CloudSEK Updates

CloudSEK’s latest investigation exposes a rapidly evolving fraud ecosystem targeting Canadians through highly convincing impersonation of government services and trusted national brands. From fake traffic fines and tax refunds to airline bookings and parcel delivery alerts, attackers are scaling operations using shared infrastructure and phishing-as-a-service models. The report reveals how urgency and institutional trust are weaponized—and what organizations must do to stay ahead.

MacSync is a stealthy macOS infostealer delivered through a ClickFix-style phishing lure that tricks users into pasting a single Terminal command. Once executed, it harvests passwords, browser data, crypto wallets, and even trojanizes trusted hardware wallet apps like Ledger and Trezor—turning familiar software into long-term phishing tools

CloudSEK has exposed RedLineCyber, a threat actor infiltrating Discord to distribute Pro.exe. This "clipboard hijacker" silently monitors your system, swapping your destination wallet address for the attacker’s the moment you paste. Targeting streamers and gamers, this stealthy malware operates without a network footprint—making it nearly invisible until your assets are gone.

CloudSEK's TRIAD recently identified a spear-phishing campaign attributed to the Muddy Water APT group targeting multiple sectors across the Middle East, including diplomatic, maritime, financial, and telecom entities. The campaign uses icon spoofing and malicious Word documents to deliver "RustyWater," a Rust-based implant representing a significant upgrade to their traditional toolkit

CloudSEK’s report details a persistent nine-month RondoDoX botnet campaign targeting IoT devices and web applications. Recently, the threat actors have shifted to weaponizing a critical Next.js vulnerability, deploying malicious payloads like "React2Shell" and cryptominers. This analysis offers crucial insights into their evolving infrastructure and provides defensive recommendations to mitigate these sophisticated attacks.

CloudSEK's TRIAD reveals a critical campaign by the Chinese "Silver Fox" APT targeting Indian entities with authentic-looking Income Tax phishing lures. While previously misattributed to SideWinder, this sophisticated attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence. Discover the full technical breakdown and why accurate attribution is essential for effective defense.

CloudSEK has uncovered 2,000+ fake holiday-themed online stores ahead of Black Friday, including Amazon-lookalikes and .shop domains mimicking global brands. These coordinated scams use identical phishing kits, fake urgency tactics, and shell checkout pages, posing major risks to consumers. Full findings available in the detailed research report.

Over the past decade, the English-speaking cybercriminal ecosystem commonly referred to as “The COM” has undergone a profound transformation. What began as a niche subculture centered on the trading of what is called “OG Usernames (original gangster)”

APT35 (Charming Kitten) operates a professional malware ecosystem featuring Saqeb System and RAT-2AC2 RATs, custom webshells, and FUD-tested modules. The group’s C2 uses TOR, multi-hop relays, and encrypted traffic for persistence and stealth. Targeting airlines, law enforcement, and regional infrastructure (2022-2025), it links cyber operations to IRGC geopolitical objectives