🕵️ We also highlight multiple detection opportunities for AitM attacks in Microsoft Entra environments.
All technical details are available on our community GitHub: https://buff.ly/v5Y6amN
🔍 Phishing-as-a-Service (#PhaaS) is driving a wave of large-scale, sophisticated attacks against organisations.
In our new blogpost, we provide an overview of the key techniques, tactics and social engineering schemes that cybercriminals use in AitM phishing attacks.
🎣 Leveraging our telemetry and proactive hunting, we ranked the most widespread AitM phishing kits - #Tycoon2FA, #Storm1167, #NakedPages, #Sneaky2FA, and more.
Additionally, the article includes summary sheets covering 11 AitM phishing kits.
We hope SOC, CERT and CTI teams find our global analysis of AitM phishing threats both insightful and actionable.
Dive in here ⬇️
https://blog.sekoia.io/global-analysis-of-adversary-in-the-middle-phishing-threats
🪤 Sekoia #TDR's new exclusive research uncovers the #ViciousTrap, a honeypot network deployed on compromised edge devices.
Our new report describes one of the latest observed infection chains (delivering #AsyncRAT) relying on the #Cloudflare tunnel infrastructure and the attacker’s #TTPs with a principal focus on detection opportunities.
https://blog.sekoia.io/detecting-multi-stage-infection-chains-madness/
Since the appearance of the #Interlock ransomware, the Sekoia #TDR team observed its operators evolving, improving their toolset (#LummaStealer and #BerserkStealer), and leveraging new techniques such as #ClickFix to deploy the ransomware payload.
https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/
🎉 It's not about a CTI investigation or a Detection Engineering topic, but today we are happy to announce that Sekoia.io has raised €26m!
https://www.sekoia.io/en/presse/sekoia-io-secures-e26-million-in-series-b-to-democratize-cyber-operations-with-ai-and-cyber-intelligence/
🇰🇵 Sekoia #TDR team investigated a malicious campaign that employs fake job interview websites to deliver backdoors on Windows and macOS - #GolangGhost using #ClickFix tactic. Dubbed #ClickFake Interview, this campaign has been attributed to #Lazarus, a #DPRK state-sponsored threat actor, which has been targeting the cryptocurrency industry since at least 2017.
https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/
This new variant introduces additional interactions with the Binance Smart Chain, as well as new ClickFix lures displaying:
- a fake Cloudflare Turnstile with unusual web traffic
- a fake reCAPTCHA along with a DNS error
As usual, IoCs are available in our Community GitHub repository:
https://raw.githubusercontent.com/SEKOIA-IO/Community/refs/heads/main/IOCs/clearfake/clearfake_iocs_20250318.csv
In early 2025, the ClearFake framework widely spread #Emmenhtal Loader as the initial stage, aiming to download #Lumma or #Rhadamanthys, or PowerShell scripts installing #Vidar.
We identified thousands of sites compromised with ClearFake distributing these malware.
TDR analysts published an analysis of the new #ClearFake variant that relies on compromised websites injected with the malicious JavaScript framework, the #EtherHiding technique, and the #ClickFix social engineering tactic.
#ClearFake variant is now spreading #Rhadamanthys Stealer via #Emmenhtal Loader.
cc @sekoia_io
1. ClearFake framework is injected on compromised WordPress and relies on EtherHiding
2. The #ClickFix lure uses a fake Cloudflare Turnstile with unusual web traffic
3. Malicious PowerShell command is copied into the user's clipboard data to be executed in the Run dialog box
4. Downloading Emmenhtal from:
bytes.microstorage[.]shop (1st stage)
w66.discoverconicalcrouton[.]shop (2nd stage)
5. Further downloading and executing Rhadamanthys from:
bytes.microstorage[.]shop/code.bin (https://virustotal.com/gui/file/a88c153e1595f9d193b3f881ec77e0d7d338ae22c9f6e67ffdf39c3609fcdbf7)
6. Communicating with C2 at:
91.240.118[.]2:9769
Public analysis of the recent ClearFake variant: https://security.szustak.pl/etherhide/etherhide.html
The conclusion (part three) of our series on #DetectionEngineering is finally here! https://blog.sekoia.io/detection-engineering-at-scale-one-step-closer-part-three/
Using our #honeypots, we uncovered an unreported #botnet that has been operational since at least the end of November 2023. This #PolarEdge botnet has been focusing on #edge devices, particularly those made by #Cisco, #Asus, #QNAP, and #Synology.
https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/
Cyber threats impacting the financial sector: focus on the main actors
We're thrilled to announce the release of the latest strategic report by Sekoia #TDR. This analysis highlights key cyber threats to the #financial sector in 2024.
🐭 RATatouille: Cooking Up Chaos in the I2P Kitchen
🔍 Our Threat Detection & Research (TDR) team has been analyzing a sophisticated new malware, #I2PRAT, featured in our latest FLINT report, now available in our blog!
https://blog.sekoia.io/ratatouille-cooking-up-chaos-in-the-i2p-kitchen/