Shehroze Farooqi (@shehrozefarooqi)'s Twitter Profile
Shehroze Farooqi

@shehrozefarooqi

Security Researcher @PaloAltoNtwks | Ph.D. from @uiowa | Interested in cyber security, online social networks, and measurements | Opinions are my own

ID: 578416103

Link: https://sites.google.com/site/shehrozefarooqi/
Joined: 12-05-2012 21:40:40

182 Tweets

263 Followers

221 Following

Unit 42 (@unit42_intel):

2024-11-19 (Tuesday) We've discovered new infrastructure and domains for the #ApateWeb campaign that includes 2.4k new domains and 5 new IP addresses that lead to sites for potentially unwanted applications (#PUP) and #scam pages. More info at bit.ly/4fXarik

Unit 42 (@unit42_intel):

We discovered 1,000+ Christmas-themed #scam sites offering fake internet data giveaways. These pages bait victims into sharing with WhatsApp friends and lead to fake surveys, shopping sites or app store pages for potentially unwanted programs. More info at bit.ly/3OKJhQh

Unit 42 (@unit42_intel):

Study of malicious URL infrastructures through graph neural networks led us to a pattern of reusable and shared components among cyber threat actors. One of our case studies from this research details an international postal services phishing campaign. bit.ly/3PyJ6b6

Oleksii Starov 🇺🇦 (@o_starov):

Graph AI is a powerful tool for proactively discovering malicious URL infrastructure. Explore our case studies on various threat actors and campaigns in the latest Unit42 blog #FIN7 #16shop #ProlificPuma #TA569 #TridentUrsa #USPSphishing #webskimmers #phishing

Unit 42 (@unit42_intel):

Ongoing "wp3[.]xyz" campaign loads JavaScript to install a malicious WordPress plugin, active since Oct 2024 and has compromised 10K+ websites. Attackers distributed several polymorphic versions of a script that may have helped avoid detection. More info at: bit.ly/3Ecpbwg

Unit 42 (@unit42_intel):

Open-source phishing kits include features to utilize popular tunneling platforms. This simplifies the process for attackers to exploit popular tunneling services as we continue to discover phishing pages hosted on them. More details at bit.ly/3Xiffbb

Unit 42 (@unit42_intel):

Domain fronting, matching design elements and Telegram channels with thousands of users: our research on a scam crypto platform campaign describes a multi-level affiliate program designed to lure victims with impossible ROIs for their crypto investments: bit.ly/4iqRZ37

Unit 42 (@unit42_intel):

We uncovered a campaign distributing Chinese-language #trojanized installers for Chinese-marketed Windows programs by DeepSeek, i4 and Youdao. Hidden #malware appears to be #GhostRAT. 2K+ domains in this #campaign with new ones registered daily. Details at bit.ly/4iIdRqA

Unit 42 (@unit42_intel):

A web campaign uses the #pastejacking/#ClipboardHijacking method to lure viewers into installing an MSI for #LegionLoader #malware. This campaign uses cloaking strategies like turnstile/CAPTCHA pages and disguising download domains as blog sites. More info: bit.ly/4hWXwNM

Unit 42 (@unit42_intel):

Since last year's IC3 report (bit.ly/4lKWW93), we've found and blocked 91.5k+ #smishing domains. This activity gained momentum in March 2025 with a peak in registration of 26k domains. We've noted four general domain naming patterns. More info at bit.ly/441p6pX

Unit 42 (@unit42_intel):

We've observed a growing volume of domains used for deceptive search pages. This type of activity is typically associated with #BrowserHijacking. These pages more closely mimic Chrome's "New Tab" page than we've seen from prior activity. Details at bit.ly/3YYVIx5

Unit 42 (@unit42_intel):

#AI-powered summary-related Chrome extensions are on the rise, posing serious #DataSecurity risks. We found multiple #BrowserExtensions sending sensitive user data (e.g., email, chat logs) to low-reputation domains. Examples at bit.ly/4maWFvN

Unit 42 (@unit42_intel):

Be mindful of #BrowserExtensionSecurity! A new Chrome #BrowserExtension campaign utilizes an extension's onInstalled event to open post-install "thank you" pages with hidden iframes for suspicious domains, exposing users to #adware and #PUP. Details at bit.ly/4lDRgwr

Unit 42 (@unit42_intel):

A #phishing campaign we call C2-Sock uses a script to #keylog, steal creds & even allow redirects/popups by building a persistent #WebSockets connection. It streams everything you type in the phishing page & fingerprints your device for tracking. Details at bit.ly/4oguf48

Unit 42 (@unit42_intel):

A malicious #TDS campaign uses multi-layer #cloaking measures to evade detection, including anti-bot #CAPTCHA and multiple #fingerprint libraries (ThumbmarkJS & FingerprintJS). Our investigation revealed it distributes #PUP payloads. More info at bit.ly/4p7yeR9

Unit 42 (@unit42_intel):

We're tracking ongoing sample testing of a malicious Chrome extension on VirusTotal, likely to evade detection before deployment. These samples impersonate a legitimate extension and use highly obfuscated JavaScript for C2 communication. Details at bit.ly/48nlVJT

Unit 42 (@unit42_intel):

Browser-update-themed lures are fueling a surge in #ClickFix activity. We've seen 10K-plus hits on sites that lead to ClickFix pages pushing a variety of malware types through #pastejacking. Details at bit.ly/4iyA4s6

Unit 42 (@unit42_intel):

We've identified a real-world example of malicious indirect #promptInjection that attempts to bypass AI-based ad reviewers and promote scam products. It uses multiple evasion techniques to hide the injected LLM prompts from security checks. Details at bit.ly/3XTuqYj

Unit 42 (@unit42_intel):

Criminals are increasingly sending fake calendar invites to push invoice #scams. They create a false sense of urgency to convince recipients to call the provided support number. NEVER engage. Delete these #CalendarScams and block the senders! More info at bit.ly/4jvRSVa

Shehroze Farooqi (@shehrozefarooqi):

Our recent Unit 42 blog explores in-browser runtime assembly attacks using LLM APIs to generate polymorphic malicious code in real time. More details on prompt-based code obfuscation and bypassing safety guardrails to generate malicious code here: bit.ly/4sQ5hM3