New EDDIESTEALER malware distributed via ClickFix CAPTCHA phishing. ConnectWise breached in a cyber attack linked to a nation state. Threat actors are now abusing Google Apps Script in phishing attacks, and thieves gain access to about 140,000 social insurance numbers in the Nova Scotia Power breach. This is Cybersecurity Today, and I'm your host, David Shipley. Let's get started.
A new malware campaign is distributing a novel Rust-based information stealer dubbed EDDIESTEALER using the popular ClickFix social engineering tactic, initiated via fake CAPTCHA verification pages. The campaign leverages deceptive CAPTCHA verification pages that trick users into executing a malicious PowerShell script, which ultimately deploys the info stealer, harvesting sensitive data such as credentials, browser information, and cryptocurrency wallet details, according to Elastic Security Labs.
The attack chain begins with threat actors compromising legitimate websites with malicious JavaScript payloads that serve bogus CAPTCHA check pages, which prompt site visitors to prove they are not a robot by following a three-step process, a prevalent tactic called ClickFix. ClickFix involves instructing potential victims to open the Windows Run dialog, paste an already-copied command into the "verification window" (for example, the Run dialog) and press Enter.
This effectively causes the obfuscated PowerShell command to be executed, resulting in the retrieval of the next stage of the payload from an external server. The JavaScript payload, gverify.js, is subsequently saved to the victim's Downloads folder and executed using cscript in a hidden window. The main goal of this intermediate script is to fetch the EDDIESTEALER binary from the same remote server and store it in the Downloads folder with a pseudorandom 12-character file name.
Written in Rust, EDDIESTEALER is a commodity stealer malware that can gather system metadata, receive tasks from a command and control, or C2, server, and siphon data of interest from infected hosts. The exfiltration targets include cryptocurrency wallets, web browsers, password managers, FTP clients and messaging apps. IT management software firm ConnectWise says a suspected state-sponsored cyber attack breached its environment and impacted a limited number of ScreenConnect customers.
ConnectWise said that it recently learned of suspicious activity within its environment that it believed was tied to a sophisticated nation-state actor, which it says affected a very small number of ScreenConnect customers. In a brief advisory note, the company said: "We have launched an investigation with one of the leading forensic experts, Mandiant. We have contacted all the affected customers and are now coordinating with law enforcement."
ConnectWise is a Florida-based software company that provides IT management, remote monitoring and management (RMM), cybersecurity and automation solutions for managed service providers and IT departments. One of its products is ScreenConnect, a remote access and support tool that allows technicians to securely connect to client systems for troubleshooting, patching, and system maintenance.
As first reported by CRN, the company now says it has implemented enhanced monitoring and hardening of security access across its network. They also state that they have not seen any further suspicious activity in customer instances. ConnectWise did not answer questions from BleepingComputer about how many customers were impacted, when the breach occurred, or whether any malicious activity was observed in customers' ScreenConnect instances.
However, a source told BleepingComputer that a breach occurred in August 2024, that ConnectWise discovered this activity in May 2025, and that it only impacted cloud-based ScreenConnect instances. BleepingComputer says they have not been able to independently confirm those breach dates.
Jason Slagle, president of managed service provider CNWR, told BleepingComputer that only a very small number of customers were impacted, suggesting the threat actor carried out a targeted attack against specific organizations. In a Reddit thread, customers shared further details, stating the incident is linked to a high-severity ScreenConnect vulnerability tracked as CVE-2025-3935, for which a patch was issued on April 24th.
Howard Solomon has a great story that gives a Google twist to the abuse of the Microsoft domain that Jim reported on earlier this week. Threat actors have discovered a way to abuse Google Apps Script to sneak links to malicious websites past phishing defenses. According to new research from Cofense, this new attack has been discovered, and if an employee clicks on a link in a phishing email, they get taken to a page on script.google.com. Now, what is Google Apps Script?
Apps Script is a cloud-based JavaScript platform powered by Google Drive that lets developers integrate with and automate tasks across different Google products. With it, Google says, developers can add custom menus, dialogs, and sidebars to Google Docs, Sheets and Forms; write custom functions and macros for Google Sheets; publish web apps, either standalone or embedded in Google Sites; and interact with other Google services, including AdSense, Analytics, Calendar, Drive, Gmail, Maps, and more.
The attacker is betting the user will see and trust the Google brand, and therefore trust the content. By using a trusted platform to host the phishing page, the threat actor creates a false sense of security, obscuring the underlying threat with the goal of getting the recipient to enter their email and password without thinking about it, says the report from Cofense.
CISOs need to remind employees in regular security awareness training sessions not to let their guard down and to read every email closely for scam clues. They also need to be reminded of a caution: a message using a tool from a well-known brand like Google is no guarantee that the message is safe. And a reminder for all listeners: email filters are fallible.
If your team believes that no possible phishes can get by your email filter, they can actually click 140% more on phishing scams. So make sure they know their vigilance can make all the difference. Nova Scotia Power's CEO says up to 140,000 social insurance numbers could have been stolen by cyber thieves who recently hacked into the utility's customer records.
Peter Gregg said in an interview with The Canadian Press on Thursday that the privately owned utility collected the numbers from customers to authenticate their identities. For example, Gregg said that they needed the social insurance numbers to differentiate people who had the same name: if there are a number of John McDonalds in the province, the social insurance number determines which one the utility was talking to.
On May 23rd, Gregg said the data of about 280,000 Nova Scotia Power customers was breached in a ransomware attack, more than half of the total. Asked Thursday about how many of those records contain the confidential nine-digit social insurance numbers, Gregg said approximately half. This breach continues to be among the largest, at least in Canada, but likely increasingly in North America, of a utility with highly sensitive customer data exposed.
If you've enjoyed today's episode, please consider liking and sharing it. We wanna help even more people stay on top of the crazy world of cybersecurity. We are always interested in your opinion, and you can contact us at [email protected] or leave a comment under the YouTube video. I've been your host, David Shipley, sitting in for Jim Love, who will be back on Wednesday. Thanks for listening.