InfoSec Briefing - January 24, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This is your security briefing for Friday, January 23, 2026, covering 4 articles analyzed overnight. All attribution is by the article authors. All article analysis is automated.

Okta reports that attackers are deploying advanced phishing kits that synchronize with live vishing calls to bypass MFA protections. The kits enable real-time browser manipulation during phone calls, allowing attackers to intercept credentials and trick users into approving fraudulent MFA prompts targeting Google, Microsoft, Okta, and cryptocurrency platforms.

The United States Department of Justice announced that two Venezuelan nationals were convicted for their involvement in an ATM jackpotting scheme and are set to be deported. The scheme involved manipulating ATMs to dispense cash fraudulently, representing a physical cybercrime operation targeting financial infrastructure.

Ctrl Alt Intel has identified a suspected state-affiliated threat actor deploying KazakRAT, a Windows-based Remote Access Trojan, in a campaign ongoing since August 2022. The malware targets entities in Kazakhstan and Afghanistan, with additional targeting of extremist groups in Uzbekistan and Syria using modified Android spyware.

NIST is revising Special Publication 800-82 to provide updated guidance on Operational Technology security for sectors including energy, manufacturing, and transportation. The revision incorporates emerging technologies such as AI and machine learning, zero trust, IoT, digital twins, and 5G, while addressing the evolving OT cybersecurity threat landscape.

That concludes today's briefing.

📰 Articles Covered

Phishing kits adapt to the script of callers - Okta

A new wave of phishing kits is adapting to support voice-based social engineering (vishing) attacks, making them more sophisticated and effective. These kits are offered as a service, enabling attackers to intercept credentials and manipulate user browsers in real-time to bypass multi-factor authentication (MFA) and trick users into approving fraudulent actions.

**What Happened:**
Attackers are using advanced phishing kits that synchronize with live vishing calls. When a target is on the phone with an attacker, the attacker can guide them to a phishing site. The phishing kit then captures the user's credentials and can manipulate the displayed web pages to match the legitimate login process, including MFA challenges. This allows attackers to trick users into approving MFA prompts or revealing sensitive information. 【1】

**Who is Affected:**
Users of services from **Google, Microsoft, Okta, and cryptocurrency providers** are particularly at risk. The attackers are targeting credentials for these platforms, leveraging vishing tactics to overcome security measures. 【1】

**Security Implications:**
The primary security implication is the **increased effectiveness of phishing and vishing attacks**, particularly against non-phishing-resistant MFA methods. These attacks can:
- **Bypass MFA:** By manipulating the user's browser in real-time, attackers can trick users into approving MFA challenges, including push notifications with number matching. 【1】
- **Credential Theft:** Attackers can steal usernames, passwords, and other sensitive information. 【1】
- **Account Takeover:** Successful credential and MFA bypass can lead to full account compromise. 【1】
- **Real-time Manipulation:** The ability to adapt the phishing page to the live interaction makes the attack appear more legitimate and harder to detect. 【1】

**Technical Details:**
The process involves several stages:
1. **Reconnaissance:** Attackers gather information about their targets. 【1】
2. **Phishing Page Setup:** A custom phishing page is created using the kit. 【1】
3. **Vishing Call:** The attacker calls the target, often impersonating a trusted entity. 【1】
4. **User Guidance:** The target is directed to the phishing site. 【1】
5. **Credential Capture:** User credentials entered on the phishing page are intercepted. 【1】
6. **MFA Manipulation:** The phishing kit observes the legitimate login process and presents corresponding MFA challenges to the user, guiding them to approve or provide the necessary information. 【1】
7. **Browser Manipulation:** The attacker can manipulate the user's browser in real-time to ensure the phishing experience aligns with the legitimate flow. 【1】

**What Defenders Should Know:**
Security teams should be aware of these evolving threats and implement the following measures:
- **Enforce Phishing-Resistant MFA:** Prioritize the use of MFA methods that are resistant to phishing, such as **Okta FastPass or FIDO passkeys**. These methods do not rely on user interaction with potentially compromised prompts. 【1】
- **Network Security Controls:** Implement **network zones or access control lists** that block access from anonymizing services (like VPNs or proxies) that threat actors frequently use to mask their origin. 【1】
- **User Education:** Continue to educate users about the risks of vishing and the importance of scrutinizing unexpected requests, even if they seem to align with a current online session. 【1】
- **Threat Intelligence:** Stay informed about the latest phishing kit capabilities and attack vectors. 【1】
Venezuelan Nationals Convicted in ATM Jackpotting Scheme to Be Deported - United States Department of Justice

The provided article from the U.S. Department of Justice (DOJ) homepage does not contain information about a specific cybersecurity event, such as an ATM jackpotting scheme. Instead, it focuses on general cybersecurity practices for official government websites.

Here's a summary based on the provided text:

* **What happened:** The article does not describe a specific incident. It serves as a general advisory about the security of official government websites.
* **Who is affected:** The general public who interact with official U.S. government websites are the intended audience.
* **Security implications:** The article emphasizes the importance of secure connections for government websites. It highlights that official ".gov" websites use HTTPS to ensure secure communication.
* **Technical details:** The key technical details mentioned are the use of the **".gov" domain** and **"HTTPS"** for secure connections.
* **What defenders should know:** For defenders, the article underscores the importance of these indicators (".gov" and "HTTPS") in establishing **trust** and ensuring the **security of government digital presences**. It advises users to only share sensitive information on official, secure websites.
Attack on *stan: Your malware, my C2 - Ctrl Alt Intel

A cybersecurity analysis has revealed **KazakRAT**, a Windows-based Remote Access Trojan (RAT), being used in a persistent campaign by a suspected state-affiliated actor.

**What Happened:**
The threat actor has been actively deploying KazakRAT, with the campaign ongoing since at least August 2022. The malware is delivered through `.msi` files and establishes persistence on infected systems by utilizing the Run registry key. Command and Control (C2) communications are unencrypted and employ a basic HTTP beaconing method. Researchers were able to gain control of a KazakRAT C2 domain, allowing them to redirect victim traffic and collect IP addresses. They have since reimplemented the C2 server in Python for further analysis.

**Who is Affected:**
The primary targets of this campaign are entities located in **Kazakhstan** and **Afghanistan**. Additionally, the threat actor has been observed to target extremist groups in **Uzbekistan** and **Syria** by employing modified Android spyware, such as XploitSpy.

**Security Implications:**
The use of KazakRAT poses significant security risks, including the potential for **espionage**, **data exfiltration**, and the **execution of arbitrary commands** on compromised systems.

**Technical Details:**
- **Malware Type:** Windows-based Remote Access Trojan (RAT).
- **Delivery Method:** `.msi` files.
- **Persistence Mechanism:** Run registry key.
- **C2 Communication:** Unencrypted HTTP beaconing.
- **Associated Android Spyware:** Modified XploitSpy.
- **Campaign Duration:** Ongoing since at least August 2022.

**What Defenders Should Know:**
Defenders need to be aware of the specific **C2 domains, IP addresses, file hashes, and YARA rules** associated with KazakRAT for effective detection and mitigation. While the threat actor shows some signs of limited operational maturity, such as expired C2 domains, their persistence and use of both custom and modified open-source tools necessitate vigilance.
NIST Special Publication (SP) 800-82 Rev. 4 (Draft), Pre-Draft Call for Comments: Guide to Operational Technology (OT) Security - The **National Institute of Standards and Technology (NIST)**, specifically its **Computer Security Division**, controls the content posted at the URL https://csrc.nist.gov/pubs/sp/800/82/r4/iprd.

The National Institute of Standards and Technology (NIST) is revising its **Special Publication (SP) 800-82, Guide to Operational Technology (OT) Security** 【1】. This revision is an ongoing process, and NIST has issued a pre-draft call for comments to gather input from the public, especially those in the Operational Technology (OT) community.

**Who is affected:**
The revision is intended to benefit the **OT community across various sectors**, including energy, manufacturing, and transportation 【1】. It will also provide expanded guidance for a wider range of OT systems, such as building automation, transit, and maritime systems 【1】.

**Security Implications:**
The revision aims to **address the evolving OT cybersecurity threat landscape** by incorporating lessons learned and aligning with current NIST guidance and OT cybersecurity standards 【1】. This proactive approach seeks to enhance the management of OT cybersecurity risks.

**Technical Details:**
The updated guidance will incorporate emerging technologies and concepts relevant to OT security. This includes:
- **Behavioral anomaly detection** 【1】
- **Digital twins** 【1】
- **Internet of Things (IoT)** 【1】
- **Artificial Intelligence (AI)** and **Machine Learning (ML)** 【1】
- **Zero trust** architectures 【1】
- **Cloud computing** 【1】
- **5G** technology 【1】
- **Edge computing** 【1】

The revision will also update information on **OT threats, vulnerabilities, and recommended practices** 【1】.

**What defenders should know:**
Defenders in the OT space should be aware that NIST is actively updating its guidance to reflect current threats and technologies 【1】. They should anticipate **enhanced recommendations for managing OT cybersecurity risks** and be prepared to adopt practices that align with the latest standards and emerging technologies 【1】. The call for comments provides an opportunity for the OT community to influence the direction of this crucial guidance 【1】.