kali fencl

@NotTheLinux@infosec.exchange
103 Followers
114 Following
278 Posts
Senior Content Marketing Manager at DomainTools
Co-host of the Breaking Badness Podcast
Voted Most Likely To Subscribe To ZooBooks
Views are my own

If you’re in the northeast Ohio area, join women in cybersecurity for our 2nd annual hike!

Let us know if you're joining us - sign up here: https://mailchi.mp/929571e81a9f/julyhike

Where and When to Meet: 
🔹 Date: Sunday, July 13th 2025 (rain date: Saturday, July 26th, 2025)
🔹 Location: Brecksville Reservation
🔹 Meeting Spot: Chippewa Creek Gorge Scenic Overlook - 8263 Chippewa Rd, Brecksville, OH 44141. Park here and we'll start our hike from this spot
🔹 Cost of Hike: Free!

Bring water and comfy shoes!

Hike Details:
🔹 All participants will enjoy a trail suitable for all hiking levels (Wildflower Trail) and a break at the Harriet Keeler Picnic Area and Nature Center, offering water and restrooms.
🔹 If you’re a more advanced hiker, the Gorge Loop will be an optional, more challenging section of the hike that can be muddy and requires hiking shoes. Those who prefer to skip this can remain on the all-purpose trail.

Brunch After the Hike:
🔹 Join your fellow hikers for an optional brunch and additional networking at the Creekside Restaurant, which offers lovely views and delicious food. Brunch is at your own expense.

Cybercrime group FIN6 (aka Skeleton Spider) is leveraging trusted cloud services like AWS to deliver malware through fake job applications.

Our latest analysis breaks down:
🔹 How attackers use LinkedIn & Indeed to build trust
🔹 The use of resume-themed phishing lures
🔹 Cloud-hosted infrastructure that evades detection
🔹 The delivery of the More_eggs backdoor via .LNK files
🔹 Key defense strategies for recruiters and security teams

This campaign is a masterclass in low-complexity, high-evasion phishing.

📖 Read the full breakdown: https://dti.domaintools.com/skeleton-spider-trusted-cloud-malware-delivery/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Skeleton-Spider

#CyberSecurity #ThreatIntel #FIN6 #Phishing #CloudSecurity #MalwareAnalysis #InfoSec #SkeletonSpider

I had the opportunity to sit down with former DTer Joe Slowik at #RSAC to talk about suspicious domains.

Here are some of the key takeaways from our conversation:

🔹 Joe shared how attackers are playing the long game—like in the SolarWinds attack, where a fake AWS domain sat dormant for nearly a decade.
🔹 From aged domains to hijacked home routers, adversaries are evolving. And groups like Volt Typhoon are targeting U.S. critical infrastructure with chilling precision.
🔹 It’s time to rethink defense—beyond tools, toward resilient architecture and even manual fallbacks.

Listen to the podcast here: https://podcasts.apple.com/us/podcast/breaking-badness/id1456143419?i=1000711183082

In this week's episode of the Breaking Badness Cybersecurity Podcast we delve into the critical role of domains in modern cyber attacks. From sophisticated nation-state operations to AI-powered phishing kits and malicious browser extensions, domains are the foundational infrastructure for threat actors.

Host @NotTheLinux is joined by four leading cybersecurity experts, Joe Slowik, Robert Duncan, John Fokker and Vivek Ramachandran, to break down how domains are weaponized and what organizations can do to defend themselves on this ever-evolving frontline.

Listen wherever you get your podcasts:

Apple: https://podcasts.apple.com/us/podcast/beyond-the-perimeter-how-attackers-use-domains/id1456143419?i=1000711183082

Spotify: https://open.spotify.com/episode/0trcyZliGZuEj591IVnZCu

YouTube: https://www.youtube.com/watch?v=CpcJXpWwfQo

Web: https://www.domaintools.com/resources/podcasts/how-attackers-use-domains-phishing-ai-and-how-to-fight-back/?utm_source=Mastodon&utm_medium=Social&utm_campaign=RSAC-Domains

DomainTools is an Exhibiting Sponsor at SLEUTHCON!

Check out our booth later this week at the show. Come for the shirt, stay to learn how domain intelligence can prevent, mitigate, and investigate attacks.

See the full show schedule here: https://www.sleuthcon.com/2025agenda

In 2024, our team found that the web-based version of HeartSender was leaking a significant amount of sensitive data to anyone who accessed it; no login required.

This included customer login details and internal emails from HeartSender staff. Malware infections on the attackers’ own devices revealed extensive account data, along with insights into the group’s structure, operations, and role within the broader cybercrime ecosystem.

Yesterday, Brian Krebs reported that 21 individuals accused of operating HeartSender have been arrested in Pakistan. This milestone was the result of incredible teamwork across borders and organizations, and we're proud to have been part of that global effort.

When we come together, we can give bad actors more bad days.

Find our original analysis and update here: https://www.domaintools.com/resources/blog/the-resurgence-of-the-manipulaters-team-breaking-heartsenders/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Manipulaters

Breaking HeartSenders: The Return of “Manipulaters”

Previously thought to be defunct, the cybercrime group known as the Manipulaters are back to their old tricks (with some new ones too).


🔥 Hot off the presses!

DomainTools Investigations shares that a spoofed antivirus download page is delivering VenomRAT, StormKitty, and SilentTrinity—a powerful combo for credential theft, persistence, and long-term access.

🔎 We traced the infrastructure, payloads, and attacker tactics.

Full breakdown: https://dti.domaintools.com/venomrat/?utm_source=Mastodon&utm_medium=Social&utm_campaign=VenomRAT

#CyberSecurity #ThreatIntel #MalwareAnalysis #Infosec

In an effort to share not just what we’re observing on the net, but what we’re reading and listening to elsewhere, @neurovagrant compiles an abbreviated digest of media being passed around within our team as well as what we’re seeing in the security community at large.

This week we're enjoying works from:

🔸 Maltego's Human Element Podcast (hosted by Ben April)
🔸 Citizen Lab (Rebekah Brown, Marcus Michaelsen, Matt Brooks, and Siena Anstis)
🔸 NextGov (David DiMolfetta)
🔸 Proofpoint (Genina Po, Kyle Cucci, Selena Larson, and the Proofpoint Threat Research Team)

Find the full reading list here: https://dti.domaintools.com/cybersecurity-reading-list-week-of-2025-05-19/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Reading-List-May

Cybersecurity Reading List - Week of 2025-05-19 - DomainTools Investigations | DTI

Recommended cybersecurity podcasts, books, blog posts, reports, and essential tools from DomainTools Investigations


Did my usual thing where I collected articles, research, and resources that have caught our attention internally and lined them up for you in a nice neat cynical row.

https://dti.domaintools.com/cybersecurity-reading-list-week-of-2025-05-19/

#infosec #cybersecurity


"An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code.

While the browser add-ons appear to offer the advertised features, they also enable credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation."

Read more from Ravie Lakshmanan (The Hacker News) here: https://thehackernews.com/2025/05/100-fake-chrome-extensions-found.html

100+ Fake Chrome Extensions Found Hijacking Sessions, Stealing Credentials, Injecting Ads

Over 100 malicious Chrome extensions since Feb 2024 impersonated real tools to steal data and execute code.
