{"id":300,"date":"2026-03-19T15:33:58","date_gmt":"2026-03-19T15:33:58","guid":{"rendered":"https:\/\/cybercolombia.co\/index.php\/2026\/03\/19\/fortigate-raas-citrix-exploits-mcp-abuse-livechat-phish-more-cyberdefensa-mx\/"},"modified":"2026-03-19T15:33:58","modified_gmt":"2026-03-19T15:33:58","slug":"fortigate-raas-citrix-exploits-mcp-abuse-livechat-phish-more-cyberdefensa-mx","status":"publish","type":"post","link":"https:\/\/cybercolombia.co\/index.php\/2026\/03\/19\/fortigate-raas-citrix-exploits-mcp-abuse-livechat-phish-more-cyberdefensa-mx\/","title":{"rendered":"FortiGate RaaS, Citrix Exploits, MCP Abuse, LiveChat Phish &#038; More \u2013 CYBERDEFENSA.MX"},"content":{"rendered":"<div id=\"articlebody\">\n<p>ThreatsDay Bulletin is back on The Hacker News, and this week feels off in a familiar way. Nothing loud, nothing breaking everything at once. Just a lot of small things that shouldn\u2019t work anymore but still do.<\/p>\n<p>Some of it looks simple, almost sloppy, until you see how well it lands. Other bits feel a little too practical, like they\u2019re already closer to real-world use than anyone wants to admit. And the background noise is getting louder again, the kind people usually ignore.<\/p>\n<p>A few stories are clever in a bad way. Others are just frustratingly avoidable. Overall, it feels like quiet pressure is building in places that matter.<\/p>\n<p>Skim it or read it properly, but don\u2019t skip this one.<\/p>\n<div class=\"td-wrap\">\n<section aria-labelledby=\"threatsday-title\" class=\"td-section\">\n<ol class=\"td-timeline\" role=\"list\">\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Emerging RaaS exploiting FortiGate flaws<\/span><\/p>\n<p class=\"td-desc\">\n      Group-IB has shed light on the various tactics adopted by The Gentlemen, a nascent Ransomware-as-a-Service (RaaS) operation that consists of about 20 members. 
It originated from a payment dispute after its operator \u00abhastalamuerte\u00bb opened a public arbitration thread on the RAMP cybercrime forum, accusing Qilin ransomware operators of unpaid affiliate commission amounting to $48,000. The group primarily uses CVE-2024-55591, a critical authentication bypass vulnerability in FortiOS\/FortiProxy, for initial access. \u00abThe group maintains an operational database of approximately 14,700 already exploited FortiGate devices globally,\u00bb the company <a href=\"https:\/\/www.group-ib.com\/blog\/hastalamuerte-gentlemen-raas-ttps\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abSeparate from exploited devices, the operators maintain 969 validated brute-forced FortiGate VPN credentials ready for attack.\u00bb The Gentlemen also employs defense evasion via the bring your own vulnerable driver (BYOVD) technique to terminate security processes at the kernel level. About 94 organizations have already been attacked by this threat group since its emergence in July\/August 2025.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Pre-auth RCE chain in ITSM platform<\/span><\/p>\n<p class=\"td-desc\">\n      Four security flaws (CVE-2025-71257, CVE-2025-71258, CVE-2025-71259, and CVE-2025-71260) have been disclosed in BMC FootPrints, a widely deployed ITSM solution, that could be chained into pre-authentication remote code execution. The attack sequence begins with an authentication bypass (CVE-2025-71257) that extracts a guest session token (\u00abSEC_TOKEN\u00bb) from the password reset endpoint, which is then used to reach an unsanitized Java deserialization sink (CVE-2025-71260) in the \u00ab\/aspnetconfig\u00bb endpoint\u2019s \u00ab__VIEWSTATE\u00bb parameter. 
Exploitation via the AspectJWeaver gadget chain enables arbitrary file write to the Tomcat web root directory, achieving full remote code execution. Armed with the SEC_TOKEN, an attacker could also exploit two SSRF flaws (CVE-2025-71258 and CVE-2025-71259) and potentially leak internal data. The issues were addressed in September 2025.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Loader deploys stealthy C2 malware<\/span><\/p>\n<p class=\"td-desc\">\n      The <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/hijackloader-updates\" rel=\"noopener\" target=\"_blank\">malware loader<\/a> known as Hijack Loader is being used to deliver a previously undocumented, C++-based command-and-control (C2) framework known as SnappyClient. \u00abSnappyClient has an extended list of capabilities, including taking screenshots, keylogging, a remote terminal, and data theft from browsers, extensions, and other applications,\u00bb Zscaler ThreatLabz <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/technical-analysis-snappyclient\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abSnappyClient employs multiple evasion techniques to hinder endpoint security detection, including an Antimalware Scan Interface (AMSI) bypass, as well as implementing Heaven\u2019s Gate, direct system calls, and transacted hollowing. SnappyClient receives two configuration files from the C2 server, which contain a list of actions to perform when a specified condition is met, along with another that specifies applications to target for data theft.\u00bb The framework was first discovered in December 2025. The attack chain involves the distribution of malicious payloads after a user visits a website impersonating the Spanish telecom firm Telef\u00f3nica. 
It\u2019s assessed that the primary use for SnappyClient is cryptocurrency theft, with a possible connection between the developers of HijackLoader and SnappyClient based on observed code similarities.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Deep link abuse enables command execution<\/span><\/p>\n<p class=\"td-desc\">\n      Proofpoint has detailed a new technique called CursorJack that abuses Cursor\u2019s support for Model Context Protocol (MCP) <a href=\"https:\/\/cursor.com\/docs\/mcp\" rel=\"noopener\" target=\"_blank\">deep links<\/a> to enable local command execution or allow installation of a malicious remote MCP server. The attack takes advantage of the fact that MCP servers commonly specify a command in their \u00abmcp.json\u00bb configuration. \u00abThe cursor:\/\/ protocol handler could be abused through social engineering in specific configurations,\u00bb the company <a href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/cursorjack-weaponizing-deeplinks-exploit-cursor-ide\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abA single click followed by user acceptance of an install prompt could result in arbitrary command execution. 
The technique could be leveraged both for local code execution via the command parameter or to install a malicious remote MCP server via the URL parameter.\u00bb The enterprise security firm has also <a href=\"https:\/\/github.com\/EmergingThreats\/threatresearch\/tree\/master\/CursorJack\" rel=\"noopener\" target=\"_blank\">released<\/a> a proof-of-concept (PoC) exploit on GitHub.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Mass exploitation hits Citrix flaws<\/span><\/p>\n<p class=\"td-desc\">\n      A new campaign is actively targeting known security flaws in Citrix NetScaler (CVE-2025-5777 and CVE-2023-4966). According to <a href=\"https:\/\/x.com\/DefusedCyber\/status\/2033603066402869537\" rel=\"noopener\" target=\"_blank\">Defused Cyber<\/a>, more than 500 exploit attempts have been recorded against its honeypot system on March 16, 2026. \u00abHighly elevated exploit activity against older vulnerabilities can often precede a zero-day vulnerability,\u00bb it said.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Teams phishing grants remote access<\/span><\/p>\n<p class=\"td-desc\">\n      Rapid7 said it\u2019s seeing an increase in phishing campaigns where threat actors impersonate internal IT departments via Microsoft Teams. \u00abThe primary objective is to persuade users to launch Quick Assist, granting the TA remote access to deploy malware, exfiltrate data, or facilitate lateral movement across the network,\u00bb it <a href=\"https:\/\/www.rapid7.com\/blog\/post\/dr-guidance-on-observed-microsoft-teams-phishing-campaigns\/\" rel=\"noopener\" target=\"_blank\">added<\/a>. \u00abThe recent surge in Teams-based delivery highlights a critical vulnerability in how organizations manage external access. 
Teams often allows any external user to message internal staff. This is the functional equivalent of operating an email server without a gateway filter.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">ClickFix delivers AutoHotKey backdoor<\/span><\/p>\n<p class=\"td-desc\">\n      A new ClickFix-style campaign has compromised a Pakistani government website (\u00abwasafaisalabad.gop[.]pk\u00bb) to deliver fake CAPTCHA lures. The attack chain installs an MSI installer via a disguised clipboard command, which drops an AutoHotKey-based backdoor polling a remote server for tasks, Gen Digital <a href=\"https:\/\/x.com\/GenThreatLabs\/status\/2031351353944006851\" rel=\"noopener\" target=\"_blank\">said<\/a>. It\u2019s currently not known how the website was breached. The social engineering tactic has proved so effective that even nation-state groups such as North Korea\u2019s Lazarus group, Iran\u2019s MuddyWater, and Russia\u2019s APT28 have adopted it. In January, researchers from Sekoia reported that a separate ClickFix framework dubbed IClickFix had been injected into over 3,800 WordPress sites since 2024.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Stealer upgrade spreads via pirated games<\/span><\/p>\n<p class=\"td-desc\">\n      The malware loader known as Hijack Loader is being used to deliver an updated version of an information stealer referred to as ACRStealer. \u00abThis updated variant follows similar evasion techniques and C2 initialization strategy to make it even stealthier,\u00bb G DATA <a href=\"https:\/\/blog.gdatasoftware.com\/2026\/03\/38385-acr-stealer-infrastructure\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abThis integration with HijackLoader highlights ACRStealer\u2019s versatility and modularity, which will likely attract more malicious actors to use it as a final payload.\u00bb In these campaigns, Hijack Loader is downloaded from the domain associated with PiviGames, a Spanish portal hosting pirated PC games. The development comes against the backdrop of another campaign that involved several cases of malware <a href=\"https:\/\/blog.gdatasoftware.com\/2026\/02\/38373-pivigames-spreads-hijackloader\" rel=\"noopener\" target=\"_blank\">being distributed<\/a> through PiviGames.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Live chat phishing steals sensitive data<\/span><\/p>\n<p class=\"td-desc\">\n      A new phishing campaign has been observed using LiveChat, a customer service software featuring live messaging, to steal data. Phishing emails using refund-related themes are used to redirect users to a link hosted via LiveChat\u2019s service (\u00abdirect.lc[.]chat\u00bb), from where they are asked to click on a link sent in the chat to complete the refund by entering their personal and financial information. 
\u00abUnlike typical refund scams or credential phishing, this campaign engages victims through a real-time chat interface, impersonating well-known brands in order to harvest sensitive data such as account credentials, credit card details, multi-factor authentication (MFA) codes, and other personally identifiable information (PII),\u00bb Cofense <a href=\"https:\/\/cofense.com\/blog\/livechat-abuse-how-phishers-are-exploiting-saas-support-tools-to-steal-sensitive-data\" rel=\"noopener\" target=\"_blank\">said<\/a>.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">RagaSerpent expands multi-region espionage<\/span><\/p>\n<p class=\"td-desc\">\n      A SideWinder-adjacent cluster known as RagaSerpent is suspected to be leveraging tax audit and government compliance themes in spear-phishing emails to deliver multi-stage malware for command-and-control (C2) and establish sustained access across targeted organizations in Southeast Asia, including Indonesia and Thailand. The attack chain is consistent with a prior campaign targeting India using similar tax-related lures to deliver a legitimate enterprise tool called SyncFuture TSM, developed by a Chinese company. \u00abThis is not unusual in APT operations: in-country targeting can be used to complicate attribution (e.g., by creating noisy \u2018domestic\u2019 victimology) or to reach foreign diplomats\/missions operating inside India\u2014a pattern explicitly noted in reporting on SideWinder\u2019s broader geographic targeting and diplomatic victim set,\u00bb ITSEC Asia <a href=\"https:\/\/www.linkedin.com\/posts\/itsec-asia_when-your-tax-audit-email-is-actually-a-activity-7437768379685380096-8a7Y\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
The recent campaigns show the threat actor has expanded its operations beyond South Asia and into Africa, Europe, the Middle East, and Southeast Asia.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Unauthenticated access exposed device data<\/span><\/p>\n<p class=\"td-desc\">\n      DJI has <a href=\"https:\/\/www.theverge.com\/tech\/879088\/dji-romo-hack-vulnerability-remote-control-camera-access-mqtt\" rel=\"noopener\" target=\"_blank\">patched<\/a> a security flaw in its backend that could have allowed attackers to take over all its Romo smart vacuums. Security researcher Sammy Azdoufal said DJI servers returned data for any device just by providing a device serial number. DJI shared the data on any device without any authentication or authorization. The researcher said he was able to map the locations of more than 7,000 Romo smart vacuums and 3,000 DJI portable power stations that shared the same server.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">New password layer strengthens account security<\/span><\/p>\n<p class=\"td-desc\">\n      WhatsApp has begun <a href=\"https:\/\/wabetainfo.com\/whatsapp-beta-for-android-2-26-7-8-whats-new\/\" rel=\"noopener\" target=\"_blank\">testing<\/a> support for setting an alphanumeric account password. It can be anywhere between six and 20 characters long and should include at least one letter and one number. Adding an alphanumeric password to the equation is likely an effort to make brute-force attempts harder. 
For example, if a threat actor carries out a SIM swap to intercept messages and bypass two-factor authentication, they would still need to enter the 6-20 character-long password to gain access to the victim\u2019s WhatsApp account.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Suspected ransomware group appears fabricated<\/span><\/p>\n<p class=\"td-desc\">\n      More evidence has emerged that the <a href=\"https:\/\/www.cyderes.com\/howler-cell\/0apt-bluff-campaign-evolves-into-potential-threat\" rel=\"noopener\" target=\"_blank\">0APT ransom group<\/a> is likely a fake and a fraud. \u00abThus far, the threat actor has not provided credible proof of ransomware or data exfiltration attacks as the data samples on the DLS appeared to be fabricated,\u00bb Intel 471 <a href=\"https:\/\/www.intel471.com\/blog\/likely-fake-ransomware-operator-0apt-causes-panic-our-analysis\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abFor example, the files that supposedly contained metadata of data stolen from victim networks were unusually large, reaching several terabytes each. 
Additionally, partial downloads of those files indicated they did not contain any useful data, and in fact, we observed several instances in which the content contained a repeating pattern of null bytes.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Google blocks millions of risky apps<\/span><\/p>\n<p class=\"td-desc\">\n      Google <a href=\"https:\/\/security.googleblog.com\/2026\/02\/keeping-google-play-android-app-ecosystem-safe-2025.html\" rel=\"noopener\" target=\"_blank\">rejected<\/a> 1.75 million policy-violating Android apps and blocked more than 80,000 developer accounts from the Google Play Store in 2025, down from 2.36 million apps and 158,000 accounts in 2024. The company said that through 2025, it blocked more than 255,000 Android apps from obtaining excessive access to sensitive user data, and that it implemented more than 10,000 safety checks on published apps and strengthened detection capabilities by integrating Google\u2019s latest generative artificial intelligence (AI) models into the review process. Android\u2019s built-in security suite, Play Protect, which now scans over 350 billion apps every day, has identified over 27 million malicious apps sideloaded from outside Google Play. Play Protect\u2019s \u2018enhanced fraud protection\u2019 has been expanded to cover over 2.8 billion Android devices in 185 markets, blocking 266 million installation attempts from 872,000 unique risky apps. In a related development, the tech giant has made available Scam Detection for phone calls on Google Pixel devices in the U.S., U.K., Australia, Canada, France, Germany, India, Ireland, Italy, Japan, Mexico, and Spain. 
It\u2019s also being <a href=\"https:\/\/security.googleblog.com\/2026\/02\/strengthening-android-lead-in-scam-protection.html\" rel=\"noopener\" target=\"_blank\">expanded<\/a> to the Samsung Galaxy S26 series in the U.S.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">1% of flaws drove most attacks<\/span><\/p>\n<p class=\"td-desc\">\n      A report from VulnCheck found that a mere 1% of 2025 CVEs were exploited in the wild by the end of the year. Network edge devices accounted for a third of all products exploited last year. \u00abThere was a small decrease (-13%) in new vulnerabilities linked to named state-sponsored threat groups and APTs over the course of 2025,\u00bb the cybersecurity company <a href=\"https:\/\/www.vulncheck.com\/blog\/2026-vulncheck-exploit-intelligence-report\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abNew CVE exploits attributed to China-nexus groups increased while Iranian exploit activity fell.\u00bb Another report from IBM X-Force <a href=\"https:\/\/www.ibm.com\/think\/x-force\/threat-intelligence-index-2026-securing-identities-ai-detection-risk-management\" rel=\"noopener\" target=\"_blank\">revealed<\/a> that there has been a 44% increase in cyberattacks exploiting public-facing applications.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">EU extends CSAM detection rules<\/span><\/p>\n<p class=\"td-desc\">\n      The European Parliament has <a href=\"https:\/\/www.europarl.europa.eu\/news\/en\/press-room\/20260306IPR37531\/child-sexual-abuse-online-support-for-extending-rules-until-august-2027\" rel=\"noopener\" target=\"_blank\">voted<\/a> to extend a temporary exemption to E.U. 
privacy legislation that allows online platforms to voluntarily detect child sexual abuse material (CSAM) until August 2027. Lawmakers said the additional time will allow the bloc to negotiate and adopt a long-term legal framework to prevent and combat CSAM online.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">AOT malware evades analysis and detection<\/span><\/p>\n<p class=\"td-desc\">\n      A previously undocumented attack chain delivered via a phishing URL has been found to distribute a ZIP archive containing a C++ trojan downloader, which then initiates a loader responsible for decrypting and staging the Rhadamanthys stealer and XMRig cryptocurrency miner. \u00abThe campaign\u2019s core evasion relies on .NET Native Ahead-of-Time (AOT) compiled binaries, which strip traditional .NET metadata, frustrate common .NET analysis tools, and force analysts to fall back on native-level tooling, making detection and reverse engineering significantly harder,\u00bb Cyderes <a href=\"https:\/\/www.cyderes.com\/howler-cell\/reverse-engineering-net-aot-malware\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abSophisticated anti-analysis capabilities: The AOT loader employs a sandbox scoring system evaluating RAM size, system uptime, user file counts, and AV process presence; virtual machine detection via registry inspection; and active suppression of miner activity when monitoring tools like Task Manager, Process Hacker, or x64dbg are detected.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Secrets sprawl surges across GitHub<\/span><\/p>\n<p class=\"td-desc\">\n      GitGuardian\u2019s State of Secrets Sprawl report has <a href=\"https:\/\/blog.gitguardian.com\/the-state-of-secrets-sprawl-2026\/\" rel=\"noopener\" target=\"_blank\">found<\/a> that 28,649,024 new secrets were added to public GitHub commits in 2025 alone, up 34% from the previous year. The figure also represents a 152% increase in leaked secrets growth since 2021. In 2025, AI service secrets reached 1,275,105, up 81% year-over-year. Also identified by GitGuardian were 24,008 unique secrets exposed in MCP-related configuration files across public GitHub, including 2,117 unique valid credentials.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Malicious themes inject ads and redirects<\/span><\/p>\n<p class=\"td-desc\">\n      Six malicious Packagist packages posing as OphimCMS themes have been found to contain trojanized jQuery that exfiltrates URLs, injects full-screen overlay ads, and loads Funnull-linked redirects. The packages are ophimcms\/theme-dy, ophimcms\/theme-mtyy, ophimcms\/theme-rrdyw, ophimcms\/theme-pcc, ophimcms\/theme-motchill, and ophimcms\/theme-legend. 
\u00abAll six ship trojanized JavaScript assets, primarily disguised as legitimate jQuery libraries, that redirect visitors, exfiltrate URLs, inject ads, and in the most severe case load a second-stage payload \u2013 a mobile-targeted redirect to gambling and adult content sites, from infrastructure operated by Funnull,\u00bb Socket <a href=\"https:\/\/socket.dev\/blog\/6-malicious-packagist-themes-ship-trojanized-jquery\" rel=\"noopener\" target=\"_blank\">said<\/a>.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Multi-stage phishing bypasses security filters<\/span><\/p>\n<p class=\"td-desc\">\n      A C-level executive at Swedish security firm Outpost24 was <a href=\"https:\/\/specopssoft.com\/blog\/phishing-campaign-cisco\/\" rel=\"noopener\" target=\"_blank\">targeted<\/a> in a sophisticated phishing attack. The multi-chain redirect phishing campaign impersonated JPMorgan Chase to trick the recipient into reviewing a document by clicking on a link and triggering the infection. The link is a redirect URL hosted within Cisco\u2019s infrastructure, which then initiates a series of URL redirects that leverage trusted services like Nylas as well as compromised legitimate infrastructure to bypass security filters and conceal the final phishing destination. \u00abSeveral stages redirect victims through legitimate or previously reputable domains, reducing the likelihood that security scanners or reputation-based filtering will block the link,\u00bb Specops said. 
\u00abThe attackers went as far as to implement a legitimate Cloudflare-based \u2018human validation\u2019 step to ensure that only real people saw the actual landing page where credentials are requested.\u00bb The attack, ultimately unsuccessful, is said to have used a new phishing-as-a-service (PhaaS) toolkit named Kratos.\n    <\/p>\n<\/div>\n<\/li>\n<\/ol>\n<\/section>\n<\/div>\n<p>Some of this will fade by next week. Some of it won\u2019t. That\u2019s the annoying part, figuring out which \u201cminor\u201d thing quietly sticks around and turns into a real problem later.<\/p>\n<p>Anyway, that\u2019s the rundown. Take what you need, ignore what you can, and keep an eye on the stuff that feels a little too easy.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>ThreatsDay Bulletin is back on The Hacker News, and this week feels off in a familiar way. Nothing loud, nothing breaking everything at once. Just a lot of small things that shouldn\u2019t work anymore but still do. Some of it looks simple, almost sloppy, until you see how well it lands. 
Other bits feel a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,5],"tags":[1059,1057,24,144,379,1060,1058,1061,1056],"class_list":["post-300","post","type-post","status-publish","format-standard","hentry","category-noticias","category-trending","tag-abuse","tag-citrix","tag-cyberdefensa-mx","tag-exploits","tag-fortigate","tag-livechat","tag-mcp","tag-phish","tag-raas"],"_links":{"self":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/300","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/comments?post=300"}],"version-history":[{"count":0,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/300\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/media?parent=300"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/categories?post=300"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/tags?post=300"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}