Tommy Madjar
ffforward.bsky.social
Threat Researcher @ Proofpoint. Opinions are my own etc
Reposted by Tommy Madjar
Since 14 October, we’ve tracked a high-volume XWorm campaign targeting Germany. The activity is attributed to TA584, a sophisticated #cybercrime group tracked since 2020.

Messages are sent from hundreds of compromised sender accounts impersonating ELSTER and contain malicious URLs.
October 20, 2025 at 9:31 PM
Reposted by Tommy Madjar
New ecrime insights:

TA4557, known for distributing More_eggs malware, notably expanded to an international audience in recent campaigns.

Per our data, the recruiter-focused TA was seen targeting orgs in France, England & Ireland, in addition to typical North America-targeted threats.
June 16, 2025 at 3:09 PM
This article, which is starting to get traction, claims that the official RVTools website was distributing a malicious installer leading to Bumblebee. I see zero evidence of this actually being the case.
1/2
May 19, 2025 at 3:47 PM
Reposted by Tommy Madjar
Proofpoint also recently observed this activity delivering GootLoader. Google Ads for a fake document creation app (lawliner[.]com) led to a malicious document creation website, on which users are directed to enter their email address.
March 31, 2025 at 4:43 PM
Great research on that #GootLoader is now including email in their delivery chain. Please don't download NDAs and other contract templates from free sites without any history.
March 31, 2025 at 2:42 PM
New blog drop with @selenalarson.bsky.social and the rest of the team. This one covers a lot of threats using the #ClickFix technique to lure targets to infect themselves by pasting malicious CMD/PS code. My "fave" is the chumbox #malvertising on major tech sites.
www.proofpoint.com/us/blog/thre...
November 18, 2024 at 12:44 PM
Well I guess it's time to try this platform too 😅
November 16, 2024 at 1:53 PM