Email-Borne Social Engineering and Credential Theft Risk
Recent coverage emphasized that phishing and social engineering via email remain a primary initial access vector, with attackers increasingly blending into routine workflows (emails, meeting invites, and trusted SaaS notifications). TechTarget highlighted that user judgment is often the last control when filters fail, citing the Microsoft Digital Defense Report 2025 claim that 28% of breaches trace back to phishing/social engineering. It also noted reports of spam relayed through legitimate Zendesk domains/instances (e.g., leveraging recognizable brands) to bypass filtering and drive credential theft or follow-on access.
Separate reporting and guidance reinforced how attackers operationalize these patterns: The Hacker News described Operation Nomad Leopard, a spear-phishing campaign targeting Afghan government entities using government-themed decoys and a GitHub-hosted ISO that drops a LNK to execute a FALSECUB backdoor capable of remote command execution. Other items in the set were largely general best-practice or “common threats” explainers (password hygiene, generic threat overviews) rather than incident-specific intelligence, but they align with the same overarching risk theme: weak/reused passwords and routine email behaviors continue to enable account takeover and downstream compromise.
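The Nomad Leopard chain summarized above (a downloaded ISO is mounted, then a shortcut inside it launches the payload) leaves a recognizable sequence in endpoint telemetry: a virtual-disk mount of an .iso file followed shortly by a process started from the newly mounted drive letter with the shell as its parent. The following detector is an added example written for this page, not code from any of the cited reports or from Mallory; the pipe-delimited log format, the field names (drive, image, cwd, parent, cmdline) and the sample records are all constructed for illustration, and the 10-minute window is an assumed tuning value.

```python
"""Correlate virtual-disk (ISO) mounts with shell-launched processes from the mounted drive.

Added example: the record format below is constructed for this demo and does not
mirror any specific product's log schema. Field names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str               # "mount" (virtual disk attached) or "process" (process created)
    data: Dict[str, str]    # remaining key=value fields


def parse_line(line: str) -> Event:
    """Parse one 'timestamp|host|kind|k=v;k=v' record (constructed format)."""
    ts, host, kind, rest = line.strip().split("|", 3)
    fields = dict(item.split("=", 1) for item in rest.split(";") if item)
    return Event(datetime.fromisoformat(ts), host, kind, fields)


def drive_of(path: str) -> str:
    """Return the upper-cased drive prefix ('E:') of a Windows path, or '' if it has none."""
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else ""


def correlate(lines: Iterable[str], window: timedelta = timedelta(minutes=10)) -> List[Dict[str, str]]:
    """Alert when explorer.exe starts a process on a drive that an .iso was mounted to within `window`."""
    # (host, drive letter) -> (mount time, path of the ISO image that was mounted)
    mounts: Dict[Tuple[str, str], Tuple[datetime, str]] = {}
    alerts: List[Dict[str, str]] = []
    for ev in sorted((parse_line(l) for l in lines), key=lambda e: e.ts):
        if ev.kind == "mount":
            image = ev.data.get("image", "")
            if image.lower().endswith(".iso"):
                mounts[(ev.host, ev.data["drive"].upper())] = (ev.ts, image)
        elif ev.kind == "process":
            # The shortcut inside the ISO is opened from the shell, so the parent is explorer.exe
            # and either the executable or the working directory sits on the mounted drive.
            parent = ev.data.get("parent", "").lower()
            if not parent.endswith("explorer.exe"):
                continue
            drives = {drive_of(ev.data.get("image", "")), drive_of(ev.data.get("cwd", ""))} - {""}
            for drive in drives:
                hit = mounts.get((ev.host, drive))
                if hit and ev.ts - hit[0] <= window:
                    alerts.append({
                        "host": ev.host,
                        "time": ev.ts.isoformat(),
                        "iso": hit[1],
                        "drive": drive,
                        "cmdline": ev.data.get("cmdline", ""),
                    })
                    break
    return alerts


# Constructed sample telemetry: one suspicious chain on ws-01 (mount, then a launch from E:\ 42 s later),
# an unrelated notepad launch on C:, and a benign mount on ws-02 whose launch falls outside the window.
SAMPLE_LINES = r"""
2026-01-15T09:00:00|ws-01|mount|drive=E:;image=C:\Users\ana\Downloads\Report.iso
2026-01-15T09:00:42|ws-01|process|image=C:\Windows\System32\cmd.exe;cwd=E:\;parent=C:\Windows\explorer.exe;cmdline=cmd.exe /c start E:\support\update.exe
2026-01-15T09:05:00|ws-01|process|image=C:\Windows\System32\notepad.exe;cwd=C:\Users\ana;parent=C:\Windows\explorer.exe;cmdline=notepad.exe
2026-01-15T10:00:00|ws-02|mount|drive=D:;image=C:\ISOs\ubuntu.iso
2026-01-15T10:30:00|ws-02|process|image=D:\setup.exe;cwd=D:\;parent=C:\Windows\explorer.exe;cmdline=setup.exe
""".strip().splitlines()


def run_sample() -> List[Dict[str, str]]:
    """Run the correlation over the constructed sample records."""
    return correlate(SAMPLE_LINES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The time window is what separates this from plain "process started from a removable drive" logic: the ISO mount and the launch are tied together per host and drive letter, so routine installer ISOs mounted long before use do not fire, while the double-click-the-shortcut pattern does. In a real deployment the mount events would come from the operating system's virtual-disk provider and the process events from an EDR or Sysmon-style source, and the window should be tuned to the environment.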

How this story unfolded
15 events from the most recent confirmed update back to the earliest known activity.
Email scam reporting underscores employee vigilance needs
A TechTarget news brief published on January 23, 2026, highlighted email scam activity and the need for employee vigilance. The reference does not provide enough detail to identify a more specific underlying incident.
U.S. authorities pursue prosecutions in ATM jackpotting cases
U.S. law-enforcement and justice authorities were reported to have advanced prosecutions related to ATM jackpotting schemes. The item reflected continued legal action against financially motivated cyber-enabled crime.
Swedish espionage case sees new justice-related developments
The roundup referenced law-enforcement or judicial developments tied to Swedish espionage allegations. It was included as part of notable security-related legal actions reported during the period.
Critical vulnerabilities disclosed in Bluvoyix platform
Critical security flaws affecting the Bluvoyix platform were highlighted in the bulletin. The disclosure added another enterprise software risk item to the late-January threat landscape.
Crates.io introduces improved security visibility features
Crates.io was reported to have made security visibility improvements intended to help users better assess package risk. The changes were presented as part of broader ecosystem hardening efforts.
EU advances new supply-chain cybersecurity proposals
New European Union proposals aimed at improving supply-chain cybersecurity were highlighted in the roundup. The measures reflected a policy response to growing software and third-party risk concerns.
Zendesk ticket systems abused as relay points for spam
Abuse of Zendesk ticketing systems as relays for spam or scam messages was reported. The technique showed how attackers can misuse legitimate business platforms to improve delivery and credibility.
Pixel 9 zero-click exploit chain leveraging Dolby and kernel flaws revealed
A zero-click exploit chain affecting the Pixel 9 was described as leveraging Dolby and kernel driver vulnerabilities. The disclosure highlighted a sophisticated mobile attack path requiring no user interaction.
Widespread C2 hosting observed in Chinese internet space
Reporting noted widespread command-and-control hosting activity in Chinese internet space. The observation pointed to infrastructure concentration trends relevant to threat hunting and attribution analysis.
Researchers observe large-scale WordPress plugin reconnaissance
Large-scale reconnaissance activity targeting WordPress plugins was reported, indicating broad scanning or pre-exploitation interest in plugin ecosystems. The item was included among multiple January 2026 developments involving abuse of common internet-facing software.
Fake Notepad++ installer distributes proxyware in South Korea
A fake Notepad++ installer was reported distributing proxyware to users in South Korea. The campaign abused the reputation of a legitimate software brand to monetize infected systems.
Google Ads campaign spreads trojanized PDF editor and TamperedChef
A malicious advertising campaign used Google Ads to distribute a trojanized PDF editor that dropped the TamperedChef infostealer. The campaign was identified as another example of attackers abusing legitimate ad ecosystems to reach victims.
Ad-driven file-converter sites install persistent RATs
Researchers highlighted a malvertising campaign in which fake file-converter websites delivered persistent remote access trojans to victims. The operation relied on deceptive advertising and trusted-looking utility themes instead of exploiting software vulnerabilities.
Russia-aligned hacktivists conduct DoS activity against U.K. organizations
Russia-aligned hacktivist activity was reported targeting U.K. critical infrastructure and local government with denial-of-service attacks. The bulletin framed this as an ongoing disruptive campaign rather than a novel exploit-driven intrusion.
Operation Nomad Leopard targets Afghan government with FALSECUB malware
A spear-phishing campaign dubbed Operation Nomad Leopard targeted Afghan government entities, using a GitHub-hosted ISO file to deliver the FALSECUB backdoor. The activity was described in late-2025 to January-2026 reporting as part of a broader trend of attackers abusing trusted services and workflows.