Network Security, Email security, Phishing

Threat actors use spam bombardment in social engineering campaign

A computer screen displays a digital alert of an email phishing threat, accompanied by a striking red warning sign.

Cybersecurity researchers at Rapid7 identified a social engineering campaign targeting enterprises with spam emails to gain initial access for further exploitation, The Hacker News reports.

Click for more special coverage

The main version of the ongoing campaign, which has been active since late April 2024, overwhelms users with legitimate newsletter sign-up confirmations to bypass email protection systems. The threat actors then impersonate the company's IT team, contacting users by phone to persuade them to install remote monitoring software like AnyDesk or Microsoft’s Quick Assist. Once remote access is established, attackers execute batch scripts to download additional payloads, including OpenSSH for Windows, creating a reverse shell to their command-and-control server. The campaign also attempts to deploy Cobalt Strike beacons, although one observed attempt failed.

This activity shows overlap with tactics previously associated with Black Basta ransomware operators. The campaign has also utilized remote monitoring tools such as ConnectWise ScreenConnect and the NetSupport RAT, a remote access trojan linked to FIN7, a cybercriminal group with connections to Black Basta.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.