Deep Instinct identified a Go-based C2 framework named MuddyC2Go used by MuddyWater since at least 2020; attackers deliver PowerGUI-built executables containing embedded PowerShell that automatically connect to MuddyC2Go C2 servers and switch to dynamic DNS fo…
Category: Threat Research
Attackers published malicious Python packages masquerading as obfuscation tools that execute code at install time and fetch a secondary payload called BlazeStealer. The payload runs a Discord-based remote-access bot that enables data theft, keylogging, webcam …
SysAid’s on-premises software was found to have a zero-day path traversal vulnerability that allowed code execution, exploited by DEV-0950 (Lace Tempest). The attackers deployed a WebShell via a WAR file, loaded the GraceWire loader to inject into system proce…
Imperial Kitten, an Iran-linked threat actor likely tied to the IRGC, conducted strategic web compromise operations and used novel malware families (e.g., IMAPLoader, StandardKeyboard) to target transportation, logistics, and technology sectors. CrowdStrike In…
BatLoader is a batch-based loader used to deliver payloads across multiple malware families, notably AgentTesla, QuasarRAT, AsyncRAT, Mallox Ransomware, and Cryptojacker campaigns, often via phishing. It loads payloads into memory through obfuscated PowerShell…
Predator AI is a Python-based infostealer/hacktool targeting cloud platforms, integrating a GPTj-powered ChatGPT interface to simplify use. While not production-ready, it demonstrates how AI could streamline threat-actor workflows by enriching data and adding …
Unit 42 identifies malicious Chinese APT infrastructure masquerading as cloud backup services targeting Cambodian government entities, with long-running activity tied to geopolitical aims. The operation uses a multi-domain, multi-IP C2 setup, a Cowrie honeypot…
ASEC reports active distribution of Phobos ransomware using vulnerable RDP services as an entry point. The analysis covers Phobos’ file-encryption behavior, ransom-note mechanics, persistence, defense evasion, and network-shared-folder encryption. #Phobos #Dha…
SEQRITE Labs observed multiple SideCopy campaigns that deploy Windows and Linux RATs using phishing lures, reused compromised domains, and exploitation of the WinRAR zero-day CVE-2023-38831 to trigger payloads. The actor delivered AllaKore, DRat, Key RAT and a…
Unpacking a simple Cobalt Strike loader using Debuggers and Hardware breakpoints.
A malvertising campaign impersonates a legitimate Windows portal (WindowsReport.com) to push a CPU-Z installer, delivering a signed MSIX payload that runs a malicious PowerShell script via a loader called FakeBat to install the Redline stealer. The operation u…
GhostSec unveils GhostLocker, a Ransomware-as-a-Service framework sold through a dedicated Telegram channel, with a current focus on Israel, signaling a shift in their activity. The report details GhostLocker’s build/operation, historical attacks against Is…
Researchers identified a fresh Gootloader variant named “GootBot” that adds lateral movement and stealth to post-infection activity. It uses hardcoded C2 servers on compromised WordPress sites and avoids common off-the-shelf tools to deploy additional payloads…
CYFIRMA analyzes Millenium RAT, a .NET Win32 RAT that has evolved from version 2.4 to 2.5 and is actively developed, with access sold on GitHub and details shared via Telegram. The report highlights the tool’s extensive data theft, anti-analysis, persistence, …
An NCC Group analysis dives into the D0nut extortion group’s TTPs, detailing how they used Cobalt Strike, BYOVD, GPO modifications, RDP, and Rclone-based exfiltration to deploy ransomware. The report links potential ties to HelloXD and other groups like Hive/R…