Trustwave

Tycoon2FA and Dadsec PhaaS Platforms Linked in Advanced MFA-Bypass Phishing Campaigns

A new phishing campaign leveraging the Tycoon2FA Phishing-as-a-Service (PhaaS) platform has been linked to the threat actor Storm-1575, also known for the Dadsec platform.

Yet Another NodeJS Backdoor (YaNB): A Modern Challenge

Trustwave SpiderLabs uncovered a resurgence of malicious campaigns in March 2025 that exploit deceptive CAPTCHA verifications to deploy NodeJS-based backdoors. The campaign is referred to as "Yet Another NodeJS Backdoor (YaNB)."

Proton66 Part 2: Compromised WordPress Pages and Malware Campaigns

A recent surge in malicious activity has been observed originating from the Proton66 ASN. This activity includes mass scanning, credential brute forcing, and exploitation attempts. The observed activity is targeting organizations worldwide.

A Deep Dive into Strela Stealer and how it Targets European Countries

The Strela Stealer is an infostealer that exfiltrates email log-in credentials and has been in the wild since late 2022. It is a precisely focused malware, targeting Mozilla Thunderbird and Microsoft Outlook on systems in chosen European countries.

Search & Spoof: Abuse of Windows Search to Redirect to Malware

The campaign begins with a phishing email that contains an HTML attachment disguised as a routine document in a ZIP archive. The HTML file uses obfuscation techniques to evade detection and exploit vulnerabilities in Windows system functionalities.

Fake Advanced IP Scanner Installer Delivers Dangerous Cobalt Strike Backdoor

Trustwave SpiderLabs recently discovered a dangerous backdoored DLL module within a fake version of the Advanced IP Scanner installer. The malicious version of the installer contains a DLL named pcre.dll.

Phishing Deception - Suspended Domains Reveal Malicious Payload for Latin American Region

The phishing email contained a ZIP file attachment that, when extracted, reveals an HTML file that leads to a malicious file download posing as an invoice. The email header has an email address format that uses the domain ‘temporary[.]link’.

Agent Tesla's New Ride: The Rise of a Novel Loader

Recently, SpiderLabs identified a phishing email with an attached archive that included a Windows executable disguised as a fraudulent bank payment. This action initiated an infection chain culminating in the deployment of Agent Tesla.

Ov3r_Stealer Malware Spreads via Phishing and Facebook Advertising

The malware is distributed through a multi-stage infection chain involving weaponized PDF files, internet shortcuts, and PowerShell loaders, with similarities to the previously disclosed Phemedrone Stealer.

Microsoft Encrypted Restricted Permission Messages Deliver Phishing

Trustwave researchers reported that, over recent days, they had observed phishing attacks that employed a mix of compromised Microsoft 365 accounts and .rpmsg encrypted emails to distribute the phishing message.
