Zscaler ThreatLabz identified two campaigns leveraging Indirect Prompt Injection (IPI) to manipulate AI agents via malicious websites. The first campaign uses SEO poisoning and hidden IPI instructions on a fraudulent API documentation site to trick AI agents into sending cryptocurrency payments for a fake API key. The second campaign uses a typosquatting domain (debank.auction) with hidden prompt injection to misclassify the fraudulent site as the legitimate DeBank platform. Testing across 26 LLMs showed 4 models vulnerable to the payment scam and 2 models susceptible to misclassification, demonstrating measurable real-world impact that varies by model and context.
StealC is a C++ malware-as-a-service infostealer that harvests credentials, cookies, and session tokens from browsers, email clients, crypto wallets, and gaming platforms, using APC injection to bypass Chromium App-Bound Encryption. Amadey is a modular MaaS loader that delivers StealC and other payloads through a rich backdoor command set including process injection, SOCKS proxying, RDP enablement, and hidden admin account creation. Microsoft DCU disrupted over 200 C2 domains and IPs associated with both threats in a coordinated action with Europol on June 24, 2026.
A large-scale campaign abuses the legitimate ScreenConnect remote management tool, distributed via 90+ spoofed freeware download sites using SEO poisoning, to silently deploy AsyncRAT. The attack uses DLL sideloading via a Microsoft-signed install.exe binary, followed by a multi-stage loader chain involving PowerShell and VBScript scripts that disable Defender, bypass UAC, and ultimately inject AsyncRAT into RegAsm.exe via process hollowing. The campaign targets both consumers and corporate networks across multiple languages and regions.
Recorded Future has identified a purchase scam campaign, dubbed AEGIR, utilizing SEO poisoning on compromised legitimate websites to redirect organic search traffic to unindexed scam domains. The campaign employs referrer-based cloaking to evade detection and leverages transaction laundering across multiple merchant accounts to monetize stolen payment card data, specifically targeting event-driven demand like the 2026 World Cup.
The ThreatLabz 2026 Phishing and Initial Access Report highlights a shift towards highly targeted, AI-enabled phishing campaigns against the public sector. Despite a 20% overall drop in phishing volume, attackers are increasingly utilizing AI site builders, encrypted delivery channels, and AiTM/BiTM techniques to bypass traditional MFA and secure initial access.
Threat actors are increasingly targeting macOS environments with infostealers delivered via deceptive .dmg disk images. These attacks rely on social engineering tactics, such as custom background images and misleading filenames, to trick users into bypassing Apple's Gatekeeper protections. This enables rapid 'smash-and-grab' data theft without the need for the malware to establish persistence on the host.
Threat actors are increasingly leveraging the hype around AI platforms like ChatGPT, Claude, and DeepSeek to conduct social engineering attacks. These campaigns utilize phishing, malvertising, and SEO poisoning to distribute infostealers such as Vidar or facilitate credential theft via adversary-in-the-middle (AiTM) infrastructure.
This threat intelligence report highlights multiple high-profile breaches, including 7-Eleven and GitHub, alongside the active exploitation of vulnerabilities in Windows Defender, Trend Micro, and Drupal. It also details emerging threats such as the Kali365 phishing kit, AI-driven prompt injection attacks, the Nimbus Manticore IRGC-linked campaign deploying the MiniFast backdoor, and a supply chain attack on Laravel Lang packages.
Software Supply Chain and AI Exploitation Dominate Threat Landscape
The software supply chain has become the primary battlefield for attackers because compromising a single developer tool can cascade into thousands of enterprise networks. Campaigns like Mini Shai-Hulud and TrapDoor are stealing credentials and injecting backdoors across major code registries, while the Laravel Lang Compromise and the Coruna Exploit Kit show how malicious code can automatically execute to steal secrets or exploit end users. As a result, organizations must treat developer environments as high-value targets, because a single compromised package or malicious VS Code extension can lead to catastrophic breaches like the GitHub internal repository theft by TeamPCP.
In parallel, artificial intelligence is simultaneously accelerating attacks and creating dangerous new attack surfaces. Threat actors are using AI to automate influence campaigns like Patriot Bait and crack passwords, while also impersonating AI tools like Gemini CLI and Claude Code to deliver infostealers. Furthermore, attackers are directly targeting exposed AI infrastructure, such as Ollama AI endpoints, and manipulating AI coding assistants via hidden prompt injections in campaigns like TrapDoor, which means AI systems are both the weapon and the target.
These trends together suggest that traditional perimeter defenses are failing against supply chain and AI-driven threats. Managers should immediately enforce strict vetting of open-source packages, restrict developer access to unverified extensions, and ensure AI infrastructure is not exposed to the public internet.
Iranian threat actor Nimbus Manticore (UNC1549) conducted a series of campaigns in early 2026 utilizing AppDomain Hijacking, SEO poisoning, and task hijacking to deploy the new MiniFast backdoor. The group demonstrated rapid toolset evolution, likely aided by AI-assisted development, targeting the aviation and software sectors across the US, Europe, and the Middle East.
A financially motivated eCrime campaign is leveraging SEO poisoning to impersonate AI coding assistants like Gemini CLI and Claude Code, tricking developers into executing a fileless PowerShell infostealer. The malware executes entirely in memory, disables Windows telemetry (ETW and AMSI), and harvests sensitive enterprise credentials, session tokens, and files before exfiltrating them to attacker-controlled infrastructure.
Fox Tempest is a financially motivated threat actor providing malware-signing-as-a-service (MSaaS) to the cybercrime ecosystem. By abusing Microsoft Artifact Signing via stolen identities, they generate short-lived, fraudulent code-signing certificates that allow threat actors like Vanilla Tempest to bypass security controls and deploy payloads such as the Oyster backdoor and Rhysida ransomware.
Threat actors are leveraging social media platforms, SEO poisoning, and AI agent responses to distribute ClickFix-style attacks disguised as tech tips. Victims are socially engineered into executing malicious PowerShell commands that initiate a fileless infection chain, bypassing traditional security controls to deploy information stealers like Vidar on their endpoints.
Storm-2755 is a financially motivated threat actor targeting Canadian organizations with 'payroll pirate' attacks. By leveraging SEO poisoning and Adversary-in-the-Middle (AiTM) techniques, the actor steals session tokens to bypass legacy MFA, maintains persistence using the Axios HTTP client, and alters direct deposit information to steal employee salaries.
Storm-2561 is conducting a credential theft campaign leveraging SEO poisoning to distribute fake enterprise VPN clients. The attack utilizes digitally signed payloads and DLL side-loading to deploy the Hyrax infostealer, which harvests VPN credentials and configuration data before redirecting victims to legitimate software to evade detection.
A new information stealer named BoryptGrab is being distributed through deceptive GitHub repositories that masquerade as legitimate software tools. The malware employs complex infection chains involving DLL side-loading, VBS downloaders, and encrypted payloads to deliver the stealer alongside additional backdoors like TunnesshClient and HeaconLoad.
Adversaries are actively exploiting web-based Indirect Prompt Injection (IDPI) to manipulate Large Language Models (LLMs) and AI agents. By embedding hidden or obfuscated instructions within benign web content, attackers can coerce AI systems into performing unauthorized actions such as data destruction, SEO poisoning, and bypassing content moderation when the AI processes the webpage.