X-Industry

Remote Access Trojans, also known as RATs, have been around for years, although their prevalence in the market has surged recently.  RATs are digital skeleton keys, giving an attacker remote control over a system, often without the user ever knowing.  This kind of access often starts with someone clicking a malicious link or opening a rogue attachment in a phishing email or messaging app.  From there, the attacker can move laterally, steal data, monitor activity, or trigger ransomware.

RATs have

The legal market segment has been a prime target for cybercriminals due to the highly sensitive and confidential data it holds.  A recent report from the International Legal Technology Association (ILTA) and Fenix24, "Security at Issue: State of Cybersecurity in Law Firms," reveals a crucial shift in the threat landscape.  The report, based on a survey of 60 law firms, indicates that while awareness and investment are rising, fundamental vulnerabilities persist, and human-operated attacks are no

In early July 2025, a new DarkCloud campaign was observed in the wild by Fortinet’s FortiGuard Labs team.  It began with a phishing email containing an attached RAR archive. Fortinet subsequently investigated this campaign and conducted a step-by-step analysis.  DarkCloud is a known stealthy Windows-based information-stealer malware that was first identified in 2022. It is designed to steal sensitive information from the victim’s computer, including saved login credentials, financial data, conta

A leading cybersecurity, privacy, and data protection firm, Vipre Security Group, has released its Q2 2025 Email Threat Landscape Report, highlighting a significant shift in cybercriminal tactics.  The report, based on an analysis of global real-world data, uncovers a growing reliance on hyper-personalized, AI-driven phishing techniques that exploit human vulnerabilities rather than traditional technological tricks.  This evolution in email-based threats is raising alarms for organizations world

The Fortinet/FortiMail Workspace Security team recently identified a targeted intrusion campaign impacting multiple Israeli organizations.  The adversary leveraged compromised internal email infrastructure to distribute phishing messages across the regional business landscape.  These emails initiated a multi-stage, PowerShell-based infection chain that culminated in the delivery of a remote access trojan (RAT), executed entirely through PowerShell.

Key characteristics include:

• Full PowerShell-b

Gen Z has often been hailed as the most tech-savvy generation in history.  But new research from Kaspersky suggests that their hyper-connected, gig-driven lifestyle may also be making them one of the most vulnerable.  In a recent report, Kaspersky warns that "polyworking," a growing trend among Gen Z workers juggling multiple part-time jobs, freelance gigs, or side hustles, is creating an unprecedented cybersecurity challenge. With a widened digital footprint, these digital natives are increasin

A recent Varonis report exposes a rising threat: cyber criminals exploiting Microsoft OneNote to launch “native” phishing campaigns via Microsoft 365. OneNote is a well-established digital note-taking app that provides a single place for keeping users' reminders, research and project information.  These attacks exploit trust in legitimate collaboration tools, combining social engineering and cloud infrastructure to bypass traditional defenses.  This new attack vector uses shared OneNote notebook

Cybersecurity researchers have observed a surge in identity-driven cyberattacks targeting employee login credentials.   According to a new report by eSentire’s Threat Response Unit (TRU), between 2024 and the first quarter of 2025, 19,000 identity-related cyber investigations revealed a 156% increase in such threats compared to 2023.  These incidents now account for 59% of all confirmed threats across eSentire’s customer base of over 2000 organizations.[1]

One of the biggest enablers of this tre

Red Sky Alliance monthly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associate

Researchers from FortiGuard Labs recently uncovered an active delivery site that hosts a weaponized HTA script and silently drops the infostealer “NordDragonScan” into victims’ environments.  Once installed, NordDragonScan examines the host and copies documents, harvests entire Chrome and Firefox profiles, and takes screenshots.  The package is then sent over TLS to its command-and-control server, “kpuszkiev.com,” which also serves as a heartbeat server to confirm the victim is still online and

Security researchers have warned bargain-hunting shoppers to be on the lookout for scams this Amazon Prime Day, after discovering many lookalike domains.  Check Point said that, in June alone, it recorded more than 1000 domains with names resembling “Amazon” and “Amazon Prime,” 87% of which have been flagged as malicious or suspicious.

The security vendor warned that big-name online events like Prime Day are a magnet for fraudsters, who tend to target victims via fake (phishing) sites impersonat

Threat actors are abusing the ConnectWise ScreenConnect installer to build signed remote access malware by modifying hidden settings within the client’s Authenticode signature.  ConnectWise ScreenConnect is a remote monitoring and management (RMM) software that enables IT administrators and managed service providers (MSPs) to troubleshoot devices remotely.  When a ScreenConnect installer is built, it can be customized to include the remote server the client should connect to, the text displayed

Cybersecurity experts at Forcepoint’s X-Labs are warning about the continued activity of Remcos malware. This sophisticated threat consistently adapts to bypass security measures and maintain a hidden presence on infected computers.  This malware, often delivered through convincing phishing attacks, allows attackers to establish long-term access.

According to reports, campaigns observed between 2024 and 2025 show that Remcos malware remains highly active, continually adapting to stay hidden, as

"If you can't see the threat coming, you can't defend against it."  The third-party risk management (TPRM) industry has a significant blind spot, and it's becoming increasingly problematic.  While we concentrate on SOC reports, ISO certifications, and vendor questionnaires, cybercriminals are actively trading your vendors' stolen credentials, exploiting their vulnerabilities, and planning their next attacks, all in plain sight on the dark web.

The Underground Economy Your TPRM Program Overlooks

Almost half (44%) of mobile users report being exposed to scams and threats daily, with a majority concerned about losing important files and productivity loss as a result, according to Malwarebytes.  The security vendor polled 1,300 adults in the US, UK, Austria, Germany, and Switzerland for its "Tap, Swipe, Scam" report.  Although it focused on the personal impact of such threats, they’re having a growing impact on enterprise risk, given the large number of organizations that allow Bring Your

One of America’s largest home and auto insurers has notified regulators and customers of a cybersecurity incident and related network outage.  Fortune 500 business Erie Insurance employs over 7000 staff and 14,000 agents, with parent company Erie Indemnity Company posting revenue of close to $4bn last year.  It currently boasts over six million active policies.  However, the firm warned customers yesterday of an “ongoing network outage” related to a confirmed “information security event” which w

Red Sky Alliance monthly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associate

In April 2025, FortiGuard Labs observed a threat actor using phishing emails with malicious HTML files to spread Horabot, malware that primarily targets Spanish-speaking users.  It is known for using crafted emails that impersonate invoices or financial documents to trick victims into opening malicious attachments and can steal email credentials, harvest contact lists, and install banking trojans.

Horabot leverages Outlook COM automation to send phishing messages from the victim’s mailbox, enabl

Cybercriminals are constantly finding new ways to trick people, and one of the latest scams on the rise is called vishing, short for voice phishing. Unlike email scams (also known as phishing), vishing occurs over the phone. Recent studies have highlighted a dramatic escalation in vishing attacks.

See: https://redskyalliance.org/xindustry/let-s-talk-about-vishing

The 2025 CrowdStrike Global Threat Report documented a 442% surge in vishing incidents from the first to the second half of 2024. Addi

A new report out today from Cisco Talos, a cybersecurity company part of Cisco Systems Inc., found that in 2024, cybercriminals didn’t need zero-days or custom malware to wreak havoc: They just logged in. Identity-based attacks, misused legitimate tools, and years-old vulnerabilities drove the majority of security incidents last year.

The findings come from the Talos 2024 Year in Review report, based on telemetry from more than 46 million devices across 193 countries and regions, analyzing more