Part 2 of our #EvilTokens in-depth analysis is out! This blog post details the AI-augmented features significantly facilitating #BEC fraud. I believe that this AI-augmented post-compromise tooling represent a genuine breakthrough in the #PhaaS ecosystem. blog.sekoia.io/eviltokens-a...

In early March 2026, we uncovered #EvilTokens, a new #PhaaS offering device code phishing pages and AI-driven features to automate and scale BEC workflows. Part 1 of our analysis provides a technical analysis of the EvilTokens kit ⬇️ blog.sekoia.io/new-widespre...

Our latest TDR report on the #IClickFix framework: 📊 3,800+ WordPress sites compromised worldwide ⚙️ Multi-stage JavaScript loader 🚦 Abusing YOURLS as TDS 🖱️ Fake Cloudflare CAPTCHA and #ClickFix lure 🦠 #NetSupport RAT payload bsky.app/profile/seko...

Open directory at 104.168.81.]229/BJ/ containing phishing pages for Zimbra, Outlook, Adobe, and various Chinese services 104.168.81.]229 microsoftstorage.duckdns[.]org outllook.duckdns[.]org outlookspace.duckdns[.]org patnerrshipp.duckdns[.]org ⬇️

#TDR analysts dig into a modus operandi targeting the hospitality industry and the related cybercrime ecosystem that facilitates #phishing and #fraud campaigns. blog.sekoia.io/phishing-cam...

📝 Our latest #TDR report delivers an in-depth analysis of Adversary-in-the-Middle (#AitM) #phishing threats - targeting Microsoft 365 and Google accounts - and their ecosystem. This report shares actionable intelligence to help analysts detect and investigate AitM phishing.

Check out our new blog post by the TDR team, presenting the latest TTPs used by the #Interlock ransomware group! It includes their use of the ClickFix tactic, PyInstaller, Node.js, Cloudflare Tunnels, and new PowerShell loader/backdoor ⬇️ bsky.app/profile/seko... ✍️ @kseznec.bsky.social

Since the apparition of the #Interlock ransomware, the Sekoia #TDR team observed its operators evolving, improving their toolset (#LummaStealer and #BerserkStealer), and leveraging new techniques such as #ClickFix to deploy the ransomware payload. blog.sekoia.io/interlock-ra...

Tycoon 2FA (a prominent AitM phishing kit), targeting Microsoft and Google accounts, uses a new CAPTCHA page instead of the custom Cloudflare Turnstile page e.g. hxxps://ymi.bvyunz.]ru/3v4jfQ-cUo/ hxxps://xau.kolivax.]ru/ckYHFJN/ hxxps://ffqt.lzirleg.]es/VajlR/ ⬇️

Here is our in-depth analysis of the latest #ClearFake variant using the Binance Smart Chain and two new ClickFix lures. ClearFake is injected into thousands of compromised sites to distribute the #Emmental Loader, #Lumma, #Rhadamanthys, and #Vidar. ⬇️ bsky.app/profile/seko...

TDR analysts published an analysis of the new #ClearFake variant that relies on compromised websites injected with the malicious JavaScript framework, the #EtherHiding technique, and the #ClickFix social engineering tactic. buff.ly/vbiVbsN

#ClearFake variant is now spreading #Rhadamanthys Stealer via #Emmenhtal Loader. cc @plebourhis.bsky.social @sekoia.io 1. ClearFake framework is injected on compromised WordPress and relies on EtherHiding 2. The #ClickFix lure uses a fake Cloudflare Turnstile with unusual web traffic ⬇️

For those who did not monitor the supply chain attack against Chrome extensions in December 2024, our article provides an overview of: - the targeted phishing attack against extension developers - malicious code - the adversary's infrastructure ⬇️ bsky.app/profile/seko...

TDR analysts analysed the supply chain attack targeting Chrome browser extensions, which potentially affected hundreds of thousands of end users in December 2024. https://buff.ly/4auQ0HN

Around 1,000 malicious domains are hosting webpages impersonating Reddit and WeTransfer, redirecting users to download password-protected archives These archives contain an AutoIT dropper, we internally named #SelfAU3 Dropper at @sekoia.io, which executes #Lumma Stealer IoCs ⬇️

Our last article exposes the new AiTM phishing kit Sneaky 2FA, sold by the cybercrime service "Sneaky Log"! We provide an in-depth analysis of the phishing pages, the associated service, detection opportunities and multiple IoCs. ⬇️ bsky.app/profile/seko...

Recent update in #Vidar C2 servers configuration: HTTP Location header set to "hxxps://t.]me", instead of "hxxps://google.]com" Heuristic to track C2 IPs and domains on Censys: search.censys.io/search?resou... Dead Drop Resolvers (DDR) of the week: hxxps://t.]me/no111p ⬇️

🦝 The new episode of @intel471.bsky.social "Cybercrime Exposed" podcast produced by @jkirk.bsky.social tells the story of #Raccoon Stealer and, more broadly, reveals how the #infostealer ecosystem operates. Featuring @crep1x.bsky.social from @sekoia.io! intel471.com/resources/po...