This write-up details MedusaLocker’s technical behavior, including privilege escalation via a UAC bypass, persistence through %AppData% duplication and registry entries, termination of backup/DB services, shadow-copy removal, and AES+RSA file encryption. It al…
Category: Threat Research
An under-the-radar malvertising campaign targets Notepad++ users via compromised ad accounts, delivering time-sensitive .hta payloads and decoy Notepad++ pages. It fingerprint VM environments, uses a unique per-user ID, and communicates with a remote C2 domain…
Threat actors targeted obsolete ColdFusion 11 servers to gain access and pivot to deploying ransomware, using leaked LockBit 3.0 code, but Sophos blocked all attempts on a customer network. The activity ties to a threat actor calling itself BlackDogs 2023, who…
Qubitstrike is a sophisticated cryptojacking campaign targeting exposed Jupyter Notebooks, leveraging Codeberg for payload hosting and Discord for C2, with cloud credentials targeted for later exploitation. The operators deploy XMRig, Diamorphine rootkit, and …
Researchers analyze the cyber dimension of the Israel-Hamas conflict, highlighting hacktivist groups Cyber Av3ngers and Moses Staff and their impact on critical infrastructure. The analysis links the October 8 Dorad power station incident to Moses Staff leaks …
Cofense observed a voice-message phishing campaign that used a dated HTML attachment and an included “access key” in the email to trick recipients into interacting with a staged voice message. The lure leads users to download a file hosted on an AWS URL disgui…
Cofense observed a large credential-phishing campaign that abused LinkedIn Smart Links (Sales Navigator team/business links) to deliver Microsoft Office credential harvesters via trusted LinkedIn URLs, allowing emails to bypass secure email gateways. The campa…
Trend Micro observed a campaign that uses compromised Skype and Microsoft Teams accounts to deliver a VBA/VBS loader which retrieves an AutoIt-based DarkGate payload. The chain abuses renamed/obfuscated binaries (curl.exe), AutoIt scripts (.au3), and LNK short…
Void Rabisu continues to evolve its ROMCOM backdoor family, delivering a slimmed-down variant (PEAPOD) via a fake Women Political Leaders (WPL) Summit website that lures victims to a OneDrive-hosted SFX downloader signed by Elbor LLC. The installer performs in…
Threat actors behind the “ClearFake” campaign have shifted from Cloudflare Workers to hosting malicious JavaScript payloads inside Binance Smart Chain (BSC) smart contracts, allowing read-only eth_call requests from compromised WordPress sites to retrieve and …
The XorDDoS Trojan campaigns compromised Linux devices to form a globally distributed botnet used for DDoS attacks, orchestrated through a resilient C2 network that migrated from dedicated resources to legitimate public hosting. The analysis covers attacking b…
Kimsuky, a North Korea–sponsored threat group, leverages spearphishing and a suite of backdoors, infostealers, and remote-control tools to gain access and exfiltrate data from targets. The operation prominently relies on RDP and related tools (including RDP wr…
CVE-2023-43261 likely saw in-the-wild exploitation of Milesight industrial cellular routers, but not at scale, and the CVE description itself is incomplete and sometimes inaccurate. A real-world write-up shows the flaw allowed remote access to the router’s web…
BloodAlchemy is a backdoor shellcode loaded into a signed benign process and linked to the REF5961 intrusion set. Elastic Security notes its active development, multiple loading and persistence modes, and a flexible C2/communication design. Hashtags: #BloodAlc…
ESET researchers analyze LATAM threats under Operation King TUT, noting a shift to high‑value targets and evolving evasion methods. The study covers campaigns from 2019–2023, highlighting spearphishing, PowerShell/VBScript loaders, and RATs like njRAT and Asyn…