Smishing Triad spawns toll phishing wave

SMS messages impersonate various tollway systems in the U.S.

A roundup of some of the noteworthy developments in the cybersecurity landscape, encompassing the latest vulnerability discoveries and emerging attack trends. Here are this edition’s top stories -

↘️ A new malvertising campaign targeting SEO professionals is using fake Semrush ads to harvest victims’ Google account credentials and data. In doing so, the idea is to create new malvertising campaigns using the hijacked accounts, leading to a type of “cascading fraud” that creates a never-ending cycle of more and more compromised accounts. The activity builds on a recent campaign targeting Google accounts via Google Ads by abusing Google Sites. A Brazilian threat group is said to be behind the activity. “While the phishing page uses the Semrush brand, only the ‘Log in with Google’ option is enabled, forcing victims to authenticate with their Google account username and password,” Malwarebytes said. [Malwarebytes]

↘️ The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to terminate anti-malware tools. The driver samples are signed using likely stolen, revoked certificates from Chinese companies, allowing it to sidestep security defenses. The development comes as cybercriminals are abusing Microsoft's Trusted Signing platform to sign malware executables with short-lived three-day certificates. [The Hacker News]

via Tenor

↘️ The China-aligned Aquatic Panda has been linked to a “global espionage campaign” that took place in 2022 targeting seven organizations in Taiwan, Hungary, Turkey, Thailand, France, and the United States. The attacks, which occurred between January and October 2022, have been codenamed Operation FishMedley. The intrusion set made use of an as-yet-unknown initial access vector to deploy malware families such as ShadowPad, Spyder, SodaMaster, and a previously undocumented C++ implant called RPipeCommander. [The Hacker News]

↘️ UNC3886, a China-nexus hacking group previously known for breaching edge devices and virtualization technologies, targeted end-of-life MX Series routers from Juniper Networks as part of a campaign designed to deploy six distinct TinyShell-based backdoors. Less than 10 organizations have been targeted as part of the campaign. “The backdoors had varying custom capabilities, including active and passive backdoor functions, as well as an embedded script that disables logging mechanisms on the target device,“ Mandiant said. Further analysis by Juniper Networks has revealed that at least one security vulnerability (CVE-2025-21590) contributed to a successful attack that allowed the threat actors to bypass security protections and execute malicious code. [The Hacker News]

↘️ A threat actor known as Storm-1865 has been observed leveraging the increasingly popular ClickFix strategy as part of a phishing campaign that uses Booking.com lures to direct users to credential-stealing malware. The campaign, ongoing since December 2024, casts a wide geographical net, spanning North America, Oceania, South and Southeast Asia, and Northern, Southern, Eastern, and Western Europe. [The Hacker News]

↘️ Cybersecurity ad intelligence agencies from Australia, Canada, New Zealand, and the United States have published a joint advisory about the risks associated with a technique called fast flux that has been adopted by threat actors to obscure command-and-control (C2) channels and deliver malware. The sheer number of IP addresses used in fast flux operations makes it a formidable challenge to take down such domains. With these IP addresses connected to a DNS record for minutes before being swapped out for another, the rapid turnover makes it harder to block such domains at the IP address level. As CyberScoop puts, the scenario is “akin to searching for needles in a constantly shifting haystack.” The first step in fast flux is to enlist a botnet — swathes of infected computers, each with their own IP, that serve as proxies and relay points, thereby making it more difficult to block or take down malicious infrastructure. [The Hacker News]

↘️ The China-nexus cyber espionage group tracked as UNC5221 exploited a now-patched flaw in Ivanti Connect Secure, CVE-2025-22457 (CVSS score: 9.0), to deliver an in-memory dropper called TRAILBLAZE, a passive backdoor codenamed BRUSHFIRE, and the SPAWN malware suite. The vulnerability was originally patched by Ivanti on February 11, 2025, indicating that the threat actors studied the patch and figured out a way to exploit prior versions to breach unpatched systems. UNC5221 is believed to share overlaps with clusters tracked by the broader cybersecurity community under the monikers APT27, Silk Typhoon, and UTA0178. [The Hacker News]

↘️ An up-and-coming threat actor operating under the alias EncryptHub has been exposed due to a series of operational security blunders. What distinguishes EncryptHub from other typical cybercriminals is the dichotomy of their online activities – while conducting malicious campaigns, the individual simultaneously contributed to legitimate security research, even receiving acknowledgment from the Microsoft Security Response Center (MSRC) last month for discovering and reporting CVE-2025-24061 and CVE-2025-2407. Another interesting aspect of EncryptHub is their use of OpenAI ChatGPT as a “partner in crime,” leveraging it for malware development and translation tasks. In some particularly revealing conversations with the artificial intelligence (AI) chatbot, EncryptHub asked it to evaluate whether he was better suited to be a “black hat or white hat” hacker and if would be better being a “a cool hacker or a malicious researcher,” even going to the extent of confessing to his criminal activities and the exploits he had developed. “When people think of cybercriminals, they tend to imagine high-tech, government-backed teams and elite hackers using cutting-edge technology,” Outpost24 said. “However, many hackers are normal people who at some point decided to follow a dark path.” [The Hacker News]

↘️ The North Korean threat actors behind the ongoing Contagious Interview campaign have been observed adopting the infamous ClickFix social engineering strategy to deliver a previously undocumented backdoor called GolangGhost. The adversarial collective have also published as many as 11 npm packages that deliver the BeaverTail information stealer malware, as well as a new remote access trojan (RAT) loader. The packages were downloaded more than 5,600 times prior to their removal. [The Hacker News]

↘️ DrayTek is warning that its routers “were targeted to repeated, suspicious, and potentially malicious TCP connection attempts originating from IP addresses with known bad reputations,” adding the attacks appear to mainly involve older router models running outdated firmware. “These attempts could trigger the router to reboot in unpatched devices if those devices have SSL VPN Enabled, or Remote Management enabled without the protection of an Access Control List (ACL),” it noted. As mitigations, the company is urging customers to keep their firmware up-to-date. In the meanwhile, threat intelligence firm GreyNoise has revealed that it has observed several known vulnerabilities in DrayTek devices being exploited in the wild, including CVE-2020-8515, CVE-2021-20123, and CVE-2021-20124. [DrayTek / GreyNoise]

↘️ The Chinese cybercriminal group known as Smishing Triad are now targeting customers of international financial institutions, while simultaneously expanding their cybercrime infrastructure and support staff. The threat actor is known for SMS phishing kits that are designed to steal sensitive personal and financial information by impersonating toll road operators, retailers, shipping companies, postal services, private couriers, and global shipping firms. The phished payment card data is then enrolled into mobile wallets from Apple and Google to facilitate cash out operations at scale. A notable aspect of the campaigns is the use of Apple iMessage and Google RCS messages to send the phishing missives. In a significant expansion of the fraud campaign, Smishing Triad now spoofs recognizable brands in a variety of industry verticals across at least 121 countries and a vast number of industries, including the postal, logistics, telecommunications, transportation, finance, retail and public sectors. Around 200,000 domains have been used by the group in recent years, per Silent Push, with around 187 top-level domains, such as .top, .world, and .vip, being used. There were more than 1 million page visits to scam websites operated by the threat actor within a period of only 20 days, averaging 50,000 per day. Smishing Triad is part of a group of loosely linked cybercriminals from the Chinese cybercrime ecosystem that have released phishing kits like Lucid and Darcula with overlapping characteristics, turning it into a large-scale fraudulent enterprise. [The Hacker News / Krebs on Security / WIRED]

↘️ Threat actors could leverage stolen certificates and private keys left exposed in container images to impersonate users and enable the attacks to remain hidden longer, according to Trend Micro. The research found 2,278 unique private keys, out of which 169 are SSH private keys. Eighty-eight of the most vulnerable private keys lack any password protection, exposing them to potential security threats. “As a rule of thumb, any secret or credential, including certificates and private keys, should never be baked into a container image,” Trend Micro said. “Instead, consider using environment variables or secrets management solutions (like HashiCorp Vault, AWS Secrets Manager, or Docker/Kubernetes secrets) that inject credentials at runtime.” [Trend Micro]

via Trend Micro

↘️ Google has addressed a high-severity security flaw in its Chrome browser for Windows that has been exploited by unknown actors as part of a sophisticated attack aimed at Russian entities. The flaw, CVE-2025-2783 (CVSS score: 8.3), is said to have been combined with another exploit to break out of the browser's sandbox and achieve remote code execution. The attacks involved distributing specially crafted links via phishing emails that, when clicked and launched using Chrome, triggered the exploit. A similar flaw has since been patched in Mozilla Firefox and Tor Browser (CVE-2025-2857), although there is no evidence that it has been exploited. [The Hacker News]

↘️ RedCurl, a threat actor known for its corporate espionage attacks since late 2018, has been observed delivering a custom ransomware family called QWCrypt via a sophisticated multi-stage infection chain. Bitdefender, which flagged the activity, said the “unusual deviation” in tactics poses more questions than answers about their motivations, raising the possibility that it may be either a cyber mercenary group or a discreet operation designed to generate consistent revenue. [The Hacker News]

↘️ A security affecting the Windows Common Log File System (CLFS) was exploited as a zero-day in ransomware attacks aimed at a small number of targets, Microsoft revealed. The flaw, CVE-2025-29824, is a privilege escalation vulnerability that could allow an attacker to obtain SYSTEM privileges. An exploit for the vulnerability has been found to be delivered via a trojan called PipeMagic, with the unknown threat actors, tracked by Microsoft as Storm-2460, conducting credential harvesting and dropping a ransomware payload as part of post-compromise exploitation activities. The exact nature of the payload is unclear, however, the ransom note dropped after encryption included a TOR domain tied to the RansomEXX ransomware family. CVE-2025-29824 was addressed by Microsoft as part of its Patch Tuesday update for April 2025. [The Hacker News]

↘️ Fortinet revealed that threat actors have found a way to maintain read-only access to FortiGate devices even after the initial access vector used to breach the devices was patched. “This was achieved via creating a symbolic link (aka symlink) connecting the user file system and the root file system in a folder used to serve language files for the SSL-VPN,” the company said. Fortinet has released patches to eliminate the behavior. [The Hacker News]

↘️ The Russia-linked threat actor known as Gamaredon targeted a foreign military mission based in Ukraine to deliver an updated version of a known malware called GammaSteel using what appears to be an already infected removable drive. The attack paves the way for a reconnaissance utility and an improved version of GammaSteel, an information stealer that’s capable of exfiltrating files from a victim based on an extension allowlist from the Desktop and Documents folders. [The Hacker News]

↘️ The China-aligned ToddyCat advanced persistent threat (APT) group exploited a vulnerability in ESET’s antivirus software to silently execute a malicious payload called TCESB on infected devices. The dynamic link library (DLL) search order hijacking vulnerability (CVE-2024-11859) was patched in January after responsible disclosure. DLL search order hijacking is a kind of vulnerability that occurs when an application searches and loads a required DLL in an insecure order, such as starting with the current directory rather than a trusted system directory. In such instances, an attacker can try to trick the application into loading a malicious DLL as opposed to its legitimate counterpart. Once executed, TCESB reads the running kernel version and disables notification routines, installs a vulnerable driver for defense evasion, and launches an unspecified payload. [The Hacker News]

↘️ Apple disclosed that two zero-day vulnerabilities were exploited in “extremely sophisticated attacks.” The flaws, CVE-2025-31200, a memory corruption flaw in CoreAudio, and CVE-2025-31201, which affects the Reconfigurable Processing Architecture Core (RPAC), affect iOS, iPadOS, macOS, tvOS, and visionOS. Apple offered little details about how they were weaponized in the wild or who were the targets, as is typically the case to prevent other threat actors from exploiting them before a patch could be applied. However, it acknowledged the issues may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS." But given the targeted nature of these campaigns, it was likely conducted by a some kind of state-sponsored threat actor. “More zero days needed to hit a target means a higher cost per target. Overall this means less targets for the same budget so less attacks,” security researcher Costin Raiu said in a post on X. “Still, would be great to know who was behind it, how to check if you were hit and who were the targets.” [The Hacker News]

↘️ The China-linked threat actor known as Mustang Panda targeted an unspecified organization in Myanmar with an updated version of its signature backdoor, TONESHELL, in addition to debuting four new attack tools: two keyloggers (PAKLOG and CorKLOG), a utility for facilitating lateral movement (StarProxy), and a driver to evade endpoint detection and response (EDR) software (SplatCloak). The findings demonstrate the continued evolution of the threat actor's tradecraft to sidestep detection. [The Hacker News]

↘️ Google’s DeepMind division has outlined CaMeL (short for CApabilities for MachinE Learning) to tackle en emerging class of artificial intelligence threat called prompt injection attacks that arise from handling untrusted data, causing large language models (LLMs) to ignore their ethical and safety guardrails. CaMeL is described as a defense mechanism that works even when the underlying model is susceptible to prompt injections. “To operate, CaMeL explicitly extracts the control and data flows from the (trusted) query; therefore, the untrusted data retrieved by the LLM can never impact the program flow,” the researchers said. “To further improve security, CaMeL relies on a notion of a capability to prevent the exfiltration of private data over unauthorized data flows.” However, that doesn’t mean CaMeL is a panacea. "CaMeL suffers from users needing to codify and specify security policies and maintain them,” DeepMind said. “CaMeL also comes with a user burden. At the same time, it is well known that balancing security with user experience, especially with de-classification and user fatigue, is challenging.” [arXiv / Simon Willison]

↘️ SentinelOne is alerting of a new supply chain threat that could arise as a result of subdomain takeovers, which occur when an attacker gains control of an organization’s improperly configured or unused subdomain — a scenario called Dangling DNS. “If a business stops using a SaaS provider but fails to remove or update the associated CNAME records, or if a service subscription payment lapse, attackers may be able to register the subdomain with that provider, potentially gaining control over it,” SentinelOne said. Dangling DNS could also involve scenarios where DNS records point to a deprovisioned or deleted cloud resource, an oversight that could be abused by an attacker to register their own S3 bucket with the same subdomain and upload content of their choice, including hosting malware and phishing landing pages. [SentinelOne]

↘️ More than 60 people in Tibetan areas of China have been arrested since 2021 for offenses connected to phone and internet use. “The more than 60 reported cases appear related to an increase in government surveillance during this period, including through mass phone searches and the use of mandatory phone apps with built-in government surveillance, as well as a tightened regulatory regime on data and religion,” Human Rights Watch said. The disclosure comes amid revelations that a Chinese state-owned company named SDIC Intelligence Xiamen Information Co Ltd (aka Meiya Pico) that was previously sanctioned by the U.S. for facilitating human rights abuses against Uyghurs is now training police officers in Tibet on hacking techniques and digital forensics. [Human Rights Watch]

↘️ Cybersecurity researchers have detailed a novel attack paradigm called Channel-System Triggered Backdoor Attack (CT-BA), where the backdoor trigger is a specific wireless channel. “This attack leverages fundamental physical layer characteristics, making it more covert and potentially more threatening compared to previous input-level attacks,” a group of IEEE Graduate Student Members said. “Specifically, we utilize channel gain with different fading distributions or channel noise with different power spectral densities as potential triggers. This approach establishes unprecedented attack flexibility as the adversary can select backdoor triggers from both fading characteristics and noise variations in diverse channel environments.” The researchers described CT-BA as a novel Semantic Symbol backdoor attack method that utilizes wireless channel as triggers. “CT-BA incorporates the time-varying characteristics of wireless channels and trains the backdoor task on specific channel conditions. During the testing phase, the backdoored model reconstructs the target images under preset channel conditions,” according to the study. [arXiv]

↘️ Cybersecurity researchers have revealed how "incorrect implementation" in Intel's Converged Security and Management Engine (CSME) security architecture could "lead to severe consequences, allowing access to root encryption keys and rendering the security model ineffective." To date, two security flaws have been discovered in CSME (CVE-2019-0090 and CVE-2021-0146). "There is a serious flaw in the implementation of SKS that allows extracting the binary data for the Fuse Encryption Key and thus decrypting the Security Fuses, which already means full platform compromise," Positive Technologies said. "The non-monolithic design of OCS and the required interaction methods between IP blocks led to a serious architectural issue that was overlooked by Intel engineers during the implementation of OCS. This architectural flaw resulted in a vulnerability and allowed us to extract the Fuse Encryption Key and fully compromise the Intel CSME security model." [PT Swarm]

↘️ A group of researchers from the Graz University of Technology has demonstrated a new side-channel leakage that bypasses Kernel Address Space Layout Randomization (KASLR) defenses and compromise the Linux kernel. Specifically, the study found that enabling any of three of the 127 defenses recommended by the Kernel Self-Protection Project (KSPP), such as enforcing strict memory permissions or virtualizing the kernel heap or kernel stack, could be weaponized to leak the locations of security-critical kernel objects. "These location disclosure attacks enable successful exploitations on the latest Linux kernel, facilitating reliable and stable system compromise both with re-enabled and new exploit techniques," the researchers said. The net result the so-called the Evict+Reload Translation Look-aside Buffer (TLB) side-channel attack is that it could be used to sidestep randomization protections and perform privilege escalation on modern kernels (e.g., v6.8) without crashes and nearly 100% reliability. [Lukas Maar]