TA4922 China Phishing Threat Hits UK & Europe

🟠 High | Source: The Hacker News A China-linked threat actor, TA4922, has expanded its phishing campaigns beyond its previous targets to now include organisations in the UK, Germany, Italy, and South Africa. The group is deploying known malware families including ValleyRAT and Atlas RAT, with a rapidly evolving toolkit suggesting well-resourced, sustained operations. This represents a significant escalation in geographic scope and poses a direct threat to European enterprises. Architect’s Take: Review and tighten email gateway controls to block phishing lures associated with TA4922, and ensure endpoint detection rules cover ValleyRAT (Winos 4.0) and Atlas RAT indicators. Consider hunting for lateral movement or C2 beaconing patterns consistent with these RAT families across cloud-hosted workloads and on-premises infrastructure. ...

4 June 2026 · ZX Cloud Security

TA4922 Phishing Targets UK, Germany & Italy

🟠 High | Source: The Hacker News A China-linked threat group, TA4922, has significantly expanded its phishing campaigns beyond its previous targets to now include organisations in the UK, Germany, Italy, and South Africa. The group is deploying known remote access trojans including ValleyRAT and Atlas RAT, with a fast-moving operational pace and an evolving malware toolkit. This matters because the expansion into European markets signals a deliberate strategic shift, increasing risk for organisations in these regions. ...

4 June 2026 · ZX Cloud Security

Google DoubleClick Abused to Deliver DesckVB RAT

🟠 High | Source: The Hacker News Attackers are exploiting Google’s DoubleClick ad-serving domain as a redirect hop in malicious email campaigns, using its trusted reputation to bypass security filters before delivering the DesckVB remote access trojan. Because many email and web security tools whitelist or deprioritise scrutiny of well-known Google-owned domains, the technique significantly increases the likelihood of successful delivery. Once installed, a RAT gives attackers persistent remote control over the victim’s machine. ...

3 June 2026 · ZX Cloud Security

Google DoubleClick Abused to Deliver DesckVB RAT

🟡 Medium | Source: The Hacker News Attackers are exploiting Google’s DoubleClick ad-serving domain as a redirect layer in malicious spam emails, using its trusted reputation to bypass security filtering tools before routing victims to attacker-controlled infrastructure that delivers the DesckVB remote access trojan. Because DoubleClick is a widely trusted Google domain, many email and web security products will not flag the initial link as suspicious. This technique is part of a growing trend of abusing legitimate cloud services to obscure the early stages of an attack chain. ...

3 June 2026 · ZX Cloud Security