This is a newsletter I create and share with my internal security team. Feel free to grab and do the same.
Scattered LAPSUS$ Hunters: 2025’s Most Dangerous Cybercrime Supergroup (Picus Security)
Picus Security charts the rise of the threat actor collective known as Scattered LAPSUS$ Hunters (SLH), a 2025 coalition of the previously independent groups Scattered Spider, LAPSUS$, and ShinyHunters. This supergroup combines extensive access-brokerage, insider-recruitment, and public-facing extortion campaigns—rendering it one of the most volatile and visible threats on the extortion landscape.
Key Insights
Alliance formation: SLH marks a strategic merger that pools reputational value and operational resources, enabling affiliate access and rapid scaling of extortion-as-a-service (EaaS) offerings.
Social engineering pivot: The group emphasizes vishing, SMS phishing, and supply-chain compromise (especially in SaaS and identity platforms) over traditional malware-driven intrusions.
Public-facing theatrics: SLH leverages Telegram channels, data-leak sites, and public threats to amplify fear, recruit affiliates, and engage in brand-style cyber extortion.
Broad target scope: Industries targeted include enterprise SaaS providers, technology firms, retail, and manufacturing, with frequent exploitation via OAuth abuse, insider access, and credential harvesting.
Resilient and adaptive: Despite law-enforcement actions, SLH maintains activity through federated branding, multiple leak portals, and decentralized affiliate networks.
Further Reading: Picus Security
The Most Advanced ClickFix Yet (Push Security)
Push Security researchers have uncovered a new and highly refined iteration of the “ClickFix” phishing framework, featuring modular capabilities for credential harvesting and session hijacking. This version uses advanced URL obfuscation, cloud-hosted redirects, and adaptive templates that mimic corporate login portals to bypass detection and deceive users more effectively.
Key Insights
Framework evolution: ClickFix’s latest version integrates dynamic templates and tokenized redirects to evade pattern-based blocking.
Session hijacking: Stolen authentication cookies allow attackers to access corporate accounts even when multi-factor authentication is enabled.
Cloud abuse: Hosting payloads on legitimate cloud services gives attackers credibility and helps phishing links evade automated scanning.
Rapid deployment: The phishing kits are prepackaged for affiliates, enabling faster setup and broader campaign reach.
Enterprise risk: The sophistication and modularity of ClickFix underline a trend toward professionalized phishing-as-a-service ecosystems.
Further Reading: Push Security
Cyber LNK Weaponizes Windows Shortcuts for Malware (Abnormal)
Abnormal researchers describe a rising threat where attackers weaponize Windows .lnk shortcut files using a point-and-click builder (Cyber LNK). As macro-based delivery declined, threat actors moved to shortcut files that masquerade as benign documents or PDFs but execute payloads when opened—giving attackers a stealthy, scalable alternative for phishing and malware distribution.
Key Insights
Shortcut-based delivery: .lnk files are being abused to launch commands or executables while appearing as harmless documents (e.g., showing a PDF icon).
Builder democratizes attacks: The Cyber LNK builder simplifies creation of weaponized shortcuts, lowering technical barriers for less skilled actors.
Macro migration vector: Attackers shifted to .lnk following widespread blocking of macro-enabled Office files, preserving phishing efficacy.
Evasion & UX spoofing: Techniques include icon spoofing, filename masquerading, and obfuscated command lines to bypass static detection and fool users.
Delivery via email phishing: Campaigns deliver .lnk attachments or archived shortcuts via phishing, combining social engineering with the new file vector.
Further Reading: Abnormal
New Phishing Campaign Exploits Meta Business Suite to Target SMBs Across the U.S. and Beyond (Check Point Research)
Check Point Research uncovered a phishing campaign that abuses the Meta Business Suite JSON API flows to masquerade as legitimate business-management notifications. Through this abuse, attackers sent convincing lures to SMBs in the U.S. and globally, claiming billing issues or account suspension and directing victims to fake login portals. The campaign succeeded in bypassing detection by conforming to expected API patterns and dynamically generating URLs that appear unique per victim.
Key Insights
API abuse for legitimacy: Attackers used Meta’s business-management JSON callbacks to fetch business names and tailor phishing messages, increasing trust and clicks.
Global SMB targeting: While initial hits were in the U.S., the campaign expanded to over 20 countries, focusing on small and mid-sized businesses with available business-suite integrations.
Dynamic URL generation: Each phishing link was unique and time-limited, preventing bulk blocking and defeating static URL reputation databases.
Credential theft via login proxy: Victims were redirected to an Azure-hosted login page that mirrored the Meta Business Suite sign-in interface, capturing both credentials and session cookies.
Evading detection: Because the attacker-generated callback requests resembled normal Meta API traffic, email filters reliant on anomaly detection struggled to flag the messages.
Further Reading: Check Point Research – New Phishing Campaign Exploits Meta Business Suite to Target SMBs Across the U.S. and Beyond
New Phishing Attack Leverages Popular Brands to Harvest Logins (Cybersecurity News)
A recent phishing campaign delivers self-contained HTML attachments that impersonate trusted brands such as Microsoft 365, Adobe, FedEx, and DHL to harvest credentials. These attachments bypass external link filtering by embedding phishing pages directly in the email and use JavaScript to send stolen data to Telegram bots rather than traditional command-and-control servers. The campaign targets industries like agriculture, automotive, construction, and education in regions including the Czech Republic, Slovakia, Hungary, and Germany.
Key Insights
Attachment-based attack delivery: Phishing emails include HTML files with fake login portals, avoiding reliance on external links and reputation lists.
Brand impersonation at scale: Multiple major brands are mimicked to increase trust and widen the potential victim pool.
Direct data exfiltration using Telegram bots: Stolen credentials are sent directly through Telegram Bot API, reducing detection trace-paths.
Industry & regional targeting: Focused on sectors with frequent procurement flows and Central/Eastern European markets, showing deliberate target selection.
Technical evasion tactics: Use of RFC-compliant filenames (e.g., “RFQ_4460-INQUIRY.HTML”) helps disguise malicious attachments as legitimate business documents.
Further Reading: Cybersecurity News
New ClickFix Attack Tricks Users with ‘Fake OS Update’ to Execute Malicious Commands (Cybersecurity News)
A new iteration of the ClickFix social-engineering campaign deploys a browser-based fake Windows update prompt that simulates a system crash or update screen. Victims who follow on-screen instructions end up executing malicious commands, leading to remote access, infostealer installations, or ransomware loaders.
Key Insights
The deceptive overlay mimics a Windows update or Blue Screen of Death (BSOD) complete with progress bar and error codes, inducing urgency and fear.
Victims are instructed to perform “manual fixes” such as pressing Ctrl+Alt+Del, entering commands in a pseudo CLI, and downloading a “recovery tool” which is actually malware.
The campaign leverages both PCs and mobile devices, with full-screen simulations compatible across platforms.
Because the user initiates the commands themselves, many security tools fail to flag the activity as malicious.
This attack underlines the persistent importance of user awareness and a skeptical mindset toward unexpected system update prompts.
Further Reading: Cybersecurity News
Global Cyber Attacks Surge in October 2025 Amid Explosive Ransomware Growth and Rising GenAI Threats (Check Point Research)
In October 2025, organizations saw a sharp rise in cyber attacks, with weekly averages nearing 2,000 per organization. Ransomware activity expanded significantly, and GenAI-related risks continued to emerge as organizations adopted newly integrated AI tools.
Key Insights
Weekly attack volumes increased across most regions, with several sectors experiencing notable year-over-year growth.
Ransomware incidents rose substantially, reflecting broader adoption of opportunistic targeting.
GenAI usage introduced new exposure points, particularly around prompt-based data leakage.
Education, telecommunications, and government sectors experienced the highest attack frequency.
Further Reading: Check Point Research
Phishing Scam Uses “rn” to Fake Microsoft (Cybersecurity News)
A new phishing campaign is abusing a visual trick that replaces the letter “m” with the characters “r” and “n”, creating deceptive domains such as “rnicrosoft.com.” The substitution is subtle enough that many users overlook it, especially on mobile devices, where character spacing is tighter. Attackers use these lookalike domains to deliver convincing credential-harvesting emails and login pages that appear legitimate.
Key Insights
Attackers rely on a visually deceptive domain swap (“m” → “rn”) that closely mimics legitimate Microsoft branding.
The technique increases success rates because users often skim URLs, especially on smaller screens.
This method reflects a broader shift toward domain-based deception rather than attachment-driven phishing.
Further Reading: Cybersecurity News
Fake Windows-Update Screen Pushes Malware via ClickFix Campaign (BleepingComputer)
A new iteration of the ClickFix phishing campaign employs a fake Windows update or error screen — complete with progress bars and warning messages — to trick victims into executing malicious commands. Once the user follows the on-screen instructions, the system launches malware capable of remote access or data theft.
Key Insights
The fake update screen leverages urgency and system-failure anxiety to prompt user action.
Because execution is triggered manually by the user, many defenses fail to flag the activity.
Although targeting Windows, this style of UI-based deception could be adapted to other platforms.
The campaign highlights a shift toward interface-spoofing rather than traditional link-based phishing.
Further Reading:
BleepingComputer
HashJack — First-Known Indirect Prompt Injection against AI Browsers (Cato Networks)
Researchers identified a new indirect prompt-injection method called HashJack, which hides malicious instructions inside the fragment section of a URL (the part after “#”). When an AI browser assistant loads the page and interprets the fragment as part of its prompt, the attacker can silently influence the assistant’s behavior without compromising the website itself. This technique turns otherwise legitimate URLs into delivery mechanisms for prompt-based attacks.
Key Insights
Attackers can weaponize any legitimate website simply by appending a malicious fragment to the URL.
URL fragments are not transmitted to servers or monitored by most network security tools, enabling the attack to bypass common defenses.
The technique can be used for phishing, misinformation, malicious instruction delivery, or data manipulation.
Multiple AI-enhanced browsers and assistants are susceptible until mitigations are deployed.
Further Reading: Cato Networks
B2B Guest Access Creates an Unprotected Attack Vector (Ontinue)
Microsoft’s “Chat with Anyone” capability in Teams allows users to chat with nearly any email address, but accepting a guest invite places them inside an external tenant where their organization’s security controls no longer apply. Attackers can exploit this gap to send phishing links or malicious files from low-security tenants, bypassing protections such as Safe Links and malware scanning.
Key Insights
Guest access applies the host tenant’s security controls, not the user’s home organization.
Attackers can use low-cost or trial tenants to bypass URL scanning and attachment inspection.
The feature is enabled globally by default, increasing the risk of unnoticed exposure.
External chats can function like email-borne phishing but without standard enterprise safeguards.
Further Reading: Ontinue
Weaponized Google Meet Page Uses ClickFix to Deliver Malware
Attackers are using a fake Google Meet landing page to trick users into executing malicious PowerShell commands. The site imitates the real Google Meet interface and displays a bogus camera or microphone error. It then instructs the user to run a “fix” that silently installs malware — often a Remote Access Trojan or infostealer — by copying a command to the clipboard and guiding the user to execute it through the Run dialog. Because the execution occurs outside the browser, typical browser-based protections are bypassed.
Key Insights
The attack depends entirely on social engineering, prompting users to manually run attacker-supplied commands.
Browser protections are avoided because execution happens through the operating system rather than a webpage.
The campaign leverages trust in Google Meet to lend legitimacy to the fake interface.
Forensic artifacts on infected systems can trace activity back to the malicious site.
Further Reading: Cybersecurity News
