DomainGuard

Threats

A running catalog of phishing and brand-impersonation techniques attacking the open internet. How each works, when we first saw it, and whether attackers are still using it today.

A large-scale campaign leveraging deceptive Chrome extensions with over 900,000 installs. These extensions request broad permissions to scrape the DOM of AI chat interfaces, stealing proprietary prompts, session tokens, and active-tab URLs, then exfiltrating that data to attacker-controlled C2 servers.

Full write-up

A high-pressure social engineering attack impersonating Booking.com and other travel services. Victims are led to a fake BSOD page that instructs them to run a 'fix' command. The payload leverages MSBuild.exe to bypass execution policies and deploy DCRat malware.

Full write-up

A sophisticated T-Mobile smishing kit that fingerprints victims and logs clicks before presenting a fake payment interface. Captured data includes credit card numbers, CVV codes, and SMS OTPs, which are often used for unauthorized wallet provisioning or account takeover.

Full write-up

A ClickFix-family lure dressed as a Cloudflare 'I am not a robot' challenge. JavaScript silently writes a PowerShell command to the clipboard while the page tells the user to open Windows Terminal as admin, paste, and press Enter. The pasted command fetches and executes an attacker-controlled binary.

Full write-up

Attackers buy paid search ads on brand keywords, then route the click to a lookalike domain hosting a phishing page. Because the ad sits above the organic results, it intercepts traffic before users ever see the legitimate site.

Full write-up