Proofpoint details ZenRAT, a modular Windows RAT distributed through fake Bitwarden installation packages on bitwariden.com, featuring masquerading, anti-VM checks, and data exfiltration. It gathers host information and browser data, then sends it to a C2 via …
Category: Threat Research
Smishing Triad has expanded its UAE-focused operations, using domain registrations via Gname.com to host fake Emirates Post lures and geo-targeted delivery of smishing pages. The group hijacks iCloud accounts to send iMessages, leverages Dark Web data for geo-…
Trend Micro researchers identified a new Linux backdoor, SprySOCKS, used by the China-linked group Earth Lusca; it is derived from the Trochilus RAT and implements a SOCKS proxy plus an AES-ECB encrypted C2 protocol. The actor delivers SprySOCKS via a mandibul…
Lookout researchers analyzed BadBazaar, a mobile surveillanceware family attributed to APT15, describing an Android variant with broad data‑collection features and an iOS variant (masqueraded as TibetOne) with more limited but still privacy‑invasive capabiliti…
A multi-wave intrusion set targeted a Southeast Asian government, attributed with moderate confidence to Alloy Taurus (GALLIUM) operating on behalf of Chinese state interests. The operations exploited Exchange Server vulnerabilities to deploy web shel…
A Southeast Asian government target was observed in a CL-STA-0046 activity cluster potentially linked to the Gelsemium APT group, showcasing a rare blend of backdoors and proxy tools used over six months in 2022–2023. The cluster prominently used OwlProxy and …
CRIL researchers document Drinik malware’s return with a broader target set in India, including UPI apps, plus new features to sustain persistence and complicate removal. The updated variant uses smishing to deliver a malicious itrMobile APK, exploits Android …
Check Point Research details an active BBTok banker campaign in Latin America that uses server-side components and LOLBins to deliver unique payloads per victim, evading detection across Brazil and Mexico. The report covers how infection chains are generated o…
McAfee Labs describes CVE-2023-38831, a critical RCE in WinRAR before version 6.23 exploited by weaponized ZIP archives that execute a malicious script during extraction. The article traces the infection chain from a crafted archive targeting traders to a C2 c…
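The summary above does not spell out what makes such an archive "weaponized". The following added example is not from the McAfee article; it encodes the publicly documented CVE-2023-38831 lure layout (a decoy document next to a directory whose name is the decoy's name plus a trailing space, containing a script with the same name prefix and an executable extension) as a static triage check over a ZIP's central directory. The sample archives, file names and the `EXEC_EXTS` list are constructed for the example.

```python
"""Static triage for CVE-2023-38831-style ZIP lures (added example, not McAfee's code)."""
import io
import os
import sys
import zipfile

# Extensions WinRAR/ShellExecute would happily run from the extracted temp dir (assumed list).
EXEC_EXTS = {".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".ps1", ".scr"}


def _implied_dirs(names):
    """Directories present in the archive, whether or not they have an explicit entry."""
    dirs = set()
    for n in names:
        parts = n.split("/")
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]))
    return dirs


def find_suspicious_pairs(zip_bytes):
    """Return (decoy, directory, script) triples matching the lure layout.

    Layout flagged: top-level file X, directory whose name equals X after
    stripping trailing spaces, and inside it a file 'X<spaces>.<exec ext>'.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files = [n for n in names if not n.endswith("/")]
    dirs = _implied_dirs(names)
    top_level = [f for f in files if "/" not in f]
    hits = []
    for decoy in top_level:
        for d in dirs:
            if "/" in d or d.rstrip(" ") != decoy.rstrip(" "):
                continue
            for f in files:
                if not f.startswith(d + "/"):
                    continue
                inner = f[len(d) + 1:]
                if "/" in inner:
                    continue  # only direct children matter for the double-click trick
                stem, ext = os.path.splitext(inner)
                if ext.lower() in EXEC_EXTS and stem.rstrip(" ") == decoy.rstrip(" "):
                    hits.append((decoy, d, f))
    return hits


def build_sample_lure():
    """Constructed in-memory archive with the lure layout; the script body is a harmless echo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 decoy document")
        zf.writestr("report.pdf /report.pdf .cmd", b"@echo off\r\necho constructed placeholder\r\n")
    return buf.getvalue()


def build_benign_archive():
    """Constructed in-memory archive with an ordinary layout, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4")
        zf.writestr("images/logo.png", b"\x89PNG")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_zip.py archive1.zip archive2.zip ...  (no args: run on the constructed samples)
    targets = sys.argv[1:]
    if not targets:
        for label, data in (("sample_lure", build_sample_lure()), ("benign", build_benign_archive())):
            print(label, find_suspicious_pairs(data))
    for path in targets:
        with open(path, "rb") as fh:
            print(path, find_suspicious_pairs(fh.read()))
```

The check reads only entry names, so it is safe to run on untrusted archives without extracting them; it deliberately ignores nested paths, because the bug is triggered by the decoy's direct-child script, not by arbitrary executables elsewhere in the archive.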
SentinelLabs observed a new threat activity cluster, attributed to a previously unknown actor it tracks as Sandman, targeting telecommunications providers across the Middle East, Western Europe, and the South Asian subcontinent, using a LuaJIT-based modular backdoor named LuaDream. The Lua…
Check Point researchers expose a dual-use ecosystem where GuLoader and Remcos are marketed as legitimate tools, with GuLoader acting as a crypter to help Remcos evade antivirus and deliver payloads. The investigation ties BreakingSecurity and VgoStore to ThePro…
A multi-RMM intrusion in 2022 leveraged ScreenConnect to stage Hive ransomware, illustrating how adversaries abuse legitimate remote monitoring and management tools for initial access, C2, and lateral movement. The operation progressed through Cobalt Strike and Metasploit payl…
Fortinet FortiGuard Labs’ bi-weekly Ransomware Roundup analyzes two Windows-focused variants, Retch and S.H.O, detailing their file-encrypting behavior, ransom notes, and attacker notes. The post also outlines Fortinet protections, recommended defenses, and as…
Unit 42 analyzes CL-STA-0044, a Stately Taurus–linked cyberespionage operation targeting a Southeast Asian government from 2021 through 2023, focusing on establishing long-term footholds and exfiltrating sensitive documents. The campaign leveraged ToneShell, S…
This article surveys Turla, a long-running Russian APT, detailing its evolving toolkit and the MITRE techniques linked to campaigns from 2014 to 2023. It highlights multi-stage attacks, Linux and Windows backdoors, watering holes, phishing, and C2 methods, inc…