The Power of ChatGPT: How ChatGPT is Changing the Phishing Game

ChatGPT is changing the phishing game for threat actors, who can use it to craft phishing emails and to bypass MFA. This article looks at what ChatGPT offers phishing actors, how it can be used for email crafting, and how you can protect yourself from AI-powered phishing.

ML (Machine Learning) models and AI (Artificial Intelligence) chatbot technology have come a long way in recent years, and one of the most advanced models is ChatGPT. Having made headlines worldwide for its ability to understand and respond to natural language input, ChatGPT is a valuable tool in multiple industries.

However, like two sides of a coin, ChatGPT can significantly impact innocent lives in the hands of threat actors. In this article, we will explore how ChatGPT is changing the phishing game and the potential implications of this technology for both businesses and individuals.


The Emergence of ChatGPT and its Role in Phishing

ChatGPT, OpenAI’s large language model, has brought significant progress to NLP (Natural Language Processing), with applications ranging from customer service and virtual assistants to phishing detection and prevention. The irony is that the same capability can be turned to the malicious purpose of phishing, letting an attacker target innocent individuals without much effort.

As the technology develops, we can expect to see ChatGPT used in ever more innovative ways, making it a mighty tool for shaping the future. But we can also expect threat actors to use it to overcome the difficulties of crafting phishing emails, leading to more sophisticated campaigns built with the AI chatbot. So how exactly does ChatGPT fit into phishing and cyberattacks?



ChatGPT Assisting Phishers in Social Engineering and Email Crafting

Phishing is a common tactic used by cybercriminals to trick individuals into sharing sensitive information, such as login credentials or financial details. The phishing game is changing, however, with the emergence of AI chatbot technology like ChatGPT. While ChatGPT can be trained to detect and respond to phishing attempts, making it a valuable asset in the fight against cybercrime, it also removes the hurdles that low-skilled cybercriminals face when crafting phishing emails.

Threat actors, or individuals who engage in phishing attacks, face several challenges when crafting phishing emails. Crafting a successful phishing email is a complex task that requires a significant amount of skill and knowledge.

One of the main challenges is making the email appear as legitimate as possible, to increase the likelihood of the recipient falling for the scam or social engineering tactic. This almost always involves creating a sense of urgency or fear so that the recipient acts quickly without thinking. ChatGPT can take care of this, continually producing phishing email templates for mass campaigns and enabling threat actors to cause all kinds of harm.

For example, when researchers at Hoxhunt were checking how capable the AI chatbot was at crafting phishing emails, they asked it to prepare a BEC (Business Email Compromise) phishing attack impersonating the CEO (Chief Executive Officer) of a defunct organization by the name of Standard Oil. ChatGPT delivered a phishing email in which the CEO asked for the recipients’ immediate attention, informed them of a financial restructuring, and asked them to redirect invoices to a new account.




Threat actors can, and already do, use the AI chatbot to craft malicious phishing emails. Just as RaaS (Ransomware as a Service) models transformed ransomware attacks, enabling threat actors to target more organizations for financial gain, ChatGPT can be a similar catalyst for phishing campaigns against individuals and enterprise workforces. But how exactly is ChatGPT helping threat actors? Let us see.


How Threat Actors can Utilize ChatGPT for Phishing

ChatGPT has advanced coding capabilities that threat actors can abuse, but even confining the discussion to its writing ability reveals something both impressive and dangerous. The chatbot improves quickly and offers many ways to write emails that are indistinguishable from those humans write, so phishing actors can use it and similar platforms to create whatever they need to dupe people on the Internet, including fake web personas, fake website presences, and more.

Here are two areas where ChatGPT can help attackers:

  1. Translation

ChatGPT officially supports over 20 languages, including English, Chinese, and Korean, but people on the Internet have tested nearly 100, and ChatGPT copes. Now that language is no barrier, anyone can explain to ChatGPT what output they need and it will provide the writing promptly, even if that writing is a phishing email. Even though the AI chatbot is blocked in Russia, individuals and threat actors have found ways to use it via VPNs (Virtual Private Networks) and foreign phone numbers.


  2. Bypassing MFA

With the boom in NLP, ChatGPT can convincingly hold a conversation in a human-like manner, and that ability can be used to bypass MFA (Multi-Factor Authentication). In the past, threat actors have used SMSRanger, BloodOTPbot, and similar bots in turbo-charged phishing attacks to automatically follow up credential harvesting, asking the victim for the OTP (One Time Password) code and thereby defeating 2FA (Two Factor Authentication).

When threat analysts at Hoxhunt asked the chatbot how it could bypass MFA, it said, “These chatbots can engage with people in a human-like manner and trick them into revealing their personal information or MFA credentials. For example, an attacker may use a chatbot to impersonate a trusted individual or organization and request that the victim provide their password or security token.”




Since NLP-enabled and AI chatbots are more intelligent, they can keep up with individuals and move with the flow of the conversation to dupe them out of security codes, helping the threat actor bypass MFA.


How to Protect Yourself from Phishing in the age of AI-powered Phishing Campaigns?

The legacy advice of always being cautious with unsolicited messages and never clicking links or downloading attachments from unknown or suspicious sources still works. Leveraging anti-phishing tools and software, such as email filters and browser extensions, to detect and block phishing attempts adds a further layer of protection. Beyond that, here are some tips to protect yourself from phishing in the age of AI-powered phishing campaigns:

  • Offering a simple method for reporting suspicious emails.
  • Scrutinizing web traffic through a secure web gateway to safeguard both on-premises and remote users.
  • Verifying URLs (Uniform Resource Locator) for malicious content or typosquatting.
  • Implementing email security protocols such as DMARC (Domain-based Message Authentication, Reporting, and Conformance), DKIM (DomainKeys Identified Mail), and SPF (Sender Policy Framework) to combat domain spoofing and content tampering.
  • Isolating Word documents and other attachments in a sandbox environment to prevent them from accessing corporate networks.
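One way to operationalize the URL and DMARC/DKIM/SPF tips above is to triage inbound mail by reading the verdicts the receiving mail server recorded in its Authentication-Results header and by comparing the From: domain against a trusted list for typosquats and digit-for-letter lookalikes. This is an added Python example, not code from the original article; the two messages, the trusted-domain list and the homoglyph map are constructed for illustration.

```python
"""Inbound-mail triage for the tips above: read the SPF/DKIM/DMARC verdicts
that the receiving mail server recorded in Authentication-Results, and flag
From: domains that look like a trusted domain (typosquatting/homoglyphs).
All sample data below is constructed for this example."""
import email
import email.utils
import re
from email import policy
from typing import Optional

# Constructed sample messages (not real mail). The header values mimic what a
# receiving MTA writes after evaluating SPF, DKIM and DMARC.
SAMPLE_LEGIT = """\
From: CEO <ceo@example.com>
To: finance@example.com
Subject: Q1 numbers
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

See attached.
"""

SAMPLE_SPOOF = """\
From: CEO <ceo@examp1e.com>
To: finance@example.com
Subject: URGENT: redirect invoices to new account
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com

Please redirect all invoices to the new account immediately.
"""

# Domains the organisation trusts (constructed allow-list).
TRUSTED_DOMAINS = ["example.com", "example.org"]

# A small homoglyph map: digits commonly substituted for look-alike letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def parse_auth_results(msg) -> dict:
    """Extract spf/dkim/dmarc verdicts; a mechanism that is absent reads 'none'."""
    header = str(msg.get("Authentication-Results", ""))
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
        results[mech.lower()] = verdict.lower()
    return results


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted) -> Optional[str]:
    """Return the trusted domain this one imitates, or None.
    Exact matches are not lookalikes. Comparison runs on the homoglyph-
    normalised form, so examp1e.com is caught as example.com. The distance
    threshold is deliberately small to limit false positives on short names."""
    domain = domain.lower()
    if domain in trusted:
        return None
    norm = domain.translate(HOMOGLYPHS).replace("rn", "m")
    for t in trusted:
        if norm == t or edit_distance(norm, t) <= 2:
            return t
    return None


def from_domain(msg) -> str:
    """Domain part of the From: address (the domain DMARC aligns on)."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower()


def triage(raw: str) -> dict:
    """Return a verdict together with every reason the message was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    domain = from_domain(msg)
    reasons = [f"{m}={auth[m]}" for m in ("spf", "dkim", "dmarc") if auth[m] != "pass"]
    imitated = lookalike_of(domain, TRUSTED_DOMAINS)
    if imitated:
        reasons.append(f"from-domain {domain} resembles trusted {imitated}")
    return {"from_domain": domain, "auth": auth,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for raw in (SAMPLE_LEGIT, SAMPLE_SPOOF):
        print(triage(raw))
```

A real deployment would trust only Authentication-Results headers written by its own border MTA, since anything upstream can be forged.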


Final Words

AI chatbots like ChatGPT can become powerful tools for threat actors carrying out phishing attacks. They can mimic human behavior and communication patterns to make phishing attempts more convincing, and automate the process to increase the chance of success. That is why it is imperative for organizations to stay informed about the latest phishing tactics and to implement advanced security measures, such as AI-based threat detection and response, to detect and respond to these threats.




Despite the risks of ChatGPT in the wrong hands, its benefits in transforming the world and in bringing AI chatbots to security are undeniable, and they will continue to play an important role in phishing protection in the future.

BitRAT Malware Threat Actors Leveraging Stolen Colombian Cooperative Bank Data in Phishing Campaign


BitRAT malware was used to target the Colombian Cooperative Bank, where the threat actors made away with records of over 400,000 individuals, and the information in those records is now being used for a massive spear phishing campaign. This text sheds light on the event, explains what BitRAT is and how the Colombian Cooperative Bank breach unfolded, analyzes the latest BitRAT sample, explains why BitRAT is a grave threat, and shares how organizations can protect against BitRAT malware.


The Role of Employees in Your Company’s Cybersecurity Breach


Cybersecurity is no longer something for ‘other’ companies to worry about. Nowadays, it doesn’t matter how big you are or how much capital you have to spend: if you’re any kind of business, you need to have it in place. 

But pre-installed firewalls and anti-malware aren’t enough; you also need to consider the role your employees play in the event of a breach. The reality is that common sense and the assumption that people will do the right thing only go so far.

Breaches occur more frequently than most would like to admit, but what’s even more worrying is that the majority are caused inadvertently by negligent staff. This could happen by way of accidentally emailing sensitive data to the wrong recipients or even misconfiguring assets for unwanted access. 

So whether you already have some of the following things in place or are completely new to the concept of cybersecurity, let’s take a look at the role your employees play and how you can have them working with you rather than against you in the cybersecurity war. As the statistics shown below indicate, data breaches are rising exponentially, so let’s not waste any time!


[Image: statistics on the rise in data breaches; source attribution not preserved]


Use password management

One of the biggest causes of cybersecurity breaches is bad password management. Whether it’s because your employees are choosing weak passwords, storing them in an insecure way, or even mishandling them, the policies you adopt around this practice can make all the difference when protecting your computer systems. 

Weak passwords make life easy for hackers, and it often doesn’t take them long to work out which word and number patterns certain employees use to build their passwords.

People will often use extremely obvious words or numerical phrases such as ‘123456’, making life ridiculously easy for someone trying to break in. 

Another issue with passwords is how they’re stored. Often employees will store them openly or even publicly, such as in a Google Doc or on a post-it note. Even some supposedly secure methods of storage can be unsafe, such as online password management systems that offer no encryption whatsoever.

There is also the problem of incorrectly handling passwords, for example when an employee never changes a password or shares one over an unencrypted messaging network. Bad habits across a variety of platforms can be an issue too, such as reusing the exact same password over and over again.

Solutions to some of these bad practices include using two-factor authentication for access, utilizing an encrypted password management system, and improving awareness around using passwords through regular, ongoing training within your organization. 




Handling sensitive data 

Another important factor in your company’s cybersecurity is how your employees handle sensitive data. Nightmare scenarios include someone accidentally emailing highly confidential information to the wrong recipients, inadvertently deleting very important files, or even leaking valuable information to an impostor over their voice over IP phone systems.

Not backing up data can be a common problem too. Often employees say they haven’t got time to complete a backup or that they weren’t even aware it was necessary. These kinds of issues can be averted by increasing awareness in your company via posters and ongoing training. It can also help to have some automation in place so that you’re not relying completely on your workers for this to happen.

Human errors, such as accidentally sending sensitive info to the wrong people or deleting valuable data by mistake, can be tragic occurrences, and they can often come down to a lack of training and awareness. But what of the times when an employee says they were too tired or stressed? 

Sometimes it’s worth looking at your company culture as a whole to see if it’s playing a part in your cybersecurity.  There’s nothing wrong with hard work, but if it’s being championed above all else – even the protection of your computer systems – then it might be worth re-examining. Your employees shouldn’t be feeling tired most of the time, and if they are, then it shouldn’t be surprising that they’re making errors. 

Look at work hours and the ethos around getting things done. If it’s too hardcore, then your problems might be helped by tweaking these things and spending more time promoting good cyber hygiene, and protecting your business from phishing and ransomware attacks.



Increase cyber awareness

This echoes much of what has already been said about employee training. Incredibly, much of the human error behind cybersecurity breaches can be traced directly to ignorance. Even simple and straightforward tasks, like completing a much-needed software update or backing up important files from your contact center cloud solution, can be left undone because a staff member didn’t know they were necessary in the first place.

Just because these tasks seem obvious to you doesn’t mean they will be to someone else. If you want to adopt certain policies, then it’s crucial that you inform your employees of them through ongoing training. If they are regularly reminded of what to do when a pop-up prompt appears on their screen, or to back up after saving an important file, then errors will occur less often.

It’s also worth considering how to deliver this kind of cyber awareness training. Lectures that are passively received are less likely to be remembered than interactive training programs that get your staff involved, be it online or in person. You can also consider strategically putting posters up in the work area as prompts and reminders to do the right thing by way of protecting passwords and backing up files. There are also specific courses out there on things such as phishing awareness training that you could invest in for your employees.


Consider access rights and privilege control

When files are accidentally deleted or sensitive documents are used inappropriately, it is often done by people who have no business with those files and documents in the first place. Incredibly, it can be normal for new starters to have free rein over a company’s entire digital filing system when in fact they only need to use a small percentage of it.

A way around this is to ensure that all employees have limited access and adopt a privilege control policy. This reduces the amount of information that someone is exposed to and thus significantly decreases the chance of a mistake being made. 

To begin with, you could even deny all access by default and only grant it on a case-by-case basis. It might cost more time with requests being made, but it can seriously decrease any opportunities for error. 

This ‘principle of least privilege’ is low cost and, once set up and made an official policy, is easy to enforce. It gives you peace of mind and, in turn, will make your employees more mindful about what they can and can’t access, along with what’s deemed sensitive/important versus what isn’t. Along with more advanced technology, such as malware and ransomware protection, it’s a basic policy that can be easily implemented. 




Use current and authorized software

Another schoolboy error is using out-of-date or unauthorized software. When you run old systems, or software your company has deemed ‘blocked’, you open yourself up to all kinds of trouble. The same applies when you allow employees to use their own devices in the workplace, as in this BYOD policy example.

Software updates exist for a reason, and one of the main ones is security. When hackers’ attacks are noted in the coding community, stronger walls are put in place in response. These new defenses are rolled out as updates, and if they’re not installed promptly, you leave yourself exposed to known threats.

Often employees don’t see, or aren’t even aware, that these updates need to be actioned, so educate them about this in your training. Remind them that if they see the genuine update pop-up, they need to click on it. And if they claim they don’t have time for updates, make sure they do.

If possible, set your computers up to download any new updates automatically, for example, overnight, so that you don’t have to rely on your workers to trigger them or worry that they might interfere with productivity by restarting workstations at random times of the day.




Empower your employees and take your cybersecurity to the next level

So as you can see, the role your employees can have in your company’s cybersecurity breach is huge. From personal password management to regular software updates, it’s easy to see that employees make more of a difference than you might have originally thought and that cybersecurity practices are important. 

Yes, an IT department is important too, and they can help when all hell breaks loose, but they cannot do everything. And besides, wouldn’t it be best not to have to rely on them for preventable mishaps like the ones listed above? 

You need a workforce that is well educated and receives ongoing training in all things cybersecurity. It’s also important to adopt access and privilege control so that you’re not inadvertently turning your systems into a free-for-all, wild west situation.

If you haven’t already, put some – if not all – of these cybersecurity strategies in place and learn all you can about what’s important with regard to your employees and cybersecurity. With more information and business going digital, it’s most likely one of your key assets, so do the right thing and protect yourself ahead of time. 



Jenna Bunnell – Senior Manager, Content Marketing, Dialpad

Jenna Bunnell is the Senior Manager for Content Marketing at Dialpad, an AI-incorporated cloud-hosted unified communications system that provides valuable call details for business owners and sales representatives using Dialpad’s virtual business phone system. She is driven and passionate about communicating a brand’s design sensibility and visualizing how content can be presented in creative and comprehensive ways. Jenna has also written for other domains such as FreshySites and BlockSurvey. Check out her LinkedIn profile.

Cybersecurity Updates For The Week 2 of 2023


The phishing threat landscape is constantly evolving, with threat actors likely to continue their actions in 2023. Here are this week’s headlines to inform you of the latest tactics being adopted by threat actors to dupe individuals and organizations alike.


Hackers Hold Database of Romanian Hospital for Ransom

Saint Gheorghe Recovery Hospital, based in Botoşani in northeastern Romania, became the latest target of a ransomware attack, which impacted its medical activity. The cybercriminals demanded 3 Bitcoin to decrypt the servers’ data.

The attack resembles the one in the summer of 2019, when four Romanian hospitals were targeted. The attackers used a remote connection belonging to one of the maintenance companies to break into the network, where they encrypted the December database. Afterward, they left a message in English asking the hospital authorities for a 3 Bitcoin ransom.

The recent attack was complex, and computer scientists from DIICOT and BitDefender (a Romanian antivirus company) could not decrypt the files.

The manager of the Recovery Hospital, doctor Cătălin Dascălescu said, “We have notified DIICOT and the National Directorate of Cyber Security. An investigation is underway, and we are waiting for its findings. I cannot offer further details at the moment. We hope we will have medical activity at normal capacity from Monday.”


US Burger Chain Five Guys Gives Notice of a Data Breach

Five Guys, a US burger chain, recently disclosed a data breach targeting job applicants, and the company can face a lawsuit for the cybersecurity incident. Five Guys started informing customers on December 29 and notified state authorities about the incident.

It is common for businesses to disclose cybersecurity incidents near significant holidays to avoid media coverage. However, a law firm specializing in cybersecurity incidents, Turke & Strauss, noticed Five Guys’ data breach notification.




The law firm urged the impacted individuals to get in touch with them and discuss potential legal recourse against the fast food chain. It also revealed that the sensitive information includes customers’ names, driver’s licenses, and Social Security numbers.

It’s unclear if the data breach was part of a ransomware attack or if an attacker stumbled upon the unprotected cloud storage. Affected individuals were offered free identity protection and credit monitoring services.


SpyNote Strikes Again: Financial Institutions Become the Android Spyware’s Target

Financial institutions became the latest targets of an Android malware’s new version called SpyNote in October 2022. It combines both banking trojan and spyware characteristics. “The reason behind an increase in the number of SpyNote attacks is that the developer, previously selling it to other actors, made its source code public,” according to ThreatFabric. “It helped other cybercriminals develop and distribute the malware and target banking institutions.”

Some notable institutions impersonated by the malware include Kotak Mahindra Bank, Deutsche Bank, HSBC UK, and Nubank. SpyNote or SpyMax is feature-rich spyware with various capabilities like installing malicious apps, gathering calls, videos, SMS messages, and audio recordings, tracking GPS locations, and hindering efforts to uninstall the app. It also masquerades as an official Google Play Store service and other applications in productivity, wallpapers, and gaming categories. Following is a list of a few SpyNote artifacts, mainly delivered through smishing attacks:

  •   Bank of America Confirmation (yps.eton.application)
  •   BurlaNubank (com.appser.verapp)
  •   Conversations_ (com.appser.verapp)
  •   Current activity (com.willme.topactivity)
  •   Deutsche Bank Mobile (com.reporting.efficiency)
  •   HSBC UK Mobile Banking (com.employ.mb)
  •   Kotak Bank (
  •   Virtual SimCard (cobi0jbpm.apvy8vjjvpser.verapchvvhbjbjq)


Massive Leaked Archive Containing 235 million Twitter Users’ Information Available Online

A data leak with the email addresses of 235 million Twitter users was recently published on a popular hacker forum. Experts immediately analyzed it and confirmed the authenticity of the entries in the massive leaked archive. At the end of July, a cybercriminal leaked 5.4 million Twitter users’ data, obtained by exploiting a Twitter vulnerability that has since been fixed.




In January, a report claimed the discovery of a vulnerability that hackers could exploit to find a Twitter account through its associated phone number or email address.

Multiple threat actors exploited the vulnerability to scrape Twitter user profiles with private (email addresses and phone numbers) and public data. Then, they offered the scraped data on various online cybercrime marketplaces. In August, Twitter said that they patched the zero-day flaw discovered by researcher zhirinovskiy through the bug bounty platform HackerOne, which paid him a $5,040 bounty.


Ransomware Attack Shuts Down Massachusetts School District

Superintendent John Robidoux said that Swansea Public Schools canceled classes recently due to a ransomware attack shutting down the district’s network. According to the superintendent, no student or staff’s personally identifiable information was compromised in the attack.

Robidoux issued a news release saying that Hub Technology, the district’s cybersecurity company, shut down the network and isolated the cyberattack within minutes of the attack.

Robidoux said, “After a preliminary investigation, we determined that no personal staff or student information got compromised, and no cloud-based information or files got affected by the attack.”

“We believe this attack occurred because of an encrypted download run by someone within the district, but it is not malicious.” Robidoux added, “I am thankful our district enforces robust security measures around our network that prevented a bigger issue from occurring.”


Critical Flaws Discovered In Ferrari, Porsche, Mercedes, BMW, And Other Carmakers

BMW, Mercedes, Toyota, Ford, and other famous carmakers utilize vulnerable APIs that can allow attackers to perform malicious activities. Cybersecurity researcher Sam Curry discovered numerous vulnerabilities in the vehicles manufactured by various carmakers and the services offered by vehicle solutions providers.




Cybercriminals can exploit the vulnerabilities to perform various malicious activities, like unlocking cars and tracking them. The flaws discovered by the experts impacted popular brands, including Rolls Royce, Ferrari, Ford, Porsche, Kia, Honda, Infiniti, Mercedes-Benz, Genesis, BMW, Nissan, Acura, Toyota, Jaguar, and Land Rover. Furthermore, the research team discovered vulnerabilities in the services offered by Reviver, SiriusXM, and Spireon.

Exploiting these flaws gave the researchers access to various Mercedes mission-critical internal applications through improperly configured SSO. A cybercriminal could have exploited them for remote code execution on multiple systems. Furthermore, the flaws allowed threat actors to access the content of the systems’ memory, leading to the exposure of Mercedes’ customer and employee PII.

For BMW and Rolls Royce, experts found SSO vulnerabilities allowing them to access any employee application. The experts entered VINs, gained access to internal dealer portals, and retrieved sales documents.


Toyota Discloses a Data Breach That Exposed Customers’ Personal Information

Toyota Motor Corporation recently revealed a data breach that compromised its customers’ personal information through an access key available to the public on GitHub for close to five years. Toyota India reported the data breach at Toyota Kirloskar Motor (a joint venture between Toyota and Indian giant Kirloskar Group) to the appropriate Indian authorities.

Toyota accidentally published a portion of the T-Connect site’s source code on GitHub.




The carmaker recently discovered that it accidentally published the source code for its T-Connect website on GitHub. The report said that the incident might have compromised around 296,000 customer records.

The company designed the T-Connect app, giving car owners access to their vehicle’s infotainment system and allowing them to monitor who has access to it.

The source code also included the data server access key with client data like email addresses and management numbers. The motor giant said that a developer subcontractor exposed the source code.

A notice by the company says, “In December 2017, a “T-Connect” website development subcontractor unintentionally uploaded a portion of the source code on GitHub, exposing it to the public, violating the handling rules.” According to Toyota, “The website development subcontractor’s inappropriate handling of the source code caused the incident. We will proceed accordingly.”


Singapore-Based Crypto Firm Targeted by a Hack, Users Lose More Than $10 Million

A cybercriminal tampered with the files of a Singapore-based crypto wallet provider so that victims downloaded compromised wallets onto their phones, and stole over US$8 million (S$10 million). Many users reported that their funds were stolen from their BitKeep wallets, although it is unclear how many Singaporean users were affected.

According to PeckShield, a blockchain security and data analytics firm, the cryptocurrencies stolen included Binance’s BNB Coin, Ether, and stablecoins Tether and Dai.




A BitKeep spokesman, responding to queries from The Straits Times, said it adopted phishing protection techniques to safeguard its users from further losses, including freezing some of the stolen funds and tracing the addresses used in the hack. He further added that they lodged a police report at the end of December, and the police set up a task force in collaboration with cybersecurity experts.

The Latest Iran-aligned Hacker Phishing Campaign Targeting Middle Eastern Countries


Iran-aligned hacker group, MuddyWater’s latest phishing campaign deploying the new Syncro remote administration tool is causing all kinds of trouble. This text shares details about the phishing campaign, who MuddyWater is, the hacker group’s previous attacks, the latest changes, Syncro’s capabilities, how the attack campaign works, and how to protect against it.

There is a novel phishing campaign utilizing legitimate corporate accounts for phishing emails. MuddyWater, a hacking group associated with Iran’s MOIS (Ministry of Intelligence and Security), has been using compromised email accounts from genuine organizations for a large-scale phishing campaign that is paired with a remote administration tool.

The group has used similar tools in the past but has changed its tactics multiple times, culminating in this, its most severe campaign so far. Here is everything you need to know about the MuddyWater phishing campaign and its RAT, Syncro.


Who is MuddyWater?

Also known as Boggy Serpens, Earth Vetala, Seedworm, and Cobalt Ulster, MuddyWater is a hacker group that primarily targets the Middle East and surrounding nations such as India. The group has been causing trouble since 2017, and its threat actors are known for a slowly evolving PowerShell-based backdoor whose capabilities are extended from time to time. The group has also targeted the USA in the past, along with Central and West Asian countries.


MuddyWater’s Previous Attacks

MuddyWater has been conducting significant spear-phishing campaigns in the United Arab Emirates, Saudi Arabia, Israel, and Azerbaijan. These included:

  1. Phishing Emails: As Earth Vetala, the hacking group sent spear-phishing emails and lure documents. These documents and phishing emails contained URLs (Uniform Resource Locators) that led the victims to file-sharing services.
  2. Malicious URLs: These malicious URLs pointed to legitimate file-sharing services, from which the threat actors distributed their RAT (Remote Administration Tool), ScreenConnect.
  3. MuddyWater RAT: MuddyWater’s previous RAT, ScreenConnect, posed as a legitimate application for managing enterprise systems remotely for system administrators. ScreenConnect encompassed data encoding, email parsing, file and registry copy, HTTP/S (Hypertext Transfer Protocol Secure) connection support, native command line, and process and file execution capabilities.



However, researchers at Trend Micro identified multiple threat indicators and discovered that the threat actors were using post-exploitation tools for password dumping. The dumped passwords were tunneled to a threat actor-controlled C2 (Command and Control) server using open-source tools, and additional infrastructure was established on targeted systems for persistent presence. The threat actors could extract credentials from the following:

  •   Chrome
  •   Chromium
  •   Firefox
  •   Opera
  •   Internet Explorer
  •   Outlook


Furthermore, the PowerShell backdoor could:

  •   Analyze Skype connectivity
  •   Download and install Skype
  •   Communicate with its C2 server over an encoded channel
  •   Execute commands sent from the C2 server
  •   Gather MFA (Multi-Factor Authentication) settings
  •   Gather the currently logged-on user and OS version


MuddyWater’s Latest Phishing Campaign

The threat research team at Deep Instinct has been closely analyzing the cybercriminal group’s latest phishing campaign that has been targeting Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and United Arab Emirates.

  1. Phishing

The latest phishing activity was observed in October and is notable for the threat actors' use of a new RAT named Syncro. Just like the previous one, the latest MuddyWater phishing campaign utilizes compromised legitimate corporate accounts.

However, these phishing emails carry a new lure in the form of an HTML (HyperText Markup Language) attachment. The threat actors have been posing as Egyptian hosting service providers and organizations, Israeli healthcare organizations, and more.

Since the HTML attachment is neither an archive nor an executable, it does not raise the victim's suspicion: HTML attachments are usually overlooked when preparing the workforce through phishing education and phishing awareness training.


  2. Syncro

Syncro is a highly sophisticated RAT that allows MuddyWater’s threat actors to take control of the victim’s devices remotely. However, MuddyWater is not the only threat actor utilizing this tool. Syncro has been observed in Luna Moth and BatLoader campaigns as well.

Syncro is a platform packed with features aimed at helping MSPs (Managed Service Providers) run their businesses. Syncro provides MSPs with a device-management agent that is delivered as a customized MSI file tied to a customer ID, and it also offers a 21-day trial that lets the user choose the subdomain.

The trial version comes with a GUI (Graphical User Interface), allowing the actor complete control over any device via RAT, a terminal with SYSTEM privileges, remote desktop access, task and service managers, and more. With Syncro, threat actors can deploy multiple backdoors, exfiltrate data, and hand off access to other threat actors, making it a significant threat.



How does MuddyWater’s Phishing Campaign Work?

The phishing campaign works in three key steps, which are:

  1. Targeted Emails: MuddyWater’s latest phishing campaign follows in the footsteps of its previous one, with threat actors practicing social engineering and sending malicious phishing emails to targeted individuals.
  2. Malicious Attachments: Once the victim has been approached, the threat actors send a phishing link to a legitimate document dropbox, an HTML file that connects to a cloud server, or a malicious attachment that leads the victim to OneHub.
  3. ZIP Downloads: All of these cloud servers and document dropboxes host a malicious ZIP file, which extracts an MSI Windows Installer that deploys Syncro on the victim's machine.
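The delivery chain above starts with a small HTML attachment whose only job is to send the reader to a file-sharing host or a direct ZIP/MSI download. The following triage routine is an added example written for this article, not code from the original post or from Deep Instinct; the file-sharing host list, the thresholds and the sample attachment are constructed assumptions and would be tuned to your environment.

```python
"""Triage an HTML e-mail attachment for the MuddyWater lure pattern:
little visible content, plus links to file-sharing hosts or ZIP/MSI files."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the article as abused for payload delivery (assumed domains).
FILE_SHARING_HOSTS = {"onehub.com", "dropbox.com"}
PAYLOAD_SUFFIXES = (".zip", ".msi")
MIN_VISIBLE_CHARS = 200  # assumption: real documents carry more text than this


class _LinkCollector(HTMLParser):
    """Collect outbound targets: <a href>, <meta refresh> and <form action>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_chars = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            if "url=" in content.lower():
                self.links.append(content.split("=", 1)[1].strip())
        elif tag == "form" and attrs.get("action"):
            self.links.append(attrs["action"])

    def handle_data(self, data):
        self.text_chars += len(data.strip())


def triage_html_attachment(html: str) -> dict:
    """Return the collected links, the findings and an overall verdict."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        parsed = urlparse(link)
        host = (parsed.hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS):
            findings.append(f"file-sharing host: {host}")
        if parsed.path.lower().endswith(PAYLOAD_SUFFIXES):
            findings.append(f"direct payload link: {link}")
    if parser.links and parser.text_chars < MIN_VISIBLE_CHARS:
        findings.append("little visible content, mostly redirects or links")
    return {"links": parser.links, "findings": findings, "suspicious": bool(findings)}


# Constructed sample attachment for the demo; not a real lure.
SAMPLE_LURE = ('<html><body><p>Your invoice is ready.</p>'
               '<a href="https://ws.onehub.com/files/example">Download</a></body></html>')
```

Run `triage_html_attachment(SAMPLE_LURE)` to see the two findings the sample triggers; a mail gateway or sandbox would feed it every `.html` attachment and quarantine on `suspicious`.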


How to Protect Against the MuddyWater Phishing Campaign?

Along with the analysis, Deep Instinct’s researchers advised security teams, organizations, and individuals to monitor their machines for remote desktop solutions that are uncommon in the enterprise, since these are abused more often than their common counterparts.

Additionally, organizations should provide thorough phishing training to the workforce and executives alike. Here are a few ways you can ensure that your clients and organizations are safe from phishing emails and social engineering:

  • SSL Certificates: Using an SSL (Secure Sockets Layer) certificate allows organizations to encrypt all incoming and outgoing traffic, which means the information in transit is protected from eavesdropping and cannot be harvested for social engineering.
  • Securely Hosted Payments: One of the best practices for 2023 and beyond is reducing risks to customer financial information by using payment gateways with current PCI DSS and ISO 27001 certifications. So even if your customers receive phishing emails aimed at stealing their financial information, they are protected.
  • Adequate Staff Education: Educating employees is critical, since they make or break any organization. Proper staff training, phishing awareness, practice simulations, and regular seminars covering the latest revelations and phishing tactics reinforce the lessons in the workforce, making employees better at identifying and steering clear of phishing emails.


Final Words

The latest MuddyWater phishing campaign is novel, and the targeted organizations need to learn from it to improve their phishing protection, not just against the ongoing threat but against future ones. With its varied social engineering methods and malicious payload deployment, the latest MuddyWater phishing campaign will surely harm many more.


However, the first step in stopping any threat is knowing how it works and how it can damage you. With that covered, follow the guidelines above to strengthen the organization against phishing attacks, and invest in automated tools and technologies and cyber insurance to be prepared for the worst case, since there is a significant chance that any organization will face a cyberattack, especially phishing.
