TRENDING TOPICS AUGUST 04, 2025

A highly targeted phishing campaign was uncovered in which a threat actor abused the link-wrapping features of two well-known email security providers, Proofpoint and Intermedia, to cloak malicious URLs that led victims to Microsoft 365 credential-harvesting pages. These services are designed to protect email by rewriting links so that they pass through, and are scanned by, a trusted domain; the attacker turned that protection to their advantage. By first compromising email accounts already protected by these platforms, the actor gained a foothold to send malicious emails from inside trusted environments. The links were first shortened and then automatically rewrapped by the security tools, producing URLs that looked safe and were more likely to bypass email filters. The phishing emails impersonated business-related alerts, including voicemail messages and Microsoft Teams notifications, which added credibility and urgency to the lure. The attack was used in the wild between June and July, with real-world exploitation confirmed by Cloudflare's Email Security team. Victims who clicked the links were taken through a series of redirects, often involving legitimate services, before landing on a fake Microsoft login page that captured their credentials. In some cases the phishing emails posed as encrypted document notifications or Teams chat replies, adding to the deception. The use of compromised trusted services makes detection harder, especially when the emails arrive from otherwise legitimate domains.

To defend against this, organizations should implement multi-factor authentication, monitor for unusual link structures or unexpected redirects in emails, and avoid relying solely on link-wrapping as a security measure. Training users to scrutinize URLs, even when they come from known senders, and flagging suspicious login prompts can help detect these attempts before damage is done.
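As an added example (not from the original brief, and not code from either vendor), a small triage script for the link structure described above: it decodes Proofpoint URL Defense v2 links and flags any wrapper whose inner target is a public URL shortener. The Intermedia wrapper host is a placeholder, since the page names no host, and the sample message is constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Hosts that rewrap links. The Proofpoint URL Defense hosts are real; the
# Intermedia entry is a placeholder (assumption), as the page gives no host.
WRAPPER_HOSTS = {"urldefense.proofpoint.com", "urldefense.com",
                 "intermedia-linkwrap.placeholder.invalid"}
# Public URL shorteners: a wrapper whose inner target is one of these is the
# "shortened, then rewrapped" structure this campaign relied on.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def unwrap_proofpoint_v2(url):
    """Decode a Proofpoint URL Defense v2 link (/v2/url?u=...), where '-'
    stands for '%' and '_' for '/'. Returns None for anything else (v3 links,
    other wrappers), meaning 'wrapped, but not decodable here'."""
    p = urlparse(url)
    if p.netloc.lower() not in WRAPPER_HOSTS or not p.path.startswith("/v2/url"):
        return None
    u = parse_qs(p.query).get("u")
    return unquote(u[0].replace("-", "%").replace("_", "/")) if u else None

def analyze_links(body):
    """Classify every URL in an email body as (url, inner_url, verdict)."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")
        host = urlparse(url).netloc.lower()
        inner = None
        if host in SHORTENER_HOSTS:
            verdict = "shortener"
        elif host in WRAPPER_HOSTS:
            inner = unwrap_proofpoint_v2(url)
            if inner is None:
                verdict = "wrapped-opaque"       # hand off for manual review
            elif urlparse(inner).netloc.lower() in SHORTENER_HOSTS:
                verdict = "wrapped-shortener"    # the campaign's link pattern
            else:
                verdict = "wrapped"
        else:
            verdict = "plain"
        findings.append((url, inner, verdict))
    return findings

# Constructed sample lure (not a real message): a "voicemail" notice whose
# wrapped link hides a shortener, a wrapped Teams link, and a plain link.
SAMPLE_BODY = """You have a new voicemail (0:42).
Listen: https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3xyzAbC&d=DwMFaQ&c=c1&r=r1&m=m1&s=s1&e=
Teams: https://urldefense.proofpoint.com/v2/url?u=https-3A__teams.microsoft.com_l_chat_0_0&d=DwMFaQ
Docs: https://www.example.com/docs."""
```

Links the script cannot decode (v3 wrappers, other providers) are reported as wrapped-opaque so they still reach an analyst or a sandbox that follows the redirect chain.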

Plague Backdoor Abuses Linux Login System to Hide and Steal Access 

Researchers at Nextron Systems have identified a stealthy Linux backdoor named Plague that leverages the Pluggable Authentication Module (PAM) system to silently bypass authentication and grant persistent SSH access to compromised systems. The malware has remained undetected for over a year and has been observed in samples uploaded to VirusTotal with zero antivirus detections. Plague works by hooking pam_sm_authenticate(), a core PAM function, and injecting static credentials that let attackers log in without triggering alerts or the standard authentication checks. It employs several evasion techniques, including anti-debugging methods, obfuscated strings, and the removal of forensic traces. On a successful login it unsets environment variables including SSH_CONNECTION and SSH_CLIENT and redirects shell history to /dev/null, effectively wiping evidence of activity. Because PAM modules run at the system level and are deeply integrated into the authentication process, Plague can survive reboots, updates, and routine administrative changes without being flagged by traditional endpoint security tools. What makes Plague particularly dangerous is its simplicity and effectiveness: it is written in under 100 lines of code, yet it achieves deep persistence and stealth. It has been found in several compiled forms, including builds based on Ubuntu and Debian, suggesting ongoing development. The hardcoded passwords, tampering with session environments, and layered obfuscation indicate a well-crafted tool designed for long-term access and credential theft. No threat actor has claimed responsibility, and its use in the wild is confirmed by multiple real-world artifacts discovered since mid-2024.
To detect or mitigate Plague, administrators should routinely audit PAM directories (/lib/security, /etc/pam.d/), verify module integrity, use behavior-based monitoring tools, restrict SSH access through key-based authentication and MFA, and enable robust auditing to catch unauthorized login activity. Organizations running Linux in critical environments, especially internet-facing or infrastructure-tier systems, should treat this threat as a high-priority intrusion risk.
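A baseline check for the PAM audit recommended above, added here as an example rather than taken from Nextron's research: it hashes every module in the PAM library directories against a manifest recorded on a known-good host and parses /etc/pam.d rules to flag any module the baseline does not know. The directory layout, module names and sshd stack in demo() are a constructed fixture.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One pam.d rule: optional '-', type, control (word or [bracketed]), module, args.
PAM_RULE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+.*)?$")

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def referenced_modules(pamd_dir):
    """{(service file, module path)} for every rule; '#' and @include lines skipped."""
    refs = set()
    for svc in sorted(p for p in Path(pamd_dir).iterdir() if p.is_file()):
        for raw in svc.read_text(errors="replace").splitlines():
            line = raw.split("#", 1)[0].strip()
            m = PAM_RULE.match(line) if line and not line.startswith("@include") else None
            if m:
                refs.add((svc.name, m.group(3)))
    return refs

def audit_pam(pamd_dir, module_dirs, baseline):
    """baseline maps module filename -> sha256 from a known-good host.
    Flags unbaselined or modified modules on disk and config rules that load
    a module the baseline does not know. Returns [(severity, message)]."""
    findings = []
    for d in module_dirs:
        for so in sorted(Path(d).glob("*.so")):
            if so.name not in baseline:
                findings.append(("HIGH", f"unbaselined module on disk: {so}"))
            elif sha256_file(so) != baseline[so.name]:
                findings.append(("HIGH", f"modified module: {so}"))
    for svc, mod in referenced_modules(pamd_dir):
        if Path(mod).name not in baseline:
            findings.append(("HIGH", f"pam.d/{svc} loads unbaselined module {mod}"))
    return findings

def demo():
    """Constructed fixture: a baselined pam_unix.so plus an unbaselined extra
    module that the sshd stack was edited to load (stand-in for a backdoor)."""
    root = Path(tempfile.mkdtemp())
    sec, pamd = root / "security", root / "pam.d"
    sec.mkdir(); pamd.mkdir()
    (sec / "pam_unix.so").write_bytes(b"\x7fELF genuine")      # constructed
    (sec / "pam_extra.so").write_bytes(b"\x7fELF unknown")     # constructed
    (pamd / "sshd").write_text("# constructed\nauth [success=1 default=ignore] pam_extra.so\n"
                               "@include common-auth\nsession required pam_unix.so\n")
    baseline = {"pam_unix.so": sha256_file(sec / "pam_unix.so")}
    return audit_pam(pamd, [sec], baseline)
```

On a real host the baseline is taken from package-manager-verified files before deployment, and the module directory list should include the architecture-specific path the distribution uses alongside /lib/security.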

PlayPraetor Malware Expands Through Fake App Stores and Multi-Affiliate Operations 

PlayPraetor is a newly discovered Android remote access trojan (RAT) that has infected over 11,000 devices, with most cases concentrated in Portugal, Spain, France, Morocco, Peru, and Hong Kong. First identified in March 2025, it spreads through fake Google Play Store pages distributed via Meta Ads and SMS messages that trick users into installing malicious APKs. The malware abuses Android's accessibility services to take full control of the device, deploys fake overlay screens to steal login credentials from banking and crypto apps, and stays hidden while monitoring clipboard data and logging keystrokes. Its rapid growth is driven by targeted campaigns against Spanish-, French-, and Arabic-speaking users, though its modular design makes it adaptable to other languages and regions. PlayPraetor's multi-affiliate model enables widespread, customized campaigns that use deceptive apps tailored to specific audiences. PlayPraetor also comes in different variants that mimic real apps, install progressive web apps, or trick users into purchasing fake products. Every variant uses the same underlying control panel, which lets affiliates create convincing fake app pages and adjust attack methods in real time. This version performs on-device fraud by executing actions directly on the user's device, bypassing traditional security controls. Its growing reach and evolving capabilities make PlayPraetor a serious financial threat, particularly in regions with limited mobile threat detection and strong mobile banking adoption. To detect and mitigate PlayPraetor, organizations should enforce strict mobile device management (MDM) policies, block sideloaded APK installations, and deploy security solutions capable of monitoring accessibility service misuse. End users should avoid downloading apps from unofficial sources and carefully inspect app permissions, particularly requests for accessibility or device administrator rights.
Behavioral mobile threat defense tools can help detect overlay attacks, background data exfiltration, and unauthorized screen interaction. Organizations should additionally implement fraud detection systems that flag high-risk mobile activity and unusual transaction behavior linked to compromised devices. Security teams must also educate users on the social engineering tactics behind fake app pages and SMS phishing to reduce initial infection vectors.
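An added example (not from the original write-up) of the sideloading and accessibility-misuse checks suggested above, run over adb inventory output: it assumes the output formats of `pm list packages -i` and `settings get secure enabled_accessibility_services` as shown in the constructed samples, and the trusted-installer and allowed-service sets are placeholders to be replaced with an organization's own.

```python
import re

# Installers treated as trusted app sources (assumption for this example):
# Google Play plus a placeholder MDM agent. Anything else, including
# 'installer=null' (a sideloaded APK), is untrusted.
TRUSTED_INSTALLERS = {"com.android.vending", "com.placeholder.mdm-agent"}
# Accessibility services expected on managed devices (assumption).
ALLOWED_A11Y = {"com.android.talkback"}

def parse_installers(pm_output):
    """Parse 'pm list packages -i' lines ('package:<pkg>  installer=<src>')
    into {pkg: installer or None}."""
    out = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M):
        out[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return out

def parse_a11y(settings_value):
    """'settings get secure enabled_accessibility_services' prints a ':'-separated
    list of '<pkg>/<service>' entries (or 'null'); return the package names."""
    return {e.split("/", 1)[0] for e in settings_value.strip().split(":")
            if e and e != "null"}

def triage(pm_output, a11y_value):
    """Return {pkg: [reasons]} for packages that need a closer look: installed
    from an untrusted source, or holding accessibility access off-allowlist."""
    a11y = parse_a11y(a11y_value)
    flagged = {}
    for pkg, src in parse_installers(pm_output).items():
        reasons = []
        if src not in TRUSTED_INSTALLERS:
            reasons.append("sideloaded" if src is None else f"installer {src}")
        if pkg in a11y and pkg not in ALLOWED_A11Y:
            reasons.append("accessibility service enabled")
        if reasons:
            flagged[pkg] = reasons
    return flagged

# Constructed adb output (not from a real device): a trusted screen reader,
# a bank app, a sideloaded lookalike that also enabled an accessibility
# service, and a sideloaded app without accessibility access.
PM_SAMPLE = """package:com.android.talkback  installer=com.android.vending
package:com.bank.app  installer=com.android.vending
package:com.constructed.lure  installer=null
package:com.notes.free  installer=null
"""
A11Y_SAMPLE = ("com.android.talkback/com.google.android.marvin.talkback.TalkBackService"
               ":com.constructed.lure/com.constructed.lure.A11yService")
```

A package that is both sideloaded and holding accessibility access is the combination worth escalating first, since that is the install path and the control mechanism the campaign depends on.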

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.