SecuritySnacks

Proactive defense starts with bite-sized #threatintel from the @DomainTools Security Research team. #SnackThePlanet #infosec
Website: https://dti.domaintools.com/

ICYMI: DomainTools Investigations released new research this week!

Skeleton Spider (aka FIN6) is leveraging trusted cloud services like AWS to deliver malware through fake job applications and resume-themed phishing campaigns.

🔍 Learn how this financially motivated group is:

🔹 Exploiting cloud infrastructure to evade detection
🔹 Using social engineering to lure victims
🔹 Building resilient, scalable malware delivery systems

Read the full analysis here: https://dti.domaintools.com/skeleton-spider-trusted-cloud-malware-delivery/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Skeleton-Spider

#CyberSecurity #ThreatIntelligence #Malware #CloudSecurity #Phishing #FIN6 #SkeletonSpider #InfoSec

Eggs in a Cloudy Basket: Skeleton Spider’s Trusted Cloud Malware Delivery - DomainTools Investigations | DTI

Discover how the FIN6 cybercrime group, also known as Skeleton Spider, leverages trusted cloud services like AWS to deliver stealthy malware through fake job applications and resume-themed phishing campaigns. Learn about their tactics, infrastructure, and how to defend against these evolving threats.

DomainTools Investigations | DTI

Cybercrime group FIN6 (aka Skeleton Spider) is leveraging trusted cloud services like AWS to deliver malware through fake job applications.

Our latest analysis breaks down:
🔹 How attackers use LinkedIn & Indeed to build trust
🔹 The use of resume-themed phishing lures
🔹 Cloud-hosted infrastructure that evades detection
🔹 The delivery of the More_eggs backdoor via .LNK files
🔹 Key defense strategies for recruiters and security teams

This campaign is a masterclass in low-complexity, high-evasion phishing.

📖 Read the full breakdown: https://dti.domaintools.com/skeleton-spider-trusted-cloud-malware-delivery/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Skeleton-Spider

#CyberSecurity #ThreatIntel #FIN6 #Phishing #CloudSecurity #MalwareAnalysis #InfoSec #SkeletonSpider

We hope you enjoyed @danonsecurity and Jon DiMaggio’s presentation on Mapping Hidden Alliances in Russian-Affiliated Ransomware at #SleuthCon. Key takeaways from the mapping include:

🔹 Reuse does not equal identity. Different groups may share code or have human overlap but are not the same entity.
🔹 Group labeling is increasingly obsolete.
🔹 The modern threat landscape is best understood by tracking clusters of activity, not just named groups, and focusing on similar activity rather than specific names.

Find the writeup and infographic here: https://dti.domaintools.com/mapping-hidden-alliances-russian-affiliated-ransomware/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Russian-Ransomware

DomainTools Investigations’ (DTI) latest analysis uncovers a technically sophisticated malware campaign that uses fake CAPTCHAs and spoofed document verification pages (like Docusign) to trick users into self-infecting their machines with the NetSupport RAT.

Key tactics include:

🔹 Clipboard poisoning via fake CAPTCHA pages
🔹 Multi-stage PowerShell downloaders
🔹 Spoofed Gitcodes and Docusign domains
🔹 Infrastructure overlap with known threat groups like SocGholish, FIN7 and STORM-0408

Read the full breakdown including security recommendations here: https://dti.domaintools.com/how-threat-actors-exploit-human-trust/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Prove-You-Are-Human

#ThreatIntelligence #CyberSecurity #SocGholish #Malware

🎵 Ladies and gentlemen, this is Newsletter No. 5

Daniel Schwalbe, CISO and Head of Investigations, shares the 5th iteration of his newsletter this week. It highlights research published by the DomainTools Investigations team including:

🔹 An analysis on a malicious campaign using a fake website to spread VenomRAT
🔹 An unknown actor continuously creating malicious Chrome Browser extensions
🔹 How bad actors take advantage of viral media events

Find it here: https://www.domaintools.com/resources/blog/domaintools-investigations-may-2025-newsletter/?utm_source=Mastodon&utm_medium=Social&utm_campaign=DTI-Newsletter-May

"A new warning has issued for Microsoft users, after a raft of websites were caught installing dangerous apps onto Windows PCs. The attackers used websites that mimicked popular brands to trick users into installing the apps that had been laced with malware designed to steal passwords and digital wallets.

The warning comes courtesy of the security researchers at DomainTools, and there’s a nasty sting in the tail with this one. Not only do victims put their passwords and wallets at risk, but the attackers have also been 'potentially selling access to their systems.' It all starts with a 'Download for Windows' button on a fake website."

Read more from Zak Doffman (Forbes) here: https://www.forbes.com/sites/zakdoffman/2025/05/27/microsoft-windows-warning-do-not-install-these-apps-on-your-pc/

Microsoft Windows Warning—Do Not Install These Apps On Your PC

These apps are dangerous — what to know.

Forbes

🔥 Hot off the presses!

DomainTools Investigations shares that a spoofed antivirus download page is delivering VenomRAT, StormKitty, and SilentTrinity—a powerful combo for credential theft, persistence, and long-term access.

🔎 We traced the infrastructure, payloads, and attacker tactics.

Full breakdown: https://dti.domaintools.com/venomrat/?utm_source=Mastodon&utm_medium=Social&utm_campaign=VenomRAT

#CyberSecurity #ThreatIntel #MalwareAnalysis #Infosec

In an effort to share not just what we’re observing on the net, but what we’re reading and listening to elsewhere, @neurovagrant compiles an abbreviated digest of media being passed around within our team as well as what we’re seeing in the security community at large.

This week we're enjoying works from:

🔸 Maltego's Human Element Podcast (hosted by Ben April)
🔸 Citizen Lab (Rebekah Brown, Marcus Michaelsen, Matt Brooks, and Siena Anstis)
🔸 NextGov (David DiMolfetta)
🔸 Proofpoint (Genina Po, Kyle Cucci, Selena Larson, and the Proofpoint Threat Research Team)

Find the full reading list here: https://dti.domaintools.com/cybersecurity-reading-list-week-of-2025-05-19/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Reading-List-May

Cybersecurity Reading List - Week of 2025-05-19 - DomainTools Investigations | DTI

Recommended cybersecurity podcasts, books, blog posts, reports, and essential tools from DomainTools Investigations

DomainTools Investigations | DTI

"A Google Chrome Web Store campaign uses over 100 malicious browser extensions that mimic legitimate tools, such as VPNs, AI assistants, and crypto utilities, to steal browser cookies and execute remote scripts secretly.

The extensions offer some of the promised functionality, but also connect to the threat actor's infrastructure to steal user information or receive commands to execute. Additionally, the malicious Chrome extensions can modify network traffic to deliver ads, perform redirections, or proxying."

Read more from Bill Toulas (Bleeping Computer) here: https://www.bleepingcomputer.com/news/security/data-stealing-chrome-extensions-impersonate-fortinet-youtube-vpns/

Data-stealing Chrome extensions impersonate Fortinet, YouTube, VPNs

BleepingComputer

"An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code.

While the browser add-ons appear to offer the advertised features, they also enable credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation."

Read more from Ravie Lakshmanan (The Hacker News) here: https://thehackernews.com/2025/05/100-fake-chrome-extensions-found.html

100+ Fake Chrome Extensions Found Hijacking Sessions, Stealing Credentials, Injecting Ads

Over 100 malicious Chrome extensions since Feb 2024 impersonated real tools to steal data and execute code.

The Hacker News