We’ve just returned from RSAC 2026 in San Francisco, one of the most important cybersecurity events of the year.
As always, the conference brought together security leaders, vendors, and practitioners from around the world. For the ANY.RUN team, it was a packed few days of meetings with customers and partners, insightful presentations, and strong industry recognition.
ANY.RUN at RSAC 2026
This year, ANY.RUN was represented at RSAC by our CCO, Alex, who attended the conference to meet with partners and customers, discuss ongoing collaborations, and exchange insights on evolving threat detection challenges.
ANY.RUN’s CCO, Alex, at RSAC 2026
Beyond scheduled meetings, RSAC also provided an opportunity for deeper conversations in a more informal setting, including a partner dinner where key topics around SOC workflows, threat intelligence, and detection strategies were discussed.
These interactions are an important part of how we continue to align ANY.RUN’s solutions with real-world needs across security teams and MSSPs.
Industry Recognition at Global InfoSec Awards 2026
During RSAC 2026, ANY.RUN was honored at the Global InfoSec Awards 2026, organized by Cyber Defense Magazine.
We were honored to receive Global InfoSec awards during RSAC 2026
The recognition reflects what our solutions deliver in practice: higher detection rates, lower MTTR, and faster decision-making through interactive analysis and real threat context. It highlights unified workflows that keep investigations within a single process from monitoring to response, along with the ability to scale across both enterprise SOCs and MSSPs.
About ANY.RUN
ANY.RUN provides interactive malware analysis and actionable threat intelligence designed for modern security teams.
Our solutions combine an Interactive Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds to help SOC and MSSP teams analyze threats faster, investigate incidents with deeper context, and detect emerging attacks earlier.
Trusted by more than 15,000 organizations and over 600,000 security professionals worldwide, including 74% of Fortune 100 companies, ANY.RUN maintains a strong focus on data protection and compliance, while continuously evolving its solutions to address real-world threat detection and investigation challenges for SOCs and MSSPs.
ANY.RUN at RSAC™ 2026: Highlights & Industry Recognition (2026-03-30)
A cunning predator: How Silver Fox preys on Japanese firms this tax season (2026-03-28)
RSAC 2026 wrap-up – Week in security with Tony Anscombe (2026-03-28)
Supply-chain attacks have been one of the most dangerous categories of cybersecurity incidents for years now. And if 2025 taught us anything, it’s that cybercriminals are doubling down on them. In this deep dive, we’re looking at supply-chain attacks from 2025 that, while not always the costliest, were certainly the most unusual and caught the industry’s attention.
January 2025: a RAT found in the DogWifTools GitHub repository
As a “warm-up” after the holiday break, cybercriminals systematically backdoored several versions of DogWifTools. This is a utility designed for launching and vigorously promoting Solana-based meme coins on Pump.fun. After compromising the private GitHub repository for DogWifTools, the attackers waited for the developers to upload a fresh build, injected a RAT into it, and then swapped the legitimate program with their malicious version just a few hours later. According to the developers, the threat actors successfully trojanized versions 1.6.3 through 1.6.6 of DogWifTools for Windows.
The endgame was triggered in late January. After using the RAT to harvest a massive amount of data from infected devices, the attackers drained their victims’ crypto wallets. While victims estimate the total haul at over US$10 million in cryptocurrency, the attackers themselves disputed that figure — though they stopped short of revealing exactly how much they’d actually made off with.
February 2025: the US$1.5 billion Bybit heist
If January was a warm-up, February was a total meltdown. The Bybit crypto exchange hack completely eclipsed previous incidents — becoming the largest crypto heist in history. The attackers managed to compromise the Safe{Wallet} software, the multisig cold storage solution the exchange relied on to manage its assets.
Bybit employees thought they were signing a routine transaction; in reality they were authorizing a malicious smart contract. Once executed, it drained a primary cold wallet, dispersing the funds across several hundred attacker-controlled addresses. The final haul exceeded 400 000 ETH/stETH, with a staggering total value of approximately… US$1.5 billion!
March 2025: Coinbase targeted in a GitHub Actions cascading compromise
Spring 2025 kicked off with a sophisticated attack that used a compromise of multiple GitHub Actions — the workflow patterns used to automate standard DevOps tasks — as its primary delivery mechanism. It all started with the theft of a personal access token belonging to a maintainer of the SpotBugs analysis tool. Using this foothold, the attackers published a malicious process and managed to hijack a token from a maintainer of the reviewdog/action-setup workflow, who was also involved in the project.
From there, they compromised a dependency, the tj-actions/changed-files workflow, modifying it to execute a malicious Python script. This script was designed to hunt for high-value secrets, such as AWS, Azure and Google Cloud keys, GitHub and NPM tokens, database credentials, and RSA private keys. Oddly, the script wrote everything it found directly to publicly accessible build logs. This meant the leaked data wasn’t just available to the attackers, but to anyone savvy enough to look.
The original goal of this operation was a repository belonging to the Coinbase crypto exchange. Fortunately, the developers caught the threat in time and prevented the compromise. After apparently realizing they were about to lose control of the tj-actions/changed-files pipeline, the attackers pivoted to a spray-and-pray approach. This put 23 000 repositories at risk of a secrets leak. In the end, several hundred of those repositories actually saw their sensitive credentials exposed to the public.
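The March incident turned on secrets being printed into publicly readable build logs. As an added example for defenders (not code from tj-actions, GitHub, Coinbase or anyone on the page), the following Python scanner runs over CI log lines and flags strings shaped like the credential families named above, reporting them redacted so the scan itself does not re-leak them. The regexes follow the public prefix conventions (AKIA…, ghp_…, npm_…) but are this example's assumptions, and the sample log is constructed with fake values.

```python
"""Scan CI build-log lines for secret-shaped strings and report them redacted.

Constructed example; not code from tj-actions, GitHub or any project on the page.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Credential families the leaked script hunted for, per the write-up above.
# The exact regexes are this example's assumption (public prefix conventions),
# not a vendor specification; tune them to your own environment.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}"),
    # user:password@ embedded in a database connection URL
    "database_url": re.compile(
        r"\b(?:postgres|postgresql|mysql|mongodb)(?:\+srv)?://[^\s:/]+:[^\s@]+@"
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # never echo the full secret into a report


def redact(secret: str) -> str:
    """Keep a short prefix and suffix so a finding can be triaged without reprinting the secret."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}...{secret[-4:]}"


def scan_log(lines):
    """Return one Finding per secret-shaped match, in log order."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(line_no, kind, redact(match.group(0))))
    return findings


def summarize(findings):
    """Count findings per credential family, e.g. for a pipeline gate or alert."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample log, modelled on what a leaking build step would print.
# Every value is fake: it follows the prefix format but is not a real credential
# (the AWS key ID is the one AWS uses in its own documentation examples).
SAMPLE_LOG = [
    "Run tj-actions/changed-files",
    "##[debug] AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "##[debug] GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz",
    "##[debug] NPM_TOKEN=npm_abcdefghijklmnopqrstuvwxyz0123456789",
    "##[debug] DATABASE_URL=postgres://app:s3cretPW@db.internal:5432/app",
    "-----BEGIN RSA PRIVATE KEY-----",
    "npm install completed in 12s",
]

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for finding in results:
        print(f"line {finding.line_no}: {finding.kind} -> {finding.redacted}")
    print("summary:", summarize(results))
```

A hit on a public build log should be treated as a confirmed exposure: rotate the credential first, then work out how it reached the log.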
April 2025: a backdoor in 21 Magento extensions
In April, an infection was discovered across a whole range of extensions for Magento, one of the most popular platforms for building online stores. The backdoor was embedded into 21 modules developed by three vendors: Tigren, Meetanshi, and MGS. These extensions were part of the infrastructure for several hundred e-commerce companies, including at least one multinational corporation.
According to the researchers who discovered it, the backdoor was actually planted way back in 2019. In April 2025, the attackers finally triggered it to compromise websites and upload web shells. This was accomplished through a function embedded in the extensions that executed arbitrary code pulled from a license file.
Ironically, the infected modules included MGS GDPR and Meetanshi CookieNotice. As the names suggest, these extensions were designed to help sites comply with user privacy and data processing regulations. In the end, instead of ensuring privacy, their use most probably led to the theft of user data and financial assets through web skimming.
May 2025: ransomware distributed through a compromised MSP
In May, ransomware actors from the DragonForce gang gained access to the infrastructure of an unnamed managed service provider (MSP) and used it to distribute their ransomware and steal data from the MSP’s client organizations.
It appears the attackers exploited several vulnerabilities (including one critical flaw) in SimpleHelp, the remote monitoring and management tool used by the MSP. These vulnerabilities were discovered back in 2024 and were publicly disclosed and patched in January 2025. Unfortunately, the MSP evidently decided not to rush the update process — a delay the ransomware gang was more than happy to exploit.
June 2025: a backdoor in over a dozen popular npm packages
At the start of the summer, attackers hacked the account of one of the Gluestack library maintainers and used a stolen access token to inject backdoors into 17 npm packages. The most popular of these packages, @react-native-aria/interactions, boasted 125 000 weekly downloads, while all the compromised packages combined totaled over a million.
What’s particularly interesting in this case are the steps the Gluestack developers took following the incident: first, they restricted GitHub repository access for secondary contributors; second, they enabled two-factor authentication (2FA) for publishing new versions; and third, they promised to implement secure development practices like pull-request-based workflow, systematic code reviews, audit logging, and so on. In other words, prior to the incident a project with hundreds of thousands of weekly downloads had no such measures in place.
July 2025: popular npm packages infected through a phishing attack
In July, npm packages were once again the stars of the show — including the widely used, succinctly named “is” package, which boasts 2.7 million weekly downloads. This JavaScript utility library provides a broad range of type-checking and value validation functions. To pull off a phishing strike against one of the project owners, attackers successfully utilized the oldest trick in the book: typosquatting (using the domain npnjs.com instead of npmjs.com) and a clone of the official npm website.
They then used the compromised account to publish several of their own versions of the package with an embedded backdoor. The infection flew under the radar for six hours: plenty of time for a large number of developers to download the malicious npm packages.
The same phishing tactic was deployed against other developers as well. The attackers leveraged several compromised developer accounts to distribute different variants of their malicious payload. There’s also a strong suspicion that they may have saved some of their haul for future attacks.
August 2025: the s1ngularity attack and a leak of hundreds of developers’ secrets
In late August, an incident dubbed “s1ngularity” continued the trend of targeting JavaScript developers. Attackers compromised Nx, a popular build system and CI/CD pipeline optimization tool. Malicious code injected into the packages searched through infected developer systems for a vast range of sensitive data, such as crypto wallet keys, npm and GitHub tokens, SSH keys, API keys, and more.
Interestingly, the attackers used locally installed AI tools, such as Claude Code, Gemini CLI, and Amazon Q, to sniff out secrets on the victims’ machines. Everything they found was then posted to public GitHub repositories created in the victims’ names, using titles “s1ngularity-repository”, “s1ngularity-repository-0”, and “s1ngularity-repository-1”. As you might have guessed, that’s where the name of the attack comes from.
Consequently, the private data of hundreds of developers ended up sitting in plain sight, where it could be accessed not just by the attackers, but by absolutely anyone with an internet connection.
September 2025: a crypto stealer hits npm packages that have 2.6 billion weekly downloads
The trend of npm package compromises rolled right into September. Following a fresh phishing campaign targeting JavaScript developers, attackers managed to inject malicious code into a few dozen high-profile projects. Some of these, specifically “chalk” and “debug”, boast hundreds of millions of weekly downloads; collectively, the infected packages were racking up over 2.6 billion downloads per week at the time of the breach — and they’ve only grown more popular since.
The payload was a crypto stealer: malware designed to intercept cryptocurrency transactions and reroute them to the attackers’ wallets. Fortunately, despite successfully poisoning some of the world’s most popular projects, the attackers somehow managed to botch the final stage of their operation. In the end, they walked away with a measly US$925.
Just a week later, another major incident struck: the first wave of the self-propagating Shai-Hulud malware, which infected around 150 npm packages, including projects from CrowdStrike. However, the second wave, which hit several months later, proved to be far more destructive. We’ll take a closer look at the Great Worm a bit further down.
October 2025: GlassWorm infects the Visual Studio Code ecosystem
Roughly a month after the Shai-Hulud attack, similar self-propagating malware dubbed GlassWorm began infecting Visual Studio Code extensions across both the Open VSX Registry and the Microsoft Extension Marketplace. The attackers were hunting for GitHub, Git, npm, and Open VSX accounts, as well as crypto wallet keys.
The creators of GlassWorm took a highly creative approach to their command-and-control infrastructure: they used a crypto wallet on the Solana blockchain as their primary C2, with Google Calendar serving as a backup communication channel.
Beyond simply draining victims’ crypto wallets and hijacking their accounts to spread the worm further, the attackers also dropped a RAT named Zombi onto infected devices, granting them total control over the compromised systems.
November 2025: the IndonesianFoods campaign and 150 000 spam packages on npm
In November, a new nuisance emerged within the npm registry. A coordinated malicious campaign dubbed IndonesianFoods saw attackers flood the registry with tens of thousands of useless packages.
The primary goal here was gaming the system to inflate metrics and farm tokens on tea.xyz, a blockchain platform designed to reward open-source developers. To pull this off, the attackers built a massive web of interdependent projects with names referencing Indonesian cuisine, such as zul-tapai9-kyuki or andi-rendang23-breki.
The creators of this campaign didn’t bother hijacking accounts. Strictly speaking, the spam packages didn’t even contain a malicious payload — unless you count a script designed to automatically generate new packages every seven seconds. Nevertheless, the incident served as a stark reminder of how vulnerable the npm infrastructure is to large-scale spam campaigns.
December 2025: Shai-Hulud 2.0 and the leak of 400 000 developer secrets
The absolute headliner of the year — not just for supply-chain attacks, but likely for the entire cybersecurity field — was the self-propagating malware Shai-Hulud (also known as Sha1-Hulud) targeting developers.
This malware was the logical evolution of the s1ngularity attack we mentioned earlier: it also scours systems for all kinds of secrets and publishes them in open GitHub repositories. However, Shai-Hulud added a self-propagation mechanism to this baseline: the worm infects projects controlled by already-compromised developers by using their stolen credentials.
The first wave of Shai-Hulud hit in September, infecting several hundred npm packages. But toward the end of the year, a second wave arrived, dubbed Shai-Hulud 2.0.
This time, the worm was upgraded with wiper functionality. If the malware failed to find valid npm or GitHub tokens on an infected system, it triggered a destructive payload that erased user files.
Approximately 400 000 secrets were leaked in total as a result of the attack. It’s worth noting that, just like with s1ngularity, all this sensitive data ended up in public repositories where it could be downloaded not only by the attackers but by anyone else. And it’s highly likely that the fallout from this attack will be felt for a long time to come.
One of the first confirmed cases of an exploit using secrets leaked by Shai-Hulud was a cryptocurrency theft targeting several thousand Trust Wallet users. Attackers used these secrets on Christmas Eve to upload a malicious version of the Trust Wallet extension, complete with a built-in crypto drainer, to the Chrome Web Store. In the end, they managed to make off with US$8.5 million in cryptocurrency.
How to protect against supply-chain attacks
While putting together a similar retrospective for 2024, we found sticking to a “one month, one threat” structure fairly easy. For 2025, however, it was a much taller order. There were so many massive supply-chain attacks last year that we simply couldn’t fit them all into this one overview.
The year 2026 is shaping up to be just as intense, so we recommend checking out our dedicated post on preventing supply-chain attacks. In the meantime, here are the essential takeaways:
Thoroughly evaluate your vendors and carefully audit the code you integrate into your own projects.
Implement strict security requirements directly into your service contracts.
Develop a comprehensive incident response plan.
Monitor your corporate infrastructure for suspicious activity using an XDR solution.
If you want to learn more about supply-chain attacks, have a read of our analytical report Supply chain reaction: securing the global digital ecosystem in an age of interdependence. It’s based on insights from technical experts, and reveals how often organizations face supply-chain and trusted-relationship risks, where protection gaps remain, and what strategies to employ to improve resilience against these kinds of threats.
Most notable supply-chain attacks of 2025 | Kaspersky official blog (2026-03-27)
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
Canva Affinity vulnerabilities
Discovered by KPC of Cisco Talos.
Canva Affinity is a free-to-use tool for pixel and vector art manipulation used in graphic and document design.
Talos researchers found 19 vulnerabilities in Affinity. Eighteen of them are out-of-bounds read vulnerabilities in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit these vulnerabilities to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
The last vulnerability is TALOS-2025-2297 (CVE-2025-66342), a type confusion vulnerability in the EMF functionality of Canva Affinity. A specially crafted EMF file can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution.
TP-Link vulnerabilities
Discovered by Lilith >_> of Cisco Talos.
The TP-Link Archer AX53 is a dual band gigabit Wi-Fi router. Talos researchers found 10 vulnerabilities in the router functionality.
TALOS-2025-2290 (CVE-2025-62673) is a stack-based buffer overflow vulnerability in the tdpServer ssh port update functionality of the TP-Link AX53. A specially crafted network packet can lead to a stack-based buffer overflow.
These eight vulnerabilities exist in the tmpServer opcode of the AX53:
A specially crafted set of network packets can be sent to trigger these vulnerabilities, which can lead to arbitrary code execution.
TALOS-2025-2291 (CVE-2025-62501) is a misconfiguration vulnerability in the SSH Hostkey functionality. A specially crafted man-in-the-middle attack can lead to credentials leak.
HikVision buffer overflow vulnerability
Discovered by a member of Cisco Talos.
HikVision creates AI-trained machine perception for use in security surveillance and other monitoring hardware, including Ultra Face Recognition Terminals for authentication.
Talos researchers found TALOS-2025-2281 (CVE-2025-66176), a stack-based buffer overflow vulnerability, in the SADP XML parsing functionality of Hangzhou Hikvision Digital Technology Co., Ltd. Ultra Face Recognition Terminal 3.7.60_250613 and Face Recognition Terminal for Turnstyle 3.7.0_240524 (under emulation). A specially crafted network packet can lead to remote code execution. An attacker can send a malicious packet to trigger this vulnerability.
Welcome to this week’s edition of the Threat Source newsletter.
Anyone who spoke with me in the last several weeks has had to deal with me loudly waiting in anticipation for the long-awaited “Project Hail Mary” movie adaptation. I read (and cried over) the book by Andy Weir, who’s also the author of “The Martian,” about a year ago and, shortly after, found out it was being made into a movie.
(I know what you’re thinking: Two movie-themed editions in two weeks? It’s every cinephile’s dream!)
Anyway, the story centers around a biologist and science teacher named Ryland Grace (Ryan Gosling), who wakes up from a coma on a spaceship lightyears away from Earth, his two crewmembers long dead. Our planet’s sun is slowly dimming, its energy being consumed by alien microbes called “astrophage” that are infecting all the stars in our stellar neighborhood — except one. Grace’s task is to figure out why this star is unaffected and send the solution back to Earth. It’s a one-way trip, and he’ll eventually die in space alone… or so he thinks.
The movie met 99.9% of my expectations, which is rare for an adaptation. The humor was spot-on, the soundtrack was gorgeous, and the puppetry — yes, the puppetry (mild spoilers for Rocky, Grace’s new alien friend) — was out-of-this-world.
While it is a story about space, it’s first and foremost about communication, trust, and collaboration — things we’re no strangers to at Talos, especially when creating the Year in Review report (which is available now). The entire process of creating this report, from raw data to final design, is only a little bit less monumental than stopping alien microbes from plunging the earth into an ice age.
The process begins with Talos’ Strategic Analysis team, who leverage the vast amount of Cisco’s telemetry, Talos research, and data from Talos Incident Response cases to analyze trends over the past year. This analysis is synthesized into a comprehensive report, which undergoes rigorous review and proofing at multiple levels. While the report is being drafted, the Strategic Comms team develops a detailed schedule of content and collateral to promote it both internally and externally, meeting weekly to track our progress. Once the text is finalized, it moves to our design team, who transform the data into a visually stunning, accessible format. Even after the report launches, the work continues: We produce videos, answer your questions on Reddit (today only!), record podcasts, create social media graphics, and collaborate across Cisco to ensure our findings reach the right people.
We do this for the good of the community. Our report isn’t gated, and it never will be; you can read it right in your browser without filling out fake names and emails in annoying forms. Talos’ job is to keep as many people as safe as possible, and that means free access to critical information. Here’s a taste of our findings:
React2Shell was the No. 1 most targeted CVE in 2025 despite only being discovered in December. ToolShell was No. 3 despite being released in June.
About 25% of the vulnerabilities on our top 100 list affect widely used frameworks and libraries, highlighting the risk of supply chain-style attacks.
Nearly a third of MFA spray attacks targeted identity and access management (IAM) applications.
Attackers continued to rely heavily on phishing for initial access, observed in 40% of Talos IR cases. Internal phishing was involved in 35% of cases.
Qilin was the most seen ransomware variant in 2025, with over 40 victims each month except January.
We also offer insights on AI and state-sponsored threats, so be sure to view the full report.
In “Project Hail Mary,” Grace and his alien friend, Rocky, realize that they can’t save their respective worlds alone. The Talos Year in Review is the result of a massive, cross-functional mission. It takes collaboration between all of Talos’ teams to turn complex, often daunting telemetry into actionable intelligence for the community.
When we share knowledge, communicate clearly, and work together, the results are, to quote Rocky, “Amaze! Amaze! Amaze!”
Stay tuned over the coming days and weeks as we break each section down into the most important 2025 Year in Review findings you need to know.
The one big thing
One of the main themes from the 2025 Year in Review’s vulnerability data is that attackers are targeting identity by compromising the infrastructure that sits around it, including physical hardware devices, software, and management platforms. Network components act as de facto identity gateways, allowing adversaries to impersonate users, bypass MFA, and traverse networks undetected. Attackers overwhelmingly prefer high-access targets that require minimal exploitation steps and yield maximum operational payoff.
Why do I care?
Identity-centric network components act as control points for the entire environment, meaning their compromise can invalidate MFA, bypass segmentation, and grant immediate access to high-value resources. Network management platforms give adversaries direct access to privileged administrative functions, device credentials, and automation pipelines that touch hundreds of downstream systems. Compromising a single ADC or management platform can expose dozens of downstream systems, making these devices powerful force multipliers.
So now what?
Organizations should consider the impact on identity when prioritizing the patching of network devices. ADCs must be protected as identity control points, not merely performance appliances. Defenders should focus on these high-leverage vulnerability classes that enable identity compromise, policy manipulation, and infrastructure-wide escalation. Read the full Year in Review for more information.
Top security headlines of the week
U.S. Department of Energy publishes five-year energy security plan
The three goals are to develop ‘world-class’ security technologies, to harden the US energy infrastructure, and establish emergency preparedness for response and recovery from incidents. (SecurityWeek)
Someone has publicly leaked an exploit kit that can hack millions of iPhones
Researchers are warning that this will allow any hacker to easily use the tools to target iPhone users running older versions of Apple’s operating systems who have not yet updated to its latest iOS 26 software. (TechCrunch)
Checkmarx KICS code scanner targeted in widening supply chain hit
Specifically, the cybercriminals infiltrated KICS GitHub Action, which organizations use to run KICS scans within their CI/CD pipelines, and poisoned multiple versions of the software. (Dark Reading)
Attackers hide infostealer in copyright infringement notices
Aimed at organizations in critical sectors, including healthcare, government, hospitality, and education, it attempts to install PureLog Stealer, a low-cost infostealer easy for threat actors to use. (Dark Reading)
Oracle releases emergency patch for critical identity manager vulnerability
CVE-2026-21992 can be used without authentication for remote code execution and it may have been exploited in the wild. (SecurityWeek)
Can’t get enough Talos?
Today only: Ask us anything
Talos and Splunk researchers are standing by on Reddit to answer your questions about the Year in Review, Top 50 Cybersecurity Threats report, or just about anything else you want to know. It’s halfway over, so post your questions now!
Year in Review highlights
In 2025, attackers moved fast, but they also played the long game. This short video highlights the biggest trends from the 2025 Talos Year in Review and what they reveal about where the threat landscape is headed.
Gravy, glutes, and the Talos Year in Review
Hazel, Bill, Joe, and Dave discuss the 2025 Year in Review, supported as always by the Turkey Lurkey Man. We also discuss the cyber activity tied to the situation in the Middle East.
Cybersecurity’s double-header
With the recent release of the Year in Review and Splunk’s Top 50 Cybersecurity Threats report, Amy, Bill, and Lou break down the most critical trends that shaped the security landscape last year.
A puppet made me cry and all I got was this t-shirt (2026-03-26)
In this episode of Talos Takes, Amy is joined by William Largent (Cisco Talos) and Lou Stella (Splunk) for a “double-header” discussion. With the recent release of the Cisco Talos 2025 Year in Review and the Splunk Top 50 Cybersecurity Threats report, we’re breaking down the most critical trends that shaped the security landscape last year — all based on Cisco telemetry, Talos’ original research, and Talos Incident Response engagements.
From the professionalization of ransomware-as-a-service to the persistent challenge of decade-old vulnerabilities, this episode moves beyond the headlines to provide a practical roadmap for defenders. You’ll get tips on how to prioritize your defenses and reduce your attack surface for the year ahead.
Talos Takes: 2025 insights from Talos and Splunk (2026-03-26)
Spammers are constantly seeking new ways to reach the widest audience possible while dodging email filters — all to ensure their “tempting” offers land in your inbox rather than the spam folder. To pull this off, bad actors are increasingly pivoting to legitimate platforms, dreaming up sophisticated ways to weaponize them for their own gain.
We’ve previously covered scam attacks using Google Forms, where fraudulent emails were sent directly from Google’s mail servers. In those cases, links were shielded by the reputable forms.gle domain, allowing them to breeze past spam filters. Now, a similar tactic has been implemented using Yandex Surveys. Here’s a look at how this new scam works, and how you can stay safe.
Everything looks fine at first glance…
Online survey tools are fairly common these days. Marketing professionals use them to gather feedback, HR departments use them for employee engagement, and researchers use them to study target audiences. But how are scammers getting in on the action?
They create a survey, embed links to fraudulent websites within the body, and blast out emails containing the survey link to their mailing lists. Standard anti-spam filters see URLs like yandex.com/poll/… as legitimate. Recipients often have the same reaction, reasonably assuming, “It’s a link to a well-known service — what could go wrong?”
Our experts have tracked a massive spike in these emails. In January, Kaspersky Premium blocked just over 2200 of these messages; by February, that number soared to over 32 000. We’re looking at aggressive scaling here — nearly a 15-fold increase in just one month.
Here’s a survey page containing a scam message and link. The visible portion features a well-known crypto exchange logo and an active link to the attackers’ site. At the bottom, you’ll notice a couple of dots; more on these later.
Spammers distribute these survey links through their own channels, often hijacking website feedback forms that lack sender verification. The fact that the message originates from a legitimate network provides yet another green flag for anti-spam filters to let these emails slide right through.
A crypto scam email in English sent through a feedback form on a Greek website
The most popular themes for this type of spam currently involve crypto scams — promising users a windfall in digital currency — and links to sketchy dating sites.
How scammers exploit Yandex Surveys
To build a survey that doesn’t actually look like one, attackers take advantage of the platform’s extended survey mode.
Yandex Surveys allows users to swap out a simple question for a text block, which can include descriptions, images, or videos. This is exactly where scammers embed their pitch and the link to their phishing site. They use the built-in “Upload media” feature to add official-looking logos and other embellishments that sell the illusion.
To make sure the victim doesn’t see the “Next” button or the standard disclaimer — which warns that surveys are created by third parties and that Yandex isn’t responsible for the content — the scammers pad the space below the scam block with invisible characters. For instance, they might add dozens of lines of transparent emojis; you can’t see them, but they still take up screen real estate. Further down, past the point where most people would stop scrolling, they simply drop in punctuation marks, one per line.
To understand how these surveys are built, we used a test survey to retrace the scammers’ steps. Transparent emojis are used to create dead space under the scam block, followed by punctuation marks further down where few users are likely to scroll.
The result? The user sees nothing but the fraudulent offer and the link, while everything else is pushed off-screen. It’s the same technique we’ve seen used with Google Forms.
Beyond the benefit of using legitimate URLs, another perk for the scammers is that this method doesn’t cost them a dime. They aren’t paying the service for promotion, or using the built-in targeting tools; they simply blast the link to their own database. In this scenario, the service is essentially being used as good-reputation web page hosting.
To top it off, the scammers can jump into the “Statistics” section of the survey to track click-through rates in real-time and then export the data into a spreadsheet. This is basically a turnkey analytics suite.
Once a victim clicks the link in the survey and lands on the attackers’ website, they are greeted by a professional-looking site running a classic “prize giveaway” scheme.
A popular scam involving a prize draw. First, you have to enter your name…
…Then, you pick one of the boxes containing a potential prize…
…And you “win” nearly an entire Bitcoin! But to claim it you have to “contact the operator”…
…Provide your Bitcoin wallet address…
…And pay a $47 “fee”, handing the scammers both your money and your payment credentials in the process
How to avoid taking the bait:
Don’t blindly trust “reputable domain names”. Seeing yandex.com or forms.gle in the address bar is no longer a guarantee that the content is safe. Anyone can create a survey at those addresses.
Stay alert if you receive an unexpected email. Be especially wary if it promises a payout, a prize, or asks you to “confirm” something urgently. These are scammers’ tricks of choice.
Always scroll to the bottom of the page. If the content abruptly cuts off and you’re left with a wall of empty space, that should set off alarm bells. Check the footer — you’ll often find service disclaimers or other clues that prove you’re looking at a fraudulent survey.
Don’t click links in suspicious surveys. If you do happen to click through, never enter any personal or financial information on the resulting site.
Use a trusted security tool. Kaspersky Premium detects these fraudulent sites and blocks access before you have a chance to hand over your data or risk infecting your device through a zero-click vulnerability.
Finally, it’s worth noting that scammers didn’t actually hack Yandex Surveys; instead, they took a creative — albeit malicious — approach to repurposing the tool for their own ends. Since Yandex Surveys is scheduled to shut down on April 6, 2026, this specific scheme will soon hit a dead end. Still, scammers are constantly hunting for the next loophole to exploit. Your best defense remains a healthy dose of skepticism toward any unexpected email — even if the links point to a domain you know and trust.
How scammers use legitimate surveys to link to malicious sites | Kaspersky official blog (2026-03-26)
A large-scale magecart operation remained active for over 24 months, leveraging an infrastructure of 100+ domains. While the targeted victims are e-commerce websites, the actual pressure falls on banks and payment systems.
As ANY.RUN’s analysis shows, threat actors applied multi-step checkout hijacking, payment page mimicry, and WebSocket-based exfiltration of card data.
This report provides both executive-level insights and technical analysis of the campaign.
Key Takeaways
The campaign demonstrates long-term persistence (24+ months) supported by highly resilient infrastructure.
Banks (not merchants) bear the primary impact, as stolen card data leads to fraud losses and reputational risk.
Payment system mimicry (notably Redsys) significantly increases attack success by embedding fraud into trusted user flows.
Use of WebSocket exfiltration reduces visibility in traditional security monitoring tools.
Multi-stage, dynamically delivered payloads allow attackers to adapt quickly and evade disruption.
The campaign is global but regionally tailored, leveraging localized payment ecosystems to enhance credibility.
Campaign Overview
A large-scale magecart operation has been identified, active for at least 24 months and supported by over 100 domains. In observed cases, threat actors deployed a multi-stage checkout hijacking framework, incorporating:
Payment step substitution
WebSocket-based exfiltration of payment card data
Payment page mimicry, including infrastructure-level impersonation of legitimate providers (notably Redsys)
Dynamic frontend adaptation of payment interfaces matching different storefronts and scenarios
A total of 17 WooCommerce websites were infected between February 2024 and April 2025 and are likely linked to this campaign, reflecting its longevity and operational stability.
Industrial and Regional Context Behind Global Impact
The geographic scope of the campaign is global. Among the victims are organizations from at least 12 countries, including the United Kingdom and Denmark. However, there’s a notable concentration of such incidents in Spain, France, and the United States.
Some cases are confirmed directly via telemetry and network traffic, while others are identified via infrastructure correlation.
From an industry perspective, mostly retail e-commerce companies were targeted, although in some cases, non-commercial organizations have been affected, too.
However, the primary pressure here falls on banks, as cardholders faced financial exposure and their trust in payment systems suffered.
Despite the global impact, the ties to Spain and its payment ecosystem in particular are obvious in this magecart campaign.
Mimicry of Redsys, a payment system used in Spain, lies at the foundation of the attacks. The campaign infrastructure features domains and visual artifacts designed to fit the Spanish payment context. In some cases, user payment flows included the legitimate Redsys domain sis.redsys.es for added credibility.
This approach made the campaign’s malicious activity convincing within the Spanish payment context.
What Makes This Campaign Durable
Payment Mimicry
A significant portion of the infrastructure is registered via NICENIC INTERNATIONAL GROUP and disguised as legitimate web services, including analytics platforms, CDN resources, jQuery libraries, and payment services. Accessed directly, these domains act as technical placeholders or simulate legitimate redirects. This complicates attribution.
Multi-Stage Delivery Architecture
The injected JavaScript contains only a small loader that connects to external infrastructure, receives configuration data, and loads the next stage. The loader uses a fallback mechanism: it iterates through backup domains until a valid response is received. This allows the campaign to go on even if some components of the infrastructure get blocked.
Dynamic Payload Delivery
The next stage isn’t openly stored inside an infected file. It’s delivered dynamically via a staging response. Thanks to this, the operators can modify delivery domains, payload paths, and control infrastructure without infecting the website again.
Different domains do not necessarily serve different campaigns. Instead, they play different roles: staging responses, payload delivery, or WebSocket/C2 and command handling.
Other Factors
State persistence in localStorage
Masquerading as legitimate external dependencies
WebSocket usage as a channel for control and exfiltration
As a result, the compromised website becomes only an initial access point. Subsequent payload delivery and data exfiltration can be flexibly modified inside the external infrastructure.
Technical analysis
Initial Loader Delivery and Execution
Following the compromise of a website, attackers modify one of the site’s embedded JavaScript files with a small, obfuscated loader. It doesn’t contain the main card-stealing logic but acts as an initial delivery tool. It executes in the victim’s browser and receives parameters for the next stage from external infrastructure.
Injected JavaScript
Next, the obfuscated part of the loader contacts one of the predetermined domains from the fallback infrastructure list. The domain returns a JSON configuration containing the next stage’s address, the WebSocket/C2 server address, and an extra HTTP handler for auxiliary communication.
Domain examples
These values are delivered as encoded arrays of numeric character codes, which are then decoded in the victim’s browser.
An example of JSON configuration. ANY.RUN Interactive Sandbox
If no response is received or the JSON is invalid, the loader automatically switches to the next domain from the list. This mechanism ensures continued operation even in the presence of partial infrastructure disruption or blocking.
Stage 1: Malicious Payload Delivery and Execution
After receiving a valid staging response, the loader takes the URL of the next JavaScript and dynamically adds it to the DOM via a new <script src=…> element.
Code fragment responsible for the execution of the malicious activity
At this point, the primary malicious payload is loaded into the page. Notably, this payload may be delivered from different domains, such as:
jquerybootstrap[.]com
newassetspro[.]com
assetsbundle[.]com
bundlefeedback[.]com
and others.
In any case, the delivery stage is the same. The operators rotate payload sources to increase the infrastructure’s durability.
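The two behaviours described above, scripts injected into the DOM at runtime and out-of-band connections to rotating hosts, are what a storefront can watch for on its own pages. The following in-page monitor is an added example, not code from the ANY.RUN report or from the skimmer: it flags dynamically added `<script src>` elements and WebSocket connections whose host is outside a merchant-defined allowlist. The allowlist hosts and the `.example` domains are assumptions.

```javascript
// Added example (not from the ANY.RUN report): an in-page monitor that flags
// dynamically injected <script src> elements and WebSocket connections to
// hosts outside an allowlist. Host names below are assumed for illustration.

// Pure decision logic, kept separate from the browser hooks so it can be
// exercised outside a browser.
function hostOf(url, base) {
  try {
    return new URL(url, base).hostname.toLowerCase();
  } catch (e) {
    return null; // malformed or relative URL without a base: not allowed
  }
}

// True when the URL's host equals an allowlisted host or is a subdomain of it.
function isAllowedHost(url, allowlist, base) {
  const host = hostOf(url, base);
  if (host === null) return false;
  return allowlist.some((a) => host === a || host.endsWith('.' + a));
}

// Classifies a script source or socket endpoint. kind: 'script' | 'websocket'
function classifyEndpoint(kind, url, policy, base) {
  const allowlist = kind === 'script' ? policy.scriptHosts : policy.socketHosts;
  if (isAllowedHost(url, allowlist, base)) {
    return { kind, url, verdict: 'allowed' };
  }
  return { kind, url, verdict: 'suspicious', reason: 'host not in allowlist' };
}

// Policy for a hypothetical storefront (assumed; sis.redsys.es is the
// legitimate PSP host named in the report).
const STORE_POLICY = {
  scriptHosts: ['shop.example', 'sis.redsys.es'],
  socketHosts: ['shop.example'],
};

// Browser-only part: hook the two mechanisms. Returns false outside a browser
// (e.g. under Node) so the decision functions above still run stand-alone.
function installMonitor(policy, report) {
  if (typeof window === 'undefined' || typeof document === 'undefined') return false;
  const base = window.location.href;

  // 1. Scripts added to the DOM after load (the report's <script src=…> stage).
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.tagName === 'SCRIPT' && node.src) {
          const r = classifyEndpoint('script', node.src, policy, base);
          if (r.verdict !== 'allowed') report(r);
        }
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });

  // 2. WebSocket connections (the report's control/exfiltration channel).
  const NativeWebSocket = window.WebSocket;
  window.WebSocket = function (url, protocols) {
    const r = classifyEndpoint('websocket', String(url), policy, base);
    if (r.verdict !== 'allowed') report(r);
    return protocols === undefined
      ? new NativeWebSocket(url)
      : new NativeWebSocket(url, protocols);
  };
  window.WebSocket.prototype = NativeWebSocket.prototype;
  return true;
}

installMonitor(STORE_POLICY, (finding) => console.warn('[skimmer-monitor]', finding));
```

A finding is a signal for investigation rather than a block: the report notes that legitimate PSP domains can appear inside the hijacked flow, so the allowlist must be maintained from the storefront's real dependency inventory.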
After loading, the main payload begins executing within the context of the store’s webpage and waits for the checkout/payment DOM to appear.
At this stage, it:
monitors the opening of the payment step;
interacts with checkout elements;
replaces or overlays the legitimate payment interface;
injects its own elements, including iframes and custom buttons;
hides the real payment confirmation elements.
Once checkout is loaded, payment hijacking begins.
Observed Code Patterns Indicative of Payment Hijacking
Delayed activation ensures the user follows through until they reach the required payment step
Attackers conceal the legitimate payment button and replace it with a fake one
The script not only runs in the background but fully overlays/replaces the interface
The form isn’t static but controlled and manageable
In some cases, the mimicry is built around a payment scenario that is visually and logically close to a legitimate PSP flow. In cases related to Spain, Redsys mimicry is especially notable, but the fake payment flow overall can adapt to storefronts, countries, and local PSPs.
Script Deobfuscation
The core payload waits for the checkout form to appear and is responsible for receiving, validating, and sending the payment data entered into the fake payment form.
Notable Code Features Inside the Script
The payload adapts to user environments with frontend localization capabilities and supports multiple languages: English, Spanish, Arabic, French.
There’s a state machine with the following states: init, return, confirm, alert, getData, allowing for controlled progression through the attack lifecycle.
Code for handling WebSocket connections to the C2 server for the control of the attack flow. Part 1.
Code for handling WebSocket connections to the C2 server. Part 2
An example of the final result of the mimicry can be seen below:
A Base64-encoded HTML page is responsible for displaying the fake payment interface
PayPlug SAS payment window imitation
There’s a heavily obfuscated JavaScript inside the HTML page. It uses techniques such as the following to avoid detection:
Anti-tampering: code integrity is verified via function serialization, as well as bitwise and arithmetic operations.
Strings are stored in an obfuscated form and decoded at runtime by a built-in VM:
Raw obfuscated strings
Deobfuscated strings
The payload is responsible for formatting and validating the Visa/Mastercard payment data entered into the fake form, as well as modifying UI state and delivering events or data via the postMessage method:
PostMessage method for data delivery
Stage 3: Connecting to Control Infrastructure
After activation, the malicious payload establishes a connection to the control infrastructure, e.g., via WebSocket.
WebSocket exfiltration code
This channel is used for:
transmitting service events;
sending BIN (Bank Identification Number) data;
transmitting full payment card details;
receiving additional commands to control the replaced payment flow.
In one of the analyzed cases, WebSocket was used as the primary channel for card data exfiltration, while the C2 server was disguised as a Redsys domain (redsysgate[.]com).
During the skimmer’s operation, it retrieves malicious JavaScript files from URLs that look like this: hxxps://<c2_domain>/<base64_text>.js?_=<digits>
Then, WebSocket connections are used for control and data transmission at: wss://<c2_domain>/?token=<base64_data>
When the user enters their data, an event is sent containing the exfiltrated information. In response, the server provides instructions on what to do next and what content to display, such as the logo of the payment system associated with the entered card (Visa/MasterCard).
Card data (random numbers used as an example) in a code fragment
This is important for understanding the campaign: attackers are not simply stealing card data; they embed exfiltration into a seemingly legitimate payment context.
Stage 4: Interception and Transmission of Payment Data
When a user enters their card details into the spoofed payment interface, the payload sends them to the attackers’ external infrastructure.
The following data was transmitted in network traffic:
BIN
full card number
expiration date
CVV
The transmission does not occur via a standard form POST request, but instead through a separate WebSocket channel, making detection via conventional HTTP logs more difficult.
Importantly, within the same cluster, the visual scenario of the attack may vary. In some cases, Redsys-themed mimicry is observed; in others, PayPlug-like or generic card form scenarios are used.
This does not necessarily indicate different campaigns: within a single malware family, the same loader, staging infrastructure, and exfiltration mechanism may be reused while applying different front-end disguises.
Additional Vector: Distribution of Android APK via the Same Inject
In addition to manipulating the payment step and stealing card data, the same malicious payload was also used as a platform to push the installation of an Android application in APK format.
The script checked the user’s environment and, if certain conditions were met, displayed a separate mobile scenario offering the user an app download. This included promises of discounts or bonuses, along with instructions on how to enable installation from “Unknown Sources.”
Based on the contents of the payloads, this scenario was localized into at least several languages, including English, Spanish, Arabic, and French. This indicates that the campaign was targeting a broad international audience and relied on a prepared, rather than ad hoc, infrastructure.
Code fragment for Android-specific flow
This scenario was localized into several languages (English, Spanish, Arabic, and French), again pointing to the campaign’s global focus and to prepared, rather than ad hoc, infrastructure.
Conclusion
This magecart campaign reflects a shift from opportunistic skimming toward structured, infrastructure-driven payment attacks. By combining checkout hijacking, high-fidelity payment mimicry, and real-time exfiltration, attackers embed malicious activity directly into legitimate transaction flows. This not only increases effectiveness but also complicates detection and response.
Deep visibility into active attacks and continuous threat monitoring are required for efficient detection and prevention of such breaches.
About ANY.RUN
ANY.RUN delivers interactive malware analysis and actionable threat intelligence, enabling security teams to investigate threats more efficiently, gain clearer visibility into attacker behavior, and respond with greater confidence.
Case 2: The same loader cluster and staging infrastructure but without confirmed card exfiltration (possibly due to redirection to a legitimate external payment flow).
Case 3: Confirmed use of the same loader cluster and staging infrastructure.
Active Magecart Campaign Targets Spain, Steals Card Data via Hijacked eStores for Bank Fraud (2026-03-26)
ANY.RUN has been recognized at Global InfoSec Awards 2026 by Cyber Defense Magazine (CDM), the industry’s leading electronic information security magazine.
We’re especially proud and grateful that our impact on the industry has been acknowledged in two categories at once:
Innovative Malware Analysis for Sandbox
Market Leader Threat Intelligence
This dual recognition reflects the approach to cybersecurity we prioritize: supporting the full SOC workflow by combining advanced malware and phishing analysis with integrated threat intelligence.
What Made This Possible
As highlighted by the award founders at CDM, ANY.RUN matched the values they looked for in participants:
“ANY.RUN embodies three major features we judges look for to become winners: understanding tomorrow’s threats, today, providing a cost-effective solution and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the next breach.”
Gary S. Miliefsky, Publisher of Cyber Defense Magazine.
ANY.RUN’s CCO received the award at the Global InfoSec Awards
We believe that ANY.RUN’s repeated high placement in industry rankings reflects its ability to address operational challenges across the investigation cycle. Our solutions support enterprise security teams as they:
Unify SOC Workflow: ANY.RUN offers a single ecosystem that streamlines monitoring, triage, and incident response without tool switching.
Accelerate Decision-Making: Interactive malware analysis combined with contextual threat intelligence delivers immediate insights, no external double-checking needed.
Scale Operations for SOCs and MSSPs: Standardized workflows and integrated intelligence empower teams of any size.
ANY.RUN is used by SOC teams at companies and organizations worldwide
ANY.RUN is used broadly by organizations with high security requirements, including the world’s largest enterprises:
We support 15,000+ SOCs and 600,000+ analysts in accelerating investigations, reducing risk, and improving operational outcomes across industries.
74% of Fortune 100 companies rely on ANY.RUN for malware analysis and threat investigation workflows.
We’re deeply thankful to our customers, partners, and community for their continued trust. We appreciate every contribution and piece of feedback and act on them to maintain the high standards we set for our solutions.
The Global InfoSec Awards 2026 are organized by Cyber Defense Magazine, a premier source of cyber security news and information for InfoSec professionals in business and government.
With a mission to share cutting-edge knowledge, real-world stories and awards on the best ideas, products, and services in the information technology industry, they deliver monthly magazines, as well as special editions for the RSAC Conferences.
The award’s judges are CISSP, FMDHS, and CEH certified security professionals who voted based on their independent review of the materials each company submitted on the awards website, including but not limited to data sheets, white papers, product literature and other market variables.
Constantly improving Interactive Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds for support across monitoring, triage, and response SOC processes.
Helping SOC and MSSP teams accelerate analysis, gain deeper context during investigations, and identify emerging threats earlier.
ANY.RUN Recognized for Innovations and Market Leadership at Global InfoSec Awards 2026 (2026-03-26)