Cybercriminals have adopted a sophisticated social engineering strategy that exploits the trust inherent in job hunting, according to a recent security advisory.

A financially motivated threat cluster operating from Vietnam has been targeting digital advertising and marketing professionals through fake job postings on legitimate employment platforms and custom-built recruitment websites.

The campaign, which leverages remote access trojans and credential-harvesting phishing kits, represents a growing threat to corporate advertising and social media accounts across multiple industries.

The attack methodology centers on creating fake company profiles masquerading as digital media agencies on popular job boards.

When unsuspecting applicants submit their resumes and contact information for these fabricated positions, they unknowingly establish a foundation of trust that threat actors later exploit.

The self-initiated nature of the victim’s first contact makes subsequent communications from the attacker appear legitimate, as targets believe they are engaging with a potential employer about a position they actively pursued.

The vulnerability extends beyond immediate exploitation. Threat actors can retain collected victim information for future cold email campaigns about additional fabricated opportunities or monetize curated lists of active job seekers by selling them to other criminal groups.

This creates a persistent threat environment where a single job application can result in repeated targeting over extended periods.

Google Threat Intelligence Group researchers identified the operation as UNC6229, noting the cluster primarily targets remote workers in contract or part-time positions who may actively seek employment while currently employed.

The campaign specifically focuses on individuals with legitimate access to high-value corporate advertising and social media accounts, which threat actors can either use to sell advertisements or directly sell the compromised accounts to other criminal entities.

Delivery Mechanisms and Technical Infrastructure

Following the initial contact phase, UNC6229 employs two primary payload delivery methods depending on campaign specifics.

The first approach involves sending password-protected ZIP attachments disguised as skills assessments, application forms, or preliminary hiring tasks.

These archives contain remote access trojans that grant attackers complete device control, enabling subsequent account takeovers.

The second method utilizes obfuscated phishing links, often shortened through URL services, directing victims to fraudulent interview scheduling portals or assessment platforms.

The phishing infrastructure demonstrates technical sophistication, with analyzed kits configured to specifically target corporate email credentials while handling various multi-factor authentication schemes including Okta and Microsoft implementations.

Google researchers noted that UNC6229 abuses legitimate customer relationship management platforms, including Salesforce, to send initial communications and manage campaigns.

This abuse of trusted services increases email deliverability rates and bypasses traditional security filters, making malicious messages appear authentic to recipients.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Google Warns of Threat Actors Using Fake Job Posting to Deliver Malware and Steal Credentials appeared first on Cyber Security News.

A sophisticated cyberattack campaign targeting Microsoft Internet Information Services (IIS) servers has emerged, exploiting decades-old security vulnerabilities to deploy malicious modules that enable remote command execution and search engine optimization fraud.

The operation, which came to light in late August and early September 2025, leverages publicly exposed ASP.NET machine keys to compromise servers worldwide, affecting approximately 240 server IP addresses and 280 domain names across diverse sectors including government agencies, small businesses, and e-commerce platforms.

The attackers exploit a critical weakness in ASP.NET viewstate deserialization by utilizing machine keys that have been publicly available since 2003.

These cryptographic secrets, originally published in a Microsoft Developer Network help page as configuration examples, were inadvertently adopted by countless administrators who implemented them verbatim in production environments.

Microsoft had previously identified over 3,000 such exposed machine keys in code repositories and programming forums, creating a substantial pool of vulnerable targets.

Once attackers obtain these keys, they can manipulate viewstate data to execute arbitrary code on targeted servers without requiring any additional credentials.

HarfangLab analysts identified the malicious module, designated HijackServer, during routine security monitoring of compromised IIS servers.

The infection chain demonstrates considerable sophistication, beginning with initial exploitation through POST requests targeting ASP.NET applications.

Logs from compromised systems revealed multiple suspicious requests with Chinese language settings (zh-tw) hitting root pages of vulnerable applications.

The attackers subsequently deployed a comprehensive toolkit archived as sys-tw-v1.6.1-clean-log.zip, containing 32-bit and 64-bit variants of the malicious IIS modules, installation scripts, and a customized rootkit derived from the open-source Hidden project.

Following initial access, threat actors employed privilege escalation techniques known as EfsPotato and DeadPotato to create hidden local administrator accounts.

They then installed two malicious DLL files, scripts.dll and caches.dll, as IIS modules named ScriptsModule and IsapiCachesModule respectively.

These modules operate at the earliest processing stage of HTTP requests, intercepting traffic before legitimate applications can respond.

The installation process included establishing a working directory at C:\Windows\Temp\_FAB234CD3-09434-8898D-BFFC-4E23123DF2C and configuring the modules to download additional components from staging servers at c.cseo99[.]com and f.fseo99[.]com.

Persistence and Detection Evasion Through Rootkit Deployment

The attackers demonstrated advanced operational security awareness by deploying a customized Windows kernel driver rootkit to conceal their presence.

The Wingtb.sys driver, a modified version of the publicly available Hidden rootkit, operates as a signed kernel component using an expired certificate from Anneng Electronic Co. Ltd.

Despite the certificate’s expiration in 2014, it remains loadable on modern Windows systems due to Microsoft’s driver signing policy exceptions for certificates issued before July 2015.

The rootkit provides comprehensive hiding capabilities for files, registry keys, and processes, managed through a companion command-line tool WingtbCLI.exe with commands translated into Chinese transliteration.

The post-installation script lock.bat systematically conceals critical artifacts including the deployed IIS module files, modified application configuration files, and the rootkit’s registry service key.

Perhaps most notably, the script executes a sweeping deletion of all Windows Event log files using the command: for /f "tokens=*" %%1 in ('wevtutil el') do wevtutil cl "%%1".

This noisy anti-forensics technique contradicts the otherwise stealthy approach of using a rootkit, potentially indicating operational security inconsistencies or the work of less experienced operators deploying pre-packaged tools.

The HijackServer module’s primary purpose appears focused on search engine optimization fraud for cryptocurrency investment schemes.

When Google’s web crawler requests pages from compromised servers, the module dynamically generates HTML content containing numerous links to dubious cryptocurrency websites.

These generated pages successfully appear in legitimate Google search results, demonstrating the effectiveness of the poisoning technique.

However, the module also exposes an unauthenticated remote command execution capability through the /scjg URL path, creating a persistent backdoor that any third party could exploit regardless of whether they coordinated with the original attackers.

This functionality transforms what might appear as financially motivated SEO fraud into a far more serious security compromise with potential espionage implications.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Hijacking IIS Servers in The Wild Using Exposed ASP .NET Machine Keys to Inject Malicious Modules appeared first on Cyber Security News.

North Korean state-sponsored hackers from the Lazarus APT group launched a cyberespionage campaign targeting European companies involved in unmanned aerial vehicle development.

Starting in late March 2025, attackers compromised three defense organizations across Central and Southeastern Europe, deploying advanced malware to steal proprietary UAV technology.

The campaign, tracked as Operation DreamJob, employed social engineering using fraudulent job offers to gain initial access.

The attacks focused on companies manufacturing drone components and developing UAV software, aligning with North Korea’s efforts to expand its drone program.

Researchers discovered compromised systems contained malicious droppers with the internal DLL name DroneEXEHijackingLoader.dll, providing evidence of the campaign’s focus on drone technology theft.

Targets received fake job descriptions with trojanized PDF readers that initiated multi-stage infection processes.

Welivesecurity analysts identified the main payload as ScoringMathTea, a sophisticated remote access trojan serving as Lazarus’s flagship malware since late 2022.

The RAT provides comprehensive control over compromised machines through approximately 40 commands, enabling file manipulation, process control, and data exfiltration.

ScoringMathTea maintains communication with command-and-control infrastructure through compromised servers hosted within WordPress directories.

The malware’s C&C traffic employs multiple encryption layers, utilizing the IDEA algorithm followed by base64 encoding.

Network analysis revealed connections to compromised domains including coralsunmarine[.]com, mnmathleague[.]org, and spaincaramoon[.]com.

Advanced Infection Mechanism and Evasion Tactics

The Lazarus group demonstrated technical sophistication by incorporating malicious loading routines into legitimate open-source projects from GitHub.

Attackers trojanized software including TightVNC Viewer, MuPDF reader, and plugins for WinMerge and Notepad++.

This provides dual advantages: the malware inherits legitimate appearance of trusted applications while executing malicious payloads.

The infection chain employs DLL side-loading and proxying techniques. Legitimate executables such as wksprt.exe and wkspbroker.exe side-load malicious libraries like webservices.dll and radcui.dll.

These compromised DLLs contain two export sets: functions for proxying to preserve application behavior, and malicious code loading subsequent stages.

The malware employs robust encryption throughout the infection lifecycle. Early-stage droppers retrieve encrypted payloads from file system or registry, decrypt them using AES-128 or ChaCha20 algorithms, then load them into memory.

This leverages the MemoryModule library for reflective DLL injection, allowing code execution entirely in-memory without writing decrypted components to disk.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post North Korean Hackers Attacking Unmanned Aerial Vehicle Industry to Steal Confidential Data appeared first on Cyber Security News.

A sophisticated phishing campaign leveraging randomly generated Universal Unique Identifiers (UUIDs) has emerged, successfully bypassing Secure Email Gateways (SEGs) and evading perimeter defenses.

The attack employs an advanced JavaScript-based phishing script combining random domain selection, dynamic UUID generation, and server-driven page replacement to steal credentials.

Unlike conventional phishing operations relying on static redirects, this campaign demonstrates tactical precision.

The phishing script operates by embedding malicious code within HTML attachments or spoofed file-sharing platforms such as Microsoft OneDrive, SharePoint Online, DocuSign, and Adobe Acrobat Sign.

When victims interact with seemingly legitimate documents, the script activates and selects one .org domain at random from nine predefined addresses.

These domains appear bulk-generated without recognizable word patterns, deliberately designed to evade blocklists and machine learning detection systems.

The script generates a dynamic UUID to track individual victims while utilizing a hardcoded UUID as a campaign identifier.

Cofense researchers identified this unusual tactic in early February 2025, noting its ongoing nature and sophistication.

The dual UUID mechanism stands out as particularly uncommon in phishing operations.

After domain selection and UUID generation, the script sends an HTTPS POST request to the chosen server’s API endpoint.

The server responds with dynamically generated content tailored to the victim’s context, such as personalized corporate login pages.

This approach enables threat actors to replace webpage content without changing URLs.

Dynamic Page Replacement

The most deceptive aspect involves dynamic page replacement capability, manipulating browser sessions to deliver credential phishing pages without traditional redirects.

Rather than using window.location.href redirects changing visible URLs, this script employs DOM manipulation techniques to replace page content with server-provided HTML.

The server-driven nature allows real-time customization based on victim context. When users enter email addresses, the script extracts domains and signals backend infrastructure to generate corresponding branded login pages.

This personalization significantly increases victim trust while reducing suspicion. The seamless experience maintained throughout proves critical for successful credential harvesting, demonstrating how modern attacks have evolved beyond simple email deception into sophisticated browser-based manipulation.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Phishing Attack Bypasses Using UUIDs Unique to Bypass Secure Email Gateways appeared first on Cyber Security News.