Recorded Future’s LaTulip feedback: “This sort of assault is an evolution of the extra conventional, text-based phishing and is the criminals’ response to advances in e-mail safety filters. Embedded photos are used to bypass the e-mail filters, with the picture used to disguise malicious content material or hyperlinks.”
Following these photos will lead unsuspecting workers to both credential-harvesting or exploit-loaded web sites.
“Criminals might also frequently edit and adapt photos by altering colours or measurement,” LaTulip says. “That is typically achieved to maintain a picture recent, in order that it will increase its possibilities of avoiding detection.”
They’re utilizing Russian fronts
KnowBe4 studies a surge in phishing campaigns leveraging Russian (.ru) top-level domains from December 2024 to January 2025.
The KnowBe4 Menace Analysis group famous a 98% rise in these phishing campaigns, that are primarily aimed toward credential harvesting.
Some Russian .ru domains are run by so-called “bullet-proof” internet hosting suppliers, outfits identified to maintain malicious domains operating and ignore abuse studies in opposition to websites run by their cybercriminal prospects.
They’re supercharging intel gathering
On the darkish net and hacker boards, AI-assisted toolsets have change into more and more frequent.
“These instruments can scrape social media posts and even establish a consumer’s actual geolocation by photos and posts — an more and more prevalent tactic,” Huntress’ Linares says.
Different intelligence-gathering instruments deal with organizations relatively than people. These can scrape LinkedIn, recruitment websites, DNS information, internet hosting companies, and third-party service suppliers to uncover worthwhile insights about an organization’s infrastructure, software program stacks, inside instruments, workers, workplace areas, and different potential targets for social engineering or cyberattacks.
Subtle attackers are additionally repurposing professional advertising and marketing instruments and platforms to establish prime alternatives for search engine marketing hijacking and phishing assaults, maximizing the attain and effectiveness of scams.
They’re professionalizing with PhaaS
Phishing-as-a-service (PhaaS) kits are anticipated to account for half (50%) of credential theft assaults in 2025, up from 30% in 2024, in line with cybersecurity vendor Barracuda.
Barracuda predicts these platforms are evolving to incorporate options that permit cybercriminals to steal multi-factor authentication (MFA) codes and make use of extra superior evasion methods, akin to using QR-based payloads.
PhaaS platforms provide a subscription-based suite of instruments and companies, together with dashboards and stolen credential storage, that facilitate phishing assaults. These cybercrime-enabling toolkits are bought by Telegram, darkish net boards, and underground marketplaces. Subscriptions value from $350 per 30 days, in line with cyber menace administration agency Adarma.
Essentially the most widely-used such platform — Tycoon 2FA — blamed by Barracuda for 89% of noticed PhaaS incidents harnesses encrypted scripts and invisible Unicode characters to evade detection, steal credentials, and exfiltrate knowledge by way of Telegram.
Constructed for adversary-in-the-middle assaults, Sneaky 2FA abuses Microsoft 365’s ‘autograb’ characteristic to pre-populate faux login pages, filtering out non-targets and bypassing 2FA, as defined in a latest technical weblog submit by Barracuda.
Arabic
Chinese (Simplified)
Dutch
English
French
German
Italian
Japanese
Korean
Latin
Portuguese
Russian
Spanish