In a novel maneuver for a disruption operation against cyber attackers, industry and law enforcement teamed up to conduct a court takedown of two widely-used criminal tools at once rather than individually, Microsoft said Tuesday.

The takedown simultaneously went after Amadey, a botnet that can serve as a malware delivery system, and StealC, an infostealer. Cybercriminals often use them in conjunction and they rely on the same infrastructure, Microsoft said.

“When multiple parts of an operation are disrupted together, attacks are harder to launch, scale, and recover from,” said Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit. “The result: fewer disrupted services, fewer opportunities for cybercriminals to profit, and more friction when they try to rebuild. It’s no longer enough to go after threats one by one. We need to interrupt how the attacks are put together.”

Microsoft had been tracking Amadey with ESET, BitSight, Lumen and Mitsui Bussan Secure Directions. Meanwhile, Europol had been investigating StealC alongside law enforcement partners including Germany’s Federal Criminal Police Office and the Dutch and Danish National Police as well as IBM X-Force and Proofpoint.

They then joined forces and turned to the Racketeer Influenced and Corrupt Organizations (RICO) Act, used to help authorities go after organized crime, to disrupt more than 200 command-and-control servers. Microsoft said it gained insights from its artificial intelligence product Copilot that “allowed the legal team to treat both malware families as part of a single criminal conspiracy.”

Microsoft regularly leads court-authorized disruption operations, but the industry and law enforcement partnerships combined with AI to expand data collection and identify connections beyond what one company could normally do, it said.

Amadey and StealC were linked to more than 140,000 infected computers around the globe in the first week of May alone, the company said. StealC has ranked among the top infostealers for years since its emergence in 2023 and sells in underground forums as a malware-as-a-service. It’s typically used by Russia-linked groups.

Amadey dates back to 2018, and is also commonly employed by Russian groups, including in attacks on Ukraine.

Their interaction shows the assembly line-like structure of modern cybercrime, Microsoft said. Even if the cybercriminals behind both tools never coordinate, their tools are designed to work together, it said.

“StealC is an infostealer that collects sensitive data from browsers, cryptocurrency wallets, messaging applications, email clients, and gaming platforms,” the company wrote in a separate blog post. “It is a malware-as-a-service (MaaS) offering that threat actors use to generate customized payloads and manage stolen data through a centralized web panel. Meanwhile, Amadey is a MaaS loader that threat actors use to deliver StealC and other malware. Modular, pay-as-you-go models like StealC and Amadey allow threat actors to use a single initial infection to quickly escalate into multiple other threats.”

The post In a first, a court takedown goes after two cybercrime tools at once appeared first on CyberScoop.

Authorities on Thursday disrupted a botnet, a malware framework and seized infrastructure that Evil Corp and other cybercrime groups used to steal data and break into various networks.

The globally coordinated effort targeted SocGholish, multi-stage malware that has compromised websites, redirected users to traffic distribution systems (TDS) and slipped malware into their networks since 2017.

“The malware establishes an initial foothold into victim computers, collectively known as a botnet, and is then used by threat actors for further targeting with ransomware campaigns and espionage,” the FBI’s cyber division said in a statement. 

Cybersecurity firms, researchers and officials from the United States, Canada, Germany, the Netherlands and Europol took down 106 servers and remediated nearly 15,000 sites that were infected with the malware. Officials also disabled the botnet and notified victims.

Sites infected with SocGholish, which are primarily hosted on WordPress, were widespread and provided everyday services including restaurants and auto repair shops, according to the Dutch National Police. 

The botnet, also known as “FakeUpdates,” is linked to the Russian cybercrime group Evil Corp. It also provided initial access to other ransomware variants, including DoppelPaymer, WastedLoocker, Hades Ransomware, LockBit, RansomHub and others, according to Infoblox, which participated in the takedown. 

Proofpoint, which also participated in the disruption, described Evil Corp as one of the most prominent cybercrime groups in operation and the “grandfather” of a threat type that compromises websites and uses TDS to redirect users to malware.

Following the takedown, the FBI issued a public service announcement warning about cybercriminals using TDS to break into victim networks for ransomware or other financial scams. 

Cybercriminals redirect traffic from sites to bypass firewalls, obscure their activity, identify potential victims and send them to phishing pages to steal credentials, initiate financial scams, access networks, deliver other malware, and sell access to other cybercriminals, officials said.

The law enforcement action was part of Operation Endgame, a multinational effort targeting cybercrime since 2024, and more narrowly for the FBI part of Operation Riptide, an ongoing campaign targeting cybercriminals and the infrastructure and financial networks they use to commit fraud.

The post Authorities disrupt Evil Corp’s SocGholish botnet appeared first on CyberScoop.

The FBI is warning organizations and defenders about Kali365, a growing phishing-as-a-service platform that retrieves Microsoft 365 access tokens, issuing a public service announcement Thursday. 

The toolkit bypasses multi-factor authentication and abuses OAuth device code authorizations via phishing lures impersonating common enterprise services. This technique grants cybercriminal-controlled applications access to Microsoft 365 accounts, opening victims up to a host of follow-on malicious activity, including data theft, fraud, extortion and ransomware attacks.

Kali365 is one of many rapidly emerging device-code phishing tools, which are gaining popularity as a more effective means for cybercriminals to circumvent security controls while abusing legitimate Microsoft device authorization pages, according to researchers. 

Instead of gaining access to accounts via phishing kits that steal credentials and second-factor authentication codes, device-code phishing platforms connect a malicious app to a legitimate account with a single code. The process requires fewer steps and less interaction with the user, but victims do have to copy-and-paste a code generated by the Kali365 platform to grant access.

“We see quite a bit of this device-code phishing activity, but so much of it looks really similar. They’re all using the same types of lures, the same types of content, the same branding,” Selena Larson, senior threat researcher at Proofpoint, told CyberScoop. “It is very much AI generated, AI driven, and the threat actors, I think, are finding it pretty effective because we’re seeing this shift happen kind of all at once.”

Proofpoint researchers observed seven device-code phishing tools that looked nearly identical during a 10-day period last month.

Device-code phishing isn’t new, but platforms like Kali365 have integrated new techniques that differ from MFA phishing, and might be more effective as a result. “It’s something that people might not be used to. It’s a little bit sleeker,” Larson said.

This also partly explains why these cybercriminal tools are growing so quickly. Larson said Proofpoint observed an explosion in device-code phishing activity starting in February. 

By April, Kali365 was up and running and primarily distributed on Telegram, according to the FBI. “Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,” the agency said in the public warning. 

Researchers at Arctic Wolf Labs, which has also been tracking large-scale campaigns linked to Kali365, said the platform charges affiliates $250 for 30 days of service or $2,000 for a full year.

Kali365 stores the OAuth access and refresh tokens it captures, and makes those available to affiliates on its platform. Those tokens can also be shared and reused by other cybercriminals who didn’t participate in the initial phishing lure, Arctic Wolf researchers added. 

The FBI also noted that these Microsoft 365 tokens provide persistent access, allowing attackers to wade through multiple Microsoft services without a password or additional MFA requests. 

“Identity can be very, very powerful once you’re in an organization,” Larson said, adding that attackers can abuse that access to impersonate people, access and steal data for extortion, commit fraud and deploy malware.

The post FBI warns about fast-growing phishing kit targeting Microsoft 365 users appeared first on CyberScoop.

A Chinese cyberespionage group has shifted its gaze back to Europe after years of focusing on other parts of the world, Proofpoint research published Wednesday found.

The surge began in mid-2025, with a bevy of issues bubbling up between China and Europe, the company said. Proofpoint labels the government-linked group TA416, but other companies track it as Twill Typhoon, Mustang Panda or other names.

“This renewed focus most heavily targeted individuals or mailboxes associated with diplomatic missions and delegations to NATO and the EU,” Proofpoint’s Mark Kelly and Georgi Mladenov wrote. “TA416’s return to European government targeting occurred during heightened EU–China tensions over trade, the Russia–Ukraine war, and rare earths exports, and commenced immediately following the 25th EU–China summit.”

Separately, the same group took up targeting the Middle East in March after the start of the conflict in Iran, something it had never been spotted doing before, Proofpoint found.

“This aligns with a trend observed by Proofpoint of some state-aligned threat actors shifting targeting toward Middle Eastern government and diplomatic entities in the aftermath of the war,” the firm said. “This likely reflects an effort to gather regional intelligence on the status, trajectory, and broader geopolitical implications of the conflict.”

TA416 was active in Europe in 2022 and 2023, coinciding with the onset of the Ukraine-Russia war, but stepped away from the continent afterward, according to the researchers. Its focus turned to Southeast Asia, Taiwan and Mongolia for a couple years.

The group’s focus on Europe through early 2026 used a variety of web bug and malware delivery methods, including setting up reconnaissance by dangling lures about Europe sending troops to Greenland. It also included phishing emails about humanitarian concerns, interview requests and collaboration proposals, Proofpoint said.

“During this period, TA416 repeatedly altered its initial infection chains while maintaining a consistent goal of loading the group’s customized PlugX backdoor via DLL sideloading triads,” the researchers wrote.

Proofpoint’s is not the only report of late about Chinese cyberespionage groups targeting Europe, with another focused on LinkedIn solicitations to NATO and European institutions.

The post European-Chinese geopolitical issues drive renewed cyberespionage campaign appeared first on CyberScoop.

A cyberattack that an Iranian hacking group said it carried out against medical device manufacturer Stryker might mark Tehran’s first significant cyber action since the start of the joint U.S.-Israel conflict.

But even that may have been a happy accident for Iranian hackers in what has been a low buzz of activity during that timeframe, with the attackers striking paydirt by happenstance rather than on purpose.

Cybersecurity firms, threat intelligence trackers and critical infrastructure owners have been fighting to separate the noise about proclaimed attacks out of Iran, and the warnings and threats related to the conflict, from what is actually happening and poses any significant danger.

“Everybody is scrambling right now,” said Alex Orleans, a long-time Iran threat analyst and head of threat intelligence at Sublime Security. Others said the nascent nature of the conflict is making assessments difficult.

“What we see is quite difficult to quantify or characterize about whether there’s been an increase or decrease,” said Saher Naumaan, senior threat researcher at Proofpoint. “I think since we’re only a couple weeks into the conflict, and the regular cadence of Iranian actors isn’t very consistent, necessarily, we don’t have enough data points or enough time to really judge.”

Signs of activity

In the early days of the conflict, there were indications that physical attacks on Iran might have hampered Iranian retaliatory efforts or other cyber activity, as those who would carry out cyberattacks were probably “hiding in bunkers,” Orleans said, and as Iran suffered internet outages.

In recent days, however, the Stryker attack and other indicators suggest that Iranian cyber activity could be heating up.

“For several days following the outbreak of the conflict, there was a noted decrease in cyber threat activity emanating from Iran,” a group of industry information and sharing analysis centers warned Wednesday. “However, there are signs of life in Iranian offensive cyber operations.”

The Stryker attack stands out for both the size and location of the target, a Michigan-based medical device manufacturer with more than $25 billion in revenue in 2025.

But both Orleans and Sergey Shykevich, threat intelligence group manager at Check Point Research, said the attack has the hallmarks of an opportunistic one rather than a deliberate, focused one. The group claiming credit for the attack, Handala — a Ministry of Intelligence-linked outfit — is known more for seizing advantage of weaknesses they happen upon rather than doggedly pursuing particular targets.

Notably, Stryker is also the class of a military vehicle used by U.S. forces. That military connection, even if confused with the medical device manufacturer, could possibly explain why the company was a target.

Still, “it was a much higher-profile attack than we expected from Handala,” Shykevich said. “Unfortunately, it’s possible to define it as a relatively big success for them.”

There have been reports of other cyber activity that might be connected to the conflict. Albania said the email system of its parliament had been targeted, with Iranian hackers taking credit. There was the targeting of cameras from Iran-linked infrastructure in countries that Iran then launched missiles into. Poland said it was looking into whether Iran was behind an attempted cyberattack on a nuclear research facility.

Some of the claims don’t match reality. “There are many hacktivist groups that are very active in Telegram, but actually they don’t have any significant successes,” Shykevich said.

There are other cyber-related developments in the conflict, too, like espionage, the proliferation of artificial intelligence-fueled misinformation and the possibility of Russia or China helping out in cyberspace on Iran’s behalf, even if some experts doubt the likelihood of the latter.

How effective any of it has been is still unclear. Stryker, for instance, said the attack mainly affected its internal networks, although there were signs it might be affecting communications at hospitals, too.

But the damage might be beside the point. Orleans said the attacks could be psychological in nature, aimed at producing fear abroad and affirming hackers’ standing with domestic leaders in Iran during the conflict.

Even low-level defacement or distributed denial-of-service attacks can play a role.

“Coming into work and finding an Iranian flag on your workstation would be a little bit  disconcerting, because they’re letting you know that, ‘I can reach out and touch you,’” said Sarah Cleveland, senior director of federal strategy at ExtraHop and a former cyber officer in the U.S. Air Force.

Possible follow-up impacts

While primarily known as a medical supply company, Stryker has received sizable contracts with the military for hospital equipment and surgical supplies, for example. It is unclear whether the hackers intended to use Stryker’s military connection to exploit government systems.

The Pentagon has long warned of increased, complex cyberattacks against the defense industrial base, a vast network of companies — with disparate levels of cybersecurity — that the military relies on for advanced weaponry to basic stretchers. The DIB is often seen by adversaries as a backdoor into military systems.

While he did not directly address the Stryker hack, the Army’s principal cyber adviser, Brandon Pugh, outlined some of the challenges to the DIB and the service’s part in trying to protect it during a webinar Thursday in response to a question on the topic.

He said adversaries “right or wrong” see companies “as an extension of the military” and that they believe an attack on private industry would have a secondary impact on the armed forces.

“Some are very large, sophisticated multinational companies,” he said, noting that security needs across the DIB aren’t universal. “Others are very small companies that are lucky to have a director of IT, let alone a sophisticated cyber team, and I think that’s where it’s really important to lean into.”

Pugh said that agencies across the federal government have been working with the DIB to boost its resilience to attacks, and that the Army’s cyber effort emphasizes entrenching cybersecurity from the beginning of the acquisition process.

“Cyber can’t be an afterthought — not saying it is,” Pugh added. “I’d say the Army does a great job here, but making sure it’s never forgotten and is always considered along that way.”

Matt Tait, the CEO and president of MANTECH, said in response to a question about the Stryker attack and DIB protections that defending against such incidents includes leveraging government agreements and access, such as with the NSA, and quickly sharing information following an attack.

“To me, it’s about real time information sharing,” he said. “You need real time information sharing when you’re getting attacked to be able to actually share that information with the rest of industry, as well as with government, because they can actually share that information across” federal cybersecurity entities.

“If you want to do mission focused technology work, this is the world you have to live in, and that you should be sharing this information on a real time basis,” he added. “24 hours later, 48 hours later, I call that ambulance chasing. That’s too far after the fact from a cyber perspective.”

The post Stryker attack highlights nebulous nature of Iranian cyber activity amid joint U.S.-Israel conflict appeared first on CyberScoop.