SeasonalInvite eCard phishing campaign targeting Windows and macOS users
Campaign
Summary
Hide ▲
Show ▼
The SeasonalInvite phishing campaign has been active for six months, tricking Windows and macOS users into installing legitimate RMM software through fake eCards. The operation used 959 domains and a traffic distribution system (TDS) to route victims to a BlueMountain impersonation page that auto-downloaded an installer. The campaign matters because the installers were commercially signed and therefore could pass normal security checks while still enabling attacker-controlled remote access.
Related Happenings
CrashStealer meeting-PIN delivery campaign
Campaign
H score35
First: 13.07.2026 22:04
Last: 13.07.2026 22:04
Sources 1
About this happening:
The **CrashStealer** campaign is delivering a **signed, Apple-notarized installer** from a **fake software site** gated by a **meeting PIN**, narrowing infection opportunities to...
CrashStealer meeting-PIN delivery campaign
CampaignAbout this happening: The **CrashStealer** campaign is delivering a **signed, Apple-notarized installer** from a **fake software site** gated by a **meeting PIN**, narrowing infection opportunities to...
Sapphire Sleet Mastra npm supply-chain campaign
Campaign
H score42
First: 20.06.2026 17:09
Last: 20.06.2026 17:09
Sources 1
About this happening:
The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Sapphire Sleet Mastra npm supply-chain campaign
CampaignAbout this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Mastra @mastra/* npm packages hit by network compromise
Incident
H score47
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
**Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Mastra @mastra/* npm packages hit by network compromise
IncidentAbout this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Latest development: 20.06.2026 17:09
Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.
JINX-0164 cryptocurrency recruitment-lure campaign
Campaign
H score39
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
JINX-0164 cryptocurrency recruitment-lure campaign
CampaignAbout this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
UNC1069 open-source maintainer social-engineering campaign
Campaign
H score38
First: 04.04.2026 23:30
Last: 04.04.2026 23:30
Sources 1
About this happening:
UNC1069's **coordinated social-engineering campaign** against **Node.js and npm maintainers** has widened, with multiple developers reporting the same lure pattern and the potenti...
UNC1069 open-source maintainer social-engineering campaign
CampaignAbout this happening: UNC1069's **coordinated social-engineering campaign** against **Node.js and npm maintainers** has widened, with multiple developers reporting the same lure pattern and the potenti...
Latest development: 06.04.2026 23:55
Security researcher Taylor Monahan and Socket reported that members of the open source software community, including Socket engineers and CEO Feross Aboukhadijeh, were targeted by the same slow-burn LinkedIn, Slack, and Microsoft Teams social engineering playbook used against Axios maintainer Jason Saayman, indicating the campaign was wider than a single Axios compromise.
Timeline
-
15.07.2026 18:00 2 articles · 1h ago
SeasonalInvite eCard phishing campaign targeting Windows and macOS users
Initial DisclosureEarly activity used **tax** and **Social Security** lures, then rotated to **Valentine's**, **Easter**, and spring invitation themes. Victims who reached the fake greeting-card page were funneled through a **TDS** to an installer that matched their operating system.
Show sources
- Phishing Campaign Abuses eCards to Deploy RMM Tools — www.infosecurity-magazine.com — 15.07.2026 18:00
- Phishing Campaign Abuses eCards to Deploy RMM Tools — www.infosecurity-magazine.com — 15.07.2026 18:00