During a recent investigation, we uncovered a phishing operation that combines free hosting on developer platforms with compromised legitimate websites to build convincing banking and insurance login portals.
These fake pages don’t just grab a username and password–they also ask for answers to secret questions and other “backup” data that attackers can use to bypass multi-factor authentication and account recovery protections. Instead of sending stolen data to a traditional command-and-control server, the kit forwards every submission to a Telegram bot.
Read more…
Source: Malwarebytes Labs
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Patch Tuesday – February 2026
February 11, 2026
Microsoft is publishing 55 vulnerabilities this February 2026 Patch Tuesday. Microsoft is aware of exploitation in the wild for six of today’s vulnerabilities, and notes public disclosure for three of those. Earlier in the month, All three of the publicly disclosed zero-day vulnerabilities published today are security feature bypasses, and Microsoft acknowledges the same cast of ...
- A Peek Into Muddled Libra’s Operational Playbook
February 10, 2026
During a September 2025 incident response investigation, Unit 42 discovered a rogue virtual machine (VM) which they believe with high confidence to be used by the cybercrime group Muddled Libra (aka Scattered Spider, UNC3944). The contents of this rogue VM and activity from the attack provide valuable insight into the operational playbook of this threat actor. ...
- SolarWinds Web Help Desk Exploitation – February 2026
February 10, 2026
Multiple intrusions have been publicly reported starting on February 6, 2026 stemming from Internet-connected servers utilizing SolarWinds Web Help Desk software. This exploitation activity reportedly first occurred in December 2025. Given the number of recent CVEs affecting this product, it’s not yet clear which of several CVEs is directly responsible for these campaigns. Below are ...
- Malaysia: Nacsa investigating alleged cyber-espionage targeting multiple government bodies
February 7, 2026
The National Cyber Security Agency (Nacsa) is currently investigating alleged incidents of cyber-espionage activity targeting various Malaysian government entities. In a statement to StarLifestyle, a Nacsa spokesperson said the agency is aware of a report published by Unit 42, the threat research unit of US-based cybersecurity firm Palo Alto Networks. The Nacsa spokesperson said the agency ...
- Approaching cyclone: Vortex Werewolf attacks Russia
February 6, 2026
In December 2025 and January 2026, BI.ZONE Threat Intelligence detected malicious activity by a new cluster Vortex Werewolf (SkyCloak). The attacks targeted Russian government and defense organizations. BI.ZONE researchers findings indicate that the adversary used phishing emails to deliver malware to the target systems. Victims received messages containing a download link disguised as a Telegram file‑sharing ...
- China’s Salt Typhoon hackers broke into Norwegian companies
February 6, 2026
The Norwegian government has accused the Chinese-backed hacking group known as Salt Typhoon of breaking into several organizations in the country. In a report published on Friday, the Norwegian Police Security Service said the hacking group, believed to be working for the Chinese government, targeted vulnerable network devices to conduct espionage. Norway is the latest country ...