Executive Summary

This week exposed critical social engineering campaigns targeting manufacturing supply chains and diplomatic missions with unprecedented sophistication. Attackers are weaponizing trusted platforms like Google Classroom and exploiting AI summarization tools to bypass security controls. The UpCrypter phishing campaign has compromised Windows systems across manufacturing, healthcare, and retail sectors globally, while APT36 expanded attacks to Linux infrastructure in government networks. Most concerning: the emergence of "invisible prompt injection" attacks that manipulate AI tools to deliver ransomware instructions, and sophisticated campaigns initiating contact through corporate "Contact Us" forms to build trust over weeks before payload delivery.

Business impact centers on supply chain disruption, with manufacturing bearing 31% of targeted attacks. Financial services face escalating voice deepfake threats, with new campaigns impersonating CoinMarketCap journalists to compromise crypto executives. Security teams must immediately: (1) implement stricter verification for inbound business communications, (2) sanitize AI tool inputs to prevent prompt injection, and (3) strengthen help desk authentication protocols against bribery attempts like those seen in the Coinbase breach.

Top 5 This Week

  • Phishing Campaign Uses UpCrypter in — Global campaign targeting manufacturing with fake voicemails delivers remote access tools. Deploy email filters for HTML attachments claiming missed calls.

  • MixShell Malware Delivered via Contact — Attackers initiate weeks-long trust building through company contact forms before payload delivery. Implement verification protocols for all inbound business inquiries.

  • Weaponized AI-Generated Summaries — Invisible prompt injection manipulates AI tools to output ransomware commands. Sanitize all AI tool inputs and monitor for unexpected instructions in outputs.

  • Behind the Coinbase Breach — Attackers bribed outsourced support staff for customer data access. Audit third-party access controls and implement bribery reporting protocols.

  • APT36 Attacking Indian BOSS Linux Systems — Spear-phishing with weaponized .desktop files targets government Linux infrastructure. Train Linux users on file extension verification before opening attachments.

Phishing & BEC

Global Phishing Campaign Utilizes UpCrypter Loader (FortiGuard Labs)
Sophisticated global campaign uses personalized emails with HTML attachments redirecting to spoofed websites, employing the UpCrypter loader to install persistent remote access tools. Manufacturing comprises 31% of targets, with high sophistication attacks also hitting healthcare and retail sectors.

Exploiting Google Classroom in Sophisticated Phishing Campaign (Check Point)
Threat actors exploited Google Classroom's trusted status to target 13,500 organizations globally, sending 115,000 phishing emails that bypassed security filters. The medium sophistication campaign directed victims to WhatsApp for secondary engagement, exposing vulnerabilities in domain-based trust models.

Kimsuky APT Data Leak (Foresiet)
Major leak from North Korea's Kimsuky APT exposed their toolkit including customized malware and thousands of stolen credentials. High sophistication attacks targeted government networks in South Korea, U.S., Japan, and Europe using spoofed government email addresses.

Social Engineering

Sophisticated Social Engineering Campaign Targets U.S. Supply Chain (Check Point Research)
The ZipLine campaign targeting manufacturing initiates contact through corporate "Contact Us" forms, conducting weeks of professional exchanges before delivering MixShell malware via weaponized ZIP files. High sophistication attacks use DNS tunneling and in-memory execution to evade detection.

Exploiting AI Summarisation Tools with ClickFix-Style Prompt Injection (CloudSEK)
Researchers developed prompt injection attacks manipulating AI summarization tools to generate malicious instructions using hidden HTML/CSS. High sophistication technique exploits the gap between visible and processed content, potentially leading AI to output ransomware deployment commands.

The SOC Crisis: Why Current Security Operations Centers Are Failing
Analysis reveals SOCs struggle against AI-driven social engineering despite significant investments. High sophistication attacks exploit identity-based vulnerabilities while organizations maintain the illusion of security through inadequate tool integration.

Spear-phishing

APT36 Exploits .desktop Files to Target Indian BOSS Linux Systems (Cyfirma)
APT36 launched high sophistication attacks on India's government Linux infrastructure using weaponized .desktop shortcut files disguised as PDFs. Distributed via spear-phishing, the campaign establishes persistence through cron jobs and exfiltrates sensitive government data.

Spear-Phishing Campaign Targets Crypto Executives (CoinMarketCap)
Medium sophistication campaign impersonates CoinMarketCap journalists to target crypto executives with fake interview requests. Attackers exploit Zoom remote control features during calls to deploy malware and steal sensitive financial data.

UNC6384: Advanced Cyber Espionage Tactics (Google Threat Intelligence)
China-nexus threat actor UNC6384 targets Southeast Asian diplomats using AitM techniques with valid code signing certificates to deploy PlugX malware. High sophistication attacks redirect users to malicious sites mimicking software updates.

Bribery

Coinbase Breach: A New Era of Bribery in Cyber Attacks (Coinbase, TaskUS)
Attackers bribed outsourced workers in India to access Coinbase customer data, highlighting the shift from technical exploits to human compromise. Medium sophistication attack underscores vulnerabilities in third-party vendor management.

Keep Reading

No posts found

© 2025 Mirage Threat Radar: Social Engineering Weekly.

Privacy policy

Terms of use

Powered by beehiiv