
Netizen Cybersecurity Bulletin (November 28th, 2025)

Overview:

  • Phish Tale of the Week
  • North Korea’s Contagious Interview Campaign Expands With Nearly 200 New Malicious npm Packages
  • Dark LLMs Promise Chaos, Deliver Training Wheels for Low-Tier Cybercriminals
  • How can Netizen help?

Phish Tale of the Week

Oftentimes, phishing campaigns created by malicious actors target users by utilizing social engineering. For example, in this text message, the actors are posing as USPS, the United States Postal Service, and informing you that action needs to be taken regarding your delivery. The message politely explains that “USPS” is holding our package at a warehouse, and that we just need to update our address in order to receive it. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there are plenty of reasons that point to this being a scam.

Here’s how we can tell not to click on this smishing link:

  1. The first red flag in this message is the sender’s address. Always thoroughly inspect the sender’s address to ensure it’s from a trusted sender. In this case, the actors neglected to spoof their messaging address, and a simple look at the sender’s address makes it very apparent that the message is not from USPS. In the future, review the sender’s address thoroughly to see if a text could be coming from a threat actor.
  2. The second warning sign in this text is the messaging. This message tries to create a sense of urgency by using language such as “cannot be delivered” and “within 12 hours.” Phishing scams commonly attempt to create a sense of urgency in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link sent through SMS.
  3. The final warning sign for this message is the lack of legitimate USPS information. Fortune 500 companies, the government, and similar organizations standardize all communications with customers. This text includes a small “thank you” message at the bottom in an attempt to gain credibility, but it lacks all of the parts of a credible USPS message and can be immediately detected as a phishing attempt.


General Recommendations:

A smishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages.

  1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match one you already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
  2. Verify that the sender is actually from the company sending the message.
  3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email.
  4. Do not give out personal or company information over the internet.
  5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

Many smishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any SMS requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.


Cybersecurity Brief

In this month’s Cybersecurity Brief:

North Korea’s Contagious Interview Campaign Expands With Nearly 200 New Malicious npm Packages

North Korean operators have widened their Contagious Interview activity with another wave of poisoned npm packages, adding 197 new entries to the registry in just a few weeks. Socket’s telemetry places the total download count at more than 31,000, which suggests the threat actors are still finding plenty of opportunities to slip their tooling into ordinary JavaScript workflows. The new uploads act as loaders for an updated OtterCookie variant that blends traits from BeaverTail and earlier OtterCookie builds, reinforcing what researchers have been observing for several months: the two codebases are drifting into the same family rather than standing apart as separate projects.

Much of the activity is wrapped in familiar-sounding packages such as bcryptjs-node, cross-sessions, json-oauth, node-tailwind, react-adparser, session-keeper, tailwind-magic, tailwindcss-forms, and webpack-loadcss. Once installed and run, the malware begins with basic checks to spot sandboxes or virtual machines, then gathers details about the device before opening a command channel. From that point, the operators gain a remote shell and a broad set of collection tools, ranging from clipboard theft and keylogging to screenshot capture, browser credential extraction, document harvesting, and pulling cryptocurrency wallet data and seed phrases.

Cisco Talos noted last month that the line between OtterCookie and BeaverTail has been fading. Analysts linked this to an earlier incident involving a Sri Lanka-based organization where a user was coaxed into launching a Node.js application as part of a fake job interview. The loader packages in the current wave behave in a similar way. They reach out to a hard-coded Vercel address, tetrismic.vercel[.]app, and retrieve the cross-platform payload from a GitHub repository tied to the now-removed account “stardev0914.” The infrastructure’s disappearance came only after researchers identified it publicly.

Security researcher Kirill Boychenko described the pace of uploads as one of the clearest signs of how deeply North Korean teams have woven themselves into JavaScript and crypto-adjacent development habits. The operators are treating npm as both a distribution network and a trust anchor, counting on developers to install small utilities that look harmless during setup.

Parallel efforts tied to the same adversary set have been pushing another malware family called GolangGhost, also known as FlexibleFerret or WeaselStore. These infections often start from fake skills tests or hiring portals that imitate real technical assessments. Victims are sent instructions resembling ClickFix-style troubleshooting steps for camera or microphone issues. Running the provided material leads to a Golang-based payload that reaches out to a fixed command server, maintains a steady instruction loop, and can run system commands, move files, and scrape Chrome data. It also establishes persistence on macOS through a LaunchAgent and displays a decoy application that impersonates a Chrome permission prompt. Afterward, a fake Chrome password box appears, capturing whatever the user enters and uploading it directly to a Dropbox account controlled by the threat actors.

Researchers studying this branch of activity emphasize that it differs from DPRK schemes built around long-term infiltration of legitimate companies through falsified identities. Contagious Interview focuses on corrupting the hiring process itself, relying on staged recruitment workflows, malicious coding tasks, and fraudulent job platforms to compromise individuals before they ever reach a real workplace.

To read more about this article, click here.


Dark LLMs Promise Chaos, Deliver Training Wheels for Low-Tier Cybercriminals

Dark-language-model storefronts have been buzzing with activity for the past few years, but the results still fall far short of the sweeping predictions made when generative AI first arrived. The excitement that followed the release of early chatbots led many in security to believe attackers would soon be able to generate advanced malware or run fully automated operations with minimal effort. The underground’s current tools show a different reality. They help inexperienced users write cleaner phishing messages, fix awkward grammar, and produce simple scripts, but little else.

This gap becomes clear when looking at platforms like WormGPT 4 and KawaiiGPT, which Palo Alto Networks’ Unit 42 recently examined. Both models sell themselves as unfiltered alternatives to mainstream AI systems, promising unrestricted output and freedom from safety constraints. In practice, the capabilities hardly rise above basic malware scaffolding. They can assemble small pieces of Python, churn out smooth ransom notes, and give amateur operators a sense of confidence, though their technical contributions stay well within the boundaries of what has been circulating online for years.

Dark LLMs first captured attention in 2023 with WormGPT, a paid service marketed as an escape hatch from ChatGPT’s limitations. Its creators claimed it was trained on malware and exploit content, making it ideal for novice attackers who needed a quick utility for phishing messages or simple code snippets. The model generated plenty of conversation but left little evidence of serious use in real intrusions. Even so, it established a template for the tools that followed, including the current WormGPT 4 variant.

WormGPT 4 repeats many of the same promises, offering to generate “any content” without oversight. When prompted for resources to aid a ransomware operation, it delivered a polished ransom note and a crude locker that targeted PDF files, expandable to other extensions and configured to use Tor. KawaiiGPT, another rising favorite in the underground, produced comparable output during Unit 42’s tests. It drafted plain but coherent phishing emails, basic scripts for data theft, and even supported limited lateral movement on a Linux host.

These features are enough to draw a crowd. KawaiiGPT’s developer claimed in a Telegram channel that more than 500 users have registered, with roughly half staying active. WormGPT 4, offered through a subscription tier, also maintains a broad community across Telegram channels. The market as a whole is growing, according to Check Point’s Oded Vanunu. He describes a landscape where commercial dark LLMs coexist with private, custom-trained models that operators integrate into their own infrastructure, bypassing public marketplaces entirely.

Even with the buzz around these tools, researchers still struggle to measure their real influence. Analysts lack reliable ways to detect AI-generated malicious code unless attackers leave clear indicators behind. This makes usage difficult to track, and much of the evidence remains anecdotal or based on conversations in underground forums.

The technical ceiling for these systems appears low. They generate incorrect code as often as they produce working snippets, a direct result of LLM hallucinations. They also lack the contextual reasoning needed to build full malware samples that adapt to specific targets. Unit 42 researchers note that human operators still need to correct errors, refine logic, and handle environment-specific details. Instead of pioneering new techniques, these models recycle familiar patterns and rely heavily on code fragments available in open repositories.

To read more about this article, click here.


How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive-level cybersecurity expertise at a fraction of the cost of hiring internally.

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by the U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.