LinkedIn Phishing Campaign Targets Finance Executives
A new phishing campaign is targeting finance executives by abusing LinkedIn’s direct messaging feature to deliver convincing fake invitations to join an investment fund’s executive board. The attackers impersonate a company called “Common Wealth,” presenting the message as a legitimate offer to join its executive committee in partnership with an established asset management branch. When victims click the provided link, they are routed through a series of redirects that begins on a trusted Google domain and ends on a fake LinkedIn-branded portal hosted on Firebase. This portal claims to share official documents about the board position but prompts users to “view with Microsoft,” leading them to a fraudulent Microsoft login page. The attackers place a Cloudflare Turnstile challenge in front of that page so automated scanners and sandboxes never reach the credential form, and the final phishing page harvests both the entered credentials and the session cookies issued after sign-in. Because the session cookie is only issued once MFA has been satisfied, replaying it lets the attacker take over the account without ever being prompted for a second factor.

This campaign demonstrates how phishing is expanding beyond email into professional networking platforms where business leaders routinely communicate. By using LinkedIn, attackers exploit trust, familiarity, and the perception of legitimacy to reach high-value individuals without passing through the email security controls most organizations rely on. Multiple redirect layers, hosting on legitimate cloud services, and genuine anti-bot protections such as Turnstile all make the chain harder to detect. Push Security reports that roughly one-third of the phishing attempts it blocked recently originated from non-email channels, a significant shift in attacker behavior. The targeting of senior financial executives suggests a goal of stealing high-privilege Microsoft credentials that could lead to data breaches, financial fraud, or unauthorized access to corporate systems.
Organizations should treat social platforms as active threat surfaces: educate executives to verify unsolicited opportunities out of band, and restrict where business accounts can sign in and which third-party services they can be linked to (for example, with conditional access policies that reject sessions from unmanaged devices or unexpected locations).
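The attack above succeeds by replaying a session cookie issued after the victim completed MFA, so the sign-in logs show one session used from the victim's network and then, minutes later, from the attacker's. The following is an added detection example, not from the original report: it groups sign-in events by session, finds the interactive MFA login that created each session, and flags any later non-interactive use of that session from a different IP inside a time window. The event schema and the sample events are constructed for this example (loosely modelled on cloud identity sign-in logs; real field names differ and must be mapped first).

```python
"""Detect session-cookie replay: one sign-in session reused from a second IP soon after an MFA login.

Added example, not code from the report. Field names are a constructed, simplified
schema; map your identity provider's sign-in log fields onto them before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). 'interactive' marks a login where the
# user typed credentials; 'mfa' marks that MFA was satisfied on that event. Later
# events reuse the session via its cookie, so both flags are False for them.
SAMPLE_EVENTS = [
    {"time": "2025-11-03T09:00:00", "user": "cfo@example.com", "session_id": "S1",
     "ip": "203.0.113.10", "interactive": True, "mfa": True},
    # the same session cookie used from a different network four minutes later
    {"time": "2025-11-03T09:04:00", "user": "cfo@example.com", "session_id": "S1",
     "ip": "198.51.100.77", "interactive": False, "mfa": False},
    {"time": "2025-11-03T10:00:00", "user": "cfo@example.com", "session_id": "S1",
     "ip": "203.0.113.10", "interactive": False, "mfa": False},
    # benign user: the session is only ever reused from the IP that completed MFA
    {"time": "2025-11-03T09:30:00", "user": "analyst@example.com", "session_id": "S2",
     "ip": "203.0.113.22", "interactive": True, "mfa": True},
    {"time": "2025-11-03T11:45:00", "user": "analyst@example.com", "session_id": "S2",
     "ip": "203.0.113.22", "interactive": False, "mfa": False},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_session_replay(events, window_minutes=120):
    """Return one alert per non-interactive use of a session from an IP other than the
    one that completed MFA, occurring within window_minutes of that MFA login."""
    window = timedelta(minutes=window_minutes)
    by_session = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_session[e["session_id"]].append(e)

    alerts = []
    for sid, evs in by_session.items():
        origin = next((e for e in evs if e["interactive"] and e["mfa"]), None)
        if origin is None:
            continue  # no MFA login in scope for this session; nothing to compare against
        for e in evs:
            if e["interactive"] or e["ip"] == origin["ip"]:
                continue  # a fresh login, or the same network that passed MFA
            delta = _ts(e) - _ts(origin)
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "user": e["user"],
                    "session_id": sid,
                    "origin_ip": origin["ip"],
                    "replay_ip": e["ip"],
                    "minutes_after_mfa": int(delta.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(SAMPLE_EVENTS):
        print(alert)
```

Keying on the session identifier rather than on "new IP for this user" is what separates cookie replay from an executive simply travelling: a new device or location produces a new interactive login and a new session, whereas a stolen cookie carries the old session identifier to the new network.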
New Linux Rootkit Bypasses Elastic Security Detection
Security researchers have identified a new Linux rootkit, named Singularity, that evades Elastic Security’s endpoint detection and response rules for Linux. The rootkit combines several evasion techniques to defeat both the static and the behavioral detections commonly used to identify kernel-level threats. Elastic’s rules normally fire more than two dozen alerts against a typical rootkit, but Singularity avoids them by targeting the predictable patterns those rules key on. It hides identifying strings through compile-time string fragmentation, so YARA rules and signature scanners that look for known identifiers find nothing in the binary. It also randomizes its kernel symbol names, replaces recognizable function calls with innocuous ones, and presents itself as ordinary kernel activity to system-level scans. The module is split into encrypted fragments that are reassembled only in memory, so no single malicious object file is ever written to disk.

Beyond these static obfuscation methods, Singularity uses behavioral evasion that renders typical endpoint monitoring ineffective. It issues system calls directly rather than through the standard library, bypassing user-space library hooks and the call patterns that signatures expect. Its payloads are staged through disk-based scripts with clean execution chains, so no suspicious command line is ever logged. Once active, it hides its processes through signal-based hiding, in which a particular signal toggles a process’s visibility, erasing visible signs of execution.

The researchers note that this case highlights the broader limitations of static, rule-based security models, particularly against kernel-level threats that operate beneath the layers traditional monitoring observes. To counter this type of threat, organizations should deploy memory-level forensics, kernel integrity verification, and layered defenses rather than relying solely on signature-based endpoint detection.
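One concrete form of the kernel integrity verification recommended above is to compare the kernel's different views of loaded modules against each other. A module that hides by unlinking itself from the module list disappears from /proc/modules (and from lsmod, which reads it) but can still be named in the [module] tag on /proc/kallsyms lines and still have a /sys/module entry. The following is an added example, not code from the Singularity research or from Elastic; it parses those three sources and reports modules present somewhere other than the official list. The fixture text is constructed (the module name x7f3a stands in for a randomized name), and the live_hidden_modules helper reads the real files when run on a Linux host.

```python
"""Cross-check /proc/modules against /proc/kallsyms tags and /sys/module to spot a hidden module.

Added example, not from the original research. Sample inputs are constructed.
"""
import os
import re

# Trailing "[modname]" tag that /proc/kallsyms puts on module symbols.
_KALLSYMS_TAG = re.compile(r"\[([^\]\s]+)\]\s*$")


def parse_proc_modules(text):
    """Module names from /proc/modules: one module per line, name is the first field."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def parse_kallsyms_modules(text):
    """Module names from the [name] tag on /proc/kallsyms lines. Symbol names may be
    randomized by a rootkit, but the tag is the owning module's name."""
    names = set()
    for line in text.splitlines():
        m = _KALLSYMS_TAG.search(line)
        if m:
            names.add(m.group(1))
    return names


def loaded_sysfs_modules(sysfs_root="/sys/module"):
    """Loadable modules visible in sysfs. Built-in kernel code also gets a /sys/module
    entry when it has parameters, but only loadable modules carry an 'initstate' file,
    so that file is used to exclude built-ins."""
    names = set()
    try:
        entries = os.listdir(sysfs_root)
    except OSError:
        return names
    for name in entries:
        if os.path.exists(os.path.join(sysfs_root, name, "initstate")):
            names.add(name)
    return names


def hidden_modules(proc_modules_text, kallsyms_text, sysfs_loaded):
    """Modules named by kallsyms or sysfs that are missing from /proc/modules."""
    listed = parse_proc_modules(proc_modules_text)
    seen_elsewhere = parse_kallsyms_modules(kallsyms_text) | set(sysfs_loaded)
    return seen_elsewhere - listed


def live_hidden_modules():
    """Run the cross-check on the current host (Linux only; unreadable files give an empty set)."""
    try:
        with open("/proc/modules") as f:
            pm = f.read()
        with open("/proc/kallsyms") as f:
            ks = f.read()
    except OSError:
        return set()
    return hidden_modules(pm, ks, loaded_sysfs_modules())


# Constructed fixture (not captured from a real host): two ordinary modules are listed,
# while a third module with randomized symbol names appears only in kallsyms.
SAMPLE_PROC_MODULES = """\
ext4 1032192 2 - Live 0xffffffffc0b00000
xfs 1650688 0 - Live 0xffffffffc0900000
"""
SAMPLE_KALLSYMS = """\
ffffffffc0b01230 t ext4_sync_fs\t[ext4]
ffffffffc0901000 t xfs_fs_sync\t[xfs]
ffffffffc0c00000 t q9z2_a1\t[x7f3a]
ffffffffc0c00040 t q9z2_b7\t[x7f3a]
ffffffff81000000 T _stext
"""
SAMPLE_SYSFS = {"ext4", "xfs"}

if __name__ == "__main__":
    print("fixture:", hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_KALLSYMS, SAMPLE_SYSFS))
    print("this host:", live_hidden_modules())
```

The check catches the common list-unlinking trick. A module that also deletes its sysfs kobject and whose symbols no longer appear in kallsyms (which is built from the same module list) will be absent from all three views, which is exactly why the text's recommendation of memory-level forensics stands: at that point only the module's pages in kernel memory remain to be found.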
Botnets Expanding Through Automated Exploits on PHP Servers and IoT Devices
Cybersecurity researchers at Netscout report a surge in automated attacks on PHP servers, IoT devices, and cloud gateways by botnets including Mirai, Gafgyt, and Mozi. The attacks exploit known software vulnerabilities and cloud misconfigurations to seize control of exposed systems and grow botnet infrastructure.

PHP environments are the primary target because of their prevalence in platforms such as WordPress and Craft CMS, many of which are poorly maintained or misconfigured, and threat actors are actively exploiting older vulnerabilities in them to gain remote code execution. Researchers have also observed attackers probing for exposed Xdebug instances by appending “/?XDEBUG_SESSION_START=phpstorm” to requests. On a production server that still loads Xdebug and is configured to connect back to the requesting client, that parameter opens a debugging session to the attacker’s host, exposing application internals and giving the attacker a channel that can be used to execute PHP. In parallel, scanning activity originates from major cloud providers including AWS, Azure, and Google Cloud, indicating that adversaries are using legitimate infrastructure to mask their activity and automate large-scale attacks.

Beyond PHP servers, IoT vulnerabilities are being exploited to fold devices into distributed networks capable of denial-of-service attacks and large-scale credential theft. Flaws in Spring Cloud Gateway, TBK DVR systems, and MVPower DVR configurations are being weaponized to execute commands remotely on the affected systems. The compromised endpoints then serve as launch points for credential stuffing, password spraying, and AI-assisted scraping and phishing. Security experts warn that the evolution of these botnets signals a shift toward multi-purpose exploitation, with compromised systems doubling as residential proxies that hide attacker traffic inside normal-looking network patterns.
The recent identification of AISURU, a next-generation botnet variant dubbed “TurboMirai,” highlights the growing capacity of these networks to launch DDoS attacks exceeding 20 terabits per second while supporting secondary monetized services. Organizations are urged to secure cloud assets, disable unnecessary debugging tools, apply all relevant updates, and tightly control external access to production systems.
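Two practical checks follow from the Xdebug probing described above: spotting the probes in web server access logs, and confirming that no production host still carries the settings that make a probe dangerous. The following is an added example, not part of the Netscout report. It parses combined-format access log lines, flags requests whose query string carries an Xdebug trigger name (the legacy XDEBUG_SESSION_START seen in the campaign, plus XDEBUG_TRIGGER, its Xdebug 3 equivalent), and audits a php.ini fragment for the connect-back settings. The log lines, the ini fragment and all addresses are constructed for the example.

```python
"""Flag Xdebug trigger probes in access logs and audit the php.ini settings that make them dangerous.

Added example, not from the Netscout report. All sample data is constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Query parameter names that start a debug session: XDEBUG_SESSION_START is the legacy
# name seen in the wild; XDEBUG_TRIGGER is the Xdebug 3 name; XDEBUG_SESSION is the
# cookie name, which some scanners also try as a parameter.
XDEBUG_TRIGGERS = {"xdebug_session_start", "xdebug_trigger", "xdebug_session"}


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def xdebug_trigger_in(target):
    """Return the matching parameter name, or None. parse_qs decodes once and unquote
    decodes again, so percent-encoded underscores and double-encoded names still match."""
    for key in parse_qs(urlsplit(target).query, keep_blank_values=True):
        if unquote(key).lower() in XDEBUG_TRIGGERS:
            return key
    return None


def scan_access_log(lines):
    """Return (hits, per_source_counter) for every request carrying an Xdebug trigger."""
    hits, per_source = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = xdebug_trigger_in(rec["target"])
        if key:
            hits.append({"ip": rec["ip"], "target": rec["target"],
                         "trigger": key, "status": rec["status"]})
            per_source[rec["ip"]] += 1
    return hits, per_source


# Settings that let a remote requester start a debug session that connects back to them:
# Xdebug 2 names first, then the Xdebug 3 equivalent.
RISKY_INI = {"xdebug.remote_enable", "xdebug.remote_connect_back", "xdebug.discover_client_host"}
_TRUE = {"1", "on", "true", "yes"}


def audit_xdebug_ini(ini_text):
    """Return {setting: value} for every risky Xdebug setting found in an ini fragment."""
    findings = {}
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ini comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key, value = key.lower(), value.strip('"').lower()
        if key == "xdebug.mode" and "debug" in value:
            findings[key] = value          # the step debugger is enabled at all
        elif key in RISKY_INI and value in _TRUE:
            findings[key] = value          # and it will connect back to any requester
    return findings


# Constructed sample data (not captured traffic or a real config).
SAMPLE_LOG = [
    '198.51.100.23 - - [03/Nov/2025:08:12:01 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [03/Nov/2025:08:12:03 +0000] "GET /index.php?xdebug%5Fsession%5Fstart=phpstorm HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Nov/2025:08:15:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [03/Nov/2025:08:20:00 +0000] "GET /?XDEBUG_TRIGGER=1 HTTP/1.1" 404 169 "-" "curl/8.4.0"',
]
SAMPLE_INI = """\
; production php.ini fragment, constructed for this example
zend_extension=xdebug.so
xdebug.mode = debug,develop
xdebug.discover_client_host = 1
xdebug.client_port = 9003
"""

if __name__ == "__main__":
    hits, per_source = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("probes per source:", dict(per_source))
    print("risky ini settings:", audit_xdebug_ini(SAMPLE_INI))
```

A 200 response to the probe does not by itself mean Xdebug is loaded, since PHP ignores unknown parameters; the ini audit (or removing the extension from production images altogether) is what settles whether the host is exploitable, and the per-source counter is what turns isolated probes into a block-list candidate.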
North Korean Threat Actors Deploy New Advanced Espionage Malware
North Korean state-sponsored hackers have intensified their cyber operations with two new malware families built for long-term espionage and persistent access. Researchers identified HttpTroy, a new backdoor attributed to the Kimsuky group, and an updated version of BLINDINGCAN, a long-running remote access tool maintained by the Lazarus Group. Both tools reflect North Korea’s continued investment in offensive capabilities and its focus on intelligence collection against government, defense, and critical-industry targets.

The Kimsuky campaign began with a spear-phishing email to a South Korean organization carrying a malicious ZIP archive disguised as a VPN service invoice. Once executed, the Go-based dropper decrypted its embedded payloads, created scheduled tasks named to look like antivirus updates, and finally installed the HttpTroy backdoor. The backdoor gives the operator full control of the host, including file manipulation, screen capture, command execution, and in-memory payload deployment, and hides its command-and-control traffic inside encrypted and encoded HTTP POST requests.

Separately, the Lazarus Group ran a campaign using a modified BLINDINGCAN, delivered by an updated Comebacker loader and observed in attacks against Canadian targets. While investigation into the full scope of that campaign continues, early findings show Lazarus continuing to evolve its codebase with improved obfuscation, persistence, and remote-control features. Both Kimsuky and Lazarus rely on heavy encryption, API hashing, and runtime string reconstruction, which strip out the import names and strings that static analysis and signature matching depend on. Their activity reflects a consistent North Korean strategy of refining older malware frameworks into stealthier, modular espionage platforms.
Analysts warn that these developments represent a major step forward in the DPRK’s cyber-espionage toolkit, reinforcing the need for defense-in-depth strategies, behavioral monitoring, and strict scrutiny of inbound attachments and unusual communication patterns within targeted organizations.
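API hashing, mentioned above for both families, replaces import names with numeric hashes that the malware resolves at runtime by hashing every export of a loaded DLL until one matches. An analyst reverses this by hashing a known export list with candidate algorithms and looking the sample's constants up. The following is an added example, not code from the reported samples or their analysts: it implements two hash routines commonly seen in malware (a rotate-right-13 accumulator and djb2, both assumed for illustration; the real algorithm must be lifted from the sample's resolver), identifies which one explains a set of observed hashes, and maps them back to names. The export list and the observed hash values are constructed for the example.

```python
"""Recover Windows API names behind the hashes malware uses in place of import strings.

Added example, not from the reported samples. The hash routines are common choices
assumed for illustration; a real sample's algorithm comes from its resolver code.
"""


def ror13_hash(name):
    """Rotate-right-13-then-add over the ASCII name, kept to 32 bits."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def djb2_hash(name):
    """djb2: h = h * 33 + c, starting from 5381, kept to 32 bits."""
    h = 5381
    for b in name.encode("ascii"):
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


CANDIDATE_ALGORITHMS = {"ror13": ror13_hash, "djb2": djb2_hash}

# Constructed export list standing in for a DLL's export table. A real run would
# pull the names from the export directory of each DLL the sample loads.
SAMPLE_EXPORTS = [
    "CreateFileW", "WriteFile", "ReadFile", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "LoadLibraryA", "GetProcAddress", "WinHttpOpen",
    "WinHttpSendRequest", "CreateProcessW",
]


def build_table(export_names, hash_fn):
    """Map hash value -> export name for one algorithm."""
    return {hash_fn(n): n for n in export_names}


def identify_algorithm(observed_hashes, export_names, candidates=CANDIDATE_ALGORITHMS):
    """Return (algorithm_name, matched_count) for the candidate explaining the most
    observed hashes; (None, 0) if none of them match anything."""
    best = (None, 0)
    for name, fn in candidates.items():
        table = build_table(export_names, fn)
        matched = sum(1 for h in observed_hashes if h in table)
        if matched > best[1]:
            best = (name, matched)
    return best


def resolve(observed_hashes, export_names, hash_fn):
    """Map each observed hash to an export name, or '<unresolved>' when the export
    list does not contain it (usually: wrong DLL, or a name not in the list)."""
    table = build_table(export_names, hash_fn)
    return {h: table.get(h, "<unresolved>") for h in observed_hashes}


# Constructed "sample": constants as they might appear in a resolver call table.
# Three are ROR-13 hashes of real export names; the last one deliberately matches nothing.
OBSERVED = [ror13_hash(n) for n in ("VirtualAlloc", "CreateThread", "WinHttpSendRequest")]
OBSERVED.append(0xDEADBEEF)

if __name__ == "__main__":
    algo, count = identify_algorithm(OBSERVED, SAMPLE_EXPORTS)
    print(f"best candidate: {algo} ({count}/{len(OBSERVED)} hashes matched)")
    for h, name in resolve(OBSERVED, SAMPLE_EXPORTS, CANDIDATE_ALGORITHMS[algo]).items():
        print(f"0x{h:08x} -> {name}")
```

Unresolved hashes after the algorithm is identified usually mean the export list is from the wrong DLL or that the sample hashes the name with a terminating null or in a different case; those variants are quick to add as further candidates once the resolver code has been read.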
Top CVEs of the Week
As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.