Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: social-engineering (30 articles)Clear

Signal phishing campaign impersonates Support to steal backup recovery keys from journalists and activists, enabling full message decryption

Security researchers are warning of a phishing campaign that impersonates Signal Support over text message to steal users' backup recovery keys, specifically targeting journalists and activists. Once an attacker obtains the recovery key, they can decrypt the victim's entire message-history backup. The campaign relies purely on social engineering - there is no flaw in Signal's cryptography - tricking targets into handing over the secret that protects their encrypted backups. The targeting of journalists and activists points to surveillance-motivated actors rather than financially-driven crime. Signal users should treat any unsolicited 'Support' contact requesting recovery keys or codes as hostile, since Signal never asks for them.

Check
Brief journalists, activists, and high-risk staff that Signal never requests backup recovery keys. Treat any 'Signal Support' text asking for keys or codes as a phishing attempt and report it.
Affected
Signal users - particularly journalists and activists targeted by surveillance-motivated actors. The attack is pure social engineering; Signal's encryption is not broken, but a handed-over recovery key decrypts all backups.
Fix
Never share Signal recovery keys or codes with anyone. Enable registration lock. For high-risk users, store recovery keys offline and verify any support contact through official Signal channels only.

Carnival Corporation confirms breach affecting 5,995,277 customers - April 10 social-engineering of employee account, ShinyHunters claimed

Carnival Corporation, the world's largest cruise-line operator with 90+ ships across Carnival, Princess, Holland America, Costa, P&O, Cunard, AIDA, and Seabourn, has confirmed a breach affecting 5,995,277 customers. The intrusion began April 10 when an employee was social-engineered into giving up account credentials; Carnival's IT team detected the unauthorized activity on April 14. ShinyHunters claimed responsibility in April and listed the company on its data leak site. Carnival served around 13.5 million guests in 2024 across its fleet. The company is now notifying affected individuals. The pattern aligns with the broader ShinyHunters SaaS-extortion playbook documented across Charter, Instructure, and others over the past quarter.

Check
If your @company.com domains include former Carnival, Princess, Holland America, Cunard, AIDA, or Seabourn customers, prepare for targeted phishing themed around bookings, refunds, and loyalty programs.
Affected
5,995,277 Carnival customers across nine cruise brands. Initial access via social-engineering an employee account on April 10. Same ShinyHunters playbook as Charter and Instructure.
Fix
Enforce phishing-resistant MFA across cruise/hospitality estate. Train front-line staff against social-engineering for account credentials. Audit Salesforce/Entra exports for bulk-data signals.

Storm-2949 abuses Microsoft 365 Self-Service Password Reset to hijack accounts, pivot from M365 into Azure production

Microsoft is tracking a financially motivated actor it calls Storm-2949 that abuses the Microsoft 365 Self-Service Password Reset flow to hijack high-value identities and then exfiltrate as much data as possible. The actor socially engineers IT staff and senior leaders, kicks off an SSPR reset, then poses as IT support and convinces the victim to approve the resulting MFA prompt. Once in, Storm-2949 uses Graph API and custom Python to enumerate the tenant, downloads thousands of OneDrive and SharePoint files in single actions, and pivots into Azure - VMs, Key Vaults, SQL, storage - via privileged custom RBAC roles.

Check
In Entra audit logs, find users who reset their password and within 24 hours added or had MFA removed. Pull Graph API calls enumerating users and service principals from new IPs.
Affected
Microsoft 365 tenants with SSPR enabled where help-desk identity is not strongly authenticated. High-privilege custom Azure RBAC roles assigned broadly amplify blast radius.
Fix
Require ticket-based identity verification for SSPR resets on admin and exec accounts. Enforce phishing-resistant FIDO2 MFA. Tighten custom-role assignments. Alert on mass OneDrive downloads via Defender for Cloud.

SHub Reaper macOS infostealer spoofs Apple, Google, and Microsoft in one chain - backdoor, wallet hijack, document theft

SentinelOne has documented a new variant of the SHub macOS infostealer family called Reaper. Victims are lured through fake WeChat and Miro installers hosted on typo-squatted Microsoft domains, then prompted to run what looks like an Apple security update. Reaper avoids macOS Tahoe's new Terminal protections by routing its commands through the applescript:// URL scheme. Once running, it steals browser credentials, crypto wallets, dev configs, iCloud data, and Telegram sessions, replaces legitimate Exodus, Ledger, and Trezor wallet apps with backdoored copies, and installs a persistent fake Google Software Update LaunchAgent that gives the attacker an ongoing remote shell. Files larger than 85MB are uploaded in 70MB chunks.

Check
Hunt macOS endpoints for LaunchAgents named com.google.keystone.agent.plist that point at unsigned scripts in ~/Library/Application Support/Google/GoogleUpdate.app/, and search proxy logs for traffic to hebsbsbzjsjshduxbs.xyz.
Affected
macOS users who can be social-engineered into running an installer or AppleScript prompt outside the App Store. Heavily targets developer, finance, and crypto-holding personas.
Fix
Remove the malicious LaunchAgent and persistence script. Rotate all credentials in the browser keychain, crypto wallets, iCloud, Telegram, and any tokens in shell history or .gitconfig. Enforce MDM blocking unsigned LaunchAgents.

Initial access broker KongTuke pivots from web lures to Microsoft Teams - impersonates IT help desk, drops ModeloRAT in five minutes

ReliaQuest researchers say initial access broker KongTuke has shifted from web-based ClickFix and FileFix lures to Microsoft Teams social engineering, taking as little as five minutes to gain persistent access. The attacker reaches employees from one of five rotating Microsoft 365 tenants, uses Unicode whitespace tricks to make the display name look like internal IT help desk, then talks the victim through pasting a PowerShell command. That command downloads a ZIP from Dropbox containing a portable WinPython runtime and a Python-based RAT called ModeloRAT. The new ModeloRAT variant adds a five-server C2 pool with automatic failover, self-update, and randomized URL paths, and several major EDR products did not detect it.

Check
Search Microsoft 365 audit logs for inbound external Teams chats from new or low-trust tenants, hunt endpoint telemetry for pythonw.exe running from %APPDATA%\WPy64-31401 (or similar WinPython paths), and review PowerShell logs for clipboard-paste-driven commands.
Affected
Any enterprise that accepts inbound Microsoft Teams chats and calls from external tenants, especially help-desk-themed approaches. Initial access broker activity is typically resold to ransomware operators within days of compromise.
Fix
Restrict external Teams chat to allowlisted partners, enforce verified caller display in Teams admin, train staff that real IT never asks for a PowerShell paste, and add EDR rules for portable Python interpreters spawning from %APPDATA%.

Mac malware campaign uses Google ads and 'Apple Support' Claude.ai chats to install infostealer

Hackers are buying Google ads that look like they go to claude.ai - and they do go to a real claude.ai page. But the page is a shared Claude chat dressed up as 'Apple Support' walking users through installing Claude on a Mac. The instructions tell people to paste a command into Terminal that quietly downloads MacSync, a Mac infostealer that grabs saved browser passwords, cookies, and contents of macOS Keychain (where Mac stores logins and keys). Because both the ad and the page are real claude.ai links, there is no fake domain to spot. Researcher Berk Albayrak first reported the campaign; BleepingComputer found a second active variant.

Check
Check macOS endpoint logs for Terminal executions of curl or base64 piped to bash in the last 7 days, and review who clicked sponsored Google results for 'Claude mac download'.
Affected
macOS users who searched Google for 'Claude mac download' or similar terms and ran a Terminal command from a shared Claude.ai chat attributed to 'Apple Support'. Two payload variants seen: a MacSync infostealer that exfiltrates Keychain and browser secrets, and a polymorphic in-memory shell payload that profiles the host and delivers a second stage via osascript.
Fix
Rotate browser-saved passwords and macOS Keychain credentials for any user who may have run the malicious command. Sign out and re-authenticate browser sessions to invalidate stolen cookies. Block the indicator domains customroofingcontractors[.]com and bernasibutuwqu2[.]com at network egress. Reinforce with users that they should never install software from chat or terminal instructions - only from official vendor download pages.

Vietnamese fraudsters used Google's no-code app platform to send Facebook phishing emails that passed every spam check, then sold the stolen accounts back to victims

Guardio documented a Vietnamese-linked fraud operation that has stolen roughly 30,000 Facebook business accounts by abusing Google's AppSheet no-code platform as a phishing relay. Because the phishing emails come from noreply@appsheet.com (a real Google address), they pass SPF, DKIM, and DMARC checks that normally catch fake-Meta emails. The lures impersonate Meta Support and threaten account deletion within 24 hours unless the user 'submits an appeal.' Stolen credentials, 2FA codes, and government ID photos are exfiltrated to Telegram. The operators then sell the stolen accounts back to victims through their own recovery service.

Check
Brief every staff member who manages a Facebook business account that any email from 'noreply@appsheet.com' claiming to be Meta is hostile, regardless of how legitimate the formatting looks.
Affected
Facebook Business account owners worldwide, with 68.6% of victims based in the US. Acute risk for marketing teams, social media managers, and small business owners who manage Facebook ad accounts. Any organization using the same Facebook business account for paid ads since 2024 is in the broader target pool. Stolen accounts often hold credit card data and ad spend history.
Fix
Block emails from noreply@appsheet.com unless your organization legitimately uses Google AppSheet. Train staff that real Meta support never asks for 2FA codes via email. Enable Meta Business Manager 2FA with hardware keys (not SMS). For organizations already compromised, contact Meta Business Help directly through facebook.com - the 'recovery service' is the same operation that took the account.

Microsoft confirms a Windows Shell flaw that lets attackers spoof anything in File Explorer is being exploited - patch now (CVE-2026-32202)

Microsoft confirmed yesterday that a Windows Shell spoofing flaw, CVE-2026-32202, is being exploited in the wild. The bug lets an attacker craft files that appear in File Explorer with fake names, icons, and paths - so a malicious .exe can show up looking like a benign PDF, leading users to double-click and run it. Microsoft patched the bug in the April 14 Patch Tuesday but only confirmed in-the-wild exploitation on April 28, raising urgency for any environment that hasn't deployed April patches. The flaw is particularly dangerous on shared file servers, USB drops, and email attachments - any path where users trust File Explorer to tell them what's what.

Check
Confirm every Windows endpoint has the April 14 Patch Tuesday update installed, especially any host that opens shared drives, USB drives, or email attachments.
Affected
Windows endpoints without the April 14, 2026 patch installed. CVE-2026-32202 affects all currently supported Windows versions including Windows 10, 11, and Server. Acute risk on hosts that handle external files: receptionists, finance staff opening invoices, IT staff handling user-submitted USB drives, anyone receiving email attachments from outside the organization.
Fix
Deploy the April 14 Patch Tuesday update via your usual patching process, prioritizing user endpoints over servers. Verify deployment with MDM rather than trusting WSUS compliance numbers. Enable 'show file extensions' as a Group Policy default. Re-train staff on file-trust basics this month. Watch for unusual process spawns from explorer.exe.

North Korean hackers are recording fake Zoom meetings with real crypto executives, then using the footage and AI-generated lookalikes to scam the next target

North Korea's BlueNoroff group has built a self-reinforcing deepfake pipeline that turns each victim into the lure for the next attack. Arctic Wolf documented the pattern: attackers send a Calendly invite that looks like a normal business meeting, then quietly swap the Google Meet link for a typo-squatted Zoom URL. When the target joins, a fake Zoom interface secretly records their webcam feed while a clipboard-injection attack drops malware. The captured footage is mixed with AI-generated lookalikes (built using ChatGPT for synthetic portraits) and recycled into the next attack. Arctic Wolf found 950 files in BlueNoroff's media server. 80% of identified targets are crypto executives.

Check
Brief every executive in your organization that any 'Zoom SDK update' prompt asking them to copy and paste commands into their terminal during a meeting is a North Korean malware drop.
Affected
Cryptocurrency executives, Web3 founders, and CEOs at fintech and blockchain companies - 45% of identified targets are CEOs and founders, 80% are in crypto or adjacent sectors. Anyone whose webcam footage was exfiltrated by BlueNoroff is now appearing as a fake meeting participant targeting their professional network.
Fix
Train executives that any 'SDK update' prompt during a meeting is hostile - real Zoom and Teams never ask users to paste commands into terminals. Verify out-of-band before joining any meeting from an unsolicited Calendly link. Block known BlueNoroff infrastructure (Petrosky Cloud LLC AS400897 and the 80 typosquat domains in Arctic Wolf's IoCs). Consider a dedicated meeting device for high-risk executives.

ADT customer breach details now public on Have I Been Pwned - 5.5 million records confirmed, more than the 10 million ShinyHunters originally claimed but with worse data

Update on the ADT breach we covered April 25: Have I Been Pwned added the leaked dataset yesterday with 5,488,888 unique email addresses confirmed - lower than ShinyHunters' original 10 million claim but still the largest US home-security customer leak on record. Beyond the email, name, phone, and address fields ADT originally disclosed, the leak includes details ADT downplayed: account creation dates, premise types, internal account flags, ADT installer IDs, and prospect/customer status. None catastrophic alone, but combined gives attackers enough context to run convincing 'security audit' phone scams against named customers with real install dates and installer names.

Check
If you're an ADT customer, treat any inbound call referencing your real install date or installer name as hostile - those details are now public.
Affected
All 5,488,888 ADT customers and prospects - now indexable on HIBP. Acute risk for customers whose installer IDs are in the leak: scammers can call referencing 'Mike from your install on March 14, 2022' and sound legitimate enough to social-engineer security code resets. Elderly customers and high-value households are the highest-risk segment for follow-on physical security scams.
Fix
ADT customers should set a verbal codeword with ADT's real customer service line and refuse to verify identity to any inbound caller without it. Treat any 'free security upgrade' as a scam unless you initiated the call. Brief elderly family members specifically - they're the prime target for follow-on scams using leaked install details. Pressure ADT for credit monitoring if the SSN/Tax ID subset includes you.