Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: social-engineering (30 articles)Clear

Russia behind Signal phishing campaign that compromised Bundestag President Julia Klöckner - 300+ German officials affected

Der Spiegel reported on April 25 that German government sources now blame Russia for a large-scale Signal phishing campaign that compromised the account of Bundestag President Julia Klöckner. At least 300 Signal accounts of German political figures were targeted; investigators say attackers accessed chat histories, files, and phone numbers. Chancellor Friedrich Merz was in the same CDU group chat as Klöckner but his device showed no signs of compromise. The attack used pure social engineering - operators posed as Signal support and asked victims to share verification codes or PINs.

Check
Brief executives, board members, and political-staff who use Signal that anyone messaging them claiming to be 'Signal support' is hostile - Signal never asks for codes by message.
Affected
Signal users in any role attractive to a state intelligence service: politicians, military, diplomats, defense contractors, investigative journalists, NGOs working on Russia or Ukraine, and the executives and assistants of all of the above. The attack works by tricking users into sharing codes - it does not exploit a Signal flaw.
Fix
Train high-risk staff that Signal will never ask for verification codes via message. Enable Signal's Registration Lock PIN. Periodically check Linked Devices and remove anything unfamiliar. Add detection for Signal phishing pages on perimeter URL filters and add Signal account-takeover scenarios to your tabletop catalogue.

Lazarus 'Mach-O Man' macOS malware kit hitting fintech and crypto execs through fake Telegram meeting invites and ClickFix terminal commands

ANY.RUN and Dark Reading published research on Mach-O Man, a new macOS malware kit Lazarus is deploying against fintech and crypto executives. The chain begins on Telegram with what looks like a legitimate meeting invite from a known contact, leading to a fake Zoom/Teams/Meet page that displays a fake 'connection issue' and instructs the executive to copy-paste a command into Mac Terminal. That ClickFix command grabs credentials, browser sessions, and Keychain data and exfiltrates over Telegram bot APIs. Lazarus has used the same template across the Drift and KelpDAO compromises, totaling more than $500M stolen in two weeks.

Check
Brief executive, finance, and treasury staff who use Telegram for business communication this week. The lure is a meeting invite from someone they trust, not a cold approach.
Affected
macOS users in executive, finance, business development, and partner-relations roles - particularly those who use Telegram for business. The technique works because the user runs the command themselves, bypassing most preventive controls including macOS endpoint protection. Mach-O Man is not Lazarus-only; other criminal groups have already adopted the kit.
Fix
Train executives never to copy-paste a 'fix' command into Terminal at a meeting page's request, regardless of how legitimate the invite looks. Log and alert on Terminal launches that fetch and execute remote content via curl, wget, osascript, or bash. Hunt for processes in tight infinite loops with Keychain access. Consider Lockdown Mode for high-risk roles.

NASA OIG details how Chinese national Song Wu spear-phished aerospace software from NASA, Air Force, Navy, FAA, universities, and private firms over four years by impersonating colleagues

NASA's Office of Inspector General published a retrospective on April 24 detailing how Chinese national Song Wu, an engineer at a state-owned Chinese aerospace and defense conglomerate, ran a multi-year spear-phishing campaign from January 2017 to December 2021. Song impersonated real US engineers known to his targets and asked over email for copies of specific aerospace modeling software and source code that could design or modify weapons platforms. Targets included staff at NASA, US Air Force, Navy, Army, FAA, major universities, and private aerospace firms. Several victims, believing they were helping a friend, sent the requested software - inadvertently violating US export control laws.

Check
Use the NASA OIG release as a case study in awareness training for engineering and research staff who handle export-controlled or proprietary technical artifacts.
Affected
Aerospace, defense, advanced manufacturing, and dual-use research organizations are the named target set, but the technique generalizes. Any organization whose staff regularly share technical artifacts with external collaborators based on personal trust is at risk. Universities and contractors holding ITAR or EAR-controlled materials face both security risk and legal liability for export-control violations.
Fix
Brief engineering staff on the Song Wu pattern: the lure is an email from someone you actually know asking for software you actually have. Require a non-email verification step (voice or video call) for any inbound request for source code or controlled software. Tighten outbound DLP around CAD, source code, and simulation file transfers, with managerial approval above a defined threshold.

Mandiant outs UNC6692 running IT-helpdesk impersonation over Microsoft Teams to deploy custom SNOW malware suite

Google's Mandiant team published a report on April 22 naming UNC6692, a previously untracked threat cluster running a high-conversion social engineering playbook against senior enterprise staff - 77% of observed targets were senior employees between March 1 and April 1, 2026. The attack opens with an email bombing burst, flooding the victim's inbox with spam to create urgency. The operator then sends a Microsoft Teams chat invite from an external account, posing as internal IT help, and offers to fix the spam problem via a link to a convincing phishing page called 'Mailbox Repair and Sync Utility v2.1.5'. The page forces Microsoft Edge via the microsoft-edge: URI scheme, harvests credentials through a fake 'Health Check' button, and downloads an AutoHotkey script from attacker-controlled AWS S3 that installs the SNOW malware family: SNOWBELT (a malicious Edge/Chromium extension disguised as 'MS Heartbeat' that holds persistence through Scheduled Tasks and a Startup-folder shortcut), SNOWGLAZE (a Python WebSocket tunneler wrapping traffic in Base64-encoded JSON), and SNOWBASIN (a Python bindshell for interactive remote control). Post-exploitation includes LSASS dumps, Pass-the-Hash lateral movement, PsExec and RDP over the SNOWGLAZE tunnel, and exfil via LimeWire.

Check
Block external Microsoft Teams chat invites to staff who do not need external collaboration (this should be the default for most organizations) and brief senior staff this week that an IT-helpdesk message over Teams asking them to install a fix is almost certainly hostile.
Affected
Any organization using Microsoft Teams with federated/external chat enabled by default, especially those without a standing 'IT never messages you on Teams without a pre-existing ticket' policy. Senior employees are disproportionately targeted. Windows endpoints are the payload platform, but the human layer is the actual vulnerability.
Fix
In Teams Admin Center, restrict external access so that external users cannot initiate chats with internal staff - require an internal user to invite them first. Alert on AutoHotkey binary execution from any path, on unexpected Chromium/Edge extensions appearing under Scheduled Tasks or Startup folders (especially ones named 'Heartbeat'), and on new outbound WebSocket traffic to AWS S3, CloudFront, or Heroku-hosted endpoints from user endpoints. Run a targeted awareness push to senior staff: show them the 'Mailbox Repair Utility' lure screenshots, emphasize that IT will never ask them to run a 'local patch' over Teams, and give them a one-click way to report a suspicious Teams DM.

Microsoft warns of external Teams chats abused for helpdesk impersonation - 9-stage attack chain uses Quick Assist and Rclone for data theft

Microsoft Threat Intelligence is warning of a surge in attacks where threat actors pose as IT or helpdesk staff in external Microsoft Teams cross-tenant chats to trick employees into granting remote access - then use legitimate tools to steal data while blending into normal IT activity. The attack chain has nine stages. First, the attacker opens an external Teams chat claiming to be internal IT addressing an account issue. They talk the target into starting a Quick Assist remote support session, giving the attacker direct control of the machine. From there they do quick recon via Command Prompt and PowerShell, drop a small payload in user-writable locations like ProgramData, and execute it through DLL side-loading using a trusted signed application (Autodesk, Adobe Reader, Windows Error Reporting, or even data loss prevention software - any binary with a valid Microsoft-trusted signature). HTTPS C2 blends into normal outbound traffic. They establish persistence via Windows Registry, then use Windows Remote Management (WinRM) to move laterally to domain controllers and high-value assets. Final stage: Rclone exfiltrates filtered data to external cloud storage. Microsoft's detection guidance is blunt - this blends into legitimate admin activity and is hard to distinguish from routine IT support.

Check
Audit your Teams tenant configuration today. Do external users from unknown tenants have the ability to start chats with your employees? If yes, this attack vector is open.
Affected
Any organization using Microsoft Teams with external collaboration enabled, particularly with 'Anyone' or broad external access allowed. Non-technical staff who may not recognize the pattern of an external Teams contact impersonating IT. Environments where Quick Assist is not restricted and WinRM is widely enabled.
Fix
In Teams Admin Center, set External Access to allow only specific trusted domains (not 'Anyone'). Train staff to treat any external Teams contact claiming to be IT as hostile by default - legitimate internal IT does not chat from an external tenant. Restrict or audit Quick Assist: if you don't use it, disable it via GPO or Intune. Limit WinRM to specific admin jump boxes rather than allowing it across the domain. Monitor for Rclone execution (filename and parent process) - there's essentially no legitimate business reason for Rclone to run on endpoint machines. Flag any outbound HTTPS traffic from endpoints to consumer cloud storage domains (Mega, Dropbox, Google Drive) that doesn't match expected user behavior.

Axios npm attack attributed to North Korean hackers UNC1069 - part of broader campaign targeting open-source maintainers

The Axios supply chain attack we covered on March 31 has now been attributed to UNC1069, a North Korean threat group linked to BlueNoroff that specializes in financially motivated attacks against crypto exchanges and financial institutions. Google's Mandiant confirmed the attackers social-engineered the lead maintainer through a fake video call, deploying a RAT via the compromised npm account. Socket warns this wasn't a one-off - the same actors have compromised accounts spanning some of the most widely depended-upon packages in the npm registry.

Check
Re-check your environments for axios 1.14.1 or 0.30.4. If you found and removed them previously, verify credential rotation was completed.
Affected
axios 1.14.1 and 0.30.4 on npm. Socket warns additional high-trust npm packages may be compromised by the same actor - monitor for advisories.
Fix
Pin to axios 1.14.0 or 0.30.3. Rotate all credentials on any system that ran the poisoned versions. Block sfrclak[.]com and 142.11.206.73 on port 8000. Enforce OIDC-backed provenance verification for critical npm dependencies.

Hims & Hers discloses breach after ShinyHunters steal millions of Zendesk support tickets via Okta SSO

Telehealth giant Hims & Hers - nearly $1 billion in annual revenue, millions of subscribers - disclosed that hackers stole customer support tickets from its Zendesk instance between February 4-7. The ShinyHunters extortion gang conducted the breach by compromising Okta SSO credentials through social engineering, then pivoting into the Zendesk platform. Stolen data includes names, contact information, and details from support requests. No medical records or doctor communications were compromised. The company took two months to disclose.

Check
Review whether your organization uses Zendesk with Okta SSO integration - this same attack pattern has hit multiple companies recently.
Affected
Any organization using Zendesk integrated with Okta SSO for authentication. Hims & Hers, ManoMano, and Crunchyroll were all breached through this pattern.
Fix
Enforce phishing-resistant MFA (FIDO2 hardware keys) on all Okta accounts - standard TOTP/push MFA can be bypassed by social engineering. Audit Okta sign-in logs for SSO sessions accessing Zendesk from unusual locations. Review third-party SaaS integrations connected through your identity provider.

macOS Tahoe 26.4 blocks ClickFix paste attacks in Terminal - update your Mac fleet now

Apple shipped an undocumented security feature in macOS Tahoe 26.4 that directly targets ClickFix attacks - the social engineering technique behind the Infinity Stealer campaign we covered last week. When a user tries to paste a potentially harmful command into Terminal, macOS now intercepts it with a warning before anything executes. The feature only covers Apple's built-in Terminal app, not third-party alternatives like iTerm2. A 'Paste Anyway' option remains for power users.

Check
Check if your Mac fleet is running macOS Tahoe 26.4 or later.
Affected
Any macOS user on versions prior to 26.4 who may encounter ClickFix social engineering attacks via fake CAPTCHA pages or tech support sites.
Fix
Update to macOS Tahoe 26.4. Push the update via MDM for managed fleets. Train staff to never paste commands from websites into Terminal regardless of the prompt - the protection only covers Terminal.app, not third-party terminals.

New Infinity Stealer malware targets macOS through fake Cloudflare CAPTCHA pages

A new macOS infostealer called Infinity Stealer tricks users through fake Cloudflare CAPTCHA pages - a technique called ClickFix. Victims paste a command into Terminal thinking they're verifying their identity, but it silently installs malware. The payload is compiled with Nuitka - turning Python into native macOS binaries that are much harder for security tools to detect. It steals browser credentials, Keychain data, and crypto wallets.

Check
Alert your team - especially Mac users - to never paste unknown commands into Terminal from websites.
Affected
Any macOS user who encounters a Cloudflare-style CAPTCHA asking them to open Terminal.
Fix
Train staff to recognize fake CAPTCHA pages. Block the domain update-check[.]com. Run endpoint detection on macOS devices.

Fake VS Code security alerts flooding GitHub Discussions to spread malware

Thousands of fake Visual Studio Code vulnerability warnings are being posted across GitHub Discussions in automated waves - all from freshly created accounts. The posts use realistic titles like 'Severe Vulnerability - Immediate Update Required' with fabricated CVE IDs to pressure developers into downloading malware from Google Drive links. The payloads fingerprint victims before delivering secondary attacks, acting as a traffic distribution system.

Check
Warn your development team - never download VS Code updates from GitHub Discussion links or Google Drive.
Affected
Any developer using GitHub who encounters a VS Code security alert in Discussions with an external download link.
Fix
Only update VS Code through the built-in updater or code.visualstudio.com. Verify any CVE IDs against NVD or CISA KEV before acting on them.