Fake judicial review phishing emails deliver SapphireRAT to Latin American organisations
Cofense researchers discovered a new wave of phishing attacks that uses fake judicial notices about legal proceedings, combined with multi-layer evasion techniques, to distribute and execute SapphireRAT. The attack primarily focuses on organisations across Latin America and targets industries holding valuable data or operating critical infrastructure. According to the researchers, the attack can bypass traditional security measures, including email filtering and antivirus solutions. The email claims that the Juzgado Segundo Civil Municipal de Bogotá has initiated legal proceedings regarding an outstanding debt and instructs the recipient to review and sign an attached document. Opening the document redirects the victim to a webpage that leads to the installation of SapphireRAT via a RAR archive.
GreenSpot APT targets 163[.]com users with malicious download pages and spoofed domains
Hunt[.]io researchers observed a campaign, attributed to the GreenSpot advanced persistent threat (APT) group, targeting 163[.]com users with malicious download pages and spoofed domains. One of the domains hosted a malicious login page, while others contained fake download pages aimed at capturing usernames and passwords. Once a user submits their credentials on the malicious login page, JavaScript code is executed that dynamically constructs a redirection link based on the page URL’s domain and displays a 404 page. The user is then redirected to the legitimate email login page. The researchers also identified multiple web pages, likely distributed via phishing emails, that start a countdown timer when visited to pressure victims into entering their credentials and downloading a document.
Phishing campaign spoofs Microsoft ADFS for credential harvesting and account takeover
Abnormal Security researchers identified an ongoing phishing campaign targeting users relying on Microsoft Active Directory Federation Services (ADFS). The attackers use spoofed ADFS login pages to harvest user credentials and bypass multi-factor authentication (MFA), which could be used for account takeover and to gain access to critical systems and data. The attack chain involves spoofed emails made to appear to come from the targeted organisation’s IT help desk. Users are prompted to visit a fake ADFS login page, where usernames, passwords, and MFA codes are collected. To appear more legitimate, the phishing pages are personalised to match the targeted organisation’s specific MFA setup, while lateral phishing involving previously compromised accounts was also observed. The campaign has targeted over 150 organisations to date, the majority of which are in the education sector, followed by healthcare and government.
Phishing campaign targets high-profile X accounts to promote crypto scams
SentinelLabs researchers reported an ongoing phishing campaign seeking to hijack high-profile social media accounts and exploit them to promote cryptocurrency scams. The campaign has been active since mid-2024 and targets accounts linked to United States political figures, international journalists, and cryptocurrency and technology organisations on X and other social media platforms. The threat actors recently began abusing Google’s ‘AMP Cache’ domain to evade email detection and redirect users to credential harvesting sites. Once the attackers gain access to an account, they post fraudulent crypto-related content to lure more victims for financial gain.
Malicious PyPI packages used to target DeepSeek users
Positive Technologies researchers detected and prevented a malicious campaign in the PyPI package repository that targeted developers, machine learning engineers, and artificial intelligence enthusiasts potentially interested in integrating DeepSeek into their systems. On January 29th, 2025, a user named ‘bvk’ uploaded two malicious packages, dubbed ‘deepseeek’ and ‘deepseekai’, which were designed to collect user and computer data and steal environment variables. The payload is executed when the user runs the command ‘deepseeek’ or ‘deepseekai’ in the command-line interface. The author of the packages used the Pipedream integration platform as the C2 server to receive the stolen data.
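Both package names in this report are lookalikes of the name a developer actually wanted, and the payload ran only because installing the package registered a console command. The following is an added example, not code from Positive Technologies or from the malicious packages: it flags candidate package names that sit within a small edit distance of (or are built around) a watch-list of expected names, and lists the console commands a package would register from its entry_points.txt. The watch-list, the thresholds, and the entry_points.txt content are constructed assumptions for illustration; only the names ‘deepseeek’ and ‘deepseekai’ come from the report.

```python
"""Defensive pre-install checks for PyPI package names and console entry points.

Added example (not the researchers' or the packages' code). KNOWN_PACKAGES,
MAX_DISTANCE and SAMPLE_ENTRY_POINTS are constructed assumptions.
"""
import configparser

# Constructed watch-list: names developers in this organisation are expected to install.
KNOWN_PACKAGES = {"deepseek", "requests", "numpy", "openai"}
MAX_DISTANCE = 2  # assumed tolerance for typo-style lookalikes


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(name: str, known=KNOWN_PACKAGES, max_distance: int = MAX_DISTANCE):
    """Return (verdict, reference_name) for a candidate package name.

    verdict is 'known', 'lookalike' or 'unknown'. PyPI normalises '_' to '-'
    and is case-insensitive, so the same normalisation is applied here.
    """
    n = name.lower().replace("_", "-")
    if n in known:
        return ("known", n)
    for k in sorted(known):
        # 'deepseeek' style: a few characters inserted, dropped or swapped
        if edit_distance(n, k) <= max_distance:
            return ("lookalike", k)
        # 'deepseekai' style: the real name with a short suffix or prefix bolted on
        if n.startswith(k) or n.endswith(k):
            return ("lookalike", k)
    return ("unknown", None)


def audit(names):
    """Classify every candidate name; returns {name: (verdict, reference)}."""
    return {n: classify(n) for n in names}


def console_scripts(entry_points_text: str) -> dict:
    """Parse an entry_points.txt body and return {command: 'module:callable'}.

    A package that registers a command is one whose code runs as soon as a
    user types that command, which is the trigger described in the report.
    """
    cp = configparser.ConfigParser()
    cp.read_string(entry_points_text)
    if not cp.has_section("console_scripts"):
        return {}
    return dict(cp.items("console_scripts"))


# Constructed sample of the metadata file a wheel would carry; not the real package's file.
SAMPLE_ENTRY_POINTS = """[console_scripts]
deepseeek = deepseeek.cli:main
"""

if __name__ == "__main__":
    for name, (verdict, ref) in audit(["deepseeek", "deepseekai", "numpy", "flask"]).items():
        print(f"{name:12s} {verdict:10s} {ref or ''}")
    print("registers commands:", console_scripts(SAMPLE_ENTRY_POINTS))
```

A check like this belongs in a pre-install hook or an internal proxy in front of PyPI; both lookalike names are caught here by different rules (one by edit distance, one by the prefix rule), which is why the two rules are kept separate rather than collapsed into a single threshold.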
Ransomware
[Figure: Volume of blog posts by operators during the last week.]
35% Year-over-Year Decrease in Ransomware Payments, Less than Half of Recorded Incidents Resulted in Victim Payments – Chainalysis – Feb 05 2025
Trustwave SpiderLabs: Examining How New Ransomware Groups Emerge – Trustwave Blog – Feb 04 2025
Globe Life Ransomware Attack Exposes Personal and Health Data of 850,000+ Users – GBHackers On Security – Feb 03 2025
Ransomware attack hit Indian multinational Tata Technologies – Security Affairs – Feb 02 2025
A ransomware attack forced New York Blood Center to reschedule appointments – Security Affairs – Feb 01 2025
Exposed SMB: The Hidden Risk Behind ‘WantToCry’ Ransomware Attacks – Seqrite Blog – Jan 31 2025
Financial Services
Mobile Indian Cyber Heist: FatBoyPanel And His Massive Data Breach – Zimperium Blog – Feb 05 2025
GetSmoked: UAC-0006 Returns With SmokeLoader Targeting Ukraine’s Largest State-Owned Bank – CloudSEK Blog – Feb 05 2025
Take my money: OCR crypto stealers in Google Play and App Store – Kaspersky Lab – Feb 05 2025
VidSpam: A New Threat Emerges as Bitcoin Scams Evolve from Images to Video – Proofpoint US Blog – Feb 04 2025
Coyote Banking Trojan: A Stealthy Attack via LNK Files – Fortinet – Jan 30 2025
Geopolitics
CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks – Trend Micro Simply Security – Feb 04 2025
WhatsApp says journalists and civil society members were targets of Israeli spyware – The Guardian – World – Jan 31 2025
Ukraine’s military intelligence disrupts Gazprom’s digital services – The Kyiv Independent – Jan 31 2025
CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia – Unit 42 – Palo Alto Networks Blog – Jan 29 2025
Chinese State Influence – Selected Insights from Graphika’s ATLAS Intelligence Reporting on Chinese State Influence Actors and Adjacent Communities – Threat Reports – Graphika – Jan 29 2025
High Priority Vulnerabilities
| Name | Software | Base Score | Temp Score | Related |
|---|---|---|---|---|
| CVE-2024-53104 | Kernel | 7.8 | 5.3 | Google fixes Android kernel zero-day exploited in attacks |
| CVE-2025-20124 | ISE Passive Identity Connector | 9.9 | 6.0 | Critical and high-severity flaws patched across Cisco products |
| CVE-2024-45195 | OFBiz | 7.5 | 3.4 | Flaws in Apache, Microsoft, and Paessler products actively exploited |
| CVE-2024-57968 | VeraCore | 9.9 | 6.0 | XE Group: From Credit Card Skimming to Exploiting Zero-Days |
| CVE-2019-18935 | Argus Safety | 9.8 | 9.8 | Old Telerik UI flaw exploited to deliver reverse shells and JuicyPotatoNG |