Latest news with #PowerShell
Techday NZ
4 days ago
- Techday NZ
ReliaQuest report exposes rise of social engineering cyber threats
ReliaQuest has released its latest quarterly report, outlining identified trends in cyber attacker techniques, malware use, and ransomware group activity observed between March and May 2025 across its customer base. ClickFix and social engineering tactics One of the most notable trends identified in the report is the widespread use of ClickFix, a social engineering method that misleads users into pasting malicious commands into tools such as PowerShell or the Windows Run prompt. Attackers disguise these actions as solutions to false issues, such as fake CAPTCHAs or Windows updates, enabling them to circumvent defences and introduce malware with comparative ease. This approach has facilitated the increased use of malware families such as Lumma and SectopRAT, both of which utilise trusted tools like MSHTA to deliver malicious payloads. The report notes that social engineering has significantly contributed to the rise of these attack vectors, stating, "Social engineering played a pivotal role in the success of these top tactics." Lateral movement and initial access trends Phishing-based techniques accounted for over half of observed initial access incidents among customers, while drive-by compromise incidents rose by 10% compared to the previous period. The report sees a shift, as attackers increasingly rely on user manipulation rather than exploiting technical vulnerabilities. ReliaQuest's analysis highlights the prominence of remote desktop protocol (RDP) over internal spear phishing as a method of lateral movement within networks. This shift is closely associated with attackers impersonating IT helpdesks to persuade users to install RDP tools. The report finds, "The shift away from tactics like internal spearphishing suggests attackers are favouring techniques that require less user interaction and offer more direct access to internal systems." Additionally, drive-by downloads powered by campaigns such as ClickFix and widely available phishing kits continue to lower the threshold for cybercriminal activity. External remote resources dropped from third to fourth place among initial access vectors, further illustrating the focus on exploiting human factors. MSHTA on the rise for defence evasion MSHTA (Microsoft HTML Application Host), a native Windows binary, was reported to be involved in 33% of defence evasion incidents during the period, up from just 3.1% the previous year. Attackers use this legitimate tool to bypass conventional security tools by convincing users to execute malicious commands themselves, often delivered through social engineering campaigns such as ClearFake. "ClearFake's early adoption of ClickFix techniques propelled MSHTA from 16th to second place among defence evasion tactics. Recently, other ClickFix adopters have fuelled MSHTA's current surge, leveraging broader social engineering tactics to bypass defences more effectively," the report details. Changes in ransomware operations The report notes significant changes among ransomware groups, with the closure of "RansomHub" leading many affiliates to migrate to other groups, notably Qilin, which saw a 148% increase in activity. Play and Safepay also reported increased activity of 116% and 266%, respectively. The number of active ransomware groups has dropped by nearly 30%, but newer or established ransomware-as-a-service (RaaS) platforms have absorbed most of these affiliates, raising concerns over increasingly professionalised threats. "With major ransomware groups like RansomHub gone, RaaS operators are vying to capitalise on the influx of affiliates searching for new platforms. To attract this talent, we'll likely see RaaS platforms introduce innovative capabilities or revise profit-sharing models. This competition is expected to create a more fragmented yet increasingly sophisticated ransomware ecosystem, posing even greater challenges for defenders." Impact on industry sectors The construction industry was the only sector to see an increase in ransomware attack victims, rising by 15%. ReliaQuest attributes this to opportunistic targeting as attackers seek out industries with perceived weaker defences. The report notes, "Construction organisations may feel compelled to pay ransoms quickly to avoid costly downtime and operational delays, making them attractive targets." By contrast, the retail sector saw a 62% decrease in victims, attributed to a drop in activity from the "CL0P" ransomware Cleo campaign. Malware trends and threat actor activity The period saw increased activity by the SectopRAT malware, delivered via ClickFix and malvertising campaigns. Despite infrastructure takedowns in May 2025, Lumma infostealer operations continue, with new logs advertised on cybercriminal forums and marketplaces. "Although Lumma's activity is likely to decline over the coming months as the impact of the takedown continues to unfold, it's likely the group could regain traction over time. As attention around the takedown diminishes, attackers may return to this familiar and well-established tool," the report comments. Emergence of Scattered Spider Scattered Spider, after a five-month hiatus, returned in April 2025 with attacks on UK retail organisations. The group is identified for using detailed social engineering against high-value individuals such as CFOs and utilising both on-premises methods and cloud techniques for stealth and control. "Scattered Spider's success lies in its ability to combine social engineering precision, persistence in cloud environments, and on-premises technical expertise. These TTPs allow the group to achieve initial access, maintain control, and operate stealthily, making it difficult for organizations to detect and remediate the group's activity in the early stages of an attack." Recommendations and defensive measures ReliaQuest's report makes several recommendations for organisations, including disabling Windows Run for non-administrative users, enforcing control over RDP tool installations, implementing web filtering, and prioritising user training against social engineering. Additional measures include strengthening identity verification, enabling advanced monitoring, and conducting regular risk assessments, particularly for privileged user accounts. Looking ahead, the report anticipates broader adoption of ClickFix among ransomware affiliates, increased sophistication by groups such as Scattered Spider, and the continued rise of infostealer malware like Acreed. The report concludes by emphasising the need for proactive investment in advanced detection, user education, and securing of both cloud and traditional infrastructure to counter an upward trend in attack complexity and evasion tactics.
Arabian Post
16-06-2025
- Business
- Arabian Post
GrayAlpha Weaponises Fake Browser Updates to Drop PowerNet Loader
Security researchers have uncovered a wave of attacks orchestrated by GrayAlpha, a cybercriminal operation linked to the FIN7 group, exploiting cloned browser update pages to install a custom PowerShell loader dubbed PowerNet and ultimately deliver NetSupport RAT malware. Infrastructure analysis confirms the use of fake browser-updates, counterfeit 7‑Zip download sites, and a previously unreported Traffic Distribution System called TAG‑124 as delivery mechanisms. The initial compromise begins when victims visit compromised sites or encounter malvertising and are redirected to fabricated update pages mimicking legitimate services like Google Meet, SAP Concur, LexisNexis and Advanced IP Scanner. Sophisticated JavaScript fingerprinting scripts capture system details before transitioning users to download payloads via URLs such as / These downloads deploy PowerNet—a custom PowerShell loader designed to unpack and execute NetSupport RAT in memory. Recorded Future's Insikt Group analysis traced overlapping infection paths active since April 2024. While each vector—fake updates, counterfeit 7‑Zip sites, and TAG‑124 TDS—was employed in tandem, only the bogus 7‑Zip pages remained active by mid‑June 2025, with new domains registered as recently as April 2025. The study also cites 'MaskBat,' a second custom loader resembling FakeBat malware that carries GrayAlpha-specific code strings. ADVERTISEMENT The investigation highlights the group's use of bullet‑proof hosting services, primarily Stark Industries Solutions, with additional infrastructure through HIVELOCITY and HIP‑hosting. These muddy their digital footprint while evading takedown attempts. The misuse of TAG‑124 TDS is particularly notable, marking its first known public disclosure and demonstrating growing sophistication in chaining infection methods. Analysts caution that these tactics emulate FIN7's modus operandi—highly targeted, multi-stage campaigns with advanced tooling. FIN7 has conducted cybercrime operations since at least 2013, notably targeting retail, hospitality and finance sectors. It remains structured like a corporate entity, employing specialised teams for malware creation, phishing, money laundering and logistics. In light of these threats, cybersecurity experts recommend stringent application allow‑listing, enhanced employee training to spot deceptive update prompts or malvertising, and deployment of YARA rules and network intel indicators capable of identifying PowerNet, MaskBat and NetSupport RAT activity. Organisations are also urged to actively monitor web infrastructure and domain registrations linked to TDS TAG‑124 campaigns. This campaign underscores a growing trend among financially motivated cyber actors: increasingly professional operations employing deceptive surface-level strategies to deliver heavyweight payloads. While infection surface varies—browser updates, download portals or redirect chains—the end goal remains consistent: persistence via NetSupport RAT, enabling remote access, surveillance, and data exfiltration.
Forbes
06-06-2025
- Forbes
Microsoft Issues Critical Windows Update—Do Not Delete This
You have been warned — do not hit delete. NurPhoto via Getty Images You won't like this. If you're at risk from this Windows security vulnerability, the fix is a nightmare unless you're a fairly expert user. That's not ideal, and it's all down to an update quietly installed on your PC without explanation in April. You may recall the awkward saga of the 'inetpub' folder and 'Microsoft's confusing messaging on deleting or not deleting this mysterious folder on your PC that could leave you and your PC at risk.' Plenty of users deleted the folder that suddenly turned up. 'After installing this update or a later Windows update,' Microsoft later explained, the new folder will appear on your device. 'This folder should not be deleted.' This empty folder, Windows Latest explains, 'is typically associated with Internet Information Services (IIS), which is a native Windows service that allows developers to host websites or apps on Windows 11.' The empty folder appeared without explanation. 'Some of us assumed that it's a bug with the cumulative update and deleted the folder.' Now we have news of an actual fix. 'If you deleted the 'inetpub' folder, created after Windows April 2025 updates,' Windows Latest warns, 'you need to immediately bring it back.' You can turn on the IIS service or 'use a new PowerShell script.' Only after all those deletions did the explanation come. The 'inetpub' folder 'is created as part of a security patch for CVE-2025-21204,' Windows Latest says, 'and it doesn't matter whether IIS is turned on or not. It'll show up, and you're not supposed to delete it, and if you deleted it, please bring it back, according to Microsoft.' You can turn on IIS, 'however, that's something most people don't want to do because IIS also creates additional folders, which are not required unless you're a developer. Instead you can run Microsoft's newly released PowerShell script. First ensure you're logged in as an Administrator, then you can follow Windows Latest's instructions: Mostly users are unlikely to go through this, which will leave them at risk. 'As per Microsoft, without the folder and its correct ACLs (Access Control Lists), you remain exposed to potential privilege escalation or unauthorized access.'
Yahoo
04-06-2025
- Business
- Yahoo
Microsoft to Add Lightweight Command-Line Text Editor 'Edit' to Windows 11
Microsoft is preparing to bring a new command-line text editor called Edit to Windows 11, which is made for users who want a simple and lightweight tool for editing text files. Edit is now available on GitHub for anyone to download, and Microsoft says it will soon be included by default in Windows 11 as the primary text editor for command-line environments such as PowerShell and Command Prompt, as reported by Windows Latest. But this does not mean Edit will replace Notepad; instead, it will be accessible directly from the Terminal by typing 'edit.' Edit is made to be an easy and efficient option, with a file size of just a couple of hundred KBs. It lets users perform basic text editing tasks, like opening and saving files, finding and replacing, word wrapping, and jumping to specific lines. It's ideal for users who want a minimal tool that works entirely within the Terminal, without the extra functions and size of more complex editors like Notepad or Word. Microsoft says Edit fills a gap for those who quickly view or change text files. To use Edit now, users can download it from GitHub or install it through the Winget package manager.
Forbes
04-06-2025
- Business
- Forbes
This Dangerous Email Tricks You Into Hacking Your Own PC
Do not be tricked into hacking your own PC. getty Take a walk through any major tourist city in the world, and eventually you will see them. On a bridge or promenade or in a park. Someone sitting with three plastic cups and a bunch of onlookers, watching as someone is scammed. Everyone knows it's a scam. It doesn't matter that you've watched as the marble is placed under a cup, keeping an eagle eye on it as the three cups are swapped around. The marble has moved and you cannot win. You know you should know better. So it is with the so-called ClickFix lures currently hacking PCs around the world. The leading example of the new wave of 'scam yourself' attacks, you know you should know better. But the cleverness of the hook, the trickery of the scammer still works. As McAfee explains, ClickFix attacks 'begin with users being lured to visit seemingly legitimate but compromised websites. Upon visiting, victims are redirected to domains hosting fake popup windows that instruct them to paste a script into a PowerShell terminal.' In reality, this 'sophisticated form of social engineering, leveraging the appearance of authenticity' just 'manipulates users into executing malicious scripts.' The email lure. Cofense A new warning from Cofense has just outed one of the most devious lures I've seen recently. It's a nasty attack that plays on the human emotions and fears of the victim being scammed, so much so that they don't see the attack coming. But they should. The dangerous email lure is sent to businesses in the travel industry, purporting to be from market giant warning that a customer has made a serious complaint and giving the recipient a time-boxed opportunity to respond using the link provided. This click launches ClickFix Cofense 'While the exact email structure varies from sample to sample,' Cofense says, 'these campaigns generally provide emails with embedded links to a ClickFix fake CAPTCHA site which is used to deliver a malicious script that runs RATs and/or information stealers.' The campaign 'preys on the recipient's fear of leaving a guest dissatisfied' and might 'claim that a guest was trying to contact the hotel but was unable to get a response.' Cofense provides one such example, which is 'particularly notable for mentioning potential reputational damage and giving a strict 24-hour deadline for compliance.' ClickFix attack. Cofense Not all these attacks are negative, some suggest requests or questions from future (imaginary) guests, while also providing a link for the hotel operator to respond. 'The emails used in these campaigns will sometimes state that the embedded link only works on Windows computers,' simply because this malware only infects Windows PCs. But despite the lure, the attack is the same as all the others. In this case it's a CAPTCHA 'Robot or Human?" challenge, which instructs the user to open a Windows prompt and paste in the text on the PC's clipboard, and then press Enter. Absent a few wording changes, there is no variation in this part of the attack. It's the most blatant tell. Cofense says some of the latest attacks used Cloudflare CAPTCHAs while others used brand instead. The instructions, though, are all the same. Once you know about ClickFix, in theory at least you can't be fooled. But the cybercriminals will try nonetheless, and the attacks are flying, so it's working. Don't be fooled. Never paste in copied text and hit Enter in this way. Whether it's a CAPTCHA, a secure website or document restriction, or a technical fault, it's always an attack. And the hacker is always you.
