TRENDING TOPICS OCT 17, 2025

Microsoft-Branded Phishing Scam Uses Fake CAPTCHAs and Browser Lockdowns to Deliver Tech Support Fraud

A campaign analyzed by the Cofense Phishing Defense Center borrows Microsoft's name and visual branding for a multi-stage social engineering scam. The phishing email poses as a payment notification from "Syria Rent a Car", offers the recipient a reimbursement, and asks them to "confirm" their account through an embedded link. The link first leads to a fake CAPTCHA page and then redirects to a landing page that imitates a Microsoft security lockdown: the page appears to freeze the browser, blocks mouse input, and floods the screen with Microsoft-styled alerts claiming the system is infected. Victims are urged to call a displayed "Microsoft Support" number, which connects them to scammers posing as technicians who pressure them into handing over credentials or installing remote desktop tools. By combining a payment lure, a fake verification step, and a convincing scareware-style overlay, the attackers exploit brand trust and panic to obtain hands-on access to the victim's machine. Cofense notes that the campaign reflects a shift from simple credential theft toward live social engineering that amplifies the damage. Worth stressing in awareness training: the "lockdown" is produced by the page's own scripts, not by a compromised system; closing the tab or browser (through Task Manager if needed) ends it, and a legitimate Microsoft warning never asks the user to call a phone number. Organizations can mitigate such threats with layered phishing defenses, user awareness programs that cover this scenario, and monitoring for abnormal browser behavior and unauthorized remote access tool installations.
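Because the "frozen browser" effect comes from the landing page's own JavaScript (event handlers that cancel keyboard and context-menu input, fullscreen and exit-confirmation traps, alert loops, a hidden cursor), a copy of the page pulled from a URL sandbox can be triaged statically. The following is an added example written for this digest, not Cofense's tooling and not code recovered from this campaign: it scores page source for those lockdown tricks and for the phone-number lure. The indicator list, the verdict rule and the sample page are assumptions constructed for the example.

```javascript
// Added example (not from the Cofense report): static triage of a suspected
// tech-support-scam landing page. Indicator list, weighting and the sample
// page below are constructed for this example.

const LOCKDOWN_INDICATORS = [
  { id: 'fullscreen-trap',      re: /requestFullscreen\s*\(/ },
  { id: 'keyboard-suppressed',  re: /['"]keydown['"][\s\S]{0,200}?preventDefault/ },
  { id: 'context-menu-blocked', re: /['"]contextmenu['"][\s\S]{0,200}?preventDefault|oncontextmenu\s*=\s*['"]?\s*return\s+false/ },
  { id: 'cursor-hidden',        re: /cursor\s*:\s*none/ },
  { id: 'exit-blocked',         re: /beforeunload/ },
  { id: 'alert-flood',          re: /setInterval\s*\([\s\S]{0,120}?\b(alert|confirm)\s*\(/ },
  { id: 'history-spam',         re: /setInterval\s*\([\s\S]{0,120}?history\.pushState/ },
];
const LURE_INDICATORS = [
  // A tel: link or a North-American-style number; noisy on its own, hence the weighting below.
  { id: 'support-phone', re: /href\s*=\s*['"]tel:|\+?1?[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}/ },
  { id: 'brand-spoof',   re: /Microsoft\s+(Support|Security|Defender)/i },
];

function scanLandingPage(html) {
  const lockdown = LOCKDOWN_INDICATORS.filter(i => i.re.test(html)).map(i => i.id);
  const lure = LURE_INDICATORS.filter(i => i.re.test(html)).map(i => i.id);
  // Lockdown tricks alone are noisy (kiosk and exam pages use them); the
  // combination with a phone number and spoofed branding is the scam signature.
  let verdict = 'benign';
  if (lockdown.length && lure.length === LURE_INDICATORS.length) verdict = 'tech-support-scam';
  else if (lockdown.length || lure.length) verdict = 'suspicious';
  return { verdict, hits: [...lockdown, ...lure] };
}

// Constructed sample page modelled on the behaviours described in the write-up.
const SAMPLE_PAGE = `<html><head><style>body { cursor: none; }</style></head><body>
<h1>Microsoft Security Alert</h1>
<p>Your PC is infected. Call Microsoft Support: <a href="tel:+18005550100">+1 (800) 555-0100</a></p>
<script>
document.documentElement.requestFullscreen();
document.addEventListener('keydown', e => e.preventDefault());
document.addEventListener('contextmenu', e => e.preventDefault());
window.addEventListener('beforeunload', e => { e.returnValue = 'Do not leave'; });
setInterval(() => { history.pushState({}, '', location.href); alert('Windows Defender: threats found'); }, 1000);
</script></body></html>`;

// Constructed benign page for comparison.
const BENIGN_PAGE = '<html><body><h1>Quarterly report</h1><p>Contact: billing@example.com</p></body></html>';

console.log(JSON.stringify(scanLandingPage(SAMPLE_PAGE)));
console.log(JSON.stringify(scanLandingPage(BENIGN_PAGE)));
```

Run it with `node` on a saved copy of a suspect page by reading the file into `scanLandingPage`. Tune the phone-number pattern to your region, and expect `suspicious` rather than a hard verdict on legitimate kiosk or proctoring pages that lock the browser without a phone lure.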

WaterPlum’s ClickFake Interview Campaign Deploys Updated OtterCandy RAT Across Multiple Platforms

A campaign attributed to North Korea's WaterPlum Cluster B, also tracked as BlockNovas, has been observed distributing an updated version of the OtterCandy remote access trojan (RAT) through fake interview websites built on the ClickFix technique. WaterPlum has a history of such operations, including Contagious Interview and ClickFake Interview, aimed at developers and other technical professionals. In this iteration, victims are lured into running what appears to be a legitimate interview application, which silently installs OtterCandy, a Node.js-based RAT that merges functionality from earlier WaterPlum tools, including RATatouille and OtterCookie. Once running, OtterCandy opens a Socket.IO-based C2 channel and supports credential theft, cryptocurrency wallet exfiltration, and document collection on Windows, macOS, and Linux. Recent updates add a client_id value for unique victim tracking, expand browser data theft from four to seven targeted extensions, and introduce a self-cleaning command (ss_del) that deletes persistence artifacts to frustrate forensic recovery. Cluster B's latest activity shows continued evolution within the WaterPlum ecosystem: social engineering, multi-platform malware, and refined persistence combine to increase stealth and longevity. The choice of JavaScript tooling and real-time C2 communications favors portability and flexibility, and because Node.js and Socket.IO are common in legitimate developer environments, the activity blends in. Organizations should monitor for unexpected Node.js processes (particularly those launched from temporary or download directories), outbound Socket.IO connections from such processes to unfamiliar hosts, and registry or file deletions consistent with cleanup routines. Strengthening browser extension controls, enforcing application allowlisting, and relying on behavioral threat detection will be key to mitigating OtterCandy's evolving capabilities. Continued analysis and intelligence sharing remain critical to pre-empting future WaterPlum Cluster B operations.
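The monitoring advice above (unexpected Node.js processes, Socket.IO connections, cleanup deletions) can be expressed as a small triage pass over endpoint telemetry. The block below is an added example for this digest, not WaterPlum tooling and not any vendor's detection content. The event schema (JSON lines with `type`, `image`, `cmdline`, `url`, `path`), the directory and persistence-location lists, and the sample events are all assumptions constructed for the example; the Socket.IO signature relies on the Engine.IO handshake path and `EIO=` query parameter that Socket.IO clients put in their URLs.

```javascript
// Added example (not WaterPlum tooling, not vendor detection content): triage
// of endpoint telemetry for the OtterCandy behaviours named in the write-up.
// Event schema, path lists and sample events are constructed assumptions.

const NODE_IMAGE_RE = /(^|[\\/])node(\.exe)?$/i;
// Engine.IO handshake artefacts that Socket.IO clients put in the URL.
const SOCKETIO_RE = /\/socket\.io\/|[?&]EIO=\d/;
// Places a legitimate Node.js service is rarely launched from (assumption).
const UNTRUSTED_DIRS = [
  /[\\/]AppData[\\/]Local[\\/]Temp[\\/]/i,
  /[\\/]Downloads[\\/]/i,
  /\/tmp\//,
];
// Persistence locations whose deletion by a Node.js process suggests cleanup (assumption).
const PERSISTENCE_LOCATIONS = [
  /\\Start Menu\\Programs\\Startup\\/i,      // Windows startup folder
  /\\CurrentVersion\\Run\\?/i,               // Run key (registry events carry the key path)
  /\/Library\/LaunchAgents\/.*\.plist$/,     // macOS launch agents
  /\/\.config\/autostart\/.*\.desktop$/,     // Linux XDG autostart
];

function triageNodeEvents(jsonl) {
  const findings = [];
  for (const line of jsonl.split('\n')) {
    if (!line.trim()) continue;
    let ev;
    try { ev = JSON.parse(line); } catch { continue; }   // skip malformed lines
    if (!NODE_IMAGE_RE.test(ev.image || '')) continue;    // only Node.js processes
    const hit = rule => findings.push({ id: ev.id, rule });
    if (ev.type === 'process' && UNTRUSTED_DIRS.some(r => r.test(ev.cmdline || ''))) hit('node-from-untrusted-dir');
    if (ev.type === 'netconn' && SOCKETIO_RE.test(ev.url || '')) hit('socketio-channel');
    if ((ev.type === 'filedelete' || ev.type === 'regdelete') &&
        PERSISTENCE_LOCATIONS.some(r => r.test(ev.path || ''))) hit('persistence-cleanup');
  }
  return findings;
}

// Constructed sample telemetry: ids 1-4 mimic the reported behaviours,
// 5-7 are ordinary developer activity. 203.0.113.5 is a documentation address.
const WIN_NODE = 'C:\\Program Files\\nodejs\\node.exe';
const SAMPLE_TELEMETRY = [
  { id: 1, type: 'process',    image: WIN_NODE, cmdline: 'node.exe C:\\Users\\dev\\AppData\\Local\\Temp\\interview-app\\main.js' },
  { id: 2, type: 'netconn',    image: WIN_NODE, url: 'wss://203.0.113.5/socket.io/?EIO=4&transport=websocket' },
  { id: 3, type: 'filedelete', image: WIN_NODE, path: 'C:\\Users\\dev\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.lnk' },
  { id: 4, type: 'regdelete',  image: WIN_NODE, path: 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater' },
  { id: 5, type: 'netconn',    image: '/usr/local/bin/node', url: 'https://registry.npmjs.org/lodash' },
  { id: 6, type: 'process',    image: '/usr/local/bin/node', cmdline: 'node /home/dev/projects/api/server.js' },
  { id: 7, type: 'filedelete', image: '/bin/rm', path: '/Users/dev/Library/LaunchAgents/com.example.plist' },
].map(e => JSON.stringify(e)).join('\n');

console.table(triageNodeEvents(SAMPLE_TELEMETRY));
```

In a real environment the `socketio-channel` rule needs an allowlist of known development and SaaS hosts, since Socket.IO is legitimately common; the value is in correlating it with the other two rules on the same host within a short window.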

North Korean Hackers Adopt EtherHiding to Conceal Malware in Blockchain Smart Contracts

A North Korean state-sponsored threat actor tracked as UNC5342 has been observed using the EtherHiding technique to deliver multi-stage malware through blockchain infrastructure. The campaign, part of the long-running "Contagious Interview" operation, approaches software developers and cryptocurrency professionals on LinkedIn with fake job offers, moves the conversation to Telegram or Discord, and then sends a malicious "coding assessment". Google's Threat Intelligence Group, which attributes the activity to UNC5342 (also tracked as DeceptiveDevelopment, DEV#POPPER, and Void Dokkaebi), describes this as the first observed instance of a nation-state actor storing malicious payloads in blockchain smart contracts, consistent with the DPRK's dual mission of espionage and cryptocurrency theft. The approach turns public chains, including BNB Smart Chain and Ethereum, into payload-hosting infrastructure that is resistant to conventional takedowns. Once the target runs the malicious JavaScript downloader, which masquerades as an npm package, it reads the smart contracts to fetch the next stages, including the JADESNOW loader and the InvisibleFerret backdoor. These components provide persistent access, data theft, and cryptocurrency wallet exfiltration across Windows, macOS, and Linux. Because the attacker controls the contract, the staged code can be swapped with a single on-chain transaction, while the chain's immutability and pseudonymity protect the delivery channel; UNC5342 effectively turns decentralized infrastructure into a bulletproof staging channel for its payloads. Note that reading a contract's state does not create a transaction: the victim-side lookups are ordinary JSON-RPC requests (such as eth_call) to public node endpoints, which is what network defenders should look for. This evolution underscores how state-backed units now lean on decentralized technologies to evade law enforcement and maintain persistence. Security teams should monitor for anomalous npm packages, JSON-RPC calls to blockchain node endpoints from processes that have no business talking to a chain, and unexpected JavaScript execution tied to such lookups.
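To make the lookup concrete for anyone reviewing proxy captures: the downloader issues an eth_call against the contract, and the node returns the stored string ABI-encoded (a 32-byte offset, a 32-byte length, then the UTF-8 bytes padded to a 32-byte boundary). The block below is an added example written for this digest, not code from the GTIG report or from UNC5342's tooling. It builds the request shape, decodes the response shape, and flags a decoded string that looks like script. The contract address, the four-byte selector, and the sample payload are placeholders constructed for the example, not indicators from the campaign.

```javascript
// Added example (not GTIG's or UNC5342's code): the eth_call request shape an
// EtherHiding downloader sends, the ABI-encoded string it gets back, and a
// triage helper that decodes captured exchanges. Contract, selector and
// payload below are placeholders constructed for this example.

const PLACEHOLDER_CONTRACT = '0x' + '11'.repeat(20);   // assumption: not a real contract
const PLACEHOLDER_SELECTOR = '0x20965255';             // assumption: placeholder 4-byte selector

// ABI encoding of a dynamic `string` return value; used here only to build the sample.
function abiEncodeString(s) {
  const bytes = Buffer.from(s, 'utf8');
  const word = n => n.toString(16).padStart(64, '0');
  const padded = Buffer.concat([bytes, Buffer.alloc((32 - bytes.length % 32) % 32)]);
  return '0x' + word(0x20) + word(bytes.length) + padded.toString('hex');
}

// Inverse: recover the string from an eth_call `result` field, with bounds checks.
function abiDecodeString(hex) {
  const h = hex.startsWith('0x') ? hex.slice(2) : hex;
  if (h.length < 128 || h.length % 2) throw new Error('not an ABI-encoded string');
  const offset = parseInt(h.slice(0, 64), 16);          // byte offset of the length word
  const len = parseInt(h.slice(offset * 2, offset * 2 + 64), 16);
  const start = offset * 2 + 64;
  if (Number.isNaN(len) || start + len * 2 > h.length) throw new Error('length exceeds payload');
  return Buffer.from(h.slice(start, start + len * 2), 'hex').toString('utf8');
}

// The read-only JSON-RPC request a downloader sends to a public node endpoint.
function buildEthCall(contract, selector, id = 1) {
  return JSON.stringify({
    jsonrpc: '2.0', id, method: 'eth_call',
    params: [{ to: contract, data: selector }, 'latest'],
  });
}

// Returns { to, selector } for an eth_call body, null for anything else.
function parseEthCall(body) {
  let req;
  try { req = JSON.parse(body); } catch { return null; }
  if (req.method !== 'eth_call' || !Array.isArray(req.params)) return null;
  const { to, data } = req.params[0] || {};
  return { to, selector: (data || '').slice(0, 10) };
}

// Heuristic (assumption): strings read from a contract should not look like JavaScript.
const SCRIPT_MARKERS = /\b(eval|Function|require|fetch|child_process|atob)\s*\(|https?:\/\//;

function triageRpcExchange(requestBody, responseBody) {
  const call = parseEthCall(requestBody);
  if (!call) return { verdict: 'not-eth_call' };
  let res;
  try { res = JSON.parse(responseBody); } catch { return { ...call, verdict: 'unparseable-response' }; }
  let payload;
  try { payload = abiDecodeString(res.result || ''); } catch { return { ...call, verdict: 'non-string-result' }; }
  return { ...call, payload, verdict: SCRIPT_MARKERS.test(payload) ? 'script-staged-on-chain' : 'string-result' };
}

// Constructed sample exchange: what a proxy would log for a non-browser process
// asking a public RPC node for the contract's stored string.
const SAMPLE_REQUEST = buildEthCall(PLACEHOLDER_CONTRACT, PLACEHOLDER_SELECTOR);
const SAMPLE_PAYLOAD = "eval(atob('Y29uc29sZS5sb2coMSk='))";   // constructed; decodes to console.log(1)
const SAMPLE_RESPONSE = JSON.stringify({ jsonrpc: '2.0', id: 1, result: abiEncodeString(SAMPLE_PAYLOAD) });

console.log(triageRpcExchange(SAMPLE_REQUEST, SAMPLE_RESPONSE));
```

Real downloaders may wrap the returned string in further encoding or fetch bytes rather than a string, so `non-string-result` is a prompt to inspect, not a clean bill of health. The stronger signal is the request itself: an eth_call from a process that is neither a wallet nor a browser deserves attention regardless of what comes back.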

Top CVEs of the Week

As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. They reflect a constantly evolving threat landscape and reinforce the importance of timely patching, secure configuration, and proactive security practices. Each entry summarizes the vulnerability, its impact, and the available remediation guidance.

CVE-2025-46817 | Critical | Redis ≤8.2.1 | Integer overflow | Authentication required
Redis versions up to 8.2.1 allow an authenticated user to trigger an integer overflow through a crafted Lua script, potentially leading to remote code execution on the Redis host. The flaw exists in every Redis release that ships with Lua scripting.
Mitigation: Update to Redis 8.2.2 or the patched release for your branch. Where scripting is not required, deny the scripting command category to the affected users with Redis ACLs (for example -@scripting), review which users can authenticate, and monitor for unusual EVAL/EVALSHA activity.

CVE-2025-37947 | High | Linux kernel ksmbd | Out-of-bounds write
The in-kernel SMB server (ksmbd) fails to validate the write offset when handling alternate data streams, allowing an out-of-bounds memory write. Exploitation can crash the kernel or, in the worst case, lead to arbitrary code execution on affected systems.
Mitigation: Apply the patched kernel from your distribution. Until then, consider unloading ksmbd if it is not actively required, and keep SMB exposure limited to trusted networks.

CVE-2025-53967 | High | Framelink Figma MCP Server < 0.6.3 | OS command injection | Unauthenticated
Framelink Figma MCP Server versions prior to 0.6.3 build a shell command from unsanitized input in HTTP POST requests, so an attacker who can reach the server can execute arbitrary operating system commands and fully compromise the host.
Mitigation: Upgrade to version 0.6.3 or newer. Bind the server to localhost or restrict network access to trusted sources, and monitor for unexpected child processes spawned by the MCP server.

Summary: 3 CVEs this week, 1 rated Critical, 1 exploitable without authentication, all 3 carrying code execution risk.
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.