Catan and Mouse

Cisco Talos is alerting organizations to a sophisticated phishing-as-a-service (PhaaS) platform known as ARToken. This platform shares significant infrastructure and operational patterns with the previously documented EvilTokens platform, indicating a mature and evolving threat. ARToken offers a comprehensive suite of tools designed to facilitate advanced phishing and business email compromise (BEC) operations.
The ARToken panel provides access to over 80 API endpoints, enabling a wide range of malicious activities. These capabilities include device code phishing, which can be used to steal authentication tokens, and Primary Refresh Token (PRT) persistence, allowing attackers to maintain access to compromised systems. Additionally, the platform supports email access, BEC operations, and the exfiltration of data from SharePoint environments. The user interface is built on a React framework, presenting a modern and accessible dashboard for operators.

Researchers note that the extensive features of ARToken suggest it is more than a basic phishing kit; it functions as a complete operational environment for BEC attacks. The platform's maturity and the breadth of its functionalities pose a significant threat to organizations.
Security professionals are advised to be aware of the capabilities offered by ARToken. Cisco Talos has provided indicators of compromise (IOCs) that can be used to detect and block malicious activity associated with the platform. Organizations should leverage these IOCs for their internal threat hunting efforts to identify any potential compromises.
In other cybersecurity news, an aggressive password-spraying campaign was observed targeting Microsoft 365 environments, resulting in over 81 million login attempts within a two-week period. The attackers utilized valid username and password combinations, likely obtained from previous data breaches, and attempted authentication through Microsoft's Azure command-line interface.

Threat actors are also increasingly exploiting enterprise-grade AI agents to power complex cyberattacks. By compromising misconfigured or exposed AI endpoints, adversaries can leverage these automation tools against their owners, enabling more sophisticated and evasive attack strategies.
Separately, an authentication bypass vulnerability in SimpleHelp remote monitoring and management (RMM) software has been exploited for malware delivery. The flaw, tracked as CVE-2026-48558, affects the software's OpenID Connect authentication flow and allows remote attackers to gain full technician session privileges.
Cisco Talos also highlighted recent research on common malware, including a coinminer, a tool identified as Procpatcher, and a KMS activator. Additionally, a malicious HTML file was detected, identified by its SHA256 hash.





