Keypoints
- QR codes were widely adopted by attackers in 2023 for credential phishing and malware delivery and are expected to increase in 2024.
- Both zero-day and N-day vulnerabilities (e.g., MOVEit, ScreenConnect) were actively exploited by APT and eCrime actors, sometimes before public disclosure.
- eCrime actors rapidly change TTPs in response to defensive pressure, using TDSes like 404 TDS and Keitaro, uncommon filetypes (.url, .svg), new loaders, and information stealers.
- Older malware such as DarkGate has resurfaced as a common payload alongside loaders and stealers.
- Macro-enabled documents are becoming less effective due to improved defenses, pushing attackers toward vulnerability exploitation and other methods.
- AI is being adopted to scale operations and improve tooling (e.g., malware clustering with Camp Disco), increasing attacker efficiency.
- Community sharing of IOCs, PCAPs, and TTPs remains a critical defensive resource.
MITRE Techniques
- [T1566] Phishing – Used for credential collection and delivery of malicious content (‘credential phishing and malware campaigns’)
- [T1204.002] User Execution: Malicious File (macro-enabled) – Attackers have used macro-enabled documents as an initial vector (‘macro-enabled documents — much less useful’)
- [T1190] Exploit Public-Facing Application – Actors exploited both zero-day and known vulnerabilities in publicly facing services and appliances (‘zero-day and N-day vulnerability exploitation’, ‘MOVEit file transfer service vulnerability’)
- [T1218] Signed Binary Proxy Execution / Living off the Land Binaries (LOLBins) – Adversaries leveraged legitimate binaries to evade defenses (‘living off the land binaries (LOLBins)’)
Indicators of Compromise
- [Threat Actors] observed actor names – TA473, TA577
- [Malware/Tools] payloads and tooling – DarkGate, Qbot
- [Vulnerable Products/Exploits] exploited services – MOVEit, ScreenConnect
- [Traffic Distribution Systems] TDS infrastructure – 404 TDS, Keitaro TDS
- [File Types] uncommon delivery artifacts – .url, .svg
- [Defensive/Analytic Tools] research tooling referenced – Camp Disco (malware clustering engine)
Attackers increasingly use QR codes as an initial vector to bypass traditional email defenses: the QR image directs the victim to a phishing page or payload that is easy to open from a mobile device. Proofpoint added in-line sandboxing to detect QR-mediated threats, but QR-based credential phishing and credential-capture workflows in the eCrime space continue to rise.
Exploitation of both zero-day and N-day vulnerabilities continues to be a primary technique. APTs and eCrime groups have exploited publicly accessible services and appliances (examples cited include TA473 activity and a zero-day in an email security gateway) and rapidly weaponized flaws in MOVEit and ScreenConnect, sometimes before public disclosure. As macro-enabled documents lose effectiveness due to improved detections, adversaries are shifting to vulnerability chaining, custom loaders, and information-stealer payloads to achieve initial access and persistence.
Defensive pressure drives behavioral change: attackers adopt traffic distribution systems (404 TDS, Keitaro), use uncommon file formats (.url, .svg) as delivery artifacts, and revive older payloads such as DarkGate while introducing new loaders and stealers. AI is in use on both sides: attackers apply it to scale operations and generate content, while defenders apply it to tooling such as Camp Disco to accelerate malware clustering and threat hunting. Rapid sharing of IOCs and telemetry across the community therefore remains essential.
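As an added defensive example (not code from the Proofpoint post), the following Python script triages the attachments of a constructed sample email for the delivery artifacts named above: it parses Windows Internet Shortcut (.url) attachments and blocks any whose target is a remote scheme, flags .svg attachments (blocking those that embed script), and routes image attachments to a QR-aware sandbox for decoding. The message, sender addresses, filenames and verdict policy are all constructed assumptions for the demonstration; only the Python standard library is used.

```python
"""Attachment triage for uncommon delivery artifacts (.url, .svg) and
QR-bearing images. Added example; the sample message is constructed."""
import configparser
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Extensions the summary names as uncommon delivery artifacts, plus image
# types that a QR-aware sandbox would need to decode (assumed policy).
UNCOMMON_EXTENSIONS = {".url", ".svg"}
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}


def parse_url_shortcut(data: bytes) -> Optional[str]:
    """Return the URL= target of an Internet Shortcut (.url) file, or None.

    The format is INI-style: a [InternetShortcut] section with a URL key.
    utf-8-sig strips a leading BOM, which would otherwise hide the header.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(data.decode("utf-8-sig", errors="replace"))
    except configparser.Error:
        return None
    for section in parser.sections():  # section names are case-sensitive
        if section.lower() == "internetshortcut":
            return parser[section].get("url")  # option keys are lowercased
    return None


def triage_attachment(filename: str, payload: bytes) -> Dict[str, object]:
    """Classify one attachment as allow / review / block with a reason."""
    name = filename.lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    finding: Dict[str, object] = {
        "filename": filename, "extension": ext, "verdict": "allow", "reason": ""}
    if ext == ".url":
        target = parse_url_shortcut(payload)
        scheme = urlsplit(target).scheme.lower() if target else ""
        finding["target"] = target
        if scheme in REMOTE_SCHEMES:
            finding["verdict"] = "block"
            finding["reason"] = f"internet shortcut points to a remote {scheme} resource"
        else:
            finding["verdict"] = "review"
            finding["reason"] = "internet shortcut without a parsable remote target"
    elif ext == ".svg":
        text = payload.decode("utf-8", errors="replace").lower()
        if "<script" in text or "onload=" in text:
            finding["verdict"] = "block"
            finding["reason"] = "SVG attachment embeds script"
        else:
            finding["verdict"] = "review"
            finding["reason"] = "uncommon SVG attachment"
    elif ext in IMAGE_EXTENSIONS:
        finding["verdict"] = "review"
        finding["reason"] = "image attachment; submit to QR-aware sandbox"
    return finding


def triage_message(raw: bytes) -> List[Dict[str, object]]:
    """Walk every attachment part of a raw RFC 5322 message and triage it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        findings.append(triage_attachment(filename, payload))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: one benign text file, one .url, one .svg, one PNG."""
    msg = EmailMessage()
    msg["From"] = "invoices@example.invalid"   # constructed sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice (constructed sample)"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"meeting notes", maintype="text", subtype="plain",
                       filename="notes.txt")
    shortcut = b"[InternetShortcut]\r\nURL=http://example.invalid/invoice\r\n"
    msg.add_attachment(shortcut, maintype="application",
                       subtype="octet-stream", filename="invoice.url")
    svg = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* sample */</script></svg>'
    msg.add_attachment(svg, maintype="image", subtype="svg+xml", filename="diagram.svg")
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8  # header only; stands in for a QR image
    msg.add_attachment(png, maintype="image", subtype="png", filename="scan.png")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in triage_message(build_sample_message()):
        print(f"{f['filename']:<14} {f['verdict']:<7} {f['reason']}")
```

The verdicts are a starting policy, not a product rule set: in a real gateway the "review" bucket would feed the in-line sandbox mentioned above, where image attachments are decoded for QR content and the resulting URLs are scanned like any other link.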
Read more: https://www.proofpoint.com/us/blog/threat-insight/threat-landscape-always-changing-what-expect-2024