
Daily Cybersecurity Roundup, February 10, 2026

Attackers are refining their tactics by abusing trust, combining phishing, legitimate platforms, and email authentication loopholes to amplify their reach. The Phorpiex botnet is distributing phishing emails with malicious .LNK attachments that launch a downloader, which ultimately deploys the GLOBAL GROUP ransomware. In parallel, a Telegram-based phishing campaign abuses the platform’s official API to trick users into authorizing attacker-controlled sessions, giving adversaries full account access and letting the scam propagate further. Meanwhile, attackers are using DKIM replay to resend legitimate Apple and PayPal invoice emails; because the original signatures remain valid, the re-sent copies pass email authentication checks and enable large-scale invoice fraud and abuse. Keep reading for more cybersecurity updates.

01

The Phorpiex botnet delivers phishing emails with malicious .lnk attachments that load a downloader and ultimately install the offline-capable GLOBAL GROUP ransomware, which encrypts files locally without C2 contact.
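As an added illustration of the triage step an analyst would run on such an attachment before anyone double-clicks it (example code written for this roundup, not from the reported research or any vendor), the script below parses a .lnk file's ShellLinkHeader and StringData section to recover the target path, arguments, icon location and launch mode, then flags the patterns typical of phishing shortcuts: a script host or LOLBin as the target, a minimized or hidden window, download or encoded-command indicators, and an icon borrowed from a document viewer. The two shortcuts are constructed in memory by build_lnk(); the PowerShell placeholder in the suspicious sample is an assumption for demonstration, not the command line used by this campaign.

```python
"""Triage a .lnk (Windows Shell Link) attachment without opening it: recover the
target path, arguments and icon, then flag patterns common in phishing shortcuts.
Added example; not code from the page or any vendor. Sample shortcuts are constructed."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value: start minimized and unfocused

STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
SCRIPT_HOSTS = ("cmd.exe", "powershell", "pwsh", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil", "bitsadmin", "msiexec", "conhost")
DOC_ICON_HINTS = ("winword", "excel", "acrord", ".pdf", ".docx", ".xlsx")
DOWNLOAD_HINTS = ("http://", "https://", "downloadstring", "invoke-webrequest", "iwr ",
                  "curl ", "bitsadmin", "-enc", "-e ", "frombase64string")
HIDDEN_HINTS = ("-windowstyle hidden", "-w hidden", "-w h ")

def parse_lnk(data):
    """Parse the header and StringData of a Shell Link; skip the optional IDList and LinkInfo."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) followed by the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "show_command": show_command}
    for bit, name in STRING_FIELDS:              # CountCharacters (2 bytes) + chars, fixed order
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                info[name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                info[name] = data[pos:pos + count].decode("cp1252", "replace")
                pos += count
    return info

def triage(info):
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    cmdline = f"{info.get('relative_path', '')} {info.get('arguments', '')}".lower()
    if any(h in cmdline for h in SCRIPT_HOSTS):
        findings.append("target or arguments invoke a script host / LOLBin")
    if info["show_command"] == SW_SHOWMINNOACTIVE or any(h in cmdline for h in HIDDEN_HINTS):
        findings.append("launch window is minimized or hidden")
    if any(h in cmdline for h in DOWNLOAD_HINTS):
        findings.append("arguments contain download or encoded-command indicators")
    if any(h in info.get("icon_location", "").lower() for h in DOC_ICON_HINTS):
        findings.append("icon borrowed from a document viewer to look like a document")
    if len(info.get("arguments", "")) > 200:
        findings.append("unusually long argument string")
    return findings

def build_lnk(relative_path="", arguments="", icon_location="", show_command=1):
    """Assemble a minimal Unicode Shell Link (used here only to construct sample input)."""
    flags, body = IS_UNICODE, b""
    for bit, value in ((HAS_RELATIVE_PATH, relative_path), (HAS_ARGUMENTS, arguments),
                       (HAS_ICON_LOCATION, icon_location)):
        if value:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body

# Constructed samples: a shortcut shaped like a phishing lure and a benign one.
# The PowerShell command is a placeholder assumption, not this campaign's real command line.
SUSPICIOUS_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\cmd.exe",
    arguments='/c powershell -WindowStyle Hidden -NoProfile -Command "<constructed placeholder>"',
    icon_location=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(relative_path=r"..\..\Program Files\Notepad++\notepad++.exe")

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        info = parse_lnk(blob)
        print(label, info.get("relative_path"), info.get("arguments", ""), triage(info))
```

The parser deliberately skips the LinkTargetIDList and LinkInfo blocks by their declared sizes, so it works on real shortcuts that carry them while the StringData fields (where the command line lives) are read exactly as the format lays them out. Run it over the attachment bytes from a mail gateway quarantine to decide whether the sample needs a sandbox detonation.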

02

A new Telegram phishing operation abuses the platform’s official API to trick users into authorizing attacker-controlled sessions, granting full access to accounts and enabling further phishing spread.

03

A suspected state-sponsored threat group is impersonating “Signal Support” and using social engineering (phishing for SMS verification codes and QR-code linking tricks) to take over or silently monitor the Signal accounts of high-profile military, diplomatic, and journalism targets.

04

Analysis reveals that Windows Error Reporting lacks authorization checks that should restrict access to crash reports, potentially allowing unauthorized parties to view or manipulate them and posing both security and privacy risks.

05

Technical analysis shows GuLoader uses layered obfuscation and trusted cloud infrastructure to evade detection by hiding malicious payloads and abusing legitimate services for delivery.

06

Threat actors are exploiting DKIM replay techniques by resending legitimate Apple and PayPal invoice emails to bypass email security controls and carry out invoice abuse and fraud.
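DKIM replay works because the signature on a legitimately sent invoice stays valid no matter who re-sends the message or to whom, so a receiving gateway that stops at "DKIM pass" lets the copy through. As an added example (written for this roundup, not code from the page or any vendor), the checks below run after signature verification and look for the traces a replay leaves behind: an envelope recipient who is not in the signed To/Cc, an envelope sender outside the signing domain, a signature timestamp far older than the delivery time, a missing x= expiration, an l= body-length limit that permits appended content, and critical headers that were not oversigned. The two messages, their placeholder bh=/b= values, and the example.com/example.org/example.net addresses are constructed input.

```python
"""Heuristic DKIM-replay triage for a message whose signature has already verified.
Added example; not code from the page or any vendor. Sample messages are constructed."""
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import getaddresses

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into tag=value pairs (folding whitespace is insignificant)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def replay_indicators(raw_message, envelope_from, envelope_rcpt, received_at):
    """Return findings suggesting a replayed message; empty list means none were seen."""
    msg = message_from_string(raw_message)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no DKIM-Signature header"]
    tags = parse_dkim_tags(sig)
    signing_domain = tags.get("d", "").lower()
    findings = []

    # A replay keeps the signed To/Cc headers but is delivered to someone else.
    signed_rcpts = {addr.lower() for _, addr in
                    getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if envelope_rcpt.lower() not in signed_rcpts:
        findings.append("envelope recipient is not in the signed To/Cc headers")

    # The replayer's own bounce address is rarely under the signing domain.
    env_domain = envelope_from.rsplit("@", 1)[-1].lower()
    if env_domain != signing_domain and not env_domain.endswith("." + signing_domain):
        findings.append(f"envelope sender domain {env_domain} differs from signing domain {signing_domain}")

    # Age and expiration: the message was signed once and is being re-sent much later.
    if "t" in tags:
        age = received_at - datetime.fromtimestamp(int(tags["t"]), tz=timezone.utc)
        if age > timedelta(days=1):
            findings.append(f"signature is {age.days} day(s) old at delivery")
    if "x" not in tags:
        findings.append("no x= expiration tag, so the signature can be replayed indefinitely")
    elif int(tags["x"]) < received_at.timestamp():
        findings.append("signature is past its x= expiration and should be rejected")

    # l= signs only a body prefix, so unsigned content can be appended after it.
    if "l" in tags:
        findings.append("l= body length limit allows unsigned content to be appended")

    # A header listed n times in h= covers n instances; listing it once more than it occurs
    # ("oversigning") means an injected extra instance breaks the signature.
    signed_headers = [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]
    for name in ("from", "to", "subject", "reply-to"):
        if signed_headers.count(name) <= len(msg.get_all(name, [])):
            findings.append(f"{name} is not oversigned; an extra {name} header could be injected")
    return findings

RECEIVED_AT = datetime(2026, 2, 10, 9, 0, tzinfo=timezone.utc)

def build_message(signed_at, h_tag, extra_tags=""):
    """Constructed receipt-style message; bh= and b= are placeholders because
    cryptographic verification is assumed to have passed upstream."""
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\n"
        f"    t={int(signed_at.timestamp())}; h={h_tag}; {extra_tags}bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
        "From: Receipts <no-reply@example.com>\n"
        "To: alice@example.org\n"
        "Subject: Your receipt\n"
        f"Date: {signed_at.strftime('%a, %d %b %Y %H:%M:%S +0000')}\n"
        "\n"
        "Thank you for your purchase.\n"
    )

# Constructed: a two-day-old receipt re-sent from a bulk mailer to a new victim,
# versus the same receipt delivered fresh to its real recipient with a hardened signature.
REPLAYED_MSG = build_message(RECEIVED_AT - timedelta(days=2), "From:To:Subject:Date")
LEGIT_MSG = build_message(RECEIVED_AT - timedelta(minutes=5),
                          "From:From:To:To:Subject:Subject:Date:Reply-To",
                          extra_tags=f"x={int((RECEIVED_AT + timedelta(days=7)).timestamp())}; ")

if __name__ == "__main__":
    for finding in replay_indicators(REPLAYED_MSG, "bounce@bulk.example.net",
                                     "victim@example.net", RECEIVED_AT):
        print("replayed:", finding)
    print("legit:", replay_indicators(LEGIT_MSG, "no-reply@example.com",
                                      "alice@example.org", RECEIVED_AT))
```

The recipient and envelope-sender checks are the ones a gateway can act on immediately; the x=, l= and oversigning findings are what the sending side (here the invoice issuer) should fix in its signer configuration so that copies stop validating indefinitely.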

07

LTX Stealer, a Node.js-based credential-theft malware, exfiltrates login credentials and other sensitive data from compromised systems as part of broader credential harvesting campaigns.

08

The sophisticated VoidLink Linux malware framework, likely AI-assisted in development, targets multi-cloud environments (AWS, Azure, GCP, etc.) to harvest credentials, persist, and adapt via modular plugins across container and kernel contexts.

09

China-linked UNC3886 targeted Singapore's telecom sector in a sophisticated cyber espionage campaign. In response, the Cyber Security Agency of Singapore (CSA) initiated CYBER GUARDIAN to mitigate the threat and strengthen security measures.

10

A remote code execution vulnerability in Claude desktop extensions, affecting over 10,000 users, could let attackers execute arbitrary code locally or hijack sessions.
