Proof Point

CoGUI Phish Kit Targets Japan with Millions of Messages

Proofpoint has observed a notable increase in high-volume Japanese language campaigns targeting organizations in Japan to deliver a phishing kit named CoGUI. Most of the campaigns abuse Amazon, PayPay, Rakuten, and others.

French BEC Threat Actor Targets Property Payments

TA2900 is targeting French-speaking individuals with fraudulent rental payment schemes. The campaigns are designed to steal funds by impersonating rental agencies and redirecting rent payments to attacker-controlled bank accounts.

Around the World in 90 Days: State-Sponsored Actors Try ClickFix

Multiple state-sponsored hacking groups from Iran, North Korea, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware over three months from late 2024 through the beginning of 2025.

HTTP Client Tools Exploitation for Account Takeover Attacks

Most HTTP-based cloud attacks utilize brute force methods, resulting in low success rates. Proofpoint found that a recent campaign using the unique HTTP client Axios had an especially high success rate, compromising 43% of targeted user accounts.

TA397’s New Attack Chain Delivers WmRAT and MiyaRAT Malware for Espionage

The attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads.

Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape

Proofpoint researchers have identified an increase in ClickFix. The ClickFix social engineering technique uses dialogue boxes containing fake error messages to trick people into copying, pasting, and running malicious content on their own computer.

Royal Mail-Themed Lures Deliver Open Source Prince Ransomware

Hackers posed as the UK's Royal Mail to spread Prince ransomware in a destructive campaign that targeted organizations in the US and UK in mid-September. Unlike typical ransomware attacks, this campaign had no decryption methods.

Suspected Espionage Campaign Delivers New Voldemort Malware

The campaign, which targeted organizations worldwide, involved impersonating tax authorities from various countries and utilizing Google Sheets for command and control (C2).

TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset

Iran-linked TA453 targeted a religious figure with a fake podcast interview invitation, attempting to deliver the BlackSmith malware toolkit. The initial lure involved an email leading to a malicious link containing the AnvilEcho PowerShell trojan.

Threat Actor Abuses Trial Feature for Cloudflare Tunnels to Deliver RATs

Hackers are exploiting the free TryCloudflare service to distribute remote access trojans (RATs) like AsyncRAT, GuLoader, and Remcos RAT. This activity was first detected in February and has been linked to campaigns targeting various industries.
