Emergence of Chinese-Language Phishing-as-a-Service (PhaaS) Ecosystem
2 rules 2 TTPs
A rapidly growing Chinese-language PhaaS ecosystem is shifting towards real-time interception of credentials and tokenization of stolen payment data, bypassing traditional SMS security filters with encrypted channels like RCS and iMessage, and employing AI-based automation to evade detection.
SHub Reaper Stealer Backdoors macOS with Multi-Brand Spoofing
3 rules 4 TTPs
The SHub Reaper stealer combines credential theft, wallet hijacking, and document exfiltration with persistent backdoor access on macOS, distributed through fake WeChat and Miro installers while spoofing Apple, Google, and Microsoft to evade detection.
Storm-2949 Abuses SSPR for Cloud-Wide Data Exfiltration
2 rules 6 TTPs
Storm-2949 compromised cloud identities through social engineering and abused the Self-Service Password Reset (SSPR) process to bypass MFA and gain persistent access, enabling lateral movement and data exfiltration from Microsoft 365 and Azure environments.
Social Engineering Attacks Targeting Enterprise SaaS Environments
2 rules 4 TTPs 1 IOC
Financially motivated threat actors are using social engineering techniques like vishing and credential harvesting to compromise enterprise SaaS environments, leading to data exfiltration and extortion.
Malware Distribution via Hugging Face and ClawHub
2 rules 1 TTP
Threat actors are using social engineering to distribute malware via AI distribution platforms such as Hugging Face and ClawHub by tricking users into downloading malicious files, which leads to malware infections on Windows, macOS, Linux, and Android systems.
ClickFix 'BackgroundFix' Campaign Delivers CastleLoader, NetSupport RAT, and CastleStealer
2 rules 3 TTPs 1 IOC
The 'BackgroundFix' ClickFix campaign uses social engineering to trick victims into downloading malware disguised as a free image-editing tool, leading to the deployment of CastleLoader, NetSupport RAT for remote access, and CastleStealer for credential theft.
Large-Scale Smishing Campaign Impersonating Transport Authorities
2 rules 1 TTP
A smishing campaign has been active since December 2025, targeting drivers in 12 countries with fraudulent text messages impersonating transport authorities, toll operators, and parking services, resulting in over 79,000 fraudulent messages sent as of April 2026.
UNC6692 Combines Social Engineering, Malware, and Cloud Abuse
2 rules 12 TTPs
UNC6692 is a newly discovered, financially motivated threat actor that combines social engineering via Microsoft Teams, custom malware named SNOWBELT, and abuse of legitimate AWS S3 cloud infrastructure in its attack campaigns to steal credentials and prepare for data exfiltration.
Drift Protocol $280M Crypto Theft Linked to North Korean Hackers
2 rules 1 TTP
The Drift Protocol suffered a $280 million crypto theft orchestrated by North Korean hackers who spent six months building an in-person operational presence within the Drift ecosystem, engaging with contributors at crypto conferences and via Telegram.
Axios npm Package Compromised via Social Engineering
2 rules 7 TTPs
North Korean threat actors (UNC1069) compromised the Axios npm package by socially engineering a maintainer with a fake Microsoft Teams update delivering a RAT, leading to the injection of a malicious dependency and a supply chain attack.
Democratization of Business Email Compromise (BEC) Attacks
2 rules 2 TTPs 1 CVE 6 IOCs
Attackers are leveraging AI to rapidly reconnoiter and tailor content for smaller organizations, making it easier to execute business email compromise (BEC) scams and extract smaller sums from many victims, as demonstrated by a recent attack targeting a small community organization.
Palo Alto Networks Recruiting Impersonation Phishing Campaign
2 rules 2 TTPs 6 IOCs
Since August 2025, threat actors have been impersonating Palo Alto Networks talent acquisition staff in a sophisticated phishing campaign targeting senior professionals, using social engineering tactics to solicit fraudulent resume fees.
Potential Fake CAPTCHA Phishing Attack via Command Line
2 rules 2 TTPs
This rule detects potential fake CAPTCHA phishing attacks on Windows systems where victims are tricked into copying and pasting malicious commands into the Windows Run dialog box.