Cybersecurity researchers have discovered 57 suspicious extensions in the official Chrome Web Store with more than six million users. The plugins caught their attention because the permissions they request don’t match their descriptions.
What’s more, these extensions are “hidden” — meaning they don’t show up in Chrome Web Store searches, and search engines don’t index them. Installing such a plugin requires a direct link to it in the Chrome Web Store. This post details why extensions can be a dangerous tool in cybercriminal hands, explains the direct threat posed by these recently discovered plugins, and gives tips on how not to fall victim.
Why extensions are dangerous, and how convenience undermines security
We’ve posted many times about why browser extensions shouldn’t be installed thoughtlessly. Browser plugins often help users speed up routine tasks, such as translating information on websites or checking spelling; however, the minutes you save often come at the cost of privacy and security.
This is because, in order to work effectively, extensions typically need access to everything you do in the browser. Even Google Translate asks for permission to “Read and change all your data on all websites” you visit — that is, not only can it monitor what you do online, but also alter any information on a page. For example, it might display a translation instead of the original text. If that’s what an online translator can do, just imagine what a malicious extension with the same access can get up to!
The problem is that most users are unaware of the risks posed by plugins. Whereas executable files from untrusted sources have come to be viewed as potentially dangerous, browser extensions enjoy a broad level of trust — especially if downloaded from an official store.
Too many unnecessary permissions
In the case of the 57 suspicious extensions found in the Chrome Web Store, the main sign of malicious intent was the broad sweep of permissions requested, such as access to cookies — including authentication ones.
In practice, this allows attackers to steal session cookies from victims’ devices, and those session cookies are used to avoid entering a password each time they visit a website. Such cookies also enable scammers to sign in to victims’ personal accounts on social networks or online stores.
Browser Checkup for Chrome by Doctor is one of the suspicious extensions masquerading as an “antivirus” for the browser.
In addition, the permissions requested grant the malicious extensions a host of interesting capabilities, including:
Tracking user actions in Chrome
Changing the default search engine and modifying search results
Injecting and executing scripts on pages visited by users
Remotely activating advanced tracking of user actions
How the investigation began
Cybersecurity researcher John Tuckner got on the trail of the suspicious extensions after examining the code of one of them: Fire Shield Extension Protection. Tuckner initially spotted this extension because it was published in the official Chrome store as hidden — it didn’t show up in search results and was accessible only via a direct link to the page in the Chrome Web Store.
Note that hidden extensions and apps in official stores are not unheard-of. The big platforms allow developers to hide them from the eyes of ordinary users. Such a practice tends to be the preserve of owners of private corporate software, and intended for use only by employees of a particular company. Another valid reason for hiding a product is when it’s still in the development stage.
However, both these explanations could be ruled out in the case of Fire Shield Extension Protection, boasting 300 000-plus users: a private corporate tool in the development stage with such a user base? Not likely.
Suspicious extensions with 200–300 thousand users each.
What’s more, the plugin features didn’t fit the profile of a highly specialized corporate solution: the description said that Fire Shield checks permissions requested by other extensions installed by the user, and warns about unsafe plugins.
To perform such tasks, it only needed permission to use the chrome.management API, which would allow it to get information about and manage other installed plugins. But Fire Shield wanted much broader rights, which we’ve listed above along with a description of the threats associated with this level of access.
Suspicious plugin wants too many permissions — including access to all sites, cookies, and user activity.
57 plugins disguised as legitimate tools
While analyzing Fire Shield Extension Protection, Tuckner found a clue that led to 35 more suspicious plugins. Among the links extracted from the extension code, he noticed a domain called unknow[.]com (seemingly a misspelling of “unknown”). A typo in a domain is a red flag to any cybersecurity expert, since it’s a common trick used by scammers, who hope the victim won’t notice.
Using a special tool, Tuckner found 35 more extensions associated with the same suspicious domain. The names of the extensions also had a lot in common, which confirmed their being connected. And they all requested broad access rights that didn’t match their stated description.
Extensions associated with the domain unknow[.]com, which kickstarted John Tuckner’s investigation.
Most of the suspicious extensions Tuckner found had a fairly standard set of described features: blocking ads, improving search results, and protecting user privacy. In reality, however, many lacked the code to perform these tasks. Several of the extensions came from the same companies.
Further research led Tuckner to unearth 22 more suspicious plugins, some of which were publicly available (not hidden). Here’s the full list of them — below we give only hidden extensions with the most downloads:
Fire Shield Extension Protection (300 000 users)
Total Safety for Chrome (300 000 users)
Protecto for Chrome (200 000 users)
Securify for Chrome (200 000 users)
Choose Your Chrome Tools (200 000 users)
Bottom line
All the evidence points to attackers hiding their malicious plugins to avoid detection by official store moderators. At the same time, such extensions are often distributed through search ads or malicious sites.
The researchers found no instances of the detected suspicious extensions stealing user passwords or cookies. After a detailed study of the code, plus a series of experiments, they concluded that extended tracking of user activity doesn’t start immediately but some time after installation of the extension, and can be launched by a command from a remote server.
The nature of their code, the option of remote control, their repeating behavior patterns, and embedded functionality lead us to conclude that the extensions all belong to the same family of spyware or data-stealing programs. As such, we advise that you:
Check your device for suspicious extensions (see the full list).
Download only those extensions that you really need; periodically check the list in your browser, and delete any unused or suspicious ones immediately.
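The permission review described in the Fire Shield case (a permission checker needs only the management API, not cookies and all-site access) and the advice to periodically check your installed extensions can be automated. The script below is an added example, not code from the Kaspersky post or from the researchers: it audits Chrome extension manifests for broad permissions, handling both Manifest V2 (host patterns mixed into `permissions`) and V3 (`host_permissions`), plus content-script `matches`. The two manifests and the profile path are constructed for illustration.

```python
"""Audit Chrome extension manifests for permissions that outstrip a plugin's stated job."""
import json
import os
from pathlib import Path

# API permissions that give an extension reach far beyond "check other extensions"
# or "block ads". Each maps to the capability a reviewer should ask about.
HIGH_RISK_PERMISSIONS = {
    "cookies": "read/modify cookies, including session (authentication) cookies",
    "webRequest": "observe network requests on matching hosts",
    "webRequestBlocking": "modify or block network requests",
    "scripting": "inject and execute scripts on pages (MV3)",
    "tabs": "track open tabs and the URLs the user visits",
    "history": "read browsing history",
    "webNavigation": "track navigation events",
    "declarativeNetRequest": "rewrite network requests",
}
# Match patterns equivalent to "read and change all your data on all websites".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest: dict) -> set:
    """Collect every host match pattern the extension asks for, MV2 or MV3."""
    patterns = set()
    for perm in manifest.get("permissions", []):          # MV2 style
        if "://" in perm or perm == "<all_urls>":
            patterns.add(perm)
    patterns.update(manifest.get("host_permissions", []))  # MV3 style
    for script in manifest.get("content_scripts", []):     # page access via injection
        patterns.update(script.get("matches", []))
    return patterns


def audit_manifest(manifest: dict) -> list:
    """Return human-readable findings for one manifest; an empty list means nothing flagged."""
    findings = []
    api_perms = {p for p in manifest.get("permissions", [])
                 if "://" not in p and p != "<all_urls>"}
    for perm in sorted(api_perms & set(HIGH_RISK_PERMISSIONS)):
        findings.append(f"permission '{perm}': {HIGH_RISK_PERMISSIONS[perm]}")
    hosts = host_patterns(manifest)
    broad = bool(hosts & BROAD_HOST_PATTERNS)
    if broad:
        findings.append("host access to all websites (read and change data on every page)")
    if broad and "cookies" in api_perms:
        findings.append("cookies + all-hosts access: can read session cookies for any site")
    return findings


def scan_profile(extensions_dir: str) -> dict:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and return
    {extension_id: [findings]} for every extension with at least one finding."""
    report = {}
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, json.JSONDecodeError):
            continue
        findings = audit_manifest(manifest)
        if findings:
            ext_id = manifest_path.parent.parent.name
            report[ext_id] = [f"{manifest.get('name', '?')}: {f}" for f in findings]
    return report


# Constructed manifests (not real extensions). The first asks only for what a
# permission checker needs; the second mirrors the over-broad request pattern.
MINIMAL_CHECKER = {
    "manifest_version": 3,
    "name": "Example Permission Checker (constructed)",
    "permissions": ["management"],
}
OVERREACHING = {
    "manifest_version": 3,
    "name": "Example Overreaching Extension (constructed)",
    "permissions": ["management", "cookies", "tabs", "scripting", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    for manifest in (MINIMAL_CHECKER, OVERREACHING):
        print(manifest["name"])
        for line in audit_manifest(manifest) or ["nothing flagged"]:
            print("  -", line)
    # Default Chrome profile location on Windows (assumed path; adjust for your OS).
    default = os.path.expandvars(r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions")
    if os.path.isdir(default):
        for ext_id, findings in scan_profile(default).items():
            print(ext_id, *findings, sep="\n  ")
```

The audit cannot judge whether a permission matches the description, but it surfaces exactly the mismatch the researchers used as their red flag: a "checker" or "ad blocker" asking for cookies and every site.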
Source: 57 suspicious Chrome extensions with millions of installs | Kaspersky official blog (posted by admin, 2025-05-29 16:06:42)
Cisco Talos has discovered new threats, including the ransomware CyberLock, Lucky_Gh0$t, and a newly-discovered malware we call “Numero,” all of which masquerade as legitimate AI tool installers.
CyberLock ransomware, developed using PowerShell, primarily focuses on encrypting specific files on the victim’s system. The threat actor deceitfully claims in the ransom note that the payments will be allocated for humanitarian aid in various regions, including Palestine, Ukraine, Africa and Asia.
Lucky_Gh0$t ransomware is yet another variant of the Yashma ransomware, which is the sixth iteration of the Chaos ransomware series, featuring only minor modifications to the ransomware binary.
The newly-identified destructive malware, Numero, affects victims by manipulating the graphical user interface (GUI) components of their Windows OSs, rendering systems completely unusable.
AI has increasingly proliferated across various business verticals, leading to a transformation of industries through automation, data-driven decision-making and enhanced customer engagements. However, as AI continues to propel multiple industry sectors forward, malicious actors are exploiting its popularity by distributing a range of malware disguised as AI solutions’ installers and tools.
Threat actors are employing a variety of techniques and channels to distribute these fraudulent installers, including SEO-poisoning tactics to manipulate search engine rankings and cause their malicious websites or download links to appear at the top of search engine results, as well as platforms such as Telegram or social media messengers.
As a result, unsuspecting businesses in search of AI solutions may be deceived into downloading counterfeit tools in which malware is embedded. This practice poses a significant risk, as it not only compromises sensitive business data and financial assets but also undermines trust in legitimate AI market solutions. Therefore, organizations and users must exercise extreme caution, meticulously verify sources, and rely exclusively on reputable vendors to avoid falling prey to these threats.
Talos has recently uncovered multiple threats masquerading as AI solutions being circulated in the wild, including the CyberLock and Lucky_Gh0$t ransomware families, along with a newly discovered destructive malware, dubbed “Numero.” The legitimate versions of these AI tools are particularly popular within the B2B sales domain and the technology and marketing sectors, indicating that individuals and organizations in these industries are particularly at risk of being targeted by these malicious threats.
CyberLock ransomware
Talos observed a threat actor creating a lookalike fake AI solution website with the domain ‘novaleadsai[.]com’, likely masquerading as the original website domain ‘novaleads.app’, a lead monetization platform designed to help businesses maximize the value of their leads through various services and performance-based models.
Figure 1. Fake website advertising the AI tool.
On the fake website, the actor persuades users to download the product with an offer of free access to the tool for the first 12 months, followed by a monthly subscription of $95. The threat actor also used an SEO manipulation technique that made their fake website appear in the top search results of online search engines.
When a user downloads the fake AI product as a ZIP archive, it contains a .NET executable with the file name ‘NovaLeadsAI.exe’. The executable was compiled on Feb. 2, 2025, the same day the fake domain ‘novaleadsai[.]com’ was created.
The ‘NovaLeadsAI.exe’ file is the loader that has the CyberLock ransomware PowerShell script embedded as the resource file. When the victim runs the loader executable, it deploys the ransomware.
Figure 2. Snippet of the CyberLock ransomware loader.
CyberLock ransom note
The CyberLock ransomware appeared to be operating as early as Feb. 2025. The ransom note claims that the threat actor has obtained full access to sensitive business documents, personal files and confidential databases, demanding a hefty ransom in exchange for decryption keys. Victims are instructed to communicate with the threat actor by emailing ‘cyberspectreislocked@onionmail[.]org’.
The CyberLock threat actor demands that the USD $50,000 ransom be paid exclusively in Monero (XMR) cryptocurrency and employs psychological tactics by falsely claiming that the ransom payments will be used for humanitarian aid in regions like Palestine, Ukraine, Africa and Asia. The actor splits the payment into two separate wallets, complicating defenders’ tracking efforts.
The ransom note is structured to intimidate and manipulate victims by threatening to expose stolen data if payment is not made within three days. However, Talos did not see any evidence of data exfiltration functionality within the ransomware code.
Figure 3. CyberLock ransom note.
CyberLock, the PowerShell ransomware
CyberLock ransomware is written in PowerShell with embedded C# code, and is delivered to victims as an embedded resource of the .NET loader.
When CyberLock is executed, it initially uses the functions GetConsoleWindow from kernel32.dll and ShowWindow from user32.dll to hide the PowerShell window. Then it generates a secret by decrypting the encrypted public key and uses it to derive the AES key and IV during the encryption process.
Figure 4. Snippet of CyberLock ransomware.
CyberLock has the capability to elevate privileges and re-execute itself with administrative privileges if it is not already running in an elevated context.
Figure 5. Snippet of CyberLock ransomware.
CyberLocker enumerates folders and files of the logical partitions with the labels ‘C:’, ‘D:’ and ‘E:’. It encrypts the targeted files using AES and appends the file extension ‘.cyberlock’ to the encrypted files.
Figure 6. Snippet of CyberLock ransomware.
The targeted file extensions and the categories are shown below:
After encrypting the targeted files, CyberLock creates a ransom note on the victim machine desktop with the file name ‘ReadMeNow.txt’. Ransom note contents are written into it from the embedded strings in the ransomware PowerShell script.
Talos observed that the ransomware sets a wallpaper on the victim machine’s desktop after dropping the ransom note. The threat actor downloads a header image from a cybersecurity organization’s blog post to the temporary applications folder of the victim’s user profile. They write the path of the downloaded image to the registry value “Wallpaper” and enable the wallpaper through PowerShell commands. Talos is not fully certain of the actor’s motive for setting the victim machine’s desktop wallpaper to a security research blog post header image.
Figure 7. Snippet of CyberLock ransomware.
Figure 8. Sample blog post header wallpaper.
Finally, CyberLock uses the living-off-the-land binary (LoLBin) ‘cipher.exe’ with the ‘/w’ option to erase free space on the victim’s hard drive partitions, hindering forensic recovery of deleted files.
Figure 9. Command execution to wipe the hard drive free space.
‘Cipher.exe’ is a built-in Windows command-line tool for managing file and folder encryption. One of its features allows users to prevent recovery of deleted files by overwriting free space with the ‘/w’ option. This was designed by Microsoft for legitimate purposes, such as securely wiping disks before reallocating them or complying with data protection laws to ensure sensitive data is unrecoverable by unauthorized parties.
Threat actors often misuse this feature to eliminate their malicious footprints or permanently delete files from victim machines. This technique was previously utilized by a Russian APT in their attacks, as noted by Volexity researchers. However, Talos has not observed any indication that this activity is related to the activity described in prior reporting.
Lucky_Gh0$t ransomware as fake ChatGPT installer
Talos discovered a threat actor distributing Lucky_Gh0$t ransomware in the wild, archived in a self-extracting archive (SFX) ZIP installer with the file name ‘ChatGPT 4.0 full version – Premium.exe’.
The malicious SFX installer included a folder that contained the Lucky_Gh0$t ransomware executable with the filename ‘dwn.exe’, which imitates the legitimate Microsoft executable ‘dwm.exe’. The folder also contained legitimate Microsoft open-source AI tools that are available on their GitHub repository for developers and data scientists working with AI, particularly within the Azure ecosystem. The threat actor’s intention in including the legitimate tools in the SFX archive is likely to evade anti-malware file scanner detections by masquerading as a legitimate package.
The SFX script executes the ransomware when a victim runs the malicious SFX installer file.
Figure 10. Malicious SFX executable contents.
Lucky_Gh0$t ransomware is the Yashma ransomware variant with most features unchanged, including the evasion techniques, deletion of volume shadow copies and backups, and AES-256 and RSA-2048 encryption. Talos observed a few minor modifications in the Lucky_Gh0$t binary, chiefly file-size limits that the ransomware applies during encryption.
Lucky_Gh0$t targets files on the victim machine that are approximately less than 1.2GB in size and encrypts them with the RSA-encrypted AES key, appending four random alphanumeric characters as the file extension. The targeted file categories for encryption include:
Text, code and config files
Microsoft Office and Adobe files
Media formats and images
Archives and installers
Backup and database files
Android package kit, Java Server Pages and Active server pages
Certificate files
Visual Studio Solutions and PostScripts
Figure 11. Lucky_Gh0$t encryption function for files less than 1.2GB.
For targeted files larger than 1.2GB, the ransomware creates a new file of the same size as the original and writes a single character “?” as the file content. It appends a four-character random alphanumeric file extension to the new file and deletes the original, exhibiting destructive behavior.
Figure 12. Lucky_Gh0$t encryption function for files larger than 1.2GB.
Lucky_Gh0$t ransomware provides a personal ID to the victims in their ransom note. For further communication regarding ransom payment and decryption, it instructs the victims to contact the threat actor using a secure messenger platform at ‘getsession[.]org’ with a unique session ID.
Figure 13. Lucky_Gh0$t ransom note.
Numero pretending to be an AI video creation tool
Talos recently discovered a new destructive malware in the wild that we call “Numero,” designed to imitate the AI video creation tool installer, InVideo AI. InVideo AI is an online platform widely used for marketing videos, social media content, explainer videos and presentations. The threat actor impersonates the product and the organization names in the malicious file’s metadata.
Figure 14. A fake installer execution flow running the payload Numero.
The fake installer is a dropper containing a malicious Windows batch file, a VB script and the Numero executable with the file name ‘wintitle.exe’. When the victim runs the fake installer, it drops the malicious components into a folder under the temporary applications folder of the local user profile. It then executes the dropped Windows batch file through the Windows shell in an infinite loop: the batch file first runs the Numero malware and then halts execution for 60 seconds by executing the VB script through cscript.
After resuming the execution, the batch file terminates the Numero malware process and restarts its execution. By implementing the infinite loop in the batch file, the Numero malware is continuously run on the victim machine.
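Two of the behaviours described above leave process-creation evidence that an endpoint sensor records: CyberLock’s wallpaper registry change and its ‘cipher.exe /w’ free-space wipe, and Numero’s batch loader relaunching ‘wintitle.exe’ from cmd.exe on a fixed 60-second cadence with a cscript sleep in between. The detection logic below is an added example, not Talos code: it runs over constructed events shaped like Sysmon Event ID 1 (time, pid, ppid, image, command_line); the paths, PIDs, timestamps and command lines are invented, and the batch and VBS file names are placeholders.

```python
"""Detect cipher.exe /w wipes, wallpaper changes and cmd.exe restart loops in process events."""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [
    # Constructed CyberLock-like sequence: PowerShell sets the wallpaper, then wipes free space.
    {"time": "2025-02-02T09:00:00", "pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -c \"Set-ItemProperty 'HKCU:\\Control Panel\\Desktop' "
                     "Wallpaper C:\\Users\\u\\AppData\\Local\\Temp\\header.jpg\""},
    {"time": "2025-02-02T09:00:05", "pid": 501, "ppid": 500,
     "image": r"C:\Windows\System32\cipher.exe", "command_line": "cipher.exe /w:C:"},
    {"time": "2025-02-02T09:04:00", "pid": 502, "ppid": 500,
     "image": r"C:\Windows\System32\cipher.exe", "command_line": "cipher.exe /w:D:"},
    # Constructed benign use: an admin listing EFS state, no /w switch.
    {"time": "2025-02-02T10:00:00", "pid": 600, "ppid": 300,
     "image": r"C:\Windows\System32\cipher.exe", "command_line": "cipher.exe /c C:\\Users\\u\\Documents"},
    # Constructed Numero-like loader: cmd.exe running the dropped batch file (placeholder name).
    {"time": "2025-01-24T12:00:00", "pid": 700, "ppid": 650,
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\example_dir\\loader.bat"},
]
# Four loop iterations: run wintitle.exe, sleep via cscript, kill it, repeat every 61 s.
_BASE = datetime.fromisoformat("2025-01-24T12:00:00")
for i in range(4):
    t = _BASE + timedelta(seconds=61 * i)
    EVENTS += [
        {"time": t.isoformat(), "pid": 800 + 3 * i, "ppid": 700,
         "image": r"C:\Users\u\AppData\Local\Temp\example_dir\wintitle.exe", "command_line": "wintitle.exe"},
        {"time": (t + timedelta(seconds=1)).isoformat(), "pid": 801 + 3 * i, "ppid": 700,
         "image": r"C:\Windows\System32\cscript.exe", "command_line": "cscript.exe //nologo sleep.vbs"},
        {"time": (t + timedelta(seconds=60)).isoformat(), "pid": 802 + 3 * i, "ppid": 700,
         "image": r"C:\Windows\System32\taskkill.exe", "command_line": "taskkill /f /im wintitle.exe"},
    ]


def _name(event):
    return event["image"].rsplit("\\", 1)[-1].lower()


def _time(event):
    return datetime.fromisoformat(event["time"])


def detect_cipher_wipe(events):
    """cipher.exe with a /w switch overwrites free space; return (time, ppid, command_line) per hit."""
    return [(e["time"], e["ppid"], e["command_line"]) for e in events
            if _name(e) == "cipher.exe"
            and any(tok.lower().startswith("/w") for tok in e["command_line"].split())]


def detect_wallpaper_set(events):
    """Script hosts writing the Wallpaper value under HKCU\\Control Panel\\Desktop."""
    hits = []
    for e in events:
        cl = e["command_line"].lower()
        if _name(e) in ("powershell.exe", "pwsh.exe", "reg.exe") \
                and "control panel\\desktop" in cl and "wallpaper" in cl:
            hits.append((e["time"], e["pid"]))
    return hits


def detect_restart_loop(events, min_runs=3, max_jitter=timedelta(seconds=5)):
    """An image that one cmd.exe parent relaunches >= min_runs times at a near-constant
    interval, with at least one cscript.exe sleep per gap, is a batch restart loop."""
    names = {e["pid"]: _name(e) for e in events}
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e["ppid"]].append(e)
    hits = []
    for ppid, children in by_parent.items():
        if names.get(ppid) != "cmd.exe":
            continue
        runs = defaultdict(list)
        for c in children:
            runs[_name(c)].append(_time(c))
        sleeps = len(runs.pop("cscript.exe", []))
        runs.pop("taskkill.exe", None)          # helper, not the looped payload
        for image, times in runs.items():
            times.sort()
            if len(times) < min_runs:
                continue
            gaps = [b - a for a, b in zip(times, times[1:])]
            if max(gaps) - min(gaps) <= max_jitter and sleeps >= len(gaps):
                period = sum(gaps, timedelta()).total_seconds() / len(gaps)
                hits.append({"parent_pid": ppid, "image": image,
                             "runs": len(times), "period_s": round(period)})
    return hits


if __name__ == "__main__":
    print("cipher /w wipes:", detect_cipher_wipe(EVENTS))
    print("wallpaper changes:", detect_wallpaper_set(EVENTS))
    print("restart loops:", detect_restart_loop(EVENTS))
```

Correlating the cipher hits with a PowerShell parent and the wallpaper write from the same PID (500 here) turns three weak signals into one high-confidence CyberLock-style sequence.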
Figure 15. Malicious Windows bat loader.
Numero’s behavior is consistent with window manipulator malware. Numero is a 32-bit Windows executable written in C++ and was compiled on Jan. 24, 2025.
Numero evades analysis by checking the process handles of various malware analysis tools and debuggers including IDA, x64 debugger, x32debugger, ollydbg, scylla, windbg, reshacker, ImportREC, Immunity debugger, Zeta debugger and Rock debugger.
Figure 16. Snippet of the Numero function and the malicious thread.
Numero malware creates and executes a thread in an infinite loop. The thread code interacts with the Windows GUI and manipulates the victim’s desktop window using the Windows APIs GetDesktopWindow, EnumChildWindows and SendMessageW. It monitors the victim machine’s desktop window continuously and hooks into each child window created on the desktop. Numero overwrites the window title, buttons and contents with the numeric string ‘1234567890’, rendering the victim machine unusable.
Figure 17. Corrupted Windows Run terminal.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Source: Cybercriminals camouflaging threats as AI tool installers (Cisco Talos; posted by admin, 2025-05-29 10:06:40)
A user wanted to safeguard their passwords, but inadvertently let attackers into their organization. This unexpected outcome has been documented in a recent investigation into a ransomware attack — an incident that began when an employee decided to download the popular password manager KeePass. A key detail, though, is that they visited a fake website. KeePass is an open-source project, so the attackers had no trouble copying it, modifying it, and adding malicious features. They then recompiled the application and distributed it through fake websites, which they promoted via legitimate online advertising systems.
What the fake KeePass was up to
The malicious campaign lasted at least eight months, starting in mid-2024. The attackers set up fake websites that mimicked the official KeePass site and used malvertising to redirect users who were searching for KeePass to domains with convincing names like keeppaswrd, keebass, and KeePass-download.
If the victim downloaded KeePass from a fake site, the password manager would function as expected, but it would also save all passwords from the currently open database to an unencrypted text file and install a Cobalt Strike beacon on the system. This is a tool that can be used both to assess an organization’s security and to conduct real cyberattacks.
With Cobalt Strike, the attackers were able not only to steal exported passwords, but also use them to compromise additional systems and ultimately encrypt the organization’s ESXi servers.
While searching for traces of this attack online, researchers discovered five different trojanized modifications of KeePass. Some of these were simpler: they immediately uploaded stolen passwords to the attackers’ server.
High-stealth malware
There’s nothing new about slipping malware to a victim along with legitimate software. Usually, however, attackers simply add malicious files to the installation package, so security solutions (if present) on the computer easily detect these. The fake KeePass attack was much more carefully planned and better concealed from security tools.
All fake KeePass installation packages were signed with a valid digital signature, so they didn’t trigger any alarming warnings in Windows. The five newly discovered distributions had certificates issued by four different software companies. The legitimate KeePass is signed with a different certificate, but few people bother to check what the Publisher line says in Windows warnings.
The Trojan functions were hidden inside the application’s core logic, and they only ran when the user opened a password database. In other words, the application would first start as usual, prompt the user to select a database and enter its master password, and only then begin performing actions that security mechanisms might consider suspicious. This makes it harder for sandboxes and other analysis tools that detect abnormal application behavior to spot the attack.
Not just KeePass
While investigating malicious websites distributing trojanized versions of KeePass, the researchers discovered related sites hosted on the same domain. The sites advertised other legitimate software, including the secure file manager WinSCP and several cryptocurrency tools. These were modified less extensively and simply installed known malware called Nitrogen Loader on victims’ systems.
This suggests that the trojanized KeePass was created by initial access brokers. These criminals steal passwords and other confidential information to find entry points into corporate computer networks and then sell the access to other malicious actors — usually ransomware gangs.
A threat to everyone
Distributors of password-stealing malware indiscriminately target any unsuspecting user. The criminals analyze any passwords, financial data, or other valuable information they manage to steal, sort it into categories, and sell whatever is needed to other cybercriminals for their underground operations. Ransomware operators will buy credentials for corporate networks, scammers will purchase personal data and bank card numbers, and spammers will acquire login details for social media or gaming accounts.
That’s why the business model for stealer distributors is to grab anything they can get their hands on and use all kinds of lures to spread their malware. Trojans can be hidden inside any type of software — from games and password managers to specialized applications for accountants or architects.
How to protect your home computer
Download applications from the vendor’s official website or major app stores only.
Pay attention to digital signatures. When you launch a program you’ve never downloaded before, Windows displays a warning with the name of the digital signature owner in the Publisher field. Make sure that this matches the real developer’s information. When in doubt, check the information on the official website.
Be cautious of search ads. When you search for the name of an application, carefully review the first four or five results, but ignore the ads. The developer’s official website is typically one of those results. If you’re not sure which result leads to the official website, it’s best to double-check the address via major app stores or even on Wikipedia.
Be sure to use comprehensive security software, such as Kaspersky Premium, on all your computers and smartphones. This will protect you from being infected by most types of malware and stop you visiting dangerous websites.
Don’t shun password managers! Although a popular password manager was used in a sophisticated attack, the idea of securely storing important data in encrypted form is more relevant than ever. Subscriptions to Kaspersky Plus and Kaspersky Premium include Kaspersky Password Manager, which lets you securely store your credentials.
How to protect your organization from infostealers and initial access brokers
Using legitimate credentials in attacks is one of the most popular tactics among cybercriminals. To make it harder to steal and use corporate accounts, follow the advice for organizations on combating infostealers.
To repel trojanized software that can give attackers direct access to your network, we additionally recommend the following measures:
Restricting the download and execution of untrusted software using application allowlists. Suitable criteria for allowlisting include “applications from a specific vendor” and applications signed with a specific certificate. The latter option would have helped in the KeePass case and blocked the known application signed with an unauthorized certificate.
Implementing a centralized approach to monitoring and response, which includes installing endpoint detection and response (EDR) sensors on every workstation and server, and analyzing the resulting telemetry with SIEM or XDR solutions. Kaspersky Next XDR Expert is well-suited to providing a comprehensive solution to this challenge.
Expanding employee training. In addition to being vigilant about phishing, it’s important to train your team to recognize fake software, malicious ads, and other social engineering techniques. The Kaspersky Automated Security Awareness platform can help with this.
Source: Beware of the fake KeePass | Kaspersky official blog (posted by admin, 2025-05-28 16:06:41)
Cybercriminals impersonate the trusted e-signature brand and send fake Docusign notifications to trick people into giving away their personal or corporate data
Source: Word to the wise: Beware of fake Docusign emails (posted by admin, 2025-05-28 14:06:38)
Phishing attacks have become a pervasive and escalating threat across various industries, notably in finance, manufacturing, and healthcare. For Managed Security Service Providers (MSSPs), the challenge lies in swiftly identifying and mitigating these threats to safeguard client infrastructures and uphold service integrity.
This case study explores how ANY.RUN’s Threat Intelligence Lookup and Interactive Sandbox can empower MSSPs to detect, investigate, and respond to phishing attacks more effectively.
About the Case Study
As an example, we’ll use a payload from Delivr.to (a platform designed to help organizations assess and enhance their email security by simulating real-world threats). We’ll see how Threat Intelligence Lookup and Interactive Sandbox help with:
Access to real-world phishing samples: Use our extensive threat database to study current phishing samples, simulate email filter bypasses, and prepare more resilient defenses.
Deep behavior analysis: Examine samples in the sandbox to uncover IOCs, IOBs, IOAs, TTPs, and link attacks to specific malware families and threat actors.
Targeted threat discovery: Search phishing samples by country, time period, known artifacts.
Training and awareness: Use real phishing cases to educate your team and clients, improving detection and response readiness.
Let’s begin.
1. Introducing the payload
We have chosen an HTML file Electronic_Receipt_ATT0001.htm from the payload sample library of Delivr.to.
Payload’s credentials via Delivr.to
The attachment’s description contains its ID, hash sum, payload chain deployment steps, and the tags describing the attack chain scenario.
Such payloads are meant to be emailed in order to put corporate cybersecurity policies to the test. However, a full understanding of a threat requires not only detecting email filter bypasses, but a full analysis of the activated payload’s behavior. This is why we shall use ANY.RUN’s TI Lookup to search for this HTML file.
2. Detecting the payload in malware campaigns
Our TI Lookup query combines the parameter that restricts results to attached files with the file's name.
The test attachment is often found in malware samples
At the time of analysis, TI Lookup returns 21 malware samples containing this payload. Besides linking to the samples and their analyses, TI Lookup highlights that most samples featuring this benign test file have been tagged as malicious and attributed to the Tycoon phishing kit, which is distributed as Phishing-as-a-Service (PhaaS).
In other words, the lure we chose is not a synthetic artifact: it is actively employed in real phishing campaigns.
We can also search for other payloads related to Tycoon’s activity. The search query combines the name of the process “outlook.exe” — used when opening emails — and the threat name “tycoon”. As a result, we obtain a broad set of analyses containing various malicious attachment variants associated with Tycoon. This allows us to analyze real-world examples of phishing campaigns and identify recurring delivery patterns.
Phishing samples with Tycoon payloads in the Sandbox
ANY.RUN provides not only attribution to a specific threat but also an overview of the activity landscape — including the number of related samples analyzed by the professional community, the timeframe of the payload’s usage, and the frequency of its appearance. The most recent sample featuring Electronic_Receipt_ATT0001.htm, as of the time of analysis, is dated May 27, 2025, which helps assess the threat’s current relevance.
4. Watching the malware in action
Let's take a closer look at the payload in the ANY.RUN Sandbox by opening one of the analyses returned by the search.
A sandbox analysis of Tycoon malware sample with phishing email
First of all, we can explore the email itself. The recipient's address helps identify the likely aim of the attack and the organization it was directed against. The subject line is also available, and in some cases its context, which lets us assess the social engineering tactics the attacker used to persuade the recipient to open the malicious attachment.
Email subject and attachment signaling phishing
Detailed email header information can be retrieved from the Static Discovering tab:
Traces to Tycoon’s victimology
The email recipient’s address — fsp@mycoastlifecu.com — belongs to CoastLife Credit Union, a U.S.-based financial institution, which is confirmed by its presence on the company’s official website.
The use of a legitimate corporate email as the recipient suggests that this attachment was part of an actual phishing campaign targeting employees of financial organizations. This, in turn, indicates the attackers’ likely focus — U.S.-based companies providing banking or financial services.
The attack’s illustrative target
The Authentication-Results header shows that the email failed SPF verification: the sender's IP address, 141.95.114.239, was not authorized to send mail on behalf of the domain greengrowersinc.com. This confirms that the sender address was spoofed and pins down the IP used in the campaign. One caveat for triage: legitimately forwarded mail also fails SPF, so corroborate an SPF failure with the DKIM/DMARC verdicts and with the content of the lure rather than acting on SPF alone.
Further evidence of malicious intent: authentication failed
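To make the header check above repeatable across a client's mail flow, here is an added Python example (not part of the original ANY.RUN write-up) that parses an Authentication-Results header, extracts the SPF, DKIM and DMARC verdicts together with the sender IP and the envelope-from domain, and turns them into triage findings. The header text is constructed from the values quoted above; its exact layout, the local part of the envelope address and the receiving server name mx.example.net are assumptions.

```python
import re

# Constructed sample built from the values reported above (spf=fail, sender IP
# 141.95.114.239, envelope domain greengrowersinc.com). The layout, the local
# part and the receiving server name mx.example.net are assumptions.
SAMPLE_HEADER = (
    "Authentication-Results: mx.example.net; "
    "spf=fail (sender IP is 141.95.114.239) smtp.mailfrom=billing@greengrowersinc.com; "
    "dkim=none; dmarc=fail action=none header.from=greengrowersinc.com"
)

# A passing header for comparison (also constructed).
PASSING_HEADER = (
    "Authentication-Results: mx.example.net; "
    "spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=news@example.org; "
    "dkim=pass header.d=example.org; dmarc=pass action=none header.from=example.org"
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_auth_results(header: str) -> dict:
    """Extract SPF/DKIM/DMARC verdicts, sender IP and envelope-from domain.

    A method that is absent from the header is reported as None; the literal
    verdict 'none' is kept, because dkim=none is a real result (no signature).
    """
    body = header.split(":", 1)[1] if header.lower().startswith("authentication-results") else header
    out: dict = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=([a-z]+)", body, re.IGNORECASE)
        out[method] = m.group(1).lower() if m else None
    ip = re.search(rf"sender IP is ({IPV4})", body)
    out["sender_ip"] = ip.group(1) if ip else None
    mf = re.search(r"smtp\.mailfrom=([^\s;]+)", body)
    # Keep only the domain: the local part is attacker-chosen and irrelevant to SPF.
    out["mailfrom"] = mf.group(1).lower().rsplit("@", 1)[-1] if mf else None
    hf = re.search(r"header\.from=([^\s;]+)", body)
    out["header_from"] = hf.group(1).lower().rsplit("@", 1)[-1] if hf else None
    return out


def spoofing_indicators(results: dict) -> list[str]:
    """Turn parsed verdicts into human-readable triage findings (empty list = clean)."""
    findings = []
    if results["spf"] in ("fail", "softfail"):
        findings.append(
            f"SPF {results['spf']}: {results['sender_ip']} is not authorized to send for {results['mailfrom']}"
        )
    if results["dmarc"] == "fail":
        findings.append(f"DMARC fail for {results['header_from']}: alignment or authentication failed")
    if results["dkim"] in (None, "none") and results["spf"] != "pass":
        findings.append("no valid DKIM signature to fall back on")
    return findings


if __name__ == "__main__":
    for name, hdr in (("lure", SAMPLE_HEADER), ("clean", PASSING_HEADER)):
        print(name, spoofing_indicators(parse_auth_results(hdr)) or ["no indicators"])
```

Run it over the Authentication-Results header that the Static Discovering tab exposes. An SPF failure on its own is not a verdict (forwarders break SPF too), which is why the findings list the DKIM and DMARC state as well.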
5. Performing interactive analysis
On opening the malicious HTML attachment in the ANY.RUN environment, we can observe the phishing page it loads. The file fetches a page hosted on the domain nq.jrerqaoiha.ru, which has every hallmark of throwaway malicious infrastructure. A Microsoft sign-in page served from a .ru domain is in itself highly unusual and points to a fraudulent scheme.
A typical phishing page impersonating Microsoft corporate login
The page mimics a Microsoft Excel login form with official Microsoft branding. The interface prompts the user to enter their credentials, suggesting an attempt at credential harvesting.
Malware’s network activity details with IOCs
“Network → Threats” tab shows detected network threats. For each recorded activity, you can view detailed detection results based on Suricata IDS, including:
Signature description
Protocol used
Relevant IP addresses and ports
MITRE ATT&CK technique mapping. In this case, the connection to nq.jrerqaoiha.ru, classified as part of the Tycoon2FA phishing kit, was mapped to T1566 (Phishing) and tagged as Potential Social Engineering.
These steps, which cover several analytical aspects critical for cybersecurity professionals, demonstrate how ANY.RUN enables in-depth research of phishing attacks, which is highly relevant for most MSSP companies.
Integrate ANY.RUN’s Solutions in Your MSSP
Integrating ANY.RUN’s Threat Intelligence Lookup and Interactive Sandbox into your MSSP operations equips you with advanced tools to combat phishing and other cyber threats efficiently.
These solutions deliver precise, actionable intelligence to ensure:
Stronger Client Protection: Proactively investigate and identify malware and phishing attacks using ANY.RUN’s services to take faster actions for safeguarding clients’ infrastructure.
Accelerated Research: Uncover extensive context on any threat, slashing threat investigation time and enabling faster analyst response.
Maximized ROI: Speed up triage and response with TI Lookup and the Interactive Sandbox to prevent incidents faster and avoid financial and reputational losses.
In-depth Threat Analysis: Leverage ANY.RUN’s Interactive Sandbox for real-time detonation and analysis of malicious files and URLs missed by automated systems.
Streamlined SOC Processes: Take advantage of 2-second searches to reduce triage, investigation, and response times, enhancing team productivity.
ANY.RUN’s Threat Intelligence Lookup and Interactive Sandbox offer robust solutions for analyzing and preventing phishing attacks. The services enable MSSPs to conduct in-depth behavioral analyses of suspicious emails and attachments, identify indicators of compromise, and attribute threats to specific malicious actors. By integrating these capabilities into their security operations, MSSPs can enhance their threat detection and response times, providing clients with proactive defense mechanisms against phishing threats.
[admin, 2025-05-28 13:06:43] How MSSPs Can Analyze and Investigate Phishing Attacks with ANY.RUN
Malware doesn’t stick to one platform or play fair. One day it’s a Python stealer. The next, it’s an Android RAT or a Node.js backdoor quietly pinging its C2. Then it hits Linux, flooding your network with suspicious connections.
Modern threats are unpredictable. They move across systems and languages, often slipping past tools that weren’t built for this level of complexity.
ANY.RUN is one sandbox where you can analyze, detect, and understand malware and phishing, whatever the OS, architecture, or language. With support for Windows, Linux, and Android, you can choose the environment that fits your sample and see how the same threat behaves across platforms. Just upload, launch, and start investigating.
Let’s see how cybersecurity teams use ANY.RUN to detect and analyze malware written in languages like Python and Node.js, and built to target different systems.
Malware Written in Node.js: Unpacking GootLoader’s Multi-Stage Execution
JavaScript isn’t just for websites anymore, and that’s part of the problem. Threat actors increasingly use JavaScript and Node.js to build droppers, stealers, and loaders that can bypass traditional defenses.
For businesses, these threats often arrive disguised as legitimate files, especially in environments where document sharing and template downloads are common. Once executed, they can trigger multi-stage infections, establish persistence, and pull down additional payloads without leaving obvious traces.
To see how a Node.js-based attack unfolds in the real world, let’s analyze a live GootLoader infection inside the ANY.RUN sandbox.
The attack begins when a user lands on a compromised website while searching for something business-related, like a contract template.
Analysis of the Gootloader Node.js malware inside ANY.RUN’s Interactive Sandbox
The site delivers a ZIP file containing a trojanized JavaScript file posing as a common library (e.g., jQuery). Once opened, the script runs via wscript.exe, launching a heavily obfuscated payload.
ANY.RUN’s Script Tracer logs and deobfuscates this activity in real time, giving analysts full visibility into each execution step.
ANY.RUN's Script Tracer showing deobfuscated info
The process tree on the right side of the screen lists every process the attack spawned. Here is what it reveals:
Once executed, the first-stage payload drops a second-stage JavaScript file onto the victim’s system and creates a scheduled task to run it immediately and ensure persistence.
The task launches the second-stage script, initially again through wscript.exe (PID 7828), which then transfers execution to cscript.exe (PID 7896). This script spawns a PowerShell process (PID 8092), which further deobfuscates and runs another PowerShell script.
PID 7828 with its exposed techniques and tactics inside ANY.RUN sandbox
This PowerShell script conducts extensive system reconnaissance, collecting environment variables, OS version, running processes, and more. It communicates with the attacker’s command and control (C2) server by sending compressed and encoded data embedded in HTTP headers, complicating detection.
After establishing communication, the PowerShell script downloads additional payloads, often storing them within the Windows registry to avoid being written to disk. These payloads may include a loader and a secondary component such as a Cobalt Strike Beacon or other post-exploitation tools.
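The chain described above (a script host launched from a download, a scheduled task, a second script host, then PowerShell with a hidden window and an encoded command) is exactly what a detection over process-creation telemetry should catch. The following Python is an added example, not ANY.RUN's code and not a GootLoader artifact: it runs three ancestry-based rules over a constructed list of process events modelled on that chain. The parent/child links and the three second-stage PIDs follow the text; the user name, file paths, task name and command-line switches are assumptions.

```python
from collections import namedtuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
USER_PATHS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

Finding = namedtuple("Finding", "pid technique detail")

# Constructed process-creation events modelled on the chain above. Parent/child
# links and the PIDs 7828/7896/8092 follow the text; paths, the task name and the
# command-line arguments are assumptions.
EVENTS = [
    {"pid": 4120, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1200, "ppid": 1, "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs -s Schedule"},
    # stage 1: the user opens the trojanised "library" from the downloaded ZIP
    {"pid": 6544, "ppid": 4120, "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\jdoe\Downloads\contract_template\jquery.js"'},
    # stage 1 drops stage 2 and schedules it to run immediately
    {"pid": 6600, "ppid": 6544, "image": "schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /tr "wscript.exe C:\Users\jdoe\AppData\Roaming\stage2.js" /sc once /st 00:00'},
    # stage 2 is started by the Task Scheduler service, then hands over to cscript
    {"pid": 7828, "ppid": 1200, "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\jdoe\AppData\Roaming\stage2.js"},
    {"pid": 7896, "ppid": 7828, "image": "cscript.exe",
     "cmdline": r"cscript.exe C:\Users\jdoe\AppData\Roaming\stage2.js"},
    {"pid": 8092, "ppid": 7896, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]


def ancestry(by_pid: dict, pid: int) -> list[str]:
    """Image names from the process itself up to the root (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: list[dict]) -> list[Finding]:
    """Apply three GootLoader-style rules; each returns the ATT&CK technique it maps to."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img, cmd = e["image"].lower(), e["cmdline"].lower()
        parents = set(ancestry(by_pid, e["pid"])[1:])  # ancestors only, not the process itself
        # Rule 1: a script host running a .js file from a user-writable location (T1059.007)
        if img in SCRIPT_HOSTS and ".js" in cmd and any(p in cmd for p in USER_PATHS):
            findings.append(Finding(e["pid"], "T1059.007", f"{img} running .js from a user path"))
        # Rule 2: scheduled task created beneath a script host (T1053.005)
        if img == "schtasks.exe" and "/create" in cmd and SCRIPT_HOSTS & parents:
            findings.append(Finding(e["pid"], "T1053.005", "schtasks /create spawned under a script host"))
        # Rule 3: hidden or encoded PowerShell descended from a script host (T1059.001)
        if img in SHELLS and SCRIPT_HOSTS & parents and ("-enc" in cmd or "hidden" in cmd):
            findings.append(Finding(e["pid"], "T1059.001", "encoded/hidden PowerShell under a script host"))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.pid:>5} {f.technique} {f.detail}")
```

Rule 2 is the one that survives the Task Scheduler hop: the stage-2 wscript.exe (PID 7828) has svchost.exe as its parent, so a rule that only looks at the immediate parent would lose the link back to the download, whereas the task creation itself is still attributable to the first script host.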
Python-Based Malware: A Stealthy Threat to Business Environments
Python isn’t just a favorite among developers, it’s increasingly used by attackers to create lightweight, modular, and evasive malware. Its readability and cross-platform flexibility make it an ideal choice for building custom stealers, droppers, and loaders that are easy to modify and hard to catch.
For businesses, Python-based malware like Pentagon Stealer poses a real threat. It’s designed to quietly siphon off browser data, crypto wallet credentials, communication tokens, and personal files, often without dropping anything obvious to disk.
To see how it operates in the wild, let’s break down a real sample of the Python variant of Pentagon Stealer in the ANY.RUN sandbox.
The infection starts with an encrypted dropper that decrypts and launches a hidden Python script protected with AES in CBC mode. Once decrypted, the stealer sets up persistence and scans the system for valuable data.
In ANY.RUN’s sandbox, Pentagon’s behavior is clearly exposed across each stage of the infection chain.
Data theft detection: The stealer harvests browser credentials, cookies, and data from apps like Atomic and Exodus. This activity is automatically flagged by the sandbox, giving analysts immediate insight into what data was accessed and how.
Data theft detected inside ANY.RUN sandbox
C2 communication: Pentagon communicates with domains like pentagon[.]cy and stealer[.]cy, while variants such as BLX upload stolen data to gofile.io. These indicators are collected and displayed in the IOC section, making it easy to pivot, enrich threat intel, or block infrastructure in other systems.
IOCs gathered along with the domain pentagon[.]cy
MITRE ATT&CK mapping: The sandbox automatically links observed behavior to ATT&CK tactics and techniques. For Pentagon, this includes:
Credentials from Web Browsers: The malware extracts saved usernames, passwords, and cookies from Chromium-based browsers, compromising access to email, cloud apps, and internal systems.
Credentials in Files: It scans user directories for sensitive files, like password.txt or wallet backups, that may contain unprotected login credentials.
System Information Discovery: Pentagon gathers OS details, hardware info, and environment variables to tailor its behavior or decide whether to proceed with the attack.
Query Registry: The stealer accesses Windows Registry keys to detect installed software, security tools, and persistence mechanisms.
Service Stop: It disables security-related services like Windows Defender to avoid detection and ensure uninterrupted operation of follow-up payloads.
MITRE ATT&CK techniques and tactics displayed inside ANY.RUN sandbox
With this mapping, teams get a full picture of the attack’s intent and progression without manually stitching logs together.
Android Malware: How Salvador Stealer Hijacks Banking Credentials
Salvador Stealer is a highly deceptive Android malware disguised as a legitimate banking app. Behind its clean interface lies a full-fledged phishing and data exfiltration machine, designed to steal everything from government ID numbers and personal information to net banking credentials and one-time passwords.
For both individuals and financial institutions, Salvador poses a serious threat, combining technical sophistication with aggressive credential harvesting and real-time data leaks via Telegram and phishing servers.
To uncover the full behavior of Salvador Stealer and observe its actions in real time, we executed the sample inside ANY.RUN’s Android environment.
Analysis of the Salvador malware inside ANY.RUN Sandbox’s interactive Android VM
Inside the interactive Android VM, we could clearly observe each stage of the infection, uncovering its tactics, visualizing the phishing interface, and tracing data exfiltration with minimal manual effort.
We see that Salvador Stealer operates in two stages:
Dropper APK – Silently installs and triggers the second-stage payload.
Base.apk (Payload) – The actual credential-stealing component.
Dropper APK Behavior
The dropper APK is engineered to install the second-stage malware without the user’s knowledge. It uses specific permissions and intent filters in its AndroidManifest.xml.
Inside ANY.RUN, we observed the dropper launching a new activity immediately after execution, behavior consistent with silent installations.
The dropper APK designed to install and launch a secondary payload (base.apk) as a new activity
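Manifest triage is the first thing to do with a dropper like this before detonating it. The Python below is an added example, not ANY.RUN's code and not Salvador's real manifest: it parses a constructed AndroidManifest.xml for a hypothetical banking-app dropper and reports the permissions that matter for this kind of family (package installation, SMS access for OTP interception, overlays) together with every component that declares an intent filter. The permission and action names are standard Android ones; the package name, component names, and the "install permission plus FileProvider" dropper pattern being what the actual sample uses are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
EXPORTED = f"{{{ANDROID_NS}}}exported"

# Permission groups that matter for a banking dropper/stealer (standard Android names).
INSTALL_PERMS = {"android.permission.REQUEST_INSTALL_PACKAGES", "android.permission.INSTALL_PACKAGES"}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS", "android.permission.SEND_SMS"}
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}

# Constructed manifest for a hypothetical dropper; not taken from the real sample.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bankupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Bank Update">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <provider android:name="androidx.core.content.FileProvider"
              android:authorities="com.example.bankupdate.files" android:exported="false"/>
  </application>
</manifest>
"""


def assess_manifest(xml_text: str) -> dict:
    """Summarise permissions, intent-filter-bearing components and the red flags they imply."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME) for el in root.iter("uses-permission")}

    components = []
    for comp in root.iter():
        if comp.tag not in ("activity", "service", "receiver"):
            continue
        actions = [a.get(NAME) for flt in comp.findall("intent-filter") for a in flt.findall("action")]
        if actions:
            components.append({"type": comp.tag, "name": comp.get(NAME),
                               "exported": comp.get(EXPORTED) == "true", "actions": actions})

    flags = []
    if perms & INSTALL_PERMS:
        flags.append("install")        # can hand a second-stage APK to the package installer
    if perms & SMS_PERMS:
        flags.append("sms")            # can read incoming one-time passwords
    if perms & OVERLAY_PERMS:
        flags.append("overlay")        # can draw fake login screens over real apps
    if any("SMS_RECEIVED" in a for c in components for a in c["actions"]):
        flags.append("sms_receiver")   # receiver wired to incoming SMS broadcasts
    has_fileprovider = any(p.get(NAME, "").endswith("FileProvider") for p in root.iter("provider"))
    if "install" in flags and has_fileprovider:
        # Typical sideloading dropper: exposes the bundled APK via a content:// URI and asks
        # the installer to install it (assumed pattern, not taken from the sample).
        flags.append("dropper_pattern")

    return {"package": root.get("package"), "permissions": sorted(perms),
            "components": components, "flags": flags}


if __name__ == "__main__":
    report = assess_manifest(SAMPLE_MANIFEST)
    print(report["package"], report["flags"])
    for c in report["components"]:
        print(f"  {c['type']} {c['name']} exported={c['exported']} actions={c['actions']}")
```

Feed it the decoded manifest (apktool or a similar decoder turns the binary AXML into this plain XML form). The flags are a triage aid, not a verdict: a legitimate app store client also holds REQUEST_INSTALL_PACKAGES, so the combination of install capability, SMS access and a banking-themed label is what should raise the priority.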
Payload Behavior & Phishing Interface
Once executed, the payload connects to Telegram, which serves as its command and control (C2) channel, and triggers the “starts itself from another location” signature, confirming that it was launched by the dropper.
Process communicating with Telegram revealed inside ANY.RUN Android sandbox
Real-Time Credential Exfiltration
Once the victim submits the phishing form, all entered data is immediately exfiltrated to:
A phishing website controlled by the attacker
A Telegram bot used as a backup C2 channel
Stolen data sent to Telegram C2 server
ANY.RUN’s HTTPS MITM Proxy mode captured this behavior clearly, allowing us to inspect the exact HTTP requests, destination URLs, and the contents of the exfiltrated data in plaintext.
This level of visibility is critical when dealing with mobile malware that uses encrypted channels. Teams can immediately verify whether sensitive information was stolen, where it was sent, and how it was packaged, all without reverse-engineering the app or relying on guesswork. It shortens investigation time, boosts detection accuracy, and helps teams extract actionable IOCs in minutes.
Linux Malware: Uncovering Mirai’s Network Flood Inside the Sandbox
While Linux systems are often seen as more secure, they’re far from immune, especially when it comes to IoT-targeting malware like Mirai. Built to infect vulnerable devices with weak or default credentials, Mirai turns compromised routers, IP cameras, and other Linux-based systems into part of a massive botnet used for coordinated DDoS attacks.
In our sandbox session, we ran a Mirai sample inside a Linux virtual environment, revealing exactly how this malware behaves post-infection.
After running the analysis, the malware began scanning the internet for additional targets, sending out a flood of connection attempts to IP addresses across various ports. The spike in outbound activity was visible in the sandbox’s network traffic tab, highlighting Mirai’s worm-like behavior as it looked to propagate further.
Network traffic tab with 121,964 connections
To add another layer of detection, Suricata rules were triggered during the session, automatically flagging the traffic as malicious and confirming the presence of a Mirai variant. This kind of signature-based alert is crucial for quickly validating what you’re looking at without needing to manually inspect every packet.
Suricata rule triggered by Mirai malware inside ANY.RUN sandbox
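The outbound spike above is the kind of thing a flow-level detection should raise even before a Suricata signature matches. Below is an added Python example (not ANY.RUN's code and not part of the Mirai sample): it builds a constructed flow log in which one host sweeps random addresses on the telnet ports Mirai has historically targeted (an assumption; the post only says "various ports") while a second host browses normally, then flags any source that reaches an unusually large number of distinct destinations inside a 60-second window on a small set of ports, which is the signature of a horizontal sweep rather than ordinary client traffic.

```python
import random
from collections import Counter, defaultdict


def make_sample_flows(seed: int = 7) -> list[dict]:
    """Constructed flow log (not real capture data).

    10.0.0.23 behaves like a freshly infected bot: 600 connection attempts in one
    minute to random routable addresses on 23/2323 (the ports are an assumption).
    10.0.0.5 is an ordinary workstation talking HTTPS to two documentation-range hosts.
    """
    rng = random.Random(seed)
    flows = []
    for i in range(600):
        dst = f"{rng.randint(1, 223)}.{rng.randint(0, 255)}.{rng.randint(0, 255)}.{rng.randint(1, 254)}"
        flows.append({"ts": 1000.0 + i * 0.1, "src": "10.0.0.23", "dst": dst,
                      "dport": rng.choice([23, 2323])})
    for i in range(40):
        flows.append({"ts": 1000.0 + i * 2.0, "src": "10.0.0.5",
                      "dst": rng.choice(["198.51.100.7", "203.0.113.42"]), "dport": 443})
    return flows


def scan_sources(flows: list[dict], window: float = 60.0,
                 min_targets: int = 50, max_ports: int = 5) -> dict:
    """Return {src: {"peak_targets": n, "ports": [...]}} for every source whose
    distinct-destination count inside some `window`-second span reaches
    `min_targets` while touching at most `max_ports` distinct ports."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)

    hits = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f["ts"])
        in_window = Counter()   # dst -> number of flows currently inside the window
        start, peak = 0, 0
        for f in fl:
            in_window[f["dst"]] += 1
            while f["ts"] - fl[start]["ts"] > window:   # slide the left edge forward
                old = fl[start]["dst"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        ports = sorted({f["dport"] for f in fl})
        if peak >= min_targets and len(ports) <= max_ports:
            hits[src] = {"peak_targets": peak, "ports": ports}
    return hits


if __name__ == "__main__":
    for src, info in scan_sources(make_sample_flows()).items():
        print(f"{src}: {info['peak_targets']} distinct targets within 60 s on ports {info['ports']}")
```

The port cap is what separates a worm sweep from, say, a vulnerability scanner or a busy proxy: both reach many hosts, but the former hammers one or two service ports. Tune `min_targets` to the network's baseline; a home router rarely talks to fifty new addresses in a minute, while a corporate mail relay might.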
By analyzing Mirai in ANY.RUN, cyber security teams gain:
A real-time view of malicious scanning and propagation behavior
Easy access to network IOCs, including contacted IPs, ports, and protocols
Automated rule-based detection (Suricata) to validate threats instantly
A safe environment to test Linux-specific malware, which is often harder to analyze in traditional sandboxes
Whether you’re defending enterprise infrastructure or monitoring connected devices, ANY.RUN’s support for Linux malware analysis makes it easier to uncover threats that operate below the radar of Windows-based defenses.
Going Deeper with Pre-Installed Developer Tools
Not every sample can be cracked with behavioral analysis alone; some require deeper inspection, debugging, or code-level investigation. ANY.RUN's pre-installed development software set is built for exactly these cases.
Available for Windows 10 (64-bit) VMs, this configuration equips analysts with a curated toolkit tailored for reverse engineering, unpacking, and scripting, all without needing to set anything up manually.
By selecting the “Development” software set before starting a session, users instantly gain access to tools like Python, Node.js, x64dbg, Detect It Easy, dnSpy, HxD, DebugView, Process Hacker, and more to investigate complex malware like custom loaders, obfuscated stealers, or scripts in Node.js or Python.
Let’s look at two real-world use cases where this set has been used:
Example 1: Extracting MSI Files Without Execution
Using Lessmsi, analysts can safely unpack .msi files and inspect their contents without running them, critical for avoiding accidental payload execution. In one session, this was combined with Detect It Easy (DiE) to analyze extracted binaries and flag suspicious file signatures or packers.
Example 2: Debugging Obfuscated Malware with x64dbg
In another session, x64dbg was used to step through malware execution line by line, helping analysts understand how the sample unpacked itself and interacted with system components; insights that static analysis alone couldn’t reveal.
Having these tools built into the sandbox means your team can dig deeper without wasting time setting things up. It speeds up investigations, helps catch more sophisticated threats, and gets you closer to answers when every minute counts.
A Smarter Way to Investigate Multi-Platform Threats
Modern malware doesn’t limit itself to one environment, and neither should your analysis. From Windows loaders and Python stealers to Android banking malware and Linux-based botnets, today’s threats are built to adapt. The same sample can behave differently depending on where it runs, dropping different payloads, using OS-specific evasion techniques, or communicating with separate C2 infrastructure.
Using a different tool for each platform only slows your team down and increases the risk of missing critical behavior.
ANY.RUN brings everything together in one place. One sandbox where you can detect, investigate, and understand threats, no matter the OS, architecture, or language. Launch analysis sessions across Windows, Linux, and even real Android environments to see how malware acts in each context.
Faster Investigations Across Platforms: Skip the tool-switching and analyze samples across operating systems, Windows, Linux, and Android, from one streamlined interface.
Deeper Insight into Complex Samples: Whether it's a Node.js loader or a Python stealer, trace execution, follow obfuscated logic, and unpack evasive behavior with ANY.RUN's Script Tracer and pre-installed developer toolkit.
Clear View of Network Behavior: See how malware communicates, even over encrypted channels or uncommon protocols using HTTPS MITM Proxy and Suricata rule integration.
Complete Context Behind Every Attack: Understand the full attack chain, from persistence to exfiltration, through mapped behavior, process trees, ATT&CK matrix, and comprehensive logs.
Cloud-Based, Ready-to-Go Malware Analysis: Skip complex setups. Launch your session in seconds with debuggers, interpreters, and network tools already built in.
Built for Teamwork and Collaboration: ANY.RUN makes it easy for teams to work together. Share live sessions, tag behaviors, and keep everyone, from analysts to managers, on the same page.
[admin, 2025-05-27 12:06:43] How to Analyze Node.js, Python, Android, and Linux Malware with ANY.RUN
Can your photos and other data be downloaded or erased from your smartphone while it’s charging from a public charging port — on public transport, in a clinic, at the airport, and so on? Despite manufacturers’ safety measures, it’s sometimes possible.
Hackers first came up with such attacks way back in 2011: if an innocent-looking USB charging port doesn’t just supply electricity but contains a hidden computer, it can connect to your smartphone in data-transfer mode using the Media Transfer Protocol (MTP) or Picture Transfer Protocol (PTP) and extract data from the device. This attack became known as juice-jacking, and both Google and Apple quickly came up with a safeguard: when a smartphone is connected to a device supporting MTP/PTP, it asks the user whether to allow data transfer or just charge. For many years, this simple precaution seemed to solve the problem… until 2025 — when researchers from Graz University of Technology in Styria, Austria, discovered a way to bypass it.
ChoiceJacking attack
In the new attacks — dubbed ChoiceJacking attacks — a malicious device disguised as a charging station confirms on its own that the victim supposedly wants to connect in data-transfer mode. Depending on the manufacturer and OS version, there are three variants of the attack. Each variant finds a different way to bypass a certain limitation in the USB protocol: a device cannot operate in both host mode (as a computer) and peripheral mode (e.g., as a mouse or keyboard) at the same time.
The first method is the most complex but works on both iOS and Android. A microcomputer is disguised as a charging station. This microcomputer can connect to a smartphone as a USB keyboard, USB host (computer), and Bluetooth keyboard.
When the smartphone is plugged in, the malicious station emulates a USB keyboard and sends commands to turn on Bluetooth and connect to a Bluetooth device — the very same malicious computer, now impersonating a Bluetooth keyboard. After that, the system reconnects via USB, now posing as a computer. The smartphone asks the user whether to allow data transfer — and the malicious device confirms the request via a Bluetooth “keystroke”.
The second method only works on Android and doesn’t require Bluetooth. The malicious charger pretends to be a USB keyboard and floods the smartphone with keystrokes — overwhelming the input buffer. While the OS is busy processing this meaningless input, the charger disconnects and reconnects — this time as a computer. A prompt appears on screen asking which mode to connect in, and right at that moment the tail end of the keyboard input buffer plays out, containing a keystroke sequence that confirms connection in data-transfer mode (MTP, PTP, or even ADB debug mode).
The third method, also Android-only, exploits the fact that all tested smartphones incorrectly implement the Android Open Accessory Protocol (AOAP). The malicious device connects as a computer right away, and when the confirmation screen appears, it sends the necessary keystroke events through AOAP. The protocol prohibits simultaneous operation in USB-host and AOAP modes, but in practice this restriction is often ignored.
Which devices are protected from USB ChoiceJacking?
Both Apple and Google blocked these attack methods in iOS/iPadOS 18.4, and Android 15, respectively. Now, in order to confirm USB data transfer, it’s not enough to simply press Yes — you need to pass biometric authentication or enter a password. Unfortunately, on Android, the OS version alone doesn’t guarantee your smartphone’s safety. For example, Samsung devices running the One UI 7 shell don’t request authentication — even after updating to Android 15.
That’s why Android users who have updated to Android 15 are advised to connect their smartphone to a known safe computer via a cable and check whether a password or biometric confirmation is required. If not — avoid public charging stations.
How serious is this, and how to protect yourself?
While law enforcement agencies have occasionally warned about USB data-theft attacks (1, 2), no real-world attacks have ever been publicly documented. This doesn’t mean they’ve never occurred, but it clearly isn’t a widespread threat.
If you're concerned about such attacks, charge your devices only with your own trusted charger or power bank, or use a USB data blocker: an adapter that passes power through the cable while physically disconnecting the data lines. These adapters, also called “USB condoms”, are quite effective, but can slow down charging on newer smartphones because they also block the data signals that Quick Charge mode needs. Alternatively, you could use a cheap charge-only USB cable (one that can't transmit data), but test it first with a trusted computer to make sure no data-transfer prompt appears on the screen; then you'll need to carry it with you everywhere, and keep in mind that it rules out Quick Charge as well.
The most crucial and widely available protection is updating to the latest versions of Android or iOS.
If you ever find yourself in a bind — with an outdated OS, no blocker, and an urgent need to use the nearest USB charger — just remain vigilant while charging. When you connect the phone, watch the screen: if it doesn’t just start charging but prompts you to choose the connection type, select Charging only. If you’re really worried about your data, it’s better to unplug and look for a less “smart” port.
For more on other unusual smartphone hacks — check these out:
[admin, 2025-05-27 11:06:40] The ChoiceJacking attack: stealing smartphone photos and data while charging via USB | Kaspersky official blog
For an email attack to succeed, the first thing cybercriminals need to do is get their messages in front of potential victims. In a recent post, we covered how scammers leveraged notifications from GetShared — a fully legitimate service for sharing large files. Today, we examine another method for delivering malicious emails. The operators behind this scam have learned to insert custom text into genuine thank-you messages sent by Microsoft 365 to its new business subscribers.
A genuine Microsoft email with a nasty surprise inside
The attack kicks off with a legitimate email in which Microsoft thanks the recipient for purchasing a Microsoft 365 Apps for Business subscription. The email really does come from Microsoft's own address, microsoft-noreply@microsoft.com. Few senders enjoy a more trusted reputation, so the message passes mail-server reputation and authentication checks without trouble.
One more time, just so we’re clear: this is an honest-to-goodness email from Microsoft. The contents match a typical purchase confirmation. In the screenshot below, the company thanks the recipient for buying 55 Microsoft 365 Apps for Business subscriptions worth a total of $587.95.
Example of a Microsoft business notification where attackers inserted their message in the Billing information section
The crux of the scam lies in the text attackers add to the Billing information section. Typically, this section contains the subscriber company’s name and the billing address. However, the scammers swap out that information for their own phone number, plus a note encouraging the recipient to call “Microsoft” if they need any assistance. The types of “purchased” subscriptions suggest that the scammers are targeting company employees.
They prey on a common employee fear: making an expensive, unnecessary purchase could cause trouble at work. And since resolving the issue by email isn’t an option (the message comes from a no-reply address), the victim is left with little choice but to call the phone number provided.
Who answers the calls, and what happens next?
If the victim takes the bait and decides to call to inquire about the subscriptions they’ve supposedly purchased, the scammers deploy social engineering tricks.
A Reddit user, who’d received a similar email and called the number, shared their experience. According to the victim, the person who answered the call insisted on installing some support software, and sent an EXE file. The subsequent conversation suggests that the file contained a RAT of some kind.
The victim didn’t suspect anything was amiss until the scammer promised to refund money to their bank account. That was a red flag, as they shouldn’t have had access to the victim’s banking details. The scammer went on to ask the victim to sign in to their online banking to check if the transaction had gone through.
The victim believes that the software installed on their computer was malware that would have allowed the attackers to intercept their login credentials. Fortunately, they recognized the danger early enough and hung up. Within the same thread, other Reddit users reported similar emails containing various contact details.
How scammers send phishing emails from a genuine Microsoft address
How, exactly, the attackers manage to send Microsoft notifications to their victims is still something of a mystery. The most plausible explanation came from another Reddit user, who suggested that the scam operators were using stolen credentials or trial versions to access Microsoft 365. By using BCC or simply entering the victim’s email address when purchasing a subscription, they can send messages like the one shown in the screenshot above.
An alternative theory is that the scammers gain access to an account with an active Microsoft 365 subscription and then use the billing-information resend feature — specifying the target user as the recipient.
Whichever is true, the attackers’ goal is to replace the billing information — the only part of the Microsoft notification they can alter — with their own phone number.
How to protect yourself against such attacks
Malicious actors keep finding new loopholes in well-known, perfectly legitimate services to use for phishing campaigns and scams. That’s why, to keep an organization secure, you need not only technical protections but also administrative controls. Here’s what we recommend:
[admin, 2025-05-26 17:06:40] How scammers exploit genuine Microsoft business notifications
ESET Research has been tracking Danabot’s activity since 2018 as part of a global effort that resulted in a major disruption of the malware’s infrastructure
[admin, 2025-05-24 18:06:49] Danabot under the microscope