IT NEWS

This blog is part of a series highlighting new and concerning trends we noticed over the last year. Trends matter because they almost always provide a good indication of what’s coming next.

If there’s one thing that became very clear in 2025, it’s that malware is no longer focused on Windows alone. We’ve seen some major developments, especially in campaigns targeting Android and macOS. Unfortunately, many people still don’t realize that protecting smartphones, tablets, and other connected devices is just as essential as securing their laptops.

Android

Banking Trojans on Android are not new, but their level of sophistication continues to rise. These threats continue to be a major problem in 2025, often disguising themselves as fake apps to steal credentials or stealthily take over devices. A recent wave of advanced banking Trojans, such as Herodotus, can mimic human typing behaviors to evade detection, highlighting just how refined these attacks have become. Android malware also includes adware that aggressively pushes intrusive ads through free apps, degrading both the user experience and overall security.

Several Trojans were found to use overlays, which are fake login screens appearing on top of real banking and cryptocurrency apps. They can read what’s on the screen, so when someone enters their username and password, the malware steals them.

macOS

One of the most notable developments for Mac users was the expansion of the notorious ClickFix campaign to macOS. Early in 2025, I described how criminals used fake CAPTCHA sites and a clipboard hijacker to provide instructions that led visitors ro infect their own machines with the Lumma infostealer.

ClickFix is the name researchers have since given to this type of campaign, where users are tricked into running malicious commands themselves. On macOS, this technique is being used to distribute both AMOS stealers and the Rhadamanthys infostealer.

Cross-platform

Malware developers increasingly use cross-platform languages such as Rust and Go to create malware that can run on Windows, macOS, Linux, mobile, and even Internet of Things (IoT) devices. This enables flexible targeting and expands the number of potential victims. Malware-as-a-Service (MaaS) models are on the rise, offering these tools for rent or purchase on underground markets, further professionalizing malware development and distribution.

Social engineering

iPhone users have been found to be more prone to scams and less conscious about mobile security than Android owners. That brings us to the first line of defense, which has nothing to do with the device or operating system you use: education.

Social engineering exploits human behavior, and knowing what to look out for makes you far less likely to fall for a scam.

Fake apps that turn out to be malware, malicious apps in the Play Store, sextortion, and costly romance scams all prey on basic human emotions. They either go straight for the money or deliver Trojan droppers as the first step toward infecting a device.

We’ve also seen consistent growth in Remote Access Trojan (RAT) activity, often used as an initial infection method. There’s also been a rise in finance-focused attacks, including cryptocurrency and banking-related targets, alongside widespread stealer malware driving data breaches.

What does this mean for 2026?

Taken together, these trends point to a clear shift. Cybercriminals are increasingly focusing on operating systems beyond Windows, combining advanced techniques and social engineering tailored specifically to mobile and macOS.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Last week on Malwarebytes Labs:

• Pornhub tells users to expect sextortion emails after data exposure
• Hacktivists claim near-total Spotify music scrape

Stay safe!

We don’t just report on threats—we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

Hacktivist group Anna’s Archive claims to have scraped almost all of Spotify’s catalog and is now seeding it via BitTorrent, effectively turning a streaming platform into a roughly 300 TB pirate “preservation archive.”

On its blog, the group states:

“A while ago, we discovered a way to scrape Spotify at scale. We saw a role for us here to build a music archive primarily aimed at preservation.”

Spotify insists that the hacktivists obtained no user data. Still, the incident highlights how large‑scale scraping, digital rights management (DRM) circumvention, and weak abuse controls can turn major content platforms into high‑value targets.

Anna’s Archive claims it obtained metadata for around 256 million tracks and audio files for roughly 86 million songs, totaling close to 300 TB. Reportedly, this represents about 99.9% of Spotify’s catalog and roughly 99.6% of all streams.

Spotify says it has “identified and disabled the nefarious user accounts that engaged in unlawful scraping” and implemented new safeguards.

From a security perspective, this incident is a textbook example of how scraping can escalate beyond “just metadata” into industrial‑scale content theft. By combining public APIs, token abuse, rate‑limit evasion, and DRM bypass techniques, attackers can extract protected content at scale. If you can create or compromise enough accounts and make them appear legitimate, you can chip away at content protections over time.

The “Spotify scrape” will likely be framed as a copyright story. But from a security angle, it serves as a reminder: if a platform exposes content or metadata at scale, someone will eventually automate access to it, weaponize it, and redistribute it.

And hiding behind violations of terms and conditions—which have never stopped criminals—is not effective security control.

How does this affect you?

There is currently no indication that passwords, payment details, or private playlists were exposed. This incident is purely about content and metadata, not user databases. That said, scammers may still claim otherwise. Be cautious of messages alleging your account data was compromised and asking for your login details.

Some general Spotify security tips, to be on the safe side:

• If you have reused your Spotify password elsewhere or shared your credentials, consider changing your password for peace of mind.
• Regularly review active sessions on streaming services and revoke anything you do not recognize. Spotify does not offer per-device session management, but you can sign out of all devices via Account > Settings and privacy on the Spotify website.
• Avoid unofficial downloaders, converters, or “Spotify mods” that ask for your login or broad OAuth permissions. These tools often rely on the same kind of scraping infrastructure—or worse, function as credential-stealing malware.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

After a recent data breach that affected Pornhub Premium members, Pornhub has updated its online statement to warn users about potential direct contact from cybercriminals.

“We are aware that the individuals responsible for this incident have threatened to contact impacted Pornhub Premium users directly. You may therefore receive emails claiming they have your personal information. As a reminder, we will never ask for your password or payment information by email.”

Pornhub is one of the world’s most visited adult video-sharing websites, allowing users to view content anonymously or create accounts to upload and interact with videos.

Pornhub has reported that on November 8, 2025, a security breach at third-party analytics provider Mixpanel exposed “a limited set of analytics events for certain users.” Pornhub stressed that this was not a breach of Pornhub’s own systems, and said that passwords, payment details, and financial information were not exposed.

Mixpanel confirmed it experienced a security incident on November 8, 2025, but disputes that the Pornhub data originated from that breach. The company stated there is:

 “No indication that this data was stolen from Mixpanel during our November 2025 security incident or otherwise.”

Regardless of the source, cybercriminals commonly attempt to monetize stolen user data through direct extortion. At the moment, it is unclear how many users are affected, although available information suggests that only Premium members had their data exposed.

In October, we reported that one in six mobile users are targeted by sextortion scams. Sextortion is a form of online blackmail where criminals threaten to share a person’s private, nude, or sexually explicit images or videos unless the victim complies with their demands—often for more sexual content, sexual favors, or money.

Having your email address included in a dataset of known Pornhub users makes you a likely target for this type of blackmail.

How to stay safe from sextortion

Unless you used a dedicated throwaway email address to sign up for Pornhub Premium, you should be prepared to receive a sextortion-type email. If one arrives:

• Any message referencing your Pornhub use, searches, or payment should be treated as an attempt to exploit breached or previously leaked data.
• Never provide passwords or payment information by email. Pornhub has stated it will not ask for these.
• Do not respond to blackmail emails. Ignore demands, do not pay, and do not reply—responding confirms your address is actively monitored.
• Save extortion emails, including headers, content, timestamps, and attachments, but do not open links or files. This information can support reports to your email provider, local law enforcement, or cybercrime units.
• Change your Pornhub password (if your account is still active) and ensure it’s unique and not reused anywhere else.
• Turn on multi-factor authentication (MFA) for your primary email account and any accounts that could be used for account recovery or identity verification.
• Review your bank and card statements for unfamiliar charges and report any suspicious transactions at once.
• If you used a real-name email address for Pornhub, consider moving sensitive subscriptions to a separate, pseudonymous email going forward.

Use STOP, our simple scam response framework to help protect against scams. 

• S—Slow down: Don’t let urgency or pressure push you into action. Take a breath before responding. Legitimate businesses like your bank or credit card don’t push immediate action.  
• T—Test them: If you answered the phone and are feeling panicked about the situation, likely involving a family member or friend, ask a question only the real person would know—something that can’t be found online. 
• O—Opt out: If it feels off, hang up or end the conversation. You can always say the connection dropped. 
• P—Prove it: Confirm the person is who they say they are by reaching out yourself through a trusted number, website or method you have used before. 

Should you have doubts about the legitimacy of any communications, submit them to Malwarebytes Scam Guard. It will help you determine whether it’s a scam and provide advice on how to act.

We don’t just report on threats—we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

Last week on Malwarebytes Labs:

• CISA warns ASUS Live Update backdoor is still exploitable, seven years on
• The ghosts of WhatsApp: How GhostPairing hijacks accounts
• Chrome extension slurps up AI chats after users installed it for privacy
• Two Chrome flaws could be triggered by simply browsing the web: Update now
• Inside a purchase order PDF phishing campaign
• SoundCloud, Pornhub, and 700Credit all reported data breaches, but the similarities end there
• Android mobile adware surges in second half of 2025
• Photo booth flaw exposes people’s private pictures online
• Google is discontinuing its dark web report: why it matters
• Pig butchering is the next “humanitarian global crisis” (Lock and Code S06E25)
• PayPal closes loophole that let scammers send real emails with fake purchase notices

On the ThreatDown blog:

• AI-orchestrated cyberattacks

Stay safe!

We don’t just report on threats—we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

Recently, the Cybersecurity and Infrastructure Security Agency (CISA) added (along with two others) a vulnerability in ASUS Live Update to its catalog of Known Exploited Vulnerabilities (KEV).

The KEV catalog lists vulnerabilities that are known to be exploited in the wild and sets patch deadlines for Federal Civilian Executive Branch (FCEB) agencies. When CISA adds an issue to this list, it’s a strong signal that exploitation is real, ongoing, and urgent.

The ASUS Live Update Embedded Malicious Code vulnerability, tracked as CVE-2025-59374 (with a CVSS score of 9.3), affects Live Update, a utility commonly used to deliver firmware and software updates to ASUS devices.

This isn’t the first time ASUS Live Update has been linked to serious security incidents. In 2019, ASUS responded to media reports about attacks on the Live Update tool by advanced persistent threat (APT) groups, stating that:

“A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group.”

Later investigations revealed that a sophisticated supply chain attack mounted in 2018, attributed to Chinese state-sponsored attackers, had inserted a backdoor into ASUS Live Update. The attack was particularly effective because that utility came preinstalled on most ASUS devices and was used to the automatically update BIOS, UEFI, drivers, and other components.

CISA now notes that the affected devices could be abused to perform unintended actions if certain conditions are met. Originally, the attackers reportedly targeted only around 600 specific devices, based on hashed MAC addresses hardcoded in various versions of the tool. This was despite the fact that millions of users may have downloaded the backdoored utility.

Support for the ASUS Live Update application has since been discontinued. The final intended version of ASUS Live Update was 3.6.15, but it will continue to provide software updates. This is likely why a CVE was assigned and why the vulnerability was added to the KEV catalog. There was no official “why now” statement from ASUS, MITRE, or CISA, but the timing aligns with a legacy, end-of-support product being reclassified as a vulnerability with confirmed active exploitation.

What do ASUS users need to do?

First of all, make sure you’re running a clean version of the utility. ASUS urges users to update to version 3.6.8 or later to address known security issues.

• Right-click the ASUS Live Update icon at the bottom-right corner of your Windows screen
• Click About to see the version information as the shown in the picture below.
  
• If you are on an older version, open the program and click Check update immediately
• ASUS Live Update will automatically find the latest driver and utility.
• Click Install
• After updating, recheck and ensure it shows “No updates.”

Alternatively, you can download and install the latest version manually. ASUS’ own support article describes the only official way to get the current Live Update package:​

1. Go to the ASUS Official Website (asus.com)
2. Use the search box to find your exact model (e.g., UX580GD)
3. Open the product page and click Support → Driver & Tools
4. Select your operating system (e.g., Windows 10/11 64-bit).​
5. In the Utilities section, locate ASUS Live Update and click Download

This is as close as we could get you to a “direct” official download. The URL is different for every model and ASUS does not provide a central Live Update installer directory. While this makes it harder than it maybe should be, we do recommend using this official download. Given the history of supply chain abuse involving this tool, downloading it from third-party sources is a risk not worth taking.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Researchers have found an active campaign aimed at taking over WhatsApp accounts. They’ve called this attack GhostPairing because it tricks the victim into completing WhatsApp’s own device-pairing flow, silently adding the attacker’s browser as an invisible linked device on the account.

Ghost of WhatsApp Past: When it was just you

Device pairing lets WhatsApp users add additional devices to their account so they can read and reply to messages from a laptop or through WhatsApp Web.

Compared to similar platforms, WhatsApp’s main strengths are its strong end-to-end encryption and seamless cross-platform use. But cybercriminals have found a way to abuse that cross-platform use to bypass the encryption.

In the Ghost of WhatsApp Past, everything looks normal. It’s just you and the devices you meant to connect. The same mechanism that makes life easier later gets abused to let in an uninvited guest. And that renders the end-to-end encryption useless when the attacker gains direct access to the account.

Ghost of WhatsApp Present: The “I found your photo” moment

So, all is well. Until the target receives a message along the lines of “Hey, check this, I found your photo!” accompanied by a link.

The link, and the website it leads to, are designed to look like they belong to Facebook (which, like WhatsApp, is owned by Meta).

This fake login page provides instructions to log in with their phone number to continue or to verify before viewing the photo. The scammers then use the provided phone number to submit a WhatsApp “device pairing” request for it.

The researchers observed two variants of the attack. One that provides a QR code to scan with WhatsApp on your phone. The other sends a numeric code and tells the user to enter it into WhatsApp to confirm a login.

In the second scenario, the victim opens WhatsApp, sees the pairing prompt, types the code, and believes they are completing a routine verification step, when in fact they have just linked the attacker’s browser as a new device.

This is the attacker’s preferred approach. In the first, the browser-based QR-code occurs on the same device as the WhatsApp QR-code scan—QR codes normally expect a second device—and might give people the chance to think about what’s really going on.

Ghost of WhatsApp Future: When the ghost settles in

With the new access to your WhatsApp account, the criminals can:

• Read all your new and synced messages.
• Download photos, videos, and voice notes.
• Send the same “photo” lure to your contacts and spread the scam.
• Impersonate you in direct and group chats.
• Harvest messages, images, and other information to use in future scams, social engineering, and extortion.

And they can do much of this before the real account owner notices that something is wrong.

What Scrooge can learn from all this

It’s not the first time scammers have used tricks like these to take over accounts. Facebook has seen many waves of similar scams.

There are a few basic measures you can take to avoid falling for lures like these.

• Don’t follow unsolicited links sent to you, even if they’re from an account you trust. Verify with the sender that it’s safe. In some cases, you’ll be helpfully warning them their account is compromised.
• Enable Two‑Step Verification in WhatsApp. This adds a PIN that attackers cannot set or change, reducing the impact of other takeover techniques.
• Read prompts and notifications. Many of us have trained ourselves to click all the right buttons to get through the flow as quickly as possible without reading what they’re actually doing, but it’s a dangerous habit.

If you have fallen victim to this, here’s what to do.

• Tell your WhatsApp contacts that your account may have been abused and not to click any “photo” links or verification requests that might have come from you.
• Immediately revoke access: go to Settings → Linked Devices and log out of all browsers and desktops you do not explicitly use. When in doubt, remove everything and re‑link only the devices you own.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

This case highlights a growing grey area in consumer privacy: data collection that is technically disclosed, but so far outside user expectations that most people would never knowingly agree to it.

The next time you tell an AI chat assistant your deepest secrets, think twice; you never know who (or what) might be listening. More than seven million users of a VPN extension for Google Chrome and Microsoft Edge found that out the hard way this week after researchers at Koi Security revealed the browser extension had been logging users’ AI chats and sending them to a data broker.

Urban VPN Proxy looked like a reputable program. It sat in the Chrome Web Store with a 4.7-star rating and Google’s “Featured” badge, which is meant to indicate that an extension meets higher standards for user experience and design. More than six million people downloaded the Chrome version of the tool, which ironically claims to protect users’ online privacy. Another 1.3 million installed it on Microsoft Edge.

The extension was originally benign, but then on July 9, 2025 its publisher, Urban Cybersecurity, shipped version 5.5.0. According to Koi Security, that update introduced code that intercepted every conversation users had with eight AI assistant platforms: ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok (xAI), and Meta AI.

The extension intercepted chat prompts from the user’s browser, along with responses from the AI. It then reportedly packaged them up and sent them to Urban Cybersecurity’s parent company, BiScience (B.I Science (2009) Ltd). That is a data broker company, which collects browsing history and device IDs from millions of users.

As Koi Security points out in its report, Urban Cybersecurity does mention AI data collection in the consent screen that it shows during product setup. It says:

“…we process certain browsing data such as pages you visit, your network connection, ChatAI communication, and security signals, as outlined in our Privacy Policy.”

The privacy policy further explains what data it collects and says that it discloses the data for marketing analytics purposes.

There are two problems with that.

First, the extension silently auto-updates on Chrome and Microsoft Edge browsers, as Koi Security points out. That means users who installed an earlier, non-harvesting version installed would have been automatically upgraded to the chat-slurping version in July and been none the wiser—unless they happened to read updated privacy policies for fun.

fromSecond, the Chrome Web Store listing reportedly described the product as protecting people from entering personal information into AI chatbots. That claim is hard to square with the fact that the extension captures and exfiltrates AI chats regardless of whether its protection features are turned on, according to Koi.

The researchers also found that seven other extensions from the same publisher contained identical harvesting code, bringing the total number of affected users to more than eight million. Koi Security published a list of those extensions in its report.

Why data brokers love AI chat

With people inclined to tell AI sessions increasingly personal things, this secretive harvesting should worry us. Set aside for a minute those who confess to crimes, or those who pour out deeply private thoughts while using AI as a form of therapy. Many other chats are filled with things that feel more mundane but are still highly sensitive: job advice (people have shared full resumes with AI chats), medical symptoms, family planning questions, study materials, and legal queries.

Those conversations are often far more detailed and revealing than traditional search engine queries. If data brokers obtain them, they can mine the content for personal insights and link it with other data they already hold about you.

This episode reinforces two pieces of advice that we’ve given before. The first is to be careful which browser extensions you install, and which VPN services you use. Not all are what they seem.

Second, be careful what you tell AI assistants. Even if nothing is intercepting the conversation locally, the company operating the AI itself might be made to hand over chat data, as OpenAI was earlier this month.

Google’s “Featured” badge says extensions “follow our technical best practices and meet a high standard of user experience and design” but this seems to have been one that slipped through the next. As of last night, Urban Proxy VPN and Urban Cybersecurity’s other apps appeared to have been removed from the Chrome Web Store. The ones identified by Koi Security on the Microsoft Edge Add-ons store were still available, though.

If you used any of these extensions, were unaware of the situation and are unhappy about it, you should assume that any AI chats since July 9 this year may have been compromised. To remove extensions, you can do so in Chrome by visiting chrome://extensions and in Edge by visiting edge://extensions. You may also want to reset passwords and clear browser caches and cookies.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Google issued an extra patch addressing two security vulnerabilities in Chrome, both of which can be triggered remotely by an attacker when a user visits a specially crafted, malicious web page.

Chrome is by far the world’s most popular browser, with an estimated 3.4 billion users. That makes it a massive target. When Chrome has a security flaw that can be triggered just by visiting a website, billions of users are exposed until they update.

That’s why it’s important to install these patches promptly. Staying unpatched means you could be at risk just by browsing the web. Attackers often try to exploit browser vulnerabilities quickly, before most users have a chance to update. Always let Chrome update itself, and don’t delay restarting it, as updates usually fix exactly this kind of risk.

How to update Chrome

The latest version number is 143.0.7499.146/.147 for Windows and macOS, and 143.0.7499.146 for Linux. So, if your Chrome is on version 143.0.7499.146 or later, it’s protected from these vulnerabilities.

The easiest way to update is to allow Chrome to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To update manually, click the More menu (three dots), then go to Settings > About Chrome. If an update is available, Chrome will start downloading it. Restart Chrome to complete the update, and you’ll be protected against these vulnerabilities.

You can also find step-by-step instructions in our guide to how to update Chrome on every operating system.

Technical details

One of the vulnerabilities was found in the WebGPU web graphics API, which allows for graphics processing, games, and more, as well as AI and machine learning applications. This vulnerability, tracked as CVE-2025-14765 is a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Use-after-free is a class of vulnerability caused by incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker may be able to use the error to manipulate the program.

Heap corruption occurs when a program inadvertently damages the allocator’s view of the heap, which can lead to unexpected alterations in memory. The heap is a region of memory used for dynamic memory allocation.

The other vulnerability, known as CVE-2025-14766 was—once again—found in the V8 engine as an out-of-bounds read and write.

V8 is the engine that Google developed for processing JavaScript, and it has seen more than its fair share of bugs.

An out-of-bounds read and write vulnerability means an attacker may be able to manipulate parts of the device’s memory that should be out of their reach. Such a flaw allows a program to read or write outside the bounds the program sets, enabling attackers to manipulate other parts of the memory allocated to more critical functions. Attackers could write code to a part of the memory where the system executes it with permissions that the program and user should not have.

In this case, the vulnerability could be exploited when the engine processes specially crafted HTML content, such as a malicious website.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A PDF named “NEW Purchase Order # 52177236.pdf” turned out to be a phishing lure. So we analyzed the phishing script behind it.

A customer contacted me when Malwarebytes blocked the link inside a “purchase order” email they had received.

When I examined the attachment, it soon became clear why we blocked it.

The visible content of the PDF showed a button prompting the recipient to view the purchase order. Hovering over the button revealed a long URL that included a reference to a PDF viewer. While this might fool some people at first glance, a closer look raised red flags:

Since I’m rarely able to control my curiosity, I temporarily added an exclusion to Malwarebytes’ web protection so I could see where the link would take me. The destination was a website displaying a login form with the target’s email address already filled in (the address shown here was fabricated by me):

The objective was clear: phishing. But the site’s source code didn’t reveal much.

The most likely objective was to harvest business email addresses and their passwords. Attackers commonly test these credentials against enterprise services such as Microsoft Outlook, Google Workspace, VPNs, file-sharing platforms, and payroll systems. The deliberately vague prompt for a “business email” increases the likelihood that users will provide corporate credentials rather than personal ones.

There was also a small personalization touch. The “Estimado” greeting sets a professional tone and is common in business correspondence across Spanish-speaking regions.

For a full analysis read on, but the real clue is that the harvested credentials accompanied additional information about the victim’s browser, operating system, language, cookies, screen size, and location. This data was sent directly to the scammer’s account on Telegram, where it’s likely to be used to compromise the business network or sold on to other cybercriminals.

A quick search on VirusTotal showed that there were several PDF files linking to the exact same ionoscloud.com subdomain.

Analysis

As I pointed out earlier, the source code of the initial phishing page did not reveal a lot. These are probably auto-generated templates that can be planted on any website, allowing attackers a fast rotation.

ionoscloud.com belongs to IONOS Cloud, the cloud infrastructure division of IONOS, a major European hosting company. It offers services similar to Amazon AWS or Microsoft Azure, including hosting for websites and files. Scammers specifically choose reputable cloud platforms like IONOS Cloud because of the “halo effect” of being hosted at a well-known domain, which means security companies can’t just block the whole domain.

The criminals also get the flexibility to quickly spin up, modify, or tear down phishing sites and continue to evade detection by moving to new URLs or storage buckets.

So, we followed the trail to a JavaScript file, which turned out to be obfuscated script—and a long one at that. But the end of it looked promising.

Since it was still unclear at this point what it was up to, I made a change to the script to avoid infection and which allowed me to get the source code without executing the script. To achieve this, I replaced the last line of the original script with code that exports the next layer to an HTML file.

The next obfuscation layer turned out to be easy. All it contained was a long string that needed to be unescaped. Because of the length, I used an online decoder to do that for me.

This showed me the code for the actual form that the target would see—and the goal of the whole phishing expedition.

The part that did the actual harvesting was hidden in another script.

This was still pretty long and obfuscated but by analyzing the code and giving the functions readable names I managed to find out which information the script gathered. For example, the script uses the ipapi location service:

And I found out where it sent the details.

Any credentials entered on the phishing page are POSTed directly to the attacker’s Telegram bot and immediately forwarded to their chosen Telegram chat for collection. The Telegram chat ID hardcoded in the script was 5485275217.

How to stay safe

The advice here is pretty standard. (Do as our customer did, not as I did.)

• Phishing and malware campaigns frequently use PDF files, so treat them like any other attachment: don’t open until the trusted sender confirms sending you one.
• Never click links inside attachments without verifying with the sender, especially if you weren’t expecting the message or don’t know the sender.
• Always check the address of any website asking for your login details. A password manager can help here, as it won’t auto-fill credentials on a fake site.
• Use real-time anti-malware protection, preferably with a web protection component. Malwarebytes blocks the domains associated with this campaign.
• Use an email security solution that can detect and quarantine suspicious attachments.

Pro tip: Malwarebytes Scam Guard recognized the screenshot of the PDF as a phishing attempt and provided advice on how to deal with it.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.