Phishing on bubka hacks stuff

LD-Lumma Stealer - DLL Side-Loading via Click Fix Phishing

Tue, 14 Apr 2026 00:00:00 +0000

A Click Fix phishing email impersonating Microsoft lured Dylan into visiting a malicious site, which executed a disguised PowerShell command launching mshta.exe to download Lumma Stealer payload from overcoatpassably.shop. The host was contained before confirmed data exfiltration.

LD-Malicious Macro Executed

Tue, 14 Apr 2026 00:00:00 +0000

A phishing email from jake.admin@cybercommunity.info delivered a ZIP-archived Word macro document, which executed a PowerShell downloader fetching messbox.exe from greyhathacker.net. The host Jayne was contained after execution was confirmed.

ELK-BumbleBee - GOLD CABIN

Mon, 13 Apr 2026 00:00:00 +0000

An employee at CompliantSecure received a phishing email from emkei.cz, downloaded a malicious ISO containing BumbleBee loader 23.dll, which established C2 to 3.68.97.124 and injected into ImagingDevices.exe, dumped LSASS credentials, laterally moved to DC01 via PsExec using markw credentials, staged AdFind and AnyDesk, created sql_admin backdoor account, moved to FileServer01 and Support01, exfiltrated archived share data, and deployed Conti ransomware dropping R3ADM3.txt ransom notes.

ELK-Black Basta

Thu, 09 Apr 2026 00:00:00 +0000

A finance employee opened a malicious Excel macro from a drive-by download, which executed a VBS dropper, loaded WindowsUpdaterFX.dll via regsvr32, established persistence, dropped Pancake.jpg.exe as a C2 backdoor, performed internal reconnaissance, laterally moved to a domain controller via PsExec using compromised credentials, exfiltrated client data to MEGA via rclone, deleted shadow copies, and deployed BlackBasta ransomware.

CDEF-HawkEye

Wed, 25 Mar 2026 00:00:00 +0000

A victim host downloaded a HawkEye Keylogger dropper via HTTP, which established persistence, periodically checked the external IP via bot.whatismyipaddress.com, and exfiltrated harvested credentials every 10 minutes over SMTP.

HTB-Liberty

Wed, 25 Mar 2026 00:00:00 +0000

Password spraying led to domain account compromise, followed by NetNTLM hash theft via a malicious .url file, RDP access, data exfiltration to a C2 server, and PSWA backdoor installation for persistence.

LD-Deceptive Mail Detected

Tue, 17 Mar 2026 00:00:00 +0000

A phishing email with a password-protected ZIP delivered AsyncRAT via a SILENTBUILDER dropper. The victim executed the payload, establishing an active C2 channel and triggering full host reconnaissance before containment.

LD-Malicious Attachment Detected

Mon, 16 Mar 2026 00:00:00 +0000

Investigation of a phishing email delivering a malicious Excel attachment exploiting CVE-2017-11882, leading to payload download and privilege escalation via JuicyPotato

THM-Phishing Unfolding

Mon, 16 Mar 2026 00:00:00 +0000

THM-Phishing

Tue, 10 Mar 2026 00:00:00 +0000

Three phishing campaigns were identified across four alerts: a legitimate HR onboarding email (false positive), a fake Amazon delivery notification whose bit.ly link was blocked by the firewall, and a Microsoft account spoofing email from m1crosoftsupport.co whose link was allowed through the firewall

HTB-A Call from the Museum

Sat, 07 Mar 2026 00:00:00 +0000

A phishing email with a password-protected ZIP delivered an LNK file that executed an obfuscated PowerShell stager — collecting system fingerprint data, checking in to a C2, and fetching a next-stage implant using hardcoded credentials. A decoy PDF was opened simultaneously to distract the victim.