{"id":15582,"date":"2025-11-25T18:24:33","date_gmt":"2025-11-25T05:24:33","guid":{"rendered":"https:\/\/kinetics.co.nz\/?p=15582"},"modified":"2025-11-25T18:24:33","modified_gmt":"2025-11-25T05:24:33","slug":"cybersecurity-alert-holiday-phishing-on-the-rise-and-attackers-are-using-your-own-tools","status":"publish","type":"post","link":"https:\/\/new.kinetics.co.nz\/?p=15582","title":{"rendered":"Cybersecurity Alert: Holiday Phishing on the Rise \u2014 And Attackers Are Using Your Own Tools"},"content":{"rendered":"<p>[et_pb_section fb_built=&#8221;1&#8243; _builder_version=&#8221;4.27.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221; theme_builder_area=&#8221;post_content&#8221; custom_padding=&#8221;9px|||||&#8221;][et_pb_row column_structure=&#8221;1_2,1_2&#8243; _builder_version=&#8221;4.27.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221; theme_builder_area=&#8221;post_content&#8221;][et_pb_column type=&#8221;1_2&#8243; _builder_version=&#8221;4.27.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221; theme_builder_area=&#8221;post_content&#8221;][et_pb_text _builder_version=&#8221;4.27.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221; theme_builder_area=&#8221;post_content&#8221;]<\/p>\n<h2 dir=\"auto\"><strong>As the festive season kicks into gear, so too does the cybercriminal playbook<\/strong>.<\/h2>\n<p dir=\"auto\">We\u2019ve noticed a spike in phishing attempts disguised as \u201cpre-Christmas party invites\u201d.\u00a0 While the festive spirit is infectious, so too is the threat. 
These aren\u2019t just generic holiday greetings \u2014 they\u2019re carefully crafted lures designed to hook users into downloading malware, often via links to malicious installers or fake login prompts.<\/p>\n<p>[\/et_pb_text][\/et_pb_column][et_pb_column type=&quot;1_2&quot; _builder_version=&quot;4.27.4&quot; _module_preset=&quot;default&quot; global_colors_info=&quot;{}&quot; theme_builder_area=&quot;post_content&quot;][et_pb_image src=&quot;https:\/\/new.kinetics.co.nz\/wp-content\/uploads\/2025\/11\/Bad-Santa2.png&quot; title_text=&quot;Bad Santa2&quot; _builder_version=&quot;4.27.4&quot; _module_preset=&quot;default&quot; border_radii=&quot;on|20px|20px|20px|20px&quot; box_shadow_style=&quot;preset1&quot; global_colors_info=&quot;{}&quot; theme_builder_area=&quot;post_content&quot;][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=&quot;4.27.4&quot; _module_preset=&quot;default&quot; global_colors_info=&quot;{}&quot; theme_builder_area=&quot;post_content&quot;][et_pb_column type=&quot;4_4&quot; _builder_version=&quot;4.27.4&quot; _module_preset=&quot;default&quot; global_colors_info=&quot;{}&quot; theme_builder_area=&quot;post_content&quot;][et_pb_text _builder_version=&quot;4.27.4&quot; _module_preset=&quot;default&quot; global_colors_info=&quot;{}&quot; theme_builder_area=&quot;post_content&quot;]<\/p>\n<p dir=\"auto\">This isn\u2019t new. Cybercriminals are well aware of the seasonal rush \u2014 Black Friday, Cyber Monday, and the holiday rush all create the perfect storm for phishing. 
Expect to see emails promising \u201cexclusive deals,\u201d \u201cfailed transactions,\u201d \u201crefunds pending,\u201d or \u201curgent login required.\u201d These are classic tactics used to trigger urgency and bypass caution.<\/p>\n<p dir=\"auto\">But here\u2019s the twist \u2014 and the reason we\u2019re raising the alarm: <strong>the tools they\u2019re using are the same ones your MSP and IT teams rely on daily.<\/strong><\/p>\n<p dir=\"auto\"><span style=\"text-decoration: underline;\">Attackers are now deploying ScreenConnect, LogMeIn Resolve, Naverisk, SimpleHelp, PDQ, and even Atera \u2014 the very same remote management tools many IT companies use to support your clients, manage systems, and maintain uptime.<\/span><\/p>\n<p dir=\"auto\">This isn\u2019t a coincidence. It\u2019s a calculated move.<\/p>\n<h2 dir=\"auto\"><strong>What\u2019s happening?<\/strong><\/h2>\n<p dir=\"auto\">A persistent, highly active threat actor, first observed in April 2025, has evolved its tactics. Initially, they leveraged ScreenConnect as their primary foothold. By June 2025, they began incorporating SimpleHelp and by October 2025, LogMeIn Resolve and Naverisk were added to the mix \u2014 and now, multiple common IT support tools are often installed sequentially, sometimes weeks after initial access.<\/p>\n<p dir=\"auto\">Why? The theory is simple: <strong>Redundancy. Resilience. Obfuscation.<\/strong><\/p>\n<p dir=\"auto\">By installing multiple tools, attackers create a layered, persistent access point. They can rotate tools to avoid detection, mask their presence behind legitimate admin software, and even disable security controls like Windows Defender using tools like Defender Control. 
Credential harvesting tools like WebBrowserPassView are also frequently deployed, all to extract data, maintain access, and maximise their return.<\/p>\n<h2 dir=\"auto\"><strong>Analyst\u2019s take:<\/strong><\/h2>\n<p dir=\"auto\">This is not just a shift in tactics.\u00a0 It is a strategic evolution. The attackers are no longer relying on a single, easily detectable tool.\u00a0 Instead, they\u2019re building a resilient, multi-tool infrastructure that mimics legitimate IT operations \u2014 making detection and attribution far more difficult.<\/p>\n<p dir=\"auto\">The fact that they\u2019re using tools your own support team uses makes this even more concerning. It\u2019s not just about access.\u00a0 It is about blending in, staying long-term, and exploiting the very systems you\u2019re trying to protect.<\/p>\n<h2 dir=\"auto\"><strong>What should you do?<\/strong><\/h2>\n<ol dir=\"auto\" start=\"1\">\n<li class=\"text-start\"><strong>Be vigilant<\/strong> \u2014 especially during the holiday rush. Don\u2019t click links in unsolicited emails, even if they look like they\u2019re from your manager, a client, or a colleague.<\/li>\n<li class=\"text-start\"><strong>Verify before you click<\/strong> \u2014 use your own security tools or contact the sender directly to confirm legitimacy.<\/li>\n<li class=\"text-start\"><strong>Educate your teams<\/strong> \u2014 remind them that attackers are using tools they know \u2014 and that\u2019s why they\u2019re even more dangerous.<\/li>\n<\/ol>\n<p dir=\"auto\">This isn\u2019t a \u201cmaybe\u201d or \u201cpossibly\u201d.\u00a0 This is happening now.<\/p>\n<p dir=\"auto\">Stay alert. Stay secure. And don\u2019t let the holidays fool you.\u00a0 The real threat is lurking behind every festive email.<\/p>\n<p dir=\"auto\"><em>P.S. If you\u2019ve received a suspicious \u201cparty invite\u201d or any other email with a suspicious link \u2014 don\u2019t click it. 
Forward it to us, and we\u2019ll help you investigate.<\/em><\/p>\n<p dir=\"auto\"><em>Source:\u00a0 October 2025 | <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.security.com\/threat-intelligence\/rmm-logmein-attacks\">https:\/\/www.security.com\/threat-intelligence\/rmm-logmein-attacks<\/a><\/em><\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As the festive season kicks into gear, so too does the cybercriminal playbook. We\u2019ve noticed a spike in phishing attempts disguised as \u201cpre-Christmas party invites\u201d.\u00a0 While the festive spirit is infectious, so too is the threat. These aren\u2019t just generic holiday greetings \u2014 they\u2019re carefully crafted lures designed to hook users into downloading malware, often [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":15585,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[],"class_list":["post-15582","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/wp\/v2\/posts\/15582","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15582"}],"version-history":[{"count":0,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/wp\/v2\/posts\/15582\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"htt
ps:\/\/new.kinetics.co.nz\/index.php?rest_route=\/"}],"wp:attachment":[{"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15582"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15582"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15582"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}