Cybersecurity researchers are warning of a “widespread and ongoing” SMS phishing campaign that’s been targeting toll road users in the United States for financial theft since mid-October 2024.

“The toll road smishing attacks are being carried out by multiple financially motivated threat actors using the smishing kit developed by ‘Wang Duo Yu,'” Cisco Talos researchers Azim Khodjibaev, Chetan Raghuprasad, and Joey Chen assessed with moderate confidence.

The phishing campaigns, per the company, impersonate U.S. electronic toll collection systems like E-ZPass, sending SMS messages and Apple iMessages to individuals across Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas about an unpaid toll and clicking on a fake link sent in the chat.

It’s worth noting some aspects of the toll phishing campaign were previously highlighted by security journalist Brian Krebs in January 2025, with the activity traced back to a China-based SMS phishing service called Lighthouse that’s advertised on Telegram.

While Apple iMessage automatically disables links in messages received from unknown senders, the smishing texts urge recipients to respond with “Y” in order to activate the link – a tactic observed in phishing kits like Darcula and Xiū gǒu.

Should the victim click on the link and visit the domain, they are prompted to solve a fake image-based CAPTCHA challenge, after which they are redirected to a fake E-ZPass page (e.g., “ezp-va[.lcom” or “e-zpass[.]com-etcjr[.]xin”) where they are asked to enter their name and ZIP code to access the bill.

Targets are then asked to proceed further to make the payment on another fraudulent page, at which point all the entered personal and financial information is siphoned to the threat actors.

Talos noted that multiple threat actors are operating the toll road smishing campaigns by likely making use of a phishing kit developed by Wang Duo Yu, and that it has observed similar smishing kits being used by another Chinese organized cybercrime group known as the Smishing Triad.

Interestingly, Wang Duo Yu is also alleged to be the creator of the phishing kits used by Smishing Triad, per security researcher Grant Smith. “The creator is a current computer science student in China who is using the skills he’s learning to make a pretty penny on the side,” Smith revealed in an extensive analysis in August 2024.

Smishing Triad is known for conducting large-scale smishing attacks targeting postal services in at least 121 countries, using failed package delivery lures to coax message recipients into clicking on bogus links that request their personal and financial information under the guise of a supposed service fee for redelivery.

Furthermore, threat actors using these kits have attempted to enroll victims’ card details into a mobile wallet, allowing them to further cash out their funds at scale using a technique known as Ghost Tap.

The phishing kits have also been found to be backdoored in that the captured credit/debit card information is also exfiltrated to the creators, a technique known as double theft.

“Wang Duo Yu has crafted and designed specific smishing kits and has been selling access to these kits on their Telegram channels,” Talos said. “The kits are available with different infrastructure options, priced at US $50 each for a full-feature development, $30 each for proxy development (when the customer has a personal domain and server), $20 each for version updates, and $20 for all other miscellaneous support.”

As of March 2025, the e-crime group is believed to have focused their efforts on a new Lighthouse phishing kit that’s geared towards harvesting credentials from banks and financial organizations in Australia and the Asia-Pacific region, according to Silent Push.

The threat actors also claim to have “300+ front desk staff worldwide” to support various aspects of the fraud and cash-out schemes associated with the phishing kit.

“Smishing Triad is also selling its phishing kits to other maliciously aligned threat actors via Telegram and likely other channels,” the company said. “These sales make it difficult to attribute the kits to any one subgroup, so the sites are currently all attributed here under the Smishing Triad umbrella.”

In a report published last month, PRODAFT revealed that Lighthouse shares tactical overlaps with phishing kits such as Lucid and Darcula, and that it operates independently of the XinXin group, the cybercrime group behind the Lucid kit. The Swiss cybersecurity company is tracking Wang Duo Yu (aka Lao Wang) as LARVA-241.

“An analysis of attacks conducted using the Lucid and Darcula panels revealed that Lighthouse (Lao Wang / Wang Duo Yu) shares significant similarities with the XinXin group in terms of targeting, landing pages, and domain creation patterns,” PRODAFT noted.

Cybersecurity company Resecurity, which was the first to document Smishing Triad in 2023 and has also been tracking the scam toll campaigns, said the smishing syndicate has used over 60,000 domain names, making it challenging for Apple and Google to block the fraudulent activity in an effective manner.

“Using underground bulk SMS services enables cybercriminals to scale their operations, targeting millions of users simultaneously,” Resecurity said. “These services allow attackers to efficiently send thousands or millions of fraudulent IM messages, targeting users individually or groups of users based on specific demographics across various regions.”

A new multi-stage attack has been observed delivering malware families like Agent Tesla variants, Remcos RAT, and XLoader.

“Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution,” Palo Alto Networks Unit 42 researcher Saqib Khanzada said in a technical write-up of the campaign.

The starting point of the attack is a deceptive email that poses as an order request to deliver a malicious 7-zip archive attachment, which contains a JavaScript encoded (.JSE) file.

The phishing email, observed in December 2024, falsely claimed that a payment had been made and urged the recipient to review an attached order file. Launching the JavaScript payload triggers the infection sequence, with the file acting as a downloader for a PowerShell script from an external server.

The script, in turn, houses a Base64-encoded payload that’s subsequently deciphered, written to the Windows temporary directory, and executed. Here’s where something interesting happens: The attack leads to a next-stage dropper that is either compiled using .NET or AutoIt.

In case of a .NET executable, the encrypted embedded payload – an Agent Tesla variant suspected to be Snake Keylogger or XLoader – is decoded and injected into a running “RegAsm.exe” process, a technique observed in past Agent Tesla campaigns.

The AutoIt compiled executable, on the other hand, introduces an additional layer in an attempt to further complicate analysis efforts. The AutoIt script within the executable incorporates an encrypted payload that’s responsible for loading the final shellcode, causing .NET file to be injected into a “RegSvcs.exe” process, ultimately leading to Agent Tesla deployment.

“This suggests that the attacker employs multiple execution paths to increase resilience and evade detection,” Khanzada noted. “The attacker’s focus remains on a multi-layered attack chain rather than sophisticated obfuscation.”

“By stacking simple stages instead of focusing on highly sophisticated techniques, attackers can create resilient attack chains that complicate analysis and detection.”

IronHusky Delivers New Version of MysterySnail RAT

The disclosure comes as Kaspersky detailed a campaign that targets government organizations located in Mongolia and Russia with a new version of a malware called MysterySnail RAT. The activity has been attributed to a Chinese-speaking threat actor dubbed IronHusky.

IronHusky, assessed to be active since at least 2017, was previously documented by the Russian cybersecurity company in October 2021 in connection with the zero-day exploitation of CVE-2021-40449, a Win32k privilege escalation flaw, to deliver MysterySnail.

The infections originate from a malicious Microsoft Management Console (MMC) script that mimics a Word document from the National Land Agency of Mongolia (“co-financing letter_alamgac”). The script is designed to retrieve a ZIP archive with a lure document, a legitimate binary (“CiscoCollabHost.exe”), and a malicious DLL (“CiscoSparkLauncher.dll”).

It’s not exactly known how the MMC script is distributed to targets of interest, although the nature of the lure document suggests that it may have been via a phishing campaign.

As observed in many attacks, “CiscoCollabHost.exe” is used to sideload the DLL, an intermediary backdoor capable of communicating with attacker-controlled infrastructure by taking advantage of the open-source piping-server project.

The backdoor supports capabilities to run command shells, download/upload files, enumerate directory content, delete files, create new processes, and terminate itself. These commands are then used to sideload MysterySnail RAT.

The latest version of the malware is capable of accepting nearly 40 commands, allowing it to perform file management operations, execute commands via cmd.exe, spawn and kill processes, manage services, and connect to network resources via dedicated DLL modules.

Kasperksy said it observed the attackers dropping a “repurposed and more lightweight version” of MysterySnail codenamed MysteryMonoSnail after preventive actions were taken by the affected companies to block the intrusions.

“This version doesn’t have as many capabilities as the version of MysterySnail RAT,” the company noted. “It was programmed to have only 13 basic commands, used to list directory contents, write data to files, and launch processes and remote shells.”

Apr 18, 2025The Hacker NewsSaaS Security / Shadow IT

Your employees didn’t mean to expose sensitive data. They just wanted to move faster. So they used ChatGPT to summarize a deal. Uploaded a spreadsheet to an AI-enhanced tool. Integrated a chatbot into Salesforce. No big deal—until it is.

If this sounds familiar, you’re not alone. Most security teams are already behind in detecting how AI tools are quietly reshaping their SaaS environments. And by the time an alert is triggered—if it even exists—damage may already be done.

This Isn’t a Hypothetical Problem. It’s Happening Now.

AI adoption inside organizations is no longer strategic. It’s spontaneous.

Employees are experimenting, connecting, automating—and bypassing security while doing it. AI systems are becoming embedded in your SaaS stack without visibility or oversight. And it’s creating a new class of shadow integrations—ones that don’t show up in traditional threat models.

If your current defenses rely on manual tracking, policy enforcement, or user education alone, you’re not keeping up.

Learn How to Adapt—Before Your Next Blind Spot Becomes a Breach

Join Dvir Sasson, Director of Security Research at Reco, for “Your AI is Outrunning Your Security. Here’s How to Keep Up” — an unfiltered session on what it really takes to maintain AI Security Readiness.

You’ll walk away with:

• Clarity on emerging AI-driven threats inside SaaS tools you already use
• Real examples of breaches caused by unmonitored AI integrations
• Actionable detection and response strategies that forward-thinking companies are using right now

AI is no longer just a tool—it’s a moving part of your operational fabric. The more decentralized and dynamic it becomes, the less your traditional security playbook applies. If you’re not accounting for AI’s growing presence across your SaaS apps, you’re not seeing the full risk surface.

Watch this Webinar

And when a breach hits your CRM, your boardroom doesn’t care how it happened. Just that you didn’t see it coming.

Save Your Seat: This session is for security leaders, IT owners, and SaaS risk managers who want to evolve beyond reactive security—and take proactive control in an AI-powered world.

👉 Register now to reserve your spot. Spaces are limited.

Apr 18, 2025Ravie LakshmananIoT Security / Malware

Cybersecurity researchers are warning of continued risks posed by a distributed denial-of-service (DDoS) malware known as XorDDoS, with 71.3 percent of the attacks between November 2023 and February 2025 targeting the United States.

“From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence,” Cisco Talos researcher Joey Chen said in a Thursday analysis.

“This trend is not only due to the widespread global distribution of the XorDDoS trojan but also an uptick in malicious DNS requests linked to its command-and-control (C2) infrastructure. In addition to targeting commonly exposed Linux machines, the trojan has expanded its reach to Docker servers, converting infected hosts into bots.”

Nearly 42 percent of the compromised devices are located in the United States, followed by Japan, Canada, Denmark, Italy, Morocco, and China.

XorDDoS is a well-known malware that has a track record of striking Linux systems for over a decade. In May 2022, Microsoft reported a significant surge in XorDDoS activity, with the infections paving the way for cryptocurrency mining malware such as Tsunami.

The primary initial access pathway entails conducting Secure Shell (SSH) brute-force attacks to obtain valid SSH credentials and then download and install the malware on vulnerable IoT and other internet-connected devices.

Upon successfully establishing a foothold, the malware sets up persistence using an embedded initialization script and a cron job so that it launches automatically at system startup. It also makes use of the XOR key “BB2FA36AAA9541F0” to decrypt a configuration present within itself to extract the IP addresses necessary for C2 communication.

Talos said it observed in 2024 a new version of the XorDDoS sub-controller, called the VIP version, and its corresponding central controller, along with a builder, indicating that the product is likely being advertised for sale.

The central controller is responsible for managing multiple XorDDoS sub-controllers and sending DDoS commands simultaneously. Each of these sub-controllers, in turn, commandeer a botnet of infected devices.

“The language settings of the multi-layer controller, XorDDoS builder, and controller binding tool strongly suggest that the operators are Chinese-speaking individuals,” Chen said.

Apr 18, 2025Ravie LakshmananWindows Security / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a medium-severity security flaw impacting Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild.

The vulnerability, assigned the CVE identifier CVE-2025-24054 (CVSS score: 6.5), is a Windows New Technology LAN Manager (NTLM) hash disclosure spoofing bug that was patched by Microsoft last month as part of its Patch Tuesday updates.

NTLM is a legacy authentication protocol that Microsoft officially deprecated last year in favor of Kerberos. In recent years, threat actors have found various methods to exploit the technology, such as pass-the-hash and relay attacks, to extract NTLM hashes for follow-on attacks.

“Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over a network,” CISA said.

In a bulletin published in March, Microsoft said the vulnerability could be triggered by minimal interaction with a specially crafted .library-ms file, such as “selecting (single-click), inspecting (right-click), or performing an action other than opening or executing the file.”

The tech giant also credited Rintaro Koike with NTT Security Holdings, 0x6rss, and j00sean for discovering and reporting the flaw.

While Microsoft has given CVE-2025-24054 an exploitability assessment of “Exploitation Less Likely,” the security flaw has since come under active exploitation since March 19, per Check Point, thereby allowing bad actors to leak NTLM hashes or user passwords and infiltrate systems.

“Around March 20–21, 2025, a campaign targeted government and private institutions in Poland and Romania,” the cybersecurity company said. “Attackers used malspam to distribute a Dropbox link containing an archive that exploited multiple known vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes.”

The flaw is assessed to be a variant of CVE-2024-43451 (CVSS score: 6.5), which was patched by Microsoft in November 2024 and has also been weaponized in the wild in attacks targeting Ukraine and Colombia by threat actors like UAC-0194 and Blind Eagle.

According to Check Point, the file is distributed by means of ZIP archives, causing Windows Explorer to initiate an SMB authentication request to a remote server and leak the user’s NTLM hash without any user interaction simply upon downloading and extracting the archive’s contents.

That said, another phishing campaign observed as recently as March 25, 2025, has been found delivering a file named “Info.doc.library-ms” without any compression. Since the first wave of attacks, no less than 10 campaigns have been observed with the end goal of retrieving NTLM hashes from the targeted victims.

“These attacks leveraged malicious .library-ms files to collect NTLMv2 hashes and escalate the risk of lateral movement and privilege escalation within compromised networks,” Check Point said.

“This rapid exploitation highlights the critical need for organizations to apply patches immediately and ensure that NTLM vulnerabilities are addressed in their environments. The minimal user interaction required for the exploit to trigger and the ease with which attackers can gain access to NTLM hashes make it a significant threat, especially when such hashes can be used in pass-the-hash attacks.”

Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes for the shortcoming by May 8, 2025, to secure their networks in light of active exploitation.