Fake IT bods on Microsoft Teams coax workers into installing malware
- Threat actors are impersonating corporate IT support over Microsoft Teams voice calls to persuade employees into handing over remote control of their machines, according to research from Palo Alto Networks’ Unit 42.
- The campaign begins with a phishing email disguised as an employee survey, followed by a Teams call from an attacker posing as IT. During the call, the target is talked into installing a legitimate remote administration tool such as HopToDesk or AnyDesk, which the attacker then uses to control the victim’s desktop directly.
- Once remote access is established, an MSI package is delivered that installs EtherRAT, a Node.js based RAT capable of running commands, stealing data, and maintaining persistence across Windows, Linux, and macOS. Rather than relying on a fixed server, EtherRAT retrieves its C2 address from an Ethereum smart contract.
- Because the attacker’s account originates outside the organization, Teams logs the session as an external, unfamiliar contact rather than a trusted internal source. Defenders can also look for files beginning with “CtrlVirtualCursorWin_”, which Teams generate during remote control sessions, and which serve as a forensic indicator that a session was actively driven by someone other than the device owner.
- Additional information: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-06-28-Fake-IT-support-abuses-Teams-to-deliver-EtherRAT.txt
Phishing poses as big-brand job interview to steal Google accounts
Article Link: https://www.bleepingcomputer.com/news/security/phishing-poses-as-big-brand-job-interview-to-steal-google-accounts/
- Researchers with Team Cymru discovered an active, five-month phishing campaign impersonating over thirty major global brands, including Netflix, Coca-Cola, and OpenAI, to target enterprise marketing professionals with highly convincing job interview invitations.
- The operation explicitly abuses the legitimate cloud-based PeopleForce human resources platform and infrastructure associated with the Salesforce Marketing Cloud service, routing targeted marketing candidates through trusted systems straight to malicious landing pages.
- Once there, the landing pages deploy a sophisticated browser-in-the-browser (BitB) technique, rendering an identical HTML and CSS clone of a Google single sign-on popup to harvest user credentials while evading standard corporate visual inspection.
- By weaponizing lookalike portals and the identities of real talent acquisition staff, this campaign exploits the natural urgency of an active job search to successfully harvest valid Google credentials from unsuspected marketing professionals.
- A list of domains discovered: https://gist.github.com/BushidoUK/57c38d5ee75481fb237e968a537de778
Meta’s New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images
Article Link: https://thehackernews.com/2026/07/metas-new-ai-image-tool-lets-others-use.html
- UPDATE: Meta has abruptly removed Muse Image from Instagram due to the public backlash regarding privacy concerns.
- Meta has announced that its new artificial intelligence (AI) model Muse Image lets people use public Instagram posts and reels to generate AI content, and it’s enabled by default.
- Users can tag public Instagram accounts with the Meta AI app to create new posts that can reuse part or all the published photos or videos. Allowing people to create new content by using public Instagram accounts.
- If a minor has a public account, a stranger cannot type their username into the Meta AI app to scrape their photos. Only people who actively follow that minor are allowed to use the AI tool to remix or reuse their images, but it only works if the minor has left the “allow reuse” setting turned on.
- Additional Information: https://about.fb.com/news/2026/07/introducing-muse-image-meta-ai/
AI Coding Tools Tricked into Hacking Developer Machine via Decades-Old Technique
Article Link: https://www.securityweek.com/ai-coding-tools-tricked-into-hacking-developer-machine-via-decades-old-technique/
- Wiz researchers disclosed a technique called GhostApproval that can trick AI coding agents such as Claude Code, Amazon Q Developer, and Cursor into executing unauthorized file writes outside a project’s intended workspace.
- The attack leverages symbolic link (symlink) following, where a program resolves to the actual target of a symbolic link rather than the link’s visible name, allowing a link inside the workspace to secretly point to a file outside it.
- Many of these tools rely on a confirmation prompt to prevent this kind of attack, requiring the developer to approve a file change before it happens. The flaw is that the prompt displays the harmless filename the developer expects, not the actual system file the symlink secretly points to. The developer approves what looks like a routine edit, but the tool writes to a completely different, attacker-chosen location instead. This safeguard depends on a Human in the Loop. Here, that person is being shown false information, so their approval no longer reflects what is happening on the system.
- Vendor responses have been inconsistent. AWS, Google, and Cursor confirmed the issue and shipped patches, Anthropic disputes the vulnerability classification but had mitigations already in place, and Augment and Windsurf have acknowledged the report without releasing fixes.
- Addition information: https://www.wiz.io/blog/ghostapproval-a-trust-boundary-gap-in-ai-coding-assistants
Ransomware Negotiator Gets 70 Months in Prison for Aiding BlackCat Attacks
Article Link: https://www.justice.gov/opa/pr/florida-ransomware-negotiator-who-extorted-and-attacked-multiple-us-victims-sentenced-prison
- A former ransomware negotiator, Angelo Martino, was sentenced to 70 months in prison for conspiring with BlackCat ransomware operators while representing victims during active extortion negotiations.
- Martino worked as a hired negotiator for five different ransomware victims. While representing their interests, he secretly passed confidential negotiation details, including insurance policy limits and internal bargaining positions, to the BlackCat operators, allowing them to increase the ransom amounts demanded.
- Martino also collaborated with Ryan Goldberg, an incident response manager at Sygnia, and Kevin Martin, a fellow negotiator at DigitalMint, to directly deploy BlackCat ransomware against additional victims between April and November 2023. Both men were sentenced to four years each in May 2026.
Sysdig clocks first documented case of agentic ransomware
Article Link: https://cyberscoop.com/sysdig-judepuffer-ai-agentic-ransomware-attack/
- Sysdig researchers documented the first known case of a fully agentic ransomware attack, where an AI agent independently ran reconnaissance, credential theft, lateral movement, persistence, encryption, and delivery of the ransom note across a single operation.
- The threat actor, JadePuffer, gained initial access by exploiting a known Langflow vulnerability, then directed the AI agent against a production server running MySQL and Alibaba Nacos. The agent went on to execute more than 600 distinct payloads without a human manually typing each step.
- What set this attack apart was the agent’s ability to adapt in real time. In one instance, it diagnosed a failed payload, rewrote its approach from subprocess calls to direct library imports, and redeployed a corrected version within 31 seconds.
- A person still directed the operation, choosing the victim, standing up the C2 infrastructure, and supplying stolen credentials obtained through a prior compromise. The agent’s role was to execute the technical steps of the attack, while reducing the skill floor required for running ransomware operations.
- Additional information: https://www.sysdig.com/blog/jadepuffer-agentic-ransomware-for-automated-database-extortion
