Breach: Sending Malicious Software to Customers
The company's Israeli partner recently suffered an intrusion that was used to launch a phishing campaign against its clients, delivering wiper malware.
The campaign abused the compromised email infrastructure to distribute malicious downloads under the guise of the Advanced Threat Defense team. Because the emails were sent from legitimate, authenticated infrastructure, they appeared trustworthy; they warn recipients of state-sponsored threats and direct them to download malware disguised as a legitimate security tool.
The incident was disclosed in an official statement earlier today. Although the statement emphasized that the incident was contained within ten minutes and did not jeopardize the company's own systems, it did affect the company's Israeli partners.
The compromise allowed attackers to send phishing emails from seemingly legitimate domains (including ..). These emails alert recipients that their devices have been targeted by government-backed actors and provide a download link for a so-called security tool named "". The tool is merely a pretext for delivering wiper malware.
Security researchers analyzed the attack and shared detailed information about the malware on social media. The malicious payload was identified as "", and it appears to be politically motivated: an embedded message in the malware warns against "doing business with occupiers." The wiper's main function is to irreversibly destroy data, with no apparent recovery method.
The subject line of these phishing emails is "Government-backed attackers may be trying to steal your password!", and the message is styled as an official communication from the Advanced Threat Defense () team. The emails contain a download link for a file hosted on a subdomain (....) of . Inside the file is an executable named ., which, when run, deploys the wiper.
A well-known security researcher further analyzed the malware and published his findings on his blog. According to that analysis, the attack specifically targeted cybersecurity professionals within Israel. As part of its execution chain, the wiper also contacted legitimate Israeli organizations, possibly a technique to evade detection by blending malicious behavior with legitimate-looking traffic.
In its official statement, the company assured its global customer base that the breach was limited to its Israeli partners and that its own systems were not compromised. It emphasized that its technology is actively blocking the threat and that affected customers are protected, and said it is working closely with its Israeli partners to investigate the breach further and monitor for any additional malicious activity.
Although the company downplayed the scale of the incident, third-party researchers such as and pointed out that the phishing emails successfully passed and checks, which made them appear legitimate. This indicates that the attackers had access to 's mail servers, raising concerns about the depth of the intrusion.
Impact and recommendations
The company serves a large number of clients across various industries, including both individual users and corporate customers. That this phishing campaign targets cybersecurity professionals is particularly concerning, since these users typically hold sensitive positions in organizations that handle critical infrastructure and data.
To mitigate risk and prevent further damage, clients, particularly those in Israel, are advised to:
- Avoid opening unsolicited emails claiming to be from Israel or containing download links, especially if they reference the program.
- Verify any such email by cross-checking directly with through official channels.
- Avoid downloading unknown files or running unverified executables from links received by email, especially from domains that have recently been compromised.
- Run a full system scan with updated security software to confirm there is no malware infection.
- Review incident response procedures and backup strategies to prepare for wiper malware incidents, which can result in irreversible data loss.