In this report Kaspersky shares insights into the validation components used in Operation Triangulation, TriangleDB implant post-compromise activity, as well as details of some additional modules.
Category: Threat Research
Manually decoding a Cobalt Strike .vbs Loader utilising advanced CyberChef and Shellcode Emulation.
An extensive NetSupport RAT intrusion in January 2023 shows attackers using phishing to deliver a malicious JavaScript loader, which then deployed a PowerShell payload to install NetSupport and establish persistence. The operation progressed to domain compromi…
Decoding a .hta script with CyberChef and analysing Shellcode with the SpeakEasy Emulator.
Cyble CRIL uncovered a new Higaisa APT operation that uses a phishing site impersonating legitimate VPN software to deliver a Rust-based payload. The malware features anti-debugging, shellcode decryption, and encrypted C2 communication, with connections to add…
Netskope analyzed a malicious Word document delivering a backdoor named Menorah attributed to APT34, distributed via spear-phishing and obfuscated VBA. The payload drops a .NET executable, persists via a scheduled task, and communicates with a C2 server over H…
Insikt Group identified an application disseminated on a Telegram channel used by members or supporters of the Hamas terrorist organization.
ExelaStealer is a new Python-based infostealer distributed as both an open-source project and a paid, customizable build that targets Windows to harvest browser credentials, cookies, clipboard contents, screenshots, and keystrokes. FortiGuard Labs’ analysis sh…
Two campaigns targeted at Hong Kong residents used malvertising to push fake WhatsApp Web and Telegram pages, tricking victims into scanning QR codes or downloading malware. The operators aimed to steal data, impersonate accounts, and compromise devices, with …
Cybercriminals attack government, law enforcement, non-profit organizations, agricultural and commercial companies by slipping a cryptominer, keylogger, and backdoor into their systems.
Cisco Talos assesses that YoroTrooper is a Kazakhstan-origin, espionage-focused threat actor active since June 2022, with language and currency cues pointing to Kazakhstan and a focus on CIS government targets. The group disguises its operations as Azerbaijan,…
A phishing campaign targeting Russian users delivered an NSIS-based loader that installs backdoors and data-stealing components, with the Go-written UsrRunVGA.exe as the main backdoor. The operation ran in two waves, using anti-virtualization checks, encrypted data e…
Cactus ransomware, discovered in March 2023, uses a mutex to ensure a single active copy and persistence via a scheduled task named “Updates Check Task.” It encrypts files with AES (OpenSSL), stores the public RSA key encrypted inside the binary, and renames e…
XWorm is a modular .NET RAT analyzed in-depth, detailing a multi-stage unpacking and deobfuscation process that culminates in a runnable payload. The write-up walks through the analysis from initial malspam delivery to the final unpacked sample, including conf…