Cybersecurity researchers have uncovered a sophisticated phishing campaign that combines two emerging attack techniques to bypass conventional security defenses.

The hybrid approach merges FileFix social engineering tactics with cache smuggling to deliver malware payloads without triggering network-based detection systems.

This evolution represents a significant shift in how threat actors are circumventing endpoint detection and response solutions by eliminating the need for malicious code to establish internet connections during execution.

The attack begins with a deceptive phishing page masquerading as a legitimate FortiClient Compliance Checker interface.

Victims are socially engineered into executing malicious commands by pasting clipboard content into the Windows Explorer address bar.

The technique capitalizes on FileFix methodology, which exploits the 2048-character limit of Explorer’s address bar to deliver substantially larger payloads compared to traditional ClickFix attacks limited to 260 characters in the Windows Run dialog.

Attackers further obscure their commands by padding them with spaces, ensuring only benign-looking text appears visible to users while concealing malicious PowerShell scripts in the hidden portions.

What distinguishes this campaign from conventional malware distribution methods is its innovative use of cache smuggling to pre-position payloads on victim systems.

Rather than downloading malicious files through conventional web requests that security tools typically monitor, the attack leverages browser caching mechanisms to store embedded executables disguised as legitimate image files.

MalwareTech analysts identified this technique during threat intelligence investigations at Expel Security, noting how the first-stage loader simply extracts the second-stage payload directly from the browser’s cache without generating any suspicious network traffic.

The technical implementation involves JavaScript code that uses the fetch() function to retrieve a fake JPG file, which is actually a ZIP archive containing the malicious payload.

By setting the HTTP Content-Type header to image/jpeg, attackers trick web browsers into caching executable files as if they were standard static assets.

The embedded PowerShell script then searches through the browser’s cache directory to locate the smuggled ZIP file, extracts its contents, and executes the malware without establishing any external connections that would alert network monitoring systems.

Advanced Exif Smuggling Technique

Building upon basic cache smuggling principles, security researchers have developed an even more sophisticated variation using Exif metadata concealment within legitimate image files.

This technique exploits the Exchangeable Image File Format specification, which permits up to 64 KB of metadata storage within JPG images.

By embedding malicious payloads into oversized Exif fields while maintaining valid image structure, attackers can create fully functional photographs that simultaneously carry hidden executable code undetectable to casual inspection.

The implementation leverages a quirk in how Exif parsers handle ASCII string fields. While most software interprets a null byte as the string termination character, the Exif specification includes a separate length field that defines the actual data size.

Researchers demonstrated this by crafting Image Description fields structured as benign text followed by a null byte and then the payload data wrapped in delimiter tags.

When viewed through Windows Explorer properties, only the innocuous description appears, yet the full malicious payload remains embedded within the file structure, accessible through programmatic extraction using PowerShell regular expressions matching specific byte patterns.

This Exif smuggling approach eliminates several shortcomings of earlier cache smuggling implementations.

Traditional methods that simply relabeled executables as image files generated broken image icons and risked detection by firewalls performing content-type validation.

The new technique produces perfectly valid JPG files that render normally while containing hidden payloads extractable without dedicated Exif parsers.

Testing revealed this method works across multiple attack vectors, including Microsoft Outlook email attachments, where images are preemptively cached even when preview features are disabled, potentially delivering payloads before users open messages.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Threat Actors Merging FileFix and Cache Smuggling Attacks to Evade Security Controls appeared first on Cyber Security News.

A sophisticated Android banking trojan dubbed GhostGrab has emerged in the threat landscape, targeting financial institutions across multiple regions with advanced credential theft capabilities.

The malware operates silently on infected devices, harvesting sensitive banking credentials while intercepting one-time passwords through SMS messages.

Security teams have observed active campaigns distributing GhostGrab through compromised application stores and malicious advertisements, raising concerns about the evolving sophistication of mobile banking threats.

GhostGrab employs a multi-layered infection strategy that begins with social engineering tactics, often masquerading as legitimate productivity applications or system utilities.

Once installed, the malware requests extensive permissions under the guise of standard application functionality, including accessibility services, SMS access, and overlay permissions.

These privileges enable the trojan to monitor user activities, capture screen content, and intercept authentication messages without triggering immediate suspicion from victims.

Cyfirma researchers identified the malware during routine threat intelligence operations, noting its refined approach to evading detection mechanisms deployed by major banking institutions.

The trojan demonstrates advanced anti-analysis capabilities, including emulator detection and debugger checks that terminate execution when research environments are detected.

Analysis reveals that GhostGrab maintains command-and-control communication through encrypted channels, receiving updated configuration files that specify targeted banking applications and exfiltration protocols.

The malware’s impact extends beyond individual account compromise, as threat actors leverage stolen credentials for unauthorized fund transfers and fraudulent transactions.

Financial institutions have reported increased incidents of account takeovers correlating with GhostGrab infections, prompting enhanced monitoring protocols and customer security advisories.

Technical Architecture and Data Exfiltration Methods

GhostGrab implements a sophisticated overlay attack mechanism that displays convincing phishing screens atop legitimate banking applications.

When victims launch targeted financial apps, the malware dynamically generates pixel-perfect replicas of login interfaces, capturing credentials as users enter them.

The trojan monitors incoming SMS messages through registered broadcast receivers, filtering for authentication codes matching common OTP patterns.

Extracted credentials and OTP codes are immediately encrypted using AES-256 encryption before transmission to remote servers, minimizing detection by network monitoring tools.

The malware maintains persistence through system boot receivers and foreground services that restart core components following device reboots or application terminations.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New GhostGrab Android Malware Silently Steals Banking Login Details and Intercept SMS for OTPs appeared first on Cyber Security News.

The BlueNoroff threat group, also tracked as Sapphire Sleet, APT38, and TA444, has significantly evolved its targeting capabilities with sophisticated new infiltration strategies designed specifically to compromise C-level executives and senior managers within the Web3 and blockchain sectors.

The group, historically focused on financial gain through cryptocurrency theft, has unveiled two coordinated campaigns dubbed GhostCall and GhostHire that represent a substantial shift in both technical sophistication and social engineering tactics.

Securelist analysts and researchers identified these campaigns beginning in April 2025, revealing a multi-faceted approach that combines deceptive video conferencing infrastructure with advanced malware deployment chains.

The GhostCall campaign predominantly targets macOS users at technology companies and venture capital firms through fraudulent investment-related meetings, while GhostHire focuses on Web3 developers using fake recruitment processes.

Both campaigns demonstrate the group’s ability to leverage generative AI for crafting convincing phishing materials and enhancing social engineering effectiveness.

The emergence of these campaigns marks a deliberate platform shift from Windows to macOS systems, deliberately chosen to align with the target demographic’s predominantly Apple-based infrastructure.

This strategic decision enables the group to deploy specifically engineered malware chains optimized for macOS environments, creating significantly fewer detection opportunities across typical enterprise security stacks.

Attack Vector Innovation: The Fake Video Call Infrastructure

The GhostCall campaign employs an innovative attack mechanism centered on fabricated Zoom and Microsoft Teams environments hosted on attacker-controlled domains.

Victims receive Telegram-based invitations to investment meetings featuring phishing URLs mirroring legitimate conference platforms.

Upon joining fake calls, targets encounter carefully staged scenes displaying video recordings of previously compromised victims rather than deepfakes, creating convincing authenticity.

The interface then prompts users to download supposed SDK updates, which actually deliver malicious AppleScript files containing nearly 10,000 blank lines designed to obscure malicious payload extraction.

The infection chains employ sophisticated code injection techniques utilizing the proprietary GillyInjector framework.

The AppleScript executes a curl command downloading additional stages, ultimately installing modular malware components including CosmicDoor backdoors, RooTroy downloaders, and SilentSiphon stealer suites.

Most notably, the stealer modules comprehensively harvest sensitive data spanning cryptocurrency wallets, browser credentials, SSH keys, cloud infrastructure tokens, DevOps configurations, and Telegram account sessions.

The technical implementation showcases unprecedented sophistication, leveraging RC4 encryption for configuration management, AES-256 algorithms for payload protection, and strategic TCC database manipulation enabling unrestricted system access without user consent prompts.

This represents a significant maturation in the group’s operational capabilities and underscores the critical risks facing cryptocurrency industry executives.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post BlueNoroff Hackers Adopts New Infiltration Strategies To Attack C-Level Executives, and Managers appeared first on Cyber Security News.