Threat Matrix: February 2025

Welcome to the February edition of Upfort’s Threat Matrix where the weather was as cold as cybercriminals’ actions! (Sorry.)

In this edition, we cover a bevy of emerging scams, including the compromise of a popular crypto account on X, a breach at a major drug-testing firm that exposed sensitive information on more than three million people, a sophisticated scam that taps legitimate PayPal email servers to launch targeted phishing attacks, and more! PLUS actionable steps to keep your business secure.

We also encourage you to take two minutes and complete our interactive cybersecurity checklist to see how prepared your company is. Or take a free cybersecurity risk assessment, which taps Upfort’s state-of-the-art AI to surface exploitable vulnerabilities in your network.

Mega-botnet launches large-scale password-spraying attacks on Microsoft 365 accounts

A botnet comprising over 130,000 compromised devices is actively conducting a large-scale password-spraying attack against Microsoft 365 accounts. Security researchers have identified the attack exploiting non-interactive sign-ins—a lesser-monitored authentication feature that allows attackers to repeatedly attempt password guesses without triggering traditional security alerts.

These non-interactive logins, commonly used for service accounts and background processes (e.g., scheduled tasks, application access via OAuth tokens, or legacy authentication protocols like IMAP and POP3), enable attackers to infiltrate networks without causing account lockouts. Experts warn that this method significantly extends the time threat actors can operate undetected, increasing the risk of account takeovers, lateral movement within corporate networks, and MFA bypasses.

How to protect your business: Organizations should monitor non-interactive sign-in logs, enforce strict password policies with privileged access management (PAM), and rotate credentials regularly. Implementing behavioral monitoring can help detect unusual login patterns before a breach occurs.
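One way to put the "monitor non-interactive sign-in logs" advice into practice is to look for the spray signature itself: a single source failing once against many different accounts rather than many times against one. The script below is an added example (not Upfort's code or tooling); the JSON-lines log format, its field names (ts, user, ip, interactive, result) and the sample events are all constructed for this illustration, so adapt the parser to your identity provider's export before using it.

```python
"""Flag password-spray patterns in non-interactive sign-in logs.

Added example, not from the Upfort post. The JSON-lines format and the
field names (ts, user, ip, interactive, result) are assumptions for this
illustration; map them to your identity provider's real export fields.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample: 203.0.113.7 fails once against five different
# accounts via non-interactive auth (the spray); other lines are noise.
SAMPLE_LOG = """\
{"ts":"2025-02-10T03:00:01Z","user":"alice@example.com","ip":"203.0.113.7","interactive":false,"result":"failure"}
{"ts":"2025-02-10T03:00:09Z","user":"bob@example.com","ip":"203.0.113.7","interactive":false,"result":"failure"}
{"ts":"2025-02-10T03:00:17Z","user":"carol@example.com","ip":"203.0.113.7","interactive":false,"result":"failure"}
{"ts":"2025-02-10T03:00:25Z","user":"dave@example.com","ip":"203.0.113.7","interactive":false,"result":"failure"}
{"ts":"2025-02-10T03:00:33Z","user":"erin@example.com","ip":"203.0.113.7","interactive":false,"result":"failure"}
{"ts":"2025-02-10T03:01:00Z","user":"frank@example.com","ip":"198.51.100.4","interactive":true,"result":"failure"}
{"ts":"2025-02-10T03:02:00Z","user":"alice@example.com","ip":"198.51.100.4","interactive":false,"result":"success"}
"""

def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            events.append(rec)
    return events

def detect_spray(events, min_users=5, window_minutes=10):
    """Return {ip: sorted targeted users} for source IPs whose failed
    non-interactive sign-ins touch >= min_users distinct accounts within
    one window. Count distinct users per IP, not failures per user:
    a spray stays below per-account lockout thresholds by design."""
    failures = defaultdict(list)
    for e in events:
        if not e["interactive"] and e["result"] == "failure":
            failures[e["ip"]].append(e)
    hits = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, cur in enumerate(evs):  # sliding time window over failures
            while (cur["ts"] - evs[start]["ts"]).total_seconds() > window_minutes * 60:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits
```

Tune `min_users` and `window_minutes` to your tenant's baseline; interactive failures and successful logins are deliberately ignored so that ordinary user typos do not trigger the alert.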


Pump.fun X account hacked to promote scam cryptocurrency token

The X (formerly Twitter) account of Pump.fun, a popular Solana-based memecoin generator, was hacked to promote a fraudulent governance token named “$PUMP.” The attackers used the compromised account to falsely claim that $PUMP was an official governance token and promised rewards to early adopters.

Shortly after, the attackers promoted another scam token called “GPT-4.5” (a reference to the much-hyped, reported next version of OpenAI’s chatbot), threatening to delete the Pump.fun X account if the token reached a $100 million market cap. Pump.fun confirmed the breach on its Telegram channel, warning users not to engage with the compromised account while it investigates.

How to protect your business: Organizations should enforce strong multi-factor authentication (MFA) for social media accounts, monitor for unauthorized access, and educate users on common crypto scams. If an account is compromised, notify users immediately and work with the platform to regain control.


EncryptHub breaches 618 organizations to deploy ransomware

The cybercriminal group EncryptHub, also known as Larva-208, has compromised at least 618 organizations worldwide since June 2024, using spear-phishing and social engineering tactics. Once inside corporate networks, the attackers deploy Remote Monitoring and Management (RMM) tools, information stealers like Stealc and Rhadamanthys, and in many cases, ransomware.

The group tricks victims into revealing credentials and multi-factor authentication (MFA) tokens through phishing pages designed to mimic corporate VPNs like Cisco AnyConnect, Palo Alto GlobalProtect, and Microsoft 365. EncryptHub has also registered over 70 fake domains to enhance their deception, making detection and takedown efforts more difficult.

How to protect your business: Organizations should enforce phishing-resistant MFA, monitor for unauthorized RMM installations, and conduct employee training on social engineering threats. Regular penetration testing can help identify security gaps before attackers exploit them.


WhatsApp disrupts spyware campaign targeting journalists

WhatsApp has disrupted a spyware campaign linked to Israeli cybersecurity firm Paragon Solutions, which targeted journalists and civil society members. The attack impacted around 90 users, with WhatsApp reaching out to victims and warning that they were “possibly compromised.” The Meta-owned platform has also sent a cease-and-desist letter to Paragon and is considering legal action.

Paragon, a competitor to Pegasus spyware maker NSO Group, was recently acquired by Florida-based AE Industrial Partners. Reports indicate that the U.S. Immigration and Customs Enforcement (ICE) signed a $2 million contract with the company in late 2024.

How to protect your business: Organizations handling sensitive information should use encrypted messaging apps, enable multi-factor authentication, and regularly update software to patch potential vulnerabilities. Be cautious of unknown links or calls, as spyware often exploits social engineering tactics.


DISA data breach exposes personal information of 3.3 million individuals

DISA Global Solutions, a major U.S. background screening and drug testing firm, has confirmed a data breach affecting 3.3 million people. The cyberattack, which occurred between February and April 2024, exposed sensitive personal data, including full names, Social Security numbers, driver’s license numbers, financial account details, and other private records. While DISA initially stated there was no evidence of misuse, a now-deleted notice suggests the company may have paid a ransom to prevent data leaks.

How to protect your business: Organizations handling sensitive data should encrypt all personally identifiable information (PII), implement robust monitoring for unauthorized access, and establish a clear incident response plan to address breaches effectively.


PayPal “New Address” feature exploited to send phishing emails

Cybercriminals are exploiting PayPal’s “New Address” notification feature to send phishing emails that appear to come from PayPal’s official email address. Victims receive an email stating that a new address was added to their account, along with a fake purchase confirmation for an expensive MacBook. The email urges recipients to call a fraudulent PayPal support number, where scammers attempt to convince them to download remote access software to “resolve” the issue.

Because these emails originate from PayPal’s legitimate mail servers, they bypass security filters and appear authentic. Attackers use this technique to steal login credentials, access banking information, or install malware on victims’ devices. Read the whole article on Bleeping Computer for a comprehensive rundown of how the email hijacking takes place. 

How to protect your business: Train employees to recognize phishing emails, avoid calling numbers listed in unsolicited messages, and always verify PayPal account changes by logging in directly. Implement endpoint security tools to prevent unauthorized remote access.


Fake DeepSeek websites used to steal cryptocurrency in new phishing campaign

Threat actors are creating fake websites impersonating DeepSeek, a newly launched AI chatbot, to steal cryptocurrency and sensitive data. Security researchers discovered multiple fraudulent domains, such as deepseeksol[.]com and deepseeksky[.]com, designed to lure victims into providing personal information and downloading the Vidar information stealer malware.

The attack chain involves a deceptive registration process, followed by a fake CAPTCHA page that copies a malicious PowerShell command to the user’s clipboard. If executed, the command installs Vidar, which exfiltrates cryptocurrency wallet files, stored passwords, and browser cookies. The malware also hides its command-and-control (C2) infrastructure using Telegram.

How to protect your business: Avoid downloading software from unverified sources, use endpoint security solutions to detect clipboard-based malware, and enable two-factor authentication (2FA) for cryptocurrency accounts to prevent unauthorized access.


Chinese hackers use custom malware to spy on U.S. telecom networks

The Chinese state-sponsored hacking group Salt Typhoon (AKA Earth Estries, GhostEmperor, UNC2286) has been infiltrating U.S. telecommunications networks using a custom malware tool called JumbledPath. This Go-based malware enables attackers to stealthily capture network traffic, steal sensitive data, and erase logs to evade detection.

Salt Typhoon primarily gains access by using stolen credentials, targeting networking infrastructure from major providers, including Verizon, AT&T, and Lumen Technologies. The group has been linked to breaches spanning several years, with some incidents involving the compromise of government-related communications and court-authorized wiretap data.

How to protect your business: Organizations should enforce strict credential management, monitor for unauthorized SSH activity, and track log anomalies for early threat detection. Implementing network segmentation and security monitoring tools can help prevent persistent access.


Australian fertility services giant Genea hit by security breach

Genea, one of Australia’s largest fertility service providers, has disclosed a cyberattack in which an unauthorized third party accessed its network and potentially compromised sensitive patient data. The company is still investigating the extent of the breach and whether personal health information was impacted.

Genea has taken down affected servers to contain the attack and is working to restore its systems. While the company has not confirmed if patient care has been disrupted, it assured clients that they would be notified of any changes to their treatment schedules.

How to protect your business: Healthcare and service organizations should implement strong access controls, monitor network traffic for anomalies, and have a robust incident response plan in place to quickly address potential breaches.

