Last updated: July 5, 2026 at 9:01 AM UTC
Tag: phishing (20 articles)

Avalon malware framework bundles phishing, remote access, and CrownX ransomware

Blackpoint Cyber documented Avalon, a previously undocumented modular malware framework that pulls credential theft, lateral movement, remote access, backup disruption, and ransomware into one toolkit, with its ransomware component named CrownX. The attack starts with a spoofed legal-document email pointing to a password-protected archive on Proton Drive. Inside is an ISO image rather than a direct attachment, which helps it slip past email scanning, and opening a document-themed Windows shortcut inside the mounted image kicks off the infection chain. By combining evasive delivery with a full attack toolkit under one roof, Avalon lets operators run an intrusion from initial access through data theft to encryption.

Check
Alert staff to legal-themed emails that link to password-protected archives on cloud storage, and hunt for shortcut files opened from mounted ISO images and the script hosts those shortcuts launch.
Affected
Organizations whose staff can open ISO images and shortcut files delivered through cloud-hosted archives; Avalon then chains credential theft, remote access, and backup disruption into CrownX ransomware deployment.
Fix
Block or restrict automatic mounting of ISO images and execution of shortcut files from downloads, filter links to shared cloud archives, maintain tested offline backups, and train staff on legal-document lures.

Hotel phishing campaign launders email authentication to drop a Node.js implant

Microsoft is tracking a phishing campaign that has hit hotels across Europe and Asia since April, using guest-complaint and inspection-themed emails to get front-desk staff to open photo-themed ZIP files. The lures pass email authentication through what Microsoft calls authentication laundering: messages are routed through Calendly's notification system and Google redirects, so SPF, DKIM and DMARC checks see a legitimate sender and the links appear to belong to trusted services. The ZIP hides a shortcut posing as an image that runs obfuscated PowerShell, quietly installs a legitimate Node.js runtime, and launches a JavaScript implant called TonRAT. TonRAT resolves its command servers through a blockchain API, communicates over encrypted WebSockets on unusual ports, adds Microsoft Defender exclusions for itself, and persists through the registry. The attackers' ultimate goal is still unclear.

Check
Alert front-desk staff to complaint-themed emails carrying photo ZIP files, and hunt for Node.js running from user paths, new Defender exclusions, and beacons to non-standard ports such as 8443 or 56001.
Affected
Hotels and hospitality organizations in Europe and Asia whose reception and reservations staff open image or document attachments; the campaign laundered email authentication and installs a persistent Node.js implant.
Fix
Block and alert on the campaign's domains and ports, restrict execution of shortcut files from archives, monitor for unauthorized Node.js runtimes and Defender exclusions, and remove its registry persistence keys during cleanup.

Healthcare AI vendor Xsolis breach exposes data on 1.4 million people

Xsolis, a US healthcare technology company whose AI software is used by more than 600 hospitals and insurers for utilization management and reimbursement decisions, has disclosed a breach affecting 1,396,519 people. Attackers got in through a targeted phishing attack on an employee in January, accessing files containing patient data Xsolis handles for its clients. The exposed information includes names, dates of birth, addresses, Social Security numbers, health insurance details, and medical treatment information. Because Xsolis is a vendor, affected individuals may never have dealt with it directly; downstream health systems including Mayo Clinic are among those whose patients are impacted.

Check
Healthcare organizations should check whether they share data with Xsolis and confirm their breach-notification obligations; affected individuals should watch for medical, insurance, and identity fraud and any Xsolis-related notice.
Affected
Patients and health-plan members whose data Xsolis processed for hospitals and insurers (1,396,519 affected); exposed Social Security numbers and medical information carry lasting identity-theft and medical-fraud risk.
Fix
Affected people should enroll in the offered monitoring, freeze credit, and watch insurance statements. Healthcare organizations should move to phishing-resistant MFA, map which vendors hold patient data, and tighten access to health-data repositories.

North Korea's ScarCruft uses fake Microsoft alerts to plant NarwhalRAT spyware

South Korea's Genians Security Center reports that the North Korean group ScarCruft (APT37) is sending spear-phishing emails dressed up as Microsoft Account security alerts to deliver a Python-based spy tool called NarwhalRAT. The emails warn of suspicious one-time-code activity and urge the recipient to open an attached advisory, which is actually a ZIP holding a malicious shortcut. Opening it kicks off a multi-stage, in-memory infection that leaves little on disk and gains persistence through a scheduled task. NarwhalRAT can log keystrokes, capture screenshots, record audio, and steal files from USB drives, and it disguises itself as the Korean browser Naver Whale while targeting South Korean users.

Check
Train staff to treat unexpected Microsoft account-security or OTP-alert emails with caution, verify the real sender domain, and never open attached archives or shortcut files from such messages.
Affected
Targets of North Korean espionage, with this campaign focused on South Korean users; victims are lured by fake Microsoft account-security emails carrying a ZIP with a malicious shortcut file.
Fix
Block or quarantine inbound archives containing shortcut files, enforce phishing-resistant MFA so OTP-themed lures lose value, and alert on scheduled tasks that launch scripts fetching payloads into memory.
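The Avalon, hotel/TonRAT and ScarCruft items above share one delivery pattern: a document- or photo-themed Windows shortcut inside a mounted ISO or an opened ZIP, double-clicked in Explorer, spawning a script host. The following hunt logic is an added example for this digest, not tooling from Blackpoint, Microsoft or Genians. It triages Sysmon-style process-creation records for that chain and for the TonRAT follow-on indicators the hotel item lists (Node.js running from a user path, Defender exclusions). The events are constructed, and the path conventions (Explorer's ZIP viewer extracting to Temp1_*, 7-Zip to 7z*, a mounted ISO surfacing as a fresh drive letter, the OS on C:) are assumptions to tune for your estate.

```python
"""Triage Sysmon-style process-creation events for the archive/ISO -> shortcut -> script
host chain (Avalon, TonRAT, NarwhalRAT) plus the TonRAT follow-on indicators.

Added example for this digest, not tooling from Blackpoint, Microsoft or Genians.
The path conventions below are assumptions about where Windows places user-opened
archive contents; adjust them to your environment.
"""
import re

# Script hosts and LOLBins a document- or photo-themed .lnk typically invokes.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Assumptions: Explorer's built-in ZIP viewer extracts to %TEMP%\Temp1_<name>.zip\,
# 7-Zip to %TEMP%\7z<random>\; a mounted ISO appears as a new drive letter whose
# root holds the shortcut; the OS itself lives on C:.
ARCHIVE_TEMP = re.compile(r"\\AppData\\Local\\Temp\\(?:Temp1_[^\\]+\.zip|7z[0-9A-Za-z]+)\\", re.I)
MOUNTED_ROOT = re.compile(r"^[D-Z]:\\$", re.I)
USER_NODE = re.compile(r"^C:\\Users\\[^\\]+\\.*\\node\.exe$", re.I)
DEFENDER_EXCL = re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage_event(ev):
    """Return the list of findings for one process-creation event (empty if benign)."""
    findings = []
    image, parent = _basename(ev["Image"]), _basename(ev.get("ParentImage", ""))
    cwd, cmd = ev.get("CurrentDirectory", ""), ev.get("CommandLine", "")

    # A shortcut double-clicked in Explorer makes explorer.exe the parent of the
    # script host; the working directory or the command line betrays where the
    # shortcut was sitting.
    if parent == "explorer.exe" and image in SCRIPT_HOSTS:
        if ARCHIVE_TEMP.search(cwd) or ARCHIVE_TEMP.search(cmd):
            findings.append("script host spawned by Explorer from an archive viewer temp folder (ZIP -> LNK chain)")
        elif MOUNTED_ROOT.match(cwd):
            findings.append("script host spawned by Explorer from a non-system drive root (ISO -> LNK chain)")
    if USER_NODE.match(ev["Image"]):
        findings.append("node.exe executing from a user-writable profile path")
    if DEFENDER_EXCL.search(cmd):
        findings.append("Defender exclusion added via Add-MpPreference")
    return findings


def hunt(events):
    """Flatten findings across events as (ProcessId, finding) pairs."""
    return [(ev["ProcessId"], f) for ev in events for f in triage_event(ev)]


# Constructed sample telemetry (not real logs), using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CurrentDirectory": "E:\\",
     "CommandLine": "powershell.exe -w hidden -ep bypass -f E:\\Legal_Notice.ps1"},
    {"ProcessId": 5208, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CurrentDirectory": "C:\\Users\\frontdesk\\AppData\\Local\\Temp\\Temp1_guest_photos.zip\\",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"ProcessId": 5316, "Image": "C:\\Users\\frontdesk\\AppData\\Roaming\\nodejs\\node.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CurrentDirectory": "C:\\Users\\frontdesk\\AppData\\Roaming\\nodejs\\",
     "CommandLine": "node.exe index.js"},
    {"ProcessId": 5320, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CurrentDirectory": "C:\\Users\\frontdesk\\",
     "CommandLine": "powershell.exe Add-MpPreference -ExclusionPath C:\\Users\\frontdesk\\AppData\\Roaming\\nodejs"},
    {"ProcessId": 6004, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe", "CurrentDirectory": "C:\\Users\\bob\\Documents\\",
     "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n"},
    {"ProcessId": 6120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CurrentDirectory": "C:\\Windows\\System32\\",
     "CommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for pid, finding in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding}")
```

The explorer.exe-parent condition is what separates a user double-clicking a shortcut from scheduled or administrative PowerShell, so the two benign events produce nothing. Expect false positives from users who legitimately run scripts out of removable media, and note that a shortcut with a "Start in" field set elsewhere will only be caught if its command line still references the archive or mount path.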

Meta disrupts new NSO spyware phishing aimed at WhatsApp users

Meta says it caught and shut down fresh spear-phishing attempts linked to Israeli spyware maker NSO Group that tried to lure WhatsApp users into clicking malicious links leading to sites outside the app, mirroring the one-click attacks NSO has used to plant its Pegasus spyware. Meta also found and removed NSO-created test accounts and groups, and published the malicious domains involved. The company is now asking a US federal court to hold NSO in contempt for violating the permanent injunction issued last year barring it from targeting WhatsApp. High-risk users such as journalists, activists, and officials are the usual targets of this kind of mercenary spyware.

Check
Block the NSO-linked phishing domains Meta published at your web and DNS gateways, and review whether high-risk staff received WhatsApp messages pushing links to external sites.
Affected
WhatsApp users targeted by one-click social-engineering links, especially high-risk individuals like journalists, activists, and government officials who are typical mercenary-spyware targets.
Fix
Avoid clicking links in unsolicited WhatsApp messages, enable Lockdown Mode on iOS (or Android's equivalent hardening mode, Advanced Protection) for high-risk users, keep devices fully updated, and block the published malicious domains.

FIFA World Cup 2026 fraud wave hits fans before June 11 kickoff

With the FIFA World Cup kicking off June 11 across the US, Canada, and Mexico, the FBI and researchers at Group-IB and Fortinet warn that a large fraud operation is already running. Group-IB tracked more than 4,300 fake FIFA websites and a Chinese-speaking crew, GHOST STADIUM, that cloned the official site pixel-for-pixel, fake login and all, across 300-plus domains. Scams include bogus ticket, merchandise, and hospitality sites, fake streaming apps that hide banking malware, and betting sites that harvest passport scans for identity theft. With tickets scarce and 150 million requests filed, scammers are exploiting fans' urgency to steal logins, money, and personal data.

Check
Verify any World Cup ticket, merchandise, or streaming offer against fifa.com before paying, remind staff to do the same, and check web-proxy logs for employee visits to lookalike FIFA domains.
Affected
Anyone buying World Cup tickets, merchandise, hospitality, or streaming access, plus job seekers; employees using work devices or accounts to shop for the tournament.
Fix
Buy only via fifa.com typed directly into the browser, avoid sponsored search results and emailed links, and block known fraudulent FIFA domains at your web gateway.

ChatGPhish: ChatGPT auto-renders attacker Markdown links, images, and QR codes from summarized web pages as trusted clickable phishing

Permiso Security has disclosed ChatGPhish, a vulnerability in OpenAI ChatGPT that abuses the assistant's implicit trust in Markdown links and images sourced from third-party pages it has just summarized. The chatgpt.com response renderer auto-fetches those images and surfaces the links as live clickable elements inside the trusted assistant UI. An attacker who appends a small payload to any web page a victim later asks ChatGPT to summarize can leak the victim's IP, User-Agent, and Referer via attacker-hosted images, render fake system-style security alerts, plant malicious clickable links, and serve a QR code from an S3 bucket to bypass desktop URL filters via the victim's phone.

Check
Warn staff that ChatGPT summaries of untrusted pages can render attacker links, fake alerts, and QR codes. Treat clickable elements in AI summaries with the same caution as email links.
Affected
Any organization using ChatGPT for research or summarization of third-party web content. The trusted-UI rendering of attacker Markdown bypasses normal phishing-awareness instincts and desktop URL filters.
Fix
Apply OpenAI's fix once available. Train users not to scan QR codes or click links surfaced inside AI summaries without verification. Restrict enterprise ChatGPT connectors that auto-summarize untrusted URLs.

Signal phishing campaign impersonates Support to steal backup recovery keys from journalists and activists, enabling full message decryption

Security researchers are warning of a phishing campaign that impersonates Signal Support over text message to steal users' backup recovery keys, specifically targeting journalists and activists. Once an attacker obtains the recovery key, they can decrypt the victim's entire message-history backup. The campaign relies purely on social engineering - there is no flaw in Signal's cryptography - tricking targets into handing over the secret that protects their encrypted backups. The targeting of journalists and activists points to surveillance-motivated actors rather than financially-driven crime. Signal users should treat any unsolicited 'Support' contact requesting recovery keys or codes as hostile, since Signal never asks for them.

Check
Brief journalists, activists, and high-risk staff that Signal never requests backup recovery keys. Treat any 'Signal Support' text asking for keys or codes as a phishing attempt and report it.
Affected
Signal users - particularly journalists and activists targeted by surveillance-motivated actors. The attack is pure social engineering; Signal's encryption is not broken, but a handed-over recovery key decrypts all backups.
Fix
Never share Signal recovery keys or codes with anyone. Enable registration lock. For high-risk users, store recovery keys offline and verify any support contact through official Signal channels only.

FBI warns of fake FIFA World Cup 2026 sites (fiffa.com, alt-TLDs) collecting payment data ahead of June 11 kickoff

The FBI has issued a public service announcement warning of hundreds of fake FIFA-themed phishing and fraud sites ahead of the 2026 World Cup running June 11 to July 19 in the US, Canada, and Mexico. Domains include fiffa[.]com and alternative TLDs (.org, .xyz, .live, .sale) plus fake employment portals like jobs-fifa[.]com and fifa-hiring[.]com. The fraudulent sites collect names, addresses, phone numbers, and banking/payment details; the data is used for fake-ticket sales, hospitality-package scams, identity theft, and fraudulent account creation. Group-IB and Bitdefender confirmed parallel malvertising via Google Search, Facebook, Telegram, and WhatsApp, with one major operation attributed to a Chinese-speaking gang.

Check
Add FIFA-themed lookalike domains (fiffa.com, fifa-*[.]com, fifa with alt-TLDs) to email and web filters. Brief staff that the only official site is fifa.com - any other is suspicious.
Affected
Anyone considering buying World Cup tickets, hospitality packages, or FIFA-related employment ahead of June 11. Chinese-speaking gangs and Russian-speaking operations target English, Spanish, and Portuguese speakers.
Fix
Source tickets only via fifa.com or authorized partner sites. Pay via credit card or escrow for chargeback protection. Report fake FIFA sites to FBI IC3. Apply Group-IB and Bitdefender IoCs.
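Both World Cup items above end with the same advice: fifa.com is the only official site, and anything FIFA-themed on another name belongs in a filter. The classifier below is an added example for this digest, not FBI, Group-IB or Bitdefender tooling. It turns that advice into a triage rule for candidate hostnames: exact registrable match to fifa.com is official; the brand on an alternate TLD, the brand as a token in a hyphenated name (jobs-fifa, fifa-hiring), a one-edit typo of the brand (fiffa), a digit-for-letter substitution, or the brand anywhere in a subdomain is a lookalike. The example hosts beyond those three named in the FBI item are constructed, and the two-label "registrable domain" split is a simplification that does not handle Public Suffix List forms such as .co.uk.

```python
"""Classify candidate hostnames as official, lookalike or unrelated to fifa.com.

Added example for the two World Cup items; not FBI, Group-IB or Bitdefender
tooling. fifa.com as the only official site and fiffa.com / jobs-fifa.com /
fifa-hiring.com as lookalikes come from the articles; the other sample hosts are
constructed. The two-label registrable-domain split is a simplification (no
Public Suffix List, so ccTLD forms such as .co.uk are not handled).
"""
import re

BRAND = "fifa"
OFFICIAL = {"fifa.com"}
# Digit-for-letter swaps common in lookalikes, folded back before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def registrable(host):
    """Last two labels; a simplification standing in for a Public Suffix List lookup."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance; catches single-letter typos such as fiffa/fifa."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return (verdict, reason) with verdict in {"official", "lookalike", "unrelated"}."""
    host = host.lower().strip(".")
    if "." not in host:
        return "unrelated", "not a public hostname"
    reg = registrable(host)
    if reg in OFFICIAL:
        return "official", f"registrable domain {reg} is official"
    sld, tld = reg.rsplit(".", 1)
    if sld == BRAND:
        return "lookalike", f"brand on alternate TLD .{tld}"
    # Walk every label left of the TLD so fifa.com.<anything>.net is caught as well.
    for label in host.split(".")[:-1]:
        norm = label.translate(HOMOGLYPHS)
        for token in filter(None, re.split(r"[-_]", norm)):
            if token == BRAND:
                return "lookalike", f"brand token in label '{label}'"
            if levenshtein(token, BRAND) <= 1:
                return "lookalike", f"'{token}' is one edit from '{BRAND}'"
        if BRAND in norm:
            return "lookalike", f"brand embedded in label '{label}'"
    return "unrelated", "no brand signal"


def review(hosts):
    """(host, verdict, reason) for each candidate, e.g. from proxy logs or new-domain feeds."""
    return [(h,) + classify(h) for h in hosts]


# fiffa.com, jobs-fifa.com and fifa-hiring.com are from the FBI item; the rest are constructed.
SAMPLE_HOSTS = [
    "www.fifa.com", "fiffa.com", "fifa.xyz", "jobs-fifa.com", "fifa-hiring.com",
    "f1fa-tickets.live", "fifa.com.worldcup-offers.net", "example.org",
]

if __name__ == "__main__":
    for host, verdict, reason in review(SAMPLE_HOSTS):
        print(f"{host:32} {verdict:10} {reason}")
```

Edit distance one against a four-letter brand will also fire on short unrelated words (a real "fife" domain, for instance), so treat the output as a review queue for the web and email filters rather than an automatic blocklist, and feed the official set from an authoritative list if FIFA partner domains are in scope.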

INTERPOL Operation Ramz disrupts MENA cybercrime: 201 arrests, 53 servers seized, 3,867 victims identified

INTERPOL says a coordinated operation called Ramz, run across 13 Middle East and North Africa countries, has produced 201 arrests, seized 53 servers, and identified 3,867 victims. Algerian authorities took down a phishing-as-a-service operation; Moroccan officials seized hard drives loaded with banking data and phishing kits; and Jordanian police uncovered 15 people running a fraudulent trading platform who turned out to be trafficking victims forced into the work. Group-IB and Team Cymru contributed intelligence on over 5,000 compromised accounts, including some tied to government systems. Participating countries included Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the UAE.

Check
Review phishing and credential-theft alerts for matches against the IP ranges in INTERPOL's advisory, especially for users with MENA business or travel ties.
Affected
Organizations with users, customers, or business operations in the 13 named MENA countries. Roughly 5,000 compromised accounts (including some tied to government infrastructure) were identified.
Fix
Force credential rotation for users matching the IoCs Group-IB shared. Coordinate with your local CSIRT for country-specific victim lists. Reinforce phishing-awareness training in MENA-facing teams.