Identity-Driven Intrusions Fueled by Infostealer Credentials and MFA-Aware Phishing
Threat actors are increasingly achieving initial access through identity compromise rather than software exploitation, with infostealer malware and phishing infrastructure supplying large volumes of valid credentials for automated login attempts against enterprise authentication front doors. Defused Cyber reported a large-scale credential-stuffing campaign targeting F5 BIG-IP and other SSO-adjacent services (including ADFS, STS, and OWA), where honeypots observed high-confidence corporate email/password pairs being submitted at scale from 219.75.254.166 (OPTAGE Inc., Japan). Correlation against Hudson Rock’s infostealer telemetry indicated the majority of observed credentials were harvested from infostealer-infected employee endpoints, suggesting a pipeline from endpoint infection to external SSO gateway intrusion attempts impacting major enterprises and public-sector entities.
In parallel, Datadog Security Labs documented the evolution of the 1Phish kit into an operationally mature, MFA-aware phishing framework targeting 1Password users, shifting from simple credential capture to multi-stage workflows that explicitly collect 2FA codes—consistent with real-time authentication attempts even without confirmed reverse-proxy session hijacking. Broader incident-response telemetry in Sophos’ Active Adversary Report reinforces the same trend: identity-related techniques (compromised credentials, brute force, phishing) accounted for a majority of observed root causes, and attackers often pivot quickly to Active Directory after initial access. A separate finance-sector “2026” threat landscape post is largely high-level and does not add specific, verifiable details to the infostealer/SSO or 1Phish activity described elsewhere.
Related Entities
Malware
Organizations
Affected Products
Sources
Related Stories
Phishing Campaigns Abuse Trusted Platforms and Collaboration Tools to Steal Credentials
Multiple reports describe a broader **credential-theft trend** in which attackers abuse trusted services and familiar business workflows to make phishing more convincing and harder to detect. One campaign used **compromised WordPress sites** and redirects through `skimresources[.]com` to deliver pixel-perfect fake login pages for **Microsoft Teams**, **Xfinity**, and **UAE Pass**, with lures such as missed voicemail and shared-document alerts. Another campaign abused **LiveChat**'s `lc[.]chat` infrastructure to impersonate brands like **PayPal** and **Amazon**, moving victims into fake support conversations designed to extract sensitive information under the guise of refunds or order issues. A separate industry report reinforces the same operational pattern: attackers increasingly rely on **valid credentials** and trusted collaboration tools rather than software exploits, with cloud identity compromise driving most investigated incidents and some intrusions using **Microsoft Teams voice phishing** and **Quick Assist** to gain access, move laterally, and deploy ransomware. Other references in the set cover different stories entirely, including the **CamelClone** espionage operation, a **FancyBear/APT28** infrastructure exposure, and a general weekly security recap, and do not describe the same phishing activity. This is **not fluff** because the relevant items contain substantive threat intelligence on active attack methods, delivery infrastructure, and attacker tradecraft.
Today
Credential Theft and Evasion Techniques Across Phishing, Webmail Exploitation, and Commodity Malware
Threat actors are continuing to prioritize **credential theft** while using defensive and trusted services to evade detection. DomainTools reported a Microsoft 365 phishing operation that **weaponizes Cloudflare protections** (including *Turnstile* human verification) to block automated analysis and security crawlers, then selectively serves a credential-harvesting flow only to “clean” visitors. The infrastructure used additional gatekeeping such as IP reputation checks (including lookups via `api.ipify.org`), hardcoded blocks for security-vendor and cloud-provider ranges, and user-agent filtering that returns a fake `404` page to bots, with the theft logic hidden behind heavy obfuscation. Separately, Hunt.io documented **Operation Roundish**, assessed with medium-high confidence as aligned to **APT28 (Fancy Bear)**, after discovering an exposed open directory hosting a Roundcube exploitation toolkit used against Ukrainian targets (including `mail.dmsu.gov.ua`). The toolkit included XSS payloads, a Flask-based C2, and modules for credential harvesting, mail forwarding persistence, bulk email exfiltration, address book theft, and 2FA secret extraction, plus a Go-based Linux implant (`httd`) found on a compromised Ukrainian web application. In parallel reporting on credential-access tradecraft, Flashpoint analysis highlighted the low-cost **DarkCloud infostealer** (sold for about **$30**) that steals browser logins/cookies and other data and exfiltrates via common channels (email/FTP/Telegram/HTTP), while Aryaka Threat Labs described the **BlackSanta** campaign using steganographic lures and **BYOVD** techniques to disable EDR and enable stealthy data theft over HTTPS—underscoring that credential access and defense evasion remain common precursors to broader enterprise compromise.
5 days ago
Multi-stage phishing and supply-chain malware campaigns targeting credentials and long-term access
Multiple reports highlight active campaigns using *phishing* and *software supply-chain abuse* to steal credentials and establish persistence. eSentire described an espionage-focused operation targeting residents of India with emails impersonating the Income Tax Department, leading victims to a malicious archive that uses DLL side-loading with a legitimate signed Microsoft application, extensive anti-analysis checks, in-memory shellcode unpacking, UAC bypass, and process masquerading; the payload was identified as a **Blackmoon**-family variant that specifically attempts to disable **Avast Free Antivirus** by automating UI interactions to add exclusions. Separately, Aikido reported a malicious npm package (`ansi-universal-ui`) that deploys a multi-stage infostealer (“**G_Wagon**”) by abusing `postinstall` execution, downloading a Python runtime, running an obfuscated payload, and exfiltrating browser credentials, cloud credentials, Discord tokens, and data from 100+ cryptocurrency wallets to an Appwrite storage bucket; it also includes a Windows DLL used for browser-process injection via NT native APIs. In parallel, network-edge exploitation remains a key access vector: Risky Business reported a renewed wave of attacks against **Fortinet FortiGate** devices via a vulnerability Fortinet allegedly “patched” in December but which attackers can still exploit, enabling SSO authentication bypass (via crafted SAML), creation of new admin accounts, and theft of device configuration; mitigations include disabling the FortiCloud SSO feature (not enabled by default). Several other items are general awareness or roundup content rather than specific incident reporting: TechTarget and other blogs emphasized ongoing phishing/email risk (including relay spam abusing legitimate Zendesk instances) and password hygiene, while The Hacker News published a multi-story bulletin that includes (among other items) a spear-phishing campaign in Afghanistan delivering a FALSECUB backdoor via a GitHub-hosted ISO and LNK execution chain; Risky Business also covered Iran’s internet blackout and Starlink jamming/spoofing as a communications-control issue rather than an enterprise cyber incident.
1 months ago