
Leveraging AI? It’s Time to Understand Growing Threats.

As AI becomes a key driver of business innovation, it introduces new vulnerabilities, particularly in the form of shadow AI and cyber threats. Discover how Forcepoint customers interact with AI to better understand its usage and how they are mitigating these risks.



The more AI applications, the stronger the need for web security policies

Medium-sized businesses
Number of AI applications: 20
Deployed web policies for AI: 5

Large businesses
Number of AI applications: 40
Deployed web policies for AI: 8

Mid-level enterprises
Number of AI applications: 67
Deployed web policies for AI: 12

Large-scale enterprises
Number of AI applications: 93
Deployed web policies for AI: 17

January Briefing

#1: Phantom Stealer attachment-based campaign

Activity Dates: 7 January – 26 January 2026

Targeted Sectors: Businesses, Governments and Banks

Volume: 3,000+

Targeted Location(s): United Kingdom, India and Pakistan

  • Attack Chain: Email -> HTML -> ZIP -> BAT -> PS1 -> Process Injection
  • Phantom Stealer attacks were already surging in frequency and sophistication, and the campaign was still active as of January 2026.
  • Delivered via a malicious HTML attachment disguised as a B2B payment invoice.
  • The email carries an HTML smuggling attachment containing an embedded Base64 stream and JavaScript code. When the user opens the HTML, it drops a ZIP file containing a BAT file; the BAT in turn drops a PowerShell script that performs process injection into .NET processes.
  • The stealer scans nearby Wi-Fi networks and displays detailed information about them.
  • It launches Firefox and Chrome with security- and resource-related restrictions disabled, forcing them to use a temporary custom profile.
  • Uses SMTP to exfiltrate the stolen data.
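The first link of the chain above is an HTML attachment that rebuilds a ZIP from a Base64 blob inside the browser. The following scanner is an added example, not Forcepoint code and not part of the briefing: it statically inspects an HTML attachment for the browser-side constructs HTML smuggling needs (atob, Blob, createObjectURL, a download link and a scripted click), decodes any long Base64 literal, checks whether it is a ZIP, lists the archive members and hashes each one against the SHA-1 IOCs published above. The sample attachment is constructed here with a harmless .bat inside, so it triggers the structural indicators without matching any IOC; the function names and verdict labels are this example's own.

```python
import base64
import hashlib
import io
import re
import zipfile

# SHA-1 hashes published in the briefing above, lower-cased for lookup.
KNOWN_BAD_SHA1 = {
    "2f2e13a9b4b1177705a2f7137382e4b35ea06645": "Phantom Stealer HTML lure",
    "a91b5ddca78598e1e85bf7f1fbc855be879cf726": "Phantom Stealer BAT dropper",
    "4585a1b23eb51277056ec26926ac316788c23b45": "Phantom Stealer EXE payload",
}

# Browser-side constructs an HTML smuggling page needs in order to turn an
# embedded Base64 blob into a file download without any server request.
SMUGGLING_PATTERNS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
    "click": re.compile(r"\.click\s*\(\s*\)"),
}

# A quoted run of 100+ Base64 characters: the smuggled payload itself.
BASE64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=]{100,})['\"]")
ZIP_MAGIC = b"PK\x03\x04"


def scan_html_attachment(html: str) -> dict:
    """Statically inspect an HTML attachment; nothing in it is executed."""
    result = {"js_indicators": [], "embedded_zip": False,
              "zip_members": [], "ioc_hits": []}
    for name, pattern in SMUGGLING_PATTERNS.items():
        if pattern.search(html):
            result["js_indicators"].append(name)
    for match in BASE64_LITERAL.finditer(html):
        try:
            payload = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if not payload.startswith(ZIP_MAGIC):
            continue
        result["embedded_zip"] = True
        # List the archive members and hash each one against the IOC table.
        with zipfile.ZipFile(io.BytesIO(payload)) as archive:
            for info in archive.infolist():
                result["zip_members"].append(info.filename)
                digest = hashlib.sha1(archive.read(info)).hexdigest()
                if digest in KNOWN_BAD_SHA1:
                    result["ioc_hits"].append(KNOWN_BAD_SHA1[digest])
    return result


def verdict(scan: dict) -> str:
    """Map the indicators to a triage label (labels are this example's own)."""
    if scan["ioc_hits"]:
        return "malicious"
    if scan["embedded_zip"] and len(scan["js_indicators"]) >= 3:
        return "likely-html-smuggling"
    if scan["js_indicators"] or scan["embedded_zip"]:
        return "suspicious"
    return "clean"


def build_constructed_sample() -> str:
    """Constructed stand-in for the lure: a Base64 ZIP holding a harmless .bat."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.bat", "@echo off\r\necho constructed sample, not malware\r\n")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f"""<html><body><script>
var data = "{b64}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/zip"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Payment_Confirmation.zip";
a.click();
</script></body></html>"""


if __name__ == "__main__":
    report = scan_html_attachment(build_constructed_sample())
    print(report)
    print("verdict:", verdict(report))
```

The IOC table only catches the exact files listed in the briefing; the structural indicators are what carry over to the next variant, which is why the verdict escalates on the combination of a decoded ZIP and several smuggling constructs rather than on any single pattern.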

Subject Lines Used:

  • Confirm your account
  • Re: REVISED Purchase Order
  • Payment Confirmation Copy

Sample email: [screenshot: Phantom Stealer attachment-based campaign]

IOCs

Hashes (SHA-1):

  • 2F2E13A9B4B1177705A2F7137382E4B35EA06645 - HTML
  • a91b5ddca78598e1e85bf7f1fbc855be879cf726 - BAT
  • 4585a1b23eb51277056ec26926ac316788c23b45 - EXE

SMTP C2s:

  • mail[.]grupomaspaq[.]com
  • mail[.]poskirantekstil[.]com
  • eraqron[.]shop

Protection Statement

Forcepoint customers are protected against this threat at the following stages of attack:

  • Stage 2 (Lure) - Malicious emails are blocked by Cloud rules. Archive attachments are detected by Yara.
  • Stage 4 (Dropper File) - The dropper files are added to Forcepoint malicious database and are blocked.
  • Stage 5 (Call Home) - C&C URLs are blocked.

February Briefing

#1: Epstein files email bait-and-switch campaign

Activity Dates: February 17

Targeted Sectors: Businesses

Volume: 3

Targeted Location(s): United States

    • Spammers are using a sensational, trending subject line, such as ‘Found your name in Epstein Files’, to lure recipients into opening their emails. The body then includes an apology like ‘Apologies for the unexpected subject line — I just wanted to make sure this caught your attention.’ The rest of the message shifts into sales-oriented questions and promotional content.
    • The email claims to come from unduitham.com but is actually sent via Salesforce Marketing Cloud bulk-mail infrastructure (*.mta.salesforce.com, *.bnc.salesforce.com).
    • The headers contain X-SFDC-EmailCategory: apiMassMail.
    • Catchy subject: no legitimate communication would combine mass-mail delivery with a personal, urgent, alarmist subject line.
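The three tells above (claimed sender domain versus the relay that actually delivered the mail, the apiMassMail category header, and an alarmist subject) can be checked mechanically from headers alone. The script below is an added example written for this briefing, not Forcepoint code: it parses a raw message with Python's standard email module, reads the first "from" host of each Received header, compares it against the Salesforce bulk-mail suffixes named above, looks for the X-SFDC-EmailCategory header, and matches the subject against urgency phrases. The sample message is constructed; the relay host name, local part of the sender address, recipient and message id are invented, while the sender domain, header name and subject follow the briefing. The phrase list and verdict labels are this example's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Bulk-mail relay suffixes named in the briefing.
BULK_MAIL_SUFFIXES = ("mta.salesforce.com", "bnc.salesforce.com")
# Urgency / alarm phrases; this list is constructed for the example.
ALARM_PHRASES = ("found your name", "epstein files", "urgent", "your account", "action required")
# First "from <host>" token of a Received header: the relay that handed us the mail.
RECEIVED_FROM = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def relay_hosts(msg) -> list:
    """Relay host names, outermost (most recent) Received header first."""
    hosts = []
    for received in msg.get_all("Received", []):
        match = RECEIVED_FROM.search(received)
        if match:
            hosts.append(match.group(1).lower())
    return hosts


def analyse_headers(raw: str) -> dict:
    """Flag bulk-mail delivery disguised as a personal, urgent message."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    relays = relay_hosts(msg)
    findings = []

    # Tell 1: the From domain does not match the infrastructure that relayed the mail.
    via_bulk = [h for h in relays if h.endswith(BULK_MAIL_SUFFIXES)]
    if via_bulk and from_domain and not from_domain.endswith("salesforce.com"):
        findings.append(f"From domain {from_domain} delivered via bulk-mail relay {via_bulk[0]}")

    # Tell 2: the platform itself labels the message as API-driven mass mail.
    api_mass = msg.get("X-SFDC-EmailCategory", "").strip().lower() == "apimassmail"
    if api_mass:
        findings.append("X-SFDC-EmailCategory: apiMassMail (API-driven mass mailing)")

    # Tell 3: a personal, alarmist subject on top of bulk delivery.
    subject = msg.get("Subject", "").lower()
    hits = [p for p in ALARM_PHRASES if p in subject]
    if hits:
        findings.append("alarmist subject phrase(s): " + ", ".join(hits))

    mass_mail = bool(via_bulk) or api_mass
    if mass_mail and hits:
        label = "bait-and-switch bulk mail"
    elif mass_mail:
        label = "bulk mail"
    else:
        label = "no indicators"
    return {"from_domain": from_domain, "relays": relays,
            "findings": findings, "verdict": label}


# Constructed sample: relay host, sender local part, recipient and id are invented.
SAMPLE_EMAIL = """\
Received: from mta4.constructed.mta.salesforce.com (mta4.constructed.mta.salesforce.com [192.0.2.10])
    by mx.recipient.example (Postfix) with ESMTPS id CONSTRUCTED01
    for <alice@recipient.example>; Tue, 17 Feb 2026 10:15:00 +0000
From: "Sales Team" <sales@unduitham.com>
To: alice@recipient.example
Subject: Found your name in Epstein Files
X-SFDC-EmailCategory: apiMassMail
Content-Type: text/plain; charset=utf-8

Apologies for the unexpected subject line - I just wanted to make sure this
caught your attention. Do you have 15 minutes this week for a quick demo?
"""

if __name__ == "__main__":
    for line in analyse_headers(SAMPLE_EMAIL)["findings"]:
        print("-", line)
```

A mail gateway rule built on the same logic should require the combination: bulk-mail relays carry a great deal of legitimate marketing, and an alarmist subject alone is just a spam heuristic; it is the pairing of the two that characterises this campaign.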

Sample email: [screenshot: Epstein files email bait-and-switch campaign]
Protection Statement

Forcepoint customers are protected against this threat at the following stages of attack:

    • Stage 2 (Lure) - Spam emails are blocked by Cloud rules.

#2: Free web hosting redirect campaign

Activity Dates: February 20

Targeted Sectors: General

Volume: 3

Targeted Location(s): Ukraine

  • The campaign uses a catchy site name and an obfuscated JavaScript loader that reconstructs hidden code at runtime to perform browser redirects or load external resources.
  • The web pages carry "Ukraine" in their names and are hosted on Weebly:
    • hxxp://fundsukraine[.]weebly[.]com
    • hxxp://ukrainenewsletter[.]weebly[.]com
    • hxxp://ukrainearts[.]weebly[.]com
  • The page content appears to be generic blog posts unrelated to Ukraine, mainly about gaming, tech topics and other unrelated material.
  • The page code, however, contains an obfuscated JavaScript redirector of the kind used on SEO spam pages to silently forward visitors to a malicious second-stage site.
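Because the redirect target only exists after the loader reconstructs it at runtime, a plain string search of the page finds nothing. The analyser below is an added example, not Forcepoint code and not code recovered from the Weebly pages: it flags the constructs used to rebuild code at runtime (eval, String.fromCharCode, unescape), statically peels those encoding layers without executing any JavaScript, then reports redirect sinks and URLs that appear only after decoding, defanged in the hxxp://host[.]tld form used in the briefing. The sample page is constructed, with a redirect to the placeholder host second-stage.example; the indicator names and verdict labels are this example's own.

```python
import re
from urllib.parse import unquote

# Static indicators of runtime code reconstruction and of redirect sinks.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "location_sink": re.compile(r"\b(?:window\.|document\.)?location(?:\.href|\.replace|\.assign)?\s*[=(]"),
    "meta_refresh": re.compile(r"http-equiv\s*=\s*['\"]refresh['\"]", re.IGNORECASE),
}
FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\s*\(([\d,\s]+)\)")
UNESCAPE_LITERAL = re.compile(r"unescape\s*\(\s*['\"]([^'\"]*)['\"]\s*\)")
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
URL_IN_TEXT = re.compile(r"https?://[A-Za-z0-9.\-_/?=&%#:]+")


def decode_layer(js: str) -> str:
    """Replace one layer of fromCharCode / unescape / hex-escape encoding with plaintext."""
    js = FROM_CHAR_CODE.sub(
        lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + '"', js)
    js = UNESCAPE_LITERAL.sub(lambda m: '"' + unquote(m.group(1)) + '"', js)
    js = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), js)
    return js


def deobfuscate(js: str, max_layers: int = 5) -> str:
    """Peel nested encoding layers until the text stops changing."""
    for _ in range(max_layers):
        decoded = decode_layer(js)
        if decoded == js:
            break
        js = decoded
    return js


def defang(url: str) -> str:
    """Report URLs in the hxxp://host[.]tld form used in the briefing."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


def analyse_page(html: str) -> dict:
    """Compare indicators and URLs before and after static decoding."""
    indicators = [n for n, p in INDICATORS.items() if p.search(html)]
    decoded = deobfuscate(html)
    revealed = [n for n, p in INDICATORS.items() if p.search(decoded) and n not in indicators]
    hidden_urls = sorted(set(URL_IN_TEXT.findall(decoded)) - set(URL_IN_TEXT.findall(html)))
    sinks = {"location_sink", "meta_refresh"}
    if hidden_urls and sinks & set(indicators + revealed):
        label = "obfuscated redirector"
    elif {"eval", "fromCharCode", "unescape"} & set(indicators):
        label = "obfuscated script"
    else:
        label = "clean"
    return {"indicators": indicators, "revealed_after_decoding": revealed,
            "hidden_urls": [defang(u) for u in hidden_urls], "verdict": label}


def build_constructed_sample() -> str:
    """Constructed page: generic blog text plus a char-code-encoded redirect
    to the placeholder host second-stage.example."""
    hidden = 'window.location.href="http://second-stage.example/landing";'
    codes = ",".join(str(ord(c)) for c in hidden)
    return f"""<html><head><title>Top 10 Gaming Tips</title></head><body>
<p>Welcome to our blog about gaming and tech.</p>
<script>var _k=String.fromCharCode({codes});eval(_k);</script>
</body></html>"""


if __name__ == "__main__":
    print(analyse_page(build_constructed_sample()))
```

The decoding here is deliberately static: real loaders often add string-splitting, array-index tricks or a self-decrypting wrapper that this regex peeling will not follow, and the right escalation for those is a sandboxed browser run that records every navigation, not an eval in the analyst's own interpreter.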

Ukraine campaign sample page 1: [screenshot]

Ukraine campaign sample page 2: [screenshot]

Ukraine campaign sample page 3: [screenshot]

IOCs

URLs:

  • hxxp://fundsukraine[.]weebly[.]com
  • hxxp://ukrainenewsletter[.]weebly[.]com
  • hxxp://ukrainearts[.]weebly[.]com

Protection Statement

Forcepoint customers are protected against this threat at the following stages of attack:

  • URLs are blocked by Real Time Scanning (Live RTSS).

Why Securing AI Matters for Your Organization

AI brings tremendous value, but its risks cannot be ignored. Organizations that adopt AI must therefore ensure their data, applications and infrastructure are secure against the rising tide of cyber threats.

Steps You Can Take Today

  • Audit your AI usage to understand potential vulnerabilities.
  • Implement robust web security policies to mitigate risks.
  • Partner with Forcepoint for AI-driven security solutions that protect your business at every stage of an attack.

Want to know more about how Forcepoint secures your AI usage and keeps your organization safe?