Sophisticated phishing campaign exploits Microsoft OAuth applications

🪪 Credential theft

Sophisticated phishing campaign exploits Microsoft OAuth applications

A sophisticated phishing campaign is exploiting Microsoft OAuth applications to bypass multifactor authentication and steal user credentials from enterprise environments. Cybercriminals have created over 50 fake Microsoft 365 applications impersonating legitimate services like RingCentral, SharePoint, Adobe, and DocuSign. The campaign has targeted thousands of users across hundreds of organizations worldwide with high success rate. READ MORE.

🔓 Vulnerabilities & exploitation attempts

Vulnerability in Gemini AI coding assistant enables silent code execution

A critical vulnerability has been identified in Google’s newly released Gemini CLI, a command-line AI assistant for developers, allowing attackers to silently execute malicious commands and exfiltrate sensitive data. Discovered within 48 hours of release, the flaw leverages prompt injection embedded in files like README.md, often hidden within seemingly legitimate license text, to trick the assistant into executing unauthorized shell commands when analyzing code repositories—particularly from untrusted or open-source sources. READ MORE.

⚙️ Malware developments

New Linux backdoor 'Plague' bypasses SSH authentication undetected

A newly discovered Linux backdoor called "Plague" has completely evaded detection by all major antivirus engines despite being active for over a year. Operating as a malicious Pluggable Authentication Module (PAM), this backdoor allows attackers to silently bypass system authentication and maintain persistent SSH access to compromised Linux servers. The threat represents a significant security concern due to its ability to integrate deeply into authentication systems while leaving minimal forensic traces. READ MORE.

Auto-Color malware uses suppression tactics in failed Linux intrusion

Darktrace has uncovered an attempted deployment of the Auto-Color Linux backdoor, exploiting CVE-2025-31324 in SAP NetWeaver. The attack targeted a U.S.-based chemical company and unfolded over several days, with the malware leveraging evasive techniques such as privilege checks, system masquerading, and preloading shared libraries for persistence. Auto-Color demonstrated adaptive behavior by suppressing its functionality when command-and-control (C2) communication failed, a technique designed to avoid detection during analysis or in isolated environments. READ MORE.

🎣 Phishing developments

Phishing email uses AutoIt to deploy VIP keylogger

Researchers identified a new campaign delivering the VIP Keylogger using an AutoIt-based injector, marking a shift from previous steganography-based delivery methods. The attack begins with a spear-phishing email containing a ZIP file that holds a disguised executable. Once executed, it runs an AutoIt script that drops two encrypted files (leucoryx and avenes) into the Temp folder. These are decrypted in memory, and the final payload is injected into RegSvcs.exe using process hollowing. READ MORE.

💰 Ransomware developments

LockBit attackers increase use of DLL sideloading and masquerading to evade detection

LockBit affiliates have recently intensified the use of DLL sideloading and masquerading to avoid detection and maintain persistence in compromised environments. These techniques allow ransomware to execute under the guise of legitimate applications by leveraging trusted binaries to load malicious code. READ.MORE.

Gunra ransomware launches Linux variant advanced encryption capabilities

A new ransomware variant targeting Linux systems has expanded the capabilities of an existing ransomware group that previously focused only on Windows environments. This shift to a cross-platform approach significantly increases the group’s reach and raises concerns for organizations reliant on Linux infrastructure. Multiple sectors have already been affected across multiple regions, with incidents involving large-scale data theft and disruptions. READ MORE.

ShinyHunters orchestrates large-scale Salesforce data theft campaign

A sophisticated data theft campaign targeting major corporations has been attributed to the ShinyHunters extortion group, which successfully compromised Salesforce CRM instances at companies including Qantas, Allianz Life, LVMH subsidiaries, and Adidas. The attacks utilized voice phishing techniques to manipulate employees into granting unauthorized access to their organizations' customer relationship management systems, resulting in significant data breaches across multiple industries including aviation, retail, insurance, and luxury goods. READ MORE.

Gain deeper Cyber Threat Intelligence (CTI) insights

CyberProof’s CTI service offers comprehensive threat intelligence coverage, ensuring that your organization stays ahead of active threats that pose the greatest risk to your assets.

Our advanced CTI team investigates the threat landscape, providing you with detailed reports, related Indicators of Compromise (IOCs), technical recommendations, and MITRE ATT&CK mapping.

LEARN MORE ABOUT OUR CTI SERVICES.

We hope you've found these updates valuable. To stay informed, follow us on LinkedIn and X.