Threat Insight

Proofpoint's insights on targeted attacks & the security landscape.
Threat Insight Blogs: https://www.proofpoint.com/us/blog/threat-insight
Threat Insight on X: https://twitter.com/threatinsight

Proofpoint researchers identified a targeted campaign against operations personnel at energy firms linked to projects in Pakistan.

We track the activity as UNK_VaporVibes.

The messages were sent on 18 March 2026, and mimicked invitations to the upcoming Pakistan Energy Exhibition & Conference (PEEC).

The actor used compromised accounts from a Pakistani university and a government organization to deliver PDF attachments with a fake Adobe Reader prompt.

The notable part came after the click. The PDF link used the “microsoft-edge:” URI scheme before redirecting to a Cloudflare Workers hosted (*[.]adobe-org[.]workers[.]dev) ClickOnce application resource.

We assess that the Edge scheme handoff was likely intended to direct victims into the browser path that supports the next stage.

This is consistent with UNK_VaporVibes’ repeated use of ClickOnce-focused delivery.

The redirect chain was also wrapped in geofencing and browser fingerprinting, limiting access to intended targets. That likely reduced the exposure to automated analysis while keeping the delivery path tightly scoped.

The ClickOnce execution chain leads to the Havoc Demon C2 framework (https://github.com/HavocFramework/Havoc), an open-source post-exploitation tool.

The targeting, the PEEC-themed PDF lure, Edge redirection, and ClickOnce staging align with prior UNK_VaporVibes activity and show overlaps with activity publicly associated with SloppyLemming (https://arcticwolf.com/resources/blog/sloppylemming-deploys-burrowshell-and-rust-based-rat-to-target-pakistan-and-bangladesh/).

Indicators of compromise:

7487abe753e73070612c6e8573af9d58791389813a5b54ddcf740f1391e2cd20 (Adobe.application)
Demon C2 host: soc[.]pkcrt-0ea[.]workers[.]dev

Suricata rule to detect the Microsoft Edge redirect:
2068325 - ET HUNTING 302 Redirect to Microsoft Edge Browser

The cloud threat research team at Proofpoint has discovered an account takeover campaign targeting around 40,000 users. Malicious activity has been recorded as early as Feb. 2nd, with a surge on Feb. 10th and a peak on Feb. 12th.

For a large number of users, the attacker initially attempted to log in with the correct credentials, although in most cases conditional access policies and MFA denied access. This suggests the attacker relied, at least in part, on stolen or leaked credentials.

Malicious login attempts correlated to this campaign seem to originate from an outdated Google Chrome browser, namely version 72, initially released in January 2019. Nowadays, this specific user agent is rarely observed in legitimate activity.

Login attempts correlated to this campaign originated from more than 200 distinct domains, most of which are commercial VPN providers and Tor exit nodes.

Moreover, this campaign solely targets the Microsoft Office 365 Portal.

IoCs:

User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36

Application ID: 00000006-0000-0ff1-ce00-000000000000 (Microsoft Office 365 Portal)

Since the start of Operation Epic Fury on February 28, 2026, Proofpoint researchers have observed heightened cyber activity against Middle East targets tied to the war. Our new blog shares examples of how the conflict in Iran is accelerating cyber espionage across the Middle East.

🔗: https://brnw.ch/21x0EJ8

Iran-aligned #TA453 ( #CharmingKitten #APT42 ) recently attempted credential phishing against a U.S. think tank, continuing its longstanding intelligence collection efforts. At the same time, multiple state-sponsored actors, including groups suspected to be linked to China, Belarus, Pakistan, and Hamas, are targeting Middle Eastern government entities using conflict-themed lures, often sent from compromised government or diplomatic accounts.

This reflects both opportunistic social engineering and a broader shift in intelligence collection priorities driven by the conflict.

View the full blog to see campaign examples observed by our researchers. We will continue monitoring the landscape and keep our customers and community informed as the situation evolves.

Be sure to catch Daniel's presentation, "Welcome to the Endgame," alongside co-presenter Europol during #RSAC 2026.

🗓️ Wednesday, March 25
🕣 8:30 a.m. - 9:20 a.m.
⭐️ Session code FRP-W01

🚨 A major cybercriminal player, Tycoon 2FA, has been disrupted by law enforcement and private sector partners, including Microsoft, Europol, Proofpoint, Cloudflare, and TrendAI.

See our blog for details on the takedown of the popular phishing-as-a-service (PhaaS) platform announced today. https://brnw.ch/21x0s5G

⚠️ #Tycoon2FA is the highest volume adversary-in-the-middle (AiTM) phishing threat observed in our email data. Its disruption and the associated lawsuit filed by Microsoft and Health-ISAC will have a significant impact on the threat landscape.

We were proud to extend our human- and agent-centric security mission to assist in this investigation. Our vast threat telemetry enabled us to share unique insight into Tycoon 2FA activity and campaign data.

🚨 Proofpoint threat researchers have observed a notable evolution in how attackers weaponize trust around enterprise tooling.

In a new blog, our team shares its findings and role in disrupting TrustConnect, a malware-as-a-service platform posing as a legitimate remote monitoring tool.

Details: https://brnw.ch/21x05Vh

This Valentine’s Day invite came with a payload no one asked for. 💔 As February 14th nears, Proofpoint researchers warn of malicious Valentine’s Day-themed lures and threats.

⚠️ The screenshot below is of an actual lure recently sent from a compromised account.

This example, which was observed and blocked by our team, leveraged legitimate remote monitoring and management (RMM) as a first-stage payload. RMM attacks can result in data collection, financial theft, lateral movement, and the installation of follow-on malware, including ransomware.

Cybercriminals will always attempt to capitalize on current events, and Valentine’s Day is no exception. Such lures are designed to appear as legitimate emails from trusted sources, increasing the likelihood that a target clicks or engages. 💌

Proofpoint recommends that organizations:

• Train users to identify and report suspicious activity

• Restrict the download/installation of any unapproved RMM tooling

• Ensure network detections alert on any activity to RMM servers

TA584 is one of the most prominent #cybercriminal threat actors tracked by Proofpoint threat researchers. In a new blog, the team shared a detailed analysis of the threat actor, its campaigns, attack chains, targeting, and payloads, along with defensive recommendations.

Blog: https://www.proofpoint.com/us/blog/threat-insight/cant-stop-wont-stop-ta584-innovates-initial-access

Our researchers have tracked #TA584 since 2020. In 2025, they observed shifts to TA584’s tactics, techniques and procedures (TTPs). Notably, it expanded global targeting; adopted ClickFix social engineering; and delivered new malware, Tsundere Bot.

⚠️ Such activity shows that static detections alone are not reliable against constantly evolving threat actors.

Explore the blog for more details along with protection tips, Emerging Threats Rules and IOCs.


Cloud threat researchers at Proofpoint have identified a peak in an ongoing brute force campaign targeting ‘Azure Active Directory PowerShell.’

Behind the campaign—which has impacted over 100,000 users in over 3,000 tenants—is a cluster tracked as #UNK_BareZilla.

The campaign is signatured by the user agent ‘Mozilla/5.0’. As a standalone user agent, this string is uncommon and likely an attempt to blend in as generic activity.

Brute forcing attempts were primarily seen against ‘Azure Active Directory PowerShell’ (1b730954-1685-4b74-9bfd-dac224a7b894).

CLI applications can be an attractive target for brute force attacks, as access is more likely to be protected by single-factor authentication only.

The education sector has emerged as a primary victim of this campaign, with instances of post-access activity including spam sending and malicious mailbox rules for user accounts that were not protected by MFA.

In one instance of compromise, the actor used ‘One Outlook Web’ to create an inbox rule named “x” that deleted all incoming emails.

We continue to track this activity and will share any notable updates.
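As an added defender's example (not code from these posts or from Proofpoint), the following Python hunt applies the sign-in indicators from this post and from the Office 365 account-takeover post above to a stream of sign-in records, and adds a check for the kind of catch-all delete rule described here. The user-agent strings and application IDs are those quoted in the posts; the JSON record layout, the field names and the sample records are constructed assumptions for illustration, not a real log schema.

```python
import json
from collections import Counter, defaultdict

# Indicators quoted in the posts (the record layout used below is a constructed, simplified one)
CHROME72_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36")
O365_PORTAL_APP = "00000006-0000-0ff1-ce00-000000000000"   # Microsoft Office 365 Portal
BARE_UA = "Mozilla/5.0"                                     # standalone, no product tokens
AAD_PS_APP = "1b730954-1685-4b74-9bfd-dac224a7b894"         # Azure Active Directory PowerShell

def classify(rec):
    """Return the campaign label a sign-in record matches, else None.
    Both checks are exact compares: a substring test for 'Mozilla/5.0'
    would match almost every browser user agent and drown the signal."""
    ua, app = rec.get("userAgent", ""), rec.get("appId", "")
    if ua == CHROME72_UA and app == O365_PORTAL_APP:
        return "o365-ato-chrome72"
    if ua == BARE_UA and app == AAD_PS_APP:
        return "unk_barezilla-bruteforce"
    return None

def hunt(lines):
    """Scan JSON-lines sign-in records; return {label: {user: attempt count}}."""
    hits = defaultdict(Counter)
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                      # skip malformed lines, keep going
        label = classify(rec)
        if label:
            hits[label][rec.get("user", "?")] += 1
    return {label: dict(users) for label, users in hits.items()}

def suspicious_inbox_rule(rule):
    """Flag a rule that deletes mail and has no conditions, i.e. every
    incoming message is deleted, like the rule named "x" in the post."""
    return bool(rule.get("actions", {}).get("delete")) and not rule.get("conditions")

def _rec(user, app, ua, status):          # constructed sample record (one JSON line)
    return json.dumps({"user": user, "appId": app, "userAgent": ua, "status": status})

MODERN_UA = CHROME72_UA.replace("72.0.3626.109", "120.0.0.0")   # a current browser
SAMPLE_SIGNINS = [                        # constructed, not real telemetry
    _rec("alice@example.edu", AAD_PS_APP, BARE_UA, "failure"),
    _rec("alice@example.edu", AAD_PS_APP, BARE_UA, "failure"),
    _rec("bob@example.com", O365_PORTAL_APP, CHROME72_UA, "failure"),
    _rec("carol@example.com", O365_PORTAL_APP, MODERN_UA, "success"),
    _rec("dave@example.com", AAD_PS_APP, MODERN_UA, "success"),  # legitimate PowerShell use
    "not json at all",
]
```

Running `hunt(SAMPLE_SIGNINS)` flags only alice (bare UA against the PowerShell app) and bob (Chrome 72 against the portal), while the legitimate PowerShell session and the malformed line are ignored.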

Did you catch the latest livestream of Intercepted, the new #webinar series hosted by our threat research team? 👀 If you missed it, view the on-demand recording here: https://www.proofpoint.com/uk/resources/webinars/intercepted-january-2026

This session covered a lot, including how threat actors are using #AI and how #cybercriminals are abusing legitimate services and techniques, such as device code phishing.

Mark your calendars and plan to join Selena and Sarah for the next livestream on February 25. https://www.proofpoint.com/us/resources/webinars/intercepted

🔍 Until then, explore the campaign below, which used the same sender and similar lure copy as seen in a large wave of emails that delivered LockBit Black in April 2024 (https://www.proofpoint.com/us/blog/threat-insight/security-brief-millions-messages-distribute-lockbit-black-ransomware).

• This campaign was observed in early January 2026.

• Messages contained compressed LNK files, which, if executed, will download and run what is expected to be Mamona Ransomware associated with GLOBAL GROUP.

• Observed samples encrypted files, renaming the encrypted files with one of two appended extensions: .Reco or .gzeqi.

• The attached screenshots show the email lure and ransom note.

It’s unusual to see #ransomware delivered as a first-stage payload in emails these days, so the campaign was notable.

Hear more about recent campaigns like this, TTPs, and what’s top of mind for our researchers live on February 25.