Pakistan has now become a target for the Smishing Triad, a threat actor expanding its operations beyond the E.U., Saudi Arabia, the U.A.E., and the U.S.
“The Smishing Triad is targeting Pakistan by sending malicious messages on behalf of Pakistan Post to customers of mobile carriers through iMessage and SMS,” Resecurity reported earlier this week. “Their aim is to steal personal and financial information.”
The threat actors, believed to be Chinese-speaking, use stolen databases obtained from the dark web to send fake SMS messages. The messages claim that a package delivery failed and ask the recipient to click a link to update their address.
Clicking on the URLs directs users to counterfeit websites that prompt them to provide financial information under the guise of a service fee for redelivery.
“Apart from Pakistan Post, the group has been involved in multiple fake delivery package scams, targeting individuals expecting packages from reputable courier services like TCS, Leopard, and FedEx,” noted Resecurity.
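The lure described above (a courier brand, a failed-delivery claim, a request to update the address, a redelivery fee, and a link on a domain the courier does not own) can be triaged mechanically. The following Python example is added here and is not from Resecurity or the article; it scores constructed SMS texts against those traits. The brand-to-domain allowlist uses placeholder `.example` domains and is an assumption standing in for the carriers' real domains.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: placeholder domains for the brands named in the report.
# A real deployment would load the couriers' actual domains here.
BRAND_DOMAINS = {
    "pakistan post": {"pakpost.example"},
    "tcs": {"tcs.example"},
    "leopard": {"leopard.example"},
    "fedex": {"fedex.example"},
}

# Lure patterns: failed delivery, address update, fee/payment, and any URL.
DELIVERY_LURE = re.compile(
    r"\b(failed|unable|could not|unsuccessful|missed)\b.*\b(deliver\w*|package|parcel)\b",
    re.I | re.S)
ADDRESS_LURE = re.compile(r"\b(update|confirm|verify)\b.*\baddress\b", re.I | re.S)
FEE_LURE = re.compile(r"\b(fee|charge|pay|payment|redeliver\w*)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def domain_matches(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def score_message(text):
    """Return (score, reasons) for one SMS body; more reasons means more smishing-like."""
    reasons = []
    lower = text.lower()
    brand = next((b for b in BRAND_DOMAINS if b in lower), None)
    if brand:
        reasons.append(f"mentions {brand}")
    if DELIVERY_LURE.search(text):
        reasons.append("failed-delivery lure")
    if ADDRESS_LURE.search(text):
        reasons.append("asks to update address")
    if FEE_LURE.search(text):
        reasons.append("mentions a fee or payment")
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if brand and not domain_matches(host, BRAND_DOMAINS[brand]):
            reasons.append(f"link host {host} does not belong to {brand}")
        elif not brand:
            reasons.append(f"link to {host}")
    return len(reasons), reasons


def is_suspicious(text, threshold=3):
    """Flag a message when it stacks at least `threshold` lure traits."""
    return score_message(text)[0] >= threshold


# Constructed sample messages (not real captures).
SAMPLE_SMISH = ("Pakistan Post: Your package could not be delivered due to an incomplete "
                "address. Update your address and pay the redelivery fee at "
                "http://pk-post-redelivery.example/track")
SAMPLE_BENIGN = "TCS: Your parcel was delivered today. Thank you for shipping with us."

if __name__ == "__main__":
    for msg in (SAMPLE_SMISH, SAMPLE_BENIGN):
        score, reasons = score_message(msg)
        print(score, is_suspicious(msg), reasons)
```

The domain check is the discriminating signal: a genuine failed-delivery notice may also mention an address or a fee, but it links to the courier's own domain. Treat the score as a triage aid for carrier abuse desks or mobile security tooling, not as a block decision on its own.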
Google recently unveiled details about the PINEAPPLE threat actor, which uses tax and finance-themed phishing lures to target Brazilian users. These scams entice users to open malicious links leading to the deployment of the Astaroth (aka Guildma) malware.
“PINEAPPLE often misuses legitimate cloud services to distribute malware to Brazilian users,” stated Google’s Mandiant and Threat Analysis Group (TAG). “The group has tried various cloud platforms, including Google Cloud, Amazon AWS, Microsoft Azure, and more.”
Google also observed Google Cloud Run being abused to spread Astaroth, an abuse Cisco Talos had flagged in February as part of a high-volume malware distribution campaign across Latin America (LATAM) and Europe.
Google also identified a threat cluster known as UNC5176 targeting financial services, healthcare, retail, and hospitality sectors with a backdoor called URSA, stealing login credentials for banks, cryptocurrency websites, and email clients.
These attacks use emails and malvertising campaigns to distribute a ZIP file containing an HTML Application file, leading to the installation of a malware payload.
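A ZIP attachment carrying an HTML Application (.hta) file is a delivery pattern a mail gateway can catch before anything is opened. The Python example below is added here and is not code from Google, Mandiant or the article; it inspects an in-memory ZIP, flags HTA and other script or executable members, double extensions, HTA markup hidden under another extension, and nested archives. The blocked-extension list and size limit are assumed policy values, and the sample archives are constructed for the demonstration.

```python
import io
import zipfile

# Assumed policy: member types that should never arrive inside a mail attachment archive.
# The report names HTA; the others are common script/executable carriers added here.
BLOCKED_EXT = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".exe", ".scr", ".lnk"}
MAX_MEMBER_BYTES = 5 * 1024 * 1024   # skip content sniffing on very large members
MAX_DEPTH = 2                        # how many levels of nested ZIPs to descend


def _ext(name):
    """Lower-cased final extension of a member name, or '' if it has none."""
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def inspect_zip(data, depth=0):
    """Return a list of findings for a ZIP attachment held in memory (bytes)."""
    findings = []
    if depth > MAX_DEPTH:
        return [f"nested archive deeper than {MAX_DEPTH} levels"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = _ext(name)
            if ext in BLOCKED_EXT:
                findings.append(f"{name}: blocked type {ext}")
                if name.lower().count(".") > 1:          # e.g. notice.pdf.hta
                    findings.append(f"{name}: double extension")
            if info.file_size > MAX_MEMBER_BYTES:
                continue
            content = zf.read(name)
            head = content[:4096]
            # HTA markup under a harmless-looking extension
            if b"hta:application" in head.lower() and ext != ".hta":
                findings.append(f"{name}: HTA markup under non-HTA extension")
            # Nested ZIP: local file header signature
            if head[:4] == b"PK\x03\x04":
                findings.extend(f"{name} -> {f}" for f in inspect_zip(content, depth + 1))
    return findings


def build_zip(members):
    """Build an in-memory ZIP from {name: str_or_bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: an HTA disguised as a PDF next to a harmless text file.
SAMPLE_LURE = build_zip({
    "Delivery_Notice.pdf.hta": "<html><hta:application id='x'/><!-- constructed marker --></html>",
    "readme.txt": "constructed benign text",
})

if __name__ == "__main__":
    for finding in inspect_zip(SAMPLE_LURE):
        print(finding)
```

Because members are read into memory rather than extracted, the check runs safely on a gateway or in a sandbox pre-filter; the nesting limit keeps a crafted archive-in-archive from driving unbounded recursion.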
Another financially motivated actor in Latin America highlighted by Google is FLUXROOT, linked to distribution of the Grandoreiro banking trojan. Google reported taking down phishing pages that FLUXROOT hosted on Google Cloud impersonating Mercado Pago to steal credentials.
“FLUXROOT continues to distribute Grandoreiro, using cloud services like Azure and Dropbox to spread the malware,” Google added.
In addition, a new threat actor named Red Akodon has been observed distributing various remote access trojans via phishing messages to target organizations in Colombia since April 2024. The campaign focuses on government, health, education, financial, manufacturing, food, services, and transportation industries in Colombia.
“Red Akodon initiates its attacks through phishing emails, posing as lawsuits and judicial summonses allegedly from Colombian institutions like the Fiscalía General de la Nación and Juzgado 06 civil del circuito de Bogotá,” mentioned Mexican cybersecurity firm Scitum.