Activities align with CryptoChameleon: While many threat researchers have linked PoisonSeed actors to Scattered Spider, Silent Push believes the activity aligns more closely with the CryptoChameleon advanced phishing kit from 2024.

The mailchimp-sso[.]com domain, which is the basis of the association made with Scattered Spider, was registered on Porkbun from the previous attack up until March 24, 2025, when it was re-registered on NiceNic, a registrar of choice for both Scattered Spider and CryptoChameleon, the analysts pointed out.

PoisonSeed's cryptocurrency seed phrase poisoning attack, which relies on a supply chain spam operation, does not align with Scattered Spider TTPs. Silent Push tracked Scattered Spider as still active in 2025, with targeted brands including Credit Karma, Forbes, Nike, Louis Vuitton, and Vodafone. CryptoChameleon, on the other hand, heavily targets Coinbase and Ledger, just like PoisonSeed, along with other crypto brands.

Silent Push shared a list of indicators of future attacks (IOFA) associated with the PoisonSeed campaign and promised a much larger, real-time list exclusively to its customers.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3956008/poisonseed-targets-mailchimp-mailgun-and-zoho-to-phish-high-value-accounts.html

