Full Report
The report contains statistics on spam and phishing in 2025, outlining the main trends: phishing and scam QR codes, ClickFix attacks, ChatGPT subscription lures and others.
Analysis Summary
Based on the provided context from the Kaspersky spam and phishing report for 2025, specific malware families, technical details, and deep MITRE ATT&CK mappings for *individual* TTPs are not explicitly detailed; the provided context is a high-level summary of trends.
Therefore, the summary below focuses on the *emerging trends and techniques* mentioned in the context, as these represent the identified threat landscape highlights for the reporting period, using placeholders where specific technical details are not available from the provided snippet.
---
# Tool/Technique: Phishing and Scam QR Codes
## Overview
This technique involves leveraging QR codes embedded in communications (likely spam or phishing emails/messages) to direct victims to malicious websites, often associated with financial scams or credential harvesting.
## Technical Details
- Type: Technique (Delivery Mechanism)
- Platform: Mobile (primary), Desktop (secondary)
- Capabilities: Rapid redirection, bypassing text-based URL scrutiny, leveraging the perceived trust in QR technology.
- First Seen: [Information not provided in the context, but this is an emerging trend for 2025]
## MITRE ATT&CK Mapping
*Note: Since this is a delivery mechanism, the mapping focuses on the initial stages.*
- **TA0001 - Initial Access**
  - T1204 - User Execution
    - T1204.002 - User Execution: Malicious File (If the QR code downloads a payload after redirection)
  - T1566 - Phishing
    - T1566.001 - Phishing: Spearphishing Attachment (If included in a targeted email)
## Functionality
### Core Capabilities
- Encoding URLs or data that initiate a malicious action upon scanning (e.g., visiting a phishing landing page).
- Used to deliver classic phishing kits or exploit mobile vulnerabilities.
### Advanced Features
- Obscuring the final destination URL so that the preview shown by a basic QR scanner does not reveal the phishing page.
## Indicators of Compromise
- File Hashes: [Not applicable to the QR code itself]
- File Names: [Not applicable]
- Registry Keys: [Not applicable]
- Network Indicators: Malicious landing page URLs generated by the QR code (e.g., `hxxp://phishserver[.]com/verify`, `hxxp://fast-login[.]net/capture`)
- Behavioral Indicators: Excessive scans from unusual sources, suspicious redirection chains following QR code interactions.
## Associated Threat Actors
- General cybercriminals exploiting high-volume social engineering trends for financial gain.
## Detection Methods
- Signature-based detection: Blacklisting known malicious QR code payloads or domains.
- Behavioral detection: Scanning incoming messages/emails for embedded QR codes containing known threat patterns or high-entropy encoding.
- YARA rules: Potentially for detecting specific QR generation libraries or embedded patterns in emails if the QR image is analyzed.
## Mitigation Strategies
- Implementing email gateways capable of rendering and analyzing QR code contents before delivery.
- User Training: Educating users specifically on the dangers of scanning unknown QR codes, especially from unsolicited sources.
- Mobile security solutions inspecting redirects initiated by mobile scanners.
## Related Tools/Techniques
- Traditional Phishing Links
- QR Code Stealing (similar concept applied to physical environments)
---
# Tool/Technique: ClickFix Attacks
## Overview
"ClickFix attacks" appear to refer to a specific social engineering campaign or framework noted in the 2025 report, characterized by forcing user interaction (a "click"), often leveraging urgency or technical troubleshooting narratives. *(Note: As this is a proprietary term or a highly specific trend from the source, details are inferred from general phishing practices.)*
## Technical Details
- Type: Technique / Campaign Style
- Platform: Web, Email
- Capabilities: Exploiting users' habits or their desire to fix a problem to trick them into downloading malware or submitting credentials.
- First Seen: [Information specific to the 2025 report context]
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1204 - User Execution
  - T1566 - Phishing
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter (If the click executes active content)
## Functionality
### Core Capabilities
- Deception centered around "fixing" an apparent issue (e.g., browser error, subscription problem).
- Reliance on a high click-through rate achieved via persuasive lure content.
### Advanced Features
- Potentially involves tailored landing pages designed to look like trusted system alerts.
## Indicators of Compromise
- File Hashes: [Specific details unknown]
- File Names: [Specific details unknown, possibly benign sounding files like `fix_update.exe` or `error_report.zip`]
- Registry Keys: [Unknown]
- Network Indicators: Domains mimicking legitimate software update/support sites (e.g., `microsoft-support-portal[.]com`, `adobe-patcher[.]co`).
- Behavioral Indicators: Execution chain initiated immediately following a direct link click without further manual input.
## Associated Threat Actors
- Attack groups leveraging high-volume phishing techniques for broad deployment.
## Detection Methods
- Behavioral analysis detecting immediate execution following web interaction.
- Web filtering blocking domains associated with known ClickFix campaigns.
## Mitigation Strategies
- Implement strict policies regarding the execution of downloaded files following web interactions.
- Just-in-Time execution policies for common downloader file types.
## Related Tools/Techniques
- Watering Hole Attacks (If the click leads to drive-by download)
- Social Engineering
---
# Tool/Technique: ChatGPT Subscription Lures
## Overview
This involves phishing campaigns impersonating OpenAI's ChatGPT or related Artificial Intelligence services, primarily using the lure of premium subscriptions, feature access, or fake billing alerts to steal financial information or credentials.
## Technical Details
- Type: Technique / Lure Theme
- Platform: Web (Targeting desktop and mobile users of modern web services)
- Capabilities: High relevance/timeliness (leveraging popular technology) for social engineering success.
- First Seen: [Trend noted in the 2025 report]
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566.001 - Phishing: Spearphishing Attachment (If a malicious document is attached to a "subscription error" email)
  - T1566.002 - Phishing: Spearphishing Link (If a link directs to a fake ChatGPT login/payment portal)
- **TA0006 - Credential Access**
  - T1003 - OS Credential Dumping (If the user inputs credentials across multiple platforms)
## Functionality
### Core Capabilities
- Harvesting OpenAI account credentials.
- Collecting payment card details via fake checkout pages.
### Advanced Features
- Sophisticated use of AI-generated content or design parity to make the landing page appear highly authentic.
## Indicators of Compromise
- File Hashes: [Unknown]
- File Names: [Unknown]
- Registry Keys: [Unknown]
- Network Indicators: Domains mimicking OpenAI services (e.g., `openai-billing-update[.]net`, `chatgpt-premium-renew[.]org`).
- Behavioral Indicators: Credential harvesting attempts characterized by rapid submission of account details followed by immediate logout or error screen.
## Associated Threat Actors
- Cybercriminals focusing on high-value credentials or financial targets, using topical lures to increase campaign effectiveness.
## Detection Methods
- URL pattern matching for known impersonation domains targeting AI services.
- Heuristic analysis flagging login forms that request SaaS credentials and are reached from links in unsolicited emails.
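The gateway-side check described under the QR code detection methods above (analyzing decoded QR contents against known-bad domains) and the impersonation-domain matching for AI services described here can be implemented as one triage step. The following is an added example, not code from the report; it refangs the defanged indicators quoted on this page into a blocklist, and the brand allowlist is a constructed assumption that a defender would maintain themselves.

```python
from urllib.parse import urlparse
import ipaddress

# Defanged indicators as quoted on the page; refanged into a blocklist at load time.
DEFANGED_IOCS = [
    "hxxp://phishserver[.]com/verify",
    "hxxp://fast-login[.]net/capture",
    "openai-billing-update[.]net",
    "chatgpt-premium-renew[.]org",
]

# Assumption: brand keywords and the hosts a defender allows to carry them.
BRAND_ALLOWLIST = {
    "openai": {"openai.com"},
    "chatgpt": {"chatgpt.com", "openai.com"},
}

def refang(ioc: str) -> str:
    """Turn hxxp://x[.]y into http://x.y so it parses as a normal URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")

def host_of(value: str) -> str:
    """Lowercase hostname of a URL or of a bare domain indicator."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

BLOCKED_HOSTS = {host_of(refang(ioc)) for ioc in DEFANGED_IOCS}

def _matches(host: str, domains) -> bool:
    # Exact match or any subdomain of a listed domain.
    return any(host == d or host.endswith("." + d) for d in domains)

def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def assess_payload(payload: str) -> list:
    """Reasons a decoded QR payload or email link should be held; [] if none."""
    parsed = urlparse(payload.strip())
    if parsed.scheme not in ("http", "https"):
        # QR codes may carry Wi-Fi, vCard or plain text; only URLs are assessed.
        return ["non-http payload"] if parsed.scheme else ["not a URL"]
    host = (parsed.hostname or "").lower()
    reasons = []
    if _matches(host, BLOCKED_HOSTS):
        reasons.append("host on blocklist")
    if _is_ip(host):
        reasons.append("raw IP address host")
    for brand, allowed in BRAND_ALLOWLIST.items():
        if brand in host and not _matches(host, allowed):
            reasons.append("lookalike of " + brand)
    return reasons
```

Decoding the QR image itself (for example with a ZBar-based library) is left to the gateway; this function takes the decoded string.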
## Mitigation Strategies
- Multi-Factor Authentication (MFA) enforcement on all critical accounts, including SaaS platforms.
- User awareness training distinguishing official service portals from unsolicited links.
## Related Tools/Techniques
- MFA Fatigue/Spamming
- Credential Harvesting Phishing Kits