X-Industry

Cybersecurity researchers have observed a surge in identity-driven cyberattacks targeting employee login credentials.   According to a new report by eSentire’s Threat Response Unit (TRU), between 2024 and the first quarter of 2025, 19,000 identity-related cyber investigations revealed a 156% increase in such threats compared to 2023.  These incidents now account for 59% of all confirmed threats across eSentire’s customer base of over 2000 organizations.[1]

One of the biggest enablers of this tre

Red Sky Alliance monthly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associate

Researchers from FortiGuard Labs recently uncovered an active delivery site that hosts a weaponized HTA script and silently drops the infostealer “NordDragonScan” into victims’ environments.  Once installed, NordDragonScan examines the host and copies documents, harvests entire Chrome and Firefox profiles, and takes screenshots.  The package is then sent over TLS to its command-and-control server, “kpuszkiev.com,” which also serves as a heartbeat server to confirm the victim is still online and

Security researchers have warned bargain-hunting shoppers to be on the lookout for scams this Amazon Prime Day, after discovering many lookalike domains.  Check Point said that, in June alone, it recorded more than 1000 domains with names resembling “Amazon” and “Amazon Prime,” 87% of which have been flagged as malicious or suspicious.

The security vendor warned that big-name online events like Prime Day are a magnet for fraudsters, who tend to target victims via fake (phishing) sites impersonat

Threat actors are abusing the ConnectWise ScreenConnect installer to build signed remote access malware by modifying hidden settings within the client’s Authenticode signature.  ConnectWise ScreenConnect is a remote monitoring and management (RMM) software that enables IT administrators and managed service providers (MSPs) to troubleshoot devices remotely.  When a ScreenConnect installer is built, it can be customized to include the remote server the client should connect to, the text displayed

Cybersecurity experts at Forcepoint’s X-Labs are warning about the continued activity of Remcos malware. This sophisticated threat consistently adapts to bypass security measures and maintain a hidden presence on infected computers.  This malware, often delivered through convincing phishing attacks, allows attackers to establish long-term access.

According to reports, campaigns observed between 2024 and 2025 show that Remcos malware remains highly active, continually adapting to stay hidden, as

"If you can't see the threat coming, you can't defend against it."  The third-party risk management (TPRM) industry has a significant blind spot, and it's becoming increasingly problematic.  While we concentrate on SOC reports, ISO certifications, and vendor questionnaires, cybercriminals are actively trading your vendors' stolen credentials, exploiting their vulnerabilities, and planning their next attacks, all in plain sight on the dark web.

The Underground Economy Your TPRM Program Overlooks

Almost half (44%) of mobile users report being exposed to scams and threats daily, with a majority concerned about losing important files and productivity loss as a result, according to Malwarebytes.  The security vendor polled 1,300 adults in the US, UK, Austria, Germany, and Switzerland for its "Tap, Swipe, Scam" report.  Although it focused on the personal impact of such threats, they’re having a growing impact on enterprise risk, given the large number of organizations that allow Bring Your

One of America’s largest home and auto insurers has notified regulators and customers of a cybersecurity incident and related network outage.  Fortune 500 business Erie Insurance employs over 7000 staff and 14,000 agents, with parent company Erie Indemnity Company posting revenue of close to $4bn last year.  It currently boasts over six million active policies.  However, the firm warned customers yesterday of an “ongoing network outage” related to a confirmed “information security event” which w

Red Sky Alliance monthly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associate

In April 2025, FortiGuard Labs observed a threat actor using phishing emails with malicious HTML files to spread Horabot, malware that primarily targets Spanish-speaking users.  It is known for using crafted emails that impersonate invoices or financial documents to trick victims into opening malicious attachments and can steal email credentials, harvest contact lists, and install banking trojans.

Horabot leverages Outlook COM automation to send phishing messages from the victim’s mailbox, enabl

Cybercriminals are constantly finding new ways to trick people, and one of the latest scams on the rise is called vishing, short for voice phishing. Unlike email scams (also known as phishing), vishing occurs over the phone. Recent studies have highlighted a dramatic escalation in vishing attacks.

See: https://redskyalliance.org/xindustry/let-s-talk-about-vishing

The 2025 CrowdStrike Global Threat Report documented a 442% surge in vishing incidents from the first to the second half of 2024. Addi

A new report out today from Cisco Talos, a cybersecurity company part of Cisco Systems Inc., found that in 2024, cybercriminals didn’t need zero-days or custom malware to wreak havoc: They just logged in. Identity-based attacks, misused legitimate tools, and years-old vulnerabilities drove the majority of security incidents last year.

The findings come from the Talos 2024 Year in Review report, based on telemetry from more than 46 million devices across 193 countries and regions, analyzing more

In Star Trek: The Next Generation episode “The Drumhead,” a Starfleet officer’s suspected espionage sparks an overzealous investigation that turns into a witch hunt, driven by paranoia.  Captain Picard’s warning about the dangers of overreaction, “With the first link, the chain is forged…,” underscores the importance of caution when assigning blame. This is highly relevant to the hacking of Ranveer Allahbadia’s YouTube channel, where suspicions point to Chinese hackers.  Although China has a his

Havoc is a powerful command-and-control (C2) framework. Like other well-known C2 frameworks, such as Cobalt Strike, Silver, and Winos4.0, Havoc has been used in threat campaigns to gain complete control over the target. Additionally, It is open-source and available on GitHub, making it easier for threat actors to modify it to evade detection.

FortiGuard Labs recently discovered a phishing campaign that combines ClickFix and multi-stage malware to deploy a modified Havoc Demon Agent. The threat a

An ongoing PayPal email scam exploits the platform's address settings to send fake purchase notifications, tricking users into granting remote access to scammers.  For the past month, BleepingComputer and others have received emails from PayPal stating, "You added a new address.  This is just a quick confirmation that you added an address in your PayPal account."  The email includes the new address that was allegedly added to your PayPal account, including a message claiming to be a purchase con

The threat actors behind the Darcula Phishing-as-a-Service (PhaaS) platform appear to be preparing a new version that allows prospective customers and cyber actors to clone any brand's legitimate website and create a phishing version, further bringing down the technical expertise required to pull off phishing attacks at scale.  The latest iteration of the phishing suite "represents a significant shift in criminal capabilities, reducing the barrier to entry for bad actors to target any brand with

A new phishing campaign relies on legitimate links to trick victims into logging in and giving attackers control of their PayPal accounts. The phishing emails inform the intended victim of a payment request, providing legitimate-looking details, such as an amount and transaction ID, and even contain warnings that one would typically find in an email from PayPal. The messages come from a genuine PayPal address and include a genuine URL, which allows them to pass security checks and makes them app

An Android malware called FireScam tricks people into thinking they are downloading a Telegram Premium application that clandestinely monitors victims' notifications, text messages, and app activity while stealing sensitive information via Firebase services.

Cyfirma researchers spotted the new infostealer with spyware capabilities. They said the malware is distributed through a GitHub.io-hosted phishing website miming RuStore, a popular Russian Federation app store.

The phishing site delivers a

While you always want to be careful where you click online, a new variation on the classic clickjacking attack should give you pause when a site asks you to double-click on something.  As reported by Cybernews, Amazon security engineer Paulos Yibelo has shed light on a new version of this attack that can be used to disable security settings, delete an account or even take over your existing accounts.  As the name suggests, clickjacking is an attack method where hackers, scammers or other cybercr