SmudgedSerpent Hackers Target U.S. Policy Experts with Iranian-Themed Phishing Lures
A newly identified threat cluster dubbed UNK_SmudgedSerpent has launched a series of espionage-driven phishing attacks against U.S.-based academics and foreign policy experts who focus on Iran. According to Proofpoint researchers, the campaign overlaps tactically with Iranian-linked threat actors, including Charming Kitten (TA453) and MuddyWater (TA450), indicating potential coordination within Iran’s cyber ecosystem. The attackers used politically charged themes referencing societal change and the Islamic Revolutionary Guard Corps (IRGC) to lure victims into credential-harvesting traps. Impersonating senior analysts from institutions including the Brookings Institution and the Washington Institute, the adversaries opened with benign correspondence before redirecting victims to malicious links masquerading as Microsoft Teams or OnlyOffice login pages. In some cases, the operation deployed legitimate Remote Monitoring and Management (RMM) software, such as PDQ Connect or ISL Online, under the guise of Teams installers, giving the attackers persistent remote access for espionage; because these are signed commercial tools, controls that rely on malware signatures will not flag them, so detection has to key on the install context (an RMM agent appearing right after a supposed Teams download) rather than on the binary itself. Proofpoint’s analysis shows that SmudgedSerpent’s infrastructure used health-themed domains and OnlyOffice-branded pages, consistent with domain registration patterns seen in TA455 campaigns since 2024. The group demonstrated adaptive tradecraft, removing password prompts from fake login portals once victims grew suspicious in order to keep their trust and draw them deeper into the phishing flow. Evidence suggests that the campaign achieved partial success, with attackers performing hands-on-keyboard activity to expand access via additional RMM tools. To mitigate such threats, organizations should enforce multi-factor authentication (preferably a phishing-resistant method, since a convincing fake login page can collect one-time codes as readily as passwords), monitor for anomalous RMM installations, and verify the authenticity of senders before engaging with unsolicited research collaboration requests.
Cybercrime Power Bloc: Scattered Spider, LAPSUS$, and ShinyHunters Form Unified Extortion Collective
A new cybercrime alliance uniting Scattered Spider, LAPSUS$, and ShinyHunters has surfaced under the banner Scattered LAPSUS$ Hunters (SLH), marking an unprecedented merger of financially motivated and hacktivist-style threat actors. The group, which emerged in August 2025, has cycled through at least 16 Telegram channels to evade moderation, using the platform as both a coordination hub and a propaganda outlet. SLH’s structure mimics corporate branding, complete with an “Operations Centre” identity that projects organizational legitimacy while the group runs extortion-as-a-service (EaaS) campaigns. The alliance consolidates multiple subgroups within The Com, including UNC5537, UNC3944, and UNC6040, blending exploit development, social engineering, and public spectacle to maximize impact. Members also incentivize harassment campaigns against corporate executives and leverage Snowflake- and Salesforce-related intrusions to increase their extortion leverage. Trustwave’s analysis highlights SLH’s dual nature: it operates at the intersection of monetary crime and reputation-driven hacktivism. The collective’s next phase may include a proprietary ransomware family named Sh1nySp1d3r, intended to rival LockBit and DragonForce, signaling ambitions to expand beyond data theft. The alliance’s messaging strategy, theatrical branding, and coordinated use of Telegram channels reveal a clear understanding of how perception can be weaponized within the cybercrime economy. Notably, DragonForce’s BYOVD (bring-your-own-vulnerable-driver) malware campaign and its partnership with groups including Qilin and LockBit reflect a growing cartelization trend in which shared resources and infrastructure lower the technical barriers for affiliates. This convergence of extortion, social engineering, and narrative control underscores a strategic evolution in cybercriminal collaboration that blends underground enterprise operations with public manipulation tactics.
NGate Android Malware Uses NFC Relay to Enable ATM Cash Withdrawals With Victims’ Cards
A newly discovered Android malware dubbed NGate enables cybercriminals to withdraw cash from ATMs using victims’ own payment cards, without ever physically stealing them. The malware uses a Near-Field Communication (NFC) relay: it reads the card’s NFC responses on the victim’s phone and forwards them to an attacker’s device standing at an ATM, while the Personal Identification Number (PIN) is obtained from the victim through the malware’s own fake prompts rather than over NFC. Distributed via phishing messages and fake banking apps, NGate masquerades as a legitimate security update or identity verification tool. Attackers posing as bank representatives pressure victims into tapping their cards against their phones to “confirm identity,” which lets the malware harvest the complete NFC transaction data. Once captured, this data is sent over plaintext TCP to a command-and-control (C2) server or a remote relay device, which presents it to the ATM to complete fraudulent withdrawals. Technical analysis shows that NGate registers itself as a Host Card Emulation (HCE) payment service, so the device running it can act as a virtual payment card in front of an ATM reader. The malware decrypts its embedded configuration using a key derived from the APK’s signing certificate hash, which ties the configuration to that specific signed build and frustrates analysis of repackaged copies. By combining the relayed card data with the stolen PINs, attackers reproduce valid ATM sessions through linked “emitter” devices. The relay has to run in real time because EMV card responses are bound to the challenge the ATM issues during that session, so captured data cannot simply be replayed later. This design demonstrates a modular, scalable NFC relay framework that bridges reader and ATM devices for rapid cash-out operations. To mitigate this threat, users should install mobile banking apps only from official app stores, avoid following links in unsolicited messages, and verify bank calls by contacting the institution directly. Financial institutions should also alert customers and strengthen fraud detection against NFC-based relay activity.
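The HCE registration described above is declared in an app’s manifest, which makes it a cheap static triage signal. The Python below is an added example, not ESET’s tooling or NGate code: it parses a decoded AndroidManifest.xml (assumed to have been pulled from the APK with apktool or similar) and flags apps that request NFC and INTERNET and declare a service bound to android.permission.BIND_NFC_SERVICE with the android.nfc.cardemulation.action.HOST_APDU_SERVICE intent action, the platform mechanism an HCE payment service registers through. The two manifests, package names and service names are constructed for the example.

```python
"""Static triage for apps that register an Android Host Card Emulation (HCE) service.

Added example, not code from ESET or from NGate. It inspects a decoded
AndroidManifest.xml (assumed decoded with apktool or similar) for the
combination NGate is described as using: NFC access, a service bound with
BIND_NFC_SERVICE that handles HOST_APDU_SERVICE, and INTERNET to ship the
relayed exchange off the phone. Both manifests below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
HCE_BIND_PERMISSION = "android.permission.BIND_NFC_SERVICE"


def android_attr(name):
    """Qualified attribute name for android:<name> as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, name)


def find_hce_services(root):
    """Every <service> whose intent filter declares the HCE action."""
    services = []
    for svc in root.iter("service"):
        actions = {act.get(android_attr("name")) for act in svc.iter("action")}
        if HCE_ACTION in actions:
            services.append({
                "name": svc.get(android_attr("name")),
                # Android only routes APDUs to services protected by this permission.
                "properly_bound": svc.get(android_attr("permission")) == HCE_BIND_PERMISSION,
                "exported": svc.get(android_attr("exported")) == "true",
            })
    return services


def triage_manifest(manifest_xml):
    """Summarise the permissions and HCE services; 'review' is the relay shape."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(android_attr("name")) for p in root.iter("uses-permission")}
    hce = find_hce_services(root)
    result = {
        "package": root.get("package"),
        "nfc": "android.permission.NFC" in perms,
        "internet": "android.permission.INTERNET" in perms,
        "hce_services": hce,
    }
    # Card emulation plus a network path is what a relay needs; flag it for review.
    result["review"] = bool(hce) and result["nfc"] and result["internet"]
    return result


# Constructed manifest in the shape described for the fake "security update" app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-feature android:name="android.hardware.nfc.hce" android:required="true"/>
  <application android:label="Security Update">
    <service android:name=".CardService"
             android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
      <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                 android:resource="@xml/apduservice"/>
    </service>
  </application>
</manifest>
"""

# Constructed manifest of an app that uses the network but never emulates a card.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.newsreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="News">
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(manifest)
        print(report["package"], "REVIEW" if report["review"] else "ok", report["hce_services"])
```

Legitimate wallet apps match the same pattern, so a hit is a reason to look at provenance (sideloaded versus store-installed) and at whether the app also asks for a PIN, not a verdict on its own.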
APT-C-60 Refines Job-Themed Spear-Phishing Campaign Using Malicious VHDX Files and Enhanced SpyGlace Malware
Japan’s JPCERT/CC has issued an updated alert on a renewed APT-C-60 phishing campaign targeting recruitment professionals through emails impersonating job applicants. The latest attacks, observed between June and August 2025, mark a tactical evolution from prior waves: instead of linking to Google Drive, attackers now attach malicious VHDX files directly to the emails, shortening the infection chain and improving success rates. Once a victim mounts the virtual disk and executes the embedded LNK shortcut, Git’s gcmd[.]exe runs a hidden script that deploys Downloader1, establishes persistence via COM, and displays a fabricated academic resume to maintain credibility. Downloader1 beacons to StatCounter using the machine’s serial number and computer name, and retrieves configuration files from GitHub repositories, a deliberate shift from Bitbucket to GitHub so that the traffic blends with legitimate enterprise use. The second stage, Downloader2, fetches the updated SpyGlace malware, which introduces new modular features and encryption upgrades. The “uld” command allows a module to be executed temporarily and then removed, while the screenupload module references a new component, potentially for screenshot capture. SpyGlace’s strings and API names are obfuscated with a dual ADD + XOR encoding scheme, and its network traffic is AES-128-CBC encrypted on top of a modified RC4 layer, using the persistent “GOLDBAR” user ID that links the campaign to earlier Japan-focused operations. GitHub commit timestamps of June 27, July 3, and July 16 show rapid iteration cycles, suggesting ongoing development. JPCERT/CC urges organizations to block VHDX attachments at the mail gateway, monitor GitHub and StatCounter traffic from hosts with no business reason to reach them, and detect COM hijacking persistence. Recruiters should verify sender identities, sandbox attachments, and remain vigilant as APT-C-60 continues refining its stealthy espionage tactics against Japan’s defense and research sectors.
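The ADD + XOR string obfuscation is the kind of scheme an analyst undoes first, because every decoded string (API names, DLLs, C2 paths) feeds the rest of the analysis. The Python below is an added example, not JPCERT/CC’s tooling or SpyGlace code: it assumes the transform is a per-byte ADD followed by XOR with single-byte constants (the description above gives neither the constants nor the order) and recovers both constants from a known-plaintext crib instead of guessing them, then decodes the whole string table. The blob, the keys 0x5A and 0x3C, and the strings are constructed for the example.

```python
"""Recover single-byte ADD + XOR obfuscation keys from a known-plaintext crib.

Added example, not JPCERT/CC's or SpyGlace's code. Assumed transform
(the report's description gives neither constants nor operation order):
    enc = ((p + ADD) & 0xFF) ^ XOR      per byte
Strings are assumed to sit NUL-separated in one table. SAMPLE_BLOB below
is constructed with the assumed keys 0x5A / 0x3C.
"""
import string

# Bytes accepted in a decoded string table: printable ASCII plus tab/CR/LF.
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def add_xor_encode(data, add_key, xor_key):
    """Apply the assumed obfuscation: ADD then XOR, byte by byte."""
    return bytes((((b + add_key) & 0xFF) ^ xor_key) for b in data)


def add_xor_decode(data, add_key, xor_key):
    """Invert add_xor_encode: XOR first, then subtract."""
    return bytes((((b ^ xor_key) - add_key) & 0xFF) for b in data)


def recover_keys(blob, crib):
    """All (ADD, XOR) pairs under which the crib appears somewhere in the blob.

    For a fixed offset and ADD, the first crib byte fixes XOR outright, so
    this is 256 * len(blob) cheap checks instead of 65,536 full decodes.
    """
    keys = set()
    for offset in range(len(blob) - len(crib) + 1):
        window = blob[offset:offset + len(crib)]
        for add_key in range(256):
            xor_key = window[0] ^ ((crib[0] + add_key) & 0xFF)
            if add_xor_encode(crib, add_key, xor_key) == window:
                keys.add((add_key, xor_key))
    return sorted(keys)


def recover_strings(blob, crib):
    """(ADD, XOR, strings) for each key pair whose decode is a clean string table."""
    hits = []
    for add_key, xor_key in recover_keys(blob, crib):
        plain = add_xor_decode(blob, add_key, xor_key)
        parts = plain.split(b"\x00")
        # Reject keys that match the crib but turn the rest into binary junk.
        if all(c in PRINTABLE for part in parts for c in part):
            hits.append((add_key, xor_key, [p.decode("ascii") for p in parts if p]))
    return hits


# Constructed sample: a tiny string table obfuscated with assumed keys.
SAMPLE_ADD, SAMPLE_XOR = 0x5A, 0x3C
SAMPLE_STRINGS = [b"kernel32.dll", b"GetProcAddress", b"https://example.invalid/config"]
SAMPLE_BLOB = add_xor_encode(b"\x00".join(SAMPLE_STRINGS) + b"\x00", SAMPLE_ADD, SAMPLE_XOR)

if __name__ == "__main__":
    for add_key, xor_key, strings in recover_strings(SAMPLE_BLOB, b"kernel32.dll"):
        print("ADD=0x%02X XOR=0x%02X -> %s" % (add_key, xor_key, strings))
```

The same byte map arises from (ADD, XOR) and (ADD + 128, XOR ^ 0x80), so the recovery returns both and they decode identically. A crib that mixes letters, digits and punctuation, such as a DLL name, removes the other near-misses because the carry behaviour of ADD differs across those byte values. If the real order turns out to be XOR-then-ADD, swap the two operations in add_xor_encode and add_xor_decode and rerun.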