MSP cybersecurity news digest, June 30, 2025

ConnectWise ScreenConnect installer exploited by Authenticode stuffing technique

Threat actors are exploiting the ConnectWise ScreenConnect installer to create signed remote access malware by modifying hidden configuration settings within its Authenticode signature.

This technique, known as "Authenticode stuffing," allows malicious data to be added to the certificate table without breaking the digital signature: the Authenticode hash deliberately excludes the certificate table, so bytes stored there are never covered by signature verification. Researchers discovered ConnectWise binaries that were identical apart from their altered certificate tables, which gave attackers remote access to servers they controlled while the installer still appeared legitimate. These samples were distributed through phishing attacks involving PDFs or Canva links that redirected users to malicious files hosted on Cloudflare R2. One such file, disguised as a Windows Update, connected victims to an IP address controlled by the attackers.

ConnectWise has not yet responded, while similar tactics were seen in trojanized SonicWall VPN clients used to steal login credentials.
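The check a defender would want for this technique, as an added example that is not part of the digest or of the research it summarises: parse the PE certificate table, compare each WIN_CERTIFICATE entry's declared length with the length the PKCS#7 DER SEQUENCE itself declares, and treat anything beyond alignment padding as stuffed data. The PE skeleton and certificate entry built at the bottom are constructed fixtures, not real binaries.

```python
import struct
WIN_CERT_HDR = struct.Struct("<IHH")  # dwLength, wRevision, wCertificateType

def der_length(buf, off=0):
    """Total size (tag + length bytes + content) of the DER element at buf[off]."""
    first = buf[off + 1]
    if first < 0x80: return 2 + first                    # short-form length
    n = first & 0x7F                                     # long form: n length bytes follow
    return 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")

def security_directory(pe):
    """(file offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY, or None if unsigned."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                                  # optional header after 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)         # data directories: PE32 vs PE32+
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4 = security directory
    return (off, size) if size else None

def cert_table_slack(table):
    """Per WIN_CERTIFICATE entry: (dwLength, PKCS#7 DER length, slack bytes past the DER end).
    Slack of up to 7 bytes is 8-byte alignment padding; more is data appended after signing."""
    pos, out = 0, []
    while pos + 8 <= len(table):
        length, _rev, ctype = WIN_CERT_HDR.unpack_from(table, pos)
        if length < 8: break                             # malformed entry, stop parsing
        body = table[pos + 8:pos + length]
        der = der_length(body) if ctype == 0x0002 and body[:1] == b"\x30" else len(body)
        out.append((length, der, len(body) - der))
        pos += (length + 7) & ~7                         # entries are 8-byte aligned
    return out

def stuffed(pe):
    """True when any certificate table entry carries more than alignment padding."""
    sec = security_directory(pe)
    if sec is None: return False
    off, size = sec
    return any(slack > 7 for _, _, slack in cert_table_slack(pe[off:off + size]))

def win_certificate(body):
    return WIN_CERT_HDR.pack(8 + len(body), 0x0200, 0x0002) + body  # constructed entry, rev 2.0, PKCS#7

def build_sample_pe(cert_table):
    """Constructed minimal PE32+ skeleton holding only the fields security_directory() reads."""
    hdr = bytearray(0x80 + 24 + 240)
    hdr[:2], hdr[0x80:0x84] = b"MZ", b"PE\0\0"           # DOS magic, PE signature at e_lfanew=0x80
    struct.pack_into("<I", hdr, 0x3C, 0x80)              # e_lfanew
    struct.pack_into("<H", hdr, 0x98, 0x20B)             # PE32+ magic at start of optional header
    struct.pack_into("<II", hdr, 0x98 + 112 + 32, len(hdr), len(cert_table))
    return bytes(hdr) + cert_table
```

Run `stuffed(open(path, "rb").read())` against a real signed installer; a legitimately signed file reports slack of 0 to 7 bytes per entry.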

Attackers breach data of insurance firms Aflac and Erie Insurance

Aflac, the largest supplemental insurance provider in the U.S. with an annual revenue of $18.93 billion in 2024, disclosed a data breach as part of a broader cyberattack campaign targeting American insurance companies. While Aflac confirmed that ransomware did not impact its systems, it remains unclear whether the attackers attempted to deploy ransomware or solely exfiltrated data.

The company initiated cyber incident response protocols and hired external experts to investigate the breach and assess the exposure of sensitive information, including health data and Social Security numbers. The attack appears consistent with tactics used by Scattered Spider, a notorious threat group known for advanced social engineering techniques like phishing, SIM swapping and MFA bombing.

In a separate case, Erie Insurance, with an annual revenue of $3.8 billion, is gradually restoring operations after a cyberattack on June 7, making progress in safely reconnecting business systems with help from external cybersecurity experts. The company confirmed there is no evidence of ransomware or ongoing threat actor activity, but the investigation into potential data exposure is still ongoing. Erie urged customers to remain vigilant by not clicking suspicious links and by reporting any unusual financial activity, and clarified that it will not request payments by phone or email. The third incident of this broader campaign affected Philadelphia Insurance with an outage on June 10, but the company has continued to handle claims and customer service via phone and email.

Eleven countries attacked by Dire Wolf ransomware’s double extortion tactics

The newly discovered Dire Wolf ransomware group has attacked 16 organizations across 11 countries, including the U.S., Thailand and Taiwan, since May 2025, primarily targeting the technology and manufacturing sectors using double extortion tactics.

Researchers revealed that Dire Wolf customizes its encryptors for each victim and demands ransoms around $500,000, giving a one-month deadline before leaking stolen data. Victims who fail to pay have their data published. Researchers found that the malware is written in Golang, which helps evade detection and ensures cross-platform functionality. The ransomware disables system logging, removes recovery options, and uses strong encryption (Curve25519 and ChaCha20), appending a .direwolf extension to affected files.

A unique ransom note is dropped, containing hardcoded credentials and live chat access for direct negotiation, reinforcing the targeted nature of these attacks. Dire Wolf has not yet revealed its initial access methods, so organizations are urged to patch vulnerabilities, secure endpoints, and monitor for signs of system compromise. The group's rise comes amid a surge in ransomware activity, with early 2025 showing record attack numbers despite recent takedowns of groups like LockBit and Ghost.

Energy, oil and gas sectors targeted by OneClik campaign abusing Microsoft deployment tool

The OneClik campaign targets organizations in the energy, oil and gas sectors by abusing Microsoft’s ClickOnce deployment tool and deploying a custom Golang backdoor called RunnerBeacon via phishing emails.

Researchers analyzed three variants of this campaign, noting its advanced evasion tactics, use of .NET-based loaders, and heavy obfuscation techniques to avoid detection. The attackers leverage trusted cloud infrastructure like AWS (CloudFront, Lambda, API Gateway) to disguise command-and-control traffic as benign cloud activity. The malware uses AppDomainManager injection to load malicious payloads via legitimate executables, running under dfsvc.exe to bypass user account control. RunnerBeacon communicates over RC4-encrypted traffic and supports modular commands for file operations, network scanning, process injection, and SOCKS5 tunneling. Its design resembles Go-based Cobalt Strike forks like Geacon, suggesting it may be a stealthier variant tailored for cloud environments.

By blending with normal cloud activity and leveraging known executables, the attackers maintain stealth and evade detection. While some tactics and infrastructure hint at China-linked threat actors, researchers remain cautious in making a formal attribution.

New ClickFix attack variant FileFix abuses Windows File Explorer via phishing tactics

A cybersecurity researcher has introduced FileFix, a new variant of the ClickFix attack that abuses the Windows File Explorer address bar to execute malicious commands. Unlike traditional ClickFix, which asks users to paste commands into the Run dialog, FileFix leverages the more familiar interface of File Explorer, increasing the likelihood of user compliance.

The attack is delivered via a phishing page disguised as a file-sharing notification, tricking users into pasting a clipboard-loaded PowerShell command into File Explorer. To maintain stealth, the malicious command is hidden behind a fake file path using PowerShell comment syntax, making only the decoy visible in the address bar. The proof of concept cleverly disables the actual file upload function to prevent users from unintentionally selecting a file, guiding them instead to complete the attacker's intended action.
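A detection rule for this pattern, as an added example that is not part of the digest or the researcher's proof of concept: over constructed process-creation events (field names mimic Sysmon event 1, the events are not real telemetry) it flags a PowerShell launch whose parent is explorer.exe and whose command line carries a commented-out decoy path. That File Explorer is the parent of a command typed into its address bar is an assumption made here; the `<payload>` string is a placeholder, not a command.

```python
import re

# Constructed sample events; only the first one is the FileFix pattern.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoProfile -Command "<payload>" # C:\company\Shared\Q2-report.pdf'},
    {"ParentImage": r"C:\Windows\explorer.exe",          # user opened a shell from the address bar
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",  # scheduled script, '#' but wrong parent
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1 # nightly job"},
    {"ParentImage": r"C:\Program Files\Editor\editor.exe",  # decoy-like comment, wrong parent
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh.exe -c Get-ChildItem # \\fileserver\share"},
]

SHELLS = {"powershell.exe", "pwsh.exe"}
# A '#' followed by a drive-letter or UNC path: the decoy that the comment syntax leaves visible.
DECOY_PATH = re.compile(r'#\s*(?:[A-Za-z]:\\|\\\\)[^\s"]+')

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_filefix_like(event):
    """Shell launched by File Explorer whose command line ends in a commented-out path."""
    if basename(event["ParentImage"]) != "explorer.exe":
        return False
    if basename(event["Image"]) not in SHELLS:
        return False
    return DECOY_PATH.search(event["CommandLine"]) is not None

def flag_events(events):
    """Indexes of the events that match the FileFix pattern."""
    return [i for i, ev in enumerate(events) if is_filefix_like(ev)]

if __name__ == "__main__":
    for i in flag_events(SAMPLE_EVENTS):
        print("suspicious:", SAMPLE_EVENTS[i]["CommandLine"])
```

The parent-process condition is what keeps the rule quiet on ordinary scripts that happen to contain a comment; tune SHELLS if cmd.exe launches from the address bar are also of interest.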

In a separate case, Trezor has warned users about a new phishing campaign that exploits its automated support system to send deceptive emails from the legitimate help@trezor.io address. Attackers submit fake support tickets using alarming subject lines that contain phishing links, making the emails appear official and urgent. These messages direct users to a phishing site designed to steal their wallet seed phrases, which are critical to accessing cryptocurrency stored on Trezor devices. Possession of a user's 24-word seed phrase allows attackers to fully restore and control the victim’s wallet on another device.