ThreatInsight
@threatinsight.proofpoint.com
Proofpoint's insights on targeted attacks and the cybersecurity threat landscape.
Proofpoint researchers say with high confidence that cybercriminals are working with organized crime groups to commit physical cargo theft. 🚚
@bloomberg.com spoke with our #ecrime experts who warned, "It is a full-scale supply chain threat."
Read the article: www.bloomberg.com/news/article....
Hackers and Crime Rings Are Teaming Up to Steal Cargo, Cyber Firm Says
Hackers are infiltrating trucking and freight companies in a scheme to steal and sell cargo shipments, a growing campaign that could end up costing companies and consumers billions of dollars, accordi...
www.bloomberg.com
November 11, 2025 at 12:07 AM
New research from @ThreatInsight 🚨 Deviations in typical activities by known Iranian-linked threat actors have resulted in Proofpoint threat researchers naming a new temporary threat actor cluster, UNK_SmudgedSerpent.
Blog: www.proofpoint.com/us/blog/thre...
November 6, 2025 at 5:05 PM
From Old West train robbers 🚂 to 1960s mobsters 💰, #cargotheft is an age-old problem.
Today, cargo theft is commonly conducted digitally by hacking the #supplychain to exploit gaps and steal #freight remotely.
🧵⤵️
November 3, 2025 at 1:45 PM
Proofpoint threat researchers have designed an open-source tool—named PDF Object Hashing—to track and detect the unique characteristics of PDFs used by threat actors... similar to a digital fingerprint.
We use this tool internally to help track multiple threat actors with high confidence.
October 23, 2025 at 6:05 PM
With the goal of better understanding cloud account takeover (#ATO) attacks, we developed a tool that automates the creation of malicious internal apps within a #compromised #cloud environment.
Here, we detail our findings and security implications. ⤵️ brnw.ch/21wWOgL
Beyond credentials: weaponizing OAuth applications for persistent cloud access | Proofpoint US
Key takeaways OAuth applications can be used to gain persistent access within compromised environments. OAuth applications maintain their authorized access even if user
brnw.ch
October 21, 2025 at 5:51 PM
Since 14 October, we’ve tracked a high-volume XWorm campaign targeting Germany. The activity is attributed to TA584, a sophisticated #cybercrime group tracked since 2020.
Messages are sent from hundreds of compromised sender accounts impersonating ELSTER and contain malicious URLs.
October 20, 2025 at 9:31 PM
TA585 is the identifier of the most recent threat actor named by Proofpoint.
The sophisticated cybercriminal, notably, appears to own its entire attack chain with multiple delivery techniques.
Learn about TA585 and one of its favored payloads, MonsterV2: brnw.ch/21wWAAU.
When the monster bytes: tracking TA585 and its arsenal | Proofpoint US
Key findings TA585 is a sophisticated cybercriminal threat actor recently named by Proofpoint. It operates its entire attack chain from infrastructure to email delivery to malware
brnw.ch
October 13, 2025 at 8:35 PM
Researchers at Proofpoint have uncovered a recent brute force campaign, tracked as UNK_CustomCloak, targeting the first-party app, Windows Live Custom Domains.
Activity was observed from September 20-30th, affecting nearly half a million users in over 4,000 tenants.
October 10, 2025 at 3:40 PM
Proofpoint threat researchers have published new research identifying a new cyber-espionage campaign by #TA415 (#APT41), a China-aligned threat actor, exploiting growing uncertainty in U.S.-China economic relations.
Blog: www.proofpoint.com/us/blog/thre....
Going Underground: China-aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels | Proofpoint US
What happened Throughout July and August 2025, TA415 conducted spearphishing campaigns targeting United States government, think tank, and academic organizations utilizing U.S.-China
www.proofpoint.com
September 18, 2025 at 5:11 PM
Threat actors continue to abuse GitHub to deliver malware, this time: #LummaStealer. We identified GitHub notification emails that kick off the attack chain. Messages are sent when the threat actor, using an actor-controlled account, comments on existing GitHub issues. 🧵
September 3, 2025 at 6:23 PM
Threat actors are exploiting #Microsoft365 Direct Send to make their phishing campaigns appear to originate from inside an organization.
On this episode of DISCARDED, you'll hear why legacy features like Direct Send are a prime target for cybercriminals.
Stream now on our website: brnw.ch/21wVja5
August 29, 2025 at 8:09 PM
Something #spicy is coming to the next Only Malware in the Building podcast—dropping September 2. 🌶️
Bookmark the show page and reserve your seat at the table 🪑 alongside Selena Larson, Dave Bittner and Keith Mularski.
🔥 You won't want to miss it! thecyberwire.com/podcasts/onl...
#podcast #hotones
August 21, 2025 at 7:15 PM
You asked, we answered. AI tools are significantly lowering the barrier to entry for cybercriminals.
We have observed threat actor campaigns leveraging the AI-generated website builder Lovable to create and host cred phishing, malware, and fraud websites.
Learn more in our blog: brnw.ch/21wV3Zo
August 20, 2025 at 3:40 PM
Proofpoint identified a unique attack chain leveraging GitHub notifications to deliver #Rhadamanthys.
We first spotted this post by ANY.RUN about ClickFix delivering Rhadamanthys and began investigating. infosec.exchange/@anyrun_app/...
ANY.RUN (@anyrun_app@infosec.exchange)
#IOCs:
SHA256:
560afd97f03f2ed11bf0087d551ae45f2046d6d52f0fa3d7c1df882981e8b346
8b079bae684fd287c605de8acae338401a76a412c6a802faf2cf6e9ec0cf6224
0ba3b2871e0ad3b4fba615ea76e2d5f7cefa80e87468c6dcfc9b4...
infosec.exchange
August 18, 2025 at 6:31 PM
Threat researchers from Proofpoint have found a way to sidestep FIDO-based #authentication, a discovery that could expose targets to credential phishing attacks, account takeover (#ATO), and adversary-in-the-middle (AiTM) threats.
#FIDO #MFA
All the details in our blog: brnw.ch/21wURuW.
Don’t Phish-let Me Down: FIDO Authentication Downgrade | Proofpoint US
Key takeaways FIDO-based passkeys remain a highly recommended authentication method to protect against prevalent credential phishing and account takeover (ATO) threats.
brnw.ch
August 12, 2025 at 7:00 PM
In a new technical blog, Proofpoint threat researchers detailed their observations of threat actors impersonating well-known enterprises with fake #Microsoft #OAuth applications that redirect to malicious URLs, enabling credential phishing. brnw.ch/21wUA69
Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing | Proofpoint US
Key findings Threat actors are impersonating various enterprises with fake Microsoft OAuth applications to steal credentials. These campaigns bypass multifactor authentication
brnw.ch
July 31, 2025 at 11:44 PM
Each threat actor has its own tactics, techniques, and procedures (TTPs).
On this DISCARDED episode, we discuss the chaotic brilliance of mid-tier eCrime actors, why shared commodity tooling can make attribution difficult, why TA582 is so interesting, and much more.
Stream here 👉 brnw.ch/21wUw3L
July 29, 2025 at 6:46 PM
🚨 Job seekers, watch out! 🚨
Proofpoint found threat actors targeting job seekers to distribute remote management tools that can lead to data or financial theft, or potentially to install follow-on malware like ransomware.
July 24, 2025 at 3:41 PM
Threat researchers at Proofpoint released new details on a widespread Request for Quote (RFQ) scam that involves leveraging common Net financing options to steal a variety of high-value electronics and goods.
Blog: brnw.ch/21wUkQ8
#shipment #RFQ #finance #scam
NET RFQ: Request for Quote Scammers Casting Wide Net to Steal Real Goods | Proofpoint US
Key findings Request for Quote scammers are using vendor supplied financing to steal physical goods. They utilize email and legitimate online quote request forms to reach
brnw.ch
July 22, 2025 at 3:06 PM
NEW ‼️ Researchers at @Proofpoint revealed an increase in China-aligned cyber #espionage targeting Taiwan’s #semiconductor industry—a sector critical to the global tech #supplychain.
At least 3️⃣ distinct China-aligned threat actors are behind the efforts. brnw.ch/21wUctY
July 16, 2025 at 9:09 PM
Confirm before you click! 🖱️
Learn about an interesting phishing campaign involving the “unsubscribe” link often included in marketing emails. 🔍 ⤵️
July 1, 2025 at 4:30 PM
#Espionage 🤝 #Cybercrime
TA829 🤝 UNK_GreenSec
Proofpoint researchers published new insights on an intriguing overlap between 2 threat actor clusters—TA829 and UNK_GreenSec—in a campaign that blurs the lines between espionage and cybercriminal activity. brnw.ch/21wTN5x
10 Things I Hate About Attribution: RomCom vs. TransferLoader | Proofpoint US
Threat Research would like to acknowledge and thank the Paranoids, Spur, and Pim Trouerbach for their collaboration to identify, track, and disrupt this activity. Key takeaways
brnw.ch
June 30, 2025 at 4:16 PM
In a new blog, Proofpoint threat research engineers disclosed their detailed discovery of Amatera Stealer, a newly rebranded and upgraded malware-as-a-service (MaaS) version of the ACR Stealer.
Read the blog: brnw.ch/21wTvpI.
#securityengineering #detectionengineering #securitycontrols
Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication | Proofpoint US
Key takeaways Proofpoint identified a new, rebranded stealer based on ACR Stealer called Amatera Stealer. It is delivered via web injects featuring sophisticated attack
brnw.ch
June 18, 2025 at 4:33 PM
New ecrime insights:
TA4557, known for distributing More_eggs malware, notably expanded to an international audience in recent campaigns.
Per our data, the recruiter-focused TA was seen targeting orgs in France, England & Ireland, in addition to typical North America-targeted threats.
June 16, 2025 at 3:09 PM
Researchers at Proofpoint expose threat actors’ attempt to hijack thousands of Entra ID user accounts across almost 100 cloud tenants by leveraging TeamFiltration, a red teaming framework used by network defenders. brnw.ch/21wTk3G
Attackers Unleash TeamFiltration: Account Takeover Campaign (UNK_SneakyStrike) Leverages Popular Pentesting Tool | Proofpoint US
Key takeaways Proofpoint threat researchers have recently uncovered an active account takeover (ATO) campaign, tracked as UNK_SneakyStrike, using the TeamFiltration pentesting
brnw.ch
June 11, 2025 at 3:39 PM