Cyber Security News

Threat Actors Mimic Popular Brands to Deceive Users and Deploy Malware in New Wave of Attacks

Cybercriminals have launched a sophisticated campaign that leverages brand impersonation techniques to distribute malware through deceptive SMS phishing (smishing) attacks.

This emerging threat demonstrates an evolution in social engineering tactics, where attackers strategically craft URLs containing trusted brand names to bypass user skepticism and security filters.

The attack methodology centers on manipulating URL structures to create false legitimacy.

Threat actors embed recognizable brand names before the “@” symbol in malicious URLs, followed by the actual malicious domain.

This technique exploits user psychology, as recipients often focus on familiar brand names rather than scrutinizing the complete URL structure.

Unit 42 researchers identified that this wave of attacks extends beyond simple URL manipulation, incorporating deceptively named group messaging campaigns and strategically aged hostnames to enhance credibility.

The attackers have demonstrated particular interest in utilizing .xin domain extensions, which provide an additional layer of obfuscation while maintaining apparent legitimacy.

The campaigns typically initiate through SMS messages appearing to originate from legitimate organizations, directing recipients to click malicious links for account verification, delivery notifications, or security alerts.

Upon interaction, these URLs redirect users to credential harvesting pages or trigger automatic malware downloads targeting mobile and desktop platforms.

Advanced Infection Mechanisms and Domain Tactics

The sophisticated nature of these attacks lies in their multi-stage infection process and domain preparation strategies. Attackers pre-register domains months in advance, allowing them to establish domain reputation scores that evade automated security screening.

The malicious infrastructure employs rotating subdomains and URL shortening services to complicate tracking efforts.

Example malicious URL structure:
hxxps://amazon-security@malicious-domain.xin/verify-account
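
A detection-side sketch of the URL structure above, added here as an example and not taken from Unit 42 or the original article: URL parsers treat everything before the last "@" in the authority as userinfo, so the real destination is the host that follows it. The brand watchlist, the function names and the sample SMS are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed watchlist: brand keyword -> domains the brand actually uses.
BRAND_DOMAINS = {"amazon": ("amazon.com",), "paypal": ("paypal.com",)}
WATCHED_TLDS = {"xin"}  # TLD named in the article; extend as needed
URL_RE = re.compile(r"h(?:tt|xx)ps?://\S+", re.IGNORECASE)


def refang(url):
    """Undo common defanging (hxxp, [.]) so the URL can be parsed."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def analyze_url(url):
    """Return (real_host, reasons) for one URL; empty reasons means no flag."""
    try:
        parts = urlsplit(refang(url))
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. broken IPv6 brackets
        return "", ["unparseable"]
    # Everything before the last "@" in the authority is userinfo, not the host.
    userinfo = unquote(parts.netloc.rpartition("@")[0]).lower()
    reasons = []
    if userinfo:
        reasons.append("userinfo-present")
        for brand, domains in BRAND_DOMAINS.items():
            on_brand = any(host == d or host.endswith("." + d) for d in domains)
            if brand in userinfo and not on_brand:
                reasons.append("brand-in-userinfo:" + brand)
    if host.rpartition(".")[2] in WATCHED_TLDS:
        reasons.append("watched-tld:" + host.rpartition(".")[2])
    return host, reasons


def scan_message(text):
    """Extract URLs from an SMS body and return only the flagged ones."""
    findings = []
    for match in URL_RE.findall(text):
        host, reasons = analyze_url(match)
        if reasons:
            findings.append({"url": match, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Constructed sample SMS using the article's defanged example URL.
    sms = "Your account is locked. Verify: hxxps://amazon-security@malicious-domain.xin/verify-account"
    for finding in scan_message(sms):
        print(finding)
```

Legitimate consumer links almost never carry userinfo, so the "userinfo-present" flag alone is a useful triage signal even when the brand list misses a name.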

The payload delivery mechanism utilizes progressive profiling, where initial clicks gather device fingerprinting data before deploying platform-specific malware variants.

This approach maximizes infection success rates while minimizing detection by security solutions that rely on static URL analysis.


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
