A WhatsApp mod with a built-in spy module has been spreading through Arabic and Azeri Telegram channels since August 2023.
Category: Threat Research
Unpacking an AsyncRAT loader using Process Hacker and dnSpy
Jamf Threat Labs identified a new macOS malware variant attributed to the BlueNoroff APT group, linked to the Rustbucket campaign, embedded in a Mach-O universal binary labeled ProcessRequest. The malware communicates with swissborg.blog (resolved to 104.168.2…
Jamf has identified ObjCShellz, a new macOS malware linked to North Korean BlueNoroff/Lazarus actors and likely part of the RustBucket Campaign, targeting crypto exchanges. The sample shows a simple remote-shell capability with a hardcoded C2 address, and rese…
Threat researchers from eSentire’s TRU describe how DarkGate loader is used to deploy DanaBot, highlighting drive-by download delivery, a rich feature set, and advanced evasion techniques. The post also covers observed IOCs, attacker infrastructure, and remedi…
The Russia-based SWAT USA Drop reshipping service, a major operation laundering stolen merchandise, was hacked, exposing its internal operations, finances, and organizational structure. The leak details how “drops” and “stuffers” use stolen credit cards to buy…
eSentire’s TRU team details a stealthy NetWire RAT deployment chain starting with a drive-by download and culminating in process hollowing via Frenchy Shellcode, aided by AntiVM checks, UAC bypass, and persistence. The write-up covers the delivery chain, core …
Demonstrates three additional methods for obtaining unpacked malware samples, using Process Hacker, PE-sieve, HxD and PE-bear.
Hive0051 is documented by X-Force as executing large-scale, synchronized multi-channel DNS fluxing to remap its C2 infrastructure across Telegram channels and Telegraph sites, enabling persistent operations and dynamic reallocation of victims across Gamma malw…
PDFs are a popular vector for delivering malware, often via phishing emails, and attackers abuse PDF features like JavaScript, embedded streams, and reader vulnerabilities to drop payloads. The article demonstrates real-world examples, open-source tools for an…
CYFIRMA highlights Good Day ransomware, an ARCrypter family member that disguises itself as a Microsoft Windows Update and employs stealthy techniques (such as VSS deletion and debugger detection) while encrypting files and exfiltrating data. The report also covers related…
Trap Stealer is an open-source Python-based stealer that claims to pilfer a wide range of data from compromised systems in just 6 seconds, with exfiltration to threat actors via Discord webhooks. It leverages deceptive methods like fake gift-card generators an…
Unit 42 investigates a destructive, data-theft campaign attributed to the Iranian-linked Agonizing Serpens (Agrius) APT, targeting Israeli higher-education and tech sectors from January to October 2023. The operation blends data exfiltration with new wipers (M…
Prolific Puma is a DNS threat actor that has operated unnoticed for over four years, primarily focusing on domain generation and link shortening services for malicious activities. This underground network creates a vast number of domains using an RDGA to suppo…
Social media platforms offer immense opportunities for financially motivated threat actors to conduct large-scale attacks against unsuspecting Internet users. Fraudulent and malicious threats are prevalent on all social networks, and it has become crucial for users to be aware of the latest tricks that can compromise the security of their accounts, data, reputation and finances. Cybercriminals always seek to trick users into taking all sorts of unwelcome actions, and one way they achieve this is