Christina Lekati

875 Followers
119 Following
197 Posts
#SocialEngineering, #Psychology, & #OSINT intertwined for the sake of security. Exec Board Member @osintcurious

If you think AI and deepfakes are THE name of the game in "sophisticated" social engineering attacks, think again. AI-generated deepfakes are often just one step (a final blow) in a larger social engineering kill-chain.

In this week's social engineering case, we see a layered intrusion involving a compromised Telegram account, a fake Zoom meeting, a ClickFix-style infection vector and, as a last step, an AI-generated video.

๐–๐ก๐š๐ญ ๐ก๐š๐ฉ๐ฉ๐ž๐ง๐ž๐?

🔸 The threat actor initiates contact with a specific victim via Telegram, using a legitimate but compromised account of an executive, to leverage existing trust.

🔸 After building rapport through industry-specific conversation, the actor invites the victim to a call, and sends a Calendly link to schedule it.

🔸 The Calendly link redirects to a spoofed Zoom meeting hosted on the threat actor's infrastructure: zoom[.]uswe05[.]us
This is the first obvious red flag that *could* have been spotted.
But, when a threat actor takes the time to build trust with a target first, the trust-transference mechanism kicks in. And then, the little red flags that follow tend to get overlooked. As they did.

🔸 The call begins. The victim sees the video of a CEO from another company. Or, purportedly, their deepfake version.

🔸 And then hey, "the audio is broken!". If only that could quickly get fixed...there are only 20 minutes left in the call.
This is where the ClickFix-style social engineering begins. The threat actor directs the victim to run troubleshooting commands on their system to fix the issue.

🔸 Embedded within the string of commands is a single command that initiates a multi-stage infection chain, ultimately deploying 7 distinct malware families (described in the report).

"Proven play? Replay".
This is not a one-time hit. Mandiant has observed UNC1069 using these techniques to target both corporate entities and individuals within the cryptocurrency industry, as well as venture capital firms and their employees or executives. The list will expand.

Sophisticated social engineering attacks remain the ones that contain multiple elaborate steps that eventually build on each other to make the scheme work.

Full report:
https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering

#socialengineering #deepfakes #infosec #threatintelligence

UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering | Google Cloud Blog

North Korean threat actors target the cryptocurrency industry using AI-enabled social engineering such as deepfakes, and ClickFix.

Google Cloud Blog

๐Ž๐ฎ๐ซ "๐…๐ฎ๐ง๐๐š๐ฆ๐ž๐ง๐ญ๐š๐ฅ๐ฌ ๐จ๐Ÿ ๐‚๐ฒ๐›๐ž๐ซ ๐ˆ๐ง๐ฏ๐ž๐ฌ๐ญ๐ข๐ ๐š๐ญ๐ข๐จ๐ง๐ฌ ๐š๐ง๐ ๐‡๐ฎ๐ฆ๐š๐ง ๐ˆ๐ง๐ญ๐ž๐ฅ๐ฅ๐ข๐ ๐ž๐ง๐œ๐ž" ๐œ๐ฅ๐š๐ฌ๐ฌ ๐ข๐ฌ ๐ซ๐ž๐ญ๐ฎ๐ซ๐ง๐ข๐ง๐  ๐ญ๐ก๐ข๐ฌ ๐ฌ๐ฉ๐ซ๐ข๐ง๐  ๐ญ๐จ Black Hat Asia ๐ข๐ง ๐’๐ข๐ง๐ ๐š๐ฉ๐จ๐ซ๐ž! ๐ŸŽ‰

Join Samuel Lolagar and me on the 21st & 22nd of April for two days full of learning, hands-on exercises, real life case studies and the latest developments in #OSINT #SOCMINT and #HUMINT.

You will learn how to conduct an in-depth digital investigation on a subject, discover new leads, uncover and utilize all the evidence that is hiding in plain sight (and beyond) and conduct virtual HUMINT in an uncomplicated, step-by-step process.
We have seen firsthand the power of these techniques and we firmly believe in the effectiveness of combining these complementary intelligence disciplines.

We are looking forward to passing these skills on to our new group of attendees.
Hope to see you there!

P.S. There will be a class challenge, and a reward :)

Training details & registration: https://blackhat.com/asia-26/training/schedule/?track[]=human

#BlackHatAsia #BHAsia #OSINT #opensourceintelligence #humanintelligence #socialengineering

Berlin was faced with a 2nd arson attack on their power grid within a few months, leaving again thousands of households without power, for days. During this incident, several systems were damaged simultaneously, rendering any backup systems ineffective.
An attack like this requires planning, and it starts from reconnaissance.

How did the attackers know to set fire on one specific bridge that contained five high-voltage and ten medium-voltage cables, causing a major power outage in the area?
Can someone find sufficient information on a city's power grid infrastructure available on the internet?
Yes, they can. With more detail than there should be.

This is where platforms like the Open Infrastructure Map ("OpenInfraMap") enter the game.
๐Ž๐ฉ๐ž๐ง๐ˆ๐ง๐Ÿ๐ซ๐š๐Œ๐š๐ฉ (๐ก๐ญ๐ญ๐ฉ๐ฌ://๐จ๐ฉ๐ž๐ง๐ข๐ง๐Ÿ๐ซ๐š๐ฆ๐š๐ฉ.๐จ๐ซ๐ /) is an open-source web platform that provides a layered, detailed visualization on global infrastructure data like ๐˜ฑ๐˜ฐ๐˜ธ๐˜ฆ๐˜ณ, ๐˜ต๐˜ฆ๐˜ญ๐˜ฆ๐˜ค๐˜ฐ๐˜ฎ, ๐˜ฐ๐˜ช๐˜ญ ๐˜ข๐˜ฏ๐˜ฅ ๐˜จ๐˜ข๐˜ด ๐˜ฏ๐˜ฆ๐˜ต๐˜ธ๐˜ฐ๐˜ณ๐˜ฌ๐˜ด, ๐˜ธ๐˜ข๐˜ต๐˜ฆ๐˜ณ ๐˜ช๐˜ฏ๐˜ง๐˜ณ๐˜ข๐˜ด๐˜ต๐˜ณ๐˜ถ๐˜ค๐˜ต๐˜ถ๐˜ณ๐˜ฆ ๐˜ข๐˜ฏ๐˜ฅ ๐˜ฎ๐˜ข๐˜ซ๐˜ฐ๐˜ณ ๐˜ณ๐˜ข๐˜ช๐˜ญ ๐˜ฑ๐˜ฐ๐˜ธ๐˜ฆ๐˜ณ ๐˜ด๐˜บ๐˜ด๐˜ต๐˜ฆ๐˜ฎ๐˜ด ๐˜ช๐˜ฏ๐˜ง๐˜ณ๐˜ข๐˜ด๐˜ต๐˜ณ๐˜ถ๐˜ค๐˜ต๐˜ถ๐˜ณ๐˜ฆ (the data is crowdsourced from OpenStreetMap).

Don't think that searching this map needs to take time: by using Overpass Turbo (also with the help of any LLM that it is compatible with) one can significantly trim the search time and concentrate their research through queries.

Looking at the OpenInfraMap data in combination with satellite imagery, it is easy to see why this point of attack was chosen: all the 110 kilovolt high-voltage lines that supply southwest Berlin converge into a single cable bridge that is overground, accessible, near a sparsely populated area, with plenty of hiding spaces (trees, etc).

The Google street view imagery provides some extra help in reviewing some of the physical security and the surrounding area in preparation of a better plan.

The OpenInfraMap in combination with Google maps is just one simple example of potential adversarial OSINT. There is more publicly available information and databases that can be researched, found, and used in similar acts of sabotage (or worse, given the geopolitical state we are currently in).

It is scarily easy for saboteurs or other attackers to find vulnerabilities on critical infrastructure free & available online, and to focus on the locations/points where an attack could have the maximum impact.
This incident has not been an isolated event.

What can be done? If you work on securing a critical infrastructure entity:

🔹 Run your own OSINT analysis to identify vulnerabilities in advance. Know your level of exposure.

Control what you can:
🔹 Where possible, ask platforms to add blur or remove certain imagery. Aim for less detail in what can be visible, even through crowdsourced images.

🔹 Prioritize based on risk and take practical steps to implement better security measures on those vulnerable, identified spots before an adversary exploits them.

#OSINT #BerlinBlackout

3 resources / 1 post

Open AI has released a new report outlining the ways in which threat actors used their generative AI products to support their social engineering attack operations. They provide the case studies.

https://openai.com/global-affairs/disrupting-malicious-uses-of-ai-june-2025/

Why is this useful?

🔹 The operations described in the report help give us a better understanding of how threat actors are *realistically* trying to abuse GenAI models. No guesses, no fancy assumptions, just the observed TTPs.

🔹 I know that some of you in my network (and some of our clients) had to deal with the attacks documented. This will hit home.

🔹 Ultimately, we can use this report to help us further improve our defense strategies with reality in mind.

🔹 In the comments, you will find 2 additional reports (from Anthropic & Google) on how GenAI has been used in social engineering attacks. They provide a more holistic understanding on how these tools are being used by adversaries.

---------

2 additional reports on how GenAI has been used in social engineering attacks. They provide a more holistic understanding on how these tools are being used by adversaries:

Report by Anthropic (Claude): https://www.anthropic.com/news/detecting-and-countering-malicious-uses-of-claude-march-2025

Report by Google (government-backed threat actor use of the Gemini): https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse-generative-ai

Happy news!! This September at BruCon we will be taking a deep dive into #socialengineering and #OSINT through a 3-day, hands-on training class!
I SO look forward to it and to meeting the participants!! 🤩👩🏻‍💻

Full class content & details:
https://www.brucon.org/training-details/social-engineering-open-source

In January, I wrote about a vast China-based cloud CDN called Funnull that catered to cybercriminals in China and Russia seeking to route their traffic through US-based Cloud providers, particularly Microsoft and Amazon.

https://krebsonsecurity.com/2025/01/infrastructure-laundering-blending-in-with-the-cloud/

I did not expect this, or so quickly, but it looks like Treasury just sanctioned Funnull, calling it a major scam distributor.

https://home.treasury.gov/news/press-releases/sb0149

January's story was based on research by Silent Push, which found a large number of domains hosted via Funnull promoting gambling sites that bear the logo of the Suncity Group, a Chinese entity named in a 2024 UN report (PDF) for laundering millions of dollars for the North Korean Lazarus Group.

In 2023, Suncity's CEO was sentenced to 18 years in prison on charges of fraud, illegal gambling, and "triad offenses," i.e. working with Chinese transnational organized crime syndicates. Suncity is alleged to have built an underground banking system that laundered billions of dollars for criminals.

The rise of Agentic AI has opened new frontiers for adversaries looking to automate and scale social engineering attacks. We are entering a phase where Agentic AI systems will be able to act autonomously, make decisions, adapt based on feedback, and complete goal-oriented operations with minimal human intervention.

I wrote an article explaining what Agentic AI really is, and how it can shape the future of social engineering attacks. ⬇️

https://christina-lekati.medium.com/when-ai-goes-rogue-how-agentic-ai-will-reshape-social-engineering-attacks-b795838c1aaa

#AgenticAI #SocialEngineering #cybersecurity

When AI Goes Rogue: How Agentic AI Will Reshape Social Engineering Attacks

Cyber criminals are rarely late to the game when it comes to new technologies. In fact, they're often among the first ones to experiment with emerging technologies. They do not have the limitations…

Medium

Surprise! Really excited to announce that the next "Social Engineering & Open-source Intelligence for Security Teams" open class will be happening at x33fcon in Gdynia, Poland!!

This is an intensive, 2-day training. We will cover:

🔹 Timeless Social Engineering Attack Scenarios: The tricks that keep working (and why).

🔹 The Psychology behind social engineering (we will go well beyond influence tactics!!)

🔹 Hybrid & advanced attack techniques that combine multiple attack verticals.

🔹 The use of AI in all phases of the social engineering kill-chain.

🔹 OSINT: How to conduct reconnaissance on a target (business / person) and what to look for.

🔹 Highly practical open-source intelligence (OSINT) tools & techniques that facilitate attack scenarios.

🔹 Blue Team Countermeasures: How to disrupt social engineering attacks & create a defense strategy.

...but there will also be some surprises 🤫 ✨ ✨

If you're attending #x33fcon this year I look forward to seeing you there!

Class Details & Registration: https://www.x33fcon.com/?fbclid=IwAR2B-2KwiZ3dJeKl-#!t/SE_OSINT.md

#SocialEngineering #OSINT #x33fcon #RedTeam #BlueTeam

x33fcon

If you are using HUMINT techniques in your cyber threat intelligence process, this is a talk worth watching!
Eliska and Julien do a very good job in breaking down some important concepts including the risks, benefits and analytical aspects of using HUMINT tactics in a CTI workflow and provide some of their own experiences in an easy to understand way.

As a side note, HUMINT in CTI is not meant to replace the technical analysis, but to complement it. It is meant to fill in some gaps with intel that cannot be found through a technical analysis or other passive intelligence collection disciplines. That may include a threat actor's motives, future targets, skill/group developments, future plans, etc.

Happy watching!

https://youtu.be/o1TTO5d1DXQ?si=ScY3uyG63ixNl2Zs

It's so overt it's covert: leveraging classic HUMINT tactics in CTI investigations

YouTube
