How I’m backing up my Samsung Messages before the service ends in July – local and cloud options
You texts don’t have to disappear with the app. Here’s how to keep them – before they’re gone for good.
Latest news – Read More
You texts don’t have to disappear with the app. Here’s how to keep them – before they’re gone for good.
Latest news – Read More
Dubbed Bleeding Llama, the heap out-of-bounds read issue can be exploited remotely, without authentication.
The post Critical Bug Could Expose 300,000 Ollama Deployments to Information Theft appeared first on SecurityWeek.
SecurityWeek – Read More
An anti-ICE website, GTFO ICE, linked to Miles Taylor, is accused of exposing the personal details of 17,662 activists, sparking concerns that the data may have reached government agencies.
Hackread – Cybersecurity News, Data Breaches, AI and More – Read More
The Cyber Incident Review Board will carry out no-fault, post-incident reviews of significant cyberattacks on Australian government and industry, focusing on systemic lessons rather than individual or corporate culpability.
The Record from Recorded Future News – Read More
Our experts have discovered a large-scale supply chain attack via DAEMON Tools – software for emulating optical drives. The attackers managed to inject malicious code into the software installers, and all trojanized executable files are signed with a valid digital signature of AVB Disc Soft – the developer of DAEMON Tools. The malicious version of the program has been circulating since April 8, 2026. At the time of writing, the attack is still ongoing. Researchers at Kaspersky believe this is a targeted attack.
After the Trojanized software is installed on the victim’s computer, a malicious file is launched every time the system starts up – sending a request to a command-and-control server. In response, the server may send a command to download and execute additional malicious payloads.
First, the attackers deploy an information gatherer that collects the MAC address, hostname, DNS domain name, lists of running processes and installed software, and language settings. The malware then sends this information to the command-and-control server.
In some cases, in response to the collected information, the command server sends a minimalistic backdoor to the victim’s machine. It’s capable of downloading additional malicious payloads, executing shell commands, and running shellcode modules in memory.
The backdoor can be used to deploy a more sophisticated implant dubbed as QUIC RAT. It supports multiple communication protocols with the command-and-control server, and is capable of injecting malicious payloads into the notepad.exe and conhost.exe processes.
More detailed technical information, along with indicators of compromise, can be found in the experts’ article on the Securelist blog.
Since early April, several thousand attempts to install additional malicious payloads via infected DAEMON Tools software have been detected. Most of the infected devices belonged to home users, but approximately 10% of installation attempts were detected on systems running in organizations. Geographically, the victims were spread across around a hundred different countries and territories. Most victims were located in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.
Most often, the attack was limited to installing an information collector. The backdoor infected only a dozen machines in government, scientific, and manufacturing organizations, as well as in retail businesses in Russia, Belarus, and Thailand.
The malicious code was detected in DAEMON Tools versions ranging from 12.5.0.2421 to 12.5.0.2434. The attackers compromised the files DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, which are installed in the main DAEMON Tools directory.
If DAEMON Tools software is used on your computer (or elsewhere in your organization), our experts recommend thoroughly checking the computers on which it is installed for any unusual activity starting from April 8.
In addition, we recommend using reliable security solutions on all home and corporate computers used to access the internet. Our solutions successfully protect users from all malware used in the supply chain attack via DAEMON Tools.
Kaspersky official blog – Read More
A new large-scale phishing campaign is targeting U.S. organizations with fake event invitations that lead to credential theft, OTP interception, or RMM tool installation.
ANY.RUN researchers found that the campaign uses a repeatable phishing framework to create event-themed lure pages at scale. Some pages steal email credentials and OTP codes, while others deliver legitimate remote management tools such as ScreenConnect, ITarian, Datto RMM, ConnectWise, and LogMeIn Rescue.
For CISOs, the risk is not just another phishing wave. It is the combination of credential theft, trusted remote access tools, and infrastructure designed to look legitimate. That mix can delay detection, stretch SOC triage, weaken response confidence, and create a path to remote access before the business fully understands what happened.
/Image/*.png, and requests to /favicon.ico and /blocked.html help connect related activity.Most enterprise security programs are built to catch obvious signs of compromise: known malicious domains, suspicious payloads, credential abuse, or unauthorized remote access. This campaign creates a harder problem because the early stages can look like normal user behavior.
The attack starts with a CAPTCHA check and a fake event invitation. From there, it can lead to credential theft, OTP interception, or the installation of a legitimate RMM tool. Each step may look harmless inisolation, but together they create a path to account compromise or remote access.
For CISOs, the risk is clear: if the SOC only reacts after credentials are stolen or remote access is established, the organization is already behind the attack.
The outcome can be serious:
ANY.RUN’s Threat Intelligence shows that most analysis tasks related to this campaign came from the United States, suggesting that U.S. organizations may be the primary target.
As of April 27, nearly 160 suspicious links related to this campaign had been analyzed in ANY.RUN’s sandbox, with around 80 phishing domains identified. Most of these domains were registered underthe .de top-level domain, starting from December 2025.
TI Query: url:”/blocked.html” AND url:”/favicon.ico” and url:”/Image/*.png”

The most affected industries include Education, Banking, Government, Technology, and Healthcare — sectors where email access, identity, and remote administration are part of everyday operations.
For CISOs in these sectors, the concern is practical: one fake invitation can lead to stolen mailbox access, intercepted OTP codes, or a remote access tool running inside the environment.
The campaign also shows signs of scale. Threat actors appear to use a single framework to mass-deploy event-themed lure sites, while some page elements suggest possible AI-assisted generation. For security teams, this means the attack surface can change quickly, but the repeatable structure creates detection opportunities. When SOC teams can catch these patterns early, they can reduce investigation uncertainty, validate threats faster, and contain phishing activity before it turns into account compromise or remote access.
On April 22, 2026, ANY.RUN researchers identified a phishing campaign targeting email service credentials and, in some cases, delivering remote management software.
The campaign uses fake event invitation pages as the main lure. Victims are first taken through a CAPTCHA check, most often from Cloudflare, although other providers also appear in some cases. After that, they land on a phishing page telling them they have received an invitation.
From there, the campaign can move in two directions. Some pages are built to steal credentials. Others are designed to deliver remote management tools.
In the RMM delivery flow, the page may show a single download button or skip the button entirely and start the download automatically. In one ANY.RUN analysis session, the lure page starts the download without requiring further action from the user:
View analysis session with lure

In another session, the page includes a download button, but the file still begins downloading automatically:
View analysis session with download button

Additional lure pages following the same pattern were also observed:

Check out other sandbox sessions with the fake invitation:
ANY.RUN researchers also found signs that some pages were created using a shared phishing site toolkit, or phish kit. The code in several sessions contained instructions for the campaign operator on how to edit the page, suggesting a reusable setup for building and launching new lure sites quickly:


The examples above represent a sample of the activity observed by ANY.RUN researchers and illustrate the common structure used in phishing pages that deliver RMM tools.
The remote management tools most often installed in these campaigns include ScreenConnect, ITarian, Datto RMM, ConnectWise, and LogMeIn Rescue.
When the goal is credential theft, the page changes, but the entry point stays the same. In this analysis session, the chain also begins with a CAPTCHA check:
After the check, the user is shown an event invitation message and prompted to sign in with one of the available services. An example of this message is shown below:

The credential theft pages follow a consistent structure across the phishing domains. In most cases, only the logo at the top of the page changes.
The phishing URLs also follow a repeatable format: https://<phish-site>/<url-pattern>/<endpoint>
Domain names often include words related to events, invitations, greetings, parties, and similar themes. Examples include festiveparty.us, getceptionparty[.]de, and celebratieinvitiee[.]de, all of whichwere observed in related ANY.RUN analysis sessions:
Another campaign marker is the way service icons are loaded on the phishing page. The icons are consistently stored under the same path: /Image/*.png
The typical icon set includes:
Another distinctive feature of this campaign is the sequential request for the following resources: <evilsite>/favicon.ico <evilsite>/blocked.html
As a result, when a user opens the phishing link, the following request chain is always observed:
GET /
├─ GET /favicon.ico
├─ GET /blocked.html
└─ GET /<url-pattern>/Image/*.png
This request chain can be observed in the following ANY.RUN analysis session:
Check analysis with observed request chain

<url-pattern> is unique for each domain, but it often follows the same naming logic and includes repeated event-related keywords.
Analysts can use this pattern to find related phishing domains in ANY.RUN’s Threat Intelligence Lookup with the following query: url:”/blocked.html” AND url:”/favicon.ico” and url:”/Image/*.png”
The campaign uses two credential interception flows: one for Google accounts and another for non-Google services. The following ANY.RUN analysis session shows both flows in action:
Check analysis session with both interception flows

When the user selects any service other than Google, the phishing page opens a login window asking for an email address and password, as shown below.
After the first password entry, the page always displays an “Incorrect Password” message. This prompts the user to enter the password again, helping the attackers capture a second attempt in case the first one contained a typo.

When the user enters their credentials and clicks Login, the page sends a POST request to the same server at the /processmail.php endpoint, submitting the email address and password.


Then, an OTP code entry form appears. This form is also the same across all phishing sites used in this campaign.

When the user enters the code and clicks Submit, the page sends a POST request to the same server at the /process.php endpoint, submitting the OTP code.


After the OTP is entered, the page displays a placeholder message, as shown in the image below. At this stage, the credentials needed to access the service are already in the attacker’s hands.

When the user selects Gmail as the login method, a different chain is observed. First, the user is redirected to a page disguised as a Google authorization form.

When the user enters their login and password, the page sends POST requests to the /pass.php and /mlog.php endpoints.

The request to /pass.php sends the login and the request to /mlog.php sends the password:

Then, the page sends a request to the `/check_telegram_updates.php` endpoint, with the user ID included in the request body.

At the end of the chain, the victim is redirected to the legitimate google.com page.
Campaigns like this are difficult because they do not create one obvious security event. The same lure can lead to credential theft, OTP interception, or remote access tool installation. For SOC teams, that means the risk is spread across several small signals that need to be connected quickly.
To reduce exposure, security leaders need visibility earlier in the chain, before stolen credentials are used, before OTP codes are intercepted, and before a remote access tool becomes a foothold inside the environment.
ANY.RUN brings that visibility into the full SOC investigation process. During triage, analysts can open suspicious links safely inside a cloud-based, interactive sandbox and quickly confirm whether the page leads to a fake invitation, credential form, OTP prompt, or RMM download. During behavioral analysis, they can observe network requests, credential submission endpoints, file downloads, execution behavior, and remote access activity as it happens.

That visibility gives teams a stronger basis for response. Teams will understand what was exposed, whether access was attempted, and which containment steps are needed. With ANY.RUN Threat Intelligence, they can extend the investigation into threat hunting by finding related domains, repeated URL patterns, shared phishing infrastructure, and similar analyses across industries.

For CISOs, this supports the outcomes that matter most:
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams detect, investigate, and respond to threats faster.
ANY.RUN solutions include Interactive Sandbox, Threat Intelligence Lookup, Threat Intelligence Feeds, and integrations for SOC workflows across SIEM, SOAR, EDR, and other security tools. Together, they help teams safely analyze suspicious links, files, and scripts, uncover phishing behavior, trace credential theft and remote access activity, and enrich investigations with real-world threat context.
Built for security-conscious organizations, ANY.RUN is SOC 2 Type II attested and supports enterprise-ready controls such as SSO, MFA, granular privacy settings, and AES-256-CBC encryption.
Trusted by more than 15,000 organizations and 600,000 security professionals worldwide, ANY.RUN gives SOC teams the visibility they need to move from uncertain alerts to evidence-based decisions.
URL patterns:
hxxps://<phish_site>/<url-pattern>/Image/office360.png
hxxps://<phish_site>/<url-pattern>/Image/office.png
hxxps://<phish_site>/<url-pattern>/Image/yahoo.png
hxxps://<phish_site>/<url-pattern>/Image/google.png
hxxps://<phish_site>/<url-pattern>/Image/aol.png
hxxps://<phish_site>/<url-pattern>/Image/email.png
hxxps://<phish_site>/blocked.html
hxxps://<phish_site>/<url-pattern>/processmail.php
hxxps://<phish_site>/<url-pattern>/process.php
hxxps://<phish_site>/<url-pattern>/pass.php
hxxps://<phish_site>/<url-pattern>/mlog.php
hxxps://<phish_site>/<url-pattern>/check_telegram_updates.php
Domains:
The current list of domains can be retrieved using the following query in ANY.RUN Threat Intelligence Lookup: url:”/blocked.html” AND url:”/favicon.ico” and url:”/Image/*.png”
The post New Phishing Campaign Targets US with Credential Theft: What CISOs Need to Know appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
Cross-device syncing isn’t always safe. Here’s everything you need to know about this threat.
Latest news – Read More
While the software industry has made genuine strides over the past few decades to deliver products securely, the furious pace of AI adoption is putting that progress at risk. Businesses are moving fast to self-host LLM infrastructure, drawn by the promise of AI as a force multiplier and the pressure to deliver more value faster. But speed is coming at the expense of security.
In the wake of the
The Hacker News – Read More
A massive fraud network called FEMITBOT uses Telegram Mini Apps and fake brand names like Apple, Disney, and…
Hackread – Cybersecurity News, Data Breaches, AI and More – Read More
Deniss Zolotarjovs was directly involved in extortion strategies and in negotiations with victim companies.
The post Karakurt Ransomware Negotiator Sentenced to Prison appeared first on SecurityWeek.
SecurityWeek – Read More