Threat actors are abusing #Microsoft infrastructure to conduct callback #phishing attacks.
They register Microsoft 365 tenants with names crafted to include lure messages, such as a fake purchase alert containing a fraudulent support contact. They also use .onmicrosoft.com
SpiderLabs
The elite security team at @LevelBlueCyber. Response & Investigations. Analysis & Testing. Research & Development. Follow for info on the latest threats.
- #PhishingAlert: Threat actors are abusing ICS calendar invites to deliver #phishing links. Clicking the link redirects victims to Tycoon2FA-linked phishing pages impersonating #Microsoft 365 login portals. These fake sites are designed to steal credentials and session cookies,
- 🧑‍🍳 Here’s a CyberChef recipe for decoding Tycoon2FA’s JavaScript obfuscated with invisible Unicode characters: 🔗 carbon.now.sh/rXR8MGiikjz8aM… (Feel free to customise it as needed.) 🪝Tycoon2FA now uses invisible Unicode characters to encode #JavaScript in its #phishing landing
- 🚨 Phishing Alert: We’ve spotted fake timesheet report emails leading to the Tycoon 2FA phishing kit—now abusing Pinterest visual bookmarks as intermediaries. Stay vigilant! 🔍 #IoCs: pin[.]it/7FwOYIHSO 8a[.]nextwavxe[.]ru/zz4bnhS7UpYZhbV4xqA/ #CyberSecurity #Phishing
- 🪝🚨 #Phishing Alert: We've identified Tycoon2FA-linked campaigns targeting #Microsoft 365 users that use malformed URLs with a backslash character (e.g., https:\\). Despite the malformed format, most browsers still resolve these links, leading victims to credential harvesting
- 🚨 #MalspamAlert: We’ve spotted a campaign delivering #RemcosRAT, using a fake payment SWIFT copy to lure victims. The attached PDF links to an obfuscated JavaScript file that uses ActiveXObject to fetch a second-stage script. This script invokes PowerShell to download and decode
- A recent discovery by JPCERT/CC sheds light on a new technique that involves embedding a malicious Word document within a seemingly benign PDF file using a .doc file extension. trustwave.com/en-us/resource…
- 🚨 Phishing Alert: New phishing mail mimics urgent #Zoom invites from colleagues. Victims are led to a fake meeting page with video of “participants” to steal login info. Don’t click suspicious links — always verify! 🔒 #CyberSecurity #Phishing #Scam #MailMarshal IoCs:
- 🕷️ @SpiderLabs Senior Security Researcher Diana Lopera has discovered a new #phishing campaign that injects info stealer #Vidar #malware. The spyware is being concealed in #Microsoft Compiled HTML Help (CHM) files to avoid detection. Read the blog: trustwave.com/en-us/resource…
- 🚨🪝 #PhishingAlert: Tycoon PhaaS Phishing Campaign Utilizes QR Code with Unicode Block Elements. We have discovered a #phishing campaign linked to Tycoon PhaaS (Phishing-as-a-Service) that directs victims to a fake Office 365 login page via QR code. The phishing email
- #MalspamAlert: We spotted a campaign delivering the #DarkCloud infostealer using fake HR documents such as "Your_Leave_For Mid Year_Till _December 2025 PNG.rar". The RAR archive hides an executable payload using a technique called header tampering. The attacker embeds an .exe
- 👥 The new #SpiderLabs blog looks at the importance of using multiple #C2 frameworks during #RedTeam engagements to make the simulation more realistic and well-rounded, as real attackers would have various options to bypass security controls. trustwave.com/en-us/resource…
- 🚨 #MalwareAlert: We spotted a malicious campaign abusing #LogMeIn Resolve remote access software to compromise user systems. The attack begins with an invoice-themed spam email that tricks targets into opening a PDF. The document urges an Adobe Acrobat update to view the invoice