Phishing Campaign Targets LastPass Users with Fake Maintenance Messages
Summary
LastPass has identified an active phishing campaign impersonating the service to trick users into revealing their master passwords. The campaign, which began around January 19, 2026, uses phishing emails with urgent subject lines to direct users to a phishing site. LastPass emphasizes it will never ask for master passwords and is working to take down the malicious infrastructure. The phishing emails claim upcoming maintenance and urge users to create a local backup of their password vaults within 24 hours. The emails originate from several fraudulent email addresses and direct users to a phishing site that redirects to a domain mimicking LastPass. The campaign was launched during a holiday weekend in the United States to catch LastPass understaffed and less prepared for a prompt response. This campaign follows a previous information-stealing campaign targeting macOS users through fake GitHub repositories and another phishing campaign in October 2025 that used fake death claims to trigger a legacy inheritance process. LastPass has 33 million users and over 100,000 business customers. A cyber-attack in 2022 saw attackers steal parts of LastPass source code, along with proprietary technical information.
Timeline
- 22.01.2026 14:07 · 1 article · 23h ago
  2022 Cyber-Attack on LastPass
  A cyber-attack in 2022 saw attackers steal parts of LastPass source code, along with proprietary technical information.
  - LastPass Warns of Phishing Campaign Attempting to Steal Master Passwords — www.infosecurity-magazine.com — 22.01.2026 14:07
- 21.01.2026 18:58 · 2 articles · 1d ago
  Previous Phishing Campaign Used Fake Death Claims
  In October 2025, a phishing campaign used fake death claims to trigger a legacy inheritance process targeting LastPass users.
  - Fake Lastpass emails pose as password vault backup alerts — www.bleepingcomputer.com — 21.01.2026 18:58
  - Phishing Campaign Zeroes in on LastPass Customers — www.darkreading.com — 21.01.2026 22:22
- 21.01.2026 08:40 · 4 articles · 2d ago
  Phishing Campaign Targets LastPass Users with Fake Maintenance Messages
  On or around January 19, 2026, a phishing campaign impersonating LastPass began sending emails to users. The emails claim upcoming maintenance and urge users to create a local backup of their password vaults within 24 hours. The phishing site redirects users to a domain mimicking LastPass. The phishing emails originate from fraudulent email addresses such as 'support@lastpass[.]server8' and 'support@sr22vegas[.]com'. The campaign was launched during a holiday weekend in the United States to catch LastPass understaffed and less prepared for a prompt response. LastPass is working to take down the malicious infrastructure and has reminded users that it will never ask for their master passwords. The phishing emails include subject lines such as 'LastPass Infrastructure Update: Secure Your Vault Now', 'Your Data, Your Protection: Create a Backup Before Maintenance', 'Don't Miss Out: Backup Your Vault Before Maintenance', 'Important: LastPass Maintenance & Your Vault Security', and 'Protect Your Passwords: Backup Your Vault (24-Hour Window)'. The phishing site leads users to enter their login credentials, potentially giving attackers access to the entire vault. LastPass has not indicated that any accounts were compromised at this time. The tactics and broad customer targeting align closest with cybercriminal groups. LastPass has 33 million users and over 100,000 business customers.
  - LastPass Warns of Fake Maintenance Messages Targeting Users’ Master Passwords — thehackernews.com — 21.01.2026 08:40
  - Fake Lastpass emails pose as password vault backup alerts — www.bleepingcomputer.com — 21.01.2026 18:58
  - Phishing Campaign Zeroes in on LastPass Customers — www.darkreading.com — 21.01.2026 22:22
  - LastPass Warns of Phishing Campaign Attempting to Steal Master Passwords — www.infosecurity-magazine.com — 22.01.2026 14:07
Information Snippets
- The phishing campaign began around January 19, 2026.
  First reported: 21.01.2026 08:40 · 4 sources, 4 articles
  - LastPass Warns of Fake Maintenance Messages Targeting Users’ Master Passwords — thehackernews.com — 21.01.2026 08:40
  - Fake Lastpass emails pose as password vault backup alerts — www.bleepingcomputer.com — 21.01.2026 18:58
  - Phishing Campaign Zeroes in on LastPass Customers — www.darkreading.com — 21.01.2026 22:22
  - LastPass Warns of Phishing Campaign Attempting to Steal Master Passwords — www.infosecurity-magazine.com — 22.01.2026 14:07
- Phishing emails use urgent subject lines to create a false sense of urgency.
  First reported: 21.01.2026 08:40 · 4 sources, 4 articles
  - LastPass Warns of Fake Maintenance Messages Targeting Users’ Master Passwords — thehackernews.com — 21.01.2026 08:40
  - Fake Lastpass emails pose as password vault backup alerts — www.bleepingcomputer.com — 21.01.2026 18:58
  - Phishing Campaign Zeroes in on LastPass Customers — www.darkreading.com — 21.01.2026 22:22
  - LastPass Warns of Phishing Campaign Attempting to Steal Master Passwords — www.infosecurity-magazine.com — 22.01.2026 14:07
- The phishing site redirects users to a domain mimicking LastPass.
  First reported: 21.01.2026 08:40 · 4 sources, 4 articles
  - LastPass Warns of Fake Maintenance Messages Targeting Users’ Master Passwords — thehackernews.com — 21.01.2026 08:40
  - Fake Lastpass emails pose as password vault backup alerts — www.bleepingcomputer.com — 21.01.2026 18:58
  - Phishing Campaign Zeroes in on LastPass Customers — www.darkreading.com — 21.01.2026 22:22
  - LastPass Warns of Phishing Campaign Attempting to Steal Master Passwords — www.infosecurity-magazine.com — 22.01.2026 14:07
- LastPass will never ask users for their master passwords.
  First reported: 21.01.2026 08:40 · 4 sources, 4 articles
  - LastPass Warns of Fake Maintenance Messages Targeting Users’ Master Passwords — thehackernews.com — 21.01.2026 08:40
  - Fake Lastpass emails pose as password vault backup alerts — www.bleepingcomputer.com — 21.01.2026 18:58
  - Phishing Campaign Zeroes in on LastPass Customers — www.darkreading.com — 21.01.2026 22:22
  - LastPass Warns of Phishing Campaign Attempting to Steal Master Passwords — www.infosecurity-magazine.com — 22.01.2026 14:07
- LastPass is working with third-party partners to take down the malicious infrastructure.
  First reported: 21.01.2026 08:40 · 4 sources, 4 articles
  - LastPass Warns of Fake Maintenance Messages Targeting Users’ Master Passwords — thehackernews.com — 21.01.2026 08:40
  - Fake Lastpass emails pose as password vault backup alerts — www.bleepingcomputer.com — 21.01.2026 18:58
  - Phishing Campaign Zeroes in on LastPass Customers — www.darkreading.com — 21.01.2026 22:22
  - LastPass Warns of Phishing Campaign Attempting to Steal Master Passwords — www.infosecurity-magazine.com — 22.01.2026 14:07
- The campaign follows a previous information-stealing campaign targeting macOS users.
  First reported: 21.01.2026 08:40 · 2 sources, 2 articles
  - LastPass Warns of Fake Maintenance Messages Targeting Users’ Master Passwords — thehackernews.com — 21.01.2026 08:40
  - LastPass Warns of Phishing Campaign Attempting to Steal Master Passwords — www.infosecurity-magazine.com — 22.01.2026 14:07
- The phishing emails originate from fraudulent email addresses such as 'support@lastpass[.]server8' and 'support@sr22vegas[.]com'.
  First reported: 21.01.2026 18:58 · 3 sources, 3 articles
  - Fake Lastpass emails pose as password vault backup alerts — www.bleepingcomputer.com — 21.01.2026 18:58
  - Phishing Campaign Zeroes in on LastPass Customers — www.darkreading.com — 21.01.2026 22:22
  - LastPass Warns of Phishing Campaign Attempting to Steal Master Passwords — www.infosecurity-magazine.com — 22.01.2026 14:07
- The phishing site redirects users to a domain 'mail-lastpass[.]com', which appears to be offline at the time of writing.
  First reported: 21.01.2026 18:58 · 1 source, 1 article
  - Fake Lastpass emails pose as password vault backup alerts — www.bleepingcomputer.com — 21.01.2026 18:58
- The campaign was launched during a holiday weekend in the United States to catch LastPass understaffed and less prepared for a prompt response.
  First reported: 21.01.2026 18:58 · 3 sources, 3 articles
  - Fake Lastpass emails pose as password vault backup alerts — www.bleepingcomputer.com — 21.01.2026 18:58
  - Phishing Campaign Zeroes in on LastPass Customers — www.darkreading.com — 21.01.2026 22:22
  - LastPass Warns of Phishing Campaign Attempting to Steal Master Passwords — www.infosecurity-magazine.com — 22.01.2026 14:07
- In October 2025, a phishing campaign used fake death claims to trigger a legacy inheritance process targeting LastPass users.
  First reported: 21.01.2026 18:58 · 2 sources, 2 articles
  - Fake Lastpass emails pose as password vault backup alerts — www.bleepingcomputer.com — 21.01.2026 18:58
  - LastPass Warns of Phishing Campaign Attempting to Steal Master Passwords — www.infosecurity-magazine.com — 22.01.2026 14:07
- The phishing emails include subject lines such as 'LastPass Infrastructure Update: Secure Your Vault Now', 'Your Data, Your Protection: Create a Backup Before Maintenance', 'Don't Miss Out: Backup Your Vault Before Maintenance', 'Important: LastPass Maintenance & Your Vault Security', and 'Protect Your Passwords: Backup Your Vault (24-Hour Window)'.
  First reported: 21.01.2026 22:22 · 1 source, 1 article
  - Phishing Campaign Zeroes in on LastPass Customers — www.darkreading.com — 21.01.2026 22:22
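As an added, defender-side illustration (not code from the page, LastPass, or any of the cited outlets), the following Python screen applies the indicators quoted in the snippets above: the reported sender domains ('lastpass[.]server8', 'sr22vegas[.]com'), the 'mail-lastpass[.]com' link target, and the vault-backup vocabulary of the reported subject lines. It goes one step beyond the list with a generic brand-lookalike check, so a sender or link domain that invokes the brand name without being the vendor's own is flagged even if it is not on the block list. The sample messages are constructed, and treating lastpass.com as the vendor's legitimate domain is an assumption of the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Indicators quoted in the reports above, kept defanged ([.]) as published.
KNOWN_BAD_SENDER_DOMAINS = {"lastpass[.]server8", "sr22vegas[.]com"}
KNOWN_BAD_LINK_DOMAINS = {"mail-lastpass[.]com"}
# Assumption of this example: the vendor's legitimate sending and link domain.
LEGIT_DOMAINS = {"lastpass.com"}
# Lure vocabulary taken from the reported subject lines.
LURE_TERMS = ("backup", "maintenance", "secure your vault", "24-hour")

URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def refang(domain: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable domain."""
    return domain.replace("[.]", ".").lower()


def is_legitimate(domain: str) -> bool:
    """True for the vendor domain itself or any of its subdomains."""
    d = domain.lower()
    return any(d == legit or d.endswith("." + legit) for legit in LEGIT_DOMAINS)


def is_lookalike(domain: str) -> bool:
    """Brand name present in a domain that is not the vendor's own."""
    return "lastpass" in domain.lower() and not is_legitimate(domain)


def screen_message(raw_message: str) -> List[str]:
    """Return findings for one RFC 822 message; an empty list means nothing matched."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []

    # 1. Sender domain: exact block-list hit first, then the generic lookalike test.
    if sender_domain in {refang(d) for d in KNOWN_BAD_SENDER_DOMAINS}:
        findings.append(f"sender domain on block list: {sender_domain}")
    elif is_lookalike(sender_domain):
        findings.append(f"sender domain impersonates brand: {sender_domain}")

    # 2. Every link host in the body gets the same two-stage check.
    for host in URL_HOST_RE.findall(body):
        host = host.lower()
        if host in {refang(d) for d in KNOWN_BAD_LINK_DOMAINS}:
            findings.append(f"link to known phishing domain: {host}")
        elif is_lookalike(host):
            findings.append(f"link to lookalike domain: {host}")

    # 3. Backup/maintenance urgency in the subject is only suspicious when the
    #    mail does not come from the vendor's own domain.
    lures = [t for t in LURE_TERMS if t in subject.lower()]
    if lures and not is_legitimate(sender_domain):
        findings.append("vault-backup lure in subject from non-vendor sender: " + ", ".join(lures))
    return findings


# Constructed sample modelled on the reported lure (addresses and link are the
# published indicators, refanged; the body text is made up for this example).
PHISHING_SAMPLE = """\
From: LastPass Support <support@sr22vegas.com>
To: user@example.com
Subject: Protect Your Passwords: Backup Your Vault (24-Hour Window)

Scheduled maintenance begins soon. Create a local backup of your vault now:
https://mail-lastpass.com/backup
"""

# Constructed benign sample from the assumed legitimate domain.
LEGIT_SAMPLE = """\
From: LastPass <no-reply@lastpass.com>
To: user@example.com
Subject: Your monthly security report

Your report is available in your account at https://lastpass.com/
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, "->", screen_message(sample) or "no findings")
```

Run as a script it prints the findings for each sample; in a mail pipeline `screen_message` would be fed the raw message and its result used to quarantine or tag. The lookalike test deliberately keys on the brand string rather than on an exact list, which is what lets it keep working when the sender domain changes between waves.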
- The phishing site leads users to enter their login credentials, potentially giving attackers access to the entire vault.
  First reported: 21.01.2026 22:22 · 2 sources, 2 articles
  - Phishing Campaign Zeroes in on LastPass Customers — www.darkreading.com — 21.01.2026 22:22
  - LastPass Warns of Phishing Campaign Attempting to Steal Master Passwords — www.infosecurity-magazine.com — 22.01.2026 14:07
- LastPass has not indicated that any accounts were compromised at this time.
  First reported: 21.01.2026 22:22 · 2 sources, 2 articles
  - Phishing Campaign Zeroes in on LastPass Customers — www.darkreading.com — 21.01.2026 22:22
  - LastPass Warns of Phishing Campaign Attempting to Steal Master Passwords — www.infosecurity-magazine.com — 22.01.2026 14:07
- The tactics and broad customer targeting align closest with cybercriminal groups.
  First reported: 21.01.2026 22:22 · 2 sources, 2 articles
  - Phishing Campaign Zeroes in on LastPass Customers — www.darkreading.com — 21.01.2026 22:22
  - LastPass Warns of Phishing Campaign Attempting to Steal Master Passwords — www.infosecurity-magazine.com — 22.01.2026 14:07
- LastPass has 33 million users and over 100,000 business customers.
  First reported: 22.01.2026 14:07 · 1 source, 1 article
  - LastPass Warns of Phishing Campaign Attempting to Steal Master Passwords — www.infosecurity-magazine.com — 22.01.2026 14:07
- A cyber-attack in 2022 saw attackers steal parts of LastPass source code, along with proprietary technical information.
  First reported: 22.01.2026 14:07 · 1 source, 1 article
  - LastPass Warns of Phishing Campaign Attempting to Steal Master Passwords — www.infosecurity-magazine.com — 22.01.2026 14:07
Similar Happenings
Credential Theft and Account Compromise Surge in 2025
In 2025, cyber threat actors significantly increased their focus on credential theft, leading to a 389% rise in account compromise incidents, which constituted 55% of all attacks observed by eSentire. Credential access represented 75% of malicious activity, with two-thirds aimed at account takeovers and the remaining third used for phishing campaigns. Microsoft 365 accounts were primary targets. The use of phishing-as-a-service (PhaaS) kits, such as Tycoon2FA, FlowerStorm, and EvilProxy, fueled business email compromise (BEC) attacks. These kits are sophisticated, continuously updated, and designed to bypass modern security controls like multifactor authentication (MFA). While BEC attacks declined to less than 10% of malicious activity, they remained a top threat for companies, particularly in real estate, finance, retail, and construction. The report also highlighted a 14-fold increase in security incidents involving email bombing and IT Help Desk impersonation, a 300% spike in the ClickFix lure, and varying trends in cyber incidents across different industries.
Attackers Optimize Traditional TTPs with AI in 2025
In 2025, attackers continued to leverage traditional techniques such as supply chain attacks and phishing, but with increased efficiency and scale due to AI advancements. The Shai Hulud NPM campaign demonstrated how a single compromised package can affect thousands of downstream projects. AI has lowered the barrier to entry for cybercriminals, enabling lean teams or even individuals to execute sophisticated attacks. Phishing remains effective, with one click potentially compromising large-scale systems. Malicious Chrome extensions bypassing official stores highlight the ongoing challenge of automated reviews and human moderators keeping pace with attacker sophistication.
Phishing Campaign Targets Ad Manager Accounts via Fake Calendly Invites
A sophisticated phishing campaign impersonates top brands like Unilever, Disney, and MasterCard using fake Calendly invites to steal Google Workspace and Facebook Business account credentials. The campaign, discovered by Push Security, targets ad manager accounts to launch malvertising, AiTM phishing, and malware distribution campaigns. Access to these accounts allows threat actors to execute geo-targeted attacks and potentially resell compromised accounts for monetization. The phishing emails, crafted using AI tools, impersonate legitimate recruiters and direct victims to fake Calendly landing pages with CAPTCHA and AiTM phishing pages. The campaign employs anti-analysis mechanisms and Browser-in-the-Browser (BitB) attacks to enhance its effectiveness. Push Security identified 31 unique URLs and additional variants targeting both Google and Facebook credentials. Simultaneously, a malvertising campaign targets Google Ads Manager accounts through malicious sponsored ads.
HttpTroy Backdoor Deployed in Targeted South Korean Cyberattack
The North Korea-linked threat actor Kimsuky has been linked to a new campaign distributing a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics. The attack involved a ZIP file containing a Microsoft Windows screensaver (.scr) file, which displayed a PDF invoice written in Korean and loaded the attack chain until the backdoor program was running. The article also highlights the advanced obfuscation techniques used by HttpTroy to evade detection and the broader campaign by North Korean state-sponsored groups targeting various sectors. The attack is part of a broader campaign by North Korean state-sponsored groups targeting governments in the Asia-Pacific region, especially South Korea, as well as targets in the United States and Europe. Kimsuky has previously used password-protected ZIP files and AI-generated deepfake photos in their attacks. The groups use legitimate services and Windows processes to dodge security tools and different encryption methods for each step in a multistage infection chain. They also use techniques such as memory-resident execution and dynamic API resolution to help the malicious code avoid detection. Additionally, Kimsuky is targeting organizations involved in North Korea-related policy, research, and analysis, including non-governmental organizations, think tanks, academic institutions, strategic advisory firms, and government entities in the U.S. The group is using QR codes in phishing campaigns, a technique known as 'quishing,' to redirect victims to malicious locations disguised as questionnaires, secure drives, or fake login pages. The FBI has warned about Kimsuky's use of malicious QR codes in spear-phishing campaigns targeting entities in the U.S., highlighting the group's history of subverting email authentication protocols and exploiting improperly configured DMARC record policies. 
Cybersecurity researchers have uncovered a new phishing campaign that exploits social media private messages to propagate malicious payloads, likely with the intent to deploy a remote access trojan (RAT). The activity delivers "weaponized files via Dynamic Link Library (DLL) sideloading, combined with a legitimate, open-source Python pen-testing script." The attack involves approaching high-value individuals through messages sent on LinkedIn, establishing trust, and deceiving them into downloading a malicious WinRAR self-extracting archive (SFX). Once launched, the archive extracts four different components: a legitimate open-source PDF reader application, a malicious DLL that's sideloaded by the PDF reader, a portable executable (PE) of the Python interpreter, and a RAR file that likely serves as a decoy. The infection chain gets activated when the PDF reader application is run, causing the rogue DLL to be sideloaded. The use of DLL side-loading has become an increasingly common technique adopted by threat actors to evade detection and conceal signs of malicious activity by taking advantage of legitimate processes. Over the past week, at least three documented campaigns have leveraged DLL side-loading to deliver malware families tracked as LOTUSLITE and PDFSIDER, along with other commodity trojans and information stealers. In the campaign observed by ReliaQuest, the sideloaded DLL is used to drop the Python interpreter onto the system and create a Windows Registry Run key that makes sure that the Python interpreter is automatically executed upon every login. The interpreter's primary responsibility is to execute a Base64-encoded open-source shellcode that's directly executed in memory to avoid leaving forensic artifacts on disk. The final payload attempts to communicate with an external server, granting the attackers persistent remote access to the compromised host and exfiltrating data of interest. 
The abuse of legitimate open-source tools, coupled with the use of phishing messages sent on social media platforms, shows that phishing attacks are not confined to emails alone and that alternative delivery methods can exploit security gaps to increase the odds of success and break into corporate environments. ReliaQuest told The Hacker News that the campaign appears to be broad and opportunistic, with activity spanning various sectors and regions. "That said, because this activity plays out in direct messages, and social media platforms are typically less monitored than email, it's difficult to quantify the full scale," it added. "This approach allows attackers to bypass detection and scale their operations with minimal effort while maintaining persistent control over compromised systems," the cybersecurity company said. "Once inside, they can escalate privileges, move laterally across networks, and exfiltrate data." This is not the first time LinkedIn has been misused for targeted attacks. In recent years, multiple North Korean threat actors, including those linked to the CryptoCore and Contagious Interview campaigns, have singled out victims by contacting them on LinkedIn under the pretext of a job opportunity and convincing them to run a malicious project as part of a supposed assessment or code review. In March 2025, Cofense also detailed a LinkedIn-themed phishing campaign that employs lures related to LinkedIn InMail notifications to get recipients to click on a "Read More" or "Reply To" button and download the remote desktop software developed by ConnectWise for gaining complete control over victim hosts. "Social media platforms commonly used by businesses represent a gap in most organizations' security posture," ReliaQuest said. "Unlike email, where organizations tend to have security monitoring tools, social media private messages lack visibility and security controls, making them an attractive delivery channel for phishing campaigns." 
"Organizations must recognize social media as a critical attack surface for initial access and extend their defenses beyond email-centric controls."
Phishing Campaign Targets LastPass Users with Fake Death Claims
A phishing campaign is targeting LastPass users with fake death claims to gain access to their password vaults. The campaign, attributed to the financially motivated threat group CryptoChameleon (UNC5356), began in mid-October 2025. The attackers use phishing emails and fake websites to trick users into revealing their master passwords and passkeys. The phishing emails claim that a family member has requested access to the user's LastPass vault by uploading a death certificate. The emails include an agent ID number and a link to a fraudulent page where users are prompted to enter their credentials. In some cases, the attackers also call victims, posing as LastPass staff, to direct them to the phishing site. The campaign is more extensive and enhanced compared to a previous one in April 2024, now also targeting passkeys.