Threat Actors Weaponize Tiflux RMMs in Malspam Attacks

Pulse ID: 6a016038daea3ca1a2762d7b
Pulse Link: https://otx.alienvault.com/pulse/6a016038daea3ca1a2762d7b
Pulse Author: Tr1sa111
Created: 2026-05-11 04:51:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #MalSpam #OTX #OpenThreatExchange #Spam #bot #Tr1sa111

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Threat Actors Weaponize Tiflux RMMs in Malspam Attacks

Since late February, there has been an uptick in incidents involving Tiflux, a lesser-known Brazilian commercial remote management tool being weaponized by threat actors. The attack chain begins with phishing emails containing fake document lures that deliver a malicious MSI installer. Once executed, the installer deploys multiple remote access tools including UltraVNC, Splashtop, and ScreenConnect for persistent access. The Tiflux installer contains concerning components such as outdated VNC versions from 2014, expired certificates, hardcoded passwords, and a vulnerable HwRwDrv.sys driver known for privilege escalation abuse. The threat actors leverage these tools to establish persistence, capture screenshots, and collect system profiling information. This campaign exemplifies the continuing pattern of adversaries abusing legitimate remote management software for stealthy access to victim environments while chaining multiple tools together to maintain control.

Pulse ID: 69fd4f31a337de81bfb907d5
Pulse Link: https://otx.alienvault.com/pulse/69fd4f31a337de81bfb907d5
Pulse Author: AlienVault
Created: 2026-05-08 02:49:21

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Brazil #CyberSecurity #Email #InfoSec #MalSpam #OTX #OpenThreatExchange #Password #Passwords #Phishing #ScreenConnect #Spam #VNC #Word #bot #AlienVault

An on-time (yay) CSV-formatted list of #malspam campaigns that crossed my path in April, including #malware type, C2, hash, subject, and email exfil addresses:

https://gist.github.com/silence-is-best/bc95a949f272f8c5487d057bbd74d14f

#retrohunt

When your #malspam threat actor forgets to properly configure their #remcos ....ya "Juniorer" indeed 🤣

https://app.any.run/tasks/1ff77354-94ca-4d30-b6f7-a86aff32e1af

Trust this “Amazon” phishing email in Japan—and you’re Prime sashimi 🎣 🍣

Looking into our malspam data, we identified an active campaign impersonating Amazon and targeting Japanese citizens. The emails use subjects such as 「至急 Amazonプライム会員情報の確認」 (“Urgent: Confirm Amazon Prime member information”).

The URLs within the emails ultimately lead to an Amazon phishing page, but only after routing victims through a TDS. Interestingly, instead of keeping the TDS step invisible, the actors chose to show it off—repackaging it as a reassuring security check.

Upon clicking the link within the email, victims are first redirected to an RDGA TDS domain, where fingerprinting occurs. If the user does not match the targeting criteria (e.g., connecting from outside Japan), access is blocked. If they do match, potential victims are redirected to a second RDGA domain.
This second and last domain is not a TDS domain, but, funnily enough, these actors decided they would emulate it anyway!

At that step, victims are already at the landing page, but instead of immediately displaying a standard Amazon phishing page, the website displays a CAPTCHA and a fake console interface simulating environment fingerprinting checks to “make sure your environment and connection is safe” before “proceeding to the landing page”. Ironically, part of their message is true: fingerprinting did happen one domain earlier. It just wasn’t for the user’s benefit—it was to make sure the environment was safe… for the scammers. A few seconds later, without any further user interaction, a fake Amazon login page is displayed.

Domain samples:
qqc10c[.]cyou
51wang11c[.]cyou

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #amazon #malspam #email #fingerprinting #japan

A very late (due to work travel) CSV-formatted list of #malspam campaigns that crossed my path in March, including #malware type, subject, hash, C2, and email exfil addresses:

https://gist.github.com/silence-is-best/440abd3e683adf69f531371cf56cd338

#retrohunt

A CSV-formatted list of #malspam campaigns that crossed my path in February, including subjects, #malware type, hashes, C2s, and email exfil addresses:

https://gist.github.com/silence-is-best/49cbc51145478ed68d06e02e14ddc135

#retrohunt

New 2026 telemetry from Bitdefender indicates 41% of Valentine’s-themed email traffic contained scam elements.

Threat vectors observed:
• Brand impersonation campaigns
• AI-generated dating personas
• Advance-fee survey funnels
• Delivery notification phishing
• Pharma spam distribution
• Healthcare provider impersonation (e.g., Techniker Krankenkasse)

Geographic targeting concentrated in the U.S. (55%) and key European markets.

Question for defenders:
Are current email filtering models sufficiently adaptive to seasonal emotional triggers amplified by generative AI?
Engage below.

Follow @technadu for threat intelligence reporting.

#ThreatIntel #Phishing #EmailSecurity #AIThreats #SOC #BlueTeam #FraudDetection #BrandAbuse #SecurityResearch #CyberDefense #Malspam #DigitalRisk

A CSV-formatted list of #malspam campaigns that crossed my path in January, including #malware, C2, hash, subject, and some email exfil addresses:

https://gist.github.com/silence-is-best/8b91cfa90b598f71dbd7169f0391c98c

#retrohunt

If you've been experiencing these new #malspam with @Action1corp #action1 RMM, there's a tasty lil file called C:\Windows\Action1\what_is_this.txt that's everything you need to know:
https://app.any.run/tasks/a38ca435-f03f-4e77-aac0-f7446b6fe4df