Fake Claude Code sites in sponsored results deliver malware

Security researchers at Push Security have discovered a new campaign of fake sites impersonating popular tools such as Claude Code. The sites carry installation instructions that lead victims (convinced they are running a legitimate program) to install malicious software. The sites are promoted through Google Ads, which makes them appear high in...

Sekurak

#WBiegu #Claude #Installfix #Malvertising #Malware

https://sekurak.pl/falszywe-strony-claude-code-w-sponsorowanych-wynikach-dostarczaja-malware/

AitM Phishing Targets TikTok Business Accounts Using Cloudflare Turnstile Evasion

A new phishing campaign is targeting TikTok for Business accounts using adversary-in-the-middle (AitM) techniques. The attackers employ Cloudflare Turnstile to evade detection and create convincing lookalike pages impersonating TikTok for Business or Google Careers. Victims are tricked into clicking malicious links, leading to credential theft. The campaign aims to seize control of business accounts, which can be used for malvertising and malware distribution. Multiple domains are involved in hosting the phishing pages. Additionally, a separate campaign using SVG file attachments to deliver malware has been observed in Venezuela, with potential links to BianLian ransomware activity.

Pulse ID: 69c6d346df59de3f16b61387
Pulse Link: https://otx.alienvault.com/pulse/69c6d346df59de3f16b61387
Pulse Author: AlienVault
Created: 2026-03-27 18:58:14

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AdversaryInTheMiddle #AitM #BianLian #Cloud #CyberSecurity #Google #InfoSec #Malvertising #Malware #OTX #OpenThreatExchange #Phishing #RAT #RansomWare #SVG #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

Inside Keitaro Abuse Part 2: One Platform, Many Threats

This analysis examines how threat actors abuse Keitaro, an advertising performance tracker, for various malicious purposes. The report covers a wide range of threats, including malware delivery, phishing, scams, and illegal content distribution. Key findings include the use of Keitaro for cloaking and traffic distribution in malvertising campaigns, spam operations leveraging Keitaro for cryptocurrency wallet draining, and the abuse of Keitaro in investment scams. The report also highlights specific threat actors and their tactics, such as domain hijacking for adult content delivery and the use of fake arrests as clickbait for investment scams. Overall, the analysis demonstrates how Keitaro's features make it attractive to cybercriminals seeking to maximize their reach with minimal effort.

Pulse ID: 69c643d531ed0d8ae740f7dc
Pulse Link: https://otx.alienvault.com/pulse/69c643d531ed0d8ae740f7dc
Pulse Author: AlienVault
Created: 2026-03-27 08:46:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #Malvertising #Malware #Nim #OTX #OpenThreatExchange #Phishing #RAT #Spam #bot #cryptocurrency #AlienVault

We planned one report on Keitaro abuse, but we ran out of pages before we ran out of cases.
So here’s Part 2 of 3, a medley of threats that go well beyond AI‑investment scams.

Threat actors abuse Keitaro’s traffic distribution, cloaking, and rule engine to hide malicious landing pages behind geo and device-based filters. They stack bulletproof hosting and reverse proxies to add layers of indirection, making takedown and analysis harder. In this post, we share how we overcame this using multi‑protocol, multi‑vantage telemetry. We leveraged JA4+ web server fingerprints, DNS analytics, and Confiant’s visibility into advertising supply chain data to uncover Keitaro abuse and the delivery of malware downloaders, infostealers, weaponized RMMs, wallet drainer campaigns, scams, and email spam and advertising attack vectors.

If you hunt threats distributed via adtech, these indicators can be useful pivots. https://www.infoblox.com/blog/threat-intelligence/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #ai #keitaro #adtech #tds #trafficdistributionsystem #cloaker #cloaking #landscape #malvertising #infostealer #rmm #remotemonitoringmanagement #downloader #malware #spam #airdrop #cryptocurrency #ja4 #ja4_fingerprinting

@shawnhooper that's just #Malvertising and #RedirectionAttack and needs to be considered a #malicious #attack on users!

lists.d/searchpages.list.tsv at main · greyhat-academy/lists.d

List of useful things. Contribute to greyhat-academy/lists.d development by creating an account on GitHub.

GitHub

A Top Google Search Result for Claude Plugins Was Planted by Hackers

Hackers paid to make a malicious link the top Google Search result.

404 Media

How a Tax Search Leads to Kernel-Mode AV/EDR Kill

A large-scale malvertising campaign targeting U.S. tax form searchers has been uncovered. The attack chain begins with Google Ads, using dual commercial cloaking services to evade detection. Victims are directed to rogue ScreenConnect installers, leading to a multi-stage crypter that ultimately deploys a BYOVD (Bring Your Own Vulnerable Driver) tool. This tool, named HwAudKiller, exploits a previously undocumented Huawei audio driver to terminate antivirus and EDR processes from kernel mode. The campaign's sophistication lies in its use of commodity tools and services, combining free-tier ScreenConnect instances, off-the-shelf crypters, and a signed driver with an exploitable weakness. The attackers consistently deploy multiple remote access tools on compromised hosts for redundancy, indicating a likely pre-ransomware or initial access broker operation.

Pulse ID: 69bc8d909b5c7bee4ed80899
Pulse Link: https://otx.alienvault.com/pulse/69bc8d909b5c7bee4ed80899
Pulse Author: AlienVault
Created: 2026-03-19 23:58:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #EDR #ELF #Google #GoogleAds #InfoSec #Malvertising #OTX #OpenThreatExchange #RAT #RansomWare #ScreenConnect #bot #AlienVault

🔴 A threat isn't much of a threat if it can't reach the right victims. 📦 That's why many modern threat actors rely on cloakers and traffic distribution systems (TDS) to target, route, and hide at scale. In a six‑month joint effort analyzing four months of data with Confiant, we identified 15,500 domains configured to Keitaro instances and actively used in cyber campaigns. Keitaro is a legitimate ad tracker, but it is frequently misused by cybercriminals as an all‑in‑one tracker + TDS + cloaker in scam and malware campaigns. We encounter Keitaro in our investigations nearly every day, and we set out to quantify that abuse in the broader landscape. We're publishing a three‑part series to share what we learned. Part 1 focuses on a subset of actors who leverage AI in their operations, most of whom are tied to investment scams. At the end of the report, you'll find a link to our GitHub repository that contains thousands of related Keitaro IOCs.

https://www.infoblox.com/blog/threat-intelligence/inside-keitaro-abuse-a-persistent-stream-of-ai-driven-investment-scams/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #ai #keitaro #adtech #tds #trafficdistributionsystem #cloaker #cloaking #landscape #malvertising

ZDNet: A Meta-powered investment scam is spreading across 25 countries – how to spot (and avoid) it. “Malvertising — the practice of using fake ads and websites in scams — is nothing new. However, several noteworthy insights emerged from the report regarding how a sprawling, coordinated network is using sponsored and paid Meta advertising to reach new victims on every corner of the globe.”

https://rbfirehose.com/2026/03/17/zdnet-a-meta-powered-investment-scam-is-spreading-across-25-countries-how-to-spot-and-avoid-it/