Russian phishing campaign hits Ukraine with novel malware

Attacks delivering novel malicious payloads have been deployed by a Russian state-sponsored threat operation against Ukrainian entities as part of a new phishing campaign, reports The Record, a news site by cybersecurity firm Recorded Future.
Major phishing-as-a-service platform Tycoon 2FA has been disrupted following a Microsoft-led operation that involved Europol and half a dozen law enforcement authorities, as well as 11 security organizations, including Proofpoint, Intel 471, and Trend Micro, CyberScoop reports.
The attackers are using compromised Extended Validation (EV) certificates, specifically one issued to TrustConnect Software PTY LTD, to sign malicious executables.
The report highlights a shift towards stealth and efficiency, with threat actors prioritizing speed, automation, and return on effort over complex exploits.
Starkiller operates by launching a headless Chrome browser within a Docker container, acting as a reverse proxy between the target and the genuine website.