FortiGuard Labs recently observed several targeted phishing campaigns in Taiwan that use themes designed to exploit local business processes. These campaigns disseminate Winos 4.0 (ValleyRat) and subsequent malicious plugins through weaponized attachments or embedded links.
The lures mimic official communications, such as tax audit notifications, tax filing software installers, and cloud-based e-invoice downloads. Fortinet researchers analysis of domain registration data reveals that attackers use a rotating set of domains and cloud services to host and distribute malware. The highly volatile nature of this infrastructure renders traditional, static domain blocking insufficient as a primary defense. Over the past two months, the researchers have identified various delivery techniques, including malicious LNK files used for a downloader.
Read more…
Source: Fortinet
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- SonicWall customers told to reset credentials following firewall data breach
September 19, 2025
SonicWall is urging its firewall customers to reset their passwords after confirming it suffering a security incident which may have exposed their data. In a security announcement, SonicWall outlined how unnamed threat actors brute-forced their way into the company’s MySonicWall cloud service. This tool allows SonicWall firewall users (typically businesses and IT teams) to back up ...
- Disrupted phishing service was after Microsoft 365 credentials
September 18, 2025
Microsoft and Cloudflare have disrupted a Phishing-as-a-Service operation, known as RaccoonO365. The primary goal of RaccoonO365 (or Storm-2246 as Microsoft calls it) was to rent out a phishing toolkit that specialized in stealing Microsoft 365 credentials. They were successful in at least 5,000 cases, spanning 94 countries since July 2024. The operation provided the cybercriminals’ customers ...
- Node Package Manager Supply Chain Attack
September 18, 2025
On September 15, the Node Package Manager (NPM) repository experienced an ongoing supply chain attack, in which the attackers executed a highly targeted phishing campaign to compromise the account of an NPM package maintainer. With privileged access, the attackers injected malicious code into widely used JavaScript packages, threatening the entire software ecosystem. Notably, the attack has ...
- UK: Two teenagers charged over Transport for London cyber attack
September 18, 2025
Two teenagers have been charged in connection with a massive cyber attack which caused Transport for London (TfL) months of disruption. The National Crime Agency (NCA) says it believes the hack – which began on 31 August last year – was carried out by members of the cyber-criminal group, Scattered Spider. Thalha Jubair, 19, from east ...
- Google Releases Security Update for Chrome
September 18, 2025
Google has released version 140.0.7339.185/.186 for Chrome for Windows and Mac and 140.0.7339.185 for Chrome for Linux, which will roll out over the coming days/weeks. The updates address four high severity vulnerabilities, including CVE-2025-10585, which has an exploit in the wild. CVE-2025-10585 – Type Confusion in V8 – High severity CVE-2025-10500 – Use after free in Dawn ...
- “Shai-Hulud” Worm Compromises npm Ecosystem in Supply Chain Attack
September 17, 2025
Palo Alto Networks Unit 42 is investigating an active and widespread software supply chain attack targeting the Node Package Manager (npm) ecosystem. A novel, self-replicating worm, which is currently being tracked as “Shai-Hulud,” is responsible for the compromise of over 180 software packages. This attack represents a significant evolution in supply chain threats, leveraging automated propagation ...