2FA phishing
-
Over 4,300 Domains Used in Mass Phishing Campaign Targeting Hotel Guests
Researchers say a Russian-speaking threat actor registered more than 4,300 domains this year to run a large phishing campaign impersonating hotel booking services and harvesting payment data and credentials.
-
Proofpoint links new UNK_SmudgedSerpent cluster to targeted phishing of Iran experts
Proofpoint has identified a new threat cluster, UNK_SmudgedSerpent, that used political lures, impersonation and malicious installers to target academics and Iran policy experts between June and August 2025, deploying RMM tools including PDQ Connect and possibly ISL Online.
-
Herodotus Android malware uses human-like typing delays to evade detection
Threat Fabric has identified Herodotus, an Android malware-as-a-service that uses randomized typing delays to mimic human input and evade timing-based detection, and is being distributed via SMS to users in Italy and Brazil.
-
Toys “R” Us Canada notifies customers after customer records leaked
Toys “R” Us Canada told customers a threat actor posted stolen customer records on the unindexed internet on July 30, 2025. Third-party investigators confirmed the authenticity of the data, which may include names, addresses, emails and phone numbers; passwords and payment data were not exposed. The company said it has upgraded security and is notifying regulators, and…
-
Researchers warn ‘Jingle Thief’ group exploits cloud access to commit gift card fraud
Palo Alto Networks Unit 42 says a group called Jingle Thief is targeting cloud environments used by retailers to steal credentials, issue unauthorized gift cards and resell them on gray markets, using phishing, long‑term access and identity misuse to evade detection.
-
Iran-linked MuddyWater used compromised email to deliver Phoenix backdoor to 100+ MENA government targets, Group-IB says
Group-IB says Iran-linked MuddyWater used a compromised mailbox accessed via NordVPN to phish MENA organisations, deploying weaponised Word documents that installed the Phoenix v4 backdoor across more than 100 government targets and hosting RMM tools and a browser credential stealer on its C2 infrastructure.
-
Europol: SIMCARTEL takedown leads to seven arrests, thousands of SIM cards seized
European authorities dismantled a network called SIMCARTEL that used SIM boxes to facilitate phishing and other frauds, seizing thousands of SIM cards, making seven arrests and tracing the operation to millions of created accounts, officials said.