Threat hunters have flagged a new campaign that uses search engine optimization (SEO) poisoning techniques to target employees' mobile devices and facilitate payroll fraud.
The activity, first detected by ReliaQuest in May 2025 and aimed at an unnamed customer in the manufacturing sector, is characterized by the use of fake login pages to gain access to the employee payroll portal and redirect paychecks into accounts under the threat actor's control.
"The attacker's infrastructure used compromised home office routers and mobile networks to mask their traffic, evading detection and slipping past traditional security measures," the cybersecurity company noted in an analysis published last week.
"The adversary targeted employees' mobile devices with a fake website impersonating the organization's login page. Armed with stolen credentials, the adversary gained access to the organization's payroll portal, changed direct deposit information, and redirected employees' paychecks into their own accounts."
While the attacks have not been attributed to a specific hacking group, ReliaQuest said the activity is part of a broader, ongoing campaign, based on two similar incidents it investigated at the end of 2024.
It all starts when an employee searches for their company's payroll portal on a search engine such as Google, where deceptive sites reach the top of the results by means of sponsored links. Those who click the fraudulent links land on a WordPress site, which redirects to a phishing page mimicking the Microsoft login portal only when visited from a mobile device.
The credentials entered on the fake landing page are captured by the attackers.
This gives the attackers the opportunity to reuse the credentials before they are changed and gain unauthorized access to the payroll system.
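The mobile-only redirect described above is what lets the lure pass a desktop-based look. The following check, an added example that is not ReliaQuest's tooling or code from the article, fetches a URL as a desktop browser and as a mobile browser and reports any divergence, including the redirect target a mobile visitor is sent to. The `fake_fetch` function and the `lure.example` / `honest.example` hostnames are constructed stand-ins that model the behaviour the article describes, so the check runs offline; swap in a real HTTP client to scan a live site.

```python
"""Detect User-Agent-based cloaking (desktop sees a benign page, mobile is
redirected to a credential phish). Added example with a constructed fetch
stand-in; the hostnames are not from the article."""
from dataclasses import dataclass
from typing import Callable, Optional

DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0 Safari/537.36")
MOBILE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1")
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class Response:
    status: int
    location: Optional[str]   # Location header if the server redirected, else None
    body: str


Fetcher = Callable[[str, str], Response]


def fake_fetch(url: str, user_agent: str) -> Response:
    """Constructed stand-in for an HTTP GET that does not follow redirects.
    It models the lure: benign article for desktops, redirect for mobiles."""
    is_mobile = any(tag in user_agent for tag in ("Mobile", "iPhone", "Android"))
    if url == "https://lure.example/payroll":
        if is_mobile:
            # hypothetical phishing target, not an indicator from the article
            return Response(302, "https://login.lure.example/common/oauth2", "")
        return Response(200, None, "<html><title>Payroll help articles</title></html>")
    if url == "https://honest.example/payroll":
        return Response(200, None, "<html><title>Employee self-service</title></html>")
    return Response(404, None, "")


def check_cloaking(url: str, fetch: Fetcher = fake_fetch) -> dict:
    """Fetch the URL with both User-Agents and report how the responses differ."""
    desktop = fetch(url, DESKTOP_UA)
    mobile = fetch(url, MOBILE_UA)
    findings = []
    if desktop.status != mobile.status:
        findings.append(f"status differs: desktop={desktop.status} mobile={mobile.status}")
    if desktop.location != mobile.location:
        findings.append(f"redirect differs: desktop={desktop.location} mobile={mobile.location}")
    elif desktop.body != mobile.body:
        findings.append("body differs between desktop and mobile")
    mobile_only_redirect = (mobile.status in REDIRECT_STATUSES
                            and desktop.status not in REDIRECT_STATUSES)
    return {
        "url": url,
        "cloaked": bool(findings),
        "mobile_only_redirect": mobile_only_redirect,
        # the hop a mobile user is sent to; this is the URL worth recording as an IoC
        "mobile_target": mobile.location,
        "findings": findings,
    }


if __name__ == "__main__":
    for u in ("https://lure.example/payroll", "https://honest.example/payroll"):
        print(check_cloaking(u))
```

For a live check, a fetcher such as `lambda url, ua: requests.get(url, headers={"User-Agent": ua}, allow_redirects=False, timeout=10)` adapted to the `Response` shape is enough; keep `allow_redirects=False` so the mobile redirect target is recorded rather than silently followed, and run the mobile fetch from a source the lure will not fingerprint as a sandbox.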
Targeting employees' mobile devices also pays off twice: they lack the enterprise security controls that are usually present on desktop computers, and they connect from outside the corporate network, which reduces visibility and hampers investigation efforts.
"By targeting unprotected mobile devices that lack security and logging solutions, this tactic not only evades detection but also undermines efforts to analyze the phishing site," ReliaQuest said. "This prevents security teams from scanning the site and adding it to indicators of compromise (IoCs), further complicating mitigation efforts."
In a further attempt to evade detection, the malicious login attempts were found to originate from residential IP addresses associated with home office routers, including brands such as ASUS and Pakedge.
This indicates that the threat actors are exploiting weaknesses such as security flaws, default credentials, or other misconfigurations that commonly affect such network devices in order to carry out brute-force attacks. The compromised routers are then infected with proxy botnet malware, and the resulting proxy capacity is ultimately rented out to other cybercriminals.
"When attackers use proxy networks, particularly those tied to residential or mobile IPs, they become much harder for organizations to detect and investigate," ReliaQuest said. "Unlike VPNs, which are often flagged because their IP ranges have previously been abused, residential or mobile IPs allow attackers to fly under the radar and avoid being classified as malicious."
"Moreover, proxy networks allow attackers to make their traffic appear to originate from the same geographical location as the target organization, bypassing security measures designed to flag logins from unusual or suspicious locations."
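The point of the residential-proxy tactic is that a geolocation rule sees nothing unusual. The following detection logic is an added example, not ReliaQuest's detection content, run over constructed sample events rather than real logs. It contrasts a geolocation-only rule, which the same-country proxy defeats, with a rule that fires when a direct deposit change is made from a session whose source network or device has never been seen for that user. The event fields (`user`, `src_ip`, `asn_org`, `country`, `device_id`) and the `Example Manufacturing Co` / `Residential ISP Inc` network names are assumptions about the log schema and not from the article.

```python
"""Payroll-redirect detection over constructed identity-provider and payroll
events. Added example; schema and sample data are assumptions, not real logs."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    src_ip: str
    asn_org: str     # owner of the source network, as returned by an IP-to-ASN lookup
    country: str
    device_id: str   # device/browser identifier issued by the identity provider


@dataclass(frozen=True)
class PayrollChange:
    ts: datetime
    user: str
    field: str
    src_ip: str
    device_id: str


T0 = datetime(2025, 5, 5, 8, 0)

# Constructed baseline: a month of ordinary logins from the corporate network.
BASELINE = [
    Login(T0 - timedelta(days=d), "alice", "203.0.113.10", "Example Manufacturing Co", "US", "alice-laptop")
    for d in range(30, 1, -1)
] + [
    Login(T0 - timedelta(days=d), "bob", "203.0.113.11", "Example Manufacturing Co", "US", "bob-laptop")
    for d in range(30, 1, -1)
]

# Constructed incident-day events: the attacker uses alice's stolen credentials
# through a residential proxy in the target's own country from an unseen phone,
# then changes her deposit account. Bob updates his own details from his laptop.
RECENT = [
    Login(T0 + timedelta(minutes=5), "alice", "198.51.100.77", "Residential ISP Inc", "US", "ios-7f3a"),
    Login(T0 + timedelta(minutes=30), "bob", "203.0.113.11", "Example Manufacturing Co", "US", "bob-laptop"),
]
CHANGES = [
    PayrollChange(T0 + timedelta(minutes=17), "alice", "direct_deposit_account", "198.51.100.77", "ios-7f3a"),
    PayrollChange(T0 + timedelta(minutes=41), "bob", "direct_deposit_account", "203.0.113.11", "bob-laptop"),
]


def build_profiles(logins):
    """Per-user sets of countries, source networks and devices seen in the baseline."""
    countries, asns, devices = defaultdict(set), defaultdict(set), defaultdict(set)
    for l in logins:
        countries[l.user].add(l.country)
        asns[l.user].add(l.asn_org)
        devices[l.user].add(l.device_id)
    return countries, asns, devices


def geo_only_alerts(recent, baseline):
    """Naive rule: alert on a login from a country the user has not used before.
    A same-country residential proxy produces no alert here."""
    countries, _, _ = build_profiles(baseline)
    return [l.user for l in recent if l.country not in countries[l.user]]


def deposit_change_alerts(changes, recent, baseline, window=timedelta(hours=2)):
    """Alert when a direct deposit change is made from a session whose source
    network or device is new for that user. Geography is never consulted, so
    the proxy's matching location does not help the attacker."""
    _, asns, devices = build_profiles(baseline)
    alerts = []
    for c in changes:
        if c.field != "direct_deposit_account":
            continue
        # The session's login: latest login by the same user from the same IP within the window.
        session = [l for l in recent
                   if l.user == c.user and l.src_ip == c.src_ip
                   and timedelta(0) <= c.ts - l.ts <= window]
        if not session:
            alerts.append((c.user, ["no matching login for the session"]))
            continue
        login = max(session, key=lambda l: l.ts)
        reasons = []
        if login.asn_org not in asns[c.user]:
            reasons.append(f"new source network: {login.asn_org}")
        if login.device_id not in devices[c.user]:
            reasons.append(f"new device: {login.device_id}")
        if reasons:
            alerts.append((c.user, reasons))
    return alerts


if __name__ == "__main__":
    print("geo-only:", geo_only_alerts(RECENT, BASELINE))
    print("deposit-change:", deposit_change_alerts(CHANGES, RECENT, BASELINE))
```

In practice the ASN lookup is the weak spot: residential ranges are not on the usual VPN or hosting blocklists, which is exactly why the rule compares the network against the user's own history rather than against a reputation list, and pairs that with the high-value action (the deposit change) rather than alerting on every login.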
The disclosure comes as Hunt.io detailed a phishing campaign that uses a fake file-sharing service web page to steal Microsoft Outlook login credentials under the pretext of granting access to shared files. The pages, according to the company, are built with the W3LL phishing kit.
It also coincides with the discovery of a new phishing kit codenamed CoGUI, which is being used to actively target Japanese organizations by impersonating well-known consumer and financial brands such as Amazon, PayPay, MyJCB, Apple, Orico, and Rakuten. As many as 580 million emails were sent between January and April 2025 as part of the campaigns using the kit.
"CoGUI is a sophisticated kit that employs advanced evasion techniques, including geofencing, header fencing, and fingerprinting to avoid detection by automated browsing systems and sandboxes," the researchers noted in an analysis released this month. "The objective of the campaigns is to steal usernames, passwords, and payment data."
The phishing emails observed in the attacks contain links leading to credential-harvesting sites. It is worth noting that CoGUI does not include the ability to collect multi-factor authentication (MFA) codes.
CoGUI is said to have been in use since at least October 2024 and is believed to be related to Darcula, with the former assessed to be part of the same Chinese cybercrime ecosystem known as Smishing Triad, which also includes Lucid and Lighthouse.
That said, one important aspect that separates Darcula from CoGUI is that the former is more focused on mobile devices and smishing, and seeks to steal credit card data.
"Darcula is becoming more accessible, both in terms of cost and in terms of presence, so in the future it could pose a significant threat," the researchers told The Hacker News in a statement. "Lucid, on the other hand, continues to stay under the radar. It remains difficult to identify the phishing kits just by looking at the SMS messages or URLs, because they often use common delivery services."
Another new smishing kit to emerge from the Chinese cybercrime landscape is Panda Shop, which uses Telegram channels and interactive bots to automate its services. The phishing pages are designed to impersonate popular brands and government services in order to steal personal information. The harvested credit card data is sent to underground shops and sold to other cybercriminals.
"Notably, the Chinese cybercrime syndicates involved in smishing …" Resecurity noted. "They emphasized in their communications that they do not care about law enforcement."
Resecurity, which identified Panda Shop in March 2025, said the threat actor operates a crime-as-a-service model similar to that of Smishing Triad, offering customers the ability to distribute messages via Apple iMessage and Android RCS using Apple and Gmail accounts.
Panda Shop is believed to overlap with Smishing Triad, based on similarities in the phishing kits. There are also numerous threat actors using the smishing kit to target Google Wallet and Apple Pay.
"The actors behind the smishing campaigns are closely linked to those involved in merchant fraud and money laundering activities," the security firm said. "Smishing is one of the main catalysts behind carding, supplying the cybercrime underground with significant volumes of compromised data collected from victims."