Major Incidents or Breaches

  • The FBI has issued a FLASH alert regarding UNC6040 and UNC6395, two threat actor clusters actively compromising Salesforce environments. These actors are stealing sensitive data and engaging in extortion of affected organisations.

Notable Threat Actor Activity

  • Chinese-speaking users are being targeted by a malware campaign leveraging SEO poisoning. The campaign uses fake software distribution sites, hosted via GitHub Pages, to deliver HiddenGh0st, Winos, and kkRAT malware families.
  • A new phishing-as-a-service (PhaaS) platform named VoidProxy has been identified. VoidProxy is designed to target Microsoft 365 and Google accounts, including those protected by third-party single sign-on (SSO) services.

Trends, Tools, or Tactics of Interest

  • Attackers are manipulating search engine rankings (SEO poisoning) to lure users to malicious sites, particularly for distributing malware to Chinese-speaking audiences.
  • Web honeypots have observed an increase in HTTP requests probing for ZIP archives (e.g., backup.zip, web.zip), indicating reconnaissance for, or attempted exploitation of, archived data left exposed on web servers.
  • The use of legitimate platforms like GitHub Pages for malware hosting continues to be a tactic, complicating detection and takedown efforts.
  • VoidProxy’s service highlights the ongoing professionalisation and accessibility of phishing operations, specifically targeting enterprise cloud accounts and SSO-protected environments.
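As an added illustration of the archive-probing observation above (example code written for this digest, not from the original bulletin or from any honeypot project): a small Python detector that parses access log lines in the Apache/nginx combined format and flags client IPs that directly request several distinct archive files. The sample log lines, the IP addresses, the archive-extension list and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2025:08:01:12 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2025:08:01:13 +0000] "GET /web.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2025:08:01:14 +0000] "GET /www.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2025:08:01:15 +0000] "GET /site.tar.gz HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Sep/2025:08:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Sep/2025:08:02:05 +0000] "GET /downloads/release.zip HTTP/1.1" 200 20480 "https://example.test/downloads" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
# Assumed list of archive/backup extensions worth watching for.
ARCHIVE_RE = re.compile(r'\.(zip|tar|tgz|tar\.gz|rar|7z|bak|sql\.gz)$', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_archive_probes(log_text, min_paths=2):
    """Return {ip: {"paths": [...], "hits": [...]}} for IPs that requested at least
    min_paths distinct archive paths with no referer (a direct probe rather than a
    link followed from the site). "hits" lists probed paths that returned 200."""
    per_ip = defaultdict(dict)  # ip -> {path: status}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not ARCHIVE_RE.search(rec["path"].split("?")[0]):
            continue
        if rec["referer"] not in ("", "-"):
            continue  # came via a site link, not a blind probe
        per_ip[rec["ip"]][rec["path"]] = rec["status"]
    findings = {}
    for ip, paths in per_ip.items():
        if len(paths) >= min_paths:
            findings[ip] = {"paths": sorted(paths),
                            "hits": sorted(p for p, s in paths.items() if s == 200)}
    return findings
```

A non-empty "hits" list is the case that needs immediate action, since it means an archive the scanner guessed actually exists and was served.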