Common Wealth LinkedIn board-invitation phishing campaign targeting finance executives
Campaign
Summary
Hide ▲
Show ▼
The Common Wealth phishing operation is targeting finance executives on LinkedIn with fake executive board invitations and browser-based credential theft. The lure uses direct messages, a Google open redirect, and attacker-controlled redirects to reach a fake Microsoft login flow. The landing pages use Cloudflare Turnstile to slow analysis and then capture credentials and session cookies through an AITM phish. The activity is notable because it is the second LinkedIn executive-phishing campaign in six weeks, indicating sustained operation continuity.
Related Happenings
Google DoubleClick malspam campaign delivering DesckVB RAT
Campaign
H score33
First: 03.06.2026 19:29
Last: 03.06.2026 19:29
Sources 1
About this happening:
A **new malspam campaign** is abusing **Google's DoubleClick** redirect path to evade detection and deliver **DesckVB RAT**, putting users and organizations at risk of malware inf...
Google DoubleClick malspam campaign delivering DesckVB RAT
CampaignAbout this happening: A **new malspam campaign** is abusing **Google's DoubleClick** redirect path to evade detection and deliver **DesckVB RAT**, putting users and organizations at risk of malware inf...
Ghost Stadium FIFA World Cup fraud campaign
Campaign
H score41
First: 27.05.2026 14:28
Last: 27.05.2026 14:28
Sources 1
About this happening:
A **Ghost Stadium**-linked **FIFA impersonation fraud campaign** is targeting **2026 FIFA World Cup** fans with cloned **fifa.com** pages, fake ticket and hospitality offers, and...
Ghost Stadium FIFA World Cup fraud campaign
CampaignAbout this happening: A **Ghost Stadium**-linked **FIFA impersonation fraud campaign** is targeting **2026 FIFA World Cup** fans with cloned **fifa.com** pages, fake ticket and hospitality offers, and...
Google sponsored search ManageWP phishing campaign
Campaign
H score13
First: 07.05.2026 00:36
Last: 07.05.2026 00:36
Sources 1
About this happening:
A **phishing campaign** is abusing **Google sponsored search results** to impersonate **ManageWP** and steal login credentials, **2FA codes**, and account access. The operation ma...
Google sponsored search ManageWP phishing campaign
CampaignAbout this happening: A **phishing campaign** is abusing **Google sponsored search results** to impersonate **ManageWP** and steal login credentials, **2FA codes**, and account access. The operation ma...
TikTok for Business phishing campaign using Turnstile and reverse proxy
Campaign
H score31
First: 26.03.2026 16:09
Last: 26.03.2026 16:09
Sources 1
About this happening:
A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...
TikTok for Business phishing campaign using Turnstile and reverse proxy
CampaignAbout this happening: A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
H score82
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor MetaAbout this happening: **Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Timeline
-
30.10.2025 15:00 2 articles · 8mo ago
LinkedIn board-invitation phishing targets finance executives
Initial DisclosureFinance executives are being targeted on LinkedIn with direct-message phishing lures that impersonate executive board invitations for a newly created Common Wealth investment fund. The phishing flow begins with a malicious link, uses a Google open redirect and attacker-controlled redirects to reach a Firebase-hosted page on firebasestorage.googleapis[.]com, presents a fake "LinkedIn Cloud Share" document portal, and then sends the victim to login.kggpho[.]icu where Cloudflare Turnstile is used before a fake Microsoft login page steals credentials and session cookies through an Adversary-in-the-Middle phish. Push Security says it recently blocked one of the attacks and identified related domains including payrails-canaccord[.]icu, boardproposalmeet[.]com, and sqexclusiveboarddirect[.]icu.
Show sources
- LinkedIn phishing targets finance execs with fake board invites — www.bleepingcomputer.com — 30.10.2025 15:00
- LinkedIn phishing targets finance execs with fake board invites — www.bleepingcomputer.com — 30.10.2025 15:00