Common Wealth LinkedIn board-invitation phishing campaign targeting finance executives
Campaign
Summary
The Common Wealth phishing operation is targeting finance executives on LinkedIn with fake executive board invitations and browser-based credential theft. The lure is delivered by direct message and passes through a Google open redirect and attacker-controlled redirects to reach a fake Microsoft login flow. The landing pages use Cloudflare Turnstile to slow analysis and then capture credentials and session cookies through an Adversary-in-the-Middle (AiTM) phishing page. The activity is notable because it is the second LinkedIn executive-phishing campaign in six weeks, indicating sustained operational continuity.
Related Happenings
Google sponsored search ManageWP phishing campaign
Campaign
First: 07.05.2026 00:36
Last: 07.05.2026 00:36
Sources 1
About this happening:
A **phishing campaign** is abusing **Google sponsored search results** to impersonate **ManageWP** and steal login credentials, **2FA codes**, and account access. The operation ma...
TikTok for Business phishing campaign using Turnstile and reverse proxy
Campaign
First: 26.03.2026 16:09
Last: 26.03.2026 16:09
Sources 1
About this happening:
A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Jinkusu's Starkiller phishing-as-a-service ecosystem commoditizes account takeover
Threat Actor Meta
First: 20.02.2026 22:00
Last: 20.02.2026 22:00
Sources 1
About this happening:
A new phishing-as-a-service operation tied to **Jinkusu** is proxying real login pages through attacker infrastructure, making **MFA bypass** and account takeover easier for low-s...
Starkiller dark-web phishing platform scales credential theft as a SaaS-style criminal service
Threat Actor Meta
First: 19.02.2026 14:00
Last: 19.02.2026 14:00
Sources 1
About this happening:
The **Starkiller** phishing platform has emerged as a **SaaS-style criminal service**, raising the scale and durability of credential theft operations. It is sold on the **dark we...
Timeline
- 30.10.2025 15:00 · 2 articles · 6mo ago
LinkedIn board-invitation phishing targets finance executives
Initial Disclosure
Finance executives are being targeted on LinkedIn with direct-message phishing lures that impersonate executive board invitations for a newly created Common Wealth investment fund. The phishing flow begins with a malicious link, uses a Google open redirect and attacker-controlled redirects to reach a Firebase-hosted page on firebasestorage.googleapis[.]com, presents a fake "LinkedIn Cloud Share" document portal, and then sends the victim to login.kggpho[.]icu where Cloudflare Turnstile is used before a fake Microsoft login page steals credentials and session cookies through an Adversary-in-the-Middle phish. Push Security says it recently blocked one of the attacks and identified related domains including payrails-canaccord[.]icu, boardproposalmeet[.]com, and sqexclusiveboarddirect[.]icu.
Show sources
- LinkedIn phishing targets finance execs with fake board invites — www.bleepingcomputer.com — 30.10.2025 15:00
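A detection sketch for the redirect chain in the timeline entry above, added here as an example and not taken from the cited reporting: it correlates, per client, a hit on the Firebase staging host with a later hit on one of the domains named on this page. The log format, the 10-minute window, the severity labels and the sample lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Indicators exactly as published on this page, kept defanged in source.
DEFANGED_IOCS = ["login.kggpho[.]icu", "payrails-canaccord[.]icu",
                 "boardproposalmeet[.]com", "sqexclusiveboarddirect[.]icu"]
STAGING_HOST = "firebasestorage.googleapis[.]com"  # legitimate shared host
WINDOW = timedelta(minutes=10)  # assumed correlation window

def refang(value):
    """Turn a defanged indicator back into a comparable hostname."""
    return value.replace("[.]", ".").lower()

IOC_HOSTS = {refang(d) for d in DEFANGED_IOCS}

def matches_ioc(host):
    """True if host equals an indicator or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == i or host.endswith("." + i) for i in IOC_HOSTS)

def parse(line):
    """Assumed proxy log format: '<ISO timestamp> <client> <host>'."""
    ts, client, host = line.split()
    return datetime.fromisoformat(ts), client, host.lower()

def detect(lines):
    """Return (client, host, severity) alerts in time order.
    high   = indicator hit preceded by the staging host within WINDOW
    medium = indicator hit with no staging hit seen (partial chain)
    A staging hit alone is never alerted: the host is widely used."""
    staging, last_staging, alerts = refang(STAGING_HOST), {}, []
    for ts, client, host in sorted(parse(l) for l in lines):
        if host == staging:
            last_staging[client] = ts
        elif matches_ioc(host):
            seen = last_staging.get(client)
            chained = seen is not None and ts - seen <= WINDOW
            alerts.append((client, host, "high" if chained else "medium"))
    return alerts

# Constructed sample log; hostnames are refanged only at runtime.
SAMPLE_LOG = [
    f"2025-10-30T09:00:20 10.0.0.5 {refang(STAGING_HOST)}",
    f"2025-10-30T09:01:02 10.0.0.5 {refang(DEFANGED_IOCS[0])}",
    f"2025-10-30T09:05:00 10.0.0.9 {refang(STAGING_HOST)}",
    "2025-10-30T09:05:30 10.0.0.9 login.microsoftonline.com",
    f"2025-10-30T11:00:00 10.0.0.7 {refang(DEFANGED_IOCS[2])}",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Client 10.0.0.9 produces no alert because a Firebase storage request followed by the genuine Microsoft login host is ordinary traffic; only the indicator domains drive an alert.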