Diverse Cybercriminal Campaigns and Tactics Targeting Organizations
Multiple cybercriminal operations have been reported, each employing distinct tactics to compromise organizations and individuals. These include a large-scale business email compromise (BEC) campaign dubbed 'Scripted Sparrow,' which orchestrated a global siege involving three million emails, and a sophisticated loader attack using fake purchase orders to target manufacturing giants in Italy, Finland, and Saudi Arabia. Another campaign, referred to as 'The Payroll Trap,' leverages fake CAPTCHA pages in a quishing (QR code phishing) scheme to hijack employee paychecks. Additionally, a phishing campaign impersonating ADP was observed, where threat actors used convincing emails and counterfeit login pages to steal employee credentials and personal data.
Further, the cybercriminal ecosystem is seeing notable developments, such as the unmasking of 'Fly,' the secret architect behind the infamous Russian Market, and the formation of an alliance between Qilin, DragonForce, and a declining LockBit ransomware group. These stories highlight the evolving landscape of cybercrime, with actors employing both technical deception and strategic partnerships to maximize their impact against a range of targets worldwide.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Loader campaign targets manufacturers with fake purchase orders
A sophisticated loader malware campaign was reported targeting manufacturing companies in Italy, Finland, and Saudi Arabia. The attackers used 'Purchase Order' themed lures, indicating a spear-phishing operation focused on high-value industrial victims.
Quishing campaign uses fake CAPTCHA pages to hijack employee paychecks
Researchers identified a new quishing campaign that uses fake CAPTCHA pages as part of a phishing flow targeting employees. The operation appears aimed at stealing payroll credentials or redirecting payroll deposits to hijack paychecks.
Threat actors launch ADP-themed phishing campaign to steal employee data
A phishing campaign impersonating ADP was observed using urgent emails and a fake ADP login page to collect employee credentials, 2FA codes, and personal information including phone numbers, dates of birth, and Social Security numbers. Submitted data was exfiltrated to the attackers, enabling potential access to payroll and HR accounts.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
The Payroll Trap: New Quishing Campaign Uses Fake CAPTCHAs to Hijack Employee Paychecks
securityonline.info
Open source“Purchase Order” Deception: Sophisticated Loader Targets Manufacturing Giants in Italy, Finland, and Saudi Arabia
securityonline.info
Open sourceFrom Email to Exfiltration: How Threat Actors Steal ADP Login and Personal Data
cofense.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Recent Ransomware and Malware Campaigns Targeting Organizations and Individuals
A surge in sophisticated cyberattacks has been observed, with threat actors employing a variety of tactics to compromise organizations and individuals. Notable incidents include the use of the BYOVD (Bring Your Own Vulnerable Driver) technique to deploy DeadLock ransomware, as well as targeted campaigns leveraging phishing emails with HR-related lures to distribute Remcos RAT malware. Additionally, attackers are exploiting popular movie torrents to spread Agent Tesla via layered PowerShell scripts, and Android users in Spain are being targeted by the DroidLock ransomware, which can hijack devices and demand ransom through full-screen overlays. These campaigns demonstrate a trend toward multi-stage infection chains, abuse of legitimate tools and drivers, and the use of social engineering to increase the likelihood of successful compromise. Other significant developments include the targeting of Canadian organizations by the STAC6565/Gold Blade group using QWCrypt ransomware, and the emergence of new threat actor tactics such as disabling endpoint detection and response (EDR) systems to facilitate ransomware deployment. The threat landscape is further complicated by the activities of groups like Scattered Lapsus$ Hunters, who use social engineering and typosquatted domains to compromise Zendesk users, and the exposure of internal dynamics within ransomware groups like BlackBasta, revealing operational stress and internal mistrust. These incidents underscore the evolving nature of cyber threats, the blending of espionage and financial motives, and the increasing sophistication of both technical and social attack vectors.
Mar 21, 2026
Targeted Phishing Campaigns by Scripted Sparrow and BlindEagle
Two distinct threat actor groups, Scripted Sparrow and BlindEagle, have been identified conducting highly targeted phishing campaigns against organizations across different regions. Scripted Sparrow, tracked by Fortra analysts, has executed persistent business email compromise (BEC) operations since June 2024, primarily targeting finance teams in North America and Europe. Their campaigns are notable for their structured approach, use of convincing fake invoices, forged executive approvals, and carefully chosen payment amounts just below approval thresholds. The group operates with defined roles and has been observed sending between 10,000 and 50,000 emails daily in small, targeted batches, with over 500 unique campaign variants catalogued. Meanwhile, BlindEagle has focused its efforts on Colombian government institutions, leveraging compromised internal email accounts to bypass standard email security controls such as SPF, DKIM, and DMARC. Their phishing emails, crafted to mimic official judicial notifications, contain malicious SVG attachments that redirect victims to fraudulent government portals. The infection chain is complex, utilizing multiple layers of obfuscation, legitimate web services, and fileless malware techniques to evade detection. Both campaigns demonstrate a high level of sophistication in social engineering and technical execution, posing significant risks to targeted organizations.
Mar 21, 2026
Diverse Cyber Threat Campaigns Targeting Organizations and Developers
Multiple advanced persistent threat (APT) groups and cybercriminal actors have launched sophisticated campaigns targeting organizations, IT professionals, and software developers using a variety of tactics and malware. Notable incidents include the deployment of malicious Visual Studio Code extensions containing Rust-based implants that mimic legitimate extensions to evade detection, as well as the use of public blockchain and cloud services for command-and-control (C2) communications. Other campaigns involve the distribution of trojanized installers for popular software, such as Telegram, to deliver ValleyRat malware, and the mass publication of malicious npm packages by North Korean actors to spread updated OtterCookie malware, which is capable of credential theft, remote access, and data exfiltration. Additional threats include targeted spear-phishing campaigns like "Operation Hanoi Thief," which uses pseudo-polyglot documents to compromise Vietnamese IT and HR professionals, and the Tomiris APT group’s adoption of new multi-language implants leveraging public messaging platforms for C2. Meanwhile, large-scale phishing campaigns are using seasonal lures to trick users into installing remote management tools, potentially for initial access brokering. These incidents highlight the increasing sophistication and diversity of attack vectors, the blending of legitimate and malicious infrastructure, and the persistent targeting of both organizations and individuals in the technology sector.
Mar 21, 2026