Storm-2561 Distributes Fake Enterprise VPN Clients to Steal Credentials
Summary
Threat actor Storm-2561 is distributing fake enterprise VPN clients for Ivanti, Cisco, and Fortinet to steal VPN credentials. The attackers use SEO poisoning to redirect victims to spoofed sites mimicking legitimate VPN vendors. The fake VPN clients install a loader and the Hyrax infostealer, which captures and exfiltrates credentials while displaying a legitimate-looking login interface. The malware also steals VPN configuration data and establishes persistence via the Windows RunOnce registry key. Microsoft researchers found that the campaign used domains impersonating multiple VPN vendors, and published IoCs and hunting guidance to mitigate the threat. The campaign was first documented by Cyjax in May 2025 and later by Zscaler in October 2025. Microsoft observed the activity in mid-January 2026 and has since taken down the attacker-controlled GitHub repositories and revoked the legitimate code-signing certificate used to sign the malware, neutralizing the operation.
Timeline
- 13.03.2026 15:23 (2 articles): Storm-2561 Distributes Fake Enterprise VPN Clients to Steal Credentials
- Fake enterprise VPN downloads used to steal company credentials — www.bleepingcomputer.com — 13.03.2026 15:23
- Storm-2561 Spreads Trojan VPN Clients via SEO Poisoning to Steal Credentials — thehackernews.com — 13.03.2026 15:38
Information Snippets
- Storm-2561 uses SEO poisoning to redirect victims to spoofed VPN vendor sites. (First reported 13.03.2026 15:23; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- Fake VPN clients install a loader (dwmapi.dll) and the Hyrax infostealer (inspector.dll). (First reported 13.03.2026 15:23; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- The malware captures and exfiltrates VPN credentials and configuration data. (First reported 13.03.2026 15:23; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- The malware is digitally signed with a certificate, since revoked, issued to Taiyuan Lihua Near Information Technology Co., Ltd. (First reported 13.03.2026 15:23; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- The campaign targets users of Ivanti, Cisco, Fortinet, Sophos, SonicWall, Check Point, and WatchGuard VPN products. (First reported 13.03.2026 15:23; 1 source: www.bleepingcomputer.com)
- Storm-2561 has been active since May 2025 and is known for propagating malware through SEO poisoning and impersonating popular software vendors. (First reported 13.03.2026 15:38; 1 source: thehackernews.com)
- The threat actor's campaigns were first documented by Cyjax, which highlighted the use of SEO poisoning on Bing to redirect users searching for software from companies such as SonicWall, Hanwha Vision, and Pulse Secure (now Ivanti Secure Access) to fake sites, tricking them into downloading MSI installers that deploy the Bumblebee loader. (First reported 13.03.2026 15:38; 1 source: thehackernews.com)
- A subsequent iteration of the attack was disclosed by Zscaler in October 2025, in which the campaign took advantage of users searching for legitimate software on Bing to propagate a trojanized Ivanti Pulse Secure VPN client via bogus websites ("ivanti-vpn[.]org") that ultimately stole VPN credentials from the victim's machine. (First reported 13.03.2026 15:38; 1 source: thehackernews.com)
- Microsoft observed the activity in mid-January 2026 and attributed it to Storm-2561. (First reported 13.03.2026 15:38; 1 source: thehackernews.com)
- The attacker-controlled GitHub repository hosts a ZIP file containing an MSI installer that masquerades as legitimate VPN software but sideloads malicious DLL files during installation. (First reported 13.03.2026 15:38; 1 source: thehackernews.com)
- The malware uses the Windows RunOnce registry key to set up persistence, so that it is executed automatically after a system reboot. (First reported 13.03.2026 15:38; 1 source: thehackernews.com)
- Microsoft has taken down the attacker-controlled GitHub repositories and revoked the legitimate certificate to neutralize the operation. (First reported 13.03.2026 15:38; 1 source: thehackernews.com)
Similar Happenings
OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts
A surge in phishing campaigns exploiting Microsoft’s OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe. Microsoft recently warned of phishing campaigns using OAuth URL redirection mechanisms to bypass conventional phishing defenses. These campaigns target government and public-sector organizations, redirecting victims to attacker-controlled infrastructure without stealing their tokens. Attackers abuse OAuth's standard behavior by crafting URLs with manipulated parameters or associated malicious applications to redirect users to malicious destinations. The attack starts with a malicious application created by the threat actor, configured with a redirect URL pointing to a rogue domain hosting malware. The malicious payloads are distributed as ZIP archives, leading to PowerShell execution, DLL side-loading, and pre-ransom or hands-on-keyboard activity. 
The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document. Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that's not feasible, it's advised to use a policy that uses an allow-list approach to allow device code authentication for approved users, operating systems, or IP ranges. Threat actors are now targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating. 
This provides attackers with valid authentication tokens that can be used to access the victim's account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes. Hackers are abusing the legitimate OAuth redirection mechanism to bypass phishing protections in email and browsers to take users to malicious pages. The attacks target government and public-sector organizations with phishing links that prompt users to authenticate to a malicious application. The malicious OAuth applications are registered with an identity provider, such as Microsoft Entra ID, and leverage the OAuth 2.0 protocol to obtain delegated or application-level access to user data and resources. The attackers create malicious OAuth applications in a tenant they control and configure them with a redirect URI pointing to their infrastructure. The researchers say that even if the URLs for Entra ID look like legitimate authorization requests, the endpoint is invoked with parameters for silent authentication without an interactive login and an invalid scope that triggers authentication errors. This forces the identity provider to redirect users to the redirect URI configured by the attacker. In some cases, the victims are redirected to phishing pages powered by attacker-in-the-middle frameworks such as EvilProxy, which can intercept valid session cookies to bypass multi-factor authentication (MFA) protections. Microsoft found that the 'state' parameter was misused to auto-fill the victim’s email address in the credentials box on the phishing page, increasing the perceived sense of legitimacy. In other instances, the victims are redirected to a 'download' path that automatically delivers a ZIP file with malicious shortcut (.LNK) files and HTML smuggling tools. Opening the .LNK launches PowerShell, which performs reconnaissance on the compromised host and extracts the components required for the next step, DLL side-loading. 
A malicious DLL (crashhandler.dll) decrypts and loads the final payload (crashlog.dat) into memory, while a legitimate executable (stream_monitor.exe) loads a decoy to distract the victim. Microsoft suggests that organizations should tighten permissions for OAuth applications, enforce strong identity protections and Conditional Access policies, and use cross-domain detection across email, identity, and endpoints.
Oyster Malware Distributed via Fake Microsoft Teams Installers
A new malvertising campaign uses SEO poisoning to distribute fake Microsoft Teams installers that deploy the Oyster backdoor on Windows devices. The malware, known as OysterLoader, provides attackers with remote access to corporate networks, enabling command execution, payload deployment, and file transfers. The campaign targets users searching for 'Teams download,' leading them to a fake site that mimics Microsoft's official download page. The malicious installer, signed with legitimate certificates, drops a DLL into the %APPDATA%\Roaming folder and creates a scheduled task for persistence. Microsoft revoked over 200 certificates used to sign malicious Teams installers in a wave of Rhysida ransomware attacks in October 2025. The threat group Vanilla Tempest, also tracked as VICE SPIDER and Vice Society, is a financially motivated actor that focuses on deploying ransomware and exfiltrating data for extortion. The Oyster malware, also known as Broomstick and CleanUpLoader, has been linked to multiple campaigns and ransomware operations, such as Rhysida. The campaign was first disclosed by Blackpoint Cyber in September 2025, highlighting how users searching for Teams online were redirected to bogus download pages, where they were offered a malicious MSTeamsSetup.exe instead of the legitimate client. The threat actor used Trusted Signing, SSL.com, DigiCert, and GlobalSign code signing services to sign the malicious installers and other post-compromise tools. In early 2026, OysterLoader evolved with new C2 infrastructure and obfuscation methods, including a multi-stage infection chain and dynamic API resolution to hinder detection and analysis.
GPUGate Malware Campaign Targets IT Firms in Western Europe
The **GPUGate malware campaign** continues to evolve, now leveraging **Claude AI artifacts and Google Ads** to distribute **MacSync and AMOS infostealers** via **ClickFix attacks**. Over **15,600 users** have accessed malicious Claude-generated guides, which instruct victims to execute Terminal commands fetching malware payloads. This follows earlier waves abusing **ChatGPT/Grok chats, fake GitHub repositories, and malvertising** to deploy stealers targeting credentials, crypto wallets, and system data. The campaign, active since **April 2023**, has expanded from traditional phishing to **abusing AI ecosystems, supply-chain weaknesses, and trusted platforms** (e.g., Homebrew, LogMeIn, AI assistants). Russian-speaking actors operate **AMOS as a Malware-as-a-Service (MaaS)**, with stolen logs sold in underground markets to fuel fraud, ransomware, and account takeovers. The latest **Claude artifact abuse** underscores the shift toward **high-impact, scalable distribution channels**, exploiting weak platform vetting and user trust in AI-generated content. Organizations should monitor for **suspicious Terminal activity, C2 traffic to domains like `a2abotnet[.]com`, and unauthorized data egress** while educating users on **ClickFix-style lures** and unverified AI tool instructions.
UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages
Microsoft and Malwarebytes have disclosed a **DNS-based ClickFix variant** that marks the first documented use of the `nslookup` command to stage and deliver malicious payloads. This technique abuses DNS queries to retrieve a PowerShell script embedded in the `NAME:` field of a DNS response from an attacker-controlled server (**84[.]21.189[.]20**), which then deploys **ModeloRAT** via a Python runtime and VBScript persistence mechanism. The attack chain begins with fake CAPTCHA lures, followed by social engineering tactics (e.g., fake system alerts, browser crashes, or instructional videos) to coerce victims into executing the `nslookup` command, which downloads a ZIP archive containing the final payload. This evolution builds on earlier ClickFix tactics, including **ConsentFix** (Azure CLI OAuth abuse), **CrashFix** (malicious Chrome extensions triggering browser crashes), and **SyncAppvPublishingServer.vbs** (Google Calendar dead drops). The latest DNS-based approach demonstrates the campaign’s adaptability, leveraging **trusted native tools** (`nslookup`), **DNS as a C2 channel**, and **psychological manipulation** (urgency tactics) to bypass security controls. Concurrently, ClickFix campaigns continue to expand with **cross-platform targeting** (Windows/Linux/macOS), **AI platform abuse** (ChatGPT, Grok, Claude), and **weaponized SaaS infrastructure** (Google Groups, Pastebin) to distribute payloads like **Lumma Stealer** and **Odyssey Stealer**. The integration of **DNS staging**, **browser-native execution**, and **multi-stage loaders** underscores the campaign’s resilience despite 2025 law enforcement disruptions, with actors refining tradecraft to maximize evasion via **social engineering**, **steganography**, and **legitimate service abuse**.
Cybercriminals exploit Lovable vibe coding service for malicious websites
Cybercriminals are increasingly abusing the Lovable vibe coding service to create malicious websites for phishing attacks, crypto scams, and other threats. Proofpoint researchers have identified tens of thousands of Lovable URLs involved in malicious activities since February 2025. The service, launched in late 2024, has been used to generate convincing and effective websites in minutes, lowering the barrier to entry into cybercrime. Lovable, based in Stockholm, Sweden, has been targeted by multiple campaigns leveraging its AI-powered platform to distribute MFA phishing kits, malware, and phishing kits targeting credit card and personal information. The company has responded by implementing new security protections, including Security Checker 2.0, an AI-powered platform safety program, and taking down hundreds of malicious domains. Since February, cybersecurity company Proofpoint observed tens of thousands of Lovable URLs that were delivered in email messages and were flagged as threats. Four malicious campaigns have been identified, including a large-scale operation using the phishing-as-a-service platform Tycoon, a payment and data theft campaign impersonating UPS, a cryptocurrency theft campaign impersonating Aave, and a malware delivery campaign distributing the remote access trojan zgRAT. Additionally, DPRK hackers have leveraged ClickFix-style lures to deliver BeaverTail and InvisibleFerret malware, targeting marketing and trader roles in cryptocurrency and retail sector organizations. The campaign uses a fake hiring platform web application created using Vercel to distribute the malware, which is delivered in the form of a compiled binary for Windows, macOS, and Linux systems.