Dark Web News - The Cyber Express: Trending Cybersecurity News, Updates, Magazine and More.
- Scattered Spider Moves from Data Leaks to Insider-Powered Access Markets Targeting Microsoft, Apple, and More, by Ashish Khaitan on October 7, 2025 at 7:51 am

Scattered Spider has shifted its operational strategy, moving away from chaotic data leaks toward a more structured and professional model of cybercrime. Now functioning as a hybrid of Ransomware-as-a-Service (RaaS) and insider threat operations, the group is building a network of internal collaborators within some of the world’s largest tech and telecom companies, including Microsoft and Apple.

Scattered Spider Shifts from Loud Hacks to Quiet Access Deals

Once known for their high-profile breaches and attention-grabbing leaks, Scattered Spider and its affiliated groups, LAPSUS$, ShinyHunters, and the umbrella Scattered LAPSUS$ Hunters, have turned toward access brokerage. Instead of simply exfiltrating data, they’re actively buying and selling privileged access to corporate systems.

The group is now recruiting insiders across key industries: telecommunications, cloud software, gaming, server hosting, and business process outsourcing. Target companies include names like Microsoft, Apple, IBM, EA, Claro, Telefónica, OVH, and others in the US, UK, Australia, Canada, and France.

According to recent posts from the group, they are offering 25% of profits for insider access to Active Directory (AD) systems, and 10% for access to identity platforms like Okta, Azure, or AWS IAM root credentials. This represents a move toward a more profit-sharing, affiliate-based model, where insiders are treated as partners in crime rather than simple data sources.

“We Already Have the Data. We Need Access.”

A public statement by the group reads: “We already have the data. We need access.” This illustrates their transition from opportunistic hacking to a more calculated form of cyber extortion, aimed at gaining continuous footholds within high-value environments. They also offered to purchase remote access tools like VPN credentials, Citrix sessions, and AnyDesk installations, which they then resell to ransomware affiliates for further exploitation.

One of their more detailed dark web posts, titled “SLSH 6.0 part 3 – lapsus$hiny$scattere…”, called for insiders to submit evidence of access, including SSH keys, OpenLDAP logs, and system network configurations. The group sets clear rules for participation: no companies under $500 million in revenue, and no targets from countries like Russia, China, North Korea, or Belarus.

Salesforce, Microsoft, Apple Among Targeted Firms

The Scattered LAPSUS$ Hunters have recently launched a new dark web leak site as part of their extortion efforts, following breaches at Salesloft and Salesforce. As of early October 2025, they claim to have compromised approximately 40 companies, with threats to release full datasets unless ransoms are paid by October 10.

Salesforce responded publicly on October 2, stating: “There is no indication that the Salesforce platform has been compromised… Our findings indicate these attempts relate to past or unsubstantiated incidents.”

Still, the group continues to threaten legal consequences, claiming to have stolen nearly 1 billion records containing sensitive personally identifiable information (PII). They’ve named Berger Montague, a law firm known for data privacy litigation, as a potential partner in civil action against Salesforce if demands are not met. They also threatened to expose regulatory violations under GDPR, CCPA, HIPAA, and other privacy laws. In one statement, the group said: “We will be submitting a full document… how your company as a data controller… could have prevented such intrusions.”

Criticism of the Cloud Security Model

In comments to The Cyber Express, the group criticized the “shared responsibility” model of cloud security. They argued that Salesforce, like other platforms, shifts too much of the security burden onto customers.

“Salesforce is saying ‘yeah you can use our services but when it comes to security you have to deal with most of it yourself.’”

They further claimed that the use of known threat indicators, such as Mullvad VPN and TOR IPs, could have been blocked using basic YARA rules yet weren’t.

The leak site showcases the group’s aggressive tactics, listing household names like Microsoft, Apple, Google AdSense, Cisco, Toyota, FedEx, Disney/Hulu, UPS, McDonald’s, KFC, Instacart, Chanel, Adidas, Air France/KLM, and more.
- 2025 Ransomware Trends: How Australia’s Wealth Makes It a Prime Target, by Ashish Khaitan on September 26, 2025 at 12:38 pm

Australia’s strong economy and high per-capita wealth have made it a prime target for ransomware groups, with the country facing a disproportionate number of attacks compared to many other nations. In 2025 alone, Australian organizations have been hit by 71 ransomware incidents, far exceeding the nine attacks recorded in neighboring New Zealand. Despite the difference in volume, both countries have seen ransomware activity this year, including attacks with notable supply chain implications.

Globally, ransomware attacks tend to be more frequent in regions like the U.S., Canada, and Europe. However, when adjusted for population size, Australia’s ransomware threat is particularly acute. For example, Italy has been hit by 118 ransomware incidents so far in 2025, the fifth highest worldwide, yet Italy’s population is more than twice that of Australia. With Australia ranked 13th globally in GDP but only 55th in population, its economic prosperity has positioned it as an especially lucrative target for ransomware groups seeking financial gain.

Unlike many regions where a single ransomware group dominates, the ransomware landscape in Australia and New Zealand is more fragmented. The groups Qilin, Akira, and INC have each claimed responsibility for eight attacks in the region this year, with Lynx and Dragonforce also actively involved. The most frequently targeted sectors in Australia and New Zealand are professional services and healthcare. However, at least eight other industries have experienced three or more ransomware incidents in 2025.

Major Ransomware Attacks in Australia and New Zealand in 2025

Several notable ransomware incidents have made headlines across Australia and New Zealand this year, involving various industries and extensive data breaches:

  - Akira Ransomware Group: Responsible for attacking an Australian company specializing in operational technology (OT) and industrial control systems (ICS). The group claimed to have stolen 10GB of corporate data, including sensitive employee documents such as passports, driver’s licenses, medical records, birth and death certificates, alongside contracts, financial records, and project files.
  - Australian Political Party Breach: In June 2025, a ransomware attack compromised an Australian political party’s servers. The attackers accessed email correspondence, documents, phone numbers, identity records, banking details, and employment history.
  - Dragonforce Group: Leaked over 100GB of data from an Australian engineering firm. The stolen information included site reports, customer data, detailed technical equipment drawings, and employee medical records.
  - Arcus Media: Claimed an attack on an Australian IT company that develops flight simulation and aviation training software. While no data samples were released, the incident raised concerns over aviation-related cybersecurity.
  - VanHelsing Ransomware: Targeted an Australian medical technology company focusing on sleep diagnostics and neurological monitoring. The group shared evidence, including U.S.-based staff passport scans, credit applications, product and testing data, and employee information.
  - RansomHub Group: Claimed a breach of an Australian pharmaceutical firm engaged in healthcare product manufacturing and distribution, alleging theft of 40GB of sensitive data.
  - Akira: The group also claimed to have breached an Australian process engineering company, resulting in the theft of 26GB of data, including employee and customer contact details, internal communications, and financial documents.
  - Qilin Group: Targeted an Australian steel industry company, reportedly stealing 11GB of data covering over 23,000 files, including financial documents and internal correspondence.
  - Play Ransomware Group: Attacked a New Zealand-based SaaS company specializing in billing solutions. Though the volume of stolen data was not disclosed, it reportedly included confidential client information, budgets, payroll, tax records, and identification documents.
  - Chaos Ransomware: Leaked nearly 3GB of data from an international instrumentation company with significant operations in New Zealand. The compromised files included technical manufacturing details such as PCB corrections, SMT programming, and RoHS compliance information.

The Unique Threat Environment in Australia and New Zealand

Australia and New Zealand face a distinct ransomware threat, with Australia experiencing numerous attacks across various sectors and multiple active ransomware groups. New Zealand’s interconnectedness through global supply chains also exposes it to cybersecurity risk.

To effectively counter these cyber threats, organizations must adopt strong cybersecurity measures such as zero trust models, asset segmentation, and continuous monitoring. Platforms like Cyble’s AI-native cybersecurity solutions provide real-time threat intelligence, proactive attack surface management, and autonomous incident response.
- Pakistan Launches Probe After Massive SIM Data Leak Hits Millions, by Ashish Khaitan on September 8, 2025 at 10:52 am

The Pakistani government has launched an urgent investigation following reports of a massive data leak involving SIM holders’ personal information, including that of Interior Minister Mohsin Naqvi. The leaked SIM data, reportedly being sold openly online, has sparked national concern over digital security and privacy.

The Ministry of Interior confirmed in an official press release that Minister Naqvi had taken immediate notice of the situation and ordered the formation of a special investigation team. The National Cyber Crimes Investigation Agency, acting on the minister’s directives, has constituted this team with a strict deadline to complete its probe and submit findings within 14 days. “The team will thoroughly examine the circumstances, and those involved in the data leakage will be identified and brought to justice through legal action,” the press release stated.

SIM Data Being Sold Online for Pennies

According to media reports, the breach involves the sale of sensitive SIM data on Google platforms. It is claimed that the mobile location of individuals is being sold for Rs 500, mobile data records for Rs 2,000, and even details of foreign trips for Rs 5,000. Disturbingly, these illicit transactions include data related to government officials and private citizens alike, reported Pakistani English-language newspaper Dawn.

This news comes just months after the Pakistan National Cyber Emergency Response Team (PKCERT) issued a dire warning about a global data breach that affected more than 180 million Pakistani internet users. PKCERT identified a publicly accessible, unencrypted database containing over 184 million unique account credentials, including usernames, emails, and passwords. The data, linked to social media services, banking institutions, healthcare platforms, and government portals, had been stolen using infostealer malware. This malicious software extracts sensitive data from infected systems.

The stolen information was stored without any encryption or password protection, making it easily exploitable. “The leaked database is believed to have been compiled using infostealer malware… This data was stored in plain text and left completely unprotected,” the advisory noted.

PKCERT, the federal agency responsible for protecting Pakistan’s digital assets and critical infrastructure, warned that the breach could lead to:

  - Credential stuffing attacks
  - Identity theft
  - Unauthorized access to sensitive accounts
  - Targeted phishing and social engineering
  - Malware deployment using stolen credentials

The advisory urged citizens, especially SIM holders, to change their passwords regularly and use credible online tools to check for data breaches.

Previous Breaches Raise Questions About Data Security

This is not the first high-profile breach of sensitive Pakistani data. In March 2024, a Joint Investigation Team (JIT) reported to the Interior Ministry that the credentials of 2.7 million people were compromised between 2019 and 2023 in a separate incident involving the National Database and Registration Authority (NADRA).

The overlapping timelines and repeated breaches have raised serious questions about the effectiveness of digital security protocols in Pakistan. With the increasing digital footprint of citizens, including the widespread use of mobile phones and SIM cards, the protection of SIM data and related personal information is more important than ever.

As the investigation ordered by Interior Minister Naqvi unfolds, public attention will remain focused on both the Interior Ministry and PKCERT to ensure accountability, transparency, and most importantly, stronger data protection mechanisms for Pakistan’s millions of SIM holders.
- New Android Malware ‘SikkahBot’ Targets Students in Bangladesh, by Ashish Khaitan on August 29, 2025 at 6:57 am

A newly discovered Android malware, dubbed SikkahBot, is actively targeting students in Bangladesh by posing as official applications from the Bangladesh Education Board. This malware campaign, identified by Cyble Research and Intelligence Labs (CRIL), has been in operation since July 2024.

According to CRIL, the SikkahBot malware is distributed through shortened URLs, including links like bit[.]ly/Sikkahbord, apped[.]short[.]gy, and downloadapp[.]website/tyup[.]apk. These URLs are likely spread through smishing attacks, tricking victims into downloading malicious APK files under the pretense of scholarship applications from government bodies.

Once installed, the fake apps prompt users to log in using their Google or Facebook accounts and request personal details such as name, department, and institute. The app then demands financial information, including wallet numbers, wallet PINs, and payment methods. After submission, a fake message informs the victim that a representative will contact them soon, a ploy to buy time while the malware begins its work in the background.

SikkahBot Malware: Permissions Abuse and Automated Banking Fraud

What sets SikkahBot apart is its aggressive abuse of Android permissions. Upon installation, it pushes users to grant high-risk access, including the Accessibility Service, SMS access, call management, and the ability to draw over other apps. These permissions allow it to monitor and manipulate user activity with deep control over the device.

Permission Activity (Source: Cyble)

Once these permissions are granted, the malware activates a fake homepage showing doctored images of students supposedly receiving scholarships, part of its social engineering strategy to establish legitimacy.

Behind the scenes, SikkahBot registers a broadcast receiver to intercept all incoming SMS messages. It specifically targets keywords related to mobile banking services widely used in Bangladesh, such as “bKash,” “Nagad,” and “MYGP,” as well as associated service numbers like “16216” and “26969.” Captured messages are then sent to an attacker-controlled Firebase server at update-app-sujon-default-rtdb[.]firebaseio.com.

Accessibility Exploits and Offline USSD Transactions

The malware’s exploitation of the Accessibility Service is particularly dangerous. When it detects that a user is interacting with banking apps such as bKash, Nagad, or Dutch-Bangla Bank, it pulls credentials from its command-and-control server. It attempts to autofill login details, bypassing user input entirely.

Login and registration page (Source: Cyble)

If the user isn’t actively using these apps, SikkahBot initiates USSD-based banking transactions. It receives USSD codes and SIM slot information from the server, executes the calls, and automatically interacts with response prompts by clicking on UI elements labeled “SEND” or “OK.” This method allows transactions without requiring internet access, increasing the malware’s reach and reliability in low-connectivity environments.

Evasion and Evolution

Despite its high-risk behavior, SikkahBot malware variants maintain low detection rates on VirusTotal, a factor that highlights the malware’s obfuscation techniques and the attackers’ continued refinement. CRIL reports that more than 10 distinct samples have been discovered, with newer versions incorporating more automated features and sophisticated command execution methods.

“The combination of phishing, automated banking activity, and offline USSD exploitation makes it a highly effective tool for financial fraud against unsuspecting students,” CRIL stated in its technical analysis.

Recommendations for Protection

To protect against malware campaigns like SikkahBot, CRIL stresses the need for improved mobile security awareness and proactive defense strategies. Their key recommendations include:

  - Install apps only from trusted sources such as the Google Play Store.
  - Avoid clicking on shortened or suspicious links, especially those received via SMS or social media.
  - Limit permissions: do not grant Accessibility or overlay permissions unless absolutely necessary and verified.
  - Enable Multi-Factor Authentication (MFA) for financial apps.
  - Use mobile security software that includes real-time threat detection.
  - Keep Android OS and apps up to date to patch known vulnerabilities.
  - Report suspicious activity immediately to your bank and perform a factory reset if necessary.

Cyble’s Threat Intelligence Platform continues to monitor emerging malware like SikkahBot, providing early detection capabilities, infrastructure tracking, and threat attribution. As digital fraud increases in complexity and scope, constant vigilance and cybersecurity hygiene remain the first lines of defense.
- Buffalo Police Detective Indicted for Attempted Purchases on Genesis Market, by Ashish Khaitan on August 25, 2025 at 10:33 am

A Buffalo Police detective has been hit with a superseding federal indictment for allegedly attempting to purchase stolen credentials from an illicit online marketplace known as Genesis Market. The indictment was announced by U.S. Attorney Michael DiGiacomo, who confirmed that 35-year-old Terrance Michael Ciszek, also known by the alias “DrMonster,” faces multiple serious charges.

Ciszek is now formally charged with effecting transactions using access devices issued to other individuals, as well as aggravated identity theft. If convicted, he could face up to 15 years in federal prison and a fine of $250,000.

FBI Tracks Genesis Market and Digital Fraud

The charges stem from a broader investigation led by the Federal Bureau of Investigation (FBI), under the direction of Acting Special Agent-in-Charge Mark Grimm. According to Assistant U.S. Attorney Charles Kruly, who is prosecuting the case, the FBI began investigating Genesis Market in August 2018. The illicit online marketplace specialized in trafficking stolen digital data harvested from malware-infected devices worldwide.

“Genesis Market offered buyers packages of sensitive data, including login credentials, computer identifiers, email addresses, and passwords,” Kruly stated. These packages were sold using virtual currencies such as Bitcoin, making transactions harder to trace.

Ciszek Allegedly Bought and Used Stolen Credentials

Ciszek is accused of purchasing 11 stolen data bundles from Genesis Market between March and August 2020, which reportedly included 194 stolen account credentials. In March and April 2020, prosecutors allege, he attempted to use stolen credit cards to make purchases. He was also allegedly found in possession of another person’s full identification, including their credit card, on April 15, 2020.

This level of misconduct is especially troubling given Ciszek’s role as a detective with the Buffalo Police, raising questions about internal oversight and trust within law enforcement ranks.

False Statements and Ongoing Legal Proceedings

Further complicating his legal situation, Ciszek allegedly made false statements to FBI investigators on April 4, 2023. He denied purchasing stolen data from the internet and attempted to shift blame onto a family member, claiming his nephew may have been responsible for the transactions.

Ciszek had previously been indicted for possession of unauthorized access devices with intent to defraud and for making a false statement to a federal agency. The latest superseding indictment broadens the case, adding more serious charges.

While these developments reflect the federal government’s ongoing efforts to clamp down on illicit online marketplaces like Genesis Market, authorities remind the public that all individuals charged with crimes are presumed innocent until proven guilty in a court of law.
- Oregon Man Charged in Global ‘Rapper Bot’ DDoS-For-Hire Scheme, by Ashish Khaitan on August 20, 2025 at 9:01 am

A massive cybercrime operation tied to one of the internet’s most powerful DDoS-for-hire botnets, Rapper Bot, has been brought down, and at the center of the case is a 22-year-old man from Eugene, Oregon. According to a federal criminal complaint filed on August 6, 2025, in the District of Alaska, Ethan Foltz is alleged to be the mastermind behind Rapper Bot, a botnet responsible for hundreds of thousands of disruptive attacks around the world.

Also known as “Eleven Eleven Botnet” and “CowBot,” Rapper Bot functioned as a large-scale DDoS-for-hire botnet, targeting devices like WiFi routers and digital video recorders (DVRs). Once compromised, these devices were used to flood targeted systems with overwhelming internet traffic, resulting in Distributed Denial of Service (DDoS) attacks that could cripple websites, networks, and digital services within seconds.

The Rapper Bot Botnet: Scale and Global Impact

Between April 2025 and the time of the complaint, Rapper Bot is believed to have launched over 370,000 separate attacks against more than 18,000 unique victims in over 80 countries. The botnet’s capabilities were staggering: with between 65,000 and 95,000 infected devices under its control, its attacks often peaked at 2 to 3 terabits per second, and the largest potentially exceeded 6 terabits per second. Among the targets were U.S. government networks, major tech firms, and a prominent social media platform. Authorities confirmed that at least five of the infected devices used in these attacks were located in Alaska.

According to the court documents, Ethan Foltz and unnamed co-conspirators monetized the botnet by offering paid access to Rapper Bot’s infrastructure. Some clients allegedly used it for extortion, threatening to launch devastating attacks unless victims paid up. A single 30-second DDoS attack could cost businesses $500 to $10,000 in damages and recovery efforts.

Takedown and Seizure of Rapper Bot

Law enforcement’s breakthrough came on August 6, 2025, when federal agents executed a search warrant on Foltz’s residence in Oregon. During the operation, they seized control of Rapper Bot, disabling its attack infrastructure. Since then, no further Rapper Bot activity has been reported, following the handover of its command-and-control systems to the Defense Criminal Investigative Service (DCIS).

“Rapper Bot was one of the most powerful DDoS botnets to ever exist, but the outstanding investigatory work by DCIS cyber agents and support of my office and industry partners has put an end to Foltz’s time as administrator,” said U.S. Attorney Michael J. Heyman for the District of Alaska.

Charges, Partners, and Ongoing Operations

Ethan Foltz is charged with one count of aiding and abetting computer intrusions, a felony that carries a maximum sentence of 10 years in prison if convicted. The case is being prosecuted by Assistant U.S. Attorney Adam Alexander and investigated by the DCIS, with major contributions from industry partners.

This enforcement action was carried out as part of Operation PowerOFF, a coordinated international law enforcement effort aimed at dismantling DDoS-for-hire botnets around the globe. As with all criminal cases, Foltz is presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
- Cyble Uncovers RedHook Android Trojan Targeting Vietnamese Users, by Ashish Khaitan on July 29, 2025 at 6:33 am

Cybersecurity researchers at Cyble Research and Intelligence Labs (CRIL) have uncovered a new Android banking trojan called RedHook that is actively targeting Vietnamese mobile users. The malware is distributed via carefully crafted phishing sites impersonating trusted financial and government agencies. Once installed, RedHook delivers a dangerous combination of phishing, keylogging, and remote access capabilities, enabling full control over infected devices, yet it remains low-profile with limited antivirus detection.

Decoding the RedHook Android Banking Trojan Campaign

CRIL first detected RedHook via a phishing website at sbvhn[.]com, which mimics the State Bank of Vietnam. The site lures users into downloading a trojanized APK (SBV.apk) from an exposed AWS S3 bucket (hxxps://nfe-bucketapk.s3.ap-southeast-1.amazonaws[.]com/SBV.apk). The bucket, which has been public since November 2024, contained screenshots, phishing templates, and malware versions. Its contents revealed that RedHook has been active since at least November 2024, with samples appearing in the wild by January 2025.

Phishing site distributing a malicious APK file (Source: Cyble)

RedHook’s infrastructure includes domains such as mailisa[.]me, previously associated with a Vietnamese cosmetic scam. That shift indicates the threat actor has evolved from social engineering fraud to wielding an Android banking trojan embedded in phishing sites.

Infection Workflow and Capabilities

After installation, the malware prompts the user for overlay access and Android accessibility services. These elevated permissions enable RedHook to perform a range of intrusive actions: launching overlay phishing pages, capturing all keystrokes (keylogging), exfiltrating contacts and SMS, and installing or uninstalling apps. The malware abuses Android’s MediaProjection API to capture the screen and streams images via WebSocket to the attacker’s control infrastructure.

RedHook maintains persistent WebSocket communication with its command-and-control (C2) server, using the subdomain skt9.iosgaxx423.xyz, while initial HTTP requests go to api9.iosgaxx423.xyz. The malware supports 34 distinct remote commands from the server, numbered actions that let operators collect device info, SMS, and screenshots, send commands, trigger overlays, and more.

Technical Deep Dive

Upon launch, the malware presents a spoofed login page imitating the State Bank of Vietnam. Once credentials are entered, the trojan sends them to /auth/V2/login. In response, the server issues a JWT access token and client ID. Using these tokens, RedHook reports device specifics to /member/info/addDevice, including device ID, brand, orientation, and screen lock type, allowing the attacker to register and track each compromised device. At the time of the analysis, the number of returned user IDs had increased to 570, indicating over 500 infections.

RedHook’s phishing workflow unfolds in stages:

  - Victims are prompted to photograph and upload their citizen ID. The resulting image is transmitted to /file/upload/.
  - Users then provide bank name, account number, name, address, birthdate, and other personal data via templates that, interestingly, appear in Indonesian, not Vietnamese.
  - Finally, the victim is asked to enter a 4-digit password and 6-digit two-step verification code.

Every keystroke entered is logged, tagged with app package name and foreground activity, and sent to the C2 server.

The RAT (Remote Access Trojan) capability is enabled via a WebSocket connection to the skt9 subdomain. During this session, captured screen frames (converted to JPEG) are streamed live. The exposed S3 bucket contained screenshots showing the WebSocket session and Chinese-language interface elements, implying a possible Chinese-speaking threat actor. Chinese-language strings also appear in the malware logs.

Exposed S3 bucket used by malware (Source: Cyble)

The AWS S3 bucket exposed RedHook’s phishing templates mimicking several well-known Vietnamese targets, including Sacombank, Central Power Corporation, the traffic police (CSGT), and government portals.

Exposed data on open S3 bucket (Source: Cyble)

Icons and branding closely mirrored those institutions to deceive victims into trusting the phishing sites.

Attribution and Indicators

Several artifacts strongly suggest a Chinese-speaking origin: Chinese text is present throughout screenshots captured from the C2 interface, and internal code and log strings also contain Chinese language. Additionally, the staging domain mailisa[.]me has links to previous Vietnamese fraud campaigns, including one case where a victim lost over 1 billion VND after being redirected to MaiLisa salon-branded phishing content.

Malware receiving mailisa.me domain from the server (Source: Cyble)

Screenshots from an exposed data bucket referenced “MaiLisa Beauty Salon” and showed payments of 5.5 million VND to “DTMG TRADING CO. LTD D MAILISA,” closely resembling the earlier scam.

Exposed S3 bucket images associated with the MaiLisa Beauty Salon theme (Source: Cyble)

Together, these elements indicate a group likely operating from a Chinese-language background, evolving from basic scams to deploying RedHook, a sophisticated Android banking trojan, through phishing sites.

Conclusion

RedHook represents a dangerous shift in Android malware, combining phishing, remote access, and surveillance to target users, especially in Vietnam, while evading detection through spoofed sites and sideloaded APKs. Its advanced features and low VirusTotal visibility make it highly stealthy.

To combat threats like RedHook, users should avoid installing apps from unknown sources, be cautious of suspicious permission requests, and use behavior-based mobile security. Institutions must proactively share threat intelligence to disrupt mobile attack infrastructure.
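Added example, not code from Cyble or this article: a small Python detection routine that matches the RedHook network indicators named above (the phishing host, the S3 bucket, the api9/skt9 C2 subdomains, the mailisa[.]me staging domain and the /auth/V2/login, /member/info/addDevice and /file/upload/ paths) against web-proxy log lines. The log format, the client addresses and the sample lines are constructed assumptions for the demonstration; only the hosts and paths come from the article.

```python
"""Match RedHook indicators from the CRIL write-up against proxy log lines.

Added example. The log format is a constructed, simplified proxy format:
    <timestamp> <client-ip> <METHOD> <host> <path> [key=value ...]
Hosts and paths are the ones reported in the article; everything else is assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Indicators quoted in the article, kept in the defanged form the article uses.
DEFANGED_HOSTS = [
    "sbvhn[.]com",                                      # phishing site posing as the State Bank of Vietnam
    "nfe-bucketapk.s3.ap-southeast-1.amazonaws[.]com",  # exposed S3 bucket serving SBV.apk
    "api9.iosgaxx423.xyz",                              # initial HTTP C2 endpoint
    "skt9.iosgaxx423.xyz",                              # WebSocket C2 endpoint (RAT session)
    "mailisa[.]me",                                     # staging domain tied to earlier scams
]
# Registrable C2 domain, so sibling subdomains not yet listed are also caught.
C2_DOMAINS = {"iosgaxx423.xyz"}
# Server-side paths the trojan is described as calling.
C2_PATHS = ["/auth/V2/login", "/member/info/addDevice", "/file/upload/"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('hxxps://x[.]y') back into a matchable string."""
    out = indicator.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", out)


C2_HOSTS = {refang(h).lower() for h in DEFANGED_HOSTS}

# Constructed log layout: ts client method host path extra
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+)(?: (?P<extra>.*))?$"
)


@dataclass
class Hit:
    line_no: int
    client: str
    reasons: list[str] = field(default_factory=list)


def classify(line: str) -> list[str]:
    """Return every reason a single proxy log line resembles RedHook traffic."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    host = m.group("host").lower()
    path = m.group("path")
    extra = (m.group("extra") or "").lower()
    reasons: list[str] = []
    if host in C2_HOSTS:
        reasons.append(f"known RedHook host {host}")
    elif any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
        reasons.append(f"subdomain of RedHook C2 domain {host}")
    if any(path.startswith(p) for p in C2_PATHS):
        reasons.append(f"RedHook C2 path {path}")
    # Sideloaded APK pulled straight from an S3 bucket, as with SBV.apk.
    if host.endswith(".amazonaws.com") and path.lower().endswith(".apk"):
        reasons.append("APK download from an S3 bucket")
    # The RAT/screen-streaming session is a WebSocket to the C2 domain.
    if "upgrade=websocket" in extra and any(host.endswith(d) for d in C2_DOMAINS):
        reasons.append("WebSocket upgrade to RedHook C2 (RAT session)")
    return reasons


def scan(lines: list[str]) -> list[Hit]:
    """Classify each line and return the hits with the client that produced them."""
    hits: list[Hit] = []
    for i, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            hits.append(Hit(i, LOG_RE.match(line.strip()).group("client"), reasons))
    return hits


# Constructed sample log: one infected device (10.0.0.21) walking the article's
# infection chain, plus two benign lines from another client.
SAMPLE_LOG = [
    "2025-01-14T09:12:03Z 10.0.0.21 GET sbvhn.com / ua=Android",
    "2025-01-14T09:12:09Z 10.0.0.21 GET nfe-bucketapk.s3.ap-southeast-1.amazonaws.com /SBV.apk ua=Android",
    "2025-01-14T09:15:40Z 10.0.0.21 POST api9.iosgaxx423.xyz /auth/V2/login ua=okhttp",
    "2025-01-14T09:15:41Z 10.0.0.21 POST api9.iosgaxx423.xyz /member/info/addDevice ua=okhttp",
    "2025-01-14T09:16:02Z 10.0.0.21 GET skt9.iosgaxx423.xyz /ws upgrade=websocket",
    "2025-01-14T09:20:00Z 10.0.0.33 GET www.example.com /index.html ua=Chrome",
    "2025-01-14T09:21:00Z 10.0.0.33 GET docs.s3.ap-southeast-1.amazonaws.com /report.pdf ua=Chrome",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no} client {hit.client}: {'; '.join(hit.reasons)}")
```

Running the block prints five hits, all from 10.0.0.21, and nothing for the two benign lines; the PDF fetched from a different S3 bucket shows that bucket hosting alone is not treated as suspicious.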
- Scanception Exposed: New QR Code Attack Campaign Exploits Unmonitored Mobile Access, by Ashish Khaitan on July 18, 2025 at 6:20 am

Cyble’s Research and Intelligence Lab (CRIL) has analyzed a new quishing campaign that leverages QR codes embedded in PDF files to deliver malicious payloads. The campaign, dubbed Scanception, bypasses security controls, harvests user credentials, and evades detection by traditional systems.

Unlike conventional phishing attacks, which rely on malicious links within emails or attachments, Scanception leverages user curiosity by embedding QR codes within legitimate-looking PDF documents. Victims are prompted to scan these codes using their mobile devices, a tactic that cleverly shifts the attack vector to endpoints that lie outside organizational visibility, such as personal smartphones. This approach allows attackers to bypass security systems like secure email gateways (SEGs) and endpoint detection tools, which often do not scrutinize mobile device traffic.

The attack typically begins with a phishing email that includes a PDF file mimicking official corporate communication. These decoys are crafted to resemble HR notifications, employee handbooks, or onboarding documents, complete with logos, tables of contents, and multiple pages to avoid signature-based detection tools.

Scanception Quishing Campaign: Over 600 Unique Lures in Three Months

Phishing QR code (Source: Cyble)

CRIL’s analysis over three months uncovered over 600 distinct phishing PDFs and emails tied to the Scanception campaign. Shockingly, nearly 80% of these files had zero detections on VirusTotal at the time of their discovery. These documents are not randomly distributed; instead, they are precision-targeted based on industry verticals, geographic location, and user roles.

The quishing campaign had global reach throughout the tracking period, affecting organizations in over 50 countries, with high activity concentrations in North America, EMEA (Europe, the Middle East, and Africa), and the APAC region. The sectors most impacted include technology, healthcare, manufacturing, and BFSI (banking, financial services, and insurance), industries known for their data sensitivity and high-value targets.

Credential Theft via AITM Phishing Infrastructure

Office 365 sign-in portal (Source: Cyble)

The end goal of Scanception is credential harvesting. The embedded QR codes lead to adversary-in-the-middle (AITM) phishing pages, often designed to impersonate Microsoft Office 365 login portals. These pages collect user credentials in real time and use advanced techniques to bypass security measures such as multi-factor authentication (MFA).

Once credentials are entered, the attacker’s infrastructure captures the data using tools like randroute and randexp.min.js, which dynamically generate URLs to evade signature-based detection. The phishing pages also employ browser fingerprinting and detect debugging tools like Selenium and Burp Suite. If such tools are identified, the attack immediately halts by redirecting to a blank or legitimate webpage.

This dynamic infrastructure maintains an open communication channel with the attacker, potentially prompting for secondary authentication details like 2FA codes or one-time passwords (OTPs), enabling full session hijacking and long-term access to compromised accounts.

Abuse of Trusted Platforms and Redirection Techniques

One of Scanception’s most insidious strategies involves the abuse of trusted redirection services and reputable cloud-hosting platforms. The campaign has misused services such as YouTube, Google, Bing, Cisco, Medium, and even email protection vendors to host or relay phishing infrastructure. This tactic not only masks the attack behind seemingly legitimate URLs but also helps in evading content and reputation-based security filters. Examples include:

  - Redirect URLs embedded in Google search links
  - Medium articles containing hidden redirect links
  - Cisco-secure URLs redirecting to phishing pages
  - Email security links that lead victims to fake login portals

By embedding malicious payloads behind such domains, attackers bypass security measures that typically whitelist these platforms.

Evolution of Tactics and Continued Activity

Scanception is not a static operation; it is adapting and changing rapidly. Initial versions of the decoy PDFs were single-page documents. Newer versions now include multiple pages, structured content, and advanced visual designs to enhance credibility. Some phishing pages now feature multi-stage harvesting and dynamic evasion techniques, including right-click disablement and real-time debugging detection.

Scanception is a new and advanced player in phishing, blending social engineering with technical evasion to exploit QR codes, trusted platforms, and unmanaged mobile devices. With over 600 unique lures identified in just 90 days, most undetected by threat engines, it highlights how attackers bypass security and target users beyond traditional perimeters.