Japanese Windows phishing campaign delivering MostereRAT
Campaign
Summary
A phishing campaign is using malicious emails to lure Microsoft Windows users in Japan to a malicious website and a weaponized Word document, creating an initial-access path for staged malware delivery and persistence. The operation matters because it is built to blend into routine business correspondence while setting up covert control of victim systems: the observed chain is not credential theft but a delivery mechanism for MostereRAT, which in turn blocks security telemetry and installs legitimate remote-access tools such as AnyDesk and TightVNC. The broader objective remains unclear, but the activity is already structured for long-term access.
Related Happenings
North Korean remote IT worker scam operation targeting American companies
Campaign
First: 16.04.2026 19:00
Last: 16.04.2026 19:00
Sources 1
About this happening:
A long-running **North Korean remote IT worker scam operation** used **stolen identities** and fake placements to embed operators inside **more than 100 American companies**. The...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
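Two defender-side checks for the flow eSentire describes, as an added example that is neither eSentire's nor the page's code: the first labels the hops of a redirect chain and flags a chain in which a click-tracking link or a Cloudflare Workers host precedes the genuine microsoft.com/devicelogin page; the second scores device-code sign-ins against a per-user country baseline built from ordinary browser sign-ins. The redirect chain, the sign-in records, the hostnames, the allowlist and the record field names are all constructed for illustration (the sign-in layout is a loose simplification of Entra ID sign-in log fields, not the real schema).

```python
"""Added example, not from the page: heuristics for the Tycoon2FA device-code chain.
All sample data below is constructed; field names and hostnames are assumptions."""
from urllib.parse import urlsplit

# Constructed redirect chain in the shape the report describes: a click-tracking
# link, a Cloudflare Workers hop, a fake CAPTCHA page, then the real device-login page.
SAMPLE_CHAIN = [
    "https://links.mail-tracker.test/click?u=abc123",
    "https://lure-7f3a.workers.dev/invoice",
    "https://secure-verify.test/captcha",
    "https://microsoft.com/devicelogin",
]


def classify_hop(url):
    """Label one hop; only the signals named in the report are modelled."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path.lower()
    if host in ("microsoft.com", "www.microsoft.com") and path.startswith("/devicelogin"):
        return "devicelogin"
    if host.endswith(".workers.dev"):
        return "cloudflare-workers"
    if any(seg in path for seg in ("/click", "/track", "/redirect")):
        return "click-tracker"
    return None


def is_suspicious_chain(hops):
    """True when a click-tracker or Workers hop precedes microsoft.com/devicelogin.
    A user who types the device-login URL directly produces no earlier hops and is
    not flagged."""
    labels = [classify_hop(h) for h in hops]
    if "devicelogin" not in labels:
        return False
    landing = labels.index("devicelogin")
    return any(l in ("click-tracker", "cloudflare-workers") for l in labels[:landing])


# Constructed sign-in records (assumed layout): authentication protocol, country, app.
SAMPLE_SIGNINS = [
    {"user": "cfo@example.com", "protocol": "browser", "country": "JP", "app": "Outlook Web"},
    {"user": "cfo@example.com", "protocol": "deviceCode", "country": "NL", "app": "Microsoft Office"},
    {"user": "dev@example.com", "protocol": "browser", "country": "JP", "app": "Azure Portal"},
    {"user": "dev@example.com", "protocol": "deviceCode", "country": "JP", "app": "Azure CLI"},
]

# Assumed allowlist: accounts that legitimately use the device-code flow (CLI users).
DEVICE_CODE_EXPECTED_USERS = {"dev@example.com"}


def device_code_alerts(signins):
    """Return (user, reasons) for device-code sign-ins that are out of profile:
    the account is not expected to use device code, or the sign-in comes from a
    country absent from that user's non-device-code sign-ins."""
    baseline = {}
    for s in signins:
        if s["protocol"] != "deviceCode":
            baseline.setdefault(s["user"], set()).add(s["country"])
    alerts = []
    for s in signins:
        if s["protocol"] != "deviceCode":
            continue
        reasons = []
        if s["user"] not in DEVICE_CODE_EXPECTED_USERS:
            reasons.append("unexpected-user")
        if s["country"] not in baseline.get(s["user"], set()):
            reasons.append("new-country")
        if reasons:
            alerts.append((s["user"], reasons))
    return alerts


if __name__ == "__main__":
    print("chain suspicious:", is_suspicious_chain(SAMPLE_CHAIN))
    print("device-code alerts:", device_code_alerts(SAMPLE_SIGNINS))
```

The chain check deliberately keys on the landing page being the legitimate Microsoft URL: the kit never hosts a fake login page, so blocklists of phishing domains miss it, and the tell is the path the victim took to get there. The sign-in check is the other half, since the token issued after a successful device-code flow looks like any other sign-in unless the protocol field is inspected.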
Okitipi Samuel-RaccoonO365-Moses Felix alliance reshapes ransomware ecosystem operations
Threat Actor Meta
First: 19.12.2025 21:05
Last: 19.12.2025 21:05
Sources 1
About this happening:
The **RaccoonO365** phishing platform functioned as a **phishing-kit service** sold to other criminals, expanding **Microsoft 365 credential theft** and account-compromise capacit...
UNK_AcademicFlare Microsoft 365 device code phishing campaign
Campaign
First: 19.12.2025 19:54
Last: 19.12.2025 19:54
Sources 1
About this happening:
The **UNK_AcademicFlare** phishing campaign is actively stealing **Microsoft 365** credentials through **device code authentication** abuse, creating **account takeover** risk for...
Timeline
08.09.2025 23:49 · 2 articles
Fortinet warns of MostereRAT phishing campaign targeting Windows users in Japan
Initial Disclosure: Fortinet's FortiGuard Labs warned of a phishing campaign targeting Microsoft Windows users in Japan that lures victims through malicious emails, a malicious website, and a weaponized Word document to deploy MostereRAT. The malware is written in Easy Programming Language (EPL) and uses staged payload execution, persistence, privilege escalation, AV/EDR evasion, Windows Filtering Platform (WFP) filters to block security telemetry, and abuse of legitimate remote access tools such as AnyDesk and TightVNC for long-term control.
- 'MostereRAT' Malware Blends In, Blocks Security Tools — www.darkreading.com — 08.09.2025 23:49
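The chain Fortinet describes (Word document, staged loader, then legitimate remote-access tools under attacker control) leaves two process-tree signals a detection engineer can correlate per host: an Office process spawning something other than its usual helpers, and AnyDesk or TightVNC running from a user-writable directory with an unexpected parent. The following is an added example, not Fortinet's or the page's code, that runs those rules over constructed Sysmon-style process-creation events; the event layout, hostnames, paths, the benign-child list and the binary names (AnyDesk.exe, tvnserver.exe, winvnc.exe) are assumptions for illustration.

```python
"""Added example, not from the page: correlate Office-spawned children with
remote-access tools launched from writable paths, per host. Sample events are
constructed and only loosely modelled on Sysmon event ID 1 fields."""
import re
from collections import namedtuple

Event = namedtuple("Event", "host parent image cmdline user")

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    Event("WS01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"C:\Users\alice\AppData\Local\Temp\update.exe", "update.exe /s", "CORP\\alice"),
    Event("WS01", r"C:\Users\alice\AppData\Local\Temp\update.exe",
          r"C:\ProgramData\svc\AnyDesk.exe", "AnyDesk.exe --service", "NT AUTHORITY\\SYSTEM"),
    Event("WS01", r"C:\Users\alice\AppData\Local\Temp\update.exe",
          r"C:\ProgramData\svc\tvnserver.exe", "tvnserver.exe -run", "NT AUTHORITY\\SYSTEM"),
    # Benign: a user starting an installed AnyDesk from the shell.
    Event("WS02", r"C:\Windows\explorer.exe",
          r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "AnyDesk.exe", "CORP\\bob"),
    # Benign: Word's print helper.
    Event("WS02", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"C:\Windows\splwow64.exe", "splwow64.exe 12288", "CORP\\bob"),
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed set of children Office launches in normal use; tune to your estate.
OFFICE_BENIGN_CHILDREN = {"splwow64.exe", "werfault.exe", "msosync.exe"}
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "tvnserver.exe", "winvnc.exe"}
# Assumed parents under which a remote-access tool normally starts.
RAT_EXPECTED_PARENTS = {"explorer.exe", "services.exe", "msiexec.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the rule names one event trips (empty list when it looks benign)."""
    findings = []
    parent, image = basename(ev.parent), basename(ev.image)
    if parent in OFFICE_PARENTS and image not in OFFICE_BENIGN_CHILDREN:
        findings.append("office-spawned-child")
    if image in REMOTE_ACCESS_TOOLS:
        if USER_WRITABLE.search(ev.image):
            findings.append("rat-tool-from-writable-path")
        if parent not in RAT_EXPECTED_PARENTS:
            findings.append("rat-tool-unexpected-parent")
    return findings


def correlate(events):
    """Aggregate rule hits per host; hosts with no hits are omitted."""
    per_host = {}
    for ev in events:
        for finding in classify(ev):
            per_host.setdefault(ev.host, set()).add(finding)
    return {host: sorted(hits) for host, hits in per_host.items()}


def hosts_matching_chain(events):
    """Hosts showing both stages of the described chain: an Office-spawned child
    and a remote-access tool running from a user-writable path."""
    return sorted(host for host, hits in correlate(events).items()
                  if "office-spawned-child" in hits and "rat-tool-from-writable-path" in hits)


if __name__ == "__main__":
    for host, hits in correlate(SAMPLE_EVENTS).items():
        print(host, hits)
    print("chain match:", hosts_matching_chain(SAMPLE_EVENTS))
```

Either rule alone is noisy (macro-enabled workflows spawn children; helpdesk staff run AnyDesk), which is why the example only escalates when both stages appear on the same host. Because the malware is reported to add WFP filters that block security telemetry, expect the EDR side of this picture to go dark on an infected host; the process events above would need to come from a source the filters do not cut off, such as forwarded Windows event logs, and a host whose agent stops reporting shortly after an Office-spawned child is itself a signal worth alerting on.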