An active multi-stage phishing campaign distributes AsyncRAT and Remcos RATs through weaponized Excel attachments targeting sales, procurement, and vendor management staff globally. The infection chain uses VBA macros to retrieve HTA payloads via URL shorteners and Cloudflare Workers, with final payloads hidden via PNG steganography and loaded filelessly into memory via .NET assembly loading. The campaign demonstrates high-volume, automated payload generation with consistent obfuscation patterns including Base64 encoding, character substitution, and string reversal.
Cisco Talos identified ARToken, a phishing-as-a-service platform linked to EvilTokens, that abuses Microsoft's OAuth 2.0 Device Authorization Grant to bypass MFA and capture victim tokens. The platform provides affiliates with a comprehensive post-compromise toolkit including PRT-based persistence surviving password resets, BEC email operations, inbox rule manipulation, and SharePoint exfiltration. ARToken deploys a sophisticated seven-layer client-side anti-analysis system and abuses legitimate sharepoint.com URLs from attacker-controlled Microsoft 365 workspaces to evade security scanners.
Multiple Russia-aligned threat actors, including SHADOW-EARTH-066 and Earth Dahu, are actively exploiting a patched WinRAR path traversal vulnerability (CVE-2025-8088) to target Ukrainian organizations. The attackers use crafted RAR archives with NTFS Alternate Data Streams to silently drop malicious payloads, such as the evolved GIFTEDCROOK infostealer or HTA-based espionage tools, into the Windows Startup folder and ProgramData directories.
The article highlights the evolution of social engineering tactics, emphasizing how attackers abuse trusted workflows, AI platforms, and legitimate infrastructure like OAuth to bypass traditional security controls. Key threats include device code phishing campaigns like EvilTokens that bypass MFA for persistent access, and AI chatbot lures tricking macOS users into executing AMOS infostealer payloads via malicious terminal commands.
EvilTokens is a newly discovered Phishing-as-a-Service (PhaaS) platform that automates Microsoft device code phishing to facilitate Business Email Compromise (BEC). By tricking victims into authorizing a malicious device via legitimate Microsoft login portals, attackers harvest access and refresh tokens to gain persistent, unauthenticated access to Microsoft 365 environments.
A novel phishing campaign is abusing the legitimate LiveChat SaaS platform to impersonate brands like PayPal and Amazon. By engaging victims in real-time chat interfaces using automated bots or human operators, attackers successfully harvest sensitive information, including account credentials, multi-factor authentication (MFA) codes, personally identifiable information (PII), and credit card details.
Between January 2025 and January 2026, the India-nexus threat actor SloppyLemming conducted a cyber espionage campaign targeting government and critical infrastructure in Pakistan and Bangladesh. The campaign utilized PDF and Excel lures to deploy two custom implants—an in-memory shellcode backdoor named BurrowShell and a Rust-based keylogger—via DLL search order hijacking and extensive abuse of Cloudflare Workers infrastructure.
AI Rush Opens New Attack Paths as Trusted Cloud Services Fuel Phishing
The rush to adopt artificial intelligence is giving attackers two new advantages: convincing lures to trick users and poorly secured infrastructure to exploit. This week, multiple campaigns used fake websites for the Claude AI assistant to infect victims with password-stealing malware, while researchers revealed that commercial robots and AI connection protocols contain critical flaws that let hackers hijack them. Because organizations are deploying AI tools faster than they can secure them, attackers are finding easy entry points into corporate networks.
In parallel, phishing campaigns are increasingly hijacking trusted cloud services like Amazon's email platform and Vercel's AI-powered website builder to send messages that bypass security filters entirely. A massive campaign targeting US employees used fake HR reviews to steal login sessions even when multi-factor authentication was enabled, and the breach of the Canvas learning platform exposed data on 275 million people that can now be used for highly convincing follow-up scams. These trends together suggest that traditional defenses are losing effectiveness because attackers are hiding inside the systems we already trust.
Organizations should immediately patch the actively exploited Palo Alto Networks and Ivanti vulnerabilities flagged by CISA this week, require phishing-resistant authentication methods, and treat every AI tool and robot connected to their network as a high-risk device that needs strict monitoring.