
AI-Driven Social Engineering, Evasive Phishing Techniques, and a Glimpse into Modern Infostealer Operation

Last Modified Date: Dec 23, 2025


The Optery Dispatch

Welcome to The Optery Dispatch — a newsletter delivering the latest insights on threat intelligence and proactive cybersecurity strategy. In Issue #8, published December 16, 2025, we cover:

  • Trend Micro outlines how AI is transforming cybercrime into a high-speed, highly scalable operation, automating reconnaissance, accelerating social engineering and identity-based attacks, and pushing organizations beyond purely reactive defenses.
  • Proofpoint highlights three modern phishing campaigns that bypass email controls by shifting delivery and detection challenges onto end users.
  • Beazley and SentinelOne provide a rare look inside a modern infostealer operation after a threat actor ran PXA Stealer repeatedly on his own machine.

The AI-fication of Cyberthreats: Trend Micro 2026 Predictions

The cyber threat landscape is evolving into a contest of speed, adaptability, and automation, requiring a shift beyond reactive defenses

Trend Micro’s Security Predictions for 2026 describes a threat landscape entering a new phase defined by automation, scale, and speed.

The report warns that attackers will use autonomous agents to automate fraud, run large, highly personalized social engineering campaigns, and orchestrate multistep attacks without human oversight.

As AI-generated messages become indistinguishable from human-written ones, traditional defensive models will lose their effectiveness. Trend Micro notes that attackers are already training models on victims’ public data to tailor messages to a person’s role, organization, and communication style, making both phishing and BEC harder to detect.

The report expects identity-based attacks such as phishing-as-a-service, adversary-in-the-middle operations, session hijacking, and cloud-native phishing to accelerate as AI automates reconnaissance, payload generation, and delivery.

Advanced persistent threat (APT) groups and ransomware operators are incorporating AI to scale reconnaissance, identify vulnerable systems, blend malicious activity into normal behavior, and operate more quickly across hybrid environments. Trend Micro predicts attackers will increasingly purchase direct access rather than conduct their own reconnaissance, while AI-enabled OSINT will continue to make profiling easier and more precise.

Defensively, Trend Micro stresses that content-based detection is becoming obsolete. Organizations must shift toward trust verification architectures, stronger identity and access management, behavioral analytics, Zero Trust principles, and continuous authentication. Existing IAM systems, which were designed for human users and long-lived service accounts rather than ephemeral AI agents, are expected to become a growing point of compromise.

Trend Micro highlights how AI-driven attacks increasingly depend on public and online information about people to personalize lures and generate convincing messages. As attackers train models on scraped public data and expand identity-based attacks, organizations must reduce the available PII that enables targeting.

Removing employee and executive information from data brokers, people-search sites, and social media limits the inputs used to power AI-assisted social engineering and directly reduces the attack surface for today’s most common cyber threats.

Read the full report for more insights and predictions:

Proofpoint Highlights Three Phishing Methods Evading Email Security Controls

Phishing campaigns increasingly avoid gateways by shifting risk to the user layer

In our last issue, we highlighted two emerging phishing techniques, ClickFix and Quantum Route Redirect, that bypass traditional email defenses. Proofpoint recently documented additional evasion methods that follow the same pattern: attackers are deliberately engineering delivery paths where malicious content reveals itself only after user interaction, while evading static or one-time inspections performed by email security systems.

Proofpoint’s analysis provides three concrete examples of how threat actors are getting past modern defenses.

The first is the link verification exploit, where a malicious site is hidden behind a legitimate authentication page such as OneDrive, Dropbox, or DocuSign. Because the initial URL contains nothing harmful, email gateways classify it as clean. Only after a user authenticates do the attackers reveal the credential-harvesting form or malware payload. The security tools never see the malicious content; only the user does.

The second tactic, the sandbox mirage, takes this further. Attackers build servers that detect whether a visitor is a human or a security sandbox by analyzing user-agent strings, IP ranges, HTTP headers, JavaScript execution, and navigation behavior. If the request looks automated, the server displays harmless content; if it looks like a real user, the malicious site loads. This selective delivery ensures that gateways consistently misclassify the threat.

The third technique completely bypasses email infrastructure. In the Google Calendar exploit, attackers create calendar events in a Gmail account and add corporate targets, but never send the invitations. Google Workspace syncs the event automatically, delivering phishing links and malicious attachments directly to users’ calendars without passing through any email gateway.

Proofpoint recommends enhanced analysis, browser-level protections, and ongoing user awareness to address these campaigns. In addition to these, reducing exposed personal data remains a critical defensive layer, as all three tactics rely on targeting specific users. Without emails, job roles, and org-chart relationships, attackers’ lures can’t reach their intended targets, limiting the effectiveness of these evasive delivery techniques.

Read more: How Threat Actors Engineer Attacks to Evade Email Security (Proofpoint)

Beazley & SentinelOne’s PXA Stealer Investigation: A Rare Look Inside a Modern Infostealer Operation

A Vietnamese threat actor ran PXA Stealer on his own machine, providing valuable insights into infostealer development, testing, delivery, and monetization

Beazley Security Labs’ latest investigation, conducted in partnership with SentinelOne Labs, provides one of the most unusual and valuable intelligence windows into a modern infostealer operation.

Beazley’s MDR team initially detected and contained an infostealer campaign in a client environment, but the investigation expanded dramatically when PXA Stealer suddenly began exfiltrating data from the attacker’s own development machine, likely a test environment, into a Telegram channel the analysts were monitoring. The data included credentials, screenshots, infrastructure details, and operational accounts.

This gave researchers rare visibility into the attacker’s tooling, development lifecycle, infrastructure, monetization channels, and social engineering tradecraft.

The investigation reveals how infostealers now operate as full-scale, professionalized criminal ecosystems. PXA Stealer was tied to Telegram C2 channels, Cloudflare Workers for traffic redirection, cryptocurrency wallets, log-selling marketplaces, and accounts on cybercriminal forums.
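As an added example (not from the Beazley or SentinelOne report), the following Python detection runs over constructed proxy log lines and flags Telegram Bot API upload calls (sendDocument, sendMessage, sendPhoto) made by processes that have no reason to operate a bot, which is the network footprint a Telegram-based C2 channel like the one described here leaves behind. The log format, hosts, process names and the bot token placeholder are all assumptions.

```python
import re
from typing import Dict, List

# Constructed proxy log lines in key=value form (not from the report); the bot token is a placeholder.
SAMPLE_LOG = """\
2025-12-10T09:14:02Z src=10.0.5.23 user=jdoe proc=chrome.exe method=GET host=news.example.invalid path=/ bytes=5120
2025-12-10T09:14:07Z src=10.0.5.23 user=jdoe proc=photoviewer.exe method=POST host=api.telegram.org path=/bot1234567890:PLACEHOLDER_TOKEN/sendDocument bytes=184320
2025-12-10T09:14:09Z src=10.0.5.23 user=jdoe proc=photoviewer.exe method=POST host=api.telegram.org path=/bot1234567890:PLACEHOLDER_TOKEN/sendMessage bytes=612
2025-12-10T09:15:31Z src=10.0.7.40 user=asmith proc=Telegram.exe method=POST host=web.telegram.org path=/ bytes=2048
2025-12-10T09:16:00Z src=10.0.5.23 user=jdoe proc=chrome.exe method=POST host=api.telegram.org path=/bot1234567890:PLACEHOLDER_TOKEN/getMe bytes=90
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
# Bot API calls that move data out: /bot<id>:<token>/<method>. Only the numeric bot id is kept, never the token.
UPLOAD_RE = re.compile(r"^/bot(?P<bot_id>\d+):[^/]+/(?P<api_method>sendDocument|sendMessage|sendPhoto)$")
# Processes permitted to drive a Telegram bot (an ops alerting bot, say). Empty here: nothing is expected to.
ALLOWED_BOT_PROCS: set = set()

def parse_line(line: str) -> Dict[str, str]:
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields

def detect_telegram_exfil(log: str) -> List[Dict[str, object]]:
    """Flag Bot API upload calls from endpoints and processes with no business operating a bot."""
    alerts: List[Dict[str, object]] = []
    for line in log.splitlines():
        f = parse_line(line)
        if f.get("host") != "api.telegram.org" or f.get("method") != "POST":
            continue  # ordinary Telegram client traffic and non-Bot-API hosts are out of scope
        m = UPLOAD_RE.match(f.get("path", ""))
        if not m or f.get("proc") in ALLOWED_BOT_PROCS:
            continue  # getMe/getUpdates and allow-listed bots are not exfiltration signals
        alerts.append({"ts": f["ts"], "src": f["src"], "user": f.get("user"), "proc": f["proc"],
                       "bot_id": m["bot_id"], "api_method": m["api_method"], "bytes": int(f.get("bytes", 0))})
    return alerts

def summarize(alerts: List[Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    """Roll up per source host and bot: call count, bytes sent and the processes involved."""
    out: Dict[str, Dict[str, object]] = {}
    for a in alerts:
        s = out.setdefault(f'{a["src"]}->bot{a["bot_id"]}', {"calls": 0, "bytes": 0, "procs": set()})
        s["calls"] += 1
        s["bytes"] += a["bytes"]
        s["procs"].add(a["proc"])
    return out
```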

Beazley and SentinelOne also uncovered evidence of how the operation evolved over time. Earlier campaigns relied on commodity malware such as XWorm and RedLine, with components staged through GitHub repositories. Over time, the actor, known as LoneNone, transitioned from using commodity infostealers to operating PXA Stealer, a distinct, actor-controlled infostealer, paired with more ephemeral hosting infrastructure designed to reduce visibility and resist disruption. This evolution highlights how infostealer operators are increasingly moving toward attacker-controlled tooling to maintain control over delivery, infrastructure, and evasion.

The behind-the-scenes access also revealed the social engineering foundation of the campaign. Screenshots and artifacts showed the use of copyright-infringement-themed lures, a pattern consistent with earlier campaigns and reinforced by the discovery of the actor’s account with a commercial DMCA-takedown service. The lure themes mirror the attacker’s real-world affiliations, making the phishing material more convincing. This aligns with broader industry findings: successful infostealer deployment almost always begins with social engineering.

Beazley and SentinelOne also observed disciplined operational testing. The attacker repeatedly tested payloads with Kleenscan, a malware-scanning service aimed at malware authors that is used to check that files remain “Fully Undetected,” and leveraged Cloudflare Workers to obscure the C2 origin. Combined with delivery via deceptive documents and side-loaded DLLs, the campaign exemplifies how infostealers are engineered to bypass enterprise defenses and deliver credential theft at scale.

As Beazley notes in its Q3 report, stolen credentials remain one of the most common entry points for ransomware operators, and infostealers continue to be a major upstream enabler.

In practice, those infostealer infections are usually delivered through social engineering lures, which depend on exposed employee PII to reach the right targets.

More and more, attackers are using infostealers as first-stage payloads, and organizations must limit employee exposure across data broker sites and other sources to help prevent being targeted.

Learn more:

Thanks for reading! Want us to write about something specific? Submit a topic or idea.

If you’re looking to reduce your organization’s exposed PII and prevent phishing, voice and messaging scams, credential theft, and other PII-based threats, Optery can help. Get started here: Optery for business
