The article examines how steganography is being revived in recent malware campaigns to hide payloads inside benign files like images, and demonstrates a hands-on analysis using ANY.RUN and CyberChef to extract and inspect hidden code. It covers phishing-based …
Category: Threat Research
Rusty Droid is an Android RAT that masquerades as Chrome (package com.catajuhufepusuwo.xenonome), requests Accessibility service, then decrypts and loads a DEX payload to steal credentials, SMS, and other sensitive data while contacting a hardcoded C2. The mal…
Threat actors are distributing the information-stealer Lumma Stealer via Discord by hosting malicious installers on Discord’s CDN and luring victims with direct-message social engineering. The malware executes a downloaded binary that contacts the C2 domain ga…
Anomali’s Cyber Watch roundup covers multiple campaigns including ROMCOM 4.0 (PEAPOD) backdoors targeting defense and government sectors, a typosquatted RedAlert Android infostealer, EtherHiding via blockchain hosting, the NoEscape ransomware, and ShellBot DDo…
Malware researchers analyzed how Discord is being abused to download payloads and exfiltrate data, including a Ukrainian-targeted sample that points to emerging APT-like activity. The attack chain leverages Discord’s CDN to fetch a next-stage payload and Disco…
Cyble reports a threat actor targeting Italian-speaking users with a Tor Browser phishing site delivering a fileless Pure Clipper campaign. The operation uses a .NET dropper obfuscated with SmartAssembly, loads loader/crypto payloads, stores data in the regist…
Akira Stealer is a Python-based information stealer offered as Malware-as-a-Service (MaaS) via a dedicated portal at Akira.red, with Telegram used for updates and command-and-control. It harvests credentials, financial data, and system information, exfiltratin…
QuasarRAT employs a novel dual DLL sideloading technique using two trusted Microsoft processes, ctfmon.exe and calc.exe, to stealthily deploy payloads and evade detection. The analysis covers the two-phase execution flow, resource encryption/decryption, memory…
Threat hunting today blends structured methodologies, real-time data analysis, and adaptive automation to uncover anomalies, threats, and attacker activity across logs, networks, and endpoints. The article showcases traditional approaches, a modern futuristic …
BlackCat operators introduced a new tool called Munchkin that uses a customized Alpine VM to deploy and propagate the BlackCat payload across remote machines and SMB shares. Unit 42 explains how Munchkin runs inside a VirtualBox VM, decrypts strings at runtime…
Threat actors leveraged malvertising and a Punycode-based domain to impersonate KeePass, directing users to a lookalike site. The campaign delivers a malicious MSIX installer signed to look legitimate, which runs PowerShell code linked to the FakeBat family an…
Vietnamese threat actor clusters are using Malware as a Service infostealers and RATs (DarkGate, Ducktail, Lobshot, Redline stealer) to hit the digital marketing sector, with a strong focus on Facebook Business accounts. The campaigns show heavy overlap in lur…
Crambus (OilRig/APT34) conducted an eight-month intrusion against a Middle Eastern government in early 2023, stealing files, passwords, and emails while deploying backdoors and credential dumping tools. The operation relied on PowerShell backdoors (PowerExchan…
Two North Korean threat actors, Diamond Sleet and Onyx Sleet, were observed exploiting CVE-2023-42793 in JetBrains TeamCity servers to gain access and persist in victim environments. They used two distinct attack paths—ForestTiger backdoor deployment and DLL s…
Cyble Research and Intelligence Labs uncovered a phishing-driven VPN malware campaign that delivers BbyStealer via VPN installer downloads. The campaign impersonates VPN services, drops BbyStealer to steal browser and crypto wallet data, and even performs a cl…