Device Code Phishing is an Evolution in Identity Takeover

Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. This surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings like EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 and other enterprise accounts by tricking users into authorizing malicious applications. Current implementations use on-demand code generation, addressing the 15-minute expiration limitation of previous techniques. Most activity appears to be generated using AI-based coding techniques. Successful attacks lead to full account takeover, data theft, business email compromise, and potential ransomware deployment. The technique represents the natural evolution of credential phishing as organizations improve their defenses against traditional multifactor authentication bypass methods.

Pulse ID: 6a05af080ae591ea2bf00e87
Pulse Link: https://otx.alienvault.com/pulse/6a05af080ae591ea2bf00e87
Pulse Author: AlienVault
Created: 2026-05-14 11:16:24

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DataTheft #Email #InfoSec #Microsoft #MultiFactorAuthentication #OTX #OpenThreatExchange #Phishing #RAT #RansomWare #bot #AlienVault

Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans

A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.

Pulse ID: 6a01847e13b4074a8d4b6381
Pulse Link: https://otx.alienvault.com/pulse/6a01847e13b4074a8d4b6381
Pulse Author: AlienVault
Created: 2026-05-11 07:25:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault

ShinyHunters claims data theft from 8,800 schools (Instructure/Canvas)

https://www.bleepingcomputer.com/news/security/instructure-hacker-claims-data-theft-from-8-800-schools-universities/

#HackerNews #ShinyHunters #DataTheft #Schools #Instructure #Canvas #Cybersecurity #EducationSecurity

Zero accountability, as expected. 😑

One of the major findings was that “after having indiscriminately collected personal information of millions of individuals in Canada and used it … without valid consent,” the firm deployed the service without checking the accuracy. It took a remedial approach to correct only after errors were discovered.

On the subject of correcting or deleting personal information, Open AI revealed during the investigation that it “is not currently feasible.”

So they stole everybody’s data, and they’re keeping it. And that’s fine because the new version is better. 🙄

#DataPrivacy #InfoSec #DataTheft
https://www.timescolonist.com/opinion/les-leyne-no-penalties-for-chatgpt-privacy-violations-12245373

Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader

In March 2026, threat actors weaponized the OpenClaw AI agent framework by publishing a deceptive "DeepSeek-Claw" skill. This skill embedded malicious installation instructions designed to trick AI agents and developers into executing hidden payloads. On Windows systems, a PowerShell command downloads an MSI package containing a legitimate signed GoToMeeting executable that sideloads a malicious DLL. This loader patches ETW and AMSI for evasion, then decrypts and executes Remcos RAT using TEA encryption, enabling remote access and data theft including keylogging and cookie stealing. An alternate execution path for macOS and Linux delivers GhostLoader through obfuscated Node.js scripts, harvesting credentials via fake sudo prompts and exfiltrating SSH keys, cryptocurrency wallets, and cloud API tokens. This campaign represents an emerging threat vector exploiting autonomous AI workflows and developer trust in open-source frameworks.

Pulse ID: 69fa3aacdd4e111bac9bad11
Pulse Link: https://otx.alienvault.com/pulse/69fa3aacdd4e111bac9bad11
Pulse Author: AlienVault
Created: 2026-05-05 18:45:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #DataTheft #Encryption #InfoSec #Linux #Mac #MacOS #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #RCE #Remcos #RemcosRAT #Rust #SSH #Windows #bot #cryptocurrency #developers #AlienVault

Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft

Pulse ID: 69f97a8dd96a037ffe45c661
Pulse Link: https://otx.alienvault.com/pulse/69f97a8dd96a037ffe45c661
Pulse Author: Tr1sa111
Created: 2026-05-05 05:05:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DataTheft #InfoSec #OTX #OpenThreatExchange #RAT #Trigona #bot #Tr1sa111

Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft

Trigona ransomware affiliates deployed a custom exfiltration tool called uploader_client.exe during attacks in March 2026, marking a tactical shift from relying on off-the-shelf utilities like Rclone. The tool features parallel streams with five default connections, connection rotation after 2,048 MB transfers to evade network monitoring, and granular filtering to exclude low-value files. Prior to exfiltration, attackers disabled security defenses using kernel-level tools including HRSword, PCHunter, Gmer, YDark, and WKTools with vulnerable drivers. Remote access was established via AnyDesk, while credentials were harvested using Mimikatz and Nirsoft utilities. The custom tooling demonstrates higher technical maturity compared to typical ransomware operations, providing enhanced stealth capabilities while requiring greater development resources. Targeted data included invoices and high-value PDF documents from networked drives.

Pulse ID: 69f4e8812c7240e62187fe72
Pulse Link: https://otx.alienvault.com/pulse/69f4e8812c7240e62187fe72
Pulse Author: AlienVault
Created: 2026-05-01 17:53:05

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AnyDesk #CyberSecurity #DataTheft #ELF #InfoSec #OTX #OpenThreatExchange #PDF #RAT #RCE #RansomWare #Rclone #Trigona #Word #bot #AlienVault

Extortion in the Enterprise: Defending Against BlackFile Attacks

Since February 2026, multiple incidents involving data theft and extortion have been attributed to activity cluster CL-CRI-1116, also known as BlackFile, UNC6671, and Cordial Spider. These financially-motivated attackers, likely associated with "The Com" collective, employ voice-based phishing combined with credential harvesting through fraudulent login pages. They impersonate IT support staff to steal credentials and bypass multi-factor authentication. The attackers focus on Living Off the Land techniques, abusing legitimate APIs like Microsoft Graph to access SharePoint sites and Salesforce data. They search for confidential information and employee data within SaaS environments, then exfiltrate it through browser downloads or API exports. To pressure victims into paying seven-figure ransoms, attackers send demands via Gmail and compromised email accounts, sometimes employing SWATting tactics against executives.

Pulse ID: 69ef8ab862c07db686ca4572
Pulse Link: https://otx.alienvault.com/pulse/69ef8ab862c07db686ca4572
Pulse Author: AlienVault
Created: 2026-04-27 16:11:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CredentialHarvesting #CyberSecurity #DataTheft #Email #Extortion #ICS #InfoSec #Microsoft #OTX #OpenThreatExchange #Phishing #RAT #RCE #bot #AlienVault