Cyber Threat Actors Elevate Tactics: From Information Stealing to Ransomware

In a significant shift, the threat actors behind the RedLine and Vidar information stealers have broadened their tactics from data theft to ransomware. A recent Trend Micro analysis found that these actors now run phishing campaigns whose initial payloads are signed with Extended Validation (EV) code signing certificates, which points to a more streamlined, multipurpose operation. In one incident the researchers investigated, an undisclosed victim first received an info stealer signed with an EV certificate and was later hit with ransomware delivered through the same channel. Signed malware is not new: QakBot infections have previously used samples signed with valid code signing certificates to slip past security controls. A valid signature, EV or otherwise, proves only that whoever held the private key signed the file; it says nothing about whether the code is malicious, so a control that allowlists "anything signed" rather than a specific, reviewed signer identity offers no protection against this technique.

The attack chain begins with phishing emails that use familiar lures to get recipients to open malicious attachments disguised as PDF or JPG files. The attachments are in fact executables that start the compromise. The victim received the info stealer in July; in early August a ransomware payload followed, triggered by an email carrying a fake TripAdvisor complaint attachment ("TripAdvisor-Complaint.pdf.htm"), a double extension that presents as a PDF but is an HTML file. Notably, the files that delivered the ransomware were not EV-signed, but the shared delivery method suggests a division of labor within the group between the payload provider and the operators.

This development coincides with IBM X-Force's discovery of new phishing campaigns distributing an improved version of the malware loader DBatLoader. The loader is actively maintained, supports UAC bypass, persistence and process injection, and is used to deliver malware such as FormBook and Remcos RAT.
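The disguised-attachment lure described above ("TripAdvisor-Complaint.pdf.htm", executables named as PDF or JPG) is something a mail gateway or triage script can catch without ever executing the file, by comparing the name against the leading bytes. The following is an added example, not code from the Trend Micro report: the file names and bytes are constructed, and the decoy and executable extension lists are assumptions to be tuned for your environment.

```python
"""Flag attachments whose name disguises their real type. Added example, not
code from the Trend Micro report; sample names and bytes are constructed."""
from typing import List, Optional

# Extensions the lures imitate (assumed list) and ones that run when opened.
DECOY = {"pdf", "jpg", "png", "doc", "docx", "xls", "xlsx", "txt"}
EXECUTABLE = {"exe", "htm", "js", "vbs", "hta", "lnk", "bat", "cmd", "ps1"}
# Fold aliases onto one canonical name so .jpeg/.jpg and .html/.htm compare equal.
CANON = {"jpeg": "jpg", "html": "htm", "scr": "exe", "dll": "exe"}


def sniff(data: bytes) -> Optional[str]:
    """Identify the content from its leading bytes; None if unrecognised."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"\xff\xd8\xff"):       # JPEG start-of-image marker
        return "jpg"
    if data.startswith(b"MZ"):                 # DOS/PE executable header
        return "exe"
    head = data.lstrip()[:256].lower()
    if head.startswith((b"<!doctype html", b"<html")) or b"<script" in head:
        return "htm"
    return None


def triage(filename: str, data: bytes) -> List[str]:
    """Return findings for one attachment; an empty list means nothing suspicious."""
    findings: List[str] = []
    parts = filename.lower().split(".")
    exts = [CANON.get(p, p) for p in parts[1:]]
    # 1. Decoy extension followed by an executable one. Windows Explorer hides
    #    the final known extension by default, so "x.pdf.exe" displays as "x.pdf".
    if len(exts) >= 2 and exts[-2] in DECOY and exts[-1] in EXECUTABLE:
        findings.append(f"double extension: displays as .{exts[-2]}, really .{exts[-1]}")
    # 2. The bytes disagree with the last extension (an EXE renamed to .pdf, say).
    actual = sniff(data)
    claimed = exts[-1] if exts else None
    if actual and claimed and actual != claimed:
        findings.append(f"content is {actual} but name claims {claimed}")
    return findings


# Constructed samples: the article's lure name with an HTML stub, a renamed
# executable, and two genuine files that should pass.
SAMPLES = {
    "TripAdvisor-Complaint.pdf.htm": b"<html><body><script>/* stub */</script></body></html>",
    "Invoice_July.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", triage(name, data) or ["clean"])
```

The two checks are deliberately independent: the lure in the article passes the content check (it really is HTML and really ends in .htm) and is caught only by the double-extension rule, while a renamed executable has a clean single extension and is caught only by the byte check.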
The recent wave of DBatLoader attacks, detected in late June, distributes commodity malware including Agent Tesla and Warzone RAT. The campaigns mainly target English speakers, but emails in Spanish and Turkish have also been observed. The operators control their own email infrastructure, so their messages pass SPF, DKIM and DMARC checks: those mechanisms only confirm that a message is aligned with the domain it claims to come from, and an attacker who registers and configures a domain gets a clean pass like anyone else. Payloads are typically staged on and retrieved from OneDrive, with some campaigns using transfer[.]sh or newly registered and compromised domains.

In related news, a new malvertising campaign targets users searching for Cisco's Webex video conferencing software on search engines such as Google. Victims are redirected to a fake website that serves BATLOADER, which in turn downloads an encrypted second-stage payload, DanaBot. Notably, the actor uses ad tracking template URLs to fingerprint visitors and select targets, redirecting anyone who does not meet the criteria to the legitimate Webex site so that the campaign stays hidden from researchers and sandboxes.

This latest evolution highlights the growing sophistication of threat actors and the need for vigilance and robust security measures against evolving attacks.

Solutions to the Evolving Threats

Be careful about which emails you open and which attachments you download.
Keep your software up to date, including your operating system, web browser and security software.
Use strong passwords and enable two-factor authentication.
Be aware of social engineering scams.
Have a plan in place in case of a cyber-attack.
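The SPF/DKIM/DMARC point above is worth seeing concretely: an "all pass" result from attacker-owned infrastructure looks identical to one from a legitimate sender, so triage has to ask who the authenticated domain is, not whether authentication succeeded. The following is an added example, not code from the IBM X-Force report; the raw message, the allowlist of known sender domains, the brand table and the list of file-hosting services are all constructed or assumed for illustration.

```python
"""Triage an inbound mail whose SPF/DKIM/DMARC all pass. Added example, not
from the IBM X-Force report: the sample message, the allowlist and the brand
table are constructed for illustration."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from typing import Dict, List
from urllib.parse import urlparse

# Constructed message: every authentication check passes because the attacker
# owns guest-feedback-center.com and published SPF/DKIM/DMARC records for it.
RAW_MESSAGE = b"""Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=guest-feedback-center.com;
 dkim=pass header.d=guest-feedback-center.com;
 dmarc=pass header.from=guest-feedback-center.com
From: "TripAdvisor Complaints" <support@guest-feedback-center.com>
To: manager@hotel.example
Subject: Complaint about your property
Content-Type: text/plain; charset=utf-8

A guest filed a complaint. Review the details here:
https://transfer.sh/abcd1234/TripAdvisor-Complaint.pdf.htm
"""

# Assumed organisation data: domains we expect mail from, brands that get
# impersonated, and file-hosting services the article notes being used for staging.
KNOWN_SENDERS = {"tripadvisor.com", "booking.com"}
BRAND_DOMAINS = {"tripadvisor": "tripadvisor.com", "microsoft": "microsoft.com"}
STAGING_HOSTS = {"transfer.sh", "1drv.ms", "onedrive.live.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_auth_results(msg) -> Dict[str, str]:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results: Dict[str, str] = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", str(hdr), re.IGNORECASE):
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def assess(raw: bytes) -> Dict[str, object]:
    msg = message_from_bytes(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    display_name, address = parseaddr(str(msg["From"]))
    from_domain = address.rpartition("@")[2].lower()
    findings: List[str] = []

    # A full pass proves alignment with from_domain and nothing more. It is only
    # reassuring when from_domain is one we trust; an attacker-registered domain
    # with correct DNS records passes exactly the same way.
    fully_authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    if fully_authenticated and from_domain not in KNOWN_SENDERS:
        findings.append(f"authenticated sender {from_domain} is not a known sender")

    # Brand in the display name while the authenticated domain is not the brand's.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display_name.lower() and from_domain != legit \
                and not from_domain.endswith("." + legit):
            findings.append(f"display name impersonates {brand} from {from_domain}")

    # Links into generic file-hosting used for staging (context, not a verdict alone).
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in STAGING_HOSTS:
            findings.append(f"link to file-hosting service {host}")

    return {"auth": auth, "from_domain": from_domain, "findings": findings}


if __name__ == "__main__":
    result = assess(RAW_MESSAGE)
    print("auth:", result["auth"], "from:", result["from_domain"])
    for line in result["findings"]:
        print("FINDING:", line)
```

None of the three findings depends on authentication failing; the message is fully authenticated and still scores three hits, which is the whole point of the passage: treat a DMARC pass as identity, then decide whether that identity has any business mailing you.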
"Priil Tech Nerds" consists of skilled writers and editors dedicated to producing exceptional content. Our articles are crafted by a team of passionate writers and researchers committed to sharing valuable ideas you can rely on.