ThreatInsight
threatinsight.proofpoint.com
@threatinsight.proofpoint.com
Proofpoint's insights on targeted attacks and the cybersecurity threat landscape.
Read our blog to see examples of UNK_SmudgedSerpent’s infection chain and infrastructure. This activity is a prime example of how cyber espionage is evolving, blurring boundaries between digital intelligence, human targeting, and state coordination.
November 6, 2025 at 5:07 PM
UNK_SmudgedSerpent has impersonated prominent U.S. foreign policy figures in phishing attempts designed to compromise analysts studying Iran’s domestic politics and IRGC.

The targeting of Iran foreign policy experts reflects the Iranian government's intel collection priorities.
November 6, 2025 at 5:06 PM
From June-Aug 2025, we observed multiple overlaps in its tactics, techniques and procedures (TTPs) with Iran’s TA453, TA450, and TA455.

The hybrid style tradecraft—mixing social engineering, Microsoft 365 credential theft, and RMM software—is rarely used by state-aligned groups.
November 6, 2025 at 5:06 PM
Proofpoint would like to thank our colleagues at ConnectWise ScreenConnect, RedCanary, and the DFIR Report for collaborating on information sharing related to this activity.
November 3, 2025 at 1:45 PM
Organizations should be aware of the cyber-enabled tactics and payloads used by cargo theft criminals and implement cybersecurity measures to prevent successful exploitation.

Our blog has recommendations, Emerging Threat Labs signatures, and IOCs for reference.
November 3, 2025 at 1:45 PM
We've tracked nearly two dozen campaigns since Aug 2025 targeting U.S. trucking/logistics firms. This activity is massively impacting supply chains, exploiting logistics technology that underpins U.S. commerce.

While the activity we detail in our report focuses on North America, it’s a global problem.
November 3, 2025 at 1:45 PM
Hackers compromise trucking/transport companies, then post fake "loads" for truckers & brokers to claim.
⬇️
Once the trucker replies, they infect them with malicious RMMs to overtake their company. They then try to bid on real loads to intercept and pick them up.
⬇️
The stolen physical goods are sold.
November 3, 2025 at 1:45 PM
We deep dive into the cyber-enabled tactics and payloads used by cargo theft criminals, and recommend cybersecurity measures to prevent successful exploitation.

Here’s how it works:
November 3, 2025 at 1:45 PM
In a revealing blog, we detail the #digitaltransformation of cargo theft: a criminal enterprise that leads to $34 billion in annual losses.

Threat actors are combining #socialengineering w/ transportation industry knowledge to steal real physical goods. brnw.ch/21wX9UA
Remote access, real cargo: cybercriminals targeting trucking and logistics | Proofpoint US
Key findings  Cybercriminals are compromising trucking and freight companies in elaborate attack chains to steal cargo freight.  Cargo theft is a multi-million-dollar criminal
November 3, 2025 at 1:45 PM
The tool has been released in the Proofpoint Emerging Threats public #GitHub for other defenders to leverage.

Learn more about it here: brnw.ch/21wWSH0

#PDF #threatdetection #cyberthreat
Proofpoint releases innovative detections for threat hunting: PDF Object Hashing | Proofpoint US
Key findings Proofpoint created a new open-source tool for creating threat detection rules based on unique characteristics in PDFs called “PDF Object Hashing”.  This technique can
October 23, 2025 at 6:05 PM
Remediation recommendations are included at the end of our blog.

🚩 Upon discovery of a suspected malicious application in the environment, we suggest immediately invalidating all client secrets and removing all existing certificates.
October 21, 2025 at 5:51 PM
Our proof-of-concept shows how easily a threat actor can register an internal app, assign broad permissions like Mail.Read or offline_access, and harvest tokens for continuous access. Even if credentials change, the malicious app remains authorized and active.
October 21, 2025 at 5:51 PM
Internal, tenant-registered (“second-party”) apps are especially dangerous. Unlike external apps, they inherit implicit trust within the organization. Once compromised, these apps can be used to blend in, evade detection, and retain access for days, or longer.
October 21, 2025 at 5:51 PM
⚠️ Attackers are moving beyond credentials.

Our blog shows they’re increasingly weaponizing #OAuth applications to maintain persistent access in the cloud—even after #passwords are reset or #MFA is enforced.

This persistence poses a growing risk to modern enterprises.
October 21, 2025 at 5:51 PM
Proofpoint assesses TA584 is an initial access provider whose compromises can lead to #ransomware.

Historically, this actor focused on North America and the UK. TA584 expanded its targeting to include European entities including Germany since 1 July 2025.
October 20, 2025 at 9:31 PM
Click Payload: hxxp://94[.]159[.]113[.]37/ssd.png | b6956f45bd3c7b3009a31f0caf087d0686e60ee96978766a9f6477b8b093eace

XWorm C2: 85[.]208[.]84[.]208:4411

SharpHide Payload: 85[.]208[.]84[.]208/x.jpg
October 20, 2025 at 9:31 PM
Landing page: hxxps://www[.]eportal-npa[.]elster-de[.]quick-print[.]top/ePortal/ or hxxps://www[.]npa-eportal[.]digital-service[.]elster-de[.]status-drive[.]top/ePortal/
October 20, 2025 at 9:31 PM
Proofpoint tracks this variant of XWorm as “P0WER” because it uses this string as the AES key. This variant always uses SharpHide for persistence by setting up a hidden registry key that will execute another remote PowerShell script on each boot to run XWorm again.
October 20, 2025 at 9:31 PM
The user is redirected to a legitimate website if the ClickFix command is successful. This is done via a server-side check (most likely based on IP) and a response to a POST to https[:]//[InvolvedHostName][.]top/api/exe.
October 20, 2025 at 9:31 PM
If the ClickFix instructions are followed, it will execute a remote PowerShell script that disables AMSI, loads a memory-only .NET loader (included in the script) that injects an XWorm payload into RegSvcs.exe, clears the clipboard, and exits.
October 20, 2025 at 9:31 PM