FBI Disrupts Global Phishing Network After Uncovering Massive LabHost Infrastructure
The FBI recently revealed the scale of a now-dismantled phishing-as-a-service operation known as LabHost, which enabled cybercriminals to launch coordinated phishing campaigns against millions of victims worldwide. From late 2021 through April 2024, LabHost gave nearly 10,000 registered users access to professionally crafted phishing kits, customizable spoofing tools, infrastructure for SMS-based scams, and adversary-in-the-middle proxies designed to bypass two-factor authentication. This platform allowed attackers to impersonate over 200 well-known brands and institutions, directing victims to fake login portals to steal sensitive information. During the investigation, the FBI uncovered more than 42,000 phishing domains connected to LabHost’s infrastructure, with over one million harvested login credentials and nearly half a million compromised credit cards. The Bureau's takedown of LabHost is one of the most significant efforts to disrupt the commercialized cybercrime ecosystem. Although the platform has been dismantled, the damage persists, as many phishing domains may still appear in historical traffic logs or internal systems. The FBI released a FLASH alert with indicators of compromise, urging organizations to check logs for connections to these domains, apply domain blacklisting, and investigate any links to potentially exposed data. The agency also stressed that companies should treat any prior interaction with these domains as a serious incident and follow through with incident response. This case underscores how phishing campaigns have evolved from isolated attacks to scalable services offered through criminal marketplaces, making it easier for less-skilled actors to carry out complex attacks. It also reinforces the importance of proactive monitoring, intelligence sharing, and internal awareness to detect and respond to these threats before damage occurs.
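The FLASH alert's advice to check logs for connections to the listed domains is a straightforward matching job, but two details are easy to get wrong: indicators and log entries must be normalized the same way (case, trailing dot), and a subdomain of an indicator should match while a lookalike suffix should not. The script below is an added illustration, not part of the FBI alert or the original article; the indicator domains and proxy log lines are constructed placeholders (the real LabHost indicators are not reproduced here), and the Squid-style log layout is assumed.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed placeholder indicators standing in for the alert's domain list.
# Mixed case and a trailing dot are deliberate, to exercise normalization.
IOC_DOMAINS = {"phish-brand-login.example", "Secure-Verify-Account.example."}

# Constructed Squid-style proxy lines: epoch, elapsed, client, status, bytes, method, url, hierarchy
SAMPLE_LOG = """\
1713000001.123 120 10.0.0.15 TCP_MISS/200 5120 GET https://www.phish-brand-login.example/login -
1713000002.456 80 10.0.0.22 TCP_MISS/200 2048 GET https://intranet.corp.example/home -
1713000003.789 200 10.0.0.15 TCP_MISS/302 512 POST https://secure-verify-account.example/otp -
1713000004.012 60 10.0.0.31 TCP_MISS/200 4096 GET https://notphish-brand-login.example/x -
"""

def normalize(domain: str) -> str:
    """Lowercase and strip the trailing dot so list and log entries compare equal."""
    return domain.strip().lower().rstrip(".")

def is_ioc_host(host: str, iocs: set[str]) -> bool:
    """Match the indicator itself or any subdomain of it; a lookalike suffix does not match."""
    host = normalize(host)
    iocs = {normalize(d) for d in iocs}
    return any(host == d or host.endswith("." + d) for d in iocs)

def scan_log(log_text: str, iocs: set[str]) -> list[dict]:
    """Return one record per log line whose URL host matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip rather than crash
        epoch, client, method, url = fields[0], fields[2], fields[5], fields[6]
        host = urlparse(url).hostname or ""
        if is_ioc_host(host, iocs):
            hits.append({
                "time": datetime.fromtimestamp(float(epoch), tz=timezone.utc).isoformat(),
                "client": client, "method": method, "host": host,
            })
    return hits

if __name__ == "__main__":
    # A POST to an indicator host is the case the alert treats as a serious incident:
    # credentials or an OTP were likely submitted, not just a page viewed.
    for hit in scan_log(SAMPLE_LOG, IOC_DOMAINS):
        print(hit)
```

Each hit carries the client address, so the output feeds directly into the incident response follow-up the alert asks for, starting with the hosts that sent POST requests.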
Update: Commvault Confirms Breach but Says No Customer Data Was Affected
Commvault has confirmed that it was the target of a cyberattack by a nation-state threat actor, marking a significant incident involving a major data protection and resilience provider. The breach was identified in February 2025 following notification of suspicious activity within Commvault’s infrastructure. An internal investigation determined that several systems were affected, but customer backup data remained secure and untouched. The company emphasized that there was no disruption to its core operations or its ability to deliver services to its global customer base. With over 100,000 organizations relying on its platforms, Commvault moved quickly to assess the scope of the incident and ensure that data integrity and business continuity were maintained throughout. In its public update, Commvault noted that it is working closely with federal authorities, including the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and two independent cybersecurity firms to support the investigation and remediation process. While details about the exact methods used in the breach remain limited, the company has taken proactive steps by sharing indicators of compromise with the broader cybersecurity community. Commvault also issued recommendations to help customers strengthen their security posture and reduce the likelihood of similar intrusions in their environments. Although the breach did not lead to known data loss or system outages, it highlights the persistent targeting of critical technology providers and underscores the importance of maintaining layered security defenses and strong incident response capabilities.
Update: Nebulous Mantis Expands Global Espionage Campaign with RomCom RAT and Targeted Phishing
Cybersecurity researchers have uncovered new details about Nebulous Mantis, a Russian-speaking cyber espionage group behind the RomCom remote access trojan (RAT), which has been active since at least mid-2022. RomCom’s infrastructure relies on bulletproof hosting providers and uses encrypted communication channels, stealthy malware delivery through IPFS, and sophisticated techniques like COM hijacking and credential harvesting. Once deployed, RomCom can execute over 40 remote commands, allowing attackers to perform reconnaissance, steal browser data, exfiltrate sensitive files, and navigate within corporate networks with minimal detection. A recent campaign discovered by U.K. cybersecurity firm Bridewell, dubbed Operation Deceptive Prospect, shows the group’s evolving tactics, including phishing messages submitted through public feedback forms that imitate real customer complaints. These forms included links to spoofed Google Drive and Microsoft OneDrive pages, leading to a malware downloader disguised as a PDF. This campaign targeted retail, hospitality, and critical national infrastructure organizations, signaling RomCom’s growing focus on operational and logistical sectors. Researchers observed time-zone-based targeting to align attacks with victims' working hours and noted that the threat actor is continuously expanding its toolset. Combined with activity from a related financially motivated group, Ruthless Mantis, the findings highlight an ongoing trend of blending espionage with ransomware tactics to maintain persistent access and gather intelligence.