, mutex names, install paths, and decoy document metadata) are stored in an embedded configuration blob that is RC4-encrypted. The encryption scheme and internal structure of this configuration have evolved in more recent variations such as those seen in February 2026, with the newer variant introducing additional hardening to the configuration encryption and now employing two layers of obfuscation. After RC4 decryption of the outer blob, individual string fields such as C&C domains, mutex names, and campaign identifiers are then independently decoded using a rolling XOR. Variable Value RC4 key anMgFtsFCvA Decoy Size 41671 Decoy Filename Meeting invitation.pdf Mutex Name dGcEuQhKT Campaign ID msbuild Install Directory %public%\GData Decoy Directory %temp% C&C ombut[.]com:443, ombut[.]com:443, ombut[.]com:443 Figure 16: Example of decrypted PlugX configuration from February 2026 campaign. Infrastructure analysis In recent years, TA416 has shifted its infrastructure procurement TTPs and now almost exclusively uses a steady supply of re-registered, formerly legitimate domains for C&C, malware delivery, and web bugs, often first using domains within days after re-registering them. This tactic of purchasing previously legitimately used domains is likely an effort to evade domain reputation-based heuristics. The group typically also uses the Cloudflare Content Delivery Network (CDN) to obscure backend hosting IP addresses used for malware delivery and C&C. Figure 17: Timeline of TA416 C&C domain first sightings (July 2025-March 2026). TA416 has heavily favored use of the virtual private server (VPS) providers Evoxt Enterprise (AS149440), XNNET LLC (AS6134), and Kaopu Cloud HK Limited (AS138915) throughout 2025 and 2026. The group also typically deploys minimal fake websites on its C&C domains, likely to hinder signaturing and tracking efforts and to make these domains appear legitimate. Figure 18: Example of fake websites hosted on TA416 C&C domains (example shown is ombut[.]com). Attribution – what even is Mustang Panda anyway? In recent years, the Mustang Panda moniker within public threat intelligence reporting has become increasingly opaque and difficult to disentangle. Generally, Proofpoint tracks what is commonly publicly referred to as Mustang Panda under two primary clusters: TA416 (covered within this report) and a second group tracked under the temporary designator UNK_SteadySplit. Within Proofpoint’s visibility, UNK_SteadySplit has been active since at least 2022, with related open-source activity dating back to at least 2019. UNK_SteadySplit is a user of the custom TONESHELL and PUBLOAD malware families, alongside multiple other first-stage malware families delivered in phishing campaigns. Since the beginning of 2025, Proofpoint has predominantly observed UNK_SteadySplit targeting government, hospitality, and technology organizations in South and Southeast Asia, with a particular focus on Myanmar and Thailand. Within Proofpoint's telemetry, the group exclusively uses freemail senders and typically employs much more simplistic infection chains than TA416, most often delivering an archive containing a DLL sideloading pair downloaded from a cloud storage service. The table below highlights some of the key similarities and differences between the two clusters, as observed within Proofpoint’s visibility.   TA416 UNK_SteadySplit Targeting European government and diplomatic entities Southeast Asian and Mongolian government and healthcare organizations Five Poisons targeting Government, insurance, hospitality, technology, and energy organizations in South and Southeast Asia Capabilities Customized PlugX variant Heavy obfuscation and use of control flow flattening PUBLOAD TONESHELL Various custom first stage loaders Minimal obfuscation Regular inclusion of Easter egg strings and recurring PDB path patterns Recurring use of FakeTLS C&C protocols Infection Chain Use of both freemail and compromised government sender email addresses Varied infection chains, including use of: MSC files HTA files LNK files with Zip Smuggling Fake Cloudflare Turnstile challenge pages CSPROJ files Microsoft OAuth redirection abuse DLL sideloading triads Updates DLL sideloading executable every 1-2 months Exclusive use of freemail sender email addresses Archive download from cloud hosting site (e.g. Google Drive) Archive typically contains a DLL sideloading pair with lure filename More frequent rotation of DLL sideloading executable than TA416, with minimal overlap in sideloading executables Infrastructure Mostly uses domains for C&C Heavy usage of Cloudflare CDN Re-registers former legitimate domains Favors Evoxt Enterprise (AS149440), XNNET LLC (AS6134), and Kaopu Cloud HK Limited (AS138915) Mostly uses raw IP addresses for C&C Varied hosting providers, no overlaps in providers favored by TA416 Lure themes Geopolitical events and diplomatic communications Meeting invitations Conference invitations Geopolitical events and diplomatic communications Fake job promotions Hotel room bookings Hotel association and lifestyle benefits offers Meeting minutes and notes Figure 19: Similarities and differences between TA416 and UNK_SteadySplit clusters. As noted in previous reporting by Trend Micro in 2022, there are historical technical overlaps between TA416 and UNK_SteadySplit activity, most directly via the presence of a UNK_SteadySplit TONESHELL C&C IP address within a filepath seen in two LNK files used in TA416 campaigns. It is therefore likely that some form of organizational, personnel, or hierarchical link exists or existed between TA416 and UNK_SteadySplit. However, currently Proofpoint is unable to assess the nature of this relationship, and we have not observed similar overlaps in recent years. From Proofpoint’s perspective, both clusters appear operationally distinct and use different tooling, TTPs, and infrastructure to conduct different targeting. Based on an analysis of public research and discussions with industry partners, Proofpoint believes the following most accurately reflects the clustering overlaps between TA416, UNK_SteadySplit, and related groups tracked by other vendors: TA416 UNK_SteadySplit TA416 and UNK_SteadySplit combined Vertigo Panda RedDelta Red Lich UNC6384 SmugX DarkPeony Mustang Panda (CrowdStrike) CerenaKeeper Red Ishtar Twill Typhoon Temp.HEX Earth Preta Stately Taurus HoneyMyte Hive0154 Figure 20: Overlaps between TA416, UNK_SteadySplit, and related groups tracked by other vendors. Conclusion TA416's shift back to European government targeting in mid-2025, following two years of focus on Southeast Asia and Mongolia, is consistent with a renewed intelligence-collection focus against EU and NATO-affiliated diplomacy entities. In addition, TA416's expansion to Middle Eastern government targeting in March 2026 further highlights how the group’s tasking prioritization is likely influenced by geopolitical flashpoints and escalations. Throughout this period, the group has shown a willingness to iterate on infection chains, cycling through using fake Cloudflare Turnstile pages, OAuth redirect abuse, and MSBuild-based delivery, while continuing to update its customized PlugX backdoor. These TA416 operations suggest the group will likely continue to prioritize targeting European diplomatic networks and, as the conflict continues, Middle Eastern diplomatic entities, while maintaining parallel activity across Southeast Asia. Organizations in scope for this targeting should expect continued experimentation with initial access vectors delivered via spearphishing campaigns alongside continually updated PlugX payloads.   ET rules 2068412 - ET MALWARE TA416 PlugX CnC Activity (GET) 2068413 - ET MALWARE TA416 PlugX CnC Activity (GET) 2068414 - ET MALWARE TA416 PlugX CnC Activity (POST) Indicators 2026/05/13 update: The domain devredin[.]com that originally appeared in this blog was a false positive that has now been removed. Note: Indicators encompass a range of TA416 activity observed since July 2025, not just campaigns targeting European government.  Indicator   Type   Description   First Seen  cnrelojes[.]com  Domain  C&C domain  Jun-25  hnk-capljina[.]com  Domain  C&C domain  Jun-25  harrietmwelch[.]com  Domain  C&C domain  Jun-25  theprmummy[.]com  Domain  C&C domain  Jun-25  ecolnomy[.]com  Domain  C&C domain  Jun-25  mettayoga[.]org  Domain  C&C domain  Jun-25  it-evenement[.]nl  Domain  C&C domain  Jun-25  welnetsanda[.]org  Domain  Web bug domain  Jun-25  thecamco[.]net  Domain  C&C domain  Jun-25  paquimetro[.]net  Domain  C&C domain  Jun-25  fuyuju[.]com  Domain  C&C domain  Jul-25  nvofficespace[.]com  Domain  C&C domain  Jul-25  premegalithic[.]com  Domain  C&C domain  Jul-25  phpthemes[.]net  Domain  Web bug domain  Jul-25  supplementsoftheyear[.]com  Domain  C&C domain  Jul-25  colorflee[.]org  Domain  C&C domain  Aug-25  atravelingwitch[.]com  Domain  C&C domain  Sept-25  napasbdc[.]org  Domain  C&C domain  Sept-25  buzzurro[.]net  Domain  C&C domain  Sept-25  racineupci[.]org  Domain  C&C domain  Sept-25  cubukluescort[.]com  Domain  C&C domain  Sept-25  cseconline[.]org  Domain  C&C domain  Sept-25  ecomputers[.]org  Domain  C&C domain  Oct-25  designehair[.]com  Domain  C&C domain  Oct-25  loumuenz[.]com  Domain  C&C domain  Oct-25  ronnybush[.]net  Domain  C&C domain  Oct-25  hayabusamt[.]com  Domain  C&C domain  Oct-25  rondabusco[.]com  Domain  C&C domain  Nov-25  doorforum[.]com  Domain  C&C domain  Nov-25  portabalbufe[.]com  Domain  C&C domain  Nov-25  papermoonweddings[.]com  Domain  C&C domain  Nov-25  hoplitellc[.]com  Domain  C&C domain  Nov-25  mongolianews[.]info  Domain  C&C domain  Nov-25  famisu[.]com  Domain  C&C domain  Dec-25  espacebus[.]com  Domain  C&C domain  Dec-25  dnzapping[.]com  Domain  C&C domain  Dec-25  buddhismnewsdaily[.]org  Domain  C&C domain  Dec-25  buywownow[.]com  Domain  C&C domain  Dec-25  goodmedsx[.]com  Domain  C&C domain  Dec-25  anbusivam[.]com  Domain  C&C domain  Dec-25  phbusiness[.]net  Domain  C&C domain  Dec-25  bobbush[.]org  Domain  C&C domain  Dec-25  majicbus[.]org  Domain  C&C domain  Dec-25  busopps[.]org  Domain  C&C domain  Dec-25  turileco[.]net  Domain  C&C domain  Dec-25  basecampbox[.]com  Domain  C&C domain  Jan-26  adimagemarketing[.]com  Domain  C&C domain  Jan-26  ecoafrique[.]net  Domain  C&C domain  Jan-26  speedifynews[.]com  Domain  Web bug domain  Jan-26  creatday[.]com  Domain  C&C domain  Jan-26  fruitbrat[.]com  Domain  C&C domain  Jan-26  dalerocks[.]com  Domain  C&C domain  Jan-26  aaitile[.]com  Domain  C&C domain  Jan-26  ombut[.]com  Domain  C&C domain  Jan-26  gestationsdiabetes[.]com  Domain  C&C domain  Jan-26  gynecocuk[.]net  Domain  C&C domain  Feb-26  decoraat[.]net  Domain  C&C domain  Feb-26  embwishes[.]com  Domain  C&C domain  Feb-26  carhirechicago[.]com  Domain  C&C domain  Feb-26  ytsonline[.]net  Domain  C&C domain  Mar-26  coastallasercompany[.]com  Domain  C&C domain  Mar-26  shalomrav[.]org  Domain  C&C domain  Mar-26  rhonline[.]net  Domain  C&C domain  Mar-26  winesnmore[.]net  Domain  C&C domain  Mar-26  alpinemfg[.]net  Domain  C&C domain  Mar-26  amblecote[.]net  Domain  C&C domain  Mar-26  stuypa[.]org  Domain  C&C domain  Mar-26  buscacnpj[.]org  Domain  Delivery domain  Feb-26  subusiness[.]org  Domain  Delivery domain  Dec-25  florarevival[.]com  Domain  Delivery domain  Jan-26  bushidomma[.]net  Domain  Delivery domain  Jan-26  devlyrics[.]com  Domain  Delivery domain  Feb-26  softhunts[.]com  Domain  Delivery domain  Feb-26  gesecole[.]net  Domain  Delivery domain  Feb-26  meritsoftwebportals[.]com  Domain  Delivery domain  Feb-26  foxmediagency[.]com  Domain  Delivery domain  Mar-26  ghonline[.]net  Domain  Delivery domain  Mar-26  hxxps://mydownload.z29.web.core.windows[.]net/nv2199_update_on_situation_of_cambodia-thailand_border.html   URL  Fake Cloudflare Turnstile challenge page  Sept-25  hxxps://mydownload.z29.web.core.windows[.]net/nv2230_update_of_situation_on_cambodia-thailand_border.html   URL  Fake Cloudflare Turnstile challenge page  Sept-25  hxxps://mydownload.z29.web.core.windows[.]net/naju_plan_obuka_oktobar_2025.html   URL  Fake Cloudflare Turnstile challenge page  Sept-25  hxxps://mydownload.z29.web.core.windows[.]net/epc_invitation_letter_copenhagen_1-2_october_2025.html  URL  Fake Cloudflare Turnstile challenge page  Sept-25  hxxps://mydownloadfile.z7.web.core.windows[.]net/jatec_workshop_on_wartime_defence_procurement_(9-11_september).html   URL  Fake Cloudflare Turnstile challenge page  Sept-25  hxxps://mydownfile.z11.web.core.windows[.]net/agenda_meeting_26_sep_brussels.html   URL  Fake Cloudflare Turnstile challenge page  Sept-25  hxxps://filesdownld.z13.web.core.windows[.]net/a9t3zb7l1qx5.html   URL  Fake Cloudflare Turnstile challenge page  Oct-25  hxxps://filestoretome.z23.web.core.windows[.]net/filelocate.html  URL  Fake Cloudflare Turnstile challenge page  Nov-25  hxxps://attd.z23.web.core.windows[.]net/attd.html   URL  Fake Cloudflare Turnstile challenge page  Nov-25  hxxps://gooledives.z48.web.core.windows[.]net/election_2026.html   URL  Fake Cloudflare Turnstile challenge page  Jan-26  hxxps://gooledives.z48.web.core.windows[.]net/%e0%a6%a8%e0%a6%bf%e0%a6%b0%e0%a7%8d%e0%a6%ac%e0%a6%be%e0%a6%9a%e0%a6%a8_%e0%a7%a8%e0%a7%a6%e0%a7%a8%e0%a7%ac.html   URL  Fake Cloudflare Turnstile challenge page  Jan-26  mydownload.z29.web.core.windows[.]net  Hostname  Microsoft Azure Blob Storage site used for delivering malware  Sept-25  mydownloadfile.z7.web.core.windows[.]net  Hostname  Microsoft Azure Blob Storage site used for delivering malware  Sept-25  mydownfile.z11.web.core.windows[.]net  Hostname  Microsoft Azure Blob Storage site used for delivering malware  Sept-25  filesdownld.z13.web.core.windows[.]net  Hostname  Microsoft Azure Blob Storage site used for delivering malware  Oct-25    attd.z23.web.core.windows[.]net  Hostname  Microsoft Azure Blob Storage site used for delivering malware  Nov-25  filestoretome.z23.web.core.windows[.]net  Hostname  Microsoft Azure Blob Storage site used for delivering malware  Nov-25  gooledives.z48.web.core.windows[.]net  Hostname  Microsoft Azure Blob Storage site used for delivering malware  Jan-26  reloadsite.z13.web.core.windows[.]net  Hostname  Microsoft Azure Blob Storage site used for delivering malware  Mar-26  hxxps://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?client_id=607bb911-0f5a-4186-9d48-ecff8e094280&response_type=code&scope=invalid&prompt=none&state=2  URL  Microsoft Entra ID OAuth 2.0 third-party application authorization URL used to trigger a silent redirect  Dec-25  hxxps://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?client_id=5e6b7cf5-69b7-4f85-87d1-8b4cb6df8aa2&response_type=code&scope=invalid&prompt=none&state=3  URL  Microsoft Entra ID OAuth 2.0 third-party application authorization URL used to trigger a silent redirect  Dec-25  hxxps://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?client_id=8d015a9c-f912-445d-8b3c-4f3b3201ded1&response_type=code&scope=invalid&prompt=none&state=47  URL  Microsoft Entra ID OAuth 2.0 third-party application authorization URL used to trigger a silent redirect  Dec-25  hxxps://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?client_id=684d7892-c993-41d7-b6c1-07613c43cd61&response_type=code&scope=invalid&prompt=none&state=17  URL  Microsoft Entra ID OAuth 2.0 third-party application authorization URL used to trigger a silent redirect  Dec-25  hxxps://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?client_id=a9785a2d-445e-4ffa-a770-bec734911841&response_type=code&scope=invalid&prompt=none&state=1  URL  Microsoft Entra ID OAuth 2.0 third-party application authorization URL used to trigger a silent redirect  Dec-25  hxxps://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?state=149&x_client_ver=1.0.0&response_type=code&client_id=b004ab26-f57b-439d-ae54-c39b958e5743&nonce=ab93f2c1&prompt=none&scope=invalid&ui_locales=en-us  URL  Microsoft Entra ID OAuth 2.0 third-party application authorization URL used to trigger a silent redirect  Jan-26  hxxps://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?state=6&x_client_ver=1.0.0&response_type=code&client_id=3c7bf1a4-927f-40a1-97b0-7a7aa08f4bb2&nonce=ab93f2c1&prompt=none&scope=invalid&ui_locales=en-us  URL  Microsoft Entra ID OAuth 2.0 third-party application authorization URL used to trigger a silent redirect  Jan-26  hxxps://login.windows[.]net/common/oauth2/v2.0/authorize?client_id=7d980c52-31e5-4554-9e20-b89c4617102f&response_type=code&scope=invalid&prompt=none&state=1  URL  Microsoft Entra ID OAuth 2.0 third-party application authorization URL used to trigger a silent redirect  Mar-26  hxxps://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?utm_source=portal&utm_medium=web&client_id=c47683e4-16a3-4b8a-a3d3-c1fe4c86f073&response_type=code&scope=invalid&prompt=none&utm_campaign=login&state=o1&ref=dashboard  URL  Microsoft Entra ID OAuth 2.0 third-party application authorization URL used to trigger a silent redirect  Mar-26  hxxps://web.florarevival[.]com:443/download/a6d6u9ff13?error=interaction_required&error_description=session+information+is+not+sufficient+for+single-sign-on.&state=6  URL  Example redirect URL delivering malicious archive  Jan-26  hxxps://www.bushidomma[.]net/download/l7o9afe?error=interaction_required&error_description=session+information+is+not+sufficient+for+single-sign-on.&state=2  URL  Example redirect URL delivering malicious archive  Dec-25  hxxps://www.buscacnpj[.]org/download/we7823bn?error=interaction_required&error_description=session+information+is+not+sufficient+for+single-sign-on.&state=3  URL  Example redirect URL delivering malicious archive  Dec-25  hxxps://www.subusiness[.]org/download/aetce17ge?error=interaction_required&error_description=session+information+is+not+sufficient+for+single-sign-on.&state=47  URL  Example redirect URL delivering malicious archive  Dec-25  hxxps://www.foxmediagency[.]com/download/qqa36sa0d6fq066?error=interaction_required&error_description=Session+information+is+not+sufficient+for+single-sign-on.&state=o1  URL  Example redirect URL, redirects again to direct download of malicious archive  Mar-26  hxxps://dash.ghonline[.]net:443/download/jyebbtg?error=interaction_required&error_description=Session+information+is+not+sufficient+for+single-sign-on.&state=o1  URL  Example redirect URL, redirects again to direct download of malicious archive  Mar-26  607bb911-0f5a-4186-9d48-ecff8e094280  GUID  Microsoft Entra Third Party Application Client ID  Dec-25  5e6b7cf5-69b7-4f85-87d1-8b4cb6df8aa2  GUID  Microsoft Entra Third Party Application Client ID  Dec-25  8d015a9c-f912-445d-8b3c-4f3b3201ded1  GUID  Microsoft Entra Third Party Application Client ID  Dec-25  684d7892-c993-41d7-b6c1-07613c43cd61  GUID  Microsoft Entra Third Party Application Client ID  Dec-25  a9785a2d-445e-4ffa-a770-bec734911841  GUID  Microsoft Entra Third Party Application Client ID  Dec-25  3c7bf1a4-927f-40a1-97b0-7a7aa08f4bb2  GUID  Microsoft Entra Third Party Application Client ID  Jan-26  b004ab26-f57b-439d-ae54-c39b958e5743  GUID  Microsoft Entra Third Party Application Client ID  Jan-26  7d980c52-31e5-4554-9e20-b89c4617102f  GUID  Microsoft Entra Third Party Application Client ID  Mar-26  c47683e4-16a3-4b8a-a3d3-c1fe4c86f073  GUID  Microsoft Entra Third Party Application Client ID  Mar-26  262a1003a2cd04993b29e687686eba573d6202fea8611c437ecbd6312802677a  SHA256  JATEC workshop on wartime defence procurement (9-11 September).zip  Sept-25  7c96d08f5ce46d1a857184490a7e68ca2b02e9cbe9d188742f184f21bc9c62d9  SHA256  JATEC workshop on wartime defence procurement (9-11 September).lnk  Sept-25  ae8d2cef8eac099f892e37cc50825d329459baa9625b71fb6f4b7e8f33c6ccce  SHA256  cnmpaui.dll  Sept-25  36e516182b4c8aa48ea3e50b7dc353f32d3412f59fb0cb1c7b3590aa4d821c57  SHA256  cnmplog.dat  Sept-25  30475ff5b32776e554433ff00e7c18590253521024662c267abaefd24f1b9bbe  SHA256  EPC invitation letter Copenhagen 1-2 October 2025.zip  Sept-25  28a8bdaee803d9cf9186ff4756e15b0fb491fd3b65bde002361615f27e5ca92d  SHA256  EPC invitation letter Copenhagen 1-2 October 2025.lnk  Sept-25  c96338533d0ab4de8201ce1f793e9ea18d30c6179daf1e312e0f01aff8f50415  SHA256  cnmpaui.dll  Sept-25  56f0247049be8b9dc1da7c55957d2fb4f7177965ba62789c512f3e2b4c0c5c26  SHA256  cnmplog.dat  Sept-25  e036e2ba402d808adbb7982ec8d7a207849ff40456633b2b372bc7916d9dc22f  SHA256  ATTD-ASIA-2025.zip  Nov-25  e1e597852d684bd6d0395d5094e58831f13635f668e7cf66ba71b8b66be0ce6c  SHA256  ATTD-ASIA-2025.lnk  Nov-25  795ad4789a185c3abc35b3ad82117db6b60a7b8ab857e41080873f070d4a06f0  SHA256  crashhandler.dll  Nov-25  79e0ab17e761a00ad12b9848f1f07b507f57db532fa2df8c722693e14feb17c3  SHA256  crashlog.dat  Nov-25  784a914bd1878ad68a6cf3f693da5ddcc2f04b794204333098ad749b7e372fd4  SHA256  Concept_Note_2nd_Global_Buddhist_Summit_2026.zip  Dec-25  e31eafb49dbcad079ff177703b5a033f3e0365991cf28492339eccfe0fdf812c  SHA256  Concept_Note_2nd_Global_Buddhist_Summit_2026.lnk  Dec-25  2c3708a103b257fa75fcb34948c817fd564d4479f1e267b33c5b08f0d4c7634f  SHA256  crashhandler.dll  Dec-25  e9d8f28fd0aef3bc3f5b28a41b3f342165b371db9aefd7d03f2aba4292009d3e  SHA256  crashlog.dat  Dec-25  50746ddd81a5dbc5cec793209ab552125fff9c7184aa5bcfe22d6c3b267f67f1  SHA256  Meeting_Outcome_Briefing_10_January_2026.zip  Jan-26  d0576b39bb6c05ea0a24d3a3d5d7cb234454fefc65860f21a97757582adc7650  SHA256  Meeting_Outcome_Briefing_10_January_2026.lnk  Jan-26  84d6a8b47edadf5725d9937d8928a90d190e0c98b5b4d1a4c58e97cddcd36768  SHA256  comn.dll  Jan-26  f988d58e4a32b908ff7a557d740c6860c59807832c7626774330dcaed65ead14  SHA256  backupper.dat  Jan-26  31f3606433e95bfbb047d31c885e56a70111e130f3d2da0580644c01323b46d1  SHA256  Meeting invitation-2026.rar  Feb-26  29cd44aa2a51a200d82cca578d97dc13241bc906ea6a33b132c6ca567dc8f3ad  SHA256  Invitation_Letter_No.02_2026.zip  Feb-26  7d2b6c48cbd6cef05ea2bdae7dfc001504cccda99dd89eb7fe6646e96c1d5515  SHA256  Meeting invitation 2026.rar  Feb-26  3e7478d3854eaeed487230ba9299c87d5a5d70e4fbeac841555327c76b7b405e  SHA256  Meeting invitation 2026.csproj  Feb-26  c8a6302adf92353556c600a0afa9146fbc04663fffe8be90808df2bf04ec5703  SHA256  Meeting invitation 2026.csproj  Feb-26  de8ddc2451fb1305d76ab20661725d11c77625aeeaa1447faf3fbf56706c87f1  SHA256  Invitation_Letter_No.02_2026.csproj  Feb-26  f333bc5238e39790fb7560de067a852e9a99df2bb783cf08738d8a0d424b9658  SHA256  Avk.dll  Feb-26  06a70c54c580ec4c362bfbc94147a0f1ac9020c421933ccf494a8d553b114260  SHA256  Avk.dll  Feb-26  46314092c8d00ab93cbbdc824b9fc39dec9303169163b9625bae3b1717d70ebc  SHA256  Avk.dll  Feb-26  e7ed0cd4115f3ff35c38d36cc50c6a13eba2d845554439a36108789cd1e05b17  SHA256  AVKTray.dat  Feb-26  a3f9e20315663e4e8feb13e77563e3cb0f2f4844734987e51e14bd172b9a04fd  SHA256  AVKTray.dat  Feb-26  5c3208c5217933e16c5119e7baf78f85fd409e8822d1cd7a8ef2d52a5bd511c1  SHA256  AVKTray.dat  Feb-26  42c3b9cad6c8383699eba4f82d51908c0d61e9ea454bc40447cf20475ce20ff0  SHA256  Information_Note_Elections_Republic_of_Kosovo_28_December_2025.zip  Dec-25  64bae6a215ad9e956d1028603438228003d832bdd5e586ad4988f5c7ad1c54f0  SHA256  Information_Note_Elections_Republic_of_Kosovo_28_December_2025.lnk  Dec-25  843b22df66f87a587be77145da163f9615fe8164a5ea17f9e33562ff43894fbf  SHA256  crashhandler.dll  Dec-25  eb10443a2f0b9a25d01a84426a6a8532b0e7c9157abda55b94c98a1fd2d45562  SHA256  crashlog.dat  Dec-25   b1606ca49aa15eadb039f33d438697973b203693d0003e467e1f33b36d10a530  SHA256  Post-Meeting_Report_US-Adriatic_Charter_Partnership_Commission.zip  Dec-25  87929c8f53341a5e413950d33c7946c64e1d4b2eba6d1a8b2d08ef56f7065052  SHA256  Post-Meeting_Report_US-Adriatic_Charter_Partnership_Commission.lnk  Dec-25  6788365386ccd34d1db681c61ef07ef4d2faea5672571b77a76dc48f327afaa9  SHA256  crashlog.dat  Dec-25  2712f4ac5ad422bcf749699389cb1a0111a1b11e298efb0cffebc2e2f0becb5f  SHA256  election_2026.zip  Jan-26  4d528842c7fe73681dfe569d38a39f8d38ca5548dbc8b6ac02df096713a92efd  SHA256  election_2026.lnk  Jan-26  45d8d4f04eb44dc5d10290038825194b0ffc38048a786b4a8b81bb796afc58a3  SHA256  Avk.dll  Jan-26  a82c8845587a87010eab52ef8c35d45eaea8eb8102aae77ec96e222197b7db66  SHA256  AVKTray.dat  Jan-26  16e258b7b712b747a6037d56ee8d2cc99f8f8139da4a3a59c24af0887531ace0  SHA256  নির্বাচন_২০২৬.zip  Jan-26  29a70241660ff3234f1c5e8c01878ee01adb4a289262bd37403e1a323129ea86  SHA256  নির্বাচন_২০২৬.lnk  Jan-26  c73050860c8aaa0f79c03781519cdcee133832805e2e3e778fef3cb0e917efb1  SHA256  Avk.dll  Jan-26  9d61c4e21bbbddde5bb780ea0c5238a3538a84b9afe98d62d08845b47fb5caa9  SHA256  AVKTray.dat  Jan-26  b394e7a3b350b2104b73e29a04e48e5ede5078b9a811abae58d842ce3442c6b3  SHA256  Browser Updater.zip  Feb-26  0b916d2b4a02d01b42c2b04e281d786a05cc7974d2c4a272b01e8060fa713403  SHA256  Browser Updater.csproj  Feb-26  965894996e2cb9be1e0ccc509e079e7eca072cbc4e68945beb00ff5979dda19c  SHA256  Avk.dll  Feb-26  69b685fadce4f34bc4964b3d78d43694a428ae1ee4d2fe0ce4ed26fad07847fa  SHA256  AVKTray.dat  Feb-26  30c71d644bc72e0d55d46bed753ab3f72dc77b7f1be0e34693c957939a779507  SHA256  BRICS Report.zip  Feb-26  e79d19d68d307c12413f8549aafa4a56776002dd04601e36e0125b2e6d56ff94  SHA256  BRICS Report.lnk  Feb-26  44cfba85aa27265779b01f6eb8b69718462b1ca8078b21066061e8d1622dff7a  SHA256  crashhandler.dll  Feb-26  774841a2bfb07b61a8be3de8ae31e9847f987de652eef179761dc3d1b34c42ff  SHA256  crashlog.dat  Feb-26  3c065947461df428b0d29e401e2a28a0d2560943e96d3ac8b9ed71858fbcec38  SHA256  EID_AL-FITR_MESSAGES_2026(Kuwait).zip  Mar-26  7be77e6166aae9a89b16b64b593f35afc7424926047635f2230a4e364c6a46d8  SHA256  EID_AL-FITR_MESSAGES_2026(Kuwait).lnk  Mar-26  b6d866054dedf7a882dd1fa405a066de1278e35acf639b3a0e850a637d27c4bc  SHA256  CNCLID.dll  Mar-26  9e67f72bfbc8772ce10633430e1277fd8374e99877ddedb598b4f6717c799eeb  SHA256  Canon.dat  Mar-26  de13e4b4368fbe8030622f747aed107d5f6c5fec6e11c31060821a12ed2d6ccd  SHA256    Energy_Infrastructure_Situation_Note _Tehran_Province_2026.zip  Mar-26  a95e3857e2f32c2a9c23accadebc1ad6aabf73fed9d63c792d69122d9ec6726d  SHA256  Energy_Infrastructure_Situation_Note _Tehran_Province_2026.lnk  Mar-26  3021f4d365a641722748c5e60d983a080db17bef8f0a1dbe624ffe63cd544cc1  SHA256  Eraser.dll  Mar-26  c5267fefaac1764eba5f42681eb216f146b7d18fcbf546275d33e70cb36fdfba  SHA256  Eraser.dat  Mar-26  bcd30f2116f5ba6731c628483d597b2ba3620ed464c63875855906306beb102a  SHA256  OECD_Update_on_implications_for_energy_markets_of_events_in_the_Middle_East.zip  Mar-26  1df74ce45aa9320c48858eddce3f46f5687fbfdcfd497d92a1e17476e7a2951e  SHA256  OECD_Update_on_implications_for_energy_markets_of_events_in_the_Middle_East.lnk  Mar-26  93e9402af72b355554f9ba93c64871b1bae5be498e3b8a10e61ebdd10ab0d050  SHA256  Eraser.dll  Mar-26  2261c7640fe2f3c2385de61c546b5020ec8a486ad5bad64c31bc9268f6b36a2c  SHA256  Eraser.dat  Mar-26  kordula.wehrli@gmail[.]com  Email Address  TA416-controlled email address  Jul-25  kayden.beaufort@gmail[.]com  Email Address  TA416-controlled email address  Jul-25  emmeline.voss@gmail[.]com  Email Address  TA416-controlled email address  Aug-25  epc.copenhagen2025.dm@gmail[.]com  Email Address  TA416-controlled email address  Sept-25  galinaburl76@gmail[.]com  Email Address  TA416-controlled email address  Nov-25  office2000005@gmail[.]com  Email Address  TA416-controlled email address  Feb-26  hsuhalingaye26@gmail[.]com  Email Address  TA416-controlled email address  Feb-26 

Security brief: tax scams aim to steal funds from taxpayers

30 March 2026 at 15:20
What happened  Threat actors love to take advantage of tax season. It’s peak social engineering time: combine monetary concerns with often stressful responsibilities, sprinkle in the expectation of emails about taxes from multiple organizations and you’ve got a recipe for cybercrime.   So far in 2026 we’ve seen over a hundred campaigns leverage tax themes leading to  malware, remote monitoring and management (RMM) payloads, fraud, and credential phishing. Tax-themed campaigns are expected annually, but this year we’re seeing more RMM payloads, activity from newly identified threat actors, and a broader variety of social engineering lures.   Figure1. Breakdown of threat type delivered in tax-themed email campaigns. (Analyst note: Proofpoint manually contextualizes fewer BEC/Imposter threats overall, so they appear less in campaign data.) Threat actors are using tax themes in many ways, including posing as tax agencies or government entities like the Internal Revenue Service (IRS); claiming the recipient has expired tax documents; impersonating company human resources; requesting for tax filing support; claiming tax violations; and more.   Email volumes vary from a handful of messages to tens of thousands, depending on the campaign and the actors’ objectives. While most campaigns target the United States, Proofpoint has also seen recent tax-themed campaigns target other countries including Canada, Australia, Switzerland, and Japan, among others.   The following is an example of some notable tax-themed campaigns observed in 2026 so far.   Campaign examples  RMM  The most common payloads delivered via tax themes are RMMs. These tools are legitimate software commonly used within the enterprise but abused by cybercriminals. RMMs are used by many threat actors, and the cybercrime ecosystem leveraging legitimate software in malicious campaigns is thriving. Threat actors like using RMMs because they often fly under the radar in enterprise environments since they’re legitimate, often authoritatively signed, pieces of software. If organizations do not implement allow-listing for trusted RMMs, malicious ones may not get flagged by security tools.   Proofpoint has observed tax-themed campaigns deliver RMMs including Datto, N-Able, RemotePC, Zoho Assist, and ScreenConnect, among others. In some cases, threat actors will use one RMM for initial access and then drop another as a follow-on payload once the host is infected.   As an example, on 05 February 2026, Proofpoint observed a campaign impersonating the U.S. IRS. The lure purported to relate to the target’s recent IRS filing.   Figure 2. Phishing lure impersonating the IRS delivering N-able RMM.   Messages contained a hyperlinked button purporting to be a “Transcript Viewer” that was actually a Bitbucket URL leading to an executable file which, if executed, installed N-able RMM. Notably, the actor included a real phone number belonging to the IRS to further the social engineering and believability of the email.  IRS is a common lure theme used by multiple threat actors, as impersonating government agencies can be a compelling social engineering technique. Since January 2026, Proofpoint observed over a dozen RMM campaigns that have impersonated the IRS.   TA4922   TA4922 is a newly designated financially motivated threat actor regularly tracked by Proofpoint since spring 2025. The actor’s primary objective is to obtain remote access likely for monetization, like fraud, data theft, access brokering, or persistence. This actor delivers malware from the Winos4.0 ecosystem, which is also referred to in some reporting as ValleyRAT, and uses a variety of loaders and stealers. TA4922 also conducts fraud campaigns. The actor is likely based in East Asia and probably is Chinese speaking. TA4922 demonstrates overlaps with the Silver Fox and Void Arachne ecosystem as reported by third-party researchers.   This actor typically targets Japan with some additional East Asian targeting and commonly uses tax themes in its campaigns. One notable technique from TA4922 is its frequent use of impostor emails pretending to be someone in a position of authority. The attacker sends an initial email that requests the recipient’s phone number to establish communications outside of email.   For example, in early February 2026, Proofpoint observed a TA4922 campaign targeting organizations in Japan. Emails impersonated national tax authorities and claimed the recipient had unresolved tax obligations. The actor requested the recipient’s mobile phone number to establish out-of-band communications.   Figure 3. Japanese language National Tax Authority impersonation email.   Once engagement is established, the actor will likely escalate social engineering by impersonating the target organization’s finance leadership and may deliver malicious links or files via out-of-band channels.  In another campaign in early March, emails targeted Japan and purported to be from the "Inland Revenue Department." Messages included a URL which downloaded an executable, which, if executed, installed an information stealer still under investigation by Proofpoint researchers.   Figure 4. Inland Revenue Department impersonation.   Proofpoint has also observed this actor impersonate revenue agencies of other countries and target users in those regions, including India, Taiwan, Indonesia, Malaysia, and, unusually, Italy.   TA2730   Proofpoint has tracked TA2730, a prominent credential phishing threat actor, since June 2025. The actor focuses on obtaining credentials for various financial institutions, typically those focused on investments.  TA2730 campaigns appear opportunistic rather than targeted. The messages are sent from malicious domains most likely registered by the actor. The threat actor uses multiple phishing kits, including one they likely developed and use most frequently. The actor targets many countries, with its most frequent geographies of interest being Canada, Australia, Singapore, Switzerland and Japan.  Figure 5. TA2730 geographic targets of all campaigns.  One of the most popular lure themes this actor uses relates to a "W-8BEN" form, a U.S. tax form for non-U.S. taxpayers. This lure has been used in dozens of campaigns since we began tracking the actor.   Typically, the actor will pose as an investment company, telling the recipient they need to update or provide information for their W-8BEN form. Emails contain URLs leading to counterfeit investment account authentication pages designed to harvest user credentials. The following are two examples of recent campaigns observed in Proofpoint telemetry. Both these campaigns occurred in February, targeting Switzerland and Canada. In some cases, the actor includes the legitimate phone number for the impersonated entity to further the believability of the lure.  Figure 6. TA2730 email impersonating Swissquote (left) and malicious phishing landing page impersonating the company (right). This campaign targeted Switzerland.  Figure 7. TA2730 email impersonating Questrade (left) and malicious phishing landing page impersonating the company (right). This campaign targeted Canada.  The objective of these campaigns is to take over investment accounts for financial gain.   W-2 fraud  Business email compromise (BEC) threat actors also regularly use tax form lures including W-2 Form (Wage and Tax Statement) and W-9 (Request for Taxpayer Identification Number and Certification) themes. Typically, these campaigns will impersonate company executives, human resources, or vendor/supplier contacts in attempts to steal financial and personal data, likely with a goal of leveraging it for follow-on fraud.   For example, in one campaign observed in March, email sender names were spoofed to appear as if they came from an executive at the targeted organization, requesting all employee W-2 forms for 2025.   Figure 8. BEC W-2 fraud email example.   Such forms contain sensitive information like names, addresses, and Social Security numbers. This data can be used for identity theft and banking fraud.   Why it matters  The examples represented in this blog are just a small portion of the overall landscape, and while tax season is a popular time for these types of lures, taxes and financial information can be an effective lure, no matter the time of year.   Tax lures are commonly used by threat actors, especially around filing seasons, as people leverage various applications and services to collate and file important business and personal finance information. Such lures can be convincing to recipients who are either expecting communications from organizations related to financial or government institutions or would be concerned and worried by receiving an email suggesting they will have fines or fees for incorrectly submitting information.   In general, enterprises should educate users about the techniques and lures commonly abused by threat actors and be aware that cybercriminals routinely gravitate towards timely and topical lure themes, with taxes being among their annual favorites.   Indicator  Description   First Seen  Aubrey162243her@hotmail[.]com  TA4922 Sender Email  06 March 2026  Baerg536714qrr@hotmail[.]com  TA4922 Sender Email  06 March 2026  Belinda319932ywa@hotmail[.]com  TA4922 Sender Email  06 March 2026  Brenda26111993bbs@hotmail[.]com  TA4922 Sender Email  06 March 2026  Brett77124cnd@hotmail[.]com  TA4922 Sender Email  06 March 2026  Clint15032004ye@hotmail[.]com  TA4922 Sender Email  06 March 2026  Dan0600ups@hotmail[.]com  TA4922 Sender Email  06 March 2026  Darryl658773qfs@hotmail[.]com  TA4922 Sender Email  06 March 2026  Elmer445637xqd@hotmail[.]com  TA4922 Sender Email  06 March 2026  Genet868615mfd@hotmail[.]com  TA4922 Sender Email  06 March 2026  Gilana406avh@hotmail[.]com  TA4922 Sender Email  06 March 2026  Gilbert6704ysw@hotmail[.]com  TA4922 Sender Email  06 March 2026  Glenn0045bnk@hotmail[.]com  TA4922 Sender Email  06 March 2026  Greg2505880dbq@hotmail[.]com  TA4922 Sender Email  06 March 2026  Hilda2441790ajg@hotmail[.]com  TA4922 Sender Email  06 March 2026  Kaitlyn135452qyw@hotmail[.]com  TA4922 Sender Email  06 March 2026  Kayla383537cau@hotmail[.]com  TA4922 Sender Email  06 March 2026  Kelly5906byn@hotmail[.]com  TA4922 Sender Email  06 March 2026  Mattie9227fdx@hotmail[.]com  TA4922 Sender Email  06 March 2026  Quirita42462vpp@hotmail[.]com  TA4922 Sender Email  06 March 2026  Rafael0746881jxk@hotmail[.]com  TA4922 Sender Email  06 March 2026  Sabah30035vrj@hotmail[.]com  TA4922 Sender Email  06 March 2026  Tanisha535486nyg@hotmail[.]com  TA4922 Sender Email  06 March 2026  Violet82113vbv@hotmail[.]com  TA4922 Sender Email  06 March 2026  Violet900048ege@hotmail[.]com  TA4922 Sender Email  06 March 2026  Yvette20071993pgc@hotmail[.]com  TA4922 Sender Email  06 March 2026  Yvonne8544809axa@hotmail[.]com  TA4922 Sender Email  06 March 2026  YObutler.jonasd8nC29@yahoo[.]com  TA4922 Reply-to Email  09 February 2026  hxxps://www[.]upsystems[.]one/Alex[.]exe  TA4922 Payload URL  06 March 2026  d338a7f85737cac1a7b4b5a1cca94e33d0aa8260548667c6733225d4c20cb848  TA4922 Information Stealer SHA256  06 March 2026  121[.]127[.]232[.]253:8443  TA4922 Information Stealer C2  06 March 2026  Bella1987Jenny8927@outlook[.]com  TA4922 Sender Email  02 February 2026  Cedric1985Mattie70601@outlook[.]com  TA4922 Sender Email  02 February 2026  Chappel1994Sunkel79549@outlook[.]com  TA4922 Sender Email  02 February 2026  Chris1987Juanita79531@hotmail[.]com  TA4922 Sender Email  02 February 2026  Elisa1966Tamara82159@hotmail[.]com  TA4922 Sender Email  02 February 2026  Ellis1986Akihito92@hotmail[.]com  TA4922 Sender Email  02 February 2026  Garrett2003Jaime3246@outlook[.]com  TA4922 Sender Email  02 February 2026  GhaemmaghamiBorg2909@outlook[.]com  TA4922 Sender Email  02 February 2026  Iris2003Francis43001@hotmail[.]com  TA4922 Sender Email  02 February 2026  Jo1990Nelson506@hotmail[.]com  TA4922 Sender Email  02 February 2026  Kamiisa1962Eunice52@outlook[.]com  TA4922 Sender Email  02 February 2026  KatsaounisSetlak6267@outlook[.]com  TA4922 Sender Email  02 February 2026  Lathrop1966Alice63@hotmail[.]com  TA4922 Sender Email  02 February 2026  Lucia1968Sheryl4254@outlook[.]com  TA4922 Sender Email  02 February 2026  LucinaMcnear6104@outlook[.]com  TA4922 Sender Email  02 February 2026  Morris1965Cruz7189@hotmail[.]com  TA4922 Sender Email  02 February 2026  Nabila2004Eunice770@hotmail[.]com  TA4922 Sender Email  02 February 2026  NicholWollan4783@outlook[.]com  TA4922 Sender Email  02 February 2026  Peony1982Jamila936@outlook[.]com  TA4922 Sender Email  02 February 2026  Quirita1980Laraine303@hotmail[.]com  TA4922 Sender Email  02 February 2026  SablanLoretz4374@outlook[.]com  TA4922 Sender Email  02 February 2026  Sheryl1993Sabah3812@outlook[.]com  TA4922 Sender Email  02 February 2026  SteadfastSeefried8443@outlook[.]com  TA4922 Sender Email  02 February 2026  Terrell1980Dawn020@hotmail[.]com  TA4922 Sender Email  02 February 2026  Vanessa1991Gretel73372@outlook[.]com  TA4922 Sender Email  02 February 2026  WaffleMehta9842@outlook[.]com  TA4922 Sender Email  02 February 2026  Wendell1988Lovice46@hotmail[.]com  TA4922 Sender Email  02 February 2026  844202972ff19afa760447fc87963de0fbbc0ebc69d50164f03ecf5d4e67952f  N-Able RMM Payload, Fake IRS Campaign  05 February 2026  hxxps[:]//bitbucket[.]org/pmlasobjekightailsians/rgww/downloads/amzn-s3-EfinTranscriptViewer.cm10_14_4_.EXE  Payload URL Fake IRS Campaign  05 February 2026  bksgcefzqyb[.]com  TA2730 Phishing Landing Domain  25 February 2026  whghfpytehu[.]com  TA2730 Phishing Landing Domain  25 February 2026  akcjdrya[.]com  TA2730 Phishing Landing Domain  27 January 2026  buwxkiy[.]com  TA2730 Phishing Landing Domain  27 January 2026  eodrggi[.]com  TA2730 Phishing Landing Domain  27 January 2026  gyglowcq[.]com  TA2730 Phishing Landing Domain  27 January 2026  iuzndfqr[.]com  TA2730 Phishing Landing Domain  27 January 2026  nirbsff[.]com  TA2730 Phishing Landing Domain  27 January 2026  rmwztbrr[.]com  TA2730 Phishing Landing Domain  27 January 2026  wijgzsfh[.]com  TA2730 Phishing Landing Domain  27 January 2026     

CursorJack: weaponizing Deeplinks to exploit Cursor IDE

17 March 2026 at 22:00
Author’s Note: This post reflects Proofpoint Threat Research observations in a controlled test environment as of January 19, 2026. Proofpoint has no commercial, customer, partner, or vendor relationship with Cursor (published by Anysphere, Inc.). Cursor did not review or endorse this report. We notified Cursor through its vulnerability‑reporting channel; the report was closed as out‑of‑scope / Not Applicable under their policy. Findings are presented as a risk pattern involving deeplink‑driven installation flows and social engineering and may evolve as vendors update features. Configurations and results may vary based on OS, user permissions, enterprise controls, and product versions; readers should apply multi‑layered controls and follow vendor guidance.  Overview  Cursor implements deeplinks for Model Context Protocol (MCP) to provide a mechanism for installation of MCP servers in Cursor IDE. This blog describes CursorJack, a method of potentially abusing Cursor MCP deeplinks that, under certain conditions, could enable code execution or allow installation of a malicious remote MCP server. The behavior described below is specific to the test environments noted and does not imply silent or zero‑click exploitation by default. It does, however, highlight the urgent need to secure agentic AI environments.  Key takeaways  The cursor:// protocol handler could be abused through social engineering in specific configurations.  In our tests, a single click followed by user acceptance of an install prompt could result in arbitrary command execution.  The technique could be leveraged both for local code execution via the command parameter or to install a malicious remote MCP server via the URL parameter.  There is currently no visual distinction between a malicious MCP install deeplink and a legitimate one in the default UI flows we observed.  Developers are potentially high-value targets as their workstations may have privileged accounts or contain credentials, API keys, source code and other sensitive data.  Our POC code is available on GitHub.  Cursor MCP Deeplinks  Deeplinks are custom URL schemes to direct users to specific pages within an app. Cursor IDE implements MCP deeplink for quick installation of MCP servers with the following structure:  cursor://anysphere.cursor-deeplink/mcp/install?name=<name>&config=<base64> Figure 1. Deeplink schema (source: https://cursor.com/docs/context/mcp/install-links ).    The MCP server configuration is base64-encoded within the deeplink URL.  When Cursor is installed, the application registers the cursor:// protocol handler with the operating system. Once registered, any cursor:// link clicked launches Cursor and passes the full URL to the executable. In our tests, we did not alter OS URL‑handler protections or bypass interactive prompts.  Figure 2. Cursor protocol handler.  MCP.json   The mcp.json configuration format has emerged as a standard for clients to declare how MCP servers should be launched or connected to. Within the ‘mcpServers’ object, each server entry defines its setup, including fields such as command, arguments, environment variables, or a url.  Figure 3. mcp.json configuration format.  MCP servers commonly specify a command and arguments in their configuration. Examples include npx, uvx, and docker, though this key can be used to pass any valid command.  Figure 4. Example command-based MCP.  Alternatively, MCP servers may define a URL in their configuration which could point to either a remote or local MCP server, functioning similarly to an API.  Figure 5. Example of URL-based MCP.  Abuse preconditions observed (high‑level): (1) The user clicks a deeplink from an untrusted/spoofed source; (2) The user accepts an installation prompt; (3) Local conditions permit child‑process execution or remote server addition (e.g., default policies, EDR/allow‑listing, user permissions). We did not observe a silent “zero‑click” path in default configurations.   Cursor MCP install process   Cursor hosts an online MCP Directory that makes MCP servers available for installation.  Figure 6. Cursor MCP Directory (source:https://cursor.com/docs/context/mcp/directory).  Installation process  User clicks a Cursor deeplink from a source (ideally trusted).  Browser prompts to open Cursor IDE.  Cursor displays an installation dialogue showing the MCP server name and parameters.  User clicks "Install" to approve.  Cursor adds the MCP configuration to ~/.cursor/mcp.json.  Cursor executes the configured command (subject to OS/user permissions and local security controls).  During the installation process, the user is shown a preview of the configuration within an installation dialogue and is prompted that the MCP server will execute commands with the same privileges as the user.  Figure 7. Installation dialogue for installing example MCP server.  However, this warning is identical for all deeplinks, whether they are legitimate links from MCP directory or a malicious crafted deeplink. It is this mechanism that could be exploited to gain arbitrary local code execution or to socially engineer users into installing a malicious remote MCP server via deeplinks. Outcomes depend on environment, user privileges, and enterprise controls.  Security considerations  MCP servers create a new attack vector in AI development tools. Users are being encouraged to adopt AI, and many are writing and executing code for the first time without fully understanding security implications. The proliferation of AI coding assistants has normalized approval prompts, with even experienced developers becoming conditioned to approve in AI development environments.  Cursor executes user-privileged commands when users accept the install prompt. The command field in the MCP configuration is executed directly by the IDE as designed. IDE’s that support MCP servers are commonly deployed on developers workstations which may have privileged access including SSH keys, API tokens, cloud credentials, source code, and access to production systems.  Controls such as EDR, allow‑listing, and OS policies may limit or block abuse depending on configuration.  Deeplinks can use any name which can be used to masquerade as legitimate MCP servers (e.g., "Azure DevOps”) and there is no verification that the deeplink originates from the claimed vendor. Users should verify origin and review parameters prior to approval.    CursorJack: proof of concept  CursorJack is a proof-of-concept demonstrating that MCP deeplinks can be abused for local command execution or to install a malicious remote MCP server. The attack abuses the intended MCP installation flow combined with social engineering.  For this proof of concept, where testing was conducted exclusively in Outlook, it is shown that a custom protocol handler like cursor:// can be used to phish users, even when Outlook does not render such links as clickable. Results may vary with other email services. Attackers may also deliver deeplinks via browsers, chats, or documents (such as PDFs).  The phishing page redirects to the malicious deeplink, which encodes a malicious MCP configuration in base64. Once the user installs the MCP, the malicious installation command is executed.   Command execution: Meterpreter Reverse Shell  A phishing email directs the victim to a malicious landing page that triggers an MCP deeplink. The deeplink populates the mcp.json configuration with a malicious command that downloads and executes a batch script. This batch script functions as a stager and retrieves a Metasploit payload from attacker‑controlled infrastructure. The payload executes, establishing a full Meterpreter session that enables file system access, credential harvesting, and possible lateral movement.  1. Phishing Link Delivered.     The attacker sends a crafted HTTP link that email clients can render.    Figure 8. Phishing email.  2. When clicked, the phishing link redirects to a MCP install deeplink. This triggers the Cursor protocol handler, prompting the user to install the MCP within the Cursor IDE.  Figure 9. Landing page with automatic JavaScript direct to Cursor deeplink.  3. Malicious MCP config is accepted, triggering bat script download.    Figure 10. Cursor install command.  4. On install, Cursor executes the curl command to fetch run.bat from the attacker's server.    Figure 11. CursorJack PoC hosting phishing page and attacker resources. 5. run.bat is a staging script that uses curl to download and execute the Metasploit payload (p.exe) to the temp folder.   Figure 12. Contents of run.bat script which retrieves remote payload.  6. Payload executes and launches Metasploit payload independent of Cursor process.  Figure 13. Curl executing as a child process of Cursor.  7.  Figure 14. p.exe executing independently of Cursor.  8. Reverse shell connects and Meterpreter establishes connection to attacker's listener.  Figure 15. Successful Meterpreter session.  Command vs URL exploitation  Cursor's MCP can be configured via command or URL, and both paths are exploitable through deeplinks. While the POC used the command key to stage a payload, attackers could alternatively embed payloads directly in the deeplink or install a remote MCP via social engineering using the URL parameter.  Command  Command-based MCP grants immediate code execution with Cursor's privileges and persists across IDE restarts,  consistent with prior community reporting (CVE-2025-54136), with the install command executing each time Cursor is launched. Attackers can establish sessions, deploy software, or harvest credentials like SSH keys and API tokens including those stored in the mcp.json config itself.  URL  The URL key enables a different attack vector, socially engineering users into installing a malicious remote MCP server. While less powerful than local execution, this provides a foothold for MCP-based attacks like tool poisoning and cross-server manipulation, with lower visibility to security controls.  Delivery methods and obfuscation tactics  Mimic legitimate package installations   Adversaries may disguise their payload delivery by using familiar developer binaries like npx or uvx to pull malicious code from seemingly legitimate locations. This approach blends in with standard package installation patterns, making the malicious activity appear routine and reducing opportunities for detection.  Staging vs. embedded payloads   Malicious MCP deeplinks could potentially deliver payloads via remote staging or direct embedding. Staged payloads leave fewer local artifacts but require C2 availability and may trigger detection through suspicious outbound connections. Embedded payloads could avoid external retrieval and can be swapped server-side without modifying the deeplink, but the payload is static once distributed and fully recoverable from the deeplink, potentially increasing likelihood of detection. Both approaches can be mitigated by strict allow‑listing and content inspection.  Obfuscation techniques   Command obfuscation can conceal malicious MCP configurations, exploiting the user-dependent approval flow. A resolved vulnerability (CVE-2025-54133), as reported by its discoverers, previously allowed hiding command arguments from the installation dialog. Attackers may use encoding techniques or excessively long command strings to push harmful arguments outside the preview window, reducing user scrutiny.  Mitigations  The MCP ecosystem requires fundamental security improvements embedded directly into the framework architecture, rather than relying on additional security tools or user vigilance as the primary defense.  Regarding deeplink abuse, the installation process should address arbitrary command execution through the command parameter, such as through a more granular permissions model or containerization approach to isolate from the host OS.  A trusted MCP ecosystem with signing and verified publishers for MCP servers, analogous to browser extension or app installation stores, would establish server authenticity. A robust code signing mechanism would ensure users can verify the source and integrity of servers before installation, creating a marketplace-like environment for trusted MCP integrations.  Deeplinks from untrusted sources should be treated with the same caution as untrusted executables. Approval flows should incorporate granular security warnings and source verification to help users distinguish deeplinks from trusted and untrusted locations. Macros provide a strong security analogy: attackers historically manipulated users into enabling macros, resulting in arbitrary code execution. To mitigate this, internet‑sourced documents are tagged with Mark‑of‑the‑Web and subjected to stricter execution policies.  Disclosure and relationship notes  Proofpoint has no commercial, customer, partner, or vendor relationship with Cursor / Anysphere, Inc.  Proofpoint does not compete in Cursor’s market segment (AI developer IDE/tools). Product names are used for identification only; nothing herein is an endorsement or warranty.  We notified Cursor prior to publication; the report was closed as out‑of‑scope / Not Applicable under their policy. This post may be updated if Cursor issues guidance or product changes.  To facilitate additional research and experimentation, we’ve made the CursorJack POC code available on GitHub. 
Received — 12 March 2026 Proofpoint Threat Insight

Iran conflict drives heightened espionage activity against Middle East targets

11 March 2026 at 20:04
Analyst note: Proofpoint uses the UNK_ designator to define clusters of activity that are still developing and have not been observed for long enough to receive a numerical TA designation. This report reflects Proofpoint Threat Research’s observations as of the date of publication and does not constitute geopolitical analysis or policy commentary.  What happened  On 28 February 2026, the US and Israel conducted strikes targeting assets inside Iran, in a campaign the US called Operation Epic Fury. According to public sourcing, the attacks targeted Iranian missiles and air defenses, other military infrastructure, and Iranian leadership. Iran responded with retaliatory missile and drone strikes in the region, targeting US embassies and military installations.  As the war continues into its second week, several Iranian hacktivist groups and personas have claimed responsibility for various disruptive operations. Iranian espionage-focused threat groups remain somewhat active despite the Iranian government’s shutdown of the internet immediately following the initial US and Israeli attacks. For instance, on 8 March, Proofpoint observed the Iran-aligned threat actor TA453 (Charming Kitten, Mint Sandstorm, APT42) conduct a credential phishing attempt against a US thinktank target. The email correspondence culminating in this credential phishing attempt commenced prior to the beginning of the conflict, indicating that TA453 is continuing to prioritize intelligence collection against its traditional target set.  While it is unclear how wider Iranian cyber operations will continue, Proofpoint Threat Research has also observed an increase in campaigns from other state-sponsored threat actors targeting Middle East government organizations since the war began. These campaigns were conducted by both known groups and previously unobserved actors, with suspected attribution to China, Belarus, Pakistan, and Hamas. The campaigns heavily relied on aspects of the conflict as topical lure content to engage the targets and often used compromised accounts belonging to government organizations to send phishing emails. Proofpoint assesses that this activity reflects a mixture of threat actors opportunistically using the war as lure content to conduct routine operations and those with an increased focus on intelligence collection targeting Middle Eastern government and diplomatic entities.  Campaign #1: UNK_InnerAmbush  In early March 2026, the suspected China-aligned threat actor UNK_InnerAmbush conducted a phishing campaign targeting Middle Eastern government and diplomatic organizations. The emails were sent from a likely compromised email address "uzbembish@elcat[.]kg" and linked to a Google Drive URL. The initial wave began on March 1, one day after the conflict began. The theme of phishing emails observed in this initial wave was Ayatollah Khamenei’s death with an attempt to share sensitive images from the US “Department of Foreign Affairs”. Later waves purported to share evidence that “Israel prepares to attack Gulf oil and gas infrastructure to frame Iran.”  Figure 1.UNK_InnerAmbush phishing email linking to archive hosted on Google Drive.  The Google Drive URL hosted a password protected ZIP or RAR archive named "Photos from the scene.rar" or "Strike at Gulf oil and gas facilities.zip". These archives contained several Microsoft Shortcut (LNK) files disguised as JPG images, which run a loader executable stored within a hidden subfolder.  A decoy image is shown to the user, and the loader executes a benign signed executable vulnerable to DLL sideloading ("nvdaHelperRemoteLoader.exe"). Upon execution, "nvdaHelperRemoteLoader.exe" loads the malicious loader DLL "nvdaHelperRemote.dll" which decrypts a Cobalt Strike payload from WinHlp.hlp and loads it into memory. The Cobalt Strike payload uses a customized malleable C&C profile and communicates with the C&C domain "support.almersalstore[.]com".  The phishing emails also contained unique tracking pixels hosted on a likely compromised website to track target engagement. These were in the format: "hxxps://deepdive.hypernas[.]com/hypernas/api/page.php?uid= <target-email-address>".  Campaign #2: TA402  In early March 2026, TA402 (Frankenstein, Cruel Jackal) targeted a Middle Eastern government entity with an email credential phishing campaign. The actor used a compromised Ministry of Foreign Affairs of Iraq sender account ("ban.ali@mofa.gov[.]iq") and an attacker-controlled account ("nqandeel04@gmail[.]com") to send the phishing emails. The emails had conflict-themed subjects referencing a potential US ground operation in Iran and a Gulf military alliance to confront Iranian threats.  The emails contained a URL that selectively served either a decoy PDF or a credential harvesting page depending on the target’s IP geolocation.  The actor-controlled site was designed to impersonate Microsoft Outlook Web Application (OWA):  "hxxps[:]//mail[.]iwsmailserver[.]com/owa/auth/logon.aspx?uid=<target_specific_uuid>"  Figure 2. TA402 Outlook Web App (OWA) phish hosted on iwsmailserver[.]com.  If the target enters credentials, the values are sent via HTTP POST to an authentication endpoint on the same host.  Campaign #3: UNK_RobotDreams  On 5 March 2026, a suspected Pakistan-aligned actor Proofpoint calls UNK_RobotDreams sent spearphishing emails to India-based offices of Middle East government organizations. The email was sent from an Outlook freemail address impersonating India's Ministry of External Affairs: "jscop.mea.gov.in@outlook[.]com". The email used the subject “Gulf Security Alert: Iran Retaliation Impacts” referencing the Iran war to increase credibility and urgency.  The emails delivered a PDF attachment containing a blurred decoy and a fake Adobe Reader button.  Figure 3. UNK_RobotDreams PDF attachment leading to executable hosted on defenceprodindia[.]site.  Clicking the button redirected the victim to an actor-controlled URL: "hxxps://defenceprodindia[.]site/server.php?file=Reader_en_install". The URL implemented geofencing and served a decoy PDF to users outside the target region and an EXE payload to intended targets.  The downloaded executable ("Reader_en_install.exe") functioned as a .NET loader that used PowerShell (via "conhost.exe") to retrieve a Rust backdoor from the C&C host "endpoint1-b0ecetbuabcdg9cp[.]z01[.]azurefd[.]net", which was written to a file named "VLCMediaPlayer.exe". The Rust backdoor performed host fingerprinting and communicated with command and control using the same Azure Front Door hosted infrastructure.  This campaign and infrastructure overlapped with public reporting by Bitdefender; however, Proofpoint does not currently track the activity as a named actor.  Campaign #4: UNK_NightOwl  On 2 March 2026, a suspected state-aligned actor that Proofpoint Threat Research calls UNK_NightOwl sent emails from both a likely compromised account and an attacker-owned freemail account to a government ministry in the Middle East. The compromised account appears to belong to the Ministry of Emergency and Disaster Management in Syria ("ali.mo@med.gov[.]sy"), and the freemail account was for a fake organization called War Analyse Ltd ("war.analyse.ltd@outlook[.]com"). The attackers targeted a government ministry in the Middle East and referred to the conflict in the Middle East as a lure topic with the subject “About Escalating Situation.”  The emails included a domain that spoofed Microsoft OneDrive, but the URL led to a Microsoft Outlook Web Application (OWA)-themed credential harvesting page. The URL was target-specific with a client ID showing a fake session error and prompting the target to sign in again: "hxxps://iran.dashboard.1drvms[.]store/errors/sessionerrors/expire?client=<redacted>" Figure 4. UNK_NightOwl OWA credential phishing site hosted on 1drvms[.]store.  If the user enters credentials and clicks the sign in button, the target is redirected to "hxxps://iran.liveuamap[.]com/", a legitimate open-source platform called Liveuamap with news updates on the Middle East conflict.  Figure 5. Redirection to iran.liveuamap[.]com after target enters credentials.  Proofpoint attributes this campaign to a new cluster called UNK_NightOwl as the observed activity does not align with any currently tracked actors.  Campaign # 5: TA473  Between 3-5 March 2026, the Belarus-aligned threat actor TA473 (Winter Vivern) sent emails to government organizations in Europe and the Middle East. These messages originated from likely compromised infrastructure and purported to be a European Council President spokesperson. The phishing emails contained a HTML attachment titled "european union statement on the situation in iran and the middle east.html". Notably, Proofpoint has not previously observed TA473 targeting Middle Eastern government organizations.  Figure 6. TA473 phishing email spoofing spokesperson for the European Council President.  The HTML file, if opened, displays a decoy image to the user and conducts HTTP request to a URL of the format "hxxps://unityprogressall[.]org/imagecontent/getimgcontent.php?id=<target-email-address>". Proofpoint Threat Research was unable to retrieve any next-stage payloads at the time of analysis. Based on the HTML content, these HTTP requests were likely intended for tracking purposes rather than delivering follow-on malicious payloads.  Campaign #6: TA453  Proofpoint’s tracking of known Iranian actors has surfaced only one campaign so far since the beginning of the war. In late February into early March, Iran-aligned actor TA453 (Charming Kitten, Mint Sandstorm, APT42) used an attacker-owned freemail account "McManus.Michael@hotmail[.]com" spoofing Michael McManus, the head of research at the Henry Jackson Society, to target an individual at a thinktank in the US.  The initial thread had begun prior to the war as part of typical TA453 espionage activity with a benign email invitation sent to a target’s personal account in February. The email exchange then continued with further targets' corporate accounts after the war, suggesting that TA453 is maintaining its intelligence collection efforts during the ongoing conflict.  The email was themed around an invitation to participate in a roundtable on air defense in the Middle East. Part of the benign outreach included a OneDrive link to a benign PDF ("Air Defense Depletion & Deterrence in the Middle East.pdf") with the proposal for the roundtable to support a credible lure.  "hxxps://1drv[.]ms/b/c/cbec61ab8028f986/IQDa9igU3D3BRqiyNtth76AzAbOM6jUpa8apnuRl-zKXKow?e=E8bIfd"  Figure 7. Benign OneDrive link hosting PDF proposal for Henry Jackson Society roundtable.  Once a rapport had been established with the target, the following email in the exchange included a malicious URL disguised as a link to another PDF called "Air Defense Depletion & Deterrence in the Middle East-Event Overview.pdf".  The URL used an attacker-owned domain ("transfergocompany[.]com") that then redirected to a OneDrive-themed credential phishing page hosted on the cloud-hosting service Netlify ("fileportalshare.netlify[.]app") pre-filled with the target’s email.  Figure 8. OneDrive spoofing credential phishing landing page.  Why it matters  As the conflict involving Iran and regional actors continues, the operations of Iranian threat actors remain a mix of traditional espionage and disruptive campaigns in support of war efforts. Proofpoint also observed a range of non-Iranian threat groups targeting Middle Eastern governments with conflict-themed social engineering. While several of these groups incorporated the war-themed lure content in operations that are largely consistent with typical targeting remits, others demonstrated a shift toward intelligence collection against Middle Eastern government and diplomatic entities. This likely reflects an effort to gather regional intelligence on the standing, trajectory, and broader geopolitical implications of the conflict. This suggests the conflict is being used both as a topical social engineering pretext and a driver of collection priorities for a range of state-aligned threat actors.  Indicators of compromise  UNK_InnerAmbush  Indicator   Type   Description   First Seen    uzbembish@elcat[.]kg  Email address  Sender email (likely compromised)  March 2026  fed6ebb87f7388adf527076b07e81dfa432bac4e899b0d7af17b85cc0205ffad  SHA256  Photos from the scene.rar  March 2026  a9de383c6a1b00c9bd5a09ef87440d72ec7fc4bcd781207b3cace2f246788d4d  SHA256  Strike at Gulf oil and gas facilities.zip  March 2026  dfaaaf75147afbd57844382c953ec7ef36f68a9c17c66a47a847279a6b1109c9  SHA256  _1c9fe357-a209-4c71-923f-34acd3d337a5.jpg.lnk  March 2026  4b9661092051839496c04169ccb52b659c0f65cefd14a990e23565a0c0e8eeaf  SHA256  20260301_100324.jpg.lnk  March 2026  d518262dd687a48f273966853f3ed4eb7404eb918b165bb71ff83f75962c0104  SHA256  LaunchWlnApp.exe  March 2026  b58ec14b0119182aef12d153280962ad76c30e3cd67533177d55481704eba705  SHA256  OfficeClickToRun.scr  March 2026  7b6d69a249fe2adf43eefc31cdeca62cf48ab428fcbf199322feeb99d24fb001  SHA256  nvdaHelperRemote.dll  March 2026  a8acb9864e6f64323ed75e69038ca9bfe76f7b1b0d24ec7df8ac07b6dbd641a3  SHA256  nvdaHelperRemote.dll  March 2026  14efa1194cc4c6aa5585d63c032268794364123d41a01121cbd5e56f7c313399  SHA256  WinHlp.hlp  March 2026  support.almersalstore[.]com  Hostname  Cobalt Strike C&C  March 2026  almersalstore[.]com  Domain  Cobalt Strike C&C  March 2026    TA402  Indicator   Type   Description   First Seen    ban.ali@mofa.gov[.]iq  Email address  Sender email (likely compromised)  March 2026  nqandeel04@gmail[.]com  Email address  Sender email  March 2026  hxxps://mail.iwsmailserver[.]com/owa/auth/logon.aspx?uid=<target_specific_uuid>  URL  OWA credential phishing URL format  March 2026  iwsmailserver[.]com  Domain  TA402-controlled domain  March 2026    TA473  Indicator   Type   Description   First Seen    maria.tomasik@denika[.]se  Email address  Sender email (likely compromised infrastructure)  March 2026  hxxps://unityprogressall[.]org/imagecontent/getimgcontent.php?id=<target-email-address>  URL  URL format contacted by HTML attachment  March 2026  unityprogressall[.]org  Domain  TA473-controlled domain  March 2026  72.60.90[.]32  IP address  Hosting IP address for unityprogressall[.]org  March 2026    UNK_NightOwl  Indicator  Type  Description  First Seen  war.analyse.ltd@outlook[.]com  Email address  Sender email  March 2026  ali.mo@med.gov[.]sy  Email address  Sender email (likely compromised)  March 2026  hxxps://iran.dashboard.1drvms[.]store/errors/sessionerrors/expire?client=[redacted]  URL  Credential harvesting page  March 2026      UNK_RobotDreams  Indicator  Type  Description  First Seen  jscop.mea.gov.in@outlook[.]com  Email address  Sender email  March 2026  hxxps://defenceprodindia[.]site/server.php?file=Reader_en_install  URL  Delivery URL  March 2026  defenceprodindia[.]site  Domain  UNK_RobotDreams-controlled domain  March 2026  hxxps://endpoint1-b0ecetbuabcdg9cp.z01.azurefd[.]net:443/download.php?file=cnVzdHVwaW5pdA  URL  Azure Front Door staging URL  March 2026  endpoint1-b0ecetbuabcdg9cp[.]z01[.]azurefd[.]net  Hostname  Azure Front Door staging and C&C hostname  March 2026  9477d9cd1435dc465b4047745e9c71103a114d65ed0d5f02ac3c97ac3f1dbf47  SHA256  gulf_disruption_advisory_march2026.pdf  March 2026  a9f4f4bc12896d0f0d2eeff02dd3e3e1c1406d8a6d22d59aa85f151d806ba390  SHA256  Reader_en_install.exe  March 2026  ea1d98a41ad9343d017fa72f4baeeca0daa688bec6e0508e266c5e37e9d330de  SHA256  VLCMediaPlayer.exe  March 2026      TA453  Indicator  Type  Description  First Seen  McManus.Michael@hotmail[.]com  Email address  Sender email  February 2026  hxxps://1drv[.]ms/b/c/cbec61ab8028f986/IQDa9igU3D3BRqiyNtth76AzAbOM6jUpa8apnuRl-zKXKow?e=E8bIfd  URL  Delivery URL  March 2026  16db04b632668dae081359fc07c97e5a9b79dad61713642e48b494aa6b7828be  PDF  Benign lure PDF  March 2026  transfergocompany[.]com  Domain  TA453-controlled domain  March 2026 

Disruption targets Tycoon 2FA, popular AiTM PhaaS

5 March 2026 at 01:28
Key findings  Tycoon 2FA is one of the most popular phishing-as-a-service (PhaaS) platforms currently used by threat actors, and highest volume adversary-in-the-middle (AiTM) phishing threat in Proofpoint data.  Tycoon 2FA infrastructure was disrupted by public and private partners, including Proofpoint, Microsoft, Europol, Cloudflare, Coinbase, Crowell, eSentire, Health-ISAC, Intel 471, Resecurity, The Shadowserver Foundation, SpyCloud, and TrendAI, and additional European law enforcement partners.  The Tycoon 2FA disruption and associated lawsuit naming the creator will have a significant impact on Tycoon 2FA, related infrastructure, and threat actor activity.    Proofpoint was proud to assist in the law enforcement and private sector investigations into Tycoon 2FA activity and supported Microsoft’s action with data, including malicious domains and information related to Tycoon 2FA campaigns.  Overview  Tycoon 2FA operates as an AitM phishing kit. Its primary function is to harvest usernames, passwords, and Microsoft 365 and Gmail session cookies. Attackers use these cookies to circumvent multifactor authentication (MFA) access controls during subsequent authentication. That allows them to achieve full account takeover (ATO) and gain unauthorized access to a user’s accounts, systems and cloud services—even those that have MFA as an additional security measure.  According to Proofpoint threat data, in 2025, 99% of organizations experienced account takeover attempts, and 67% experienced a successful account takeover. Of these, 59% of taken over accounts had MFA enabled. While not all MFA bypassing ATO campaigns are attributable to Tycoon 2FA, Tycoon 2FA is the highest volume AiTM phishing threat in Proofpoint visibility. Tycoon 2FA threat volumes vary based on actor activity, and in February 2026, Proofpoint observed over three million messages associated with Tycoon 2FA.   Tycoon 2FA infrastructure, including domains and servers, was disrupted in collaboration with private and public partners including Proofpoint, Microsoft, Europol, Cloudflare, Coinbase, Crowell, eSentire, Health-ISAC, Intel 471, Resecurity, The Shadowserver Foundation, SpyCloud, and TrendAI. In coordination with Europol, law enforcement in Latvia, Lithuania, Portugal, Poland, Spain and the United Kingdom carried out a seizure of infrastructure and other operational measures. Microsoft and co-plaintiff Health-ISAC also filed a lawsuit against the alleged Tycoon 2FA creator, Saad Fridi, and unnamed associates. The disruption and associated civil filing in the United States Southern District of New York will have a significant impact on Tycoon 2FA operations and overall threat activity.   Proofpoint supported Microsoft’s action with threat data from our visibility, including malicious domains and information related to Tycoon 2FA campaigns, and provided a declaration for the suit.   In addition to the disruption, the following splash page was displayed on the seized Tycoon 2FA domains:    Figure 1. Tycoon 2FA splash page.  Tycoon 2FA campaign details  Tycoon 2FA relies on attacker-controlled infrastructure to host the phishing webpages. Using a synchronous proxy the platform allows the interception of victims’ entered credentials. The credentials are then relayed to the legitimate service for a transparent, successful login, prompting MFA requests. The resulting session cookies are relayed back to the threat actors.    Tycoon 2FA is sold as a phishing-as-a-service (PhaaS), meaning that threat actors purchase access to the phishing tool and then they can customize it to suit their specific needs. The kit can be used multiple times through the duration of the subscription. Tycoon 2FA is used by multiple different threat actors, and sold by one main individual. It has been sold on Telegram since 2023 and was initially distributed via the “Saad Tycoon Group” channel.  Some Tycoon 2FA users are leveraging “ATO Jumping” whereby the actor compromises an initial email account, uses the compromised sender to broadly distribute Tycoon 2FA URLs, and attempts further account takeover (ATO) activities. Using this technique enables emails to look like they are authentically coming from a victim’s trusted contact, increasing the likelihood of a successful compromise.  Tycoon 2FA infections can lead to a variety of malicious activities including theft of private data including financial information, personally identifiable information, proprietary business information; full account takeover and access to M365 hosts that can be sold to additional threat actors; and potentially lead to follow-on malware compromises including ransomware.  Proofpoint has regularly tracked actors using the Tycoon 2FA phishing kit since 2024. We observe Tycoon 2FA distributed via email campaigns. A campaign is a time-bound set of related activity that is clustered by indicators of compromise (IOCs) such as senders, URLs, attachments, Tycoon 2FA configuration, etc. Tycoon 2FA campaigns vary in terms of scale; some include just a handful of messages; some include millions of messages. Campaign timelines can range from one day to one week.  Tycoon 2FA distribution depends on the criminals’ preferred method of email spam. Emails may contain malicious links, QR codes, SVGs, or attachments with URLs. In all cases, a user is redirected to an actor-controlled URL that displays a unique CAPTCHA resolution that, if solved, will direct to an attacker-controlled site impersonating a Microsoft or Google login portal. In many cases, the threat actor will display a target organization’s Azure Active Directory branding to further the social engineering component and trick a user into thinking they are entering their credentials into a real corporate site.   Figure 2. Email lure observed in late January 2026 with a PDF attachment containing a QR code leading to Tycoon 2FA.  Figure 3. Example CAPTCHA used by Tycoon 2FA, January 2026.   Figure 4. Tycoon 2FA landing page with the target organization’s logo redacted, January 2026.  Tycoon 2FA campaigns are typically opportunistic and target a broad range of organizations and often leverage compromised accounts to spread their phishing kits. Proofpoint has observed Tycoon 2FA distributed via compromised accounts from various industries including legal, real estate, healthcare, government, education, construction, and technology, as well as personal emails such as Gmail addresses.  Tycoon 2FA customers manage their campaigns via a panel provided by the Tycoon 2FA creator. The panel landing pages have changed slightly since 2023, but overall, the general URL structure and landing page functionality has remained the same.   Figure 5. Tycoon panel login screen, February 2026.   The current panel (as of February 2026) also requires a CAPTCHA.  Impact  The majority of tracked Tycoon 2FA campaigns impact North America, mainly the U.S. and Canada, with additional activities targeting many European countries including Germany, Spain, France, and the UK. According to Microsoft, Tycoon 2FA enabled cybercriminals to access almost 100,000 organizations, including schools, hospitals, non-profits, and public institutions.  Based on Proofpoint’s visibility, the following is an example of industries that were targeted in observed Tycoon 2FA campaigns in our threat data, and the percent of campaigns in which they appeared. (Individual campaigns impact multiple different targets).  Vertical  Percent of Tycoon 2FA Campaigns  Aerospace  73%  Business Services  82%  Defense  64%  Education  75%  Energy  78%  Financial Services  84%  Government  79%  Healthcare  83%  Hospitality  76%  Manufacturing  83%  Real Estate  77%  Technology  85%  Utilities  76%    Disruption  On 4 March 2026, Microsoft announced a lawsuit and disruption action against the Tycoon 2FA creator and multiple unnamed associates. Proofpoint supported the civil filing by providing a declaration regarding Tycoon activity, including infrastructure and campaign details. Microsoft seized 330 control panel domains associated with Tycoon 2FA. This action will have a significant impact on operations, disrupting ongoing criminal activity.    Successful account takeovers can cause significant harm to compromised organizations including financial and reputational damage, loss of proprietary data, and potentially lead to follow-on attacks like ransomware that can have destructive and potentially organizational damaging consequences.  Proofpoint’s mission is to provide the best human-centric protection for our customers against advanced threats. Whenever it is possible and appropriate to do so, and as is the case with the Tycoon 2FA disruption, Proofpoint uses its team’s knowledge and skills to help protect a wider audience against widespread malware and phishing threats. Proofpoint was proud to assist in the law enforcement and private sector investigations into Tycoon 2FA activity.   Through its unique vantage point, Proofpoint is able to identify the largest and most consequential malware distribution campaigns, providing the authorities with much-needed insight into the biggest threats to society, affecting the greatest number of people around the world. 
Received — 19 February 2026 Proofpoint Threat Insight

(Don't) TrustConnect: It's a RAT in an RMM hat

19 February 2026 at 18:13
Key findings  Proofpoint observed a new malware-as-a-service (MaaS) masquerading as a legitimate remote monitoring and management (RMM) tool. It calls itself TrustConnect.   The “business page” – clearly created by automated tooling of some kind– is actually the login for the MaaS. As of this writing, access was advertised at $300 per month.  Based on details of the malware creator, capabilities of the malware, and knowledge of the ecosystem, we assess with moderate confidence the threat actor behind TrustConnect was also a prominent user of Redline stealer.  Proofpoint, in collaboration with intelligence partners, disrupted some of the malware’s infrastructure, causing an impact to cybercrime activities. But the actor demonstrated resilience, with another fake RMM website identified shortly before publication that advertised malware called DocConnect.  Overview  RMM tools continue to be many attackers’ top choice for initial access. Such enterprise remote support software like SimpleHelp, SuperOps, Datto, N-able and others are frequently delivered via email campaigns by cybercrime actors or used as follow-on payloads once an actor achieves initial access. (As always, the legitimate RMM tools mentioned in this report are just that — legitimate. It’s the threat actors doing the abusing. We call out brand names strictly to explain what the actors misused, not because the vendors themselves had any hand in the activity.)  But at the end of January, Proofpoint observed a weird twist on the RMM landscape: a threat actor created a malware masquerading as an RMM called “TrustConnect Agent.”  Initially, TrustConnect appeared to be another legitimate RMM tool being abused. Given the sheer number of existing remote administration tools available for threat actors to choose from, and their prevalence in the threat landscape, it could have made sense. But upon investigation, Proofpoint researchers identified evidence that showed TrustConnect is actually new malware-as-a-service (MaaS) classified as a remote access trojan (RAT).   TrustConnect details  Malware portal  The malware domain, trustconnectsoftware[.]com, was created on 12 January 2026. This site purports to be an RMM tool called TrustConnectAgent. The malware creator uses the domain as the “business website” designed to convince the public (including certificate providers) that the software is a legitimate RMM app, providing fake details like customer statistics and software documentation. Proofpoint suspects the actor used an LLM to create the site.  This website is also the portal for criminals to sign up for the service and acts as the command and control (C2) for the malware. Cybercriminals are instructed to sign up for a "free trial", instructed on how to pay in cryptocurrency, and then verify payment in the TrustConnect portal.   Figure 1. TrustConnect “business website”.  The website is also the front they used to purchase a legitimate Extended Validation (EV) certificate in the name of "TrustConnect Software PTY LTD", supposedly based in Alexandra, South Africa. The certificate was valid from 27 January, and the actor used this EV certificate to sign the malware. Obtaining EV certificates costs thousands of dollars and requires additional levels of validation on behalf of the domain holder. Such certificates are supposed to demonstrate that the domain and related business is trustworthy. When used by threat actors, they can help criminals evade signature-based detections. Threat actors can pay malicious providers for EV certificates or attempt to create them on their own.   In collaboration with fellow researchers at The Cert Graveyard, Proofpoint was able to get the EV certificate revoked on 6 February 2026, removing the trick the actor was using to bypass security tools and adding friction to their operations. However, the revocation of the certificate was not backdated, so the old signed files remained valid. This aligns with the actor stopping new subscriptions, but current customers could still distribute the files via email campaigns.  Campaign details  Threat actors in the RMM ecosystem frequently rotate payloads, which allows a specific URL to lead to different malware or abused RMMs throughout a campaign. Though likely that some low volume testing was done in previous weeks based on similar file sizes and file naming, threat actors were confirmed distributing TrustConnect on 27 January, correlating with the date the seller began digitally code signing the software. Proofpoint has observed campaigns from multiple different threat actors distributing this malware.   For example, beginning on 26 January we observed a campaign purporting to be invitations for bids and to an event. Messages were sent from compromised senders and email body copy included both English and French.   Figure 2. Bid invite lure distributing TrustConnect RAT.  Figure 3. French language lure distributing TrustConnect RAT.  Messages contained URLs leading to an executable file "MsTeams.exe". The MsTeams file Proofpoint retrieved on 30 January 2026 was signed with the original filename “MsTeams.dll” with the EV certification dated 29 January and belonging to “TrustConnect Software PTY LTD.”, meaning that the threat actor either used an unsigned executable or some other payload early in the campaign  The executable dropped a file called "TrustConnectAgent.exe" which communicated with the TrustConnect RAT C2 server, and likely led to the installation of additional payloads.  Figure 4. Payload EV cert timeline.  Threat actors distributing TrustConnect have used a variety of lure themes including taxes, document shares, meeting invitations, events, and government themes. The MaaS provides templates for many different kinds of brand abuse, which we will describe in the next section.   Interestingly, researchers also observed campaigns delivering multiple different RMMs alongside TrustConnect. One campaign observed over a four-day period leveraged a single sender, with lures containing overlapping payload URLs, to deliver multiple executables in late January 2026.  Figure 5. Due diligence themed lure delivering LogMeIn RMM.  Proofpoint observed the following variations of the campaign:   31 January and 01 February: messages contained URLs leading to an executable file which, if executed, installed ScreenConnect.  03 February: observed messages contained URLs leading to an executable file which, if executed, installs LogMeIn Resolve.  03 February: observed messages contained URLs leading to an executable file "reference_letter_sign.exe". This dropped a file called "TrustConnectAgent.exe" leading to the installation of TrustConnect RAT.  Additionally, Proofpoint has observed TrustConnect campaigns leading to the follow-on deployment of a legitimate remote access tool, typically ScreenConnect. Proofpoint observed TrustConnect deploying ScreenConnect from at least nine distinct on‑premises (self‑hosted) ScreenConnect servers over a 10‑day period. All were older versions signed with expired or revoked certificates, suggesting the instances were illegitimately purchased previously or possibly pirated. Proofpoint also observed deployment of Level RMM via an abused account as well as hands‑on-keyboard activity. This activity occurred within minutes of TrustConnect installation, reinforcing the assessment that it is used by multiple threat actors. (We reported it to Level, and the account was disabled by the vendor.)  The use of legitimate remote enterprise tooling both alongside and as a follow-on malware suggest this RAT is very much embedded with the overall ecosystem of threat actors abusing these tools, and the MaaS provider is likely selling to the same customers abusing real RMM payloads and infrastructure in campaigns.  Malware capabilities and C2 panel  The platform provides a web-based C2 dashboard, automated payload generation with digital signatures, and a subscription-based access model which costs $300 per month paid via cryptocurrency. The centralized C2 server, trustconnectsoftware[.]com, manages multiple customers.  Figure 6. TrustConnect public sign-in page with link to free sign up.  After registering for a free account, which requires that the user enter their email, "company name", and create a password, they are then prompted to verify their account with an one-time password (OTP) provided in an email that is sent via integration with Zoho transactional email service.  Figure 7. OTP code for account verification at sign-up.  Figure 8. OTP entry.  Once the email has been verified, the visitor is redirected to a subscription page, that despite previously stating that a free trial was available, claims that the account is blocked and that payment is needed to continue using the service.  Figure 9. TrustConnect subscription dashboard.  The subscription dashboard states that the subscription costs U.S. $300/month, and that the payments can be made in the cryptocurrencies Bitcoin or USDT. It provides wallet addresses to pay in either of these currencies. After manual payment, the customer needs to paste the transaction hash (publicly available on the blockchain) and click a button to verify the transaction. The verification is performed automatically by the server, by verifying in the blockchain that the transaction has occurred to the wallet, and that the transaction hasn’t been registered in the panel previously. This suggests that the seller has a database of payments and who paid when. This, in combination with the requirement of an email address, makes the payment not as anonymous as customers thought.  Even though the server-side blockchain verification checks that the transaction has happened, it doesn’t check if the transaction happened before the service opened for registration.  Figure 10. Infected devices page (with mock devices).  The Device page of the C2 dashboard lets the attacker see the devices that have the RAT installed. It’s possible to execute pre-defined commands or run custom commands directly on the device, transfer files to the device, view system information and connect to the device via a remote desktop function. It’s also possible to organize the devices into different custom groups. This page as well as others have a scrolling text that states “Note: Download the EXE, then upload to your own hosting/domain. Send your hosted link to targets for best results - avoids browser flagging.”  The C2 dashboard provides a real-time audit of connected devices, with a timeline feature that shows the relevant actions taken by the MaaS, such as registration, deployment of the RAT, commands executed and so on.   Figure 11. TrustConnect audit dashboard.  Notably, there doesn’t seem to be any functionality to disable or clear the audit log, making it hard for the attacker to erase evidence of malicious activity.  Figure 12. RDP dashboard view.  The remote desktop management function includes features for full mouse and keyboard control, surveillance on the compromised host, UAC bypass, ability to hide operator activity from the victim, screen recording, and the ability to switch between victim displays. The screen is streamed via unauthenticated WebSocket.  TrustConnect generates “branded” installers that bundle legitimate icons and metadata with payload delivery. The brands used are commonly observed across the ecrime threat landscape and are frequently seen used as lures in other cybercriminal RMM campaigns. Lures include:   Corporate: Zoom, Microsoft Teams, Adobe Reader, Google Meet.  Government and Business: "Proposal", "Special Events", "Social Security Administrative"  As well as a generic installer just branded as “TrustConnect” likely designed to masquerade as a real RMM.  Figure 13. Advertised "branded" installers.  Each one of the installers can be downloaded from the C2 via an URL without being signed in, allowing direct download of the malicious installers. The EXE files are named in line with the impersonated brand:  ZoomWorkspace.exe  AdobeReader.exe  MsTeams.exe  Proposal.exe  GoogleMeet.exe  Ssa.exe  SpecialEvents.exe  Installer.exe  The downloaded file is around 35 MB, containing metadata from the impersonated brand as well as pre-configured with the attackers install token so it will join the corresponding “organization” in the C2 panel. The internal name of the file matches the EXE but uses the file extension .dll. This is likely an artifact of the application being compiled as a .NET Core single-file executable, which inherits the name of the source DLL it was built from. Each EXE is signed, and since each installer type contains the specific metadata of the impersonated brand, each customer will at minimum have access to files with eight different hashes. In addition to this, it’s possible to generate a new install token in the panel, which would generate new hashes.  Example EXE download URL:          <hxxps://trustconnectsoftware[.]com/downloads/brands/[organization_name]/MsTeams.exe>   The page also has instructions on how to run a one-liner PowerShell script to run a remote intermediate script that will install the RAT (possibly to be used in ClickFix attacks), as well as system requirements and deployment instructions.  Figure 14. Quick deploy commands.  Figure 15. Deployment guide and system requirements.  Customers also have access to a settings page, where they can enable two-factor authentication and set up Telegram bots to receive notifications when devices connect or disconnect, which means that the MaaS owner has stored ample information about the customers, from email and organization name to cryptocurrency wallet and Telegram tokens.  In addition to the customer-accessible pages above, there is also a hidden “admin-approvals” page that the user will be redirected to if logged in as a “SuperAdmin.”  Figure 16. JavaScript redirect for hidden “admin-approvals” page for SuperAdmin.  This page is an internal admin dashboard intended to be accessed by the MaaS owner or support.   Figure 17. Admin Dashboard (with mock data). In addition to managing customers, like adding days to the subscription or deleting them, the administrator can also list all online devices that the RAT is installed on, independent of which customer installed it. Notably, at this page the creator clearly labels these devices as “Victims”.  The platform links the operator's identity to the payload through a specific chain:  Operator Email: [Registered email in clear text] (Login credential)  Organization ID: [Internal UUID]  Organization Name: [organization name] (User-defined display name on sign up)  Download Path: .../brands/organization_name/... (Derived from Organization Name, used for EXE generation)  Installer Token: [token] (Unique key embedded in the EXE/Script to map victims back to the Org ID, can be expired and rotated by the customer in the panel)  Additional malware details  The malware communicates with the C2 on the same API as the web panel and doesn’t use any additional encryption other than standard SSL/TLS. Below are some examples of traffic:  POST /api/agents/register  Figure 18. TrustConnect check-in.  GET /api/agent-commands/  Figure 19. TrustConnect receiving PowerShell command to install ScreenConnect.  The following is a partial API endpoint map documenting methods and functions of the malware:  Category  Endpoint  Method  Function  Auth   /api/auth/login   POST   JWT Authentication      /api/auth/verify-login   POST   2FA Verification   C2   /api/devices   GET   List victims      /api/commands/run   POST   Execute shell command      /api/files/upload   POST   Upload file to victim   Viewer   /ws/viewer   WS   Remote Desktop Stream      /api/screen/start   POST   Initialize session      /api/recordings/chunk/{id}   POST   Upload screen recording   Malware   /api/agents/register   POST   Agent registration      /api/installer/script   GET   Get PowerShell loader     /api/agents/heartbeat  POST  Agent Heartbeat    /agent-update  GET  Agent Update    /api/files/browse/pull  GET  Agent file browse    /api/files/pull  GET  Agent file download    /api/agent-commands/  GET  Agent command retrieval    /ws/screen  GET  WebSocket Upgrade (RDP)    /api/agent-commands/result  POST  Agent command result  Admin   /api/admin/devices/online   GET   Super-Admin Global victim list      /api/admin/control-mode/check/{id}   GET      The malware C2 was hosted on 178[.]128[.]69[.]245. Proofpoint initiated coordinated remediation of the service, which concluded at ~00:00 UTC on 17 February 2026 and impacted the actor’s infrastructure. Supporting industry partners wish to stay anonymous.   Shortly before publication of this report, Proofpoint analysts identified a pivot to parallel infrastructure and testing of a new agent payload, called "DocConnect" or "SHIELD OS v1.0". Preliminary analysis reveals the new C2 panel is a React Single Page Application (SPA) backed by Supabase. Despite the architectural shift, the platform shares the distinct "vibe-coded" style observed in the TrustConnect website.  Initial analysis of the new agent shows the integration of SignalR instead of raw WebSockets, as well as giving users of the reworked MaaS the ability to include custom PDF lures in the installer itself. The new default name the installer is "DocConnect.Agent.exe".  Attribution  The malware panel includes a Telegram handle (@zacchyy09) for support and sales inquiries.   Figure 20. Support Telegram handle.  In addition, on 6 February 2026 (the same date the EV certificate was revoked), the open registration was closed and replaced with instructions to contact the same Telegram handle to get access to the MaaS:  Figure 21. Sign up instruction on February 6. Notably, this handle was also mentioned as a VIP customer in Operation Magnus, a joint law enforcement effort led by the Dutch National Police to disrupt Redline and META information stealers in October 2024. It is possible a different threat actor is using the same handle. However, based on campaign artifacts, infrastructure, and malware delivery, Proofpoint assesses with moderate confidence, the TrustConnect actor was also likely a Redline customer.   Figure 22. Screenshot of some VIP users from Operation Magnus disruption video.  Conclusion  The emergence of TrustConnect MaaS demonstrates a few major themes:  Disruptions to MaaS operations like Redline, Lumma Stealer, and Rhadamanthys, have created new opportunities for malware creators to fill gaps in the cybercrime market. While these disruptions are effective and impose cost on adversaries, emerging malware shows threat actors will always be looking for new ways to compromise victims.   The RMM abuse ecosystem is thriving. Although TrustConnect only masqueraded as a legitimate RMM, the lures, attack chains, and follow-on payloads (which include RMMs) show overlap with techniques and delivery methods that are frequently observed in RMM campaigns and used by multiple threat actors.   Based on website artifacts and functionality, both TrustConnect and DocConnect websites and agents are likely coded with the assistance of AI Agents, but the new version is significantly more advanced. It shows how threat actors quickly can gain momentum by the help of AI, just like the rest of the society.  Proofpoint would like to thank our colleagues at ConnectWise ScreenConnect for collaborating on taking down abused instances.   Emerging Threats rules  2067351 - ET MALWARE TrustConnect RAT CnC Domain in DNS Lookup (trustconnectsoftware .com)  2067352 - ET MALWARE Observed TrustConnect RAT Domain (trustconnectsoftware .com in TLS SNI)  2067682 - ET MALWARE TrustConnect RAT CnC Activity (Files Browse)  2067683 - ET MALWARE TrustConnect RAT CnC Activity (GET Agent Commands)  2067684 - ET MALWARE TrustConnect RAT CnC Activity (POST Command Results)  2067685 - ET MALWARE TrustConnect RAT CnC Activity (Agent Heartbeat)  2067686 - ET MALWARE TrustConnect RAT CnC Activity (Heartbeat Response)  2067687 - ET MALWARE TrustConnect RAT CnC Activity (WebSocket Upgrade Request)  2067688 - ET MALWARE TrustConnect RAT CnC Activity (Agent Register)  2067689 - ET MALWARE TrustConnect RAT CnC Activity (Agent Update)  2067690 - ET MALWARE TrustConnect RAT CnC Activity (Files Pull)  2067801 - ET MALWARE TrustConnect RAT CnC Domain in DNS Lookup (networkservice .cyou)  2067802 - ET MALWARE Observed TrustConnect RAT Domain (networkservice .cyou in TLS SNI)  2067803 - ET MALWARE TrustConnect RAT CnC Activity (Agent Registration)  2067804 - ET MALWARE TrustConnect RAT CnC Activity (Failed Registration)  2067805 - ET MALWARE TrustConnect RAT CnC Activity (Files Pending)  2067806 - ET MALWARE TrustConnect RAT CnC Activity (GET Commands)  Example indicators of compromise  Indicator   Description  First Seen  trustconnectsoftware[.]com  C2 Domain  12 January 2026  178[.]128[.]69[.]245  C2 IP  12 January 2026  adobe[.]caladzy[.]com  Payload Staging Domain  31 January 2026  ametax[.]net  Payload Staging Domain  31 January 2026  worldwide-www19[.]pages[.]dev  Payload Staging Domain  31 January 2026  vurul[.]click  Payload Staging Domain  31 January 2026  cee6895f7df01da489c10bf5b83770ceede79ed4e1c8c4f8ea9787a4d035c79b  TrustConnectAgent.exe  SHA256  2 February 2026  statementstview[.]online  Payload Staging Domain  10 February 2026  elev8souvenirs[.]com  Payload Staging Domain  26 January  cf85a4816715b8fa6c1eb5b50d1c70cfef116522742f6f1c77cb8689166b9f40  MsTeams.exe  SHA256  26 January  162c0d3e671ddf4f7f3ae5681da5272111eab6588bc53843cc604fc386634594  DocConnect Testing Payload  17 February 2026  networkservice[.]cyou  DocConnect C2  17 February 2026  hxxps[://]memphiswawu[.]com/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest  ScreenConnect Payload URL  10 February 2026  hxxps[://]aerobickarlaurbanovas[.]top/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest=  ScreenConnect Payload URL  10 February 2026  hxxps[://]stewise[.]top/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest  ScreenConnect Payload URL  10 February 2026  hxxps[://]smallmartdirectintense[.]com/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest=  ScreenConnect Payload URL  10 February 2026  hxxp[://]192[.]159[.]99[.]83/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest  ScreenConnect Payload URL  10 February 2026  hxxp[://]192[.]227[.]211[.]41:8040/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest  ScreenConnect Payload URL  10 February 2026   
Received — 29 January 2026 Proofpoint Threat Insight

Can’t stop, won’t stop: TA584 innovates initial access

28 January 2026 at 14:00
Key findings  TA584 is one of the most prominent cybercriminal threat actors tracked by Proofpoint threat researchers.  In 2025, the actor demonstrated multiple attack chain changes including expanded global targeting; ClickFix social engineering; and delivering new malware, Tsundere Bot.   TA584’s activity is unique in the cybercrime landscape and shows how static detections alone are not reliable for constantly innovating threat actors.   Overview  Proofpoint tracks multiple sophisticated cybercriminal threat actors, and one of the most frequently active with high volume campaigns is TA584. TA584 is a prominent initial access broker (IAB) that targets organizations globally. In the second half of 2025, TA584 demonstrated multiple attack chain changes including adopting ClickFix social engineering, expanded targeting to more consistently target specific geographies and languages, and recently delivering a new malware called Tsundere Bot. TA584 overlaps with a group tracked as Storm-0900.   The actor’s operational tempo increased throughout 2025, with the number of monthly campaigns tripling from March to December 2025.  TA584   Background  Tracked by Proofpoint since November 2020, TA584 has demonstrated a variety of tactics, techniques, and procedures (TTPs). Delivery methods included macro-enabled Excel documents, URLs with aggressive filtering, use of various traffic distribution services (TDS), and geo-fenced landing pages.    While TA584 has been tracked for several years, its earlier campaigns followed relatively predictable patterns compared to the variety of techniques observed in 2025. One of the most notable shifts in TA584’s activity during 2025 is how quickly campaigns are launched, modified, and retired. The actor has been active for several years, but earlier activity tended to follow longer-lived patterns, with infrastructure, lures, and delivery mechanisms reused over extended periods of time. In contrast, 2025 activity is characterized by high campaign churn and short operational lifespans.   Figure 1. Operational tempo increased throughout 2025.  In 2025, TA584 conducted campaigns in rapid succession, often overlapping in time while using distinct lure themes, branding, and landing pages. In many cases, individual campaigns remained active for only a short time (hours to days) before being replaced or significantly modified. Instead of refining a single successful attack chain, TA584 favors continuous iteration, rapidly cycling through various tactics, techniques, and procedures (TTPs), even when prior campaigns remained effective.  The consistency of this pattern throughout 2025 shows how a steady stream of brief, thematically distinct campaigns originating from the same actor provides insight into how modern financially-motivated threat actors adapt to defensive pressure.  Data scope  Proofpoint’s analysis of TA584 activity is based on email as an initial access vector. Although TA584 has been monitored periodically since 2020, the findings presented here primarily focus on activity observed throughout 2025, when visibility of campaign volume, operational tempo, and variability increased significantly. The analysis follows activity from initial message delivery through malware execution. This perspective lets us see how TA584 adapts social engineering techniques, distribution infrastructure, and payload delivery over time, while also identifying execution behaviors that remain consistent despite other changes.  The scope of this analysis is intentionally focused on the pre-compromise and early execution stages of TA584 attack chains. Areas covered include email lure construction, social engineering themes, brand impersonation, localization strategies, landing page design, delivery infrastructure, and malware execution.   Campaigns were identified and clustered by correlating multiple attributes including delivery characteristics, shared or structurally similar infrastructure, recurring execution patterns, geofencing and IP filtering, landing page design, malware and malware configuration, and overlapping lure characteristics. Attribution to TA584 is based on a combination of historical tracking, continuity across campaigns, and recurring patterns observed over multiple years of activity.   Overall, the methodology used in this report reflects the challenges of tracking modern, high-velocity, email-centric threat actors. TA584’s 2025 activity shows how quick campaign turnover and deliberate variability can make static indicators less effective.   Campaign details  Social engineering  TA584 sends emails impersonating various organizations. Impersonated entities include job-related firms (such as Michael Page, Addeco) or business services (BBB, Companies House), as well as brands like PayPal, OSHA, Medicare, OneDrive, or YourCostSolutions.   The most frequently observed vertical impersonated is healthcare, followed by government entities. Proofpoint has seen this actor impersonate hospitals, care facilities, and multiple various government agencies in multiple countries.   Figure 2. TA584 impersonations.  TA584 demonstrates unique social engineering content using a very wide range of themes and techniques used to get people to engage with malicious content. The emails and associated landing pages always match, with well-designed and believable lures.  Brand impersonation further reinforces this approach. TA584 regularly incorporates well-known brands into email content, but brand usage is typically short-lived, with individual brands appearing briefly before being replaced in subsequent campaigns. In several cases, brand selection appears aligned with geographic targeting, with localized or regionally relevant brands used to increase credibility among specific recipients. Importantly, this variability does not appear to be random. Despite frequent changes, lures consistently maintain a sense of urgency or implied legitimacy, often encouraging recipients to view a document, review a transaction, or resolve an outstanding issue. The underlying social engineering objective remains the same, even if the surface-level details change.  This actor’s behavior is notable. Because TA584 regularly changes their lures, it reduces the effectiveness of content-based detection and increases the likelihood that at least some variants will evade filtering. For defenders, this shows how campaigns should be assessed holistically, correlating sender behavior, delivery infrastructure, and downstream execution rather than relying solely on static content indicators.  Some themes observed in 2025 include debt collection and payment processing, invitations to events or programs, tax obligations, medical test results, healthcare benefits, parking tickets, recruiting emails, and business complaints.    One campaign in December used a unique social engineering technique: including a photo of an alleged package delivery that contained the name of the recipient in the email lure.  Figure 3. Purported photo of physical mail.   In the emails, TA584 included a photo of supposed physical mail that displayed the targets’ name and address, customized to each recipient. This likely furthered the believability of the lure. Proofpoint rarely observes this technique, however we have seen it used by TA2725 in recent months.  Attack chain  TA584 uses multiple delivery methods via email. In 2025, the actor most often sent emails from compromised individual senders. These accounts were typically paired with several display names per campaign that matched the lure, and a single wave could involve hundreds of different compromised senders across many unrelated, legitimate, and often aged domains.  TA584 also occasionally sends through thirdparty Email Service Providers (ESPs) such as SendGrid and Amazon Simple Email Service (SES). This likely involves stolen credentials to create or takeover ESP accounts and then authenticate the compromised domain for sending. In practice, that usually requires DNS access to add provider-specific DNS records.  Because the emails come from authenticated, aged senders and vary heavily in subject lines and URLs, it can be difficult to reliably track and cluster these campaigns using email characteristics alone.  The emails usually contain unique links for each target that performs geofencing and IP filtering. If these checks were passed, the recipient is redirected to a landing page aligning with the lure in the email. Between March 2021 and July 2025, the landing page featured a countdown, the target's name (from a query in the URL), and a CAPTCHA. The timer, which was always placed in the top right corner, added to the sense of urgency a recipient would have, feeling like there was limited time to reply to seemingly important emails. Solving the CAPTCHA revealed a download button for a zipped JavaScript or shortcut (.lnk) file.   In early campaigns, TA584 also delivered macro-enabled Excel documents (tracked as EtterSilent) directly after the filtering checks that, if macros were enabled, would lead to malware installation.  Figure 4. March 2021 campaign, emails containing URLs that redirect to the download of a zipped macro-enabled Excel sheet that, when enabled, downloaded Ursnif.  Figure 5. Lure impersonating a recruiting firm targeting North American organizations, containing a URL leading to a landing page featuring a countdown, matching the email lure, March 2025.   From late July 2025, the actor switched to using the ClickFix technique. The ClickFix social engineering technique uses dialogue boxes containing fake error messages to trick people into copying, pasting, and running malicious content on their own computer. First observed in 2024, the ClickFix technique is now used by many different threat actors that customize the landing pages based on lure theme and objective.   Currently, messages contain unique URLs with a link leading to a customized landing page with a "Slide" CAPTCHA. If the CAPTCHA is resolved, a ClickFix page will be displayed which guides users to follow instructions which, if completed, run a PowerShell command which in turn runs another remote intermediate PowerShell script containing obfuscated code that will execute the malware payload. The initial script from the ClickFix command can only be retrieved if the same IP address has accessed the landing page. The landing page also contains a call-back function to check if the payload has been accessed and redirects the browser to a benign site, for example docusign[.]com, when this has been done.  Figure 6. BBB complaint lure with URL, November 2025.   Figure 7. CAPTCHA and ClickFix landing pages, November 2025.   Redirect behavior and intermediate delivery techniques are a notable aspect of TA584’s landing page infrastructure. All campaigns use redirect chains or intermediary resources to obscure the final payload location, adding additional layers between the initial email and malware delivery. The individual URLs are not consistently reused, and the actor changes URLs and redirects with each campaign, often using third-party criminal services in the redirect chain. The actor often uses a set of compromised domains per campaign, with a path in the URL identifying the campaign (such as domain.tld/bbb/[unique query]) either directly in the email, or in the redirect chain if a third-party service has been used in the campaign. However, from late 2025, the actor preferred to instead use Amazon AWS S3 URLs, either directly in the email or in the redirect chain, also most often paired with a unique query per target. In 2025, Proofpoint also observed Blogspot URLs, and other various URLs used in the email lure. While in previous years, the actor commonly used Cookie Reloaded (Prometheus TDS) URLs for filtering payloads, we observed TA584 occasionally switch to Keitaro TDS, but the actor most frequently used 404 TDS as the primary filter in 2025. This variability reinforces the actor’s preference for adaptable infrastructure, causing detection to become more challenging.   404 TDS is a traffic distribution system (TDS) used by cybercriminal actors since at least 2021 and has been observed used by multiple ecrime actors, particularly those that demonstrate more sophisticated capabilities. 404 TDS was named due to the mechanism it used in initial campaigns to redirect users to the payload sites. Specifically, the TDS would respond with a "404 Not Found" code and then use a meta refresh method to automatically refresh the current web page to direct the user to the URL contained in the meta refresh element, which is the next site in the attack chain. 404 TDS does not appear to perform any filtering or blocking. In most cases the TDS simply redirects the user to next URL. 404 TDS links are time limited, typically to one day.   After any potential third-party filtering and the initial redirect, the browser is redirected to a long hostname (often related to the lure) hosted on an actor-controlled domain, where additional IP-based filtering is performed. Only if the target passes this final IP filtering step are they redirected to the final landing page, hosted under a campaign-specific path on the same host.  The domain itself is usually used for only one or two campaigns, and new domains are typically registered and deployed at least once per week. Although new domains are rotated frequently, the IP address hosting these final steps often remains static for long periods. For example, 94[.]159[.]113[.]37 (AS216234 Komskov Vadim Aleksandrovich) has been used since April 2025.  Because of the layered redirects and filtering, full redirect chains and final landing pages are rarely captured by public sandboxes or URL scanning services.  Targeting details  Campaigns typically target hundreds of organizations with message volumes ranging from a few thousand to nearly 200,000 messages per campaign.   Historically, this actor largely focuses targeting on organizations in North America, the UK, and Ireland, but at the end of July 2025, the actor expanded targeting to regularly include Germany. (Analyst note: Proofpoint previously observed a small number of campaigns targeting Germany in 2023, but in 2025 the actor consistently targeted that country at a significantly higher volume). TA584 focused its targeting efforts on European users for much of the summer, before returning to mostly targeting North America by fall 2025. Proofpoint has also observed limited targeting of Australia since at least spring 2025.   The actor appears to be opportunistic and doesn’t target specific verticals. The actor typically conducts a few campaigns per week, but we have observed breaks between campaigns. The most frequently targeted geography is North America.    Figure 8. Targeted countries by campaign, 2025.  TA584’s 2025 campaigns show consistent shifts in geographic targeting, with individual operations often focused on specific regions. While earlier activity associated with the actor had a less specific focus on geographic targeting, campaigns observed in 2025 frequently included deliberate regional targeting, with less opportunistic activity. TA584 focused its targeting efforts on European users for much of the summer, before returning to mostly targeting North America by fall 2025. Proofpoint has also observed limited targeting of Australia since at least spring 2025.   Targeted regions often change between campaigns, with geographic focus rotating over relatively short timeframes. In several cases, campaigns in a single week targeted different regions while using distinct branding, language, and lure themes relevant to selected targets.   Figure 9. UK targeted email lure 24 September 2025.  Figure 10. German targeted email lure 25 September 2025.  Figure 11. U.S. targeted email lure 19 September 2025.  This rotational targeting allows TA584 to keep high operational tempo while reducing repeated exposure within any single region.   Malware details  The current payload delivered is XWorm with the configuration “P0WER”, which it has used since at least mid-2024. However, at the end of November and through December 2025, TA584 also distributed a newly observed malware called Tsundere Bot which we will describe below.   Previously, the actor was observed distributing the following payloads for initial access: Ursnif (2020 – 2022), LDR4 (2022 – 2023), WarmCookie (2024), Xeno RAT (2024), and Cobalt Strike (2024). TA584 also used DCRAT in one campaign in September 2025, which was a significant outlier. The actor did not use this payload again.   XWorm is a remote access trojan (RAT) observed since 2022 that also includes some ransomware functionality. It is available for sale on criminal forums and used by many different threat actors of various levels of sophistication.   Tsundere bot  While Tsundere Bot was previously distributed by other threat actors in Proofpoint campaign data as early as August 2025, TA584 used Tsundere Bot for the first time at the end of November 2025. Throughout December, Proofpoint observed this payload in multiple additional campaigns, and it now appears to be a favored payload alongside XWorm. Tsundere Bot is a new malware with backdoor and loader capabilities. Further investigation identified the panels, which identified themselves as “Tsundere Netto” and “Tsundere Reborn”, from where the name Tsundere Bot was taken. It is a malware-as-a-service (MaaS). It is used by multiple different threat actors, according to third-party reporting from Kaspersky, including being dropped by RMMs downstream of web injects, and delivered via fake video game installers.   Figure 12. Tsundere Bot panel screenshot.   The bot needs Node.js to be installed on the system, which is handled by installers available to be built from the command and control (C2) panel in the form of MSI installers or PowerShell scripts. Tsundere Bot has the following capabilities:  Uses a form of EtherHiding to connect to the Ethereum blockchain via multiple RPC providers in order to retrieve its C2 and config via a Web3 smart contract and wallet defined by the installer, and uses a consensus mechanism to select the most commonly returned C2 URL from multiple providers. The malware also includes a hardcoded C2 fallback in the installer script.  Uses WebSockets to communicate with the C2.  Checks system locale and exits if the system uses CIS country languages (Russian, Ukrainian, Belarusian, Kazakh, etc.)  Collects system information such as CPU/GPU info, username and hostname, Windows version, volume serial numbers, etc. and creates a unique victim ID with this info.  Maintains connection health to C2 with a “ping/pong” heartbeat.  Can execute arbitrary JavaScript code sent from the C2  The C2 panel, which allows public account creation, contains functions such as:  Bot control panel which can be filtered by IP, country code, username and hostname  User settings where a license key for the MaaS can be applied  Build system where installers in the form of MSI or PowerShell can be generated  Autotasks management where custom Node.js scripts can be configured to run automatically on first or every bot connection.  A market where bots can be sold and purchased.  Socks Proxy, where bots can be configured to be used as SOCKS5 proxies.  Proofpoint has observed this malware delivered via a variety of attack chains based on the distinct threat actor using it, including multiple campaigns leveraging the ClickFix social engineering technique. Proofpoint has identified multiple pairs of contracts/wallets that resolves to different active C2 servers. Early versions of the installer and bot code contain comments in both Russian and English in different parts of the code.  In general, the malware can be used for information gathering, data exfiltration, lateral movement, and to install additional payloads. Given that Proofpoint has observed this malware used by TA584, researchers assess with high confidence Tsundere Bot malware infections could lead to ransomware.  The first observed TA584 Tsundere Bot campaign occurred on 28 November 2025 and impersonated the Health and Safety Executive (HSE). Other Tsundere Bot campaigns observed in December include impersonating document review tools, construction companies, and mobile providers.   Figure 13. HSE lure.   In this email, which is a typical lure style for the threat actor, TA584 is asking for recipients to provide requested information by clicking unique URLs that will redirect to a landing page with a CAPTCHA, if IP filtering and geofencing checks are passed.  Figure 14. HSE themed CAPTCHA.  If the CAPTCHA is resolved, a ClickFix page will be displayed which guides users to follow instructions which, if completed, runs a PowerShell command.   Figure 15. ClickFix steps.  This command, in turn, runs a remote intermediate PowerShell script that is likely generated from the Tsundere Bot malware panel. The remote script installs Node.js and its dependencies directly from nodejs[.]org, then decrypts two AES-encrypted embedded Node.js files: one loader script, which subsequently loads the second script, the Tsundere Bot itself.  Figure 16. TA584 PowerShell script.   Tsundere Bot retrieves its C2 address from the Ethereum blockchain using a variant of the EtherHiding technique, or a hardcoded C2 fallback, profiles the computer, sends this profiling information to the C2 (193[.]17[.]183[.]126:3001), and then waits for additional Node[.]js-based payloads.   Notably, while the PowerShell installer script contains English, the Node.js scripts are commented in Russian and include logic to abort execution if the malware detects that it is running on a system located in a CIS country.  While the contract can be updated to point to a new C2, the contract used in this infection chain has had the same C2 configured since its first transaction on 6 August 2025.   XWorm “P0WER”  Since XWorm is a well-known malware, we won’t go into details here but include summary of what the “P0WER” configuration means, and how TA584 uses it in their attack chain. Just as with Tsundere Bot, the “P0WER” variant of this malware is likely a complete product that is sold as a MaaS. The name “P0WER” that Proofpoint is using for this configuration is taken from the AES Key used in this specific version. And just as with other malware distributed by TA584, this configuration has also been seen from other unrelated clusters, which also use the same execution method as TA584.  Just as with the Tsundere Bot chain, the infection starts with PowerShell running a remote PowerShell script. Due to the similarity in the execution of this variant from other clusters, it’s likely that this script is built with a malware builder from a MaaS. While the obfuscation of the installation script has changed since the variant first was observed, and additional obfuscation of the binaries, the functionality remains the same.  The script begins by disabling AMSI scanning via a reflection trick that forces an initialization failure (amsiInitFailed), ensuring the rest of the code runs unmonitored. It suppresses errors to stay quiet and reconstructs two hidden Base64 blobs using string replacements. The first blob is a custom .NET loader, which is reflectively loaded into memory; the second is the XWorm malware executable.  Figure 17. XWorm P0WER PowerShell script used by TA584 in April 2025.  To execute the malware, the script invokes a method called BIG.BOOM. This method performs process hollowing, a technique where the loader starts a legitimate, signed Microsoft utility, RegSvcs[.]exe, in a suspended state, empties its memory, and replaces it with the XWorm payload.  Figure 18. Xworm P0WER PowerShell script with XOR obfuscation used by TA584 in December 2025.  Figure 19. Same as Figure 18 script with as much obfuscation removed as possible, while still showing the functionality as used by the actor.  This makes the detonation effectively file-less, as the malware resides entirely in RAM and masks its activity under the identity of a trusted system process. Finally, the script wipes the clipboard to remove traces of the initial ClickFix command.  Once active in memory, the XWorm client communicates with its C2 server to pull down secondary modules, including a persistence plugin built with SharpHide. This tool manipulates the Windows Registry by inserting null-byte characters (\x00) into the key names. Because many standard Windows APIs and management tools (like Regedit.exe) treat the null byte as a string terminator, the entry becomes effectively invisible to basic enumeration, hiding the malicious "Run" key from casual inspection.  This hidden key establishes an execution chain that triggers every system boot:  The key launches mshta which executes a VBScript one-liner that instantiates the WScript.Shell COM object. This object is used to execute a PowerShell process with the WindowStyle set to 0 (hidden), preventing any console window from appearing to the user.   The spawned PowerShell process decodes a Base64-encoded string to run another remote PowerShell script, which normally contains the same installation script as the one initially executed. However, by fetching the payload dynamically from an external IP on each boot, the attacker ensures the infection is modular. This allows for C2 infrastructure migration or the delivery of additional malware without needing to modify the local persistence entry, maintaining a persistent, "effectively file-less" foothold that is difficult to disrupt through standard file-system cleanup.  Attribution  Proofpoint assesses with high confidence this actor is an initial access broker with infections that can lead to ransomware. TA584 is a sophisticated cybercriminal threat actor that has maintained operational consistency since at least 2020. Based on the malware used and artifacts in the attack chains, it is likely this actor is plugged in to the Russian cybercriminal ecosystem and underground markets.  Defensive recommendations  Restrict users from running PowerShell unless necessary for their job function.  Use application control policies (like AppLocker or Windows Defender Application Control) to prevent the execution of tools like node.exe from non-standard, user-writable locations such as “C:\Users\*\AppData\Local\”.  Create detection rules for powershell[.]exe or cmd[.]exe spawning a node[.]exe process, especially when node[.]exe is located in a user's AppData or other non-standard locations.  Block or monitor Ethereum endpoints. The malware relies on a hardcoded list of public Ethereum RPC providers to retrieve its C2 server address. Blocking (or, monitoring) outbound traffic to these specific URLs at the network firewall or web proxy can prevent the malware from receiving its instructions.  Monitor and inspect WebSocket traffic. The malware uses WebSockets (ws:// or wss://) for C2 communication. Implement network monitoring to detect and inspect WebSocket connections to unknown or uncategorized domains.  Consider disabling Windows+R via Group Policy for users who do not need it for their job function.   Organizations should train users to identify the activity and report suspicious activity to their security teams. This is very specific training but can be integrated into an existing user training program.  Conclusion  The cybercriminal threat landscape has experienced dramatic shifts in behaviors, targeting, and malware use over the last year, with many priority threat actors disappearing from email threat data in 2025. TA584, however, bucks this trend and has demonstrated consistent patterns of behavior and targeting since 2020, with recent shifts that demonstrate the actor is attempting to infect a broader range of targets. Proofpoint assesses it’s likely TA584 will increase targeting in Europe in 2025. It is also possible the threat actor will continue experimenting with different payloads, like Tsundere Bot or other remote access payloads newly available for sale on criminal markets.   Organizations should be aware of techniques used by TA584 and implement preventative defensive measures including restricting users from running PowerShell unless required for job functions and blocking known TA584 hosts.  Example Emerging Threats rules  2865239 – Win32/xworm V2 CnC Command - RD- Inbound   2865240 – Win32/xworm V3 CnC Command - sendPlugin   2865241 – Win32/xworm V3 CnC Command - Informations Outbound  2865163 – Win32/xworm v3 CnC Command - PCShutdown Inbound  2865200 – Win32/xworm v3 CnC Command - savePlugin Inbound  2033355 – ET INFO Windows Powershell User-Agent Usage  Example indicators of compromise   Indicator  Description  First Seen  94[.]159[.]113[.]37   TA584 Host | AS216234 Komskov Vadim Aleksandrovich  April 2025  85[.]236[.]25[.]119  Tsundere Bot C2  9 December 2025  80[.]64[.]19[.]148  XWorm C2  10 November 2025  85[.]208[.]84[.]208  XWorm C2  9 September 2025  178[.]16[.]52[.]242  XWorm C2  27 October 2025  94[.]159[.]113[.]64  XWorm C2  28 March 2025  hxxp://94[.]159[.]113[.]37/ssd[.}png  ClickFix Payload URL  September 2025  bbedc389af45853493c95011d9857f47241a36f7f159305b097089866502ac99  SHA256 Remote PowerShell Script Leading to XWorm  December 2025  441c49b6338ba25519fc2cf1f5cb31ba51b0ab919c463671ab5c7f34c5ce2d30  SHA256 XWorm SharpHide Payload  December 2025 
Received — 11 January 2026 Proofpoint Threat Insight

Access granted: phishing with device code authorization for account takeover

18 December 2025 at 17:46
Key findings  Proofpoint is tracking multiple threat clusters - both state-aligned and financially-motivated - that are using various phishing tools to trick users into giving access to M365 accounts via OAuth device code authorization.   Successful compromise leads to account takeover, data exfiltration, and more.   Threat actors are using the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 user accounts by approving access for various applications.   Overview  Social engineering is a tactic used by threat actors to trick a user into taking an action, for example adding an application on their system, or divulging confidential information. Techniques like ClickFix highlight how threat actors use security-themed issues to trick users into taking an action, leveraging legitimate tools and services to gain unauthorized access. Device code phishing is another way threat actors are abusing enterprise resources for account takeovers.   Proofpoint Threat Research has observed multiple threat clusters using device code phishing to trick users into granting a threat actor access to their Microsoft 365 account. In general, an attacker will socially engineer someone into logging into an application with legitimate credentials. The service generates a token that is then obtained by the threat actor. This gives them control over the M365 account.   Proofpoint has previously observed targeted malicious and limited red team activity leveraging device code phishing. But by September 2025, we observed widespread campaigns using these attack flows, which was highly unusual.  In recently observed activity, campaigns begin with an initial message with a URL embedded behind a button, as hyperlinked text, or within a QR code. When a user visits the URL, it initiates an attack sequence leveraging the legitimate Microsoft device authorization process. Once initiated, the user is presented with a device code.  It is either presented directly on the landing page or received in a secondary email from the threat actor. The lures typically claim that the device code is an OTP and direct the user to input the code at Microsoft’s verification URL. Once the user inputs the code, the original token is validated, giving the threat actor access to the targeted M365 account.   In observed campaigns, some messages directly claim to be token re-authorization notifications, while others use different lures to trick the user into clicking a URL, which leads to an attack chain that ends with application authorization.    While this is not necessarily a novel technique, it is notable to see it used increasingly by multiple threat clusters including a tracked cybercriminal threat actor, TA2723. Proofpoint threat researchers have identified a malicious application for sale on hacking forums, which could be used for this type of campaign. Additionally, red team tools are available – such as Squarephish and SquarephishV2– that can be used for this type of attack. These tools help threat actors mitigate the short-lived nature of device codes, enabling larger campaigns than were previously possible.  The tools  SquarePhish2 Tool  SquarePhish is a phishing tool that enables threat actors to target the OAuth Device Grant Authorization flow in combination with QR codes to compromise Microsoft accounts. It was originally published in 2022 by Dell SecureWorks.  In 2024, an updated version – SquarePhish2 – was published on GitHub by an independent researcher. The attack chain is effective because it mimics the legitimate process that a user would follow to configure TOTP multifactor authentication. The attack begins with a phishing email containing a QR code that directs users to a website hosted on an attacker-controlled SquarePhish2 server. Upon scanning the QR code, the user is redirected to Microsoft’s legitimate authentication page, while the server initiates the OAuth Device Authorization Grant flow using a preconfigured client ID.   A second email is then sent to the user from a Microsoft tenant, containing the device code, prompting them to complete the authentication process. SquarePhish2 can also automatically redirect users to the verification page, without needing to prompt for a second email. Once the user enters the code and authenticates, the tool polls the Microsoft endpoint for access. While SquarePhish2 offers advanced capabilities, its user-friendly configuration and automation features mean that it does not require deep technical expertise to operate, making it accessible to a broader range of threat actors. The ultimate objective is unauthorized access to sensitive Microsoft account data, enabling further exploitation such as account takeover, lateral movement, data exfiltration, or persistence within targeted environments.  Graphish tool Threat actors have increasingly adopted tools like the Graphish phishing kit to target Microsoft accounts with efficiency. The tool was shared in criminal hacking forums, where members are vetted, and made available for free. This tool has a multitude of capabilities, including facilitating the creation of highly convincing phishing pages by leveraging Azure App Registrations and reverse proxy setups for adversary-in-the-middle (AiTM) attacks, hosted on attacker-controlled infrastructure. A typical AiTM attack begins with the user receiving a phishing message containing a link to a malicious webpage design to mimic a legitimate login page. The fake domain is connected to a reverse proxy server, which relays traffic between the user and the actual service. When the user enters their credentials, they are instantly intercepted by the attacker. If the user successfully completes an MFA challenge (like entering a one-time code), this enables a complete session hijacking.   The attack requires the actor to own a domain name and register an SSL certificate, to enhance the credibility of the phishing site. By registering an application in Azure and extracting the client ID, the attacker can initiate OAuth-based phishing attempts that prompt users to grant access to their Microsoft accounts. For targeting enterprise environments, the tool includes guidance on bypassing organizational restrictions by verifying the malicious app with Azure, which increases its success rate against accounts. Similar to Squarephish, the tool is designed to be user-friendly and does not require advanced technical expertise, lowering the barrier for entry and enabling even low-skilled threat actors to conduct sophisticated phishing campaigns. The ultimate objective is unauthorized access to sensitive personal or organizational data, which can be exploited for credential theft, account takeover, and further compromise.  Campaigns  “Salary Bonus + Employer Benefits Reports 25”  Proofpoint tracks multiple campaigns leveraging OAuth device code phishing. For example, on 8 December, researchers identified a campaign that used a shared document reminder alert to trick users into clicking a Google Share URL hyperlinked as text, to access a fictitious document called “Salary Bonus + Employer Benefit Reports 25”. Email messages were sent from attacker-controlled addresses and claimed to be the file.  Figure 1: Example of phishing message purporting to be “Salary Bonus + Employer Benefits Reports 25”. Once clicked, the URL embedded in the email leads the user to an attacker-controlled website with a domain that is localized according to browsing IP and shows the targeted company branding. The website prompts the user to input their email address. Once done, the user is presented with a pop-up to “complete secure authentication” that includes a code and directions to input that code on the legitimate Microsoft device authorization page - hxxps://microsoft.com/devicelogin. This pop-up is purporting to be for MFA-token secure authentication. However, inputting the provided code into the Microsoft-provided OAuth page provides the threat actor access to the user’s Microsoft 365 account. Figure 2: Redirection to adding authorized device.  TA2723   TA2723 is a financially-motivated, high-volume credential phishing threat actor that is notable for its campaigns spoofing Microsoft OneDrive, Linkedin and DocuSign. Beginning October 2025, Proofpoint Threat Research observed TA2723 conducting OAuth device code phishing.  In one campaign from 9 to 10 October, the email messages purported to be “[organization name] OCTOBER_SALARY_AMENDED RefID:6962_yslFRVQnQ”. The email message body appeared as if a document had been shared with the recipient and was customized to show the recipient’s name and the name of the shared file, consistent with the subject line. The message contained a virtoshare.com URL embedded as a “button” to Open the file.   Figure 3: Example TA2723 email message.  When clicked, the recipient is redirected to a device code authorization page where they are prompted to input their email address and click a button to generate the one-time passcode (OTP).   Figure 4: URL redirect from email message to OTP generation site When clicked, the URL behind this button - which then shows as “Access Document” - is updated to redirect the user to the legitimate device authorization page from Microsoft, where they will have authorized access to the attacker-controlled application.   Figure 5: OTP and updated 'Access Document' button URL redirect.  Proofpoint Threat Research suspects that SquarePhish2 could have been used in this TA2723 campaign from 6 to 8 October, and the Graphish kit could have been used in a second wave of this campaign from 9 to 10 October. The assessment is due to the timing and evolution of the campaigns, TTP changes, and that the Graphish kit had been recently published on the vetted forum in the prior weeks. A successful attack would enable the threat actor to have access to the user’s M365 account, which could lead to account takeover, data exfiltration, lateral movement, and other follow-on activity.   State-aligned threat actors using device code phishing  Since January 2025, Proofpoint Threat Research has tracked multiple state-aligned threat actors abusing OAuth device code authorization for account takeover, which aligns with a wider trend of state-aligned threat actors increasingly adopting password-less phishing techniques. This technique has been most widely used by Russia-aligned threat actors, as noted in prior public reporting by Volexity covering the initial adoption of this technique. We have also observed suspected China-aligned activity and other unattributed espionage campaigns using this attack vector.   State-aligned threat actors often conduct patient rapport building via benign outreach prior to a device code phishing attempt, with some campaigns showing evidence of multi-channel targeting via both email and other communication channels. One particularly notable threat actor we have observed conducting device code phishing since at least September 2025 is a suspected Russia-aligned group we are tracking as UNK_AcademicFlare.   UNK_AcademicFlare activity  Since September 2025, Proofpoint has observed UNK_AcademicFlare using compromised email addresses belonging to multiple government and military organizations to target entities within government, think tank, higher education, and transportation sectors in the U.S. and Europe. Typically, these compromised email addresses are used to conduct benign outreach and rapport building related to the targets’ area of expertise to ultimately arrange a fictitious meeting or interview. The threat actor then claims to share a document with questions or topics for the target to review. To do so, they provide a link to a Cloudflare Worker URL that spoofs a OneDrive account associated with the compromised sender’s organization, which leads to a device code phishing workflow.  Figure 6: UNK_AcademicFlare benign conversation starter.  Figure 7: UNK_AcademicFlare email linking to Cloudflare worker URL.  In the above example, UNK_AcademicFlare sent a benign conversation starter email to an individual working for a U.S. university using a compromised Zambian government email address. The threat actor later provided a link to a Cloudflare Worker domain spoofing a Zambian government OneDrive account: onedrive[.]gov-zm[.]workers[.]dev.  Figure 8: UNK_AcademicFlare Cloudflare worker device code landing page.  This link redirects to a landing page stating that the sender has shared a document and instructs the user to copy the provided code and click 'Next' to gain access. The presented code is a unique device code that is dynamically generated for the target and clicking 'Next' redirects the user to the Microsoft device code login URL  hxxps://login.microsoftonline[.]com/common/oauth2/deviceauth.  Proofpoint assesses that UNK_AcademicFlare is likely a Russia-aligned threat actor based on the targeting of Russia-focused specialists at multiple think tanks, as well as government and energy sector organizations in Ukraine. This assessment is further supported by the actor’s repeated use of Russia and Ukraine-themed lure content and reliance on device code phishing techniques.    Recommendations  Block device code flow where possible  The strongest mitigation is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. Conditional Access policies can first be deployed in a report only mode, or the ‘Policy impact’ viewed over historic sign in log records, to determine the impact for an environment.   If blocking device code flow completely is not feasible, Conditional Access can be used to create an allow-list approach based on accepted use cases. For example, only enabling device code authentication for approved users, operating systems, or IP ranges such as using ‘Named locations’.  Require compliant or joined devices  If organizations use device registration or Intune, Conditional access policies requiring that sign ins originate from a compliant or registered device will protect users from device code phishing. This should be deployed as a defense in depth strategy, as there will likely be exclusions from this requirement, when compared with a dedicated device code flow policy.   Enhance user awareness regarding device code phishing attacks   Traditional phishing awareness often emphasizes checking URLs for legitimacy. This approach does not effectively address device code phishing, where users are prompted to enter a device code on the trusted Microsoft portal hxxps://microsoft.com/devicelogin. User training should include guidance on not entering device codes received from untrusted sources.   Conclusion  From the use of malicious OAuth applications for persistent access to the abuse of legitimate Microsoft authentication flows with device codes, threat actors’ tactics to achieve account takeover are evolving with quick adoption across the threat landscape. These campaigns rely heavily on social engineering, most often using lures with embedded URLs or QR codes to trick users into thinking they are securing their accounts. Proofpoint tracks multiple threat clusters that are using this device code authentication technique and recommends that organizations strengthen OAuth controls and enhance user awareness and education about these evolving threats. Proofpoint assesses that the abuse of OAuth authentication flows will continue to grow with the adoption of FIDO compliant MFA controls.  Indicators of compromise  Campaign Indicators  Indicator  Type  Description  First Seen  hxxps://sharefile.progressivesharepoint.top/  URL  Phishing landing page  20-Oct-2025  hxxps://progressiveweba.z13.web.core.windows.net  URL  Redirector  20-Oct-2025    hxxps://agimplfundmgt.z13.web.core.windows.net  URL  Redirector  20-Oct-2025  hxxps://blackrockfundmgt.z13.web.core.windows.net  URL  Redirector  20-Oct-2025  robert.pena@FirstTrustAdvisorsLP.onmicrosoft.com  Email address  Sender email address  20-Oct-2025  hxxps://onlinedocuments-[OrganizationName].vxhwuulcnfzlfmh.live/application/a[PII_Linkable_hex]9  URL  Device code generation landing page  14-Oct-2025  hxxps://onlinedocuments-[OrganisationName].vxhwuulcnfzlfmh.live/token/request?id=a[PII_Linkable_hex]9  URL  OTP generation   14-Oct-2025  xgjtvyptrjlsosv.live  Domain  OTP generation  9-Oct-2025  196.251.80.184  IP  OTP generation  9-Oct-2025  vaultally.com  Domain  Sender email domain  14-Oct-2025  docifytoday.com  Domain  Sender email domain  14-Oct-2025  filetix.com  Domain  Sender email domain  14-Oct-2025  nebulafiles.com  Domain  Sender email domain  14-Oct-2025  novodocument.com  Domain  Sender email domain  14-Oct-2025  spacesdocs.com  Domain   Sender email domain  14-Oct-2025  hxxps://www.vaultaliy.com/a[PII_Linkable_hex]9  URL  Link in email message  14-Oct-2025  hxxps://www.virtoshare.com/99[PII_Linkable]e9  URL  Link in email message  9-Oct-2025  hxxps://onlinedocuments-[OrganisationName].xgjtvyptrjlsosv.live/application/99[PII_Linkable]e9  URL  Device code generation landing page  9-Oct-2025  hxxps://onlinedocuments-[OrganisationName].xgjtvyptrjlsosv.live/token/request?id=99[PII_Linkable]e9  URL  OTP generation  9-Oct-2025  no-reply.doc333@ksmus.virtoshare.com  Email address  Sender email address  9-Oct-2025  acxioswan.com  Domain  Sender email domain  9-Oct-2025  acxishare.com  Domain  Sender email domain  9-Oct-2025  collabodex.com  Domain  Sender email domain  9-Oct-2025  infoldium.com  Domain  Sender email domain  9-Oct-2025  hxxps://www.renewauth.com/3a[PII_Linkable]59  URL  Link in email message  6-Oct-2025  hxxps://www.myfilepass.com/69[PII_Linkable]ed  URL  Link in email message  6-Oct-2025  hxxps://login.microsoftonline.com/common/oauth2/deviceauth[Abused]  URL  Device code prompt  6-Oct-2025  renewauth.com  Domain  Sender email domain  6-Oct-2025  myfilepass.com  Domain  Sender email domain  6-Oct-2025  confidentfiles.com  Domain  Sender email domain  6-Oct-2025  magnavite.com  Domain  Sender email domain  6-Oct-2025  97d7e46b-1bff-4f24-b262-8b0b3914d88a.us5.azurecomm.net  URL  Device code message sender  6-Oct-2025  bluecubecapital.com  Domain  Sender email address domain  29-Sept-2025  allspringglobalinvestmentsllc.onmicrosoft.com  Domain    Sender email address domain  29-Sept-2025  aresmanagementllc.onmicrosoft.com  Domain  Sender email address domain  29-Sept-2025  citadeladvisorsllc.onmicrosoft.com  Domain  Sender email address domain  29-Sept-2025  cpuhp.onmicrosoft.com  Domain  Sender email address domain  29-Sept-2025  millenniummanagementllc.onmicrosoft.com  Domain  Sender email address domain  29-Sept-2025  hxxps://clientlogin.blitzcapital.net/  URL  Device code prompt  29-Sept-2025  hxxps://onedrive[.]gov-zm[.]workers[.]dev  URL  Redirector  5-Nov- 2025  hxxps://portal.msprogresssharefile.cloud/  URL  Landing Page  2-Dec-2025  hxxps://sharingfilesystems.z13.web.core.windows.net  URL  Redirector  2-Dec-2025  hxxps://myapplicationinterfaces.s3.eu-north-1.amazonaws.com/index.html  URL  Redirector  2-Dec-2025  hxxps://corphostedfileservices.s3.eu-north-1.amazonaws.com/auth.html  URL  Redirector  2-Dec-2025    References https://aadinternals.com/post/phishing/#new-phishing-technique-device-code-authentication   https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/   https://www.secureworks.com/blog/oauths-device-code-flow-abused-in-phishing-attacks   https://github.com/nromsdahl/squarephish2   https://www.praetorian.com/blog/introducing-github-device-code-phishing/   https://www.calypt.com/blog/index.php/a-phishing-technique-for-compromising-office-365-azure-ad-accounts/  https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html  https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-device-code  

Security brief: VenomRAT is defanged

13 November 2025 at 19:07
What happened  VenomRAT is a commodity remote access trojan (RAT) used by multiple cybercriminal threat actors. Around since 2020 but first observed in Proofpoint data in 2022, VenomRAT was used most frequently by the hotel and hospitality targeting threat actor TA558. The malware is based on the open-source malware Quasar RAT. VenomRAT is essentially a clone of Quasar RAT with some extra components bolted on from other sources.  VenomRAT can be used for information gathering, exfiltration, lateral movement, and to download follow-on payloads. Some VenomRAT variants contain ransomware functionality.   On 13 November 2025, U.S. and international law enforcement announced the disruption of VenomRAT infrastructure and the arrest of the malware’s creator as part of ongoing Operation Endgame efforts. Both the malware advertising and distribution domain (remotesystem[.]in) and the licensing domain (venomlicense[.]com) were taken down as part of the operation. The main VenomRAT suspect was arrested in Greece. Figure 1. Screenshot of seized distribution domain.   Campaign details  Proofpoint frequently observes VenomRAT in email campaign data, with its prominence increasing among both unattributed threat actors and tracked TAs from mid-2024 through summer 2025.   Figure 2. VenomRAT campaigns observed over time.   The most prominent actor distributing VenomRAT is TA558. Tracked by Proofpoint since 2018, TA558’s targeting focus is mainly on Portuguese and Spanish speakers, typically located in the Latin America region, with additional targeting observed in Western Europe and North America. While the actor favors VenomRAT, TA558 also distributes other commodity malware including njRAT, Remcos RAT, and recently XWorm and PDQ Connect.   TA558 activity accounts for 58% of the amount of VenomRAT observed in Proofpoint email campaign data since 2022.     Figure 3. Distribution of VenomRAT by threat actor.   TA558 VenomRAT campaigns typically include 1,000 messages or less with lures in Portuguese, Spanish, and occasionally English. In recent campaigns, messages contained URLs leading to a JavaScript file. If executed, the file spawned PowerShell to download and run VenomRAT.  Figure 4. TA558 lure impersonating a complaints website, August 2025.   The number of unattributed threat clusters using VenomRAT increased in 2024, but another prominent threat actor occasionally included the malware in its arsenal: TA2541.  This actor impersonates aviation firms to distribute malware to firms globally, most frequently in North America and Europe. Campaigns typically include less than 1,000 messages and follow a similar attack chain to TA558, with URLs leading to JavaScript files that, if executed, download and run malware.  Figure 5. TA2541 lure impersonating an aviation charter company, April 2025.  Impact  The disruption to VenomRAT will cause threat actors using the malware to pivot to new payloads. Proofpoint has not observed VenomRAT in campaign data since September 2025, and TA558 has already begun favoring other malware including Remcos RAT and XWorm, with lower volumes of activity since October.   With every law enforcement action, especially those associated with Operation Endgame, Proofpoint observes notable behavior shifts among actors that use email as a first stage malware delivery method. Disruptions often have psychological impacts alongside financial and technological ones. In this case, in addition to pivoting to other payloads, it is possible the threat actors who used VenomRAT may become more wary and mistrustful of malware providers or even concerned about their own activities being monitored by law enforcement. An arrest will also prevent the malware author from developing and selling new tools in the future.   Operation Endgame is a widespread effort conducted by global law enforcement and private sector partners, including Proofpoint, to disrupt malware and botnet infrastructure and identify the alleged individuals associated with the activity. In May 2024, the first Operation Endgame disruption effort targeted multiple malware families including IcedID, Bumblebee, SystemBC, Pikabot, SmokeLoader, and more, and Europol called it the “largest ever operation against botnets, which play a major role in the deployment of ransomware.” The second major Operation Endgame action occurred in May 2025 and targeted additional malware families and their creators, including DanaBot, WarmCookie, Trickbot, and Hijack Loader. The major malware-as-a-service Lumma Stealer has also been targeted by law enforcement.   Operation Endgame disruptions have significantly affected the overall email threat landscape, specifically disrupting activity attributed to known initial access broker payloads (IABs) and supporting malware families delivered via email-based campaigns. For example, in February 2023, 17% of email malware campaigns in Proofpoint data were associated with malware targeted by Operation Endgame, while that number had dropped to 1% by September 2025.  Proofpoint’s mission is to provide the best human-centric protection for our customers against advanced threats. Whenever it is possible and appropriate to do so, and as is the case with Operation Endgame, Proofpoint uses its team’s knowledge and skills to help protect a wider audience against widespread malware threats. Proofpoint was proud to assist in the law enforcement investigations into VenomRAT activity. 

Operation Endgame Quakes Rhadamanthys

13 November 2025 at 17:16
Key takeaways  Rhadamanthys is a prominent malware observed since 2022, used by multiple cybercriminal threat actors.  The malware has been observed delivered via email, web injects, and malvertising campaigns.   It is a modular information stealer with multiple pricing plans, and the creators sell it alongside Elysium Proxy Bot and a Crypt Service.   International law enforcement disrupted Rhadamanthys and affiliates’ infrastructure as part of ongoing Operation Endgame efforts.  Overview  Rhadamanthys malware has evolved significantly over time, reflecting ongoing advancements in cybercriminal techniques. First observed in 2022, Rhadamanthys emerged as a sophisticated information stealer, primarily targeting sensitive user data such as login credentials, financial information, and system details. It quickly gained popularity on underground forums, where its capabilities and ease of customization attracted various cybercriminals.  Throughout its development, Rhadamanthys updates include new features, improving its evasion tactics and adaptability. Updates often allow it to avoid detection by security and detection controls more effectively, often through techniques involving obfuscation and anti-analysis. The malware authors introduced multi-stage payloads, which enabled the malware to bypass security layers by spreading across stages in discrete steps. Additionally, it became more modular, allowing threat actors to tailor capabilities to specific attacks or targets.  The operators sell access to Rhadamanthys for between $300 to $500 a month, with options for a higher price point for customized uses. Notably, some cybercriminal forums banned the sale of Rhadamanthys because it allowed the targeting of Russian and Commonwealth of Independent States countries.   Proofpoint observes Rhadamanthys delivered via email campaigns conducted by multiple threat actors. Techniques for payload delivery include leveraging the ClickFix social engineering technique, pairing URLs and aggressive filtering with instructions that advise people to copy, paste, and run PowerShell scripts to infect themselves with malware. Threat actors including TA585, TA2541, TA547, TA571, TA866, and numerous unattributed threat clusters have used Rhadamanthys in campaigns.   Proofpoint observed more Rhadamanthys campaigns so far in 2025 than previous years, in part due to more threat actors leveraging compromised websites to deliver malware, including Rhadamanthys. (Analyst note: it is possible there was additional low-volume activity observed in email threat data that was not campaigned by threat researchers.)  Figure 1. Timeline of Rhadamanthys campaigns.  Operation Endgame  On 13 November 2025, law enforcement disrupted Rhadamanthys’s infrastructure – specifically taking down multiple servers associated with the management and operation of the malware – as well as infrastructure associated with affiliates using the malware. This disruption was part of Operation Endgame, a collaboration between global law enforcement and private sector partners. Additional services like Elysium Proxy Bot were also affected. Notably, law enforcement also posted a video on the operation’s main website that suggested that the threat actor behind Rhadamanthys was not only facilitating information stealer operations but also stealing sensitive data from Rhadamanthys affiliates. In addition to the infrastructure disruption, it’s likely that this operation will also negatively affect the criminals’ reputation, leading affiliates to mistrust them.  Operation Endgame is a widespread effort conducted by global law enforcement and private sector partners, including Proofpoint, to disrupt malware and botnet infrastructure and identify the alleged individuals associated with the activity. In May 2024, the first Operation Endgame disruption effort targeted multiple malware families including IcedID, Bumblebee, SystemBC, Pikabot, SmokeLoader, and more, and Europol called it the “largest ever operation against botnets, which play a major role in the deployment of ransomware.” The second major Operation Endgame action occurred in May 2025 and targeted additional malware families and their creators, including DanaBot, WarmCookie, Trickbot, and Hijack Loader. The major malware-as-a-service Lumma Stealer has also been targeted by law enforcement.   Operation Endgame disruptions have significantly affected the overall email threat landscape, specifically disrupting activity attributed to known initial access broker (IAB) payloads and supporting malware families delivered via email-based campaigns. For example, in March 2023, 17% of email-based malware campaigns in Proofpoint data were associated with malware targeted by Operation Endgame, while that number had dropped to 1% by September 2025.  History  When Rhadamanthys first emerged in 2022, it was a commercially marketed information-stealer sold via underground forums by the alias “kingcrete2022”. It swiftly evolved from a simple malware to a modular Malware-as-a-Service (MaaS) offering as developers added plugins and staged loader architecture to make analysis and detection harder. Early development ascended into a cadence of rapid releases.   By 2024, the malware was shipped with a notable update that added AI-driven OCR capabilities to automatically identify and extract cryptocurrency seed phrases from images. This version included new evasion and encryption upgrades. The operator also offered new conveniences for customers that reflected popular trends in the threat landscape, one of which was MSI installer execution to assist in bypassing security detections.  In late 2024 through 2025, researchers noted an increase in Rhadamanthys campaigns which leveraged the malware’s modularity to tailor to threat actors with different objectives and levels of sophistication. In 2025, the developers pushed a new 0.9.X series that hardened network and packing obfuscation, expanded device and browser fingerprinting, reintroduced PNG steganography for hiding payloads, and adopted marketing changes. These changes included tiered pricing updates, enhanced features, and rebranding. The rebranding was reflected in a modernized site emphasizing a more professional MaaS business model, rapid feature growth, more useful distribution and monetization techniques, and an ecosystem that makes Rhadamanthys a favored malware of choice.  The takedown and disruption of many prominent loaders and top tier malware by Operation Endgame primed the market for Rhadamanthys to rise. Evidence suggests the malware is maintained and improved by capable developers. New releases have correlated to current and coveted resources and landscape trends, delivered in a way that makes it easy to utilize for customers.   Figure 2. Priority malware in campaign data and the impact of Operation Endgame.  Affiliations  As a MaaS, different affiliates may license the malware, attach custom plugins, and run campaigns independently. It is advertised on multiple forums, meaning it is not exclusive to a group of trusted affiliates but is instead available to a larger market. It is notable the creators developed the malware to be used by threat actors with varying expertise. As a result, Rhadamanthys has been observed in campaigns as simple as compressed executables attached to emails, and more sophisticated campaigns using distribution techniques like Google Ads, ClickFix, compromised websites, and priority threat actors’ more targeted campaigns.  Threat actors  Proofpoint first began tracking Rhadamanthys in December 2022 when it was distributed in a campaign attributed to priority cybercriminal threat actor TA571 with post exploitation activities attributed to TA866. TA571 has used both exclusive and more freely available malware, but TA866 has historically been observed using more exclusive and distinct malware. The actors’ use of Rhadamanthys immediately designated it as a priority malware to tracked.   Proofpoint subsequently observed TA2541, a capable actor classified on a lower tier who favors off-the-shelf RATs, use Rhadamanthys in February 2022. TA547, a priority threat actor who has used sophisticated banking malware and loaders, leveraged Rhadamanthys throughout 2024. TA585, a newly designated actor suspected of operating their entire attack chain through malware delivery, utilized Rhadamanthys frequently in 2025. In addition to the designated threat actors tracked by Proofpoint, the malware has been used in a large number of unattributed activity clusters in Proofpoint data, including the threat actor tracked by third-parties as “Aggah”, and by other threat actors tracked externally in distributing malware via other mediums like malvertising or SEO poisoning.   Actors across the crimeware spectrum from low-level actors to sophisticated operators using Rhadamanthys consistently over time demonstrates the apparent success of the malware as a product, the malware’s evolution and evasion efforts, and the successful MaaS strategy employed by its operators.  Malware  Threat actors may distribute Rhadamanthys as the sole malware payload, a companion malware delivered with others, or as a follow-on payload. In Proofpoint data, Rhadamanthys is frequently used in campaigns distributed by loaders. For example, we’ve seen the following drop Rhadamanthys as a follow-on payload:  SystemBC  DarkGate  GuLoader  SmartLoader  Resident Backdoor  DoubleLoader  DOILoader / Hijack Loader  Latrodectus  CastleLoader  Amadey  Proofpoint researchers have also observed Rhadamanthys delivered in campaigns as a companion to other malware, including: Remcos  zgRAT  Screenshotter / AHK Bot   BitRAT  XWorm  Lumma  XLoader  In these campaigns, Rhadamanthys is either delivered at the same time as other payloads, or is distributed to a limited target set within a broader campaign that drops multiple payloads to different recipients.   Recent attack chains  Rhadamanthys is currently distributed by multiple threat actors using many different attack chains to deliver malware. The following are a small sample of some of the most interesting campaigns Proofpoint researchers observed in recent months.   Compromised websites  Multiple threat clusters use compromised websites to distribute Rhadamanthys. In email data, we observe these messages because they contain links to compromised websites. Although neither the sender nor the site owner may intend harm, the websites have been compromised with a malicious injection.   In a campaign observed in October 2025, the injection prompted the website to load a malicious script which was hosted on actor-operated infrastructure, which, in turn loaded a counterfeit Cloudflare turnstile. Upon validation the browser switched to full screen and display a fake security update lure.  Figure 3. Cloudflare verification.  Figure 4. Fake update ClickFix instructions.  This attack chain used a technique called "Clickfix" which instructs the user to copy and paste a malicious command in the run box. In this way, the attacker is essentially tricking the user to infect themselves with malware. Many web inject campaigns use this technique. In this case, if the command was run, it would lead to the installation of Rhadamanthys.  URLs  Rhadamanthys payload delivery via URLs in emails is also common. For example, Proofpoint identified a campaign in October impersonating a logistics company. Messages contained URLs leading to a website instructing the recipient to sign a form and click “submit”. Then, the user would be redirected to a ClickFix landing page.   Figure 5. Impersonated company landing page with a fake confirmation.  Figure 6. ClickFix instructions.  If the target completed the ClickFix steps as instructed, a command was initiated to download a tar archive and run CastleLoader. CastleLoader was observed loading DOILoader and Rhadamanthys. DOILoader was observed loading zgRAT.   This campaign aligns with an increase in threat actors targeting the surface transportation industry to deliver malware or remote monitoring and management (RMM) tools.   PDFs  Another interesting campaign in August and September impersonated YouTube and targeted organizations in the entertainment and media industries. The messages contained a PDF with a link to a fake "Youtube DMCA" themed website built with Lovable App and used the ClickFix technique.   Figure 7. Fake YouTube “copyright appeal” website created by threat actors.  The app instructed recipients to enter their YouTube URL, retrieved real-time metadata for any submitted YouTube channel, and claimed that an appeal is needed. If the instructions were followed and the user copied and pasted the PowerShell script as directed, it executed an HTA script. The HTA enabled VBA macros via registry changes and built an Excel workbook via COM in-memory, opening it silently without user interaction. The workbook contained an AutoOpen macro, which the HTA constructed from split Base64 strings. This macro downloaded a .bin file containing shellcode and executed it via classic shellcode injection using VirtualAlloc + RtlMoveMemory + CreateThread into the Excel process to run Rhadamanthys in memory. While the macro included logic for both 32- and 64-bit Office, it only downloaded and ran 64-bit shellcode, so it crashed on 32-bit Excel.  The payload chain from HTA to shellcode execution was likely built with the commercial toolkit MacroPack Pro which is sold to red teams and "ethical hackers".  Impact  In general, disruptions to cybercrime threat actors and their malware have ripple effects across the ecosystem. Threat actors who rely on Rhadamanthys will have to find a new malware for distribution and spend time and money retooling their attack chains. It is possible that threat actors may pivot to newer malware such as Amatera Stealer, Monster V2, or CastleRAT. But while there may be other options tooling-wise, disruptions also sow distrust among the criminal ecosystem, and in some cases, lead to more restrictive policies and tighter controls about who can buy malware from certain brokers.   Proofpoint will continue to monitor where Rhadamanthys threat actors go next and continue defending against cybercriminal threats.   Conclusion  As law enforcement disruptions continue to alter threat actors’ behavior, it’s important to be aware of emerging trends and behaviors from prominent cybercriminal threat actors, such as the use of remote monitoring and management software (RMMs), increase in use of information stealers, and new social engineering techniques that target people not technology. By understanding the landscape, organizations can implement defenses against emerging trends and anticipate what decisions threat actors will make to stay ahead of them.  Proofpoint’s mission is to provide the best human-centric protection for our customers against advanced threats. Whenever it is possible and appropriate to do so, and as is the case with Operation Endgame, Proofpoint uses its team’s knowledge and skills to help protect a wider audience against widespread malware threats. Proofpoint was proud to assist in the law enforcement investigations into Rhadamanthys activity.  Through its unique vantage point, Proofpoint is able to identify the largest and most consequential malware distribution campaigns, providing the authorities with much-needed insight into the biggest threats to society, affecting the greatest number of people around the world.  Proofpoint Threat Research would like to thank Pim Trouerbach for his collaboration on investigations into Rhadamanthys and related malware.  Emerging Threats signatures  2864521  Rhadamanthys CnC Domain in DNS Lookup  2864523  Observed Rhadamanthys CnC Domain in TLS SNI  2864294  Observed Malicious SSL Cert (Rhadamanthys)  2862244  Observed Malicious SSL Cert (Rhadamanthys)  2862245  Observed Malicious SSL Cert (Rhadamanthys)  2054665  Win32/Rhadamanthys CnC Activity (GET)  2854802  Suspected Rhadamanthys Related SSL Cert  2043202  Rhadamanthys Stealer - Payload Download Request  2853001  Rhadamanthys Stealer - Payload Response  2853002  Rhadamanthys Stealer - Data Exfil    Example indicators of compromise  Indicator  Description  First Seen  13f0bf908679bea560806fd3c14ef581b3cadbab2ff07a6adf04d97995924707  shielders.msi   SHA256  25 August 2025  b0c9d619256fdf220fbb39945fac5a040b5e836f1eae0459b4fcbf2b451420a7  DpiChrysler.exe  SHA256  25 August 2025  hxxps://84[.]200[.]80[.]8/gateway/53c06hop.fp0g1  Rhadamanthys C2  25 August 2025  security[.]flacergurad[.]com  Actor-Controlled Intermediate Domain  25 August 2025  security[.]flaegrudad[.]com  Actor-Controlled Intermediate Domain  25 August 2025  security[.]flaezguerad[.]com  Actor-Controlled Intermediate Domain  25 August 2025  security[.]flaezguered[.]com  Actor-Controlled Intermediate Domain  25 August 2025  security[.]flavregurads[.]com  Actor-Controlled Intermediate Domain  25 August 2025  security[.]flheregurend[.]com  Actor-Controlled Intermediate Domain  25 August 2025  security[.]flqaergwaard[.]com  Actor-Controlled Intermediate Domain  25 August 2025  security[.]flsaregursd[.]com  Actor-Controlled Intermediate Domain  25 August 2025  security[.]gueradflwre[.]com  Actor-Controlled Intermediate Domain  25 August 2025  theguardshield[.]com  Actor-Controlled Intermediate Domain  25 August 2025  flheregurend[.]com  Actor-Controlled Intermediate Domain  25 August 2025  flsaregursd[.]com  Actor-Controlled Intermediate Domain  25 August 2025  flaezguerad[.]com  Actor-Controlled Intermediate Domain  25 August 2025  flaezguered[.]com  Actor-Controlled Intermediate Domain  25 August 2025  flcreagurade[.]com  Actor-Controlled Intermediate Domain  25 August 2025  theguardshield[.]com  Actor-Controlled Intermediate Domain  25 August 2025  flnaresgurard[.]com  Actor-Controlled Intermediate Domain  25 August 2025  flaxergaurds[.]com  Actor-Controlled Intermediate Domain  25 August 2025  cloudwardena[.]com  Actor-Controlled Intermediate Domain  25 August 2025  flenieregurd[.]com  Actor-Controlled Intermediate Domain  25 August 2025  Budparbanjarnegara[.]com  ClickFix Payload Domain  25 August 2025  hxxps://google[.]strike-submit[.]com/DMCA_Notice.hta  Payload URL  30 August 2025  hxxps://google[.]strike-submit[.]com/DMCA_Notice[.]hta  ClickFix Payload URL  30 August 2025  hxxps://google[.]strike-submit[.]com/agreeses[.]bin  ClickFix Payload URL  30 August 2025  bc2508708feb0ccc652494f8e28620bd871a8b6e1d26c7cdd61ab070f2594bbc  ClickFix Payload SHA256  30 August 2025  ccdd8a6dc97eeba07e586f059eae7944dd767519f2c3b2233ff90d3dc4e8e3f0  ClickFix Payload SHA256  30 August 2025  hxxps://85[.]192[.]61[.]140/gateway/h2u7sp2d[.]ab87a  Rhadamanthys C2  30 August 2025  hxxps://policy[.]video  Optional Initial Redirecror in PDFs  30 August 2025  hxxps://support-review[.]org/  Optional Initial Redirecror in PDFs  30 August 2025  hxxps://appeal[.]strike-submit[.]com    ClickFix Landing Example  30 August 2025  support-review[.]org  Actor-Controlled Domain  30 August 2025  trust-review[.]org  Actor-Controlled Domain  30 August 2025  compliance-review[.]org  Actor-Controlled Domain  30 August 2025  channel-review[.]org  Actor-Controlled Domain  30 August 2025  application-review[.]org  Actor-Controlled Domain  30 August 2025  strike-submit[.]com  Actor-Controlled Domain  30 August 2025  submit-appeal[.]com  Actor-Controlled Domain  30 August 2025  policy[.]video  Actor-Controlled Domain  30 August 2025  tdsworkout[.]com  Example Web Inject  20 October 2025  103[.]136[.]68[.]61  Example Web Inject  20 October 2025  cashorix[.]xyz  Web Inject Domain  20 October 2025  xpoalswwkjddsljsy[.]com  Filtered Landing Page  20 October 2025  galaxyswapper[.]pro  Filtered Landing Page  20 October 2025  193[.]24[.]211[.]233  Filtered Landing Page  20 October 2025  hxxp://141[.]0x62[.]80[.]175/kick[.]dat  ClickFix Payload (HTA)  20 October 2025  141[.]98[.]80[.]175  ClickFix Payload (HTA)  20 October 2025  ff14b28408121ebe4a5d0c2f14b9dc99e987e89b56392dc214481197d4815456  ClickFix Payload (HTA) SHA256  20 October 2025  http://xoiiasdpsdoasdpojas[.]com/  ClickFix Payload (PS1)  20 October 2025  xoiiasdpsdoasdpojas[.]com  ClickFix HTA Payload (PS1)  20 October 2025  141[.]98[.]80[.]175  ClickFix HTA Payload (PS1)  20 October 2025  c9026ffc02f11204ac1eb1183376a5cee74f7897d948bdcd59c06f31de2671fa  ClickFix HTA Payload (PS1)  SHA256  20 October 2025  193[.]221[.]200[.]93  Rhadamanthys C2  20 October 2025 

Crossed wires: a case study of Iranian espionage and attribution

5 November 2025 at 13:00
Proofpoint would like to thank Josh Miller for his initial research on UNK_SmudgedSerpent and contribution to this report.  Key findings  Between June and August 2025, Proofpoint began tracking a previously unidentified threat actor dubbed UNK_SmudgedSerpent targeting academics and foreign policy experts.  UNK_SmudgedSerpent leveraged domestic political lures, including societal change in Iran and investigation into the militarization of the IRGC.  UNK_SmudgedSerpent used benign conversation starters, health-themed infrastructure, OnlyOffice file hosting spoofs, and Remote Management & Monitoring (RMM) tools.  Throughout the investigation, UNK_SmudgedSerpent demonstrated tactics resembling several Iranian actors: TA455 (C5 Agent, Smoke Sandstorm), TA453 (Charming Kitten, Mint Sandstorm), and TA450 (MuddyWater, Mango Sandstorm).  Overlapping TTPs prevent high confidence attribution, but several hypotheses could explain the nature of the relationship between UNK_SmudgedSerpent and other Iranian groups.  Overview   In June, Proofpoint Threat Research began investigating a benign email discussing economic uncertainty and domestic political unrest in Iran. While coinciding with the escalations in the Iran-Israel conflict, there was no indication that the observed activity was directly correlated with Israel’s attacks on Iranian nuclear facilities or Iran’s actions in response.  Initial analysis of the activity found tactics, techniques, and procedures (TTP) overlaps with multiple Iranian aligned groups, including TA455 (C5 Agent, Smoke Sandstorm), TA453 (Mint Sandstorm, Charming Kitten), and TA450 (MuddyWater, Mango Sandstorm). Given a lack of high confidence links to any one established threat group, we designated the activity as a temporary cluster called UNK_SmudgedSerpent.    Figure 1. UNK_SmudgedSerpent infection chain with known actor overlaps.  The infection chain began with a benign conversation, followed by an email exchange and a credential harvesting attempt. After this initial credential harvesting attempt, UNK_SmudgedSerpent continued to conduct phishing activity within the same email thread with a specific target and subsequently delivered a URL that hosted an archive file with an MSI that loaded RMM payloads.  Iranian connections  Initial TA453 leads  UNK_SmudgedSerpent’s first identified campaign within Proofpoint data spoofed a member of the Brookings Institute reaching out to over 20 members of a United States-based think tank in mid-June 2025. Targeting specific subject matter experts in Iran-related policy areas is often a characteristic of TA453 activity, particularly using a benign conversation starter. However, approaching a significant number of individuals at a single organization diverges from Proofpoint Threat Research’s observations of typical TA453 techniques.  In another deviation from typical TA453 activity, members of the targeted organization focused across almost all areas of expertise including national defense, advanced technology, economic security, and global health, along with region-specific experts. TA453 primarily focuses on Middle Eastern policy topics, such as Iranian nuclear negotiations or Iran’s foreign relations. Regardless of each recipient’s expertise, UNK_SmudgedSerpent leveraged the same collaboration lure about impending Iranian societal reform.  The attackers’ approach impersonated Suzanne Maloney – the vice president and director of the Foreign Policy program at the Brookings Institution and an expert on Iran – using a Gmail address and misspelled version of her name, “Suzzane Maloney.”  Figure 2. UNK_SmudgedSerpent initial approach.  Following a response, the Suzzane Maloney persona was more cautious than Proofpoint has observed in past interactions with TA453. The attacker insisted on verifying the identity of the target and authenticity of the email address before proceeding with any collaboration attempts.  Figure 3. UNK_SmudgedSerpent follow-up email.  As the engagement continued, the persona sent an appointed time for a meeting, using Israel time as a point of reference though the target was based in the US. At the delivery stage, the actor began to deviate from TA453’s typical TTPs and sent a link appearing to be an OnlyOffice URL belonging to "Suzzane Maloney” (again spelled incorrectly) with documents relevant to the upcoming meeting.  Figure 4. UNK_SmudgedSerpent URL delivery.  Transition to TA455  The URL was only masquerading as an OnlyOffice link in the email but instead hyperlinked to a health-themed attacker domain thebesthomehealth[.]com, which redirected to a second health-themed attacker domain mosaichealthsolutions[.]com that displayed a Microsoft 365 login page. The URL hosted a customized credential harvesting page with the user’s information pre-loaded.     Figure 5. Customized Microsoft credential harvesting page.  Delivery variation  Another version of this infection chain can be found on VirusTotal, where both domains were similarly used in a Microsoft-related redirection chain. hxxps://thebesthomehealth[.]com/[redacted15characterstring] masqueraded as a Microsoft Teams login before redirecting to the  mosaichealthsolutions[.]com domain.   Figure 6. Microsoft Teams meeting spoof (VirusTotal).  However, the next stages following clicking the “Join Now” button are unclear at the time of writing.  TA455 continued  In Proofpoint’s investigation, after the target communicated suspicions about the credential harvesting page, UNK_SmudgedSerpent removed the password requirement on the initial thebesthomehealth[.]com URL. The link then proceeded to a spoofed OnlyOffice login page.  Figure 7. UNK_SmudgedSerpent OnlyOffice login spoof.  Clicking on “Continue” or login loads another page also hosted on thebesthomehealth[.]com, which continues to resemble OnlyOffice and hosted two PDFs, an Excel document, and a ZIP archive.  Figure 8. Files hosted on thebesthomehealth[.]com.  UNK_SmudgedSerpent’s reference to OnlyOffice URLs and health-themed domains is reminiscent of TA455 activity. TA455 began registering health-related domains at least since October 2024 following a consistent stream of domains with aerospace interest, with OnlyOffice becoming popular to host files more recently in June 2025, as shown by the timeline below.  Figure 9. TA455 Domain Registration / First Seen Timeline (May 2024 – July 2025).  UNK_SmudgedSerpent domains began appearing in April 2025, several weeks before the first campaign was observed in June.  Completing the chain with TA450  Upon execution, UNK_SmudgedSerpent’s ZIP archive loaded an MSI file, which launched the PDQConnect Remote Monitoring & Management (RMM) software. The rest of the documents appeared to be decoys.  During our research, Threat Research observed UNK_SmudgedSerpent engaging in suspected hands-on-keyboard activity where the attackers leveraged PDQConnect to install additional RMM software, ISL Online.  Figure 10. ISL Online RMM pop-up.  The reason for the attackers' sequential deployment of two distinct RMM tools remains unclear. It is possible UNK_SmudgedSerpent may have deployed RMM software as a throwaway option after the credential harvesting attempt didn’t succeed, and the threat actor became suspicious of Proofpoint’s investigation. However, neither hypothesis can be confirmed at the time of writing.  While the use of RMMs is a generic technique abusing common legitimate tools, it is rare to see them associated with state-sponsored actors and have been documented in use by only one Iranian actor, in TA450 campaigns over the last several years.  Follow-on activity  Before the email exchange discussed ended on 26 June, Proofpoint identified an additional Gmail account on 23 June spoofing Dr. Maloney (with her name spelled correctly) – suzannemaloney68@gmail[.]com – targeting a US-based academic that appeared to be Israeli. In this lure, UNK_SmudgedSerpent asked for assistance investigating the IRGC.  Figure 11. Second UNK_SmudgedSerpent phishing email.  A different persona, one spoofing Patrick Clawson – a Director at the Washington Institute – used the exact same content one week later to target the same academic using patrickclawson51@gmail[.]com.  In early August 2025, UNK_SmudgedSerpent surfaced again, this time soliciting information and collaboration on Iran’s efforts in Latin America. The phishing email originated from another spoof of Patrick Clawson, this time using an Outlook email address: patrick.clawson51@outlook[.]com. However, the email in the signature did not match and included both potentially legitimate emails and patrickclawson51@gmail[.]com, which was the previously used spoofed email.  Figure 12. UNK_SmudgedSerpent Patrick Clawson Spoof #2.  The timeline below shows the campaigns and cadence of UNK_SmudgedSerpent activity, which appears to be topical and sporadic. After the initial approach that targeted over 20 individuals, Proofpoint data showed the actor focused only on solitary targets in further campaigns.  Figure 13. UNK_SmudgedSerpent phishing activity timeline.  Since early August, no further activity has been observed from this actor.  Infrastructure  Investigating suspected UNK_SmudgedSerpent infrastructure, such as healthcrescent[.]com, surfaced additional activity that further complicates UNK_SmudgedSerpent’s relationship and overlaps with TA455.  healthcrescent[.]com shares server configuration similarities with a set of domains, including  ebixcareers[.]com, that displays a fake Teams portal. The career-themed domain and Teams spoof are both reminiscent of previous TA455 activity.  Figure 14. Fake Teams portal landing page.  Related URLs resembled previously seen activity from TA453, using “meeting” themes.  hxxps://interview.ebixcareers[.]com/teams/join-online-room-homv-patm-elro/ fetched a payload from the following OnlyOffice URL:  hxxps://docspace-mpv1y2.onlyoffice[.]com/rooms/share?key=ZXVSTEhNKzM3NHBIeHg3R3M4cnBRcDFDUnk0b[…]0_Ijg4YzkzZTRhLWNmYzktNGJkMy1iYzYyLWY2NWY0OTczNTBlZCI   Figure 15. Files Hosted on OnlyOffice URL.  Files hosted on this page in mid-September included benign recruitment-related PDFs for Boeing, a traditional aspect of TA455’s operations involving both aerospace and career-themed interests.  Figure 16. Benign PDFs.  Hiring Portal.zip contained two DLLs and an executable; the legitimate EXE sideloads userenv.dlland through another legitimate EXE, sideloads xmllite.exe. userenv.dll is a TA455 custom backdoor termed MiniJunk in public reporting, a version of previously reported malware called MiniBike. While the infrastructure likely aligns with UNK_SmudgedSerpent, it remains unclear why it is simultaneously hosting TA455 custom malware.  The final file hosted on the OnlyOffice URL was Interview time.msi, a loader responsible for installing the RMM tool PDQConnect, seen deployed in both UNK_SmudgedSerpent and TA450 activity, though not previously seen associated with TA455.  The exploration of infrastructure and operations connected to UNK_SmudgedSerpent activity further blurs the lines of attribution and the nature of the relationship to TA455.  Attribution  Proofpoint Threat Research is currently tracking this activity separately as a new threat actor – UNK_SmudgedSerpent – and clustered distinctly from TA453, TA455, and TA450. While there are several overlaps with established threat actors in various stages of the infection chain, which are shown below, they remain tenuous in some cases without high confidence links.  TTP  UNK_SmudgedSerpent  TA453  TA455  TA450  Sender emails  Freemail (Outlook, Gmail)  Freemail (Outlook, Gmail, ProtonMail, Yahoo)  Attacker-owned domains  Compromised corporate accounts  Initial approach  Benign conversation  Benign conversation  Malicious recruitment applications  Malicious event invitations  Targeting  Policy experts, thinktanks  Policy experts, thinktanks  Aerospace and defense, transportation/logistics, technology  Government, telecommunications, transportation  Delivery  OnlyOffice spoof, Teams spoof  Teams spoof, Scalingo, OneDrive  OnlyOffice  Mega.nz, FliQR  Objective  Credential theft, malware delivery  Credential theft, malware delivery  Malware delivery  Malware delivery  Domain themes  Health and recruitment, organization spoofs  Organization, meeting, Google, Microsoft, and technology spoofs  Health, aerospace, and recruitment  Technology, other  Infrastructure  Cloudflare, Namecheap  Hetzner, OVH, RouterHosting, Namecheap  Cloudflare, Namecheap  NordVPN, Cloudflare Namecheap  Malware  RMM (PDQConnect)  PowerShell backdoors (occasional)  Custom backdoors (MiniJunk, MINIBIKE, MINIBUS)  RMMs, custom PowerShell and .NET backdoors (Phoenix)    Given the dynamic nature of the Iranian ecosystem and its heavy use of contracting companies, there are often instances where groups, activity, malware, and infrastructure intersect. We hypothesize there are several possibilities for the group’s convergence of TTPs with varying degrees of likelihood, which include:  Centralized procurement: a shared resource that registers and distributes infrastructure or a shared malware developer.  Personnel mobility: one group dissolves, and another absorbs team members, or groups merge based on new requirements or shared remits.  Interpersonal relationships: individual members of the same team have TTP preferences, and operators share their preferred techniques with one another.  Parallel contractor deployment: the parent/sponsoring agency tasks more than one contracting company to a particular threat group or campaign.  Institutional collaboration: cross-agency exchanges between IRGC and MOIS at an organizational level due to the groups’ affiliations with differing agencies.  Conclusion  UNK_SmudgedSerpent’s first observed campaign was in June 2025, after which the group was seen a few times targeting policy experts in the US using lures about internal political developments in Iran. The subsequent investigation revealed multiple overlaps in TTPs with TA453, TA450, and TA455. However, the abundance of links prevents high confidence attribution to any one of these groups.  While UNK_SmudgedSerpent has not been observed in email campaigns since August 2025, related activity likely remains ongoing. The appearance of a new actor with borrowed techniques suggests there may be personnel mobility or exchange between teams, but with a consistent remit; however, there is no confirmed attribution for UNK_SmudgedSerpent at the time of writing. The TTPs and infrastructure are an extension of previously observed behavior from Iranian threat groups, and the targeting of Iran foreign policy experts continues to reflect the Iranian government’s intelligence collection priorities.  ET rules  2054935 - ET INFO PDQ Remote Management HTTP Header Observed (x-pdq-key-ids)  2054936 - ET INFO PDQ Remote Management User-Agent Observed (PDQ rover)  2054937 - ET INFO PDQ Remote Management Agent HTTP Activity  2054938 - ET INFO PDQ Remote Management Agent Checkin  2062767 - ET INFO Observed DNS Query to Online Document Sharing Service (onlyoffice .com)  2062768 - ET INFO Observed Online Document Sharing Service Domain (onlyoffice .com in TLS SNI)  2065399 - ET PHISHING Observed UNK_SmudgedSerpent Style URI  2065427 - ET MALWARE Observed DNS Query to TA455 Domain (msnapp .help)  2065434 - ET MALWARE Observed DNS Query to TA455 Domain (accountroyal .com)  2065439 - ET MALWARE Observed DNS Query to TA455 Domain (palaerospace .careers)  2065444 - ET MALWARE Observed DNS Query to TA455 Domain (msnapp .live)  2065448 - ET MALWARE Observed DNS Query to TA455 Domain (healthiestmama .com)  2065449 - ET MALWARE Observed DNS Query to TA455 Domain (mojavemassageandwellness .com)  2065450 - ET MALWARE Observed DNS Query to TA455 Domain (alwayslivehealthy .com)  2065451 - ET MALWARE Observed DNS Query to TA455 Domain (rhealthylivingsolutions .com)  2065452 - ET MALWARE Observed DNS Query to TA455 Domain (rheinmetallcareer .org)  2065453 - ET MALWARE Observed DNS Query to TA455 Domain (chakracleansetherapy .com)  2065454 - ET MALWARE Observed DNS Query to TA455 Domain (clearmindhealthandwellness .com)  2065455 - ET MALWARE Observed DNS Query to TA455 Domain (joinboeing .com)  2065456 - ET MALWARE Observed DNS Query to TA455 Domain (healthcarefluent .com)  2065459 - ET MALWARE Observed DNS Query to TA455 Domain (rheinmetallcareer .com)  2065464 - ET MALWARE Observed DNS Query to TA455 Domain (zytonhealth .com)  2065470 - ET MALWARE Observed DNS Query to TA455 Domain (sulumorbusinessservices .com)  2065475 - ET MALWARE Observed DNS Query to TA455 Domain (airbushiring .com)  2065481 - ET MALWARE Observed DNS Query to TA455 Domain (healthinfusiontherapy .com)  2065484 - ET MALWARE Observed DNS Query to TA455 Domain (bodywellnessbycynthia .com)  2065486 - ET MALWARE Observed DNS Query to TA455 Domain (careers-portal .org)  2065487 - ET MALWARE Observed TA455 Domain (msnapp .help in TLS SNI)  2065488 - ET MALWARE Observed TA455 Domain (accountroyal .com in TLS SNI)  2065489 - ET MALWARE Observed TA455 Domain (palaerospace .careers in TLS SNI)  2065490 - ET MALWARE Observed TA455 Domain (msnapp .live in TLS SNI)  2065491 - ET MALWARE Observed TA455 Domain (healthiestmama .com in TLS SNI)  2065493 - ET MALWARE Observed TA455 Domain (mojavemassageandwellness .com in TLS SNI)  2065495 - ET MALWARE Observed TA455 Domain (alwayslivehealthy .com in TLS SNI)  2065498 - ET MALWARE Observed TA455 Domain (rhealthylivingsolutions .com in TLS SNI)  2065501 - ET MALWARE Observed TA455 Domain (rheinmetallcareer .org in TLS SNI)  2065502 - ET MALWARE Observed TA455 Domain (chakracleansetherapy .com in TLS SNI)  2065503 - ET MALWARE Observed TA455 Domain (clearmindhealthandwellness .com in TLS SNI)  2065504 - ET MALWARE Observed TA455 Domain (joinboeing .com in TLS SNI)  2065505 - ET MALWARE Observed TA455 Domain (healthcarefluent .com in TLS SNI)  2065506 - ET MALWARE Observed TA455 Domain (rheinmetallcareer .com in TLS SNI)  2065507 - ET MALWARE Observed TA455 Domain (zytonhealth .com in TLS SNI)  2065508 - ET MALWARE Observed TA455 Domain (sulumorbusinessservices .com in TLS SNI)  2065509 - ET MALWARE Observed TA455 Domain (airbushiring .com in TLS SNI)  2065510 - ET MALWARE Observed TA455 Domain (healthinfusiontherapy .com in TLS SNI)  2065511 - ET MALWARE Observed TA455 Domain (bodywellnessbycynthia .com in TLS SNI)  2065512 - ET MALWARE Observed TA455 Domain (careers-portal .org in TLS SNI)  2065513 - ET PHISHING Observed DNS Query to UNK_SmudgedSerpent Domain (mosaichealthsolutions .com)  2065514 - ET PHISHING Observed DNS Query to UNK_SmudgedSerpent Domain (ebixcareers .com)  2065515 - ET PHISHING Observed DNS Query to UNK_SmudgedSerpent Domain (healthcrescent .com)  2065516 - ET PHISHING Observed DNS Query to UNK_SmudgedSerpent Domain (thebesthomehealth .com)  2065517 - ET PHISHING Observed UNK_SmudgedSerpent Domain (mosaichealthsolutions .com in TLS SNI)  2065518 - ET PHISHING Observed UNK_SmudgedSerpent Domain (ebixcareers .com in TLS SNI)  2065519 - ET PHISHING Observed UNK_SmudgedSerpent Domain (healthcrescent .com in TLS SNI)  2065520 - ET PHISHING Observed UNK_SmudgedSerpent Domain (thebesthomehealth .com in TLS SNI)    Indicators  UNK_SmudgedSerpent  Indicator  Type  Description  First Seen  suzzanemaloney@gmail[.]com  Email address  Phishing  June 2025  suzannemaloney68@gmail[.]com  Email address  Phishing  June 2025  patrickclawson51@gmail[.]com  Email address  Phishing  June 2025  patrick.clawson51@outlook[.]com  Email address  Phishing  August 2025  hxxps://suzzanemaloney2506090953.onlyoffice[.]com/s.-k6vjflsdagdsfgh  URL  Delivery  June 2025  thebesthomehealth[.]com  Domain  Delivery  April 2025  mosaichealthsolutions[.]com  Domain  Delivery  April 2025  healthcrescent[.]com  Domain  Delivery  May 2025  ebixcareers[.]com  Domain  Delivery  July 2025  6eb7df21d6f1e3546c252a112504eefbb19205167db89038f2861118bbc8871c  SHA256  Benign PDF  September 2025  0bdb64fc1d5533f7b3fffaf821e89f286ad2d7400a914f21abdcbb7bb8a39e63  SHA256  Benign PDF  September 2025  cac018dccdf6ce4bef19ab71e3e737724aed104bc824332a5213c878b065ff50  SHA256  EXE  September 2025  7b5fb8202bff90398ab007579713f66430778249e43b46f35df6c3ded628f129  SHA256  DLL  September 2025  129a40e38ef075c7d33d8517b268eb023093c765a32e406b58f39fab6cc6a040  SHA256  DLL  September 2025  85858880ee7659cc1152b6a126bc20b9b4fb1b46dddea5af2d65d48d58cd0589  SHA256  MSI  September 2025  0fcdaa2f4db94e0589617830d3d80430627815ef0e4b0c7b7ff5c1ebb82a4136  SHA256  Benign PDF  September 2025  1e9c31ce0eba2100d416f5bc3b97dafe2da0d3d9aee96de59ec774365fe3fe89  SHA256  ZIP  September 2025    TA455  Indicator  Type  Description  First Seen  emiratesgroup-careers[.]com  Domain  Related infrastructure  May 2024  flydubai-careers[.]com  Domain  Related infrastructure  May 2024  airbusgroup-careers[.]com  Domain  Related infrastructure  May 2024  gocareers[.]org  Domain  Related infrastructure Related infrastructure  June 2024  rheinmetallcareers[.]com  Domain  Related infrastructure  June 2024  careers2find[.]com  Domain  Related infrastructure  June 2024  opportunities2get[.]com  Domain  Related infrastructure  June 2024  emiratescareers[.]org  Domain  Related infrastructure  July 2024  droneflywell[.]com  Domain  Related infrastructure  July 2024  usa-careers[.]com  Domain  Related infrastructure  August 2024  careers-hub[.]org  Domain  Related infrastructure  September 2024  global-careers[.]com  Domain  Related infrastructure  September 2024  ehealthpsuluth[.]com  Domain  Related infrastructure  September 2024  worldcareers[.]org  Domain  Related infrastructure  September 2024  uavnodes[.]com  Domain  Related infrastructure  September 2024  careersworld[.]org  Domain  Related infrastructure  September 2024  thecareershub[.]org  Domain  Related infrastructure  September 2024  germanywork[.]org  Domain  Related infrastructure  September 2024  easymarketing101[.]com  Domain  Related infrastructure  September 2024  collaboromarketing[.]com  Domain  Related infrastructure  September 2024  virgomarketingsolutions[.]com  Domain  Related infrastructure  September 2024  marketinglw[.]com  Domain  Related infrastructure  September 2024  anteromarketing[.]com  Domain  Related infrastructure  September 2024  airbusaerodefence[.]nl  Domain  Related infrastructure  November 2024  dronetechasia[.]org  Domain  Related infrastructure  November 2024  asiandefenses[.]com  Domain  Related infrastructure  November 2024  msnclouds[.]com  Domain  Related infrastructure  November 2024  kibanacore[.]com  Domain  Related infrastructure  November 2024  boeingspace[.]com  Domain  Related infrastructure  November 2024  airbusaerodefence[.]com  Domain  Related infrastructure  December 2024  jadehealthcenter[.]com  Domain  Related infrastructure  December 2024  clearmindhealthandwellness[.]com  Domain  Related infrastructure  January 2025  accountroyal[.]com  Domain  Related infrastructure  January 2025  msnapp[.]help  Domain  Related infrastructure  January 2025  msnapp[.]live  Domain  Related infrastructure  January 2025  zytonhealth[.]com  Domain  Related infrastructure  February 2025  alwayslivehealthy[.]com  Domain  Related infrastructure  February 2025  healthiestmama[.]com  Domain  Related infrastructure  February 2025  healthcarefluent[.]com  Domain  Related infrastructure  February 2025  healthinfusiontherapy[.]com  Domain  Related infrastructure  February 2025  mojavemassageandwellness[.]com  Domain  Related infrastructure  February 2025  chakracleansetherapy[.]com  Domain  Related infrastructure  February 2025  bodywellnessbycynthia[.]com  Domain  Related infrastructure  February 2025  palaerospace[.]careers  Domain  Related infrastructure  February 2025  rhealthylivingsolutions[.]com  Domain  Related infrastructure  April 2025  sulumorbusinessservices[.]com  Domain  Related infrastructure  April 2025  airbushiring[.]com  Domain  Related infrastructure  April 2025  joinboeing[.]com  Domain  Related infrastructure  May 2025  rheinmetallcareer[.]org  Domain  Related infrastructure  May 2025  rheinmetallcareer[.]onlyoffice[.]com  Domain  Related infrastructure  May 2025  rheinmetallcareer[.]com  Domain  Related infrastructure  May 2025  careers-portal[.]org  Domain  Related infrastructure  May 2025  boeinginformation[.]onlyoffice[.]com  Domain  Related infrastructure  May 2025  airbus-careers[.]onlyoffice[.]com  Domain  Related infrastructure  June 2025  airbus-survay[.]onlyoffice[.]com  Domain  Related infrastructure  July 2025  malebachhew2506090936.onlyoffice[.]com  Domain  Related infrastructure  July 2025  randcorp.onlyoffice[.]com  Domain  Related infrastructure  July 2025 

Remote access, real cargo: cybercriminals targeting trucking and logistics

3 November 2025 at 16:03
Key findings  Cybercriminals are compromising trucking and freight companies in elaborate attack chains to steal cargo freight.  Cargo theft is a multi-million-dollar criminal enterprise, and digital transformation has led to an increase in cyber-enabled theft.    Threat actors compromise these companies and use their access to bid on cargo shipments, to then steal and sell them.  The threat actors typically deliver remote monitoring and management (RMM) tools, aligning with the broader trend of cybercriminals adopting these as a first-stage payload across the threat landscape.  Overview  Proofpoint is tracking a cluster of cybercriminal activity that targets trucking and logistics companies and infects them with RMM tooling for financial gain. Based on our ongoing investigations paired with open-source information, Proofpoint assesses with high confidence that the threat actors are working with organized crime groups to compromise entities in the surface transportation industry — in particular trucking carriers and freight brokers — to hijack cargo freight, leading to the theft of physical goods. The stolen cargo most likely is sold online or shipped overseas. Such crimes can create massive disruptions to supply chains and cost companies millions, with criminals stealing everything from energy drinks to electronics.   In the observed campaigns, threat actors aim to infiltrate companies and use their fraudulent access to bid on real shipments of goods to ultimately steal them. The observed campaigns described in this report are similar to activity Proofpoint researchers previously detailed in September 2024. However, we cannot assess with high confidence whether historic and current campaigns are conducted by the same or multiple groups; thus, Proofpoint is not attributing the activity to a tracked threat actor.   Old crimes, new tools: the digital transformation of cargo theft   According to the National Insurance Crime Bureau, cargo theft leads to $34 billion in losses annually. Cargo theft can refer to many different types of activities leading to the theft of commercial shipments while cargo is in transit. Much of this activity is conducted by organized criminal groups, according to U.S. law enforcement, and Congress has introduced legislation to combat organized retail theft as it has skyrocketed since the COVID-19 pandemic. (Cargo theft conducted by organized crime has been a problem for decades – from “Old West Train Robbers” to 1960s mobsters to our modern cyber-enabled heists.) Proofpoint previously published details on a similar type of cybercrime targeting cargo that impersonates various companies to steal medical and electronic equipment.  While the campaigns that Proofpoint discusses in this report relate to North American cargo theft, it’s a global problem. According to Munich RE, global cargo theft hotspots include Brazil, Mexico, India, the U.S., Germany, Chile, and South Africa, while the most targeted commodities are food and beverage products.   Cyber-enabled theft is one of the most common forms of cargo theft and relies on social engineering and a knowledge of how the trucking and transportation industries work. According to IMC Logistics, opportunities for cyber-enabled theft are partly responsible for the dramatic increase in cargo theft in recent years: “…the digitization of domestic and international supply chains has created new vulnerabilities and thus opportunities for [Organized Theft Groups] to exploit gaps using sophisticated and ever-evolving cyber capabilities. These groups can steal freight remotely by exploiting the technology that has been embedded into supply chains to move cargo more efficiently.”  The attack chain in the observed campaigns leading to cargo theft attempts, which will be described in subsequent sections, is as follows: the threat actor will compromise a broker load board account (a marketplace companies use to facilitate booking loads for trucks), post a fake load, and kick off the attack chain when a carrier responds.   Figure 1. Attack flow.  Campaign details  The threat cluster engaged in suspected cargo theft has been active since at least June 2025, though evidence suggests the group’s campaigns began as early as January. The actor has delivered a range of RMM tools (or in some cases remote access software), including ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able and LogMeIn Resolve. These RMMs/RAS are often used in tandem; for example, PDQ Connect has been observed downloading and installing both ScreenConnect and SimpleHelp. Once initial access is established, the threat actor conducts system and network reconnaissance and deploys credential harvesting tools such as WebBrowserPassView. This activity indicates a broader effort to compromise accounts and deepen access within targeted environments.   Researchers have identified related network infrastructure and similar tactics, techniques, and procedures (TTPs) in campaigns delivering NetSupport and ScreenConnect going back to January 2025, suggesting a longer operational timeline. Separately, from 2024 through March 2025, Proofpoint also tracked a threat actor targeting ground transportation organizations distributing DanaBot, NetSupport, Lumma Stealer, and StealC, which we previously reported on. It is possible these clusters of activity are all related; however, we cannot attribute this with high confidence. All appear to have knowledge about the software, services, and policies around how the cargo supply chain operates. Regardless of the ultimate payload, stealers and RMMs serve the same purpose: remotely access the target to steal information. However, using RMM tools can enable threat actors to fly further under the radar. Threat actors can create and distribute attacker-owned remote monitoring tools, and because they are often used as legitimate pieces of software, end users might be less suspicious of installing RMMs than other remote access trojans. Additionally, such tooling may evade anti-virus or network detections because the installers are often signed, legitimate payloads distributed maliciously. Cargo theft actors using RMMs aligns with an overall shift in the cybercrime landscape where threat actors increasingly are adopting RMMs as a first stage payload.   In just the last two months, Proofpoint has observed nearly two dozen campaigns, with volumes ranging from less than 10 to over 1,000 messages per campaign.   Figure 2. Most frequently observed first-stage payloads targeting surface transportation since August 2025.  The threat cluster has employed three tactics to deliver RMM tools:   Compromising load boards. The actor posts fraudulent freight listings using compromised accounts on load boards and then sends emails containing malicious URLs to carriers who inquire about the loads. This tactic exploits the trust and urgency inherent in freight negotiations (see Figure 3).  Email thread hijacking. Using compromised email accounts, the threat actors inject malicious content and URLs into existing conversations (see Figure 4).  Direct targeting via email campaigns. The cluster has launched direct email campaigns against larger entities, including asset-based carriers, freight brokerage firms, and integrated supply chain providers. Gaining access to these entities may allow the actors to identify high-value freight loads or uncover other opportunities to further their objectives—such as posting fraudulent loads on load boards (see Figure 5).  Figure 3. Email sent to a carrier responding to a fraudulent load posted on a load board.  Figure 4. Threat actor using a compromised email account and inserting a malicious link into an ongoing conversation.  Figure 5. Direct email sent to hundreds of organizations in the ground transportation industry.  Typically, emails contain URLs that lead to an executable (.exe) or an MSI (.msi) file.  When clicked, these files install an RMM tool, granting the threat actor full control of the compromised machine. In some cases, the threat actor will create domains and landing pages that impersonate legitimate brands or generic transportation terms to further the believability of the social engineering.  Based on campaigns observed by Proofpoint, the threat actor does not appear to attack specific companies, and targets range from small, family-owned businesses to large transport firms as described above. The threat actor appears to be opportunistic about the carriers that it targets and will likely attempt to compromise any carrier who responds to the fake load posting. Once a threat actor has compromised a carrier, they probably will use their knowledge of the industry and any insider information derived from other compromises to identify and bid on loads that are likely to be profitable if stolen.   While investigating the objectives of this threat cluster, Proofpoint researchers found multiple public discussions on social media websites that aligned precisely with the phishing and account takeover activity we had observed by this actor. One public Reddit post shared an experience in which the attacker compromised the company via RMM delivery, deleted existing bookings and blocked dispatcher notifications, added their own device to the dispatcher’s phone extension, booked loads under the compromised carrier’s name, and coordinated the transport. According to the post, the initial compromise was a “nextgen.Carrierbrokeragreement type of link” which notably aligns with a payload URL from this cluster that Proofpoint researchers observed active in July, likely distributing ScreenConnect: hxxp://nextgen1[.]net/carrier.broker.agreement[.]html.   Best practices  Organizations operating in the surface transportation industry or other industries at risk of cargo theft may benefit from reviewing the National Motor Freight Traffic Association Cargo Crime Reduction Framework.   To defend against RMM abuse, Proofpoint recommends the following:  Restrict the download and installation of any RMM tooling that is not approved and confirmed by an organization’s information technology administrators.    Have network detections in place – including using the Emerging Threats ruleset – and use endpoint protection. This can alert on any network activity to RMM servers.    Do not download and install executable files (.exe or .msi) delivered via email from external senders.   Train users to identify the activity and report suspicious activity to their security teams. This training can easily be integrated into an existing user training program.    Conclusion  According to NICB, cargo theft losses increased 27 percent in 2024, and losses are expected to increase another 22 percent in 2025. Cargo theft is a profitable criminal enterprise, and based on Proofpoint data, cybercriminals are increasingly targeting surface transportation entities to steal real, physical goods. Proofpoint has observed nearly two dozen campaigns since August 2025 targeting such entities to deliver RMMs. Public discussion and reporting on cyber-enabled cargo theft suggests the problem is widespread, impacting organizations nationwide, and only increasing in scope and spread. Based on the growth of this activity in email threat data between 2024 and 2025, Proofpoint assesses this threat will continue to increase. Organizations should be aware of the cyber-enabled tactics and payloads used by cargo theft criminals, and implement cybersecurity measures to prevent successful exploitation.     Proofpoint would like to thank our colleagues at ConnectWise ScreenConnect, Red Canary, and the DFIR Report for collaborating on information sharing related to this activity.    Example Emerging Threats signatures  2837962 – ScreenConnect - Establish Connection Attempt   2050021 – Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain  2054938 – PDQ Remote Management Agent Checkin   2065069 – Observed RMM Domain in DNS Lookup (n-able .com)  2065076 – Observed RMM Domain in DNS Lookup (remote .management)  2049863 – simplehelp Remote Access Software Activity  2047669 – fleetdeck Remote Management Software Domain in DNS Lookup (fleetdeck .io)  2061989 – Observed DNS Query to RMM Domain (gotoresolve .com)  Select IOCs  Indicator  Description  First Seen  carrier-packets[.]net    Payload Staging Domain  October 2025    claimeprogressive[.]com  Payload Staging Domain  October 2025  confirmation-rate[.]com  Payload Staging Domain  October 2025  wjwrateconfirmation[.]com  Payload Staging Domain  October 2025  rateconfirm[.]net  Payload Staging Domain  October 2025  ilove-pdf[.]net  Payload Staging Domain  October 2025  vehicle-release[.]com  Payload Staging Domain  October 2025  carrierpack[.]net  Payload Staging Domain  October 2025  car-hauling[.]com  Payload Staging Domain  October 2025  carrier-packets[.]com  Payload Staging Domain  October 2025  i-lovepdf[.]net  Payload Staging Domain  September 2025  fleetcarrier[.]net  Payload Staging Domain  September 2025  scarrierpack[.]com  Payload Staging Domain  September 2025  carrieragreements[.]com   Payload Staging Domain  September 2025  brokeragepacket[.]com  Payload Staging Domain  September 2025  brokerpackets[.]com  Payload Staging Domain  September 2025  centraldispach[.]net  Payload Staging Domain  September 2025  carriersetup[.]net  Payload Staging Domain  September 2025  brokercarriersetup[.]com  Payload Staging Domain  September 2025  carrierpacket[.]online  Payload Staging Domain  September 2025  billpay-info[.]com  Payload Staging Domain  August 2025  nextgen223[.]com  Payload Staging Domain  August 2025  fleetgo0[.]com  Payload Staging Domain  July 2025  nextgen1[.]net  Payload Staging Domain  July 2025  nextgen01[.]net  Payload Staging Domain  June 2025  ratecnf[.]com  Payload Staging Domain  June 2025  ratecnf[.]net  Payload Staging Domain  June 2025  dwssa[.]top  ScreenConnect C2  June 2025  ggdt35[.]anondns[.]net  ScreenConnect C2  August 2025  qtq2haw[.]anondns[.]net  ScreenConnect C2  September 2025  officews101[.]com  ScreenConnect C2  September 2025  instance-hirb01-relay[.]screenconnect[.]com  ScreenConnect C2  September 2025  185[.]80[.]234[.]36  SimpleHelp C2  August 2025  147[.]45[.]218[.]66  SimpleHelp C2  September 2025  70983c62244c235d766cc9ac1641e3fb631744bc68307734631af8d766f25acf  LogMeIn SHA256 Hash  October 2025  4e6f65d47a4d7a7a03125322e3cddeeb3165dd872daf55cd078ee2204336789c  N-able SHA256 Hash  October 2025  cf0cee4a57aaf725341d760883d5dfb71bb83d1b3a283b54161403099b8676ec  ScreenConnect SHA256 Hash  October 2025  913375a20d7250f36af1c8e1322d1541c9582aa81b9e23ecad700fb280ef0d8c  Fleetdeck SHA256 Hash  September 2025  8a00b3b3fd3a8f6b3ec213ae2ae4efd41dd5738b992560010ab0367fee72cd2a  SimpleHelp SHA256 Hash  September 2025  559618e2ffbd3b8b849a6ad0d73a5630f87033976c7adccbd80c41c0b2312765  PDQ Connect SHA256 Hash  September 2025 

Proofpoint releases innovative detections for threat hunting: PDF Object Hashing

23 October 2025 at 18:28
Key findings Proofpoint created a new open-source tool for creating threat detection rules based on unique characteristics in PDFs called “PDF Object Hashing”.  This technique can help with identifying related documents and enable attribution when threat actors rely on PDFs for malware or credential phishing payloads.  Proofpoint uses this tool internally to help track multiple threat actors.  The tool is now available on GitHub.   Overview  The PDF format is widely used by threat actors to kickstart malicious activity. In email campaigns, Proofpoint researchers observe PDFs distributed in many ways. For example, threat actors often distribute PDFs that contain URLs leading to malware or credential phishing; PDFs with QR codes leading to malicious web pages; or PDFs with fake banking details or invoices to enable business email compromise (BEC) activity.   Figure 1. Example PDF lures used by threat actors impersonating various brands.  Due to the complex nature of the PDF format and the many ways threat actors use it to their advantage, detecting malicious PDF files can range from straightforward to nearly impossible. Proofpoint researchers have identified notable campaigns leveraging PDFs and have created a new tool called PDF Object Hashing designed to track and detect the unique characteristics of PDFs used by threat actors. The tool supports attribution by identifying PDFs that are likely associated with specific threat actors, even when attack chains or delivery methods change.   PDF Object Hashing  The PDF format is complex, which can cause issues when creating new detection signatures. One challenge detection engineers face with the PDF format is that, for compatibility reasons, the PDF specification permits multiple ways to represent a PDF that appears identical when viewed. This gives threat actors a multitude of options to introduce random variations in their malicious PDFs, making it difficult for threat detection engineers to write pattern-matching signatures that address all variations. Examples of the options for variation include the following:   Six different valid whitespace characters  Cross reference tables (think table of contents) can be stored in plaintext or compressed and stored in a separate format  Parameter values for an object can be embedded in that object, or referenced in another object  Additionally, some objects are present in the document as clear text and others are compressed in “stream objects.” A stream object is a compressed object within the PDF that the PDF viewer can still access. This means a domain that a security practitioner is trying to alert on might not be visible unless you are inspecting these compressed streams. While most detection engineers recognize that elements like URIs or lure images can change frequently, the PDF format includes numerous additional format-specific hurdles that must be considered when analyzing a file.   A specific challenge in defending against PDF threats occurs when the file is encrypted. When a PDF file is encrypted, the overall structure of the document remains visible, but the details or parameters of the individual objects are obscured. The following screenshot demonstrates how objects such as URI strings are hidden when the PDF is encrypted but are visible when not encrypted.   Figures 2 and 3. Example of both a standard (obj 5) and encrypted URI object (obj 10).  Proofpoint researchers created unique PDF Object Hashing detections to combat challenges presented with the PDF format. Instead of relying on more fragile or temporary detections such as file hashes, URLs, lure images, and metadata values, we are able to focus on the structure of the document. While more robust detections exist using techniques like dhash to compare image similarity, PDF Object Hashing applies to the overall structure of the document, allowing us to ignore specific lure images. By examining the type of objects and the order in which they appear - while ignoring their specific parameters and details - we can create a “skeleton” or “template” representing the PDF document’s overall structure. These object types are then used to create a unique "fingerprint" of the PDF by hashing their values. Doing so allows us to search across a wide range of PDF files to detect and identify other files which potentially match the “fingerprint”. The process starts by parsing the document, following the locations of all the objects that are in use and then parsing out a “type” for each object. Below are just some of the types we extract:   Pages  Catalog  XObject/Image  Annots/Link  Page  Metadata/XML  Producer  Font/Type1  We then concatenate the objects in order and hash that value creating what we’ve called the PDF Object Hash. This works similar to how imphash works in PE files. We can then cluster on these hashes to help identify variations and image lure updates that may have taken place with a particular document. This is useful for identifying documents where an image lure was updated, or a URI was changed, but the overall document is still similar, which could indicate a builder or process unique to a threat group.   Figure 4. Overlap with PDF Object Hash (green) and then the below PDFs (yellow).  Figure 5. Two distinct lures which all contain the same types of objects.  PDF Object Hashing can be a reliable way of generating signals which can be used with other detection logic to help create more robust rules and to cluster PDF files into groups for more focused analysis. Proofpoint researchers have used the tool internally to identify documents and related activity with high confidence, improving attribution in many cases.   Campaign examples  To illustrate how PDF Object Hashing can help with threat hunting and analysis, we can look at two interesting threat actors.   The threat cluster known as UAC-0050 targets Ukraine and frequently distributes encrypted PDFs delivering malware. In their campaigns, messages contain PDF files with URLs leading to NetSupport RAT. The URL typically downloads a compressed JavaScript file which, if executed, installs the NetSupport RAT payload.   Figure 6. Example PDF impersonating OneDrive. (SHA256: ee03ad7c8f1e25ad157ab3cd9b0d6109b30867572e7e13298a3ce2072ae13e5).   Because these malicious PDF files are encrypted, many cybersecurity tools and other PDF parsing systems are unable to extract the embedded content, including the URI, the lure image, and parameters associated with the content of the document. Regardless of encryption, PDFs retain an internal document structure (e.g., a hierarchy of objects and attributes) that can be parsed to reveal how those objects are organized and related within the file. Using PDF Object Hashing, Proofpoint developed a unique signature for these PDFs without needing to decrypt or analyze specific contents of their internal objects. This approach allowed for the rapid identification of other potentially related PDF documents that potentially share the same structure, while also allowing us to condemn and prevent payload delivery.   Another actor currently employing PDFs and tracked using PDF Object Hashing is UNK_ArmyDrive. Tracked by Proofpoint since May 2025, this actor is believed to operate out of India and has a history of using PDFs as part of their attack chain. While Proofpoint has traditional detection coverage of this group, we also have augmented that coverage with PDF Object Hashing. Doing so provides additional signals from the static characteristics in their documents that we can use to find samples that may otherwise be missed if the group were to pivot away from existing lures.  Figure 7. Example UNK_ArmyDrive PDFs impersonating the Bangladesh Ministry of Defense (08367ec03ede1d69aa51de1e55caf3a75e6568aa76790c39b39a00d1b71c9084).  The open source project for PDF Object Hashing can be found in the Proofpoint Emerging Threats public GitHub: https://github.com/EmergingThreats/pdf_object_hashing 

Beyond credentials: weaponizing OAuth applications for persistent cloud access

21 October 2025 at 17:01
Key takeaways        OAuth applications can be used to gain persistent access within compromised environments.  OAuth applications maintain their authorized access even if user credentials are reset, or multifactor authentication is enforced.  Such attacks can be fully automated as shown in a PoC and a dedicated tool created by Proofpoint researchers.  Threat actors are already actively exploiting those vulnerabilities.  Introduction  Cloud account takeover (ATO) attacks have become a significant concern in recent years, with cybercriminals and state-sponsored actors increasingly adopting malicious OAuth applications as a means to gain persistent access within compromised environments. These attacks allow malicious actors to hijack user accounts, conduct reconnaissance, exfiltrate data, and launch further malicious activities.  The security implications are particularly concerning. Once an attacker gains access to a cloud account they can create and authorize internal (second party) applications with custom-defined scopes and permissions. This capability enables persistent access to critical resources such as mailboxes and files, effectively circumventing traditional security measures like password changes.  To better understand and demonstrate this attack vector, Proofpoint researchers have developed a tool that automates the creation of malicious internal applications within a compromised cloud environment. This blog post provides an in-depth technical analysis of that tool and its implications for enterprise security. Additionally, we will examine a real-world incident detected through our telemetry, offering concrete evidence of how threat actors are actively exploiting such vulnerabilities in the wild.  OAuth application types: second-party vs. third-party  In the context of cloud environments, particularly Microsoft Entra ID, it's crucial to understand the distinction between second-party and third-party applications.  Second-party applications. These are applications registered directly within an organization's tenant. Also known as internal applications, they are generally created and managed by the organization's administrators or users with appropriate privileges. Second-party applications inherit a level of implicit trust within the environment, as they originate from within the organization's own directory.  Third-party applications. These applications are registered in external tenants and request access to resources in other organizations' tenants. Common examples include widely-used services like Zoom or DocuSign. Third-party applications typically undergo additional scrutiny through administrative consent workflows and organizational security policies before being granted access.  This distinction is particularly relevant from a security perspective, as threat actors often prefer creating second-party applications during post-exploitation phases. These internal applications can be more difficult to detect and may bypass security controls designed primarily for external application monitoring.  Attack flow  Initial access vector Cybercriminals often leverage a combination of techniques to gain initial access to cloud user accounts. One common tactic is the use of reverse proxy toolkits accompanied by individualized phishing lures that enable the theft of credentials and session cookies (more information can be found in our recent blog about FIDO downgrade attack).  Once the attackers have stolen a user's login credentials, they can establish unauthorized access to the targeted accounts, setting the stage for the next phases of the attack.  Establishing persistence through OAuth applications Following successful initial access, attackers often pivot to creation and deployment of malicious OAuth applications. This process typically involves:  Leveraging the compromised account's privileges to register new internal applications.  Configuring specific permissions and API scopes for maximum impact.  Authorizing these applications to access critical organizational resources.  The strategic value of this approach lies in its persistence mechanism: even if the compromised user's credentials are reset or multifactor authentication is enforced, the malicious OAuth applications maintain their authorized access. This creates a resilient backdoor that can remain undetected within the environment indefinitely, unless specifically identified and remediated.  Technical implementation: automating OAuth-based persistence  Proofpoint researchers have developed an automated toolkit which demonstrates methods by which threat actors establish persistent access through malicious OAuth applications. The PoC implements several key capabilities that mirror real-world attack scenarios.  Core functionality  Automated OAuth application registration and configuration  Customizable permission scope selection Persistent access mechanism independent of user credentials Configurable application naming conventions Operational workflow Starting from an initially compromised account, the tool streamlines the post-exploitation process through automated application creation. While this demonstration uses randomized application names, real-world threat actors typically employ deceptive naming strategies that mimic legitimate business applications to avoid detection.  Figure 1: Future Account Super-Secret Access tool, Version 1:  Welcome screen.  During the automated deployment process, an application is registered with pre-configured permission scopes that align with the attacker's objectives. A critical aspect of this implementation is the ownership attribution: the compromised user account becomes the registered owner of the newly created application, effectively establishing it as a legitimate internal resource within the organization's environment.  This ownership model provides several tactical advantages: The application appears as an internally developed resource and the authentication requests originate from within the organization's tenant. The application inherits trust relationships associated with internal resources and standard third-party application security controls may not detect or flag this activity.  Figure 2: Application creation process. In the example the app name is 'justSOMEniceAPP'.  Figure 3: Application scopes selected: Mail.Read and offline_access.  Upon successful application registration, the tool automatically establishes two critical authentication components.  Application secret generation  The tool first creates a cryptographic client secret for the application. This serves as the application's own authentication credential, required for confidential client authentication flows. This is essential for server-side applications requesting tokens.  Token harvest   The automation then proceeds to collect multiple OAuth token types, each serving distinct purposes in maintaining persistent access: an access token, a refresh token, and an ID token.  Figure 4: Tokens collected.  To validate the effectiveness of this persistence mechanism, this tool includes a practical demonstration of access retention.   Credential reset test - User's password is changed to simulate standard incident response. This action would typically terminate unauthorized access obtained through stolen credentials.  Figure 5: Demonstration of user password change.  Access verification - Despite the password change, the malicious application maintains full access. Some OAuth tokens and application secret continue to function, and all previously authorized permissions remain active.  Figure 6: New tokens generated after the password change.  Following the password reset, this tool demonstrates the sustained effectiveness of the malicious application's access through several key activities.  Email access demonstration - Successfully retrieves user mailbox contents and maintains continuous access to incoming and historical emails. The app now operates independently of user credential changes.  The scope of unauthorized access extends well beyond email, encompassing any resources specified in the application's configured permissions, which may include, for example:   SharePoint documents and collaborative content OneDrive stored files Teams messages and channel data Calendar information Organizational contacts Other Microsoft 365 resources Figure 7: User emails accessed even after password change.  The malicious application's footprint can be observed within the Microsoft Entra ID administrative interface, specifically:  Location and Navigation Path: Entra ID Portal → App Registrations   Application appears as a standard internal registration  Application configuration details under the application's management interface, several key components are visible:  Application configuration:   Basic application metadata Authentication settings API permissions and granted scopes Client secrets - Located under 'Certificates & Secrets' section:  Displays the active secret credentials. This is a critical component enabling persistent programmatic access. Expiration dates and secret status This visibility in standard administrative interfaces underscores the importance of regular application auditing and monitoring, as malicious applications may blend in with legitimate business applications unless specifically scrutinized.  Figure 8: Location of application secrets in Microsoft Azure. The malicious application's ability to maintain unauthorized access is directly tied to the absence of two critical factors.  Access termination conditions   Manual deletion of the application registration and explicit revocation of granted permissions.  Expiration of the client secret credentials.  In this demonstration, the application's client secret is configured with a two-year validity period, providing the attacker with:   Extended persistent access without requiring credential renewal Long-term capability to access protected resources Significant window of opportunity for data exfiltration Prolonged dwell time within the environment This extended persistence window presents substantial risks, potential for long-term undetected access, continued data exposure even after initial compromise discovery, challenges in identifying historical unauthorized access, and the need for proactive application lifecycle management.  Without active discovery and remediation efforts, the application remains a viable attack vector until either administrative action is taken, or the client secret naturally expires.  Real-world attack analysis  Our telemetry revealed a real-world account takeover (ATO) incident that persisted for four days. The initial compromise was detected through a successful login attempt using the user agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Iron Safari/537.36'. Based on our threat intelligence, this user agent signature is most likely associated with Adversary-in-the-Middle (AiTM) phishing attacks, specifically the Tycoon phishing kit.  The threat actor, operating through US-based VPN proxies, executed several malicious actions:  Created malicious mailbox rules Registered an internal application named 'test' Added application secrets with Mail.Read and offline_access permissions, enabling persistent access to the victim's mailbox even after password changes After approximately 4 days the user's password was changed, following which we observed failed login attempts from a Nigerian residential IP address, suggesting the threat actor's possible origin. However, the application remained active. This case study serves as a concrete example of the attack patterns discussed in our blog, demonstrating that these threats are not merely theoretical - but active, exploited risks in the current threat landscape.  Remediation and recommendations Upon discovery of a suspected malicious application in the environment, immediate remediation steps are critical.  Priority actions  Client secret revocation - Immediately invalidate all client secrets. Remove all existing certificates. This immediately terminates the application's ability to request new tokens.  User token revocation - Immediately revoke all existing user tokens.  Application removal - Delete the entire application registration and revoke all previously granted permissions. Remove all associated service principals.  Implement continuous monitoring - By continuously monitoring your line-of-business apps and applying automatic remediation, you may prevent attackers from establishing persistent access to valuable resources. This can also help to stop them from launching more attacks.   Empower your users - Your users are a vital part of your defense. Conduct regular trainings to educate them on how to:   Recognize malicious apps and tenants that seem credible.  Treat unexpected consent requests as suspicious.  Promptly report unusual application authorizations.  
❌