Threat Insight

Proofpoint's insights on targeted attacks & the security landscape.
Threat Insight Blogs: https://www.proofpoint.com/us/blog/threat-insight
Threat Insight on X: https://twitter.com/threatinsight

Proofpoint is proud to announce its acceptance into Europol EC3's Advisory Group on Internet Security (AGIS).

This milestone builds on years of collaboration between Proofpoint and Europol, including recent efforts supporting the disruption of the Tycoon 2FA phishing-as-a-service platform and Operation Endgame.

Cybercrime is a global challenge that no organization can tackle alone.

Through trusted public-private partnerships, intelligence sharing, and coordinated action, we can continue identifying, investigating, and disrupting the criminal infrastructure that threatens organizations across Europe and beyond.

We look forward to working even more closely with Europol and fellow AGIS members to strengthen the security and resilience of Europe's digital ecosystem.

🔗 https://www.proofpoint.com/us/blog/corporate-news/proofpoint-joins-europol-ec3-agis?utm_source=twitter&utm_medium=social_organic

#Europol #partnership #EC3 #cybercrime #OperationEndgame

SpaceX is preparing for a record initial public offering, and cybercriminals are taking note. 👀

Our researchers have observed TA2730 using #SpaceX’s upcoming IPO in fraudulent emails to lure targets into handing over their credentials to investment platforms.

The campaigns impersonated two financial firms, CommSec and FSM One, to target people in #Australia and #Singapore. The messages purported to invite people to apply for eligibility to purchase SpaceX stock.

Emails contained a URL that led to counterfeit authentication pages designed to harvest user credentials.

🚨 About TA2730: This threat actor is opportunistic and financially motivated, focused on obtaining credentials from the financial sector. It targets organizations globally and usually uses lures related to the "W-8BEN" form, a U.S. tax form for non-U.S. taxpayers.

The SpaceX lure is a departure from TA2730’s typical #socialengineering. But given the attention and hype around the upcoming market debut, this could be an alluring lure, especially to those already customers of the impersonated trading platforms. 

⚠️ Beware of cybercriminals exploiting high-profile stock market debuts and other anticipated technology-sector listings, which may serve as effective social engineering lures.

#stock #stockmarket #emailfraud #TA2730 #cybersecurity

---

TA2730 Phishing Domains:

467jtzbkqcfl22t9hxh[.]live
ddgaoylh4h420fvm7o5[.]live
u7aq3ocwrexd70ulpdj[.]live
zavpejjyz432d577l2e[.]live
8fv4dxp7lx035f8ylk7[.]live
cd7yt860whhm7g7ylj8[.]live
g8iqelymkc4eya9zs49[.]live
hy0zu0fuf7rc2ou5aje[.]live
k1rg2oz4zpzw91pdx90[.]live
ogqw9cpz7t7et3j1rur[.]live
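The domains above are published defanged (`[.]` in place of `.`) so they cannot be clicked by accident. The following is an added example, not Proofpoint code, showing how a defender might refang such a list and sweep mail or proxy logs for URLs whose host is one of the listed domains (or a subdomain of one). The log lines are constructed for the example; only the domain list comes from the post.

```python
import re
from urllib.parse import urlparse

# Defanged indicators exactly as published in the post above.
TA2730_DOMAINS_DEFANGED = [
    "467jtzbkqcfl22t9hxh[.]live",
    "ddgaoylh4h420fvm7o5[.]live",
    "u7aq3ocwrexd70ulpdj[.]live",
    "zavpejjyz432d577l2e[.]live",
    "8fv4dxp7lx035f8ylk7[.]live",
    "cd7yt860whhm7g7ylj8[.]live",
    "g8iqelymkc4eya9zs49[.]live",
    "hy0zu0fuf7rc2ou5aje[.]live",
    "k1rg2oz4zpzw91pdx90[.]live",
    "ogqw9cpz7t7et3j1rur[.]live",
]

# Constructed sample log lines (NOT real traffic): one hit on a listed
# domain, one hit on a subdomain of a listed domain, two benign lines.
SAMPLE_LOG_LINES = [
    "2026-05-02T08:01:12Z user=alice url=https://www.commsec.com.au/login",
    "2026-05-02T08:03:45Z user=bob url=https://467jtzbkqcfl22t9hxh.live/auth/commsec",
    "2026-05-02T08:04:02Z user=bob url=https://secure.k1rg2oz4zpzw91pdx90.live/fsmone",
    "2026-05-02T08:09:30Z user=carol url=https://www.proofpoint.com/us/blog",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a real domain for matching."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower()


def host_matches(host: str, domains: set) -> bool:
    """Exact match or subdomain match against the refanged domain set."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_ioc_hits(log_lines, defanged_domains=TA2730_DOMAINS_DEFANGED):
    """Return (line, matched_url) pairs whose URL host is a listed domain."""
    domains = {refang(d) for d in defanged_domains}
    hits = []
    for line in log_lines:
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname
            if host and host_matches(host, domains):
                hits.append((line, url))
    return hits


if __name__ == "__main__":
    for line, url in find_ioc_hits(SAMPLE_LOG_LINES):
        print("IOC hit:", url, "<-", line)
```

The subdomain check matters because phishing hosts are often served from a subdomain of the registered domain rather than the apex; matching only on exact equality would miss the second constructed hit.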

🚨 New threat research: A likely North Korea-aligned threat cluster, UNK_DeadDrop, is targeting software developers through trusted development platforms and workflows.

🔗 https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal?utm_source=twitter&utm_medium=social_organic

Over a six-week period, we observed the actor targeting organizations across the technology, cryptocurrency, finance, and education sectors.

Targets were lured through fake recruiter outreach, code review requests, and developer collaboration opportunities designed to deliver #malware and steal credentials and #cryptocurrency assets.

Some key findings:

🔑 Targeting of software developers worldwide, with a particular focus on cryptocurrency and blockchain organizations

🔑 In the observed campaigns, the group sent over 250 emails to individuals in almost 100 organizations, which gave us extensive visibility into the infection chain and evolving TTPs

🔑 Malicious #GitHub repositories and coding projects used to distribute malware

🔑 Abuse of trusted developer tools, including Visual Studio Code, Cursor, and VSIX extensions

🔑 Theft of browser credentials, cryptocurrency wallet data, and other valuable developer assets

This activity shows how North Korean threat actors are evolving beyond traditional fake #jobinterview campaigns and increasingly leveraging trusted developer ecosystems to gain access to cryptocurrency and sensitive credentials.

Our new threat research report is a comprehensive overview of TA4922, a newly designated Chinese-speaking, financially motivated threat actor.

We consider it one of the most unique actors we track. 👀

Why? Because it currently conducts more unique campaigns than any other cybercriminal in our telemetry, using a wide variety of lure themes, targeting, and objectives. You’ll see examples in our blog.

Read it now: https://www.proofpoint.com/us/blog/threat-insight/ta4922-suspected-chinese-crime-group-going-global?utm_source=twitter&utm_medium=social_organic

Campaigns mostly target organizations in Japan, but it’s been expanding globally. 🗺️

This actor blends malicious activity with legitimate tools, trusted software, and cloud hosting services—making its campaigns challenging to detect and defend against.

See our blog for all the details on TA4922, the new payloads it distributes, our defense recommendations, IOCs, and more.

Sarah Sabotka, staff threat researcher at Proofpoint, is speaking at #Layer8Conference — the only event dedicated to #OSINT and #socialengineering threats facing businesses today.

If you're a security leader, you won't want to miss it!

June 5–6 | Boston, MA
Event info: layer8conference.com

Device code phishing is exploding across the threat landscape, with new device code phishing tools emerging every week.

Research blog: https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover?utm_source=twitter&utm_medium=social_organic

The technique abuses legitimate enterprise resources for account takeovers. It involves social engineering to trick a target into authorizing a malicious app on their enterprise email accounts.

It was first observed around 2020 but has grown in popularity over recent years due to the publication of criminal device code phishing tools and on-demand code generation.

Successful attacks can lead to:

• Full account takeover
• Theft of sensitive information
• Fraud and business email compromise
• Lateral movement within a compromised environment
• Ransomware

Our new research blog explores why adoption of this technique has surged over the past year, shows real campaign examples, and offers defense recommendations.

#socialengineering #accounttakeover #BEC #fraud

Device code phishing is exploding, and AiTM actors are getting in on it.

We found ODx phishing-as-a-service providing device code capabilities in addition to their AiTM offerings. ODx is one of the most popular AiTM kits currently. It's also tracked as Storm-1167 and FlowerStorm.

In the observed campaign, the actor used compromised senders to deliver URLs leading to the ODx device code phishing landing page.

The landing pages included multiple different themes, including impersonating SharePoint, Adobe, and DocuSign.

The campaign leveraged ATO jumping, a technique where an attacker compromises an initial email account and then uses it to send phishing links to a wide set of contacts.

ODx’s device code capabilities use Kali365, a device code PhaaS. Kali365 is just one of many such kits available for purchase. It’s unclear whether ODx stole or purchased Kali365, or partnered with them to integrate directly into their service.

🚨 Device code phishing is insidious. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 or other enterprise user accounts by approving access for actor-controlled applications.

⚠️ Organizations are advised to block device code authentication where possible; require compliant or joined devices via conditional access policies; and train users to recognize device code phishing attacks.

Read more about device code phishing: https://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover?utm_source=twitter&utm_medium=social_organic
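The two device code phishing posts above describe the risk (abuse of the OAuth 2.0 device authorization grant to approve an actor-controlled app) and the mitigations (block device code authentication, require compliant or joined devices). As an added example, not Proofpoint code, the script below does two defender-side checks: it flags device code sign-ins in sign-in log records, scoring successful sign-ins from non-compliant, non-joined devices highest, and it tests whether a Conditional Access policy set actually blocks the device code flow. The record layout is modelled on the Microsoft Entra ID sign-in log (`authenticationProtocol`, `deviceDetail`) and the Graph Conditional Access policy shape (`conditions.authenticationFlows.transferMethods`); treat those field names as assumptions and check them against your own export. All log lines and policies here are constructed.

```python
import json

# Constructed sign-in records (JSON lines), modelled on the Entra ID
# sign-in log schema. Field names are an assumption, values are made up.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2026-05-01T09:12:03Z","userPrincipalName":"alice@example.test","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.7","deviceDetail":{"isCompliant":false,"trustType":""},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-01T09:15:41Z","userPrincipalName":"bob@example.test","appDisplayName":"Outlook","authenticationProtocol":"authorizationCodeFlow","ipAddress":"198.51.100.20","deviceDetail":{"isCompliant":true,"trustType":"Azure AD joined"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-01T09:20:10Z","userPrincipalName":"carol@example.test","appDisplayName":"Microsoft Teams","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.21","deviceDetail":{"isCompliant":true,"trustType":"Azure AD joined"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-01T09:22:55Z","userPrincipalName":"dave@example.test","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.9","deviceDetail":{"isCompliant":false,"trustType":""},"status":{"errorCode":50126}}
"""

# Constructed policies in a Graph-like shape (assumption). The first is the
# weak setting: the right conditions, but only report-only. The second is
# the corrected setting: enabled and blocking the device code flow for all users.
WEAK_POLICY = {
    "displayName": "Block device code flow",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
    "grantControls": {"builtInControls": ["block"]},
}
CORRECTED_POLICY = {
    "displayName": "Block device code flow",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
    "grantControls": {"builtInControls": ["block"]},
}


def parse_signins(text):
    """Parse JSON-lines sign-in export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_device_code_signins(records):
    """Return one finding per device-code sign-in with a severity.

    high   : succeeded from a device that is neither compliant nor joined
             (the case the Conditional Access recommendation would stop)
    medium : succeeded from a compliant or joined device (still worth review)
    low    : failed attempt (possible phishing that did not complete)
    """
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        dev = r.get("deviceDetail") or {}
        trusted = bool(dev.get("isCompliant")) or bool(dev.get("trustType"))
        succeeded = (r.get("status") or {}).get("errorCode", 0) == 0
        if succeeded and not trusted:
            severity = "high"
        elif succeeded:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "time": r.get("createdDateTime"),
            "user": r.get("userPrincipalName"),
            "app": r.get("appDisplayName"),
            "ip": r.get("ipAddress"),
            "severity": severity,
        })
    return findings


def device_code_flow_blocked(policies):
    """True if an enabled policy blocks the device code flow for all users."""
    for p in policies:
        if p.get("state") != "enabled":
            continue
        cond = p.get("conditions") or {}
        methods = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
        methods = {m.strip() for m in methods.split(",")}
        if "deviceCodeFlow" not in methods:
            continue
        all_users = "All" in (cond.get("users") or {}).get("includeUsers", [])
        blocks = "block" in (p.get("grantControls") or {}).get("builtInControls", [])
        if all_users and blocks:
            return True
    return False


if __name__ == "__main__":
    for f in flag_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(f"{f['severity']:6} {f['time']} {f['user']} {f['app']} from {f['ip']}")
    print("device code flow blocked:", device_code_flow_blocked([WEAK_POLICY]))
    print("device code flow blocked:", device_code_flow_blocked([CORRECTED_POLICY]))
```

A report-only policy is the trap to watch for: it looks configured in the portal but stops nothing, which is why the check insists on `state == "enabled"` and an actual `block` control rather than just the presence of the device code condition.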

In a public service announcement, the FBI warned the transportation and logistics industry about a sharp rise in cyber-enabled cargo theft, an attack vector our researchers have been closely tracking since last year.

The scheme is a collaborative effort between cybercriminals and organized crime gangs, who use hacking and impersonation tactics to hijack high-value freight.

Estimated losses in the United States and Canada reached nearly $725 million in 2025.

Read the full PSA here: https://www.ic3.gov/PSA/2026/PSA260430

See here for our recent research on how these attacks are executed: https://www.proofpoint.com/us/blog/threat-insight/beyond-breach-inside-cargo-theft-actors-post-compromise-playbook?utm_source=twitter&utm_medium=social_organic

Internet Crime Complaint Center (IC3) | Cyber-Enabled Strategic Cargo Theft Surging

Our award-winning threat research podcast series, Discarded, is celebrating 100 episodes this week! 🎉

Stream now for a trip down memory lane, a few laughs, and a look ahead to what's next in cybersecurity.

Cheers to 100 episodes! 🍾 https://www.proofpoint.com/us/podcasts/discarded#146302?utm_source=twitter&utm_medium=social_organic

A cargo threat actor’s playbook: revealed. 📖 Proofpoint researchers baited a logistics/transportation industry threat actor into performing its malicious activities in a decoy environment operated by Deception.Pro for over 30 days. 🚚

In a new blog, our team of experts shared their observations, complete with rare, extended visibility into post‑compromise operations, tooling, and decision‑making.

Activities the threat actor performed:

• Delivered malicious payloads via email
• Established persistence with multiple RMM tools
• Used a previously unknown malware signing‑as‑a‑service capability
• Hands-on-keyboard interaction to access PayPal
• Executed 13 PowerShell scripts to understand targets' financial value

Cargo theft leads to $34 billion in losses annually. These findings offer never-before-seen insight into how financially motivated threat actors operate well beyond initial access.

Read the full blog here: https://www.proofpoint.com/us/blog/threat-insight/beyond-breach-inside-cargo-theft-actors-post-compromise-playbook?utm_source=twitter&utm_medium=social_organic