This monthly GTSC security overview highlights Chimera Group’s multi-target intrusions using compromised credentials, cloud services, and Cobalt Strike beacons, and covers a separate JsOutProx JavaScript RAT campaign targeting Asian government entities, plus a…
Category: Threat Research
A new Hive0117 phishing campaign impersonates Russian conscription notices to deliver the DarkWatchman malware, targeting Russian-speaking individuals across energy, finance, transport, and software security sectors. IBM X-Force researchers note DarkWatchman o…
Hackers are abusing Google Looker Studio to host fake crypto-credential pages, part of a growing BEC 3.0 campaign. The attackers rely on legitimate Looker Studio infrastructure and social engineering to steal money and credentials from end users. #LookerStudio…
Talos reports a campaign that abuses Advanced Installer to drop GPU-coin-mining malware inside trojanized installers for graphic-design tools. The operation deploys M3_Mini_Rat as a backdoor and miners PhoenixMiner and lolMiner, targeting French-language softw…
Warp Loader, Warp Dropper, and Stealerium form a modern multi-stage stealer malware chain that delivers via email, downloads a dropper, and exfiltrates sensitive data to a Telegram-based C2. The article details anti-analysis techniques, UAC bypass, and a set o…
FortiGuard Labs found active exploitation attempts against Adobe ColdFusion deserialization flaws, where attackers inject payloads into the /CFIDE/adminapi/accessmanager.cfc endpoint to probe, spawn reverse shells, and deploy multiple malware families. Observe…
A new malvertising campaign targets Mac users with an OSX version of Atomic Stealer (AMOS), delivered through deceptive ads and a phishing page. The payload is an ad-hoc signed DMG that bypasses Gatekeeper and exfiltrates stolen data to a criminal back end. #A…
Scarleteel 2.0 is analyzed through the MITRE ATT&CK framework to map how adversaries move from an exposed Kubernetes/JupyterLab deployment to credential theft, execution, privilege escalation, lateral movement in AWS, and data exfiltration. The investigation a…
Trustwave SpiderLabs details a surge in phishing campaigns that abuse Cloudflare R2 public buckets (r2.dev) to host malicious links. The campaigns combine impersonation of legitimate brands, fake login pages, and base64-obfuscated redirects, with thousands of …
CYFIRMA documents a new malware-as-a-service, Prysmax, offering a fully undetectable information stealer, RAT, and botnet services. The Python-based Prysmax stealer exfiltrates crypto wallets, passwords, and cookies, uses PowerShell for stealthy actio…
ReversingLabs discovered three additional malicious PyPI packages — tablediter, request-plus, and requestspro — that extend the VMConnect supply-chain campaign and use obfuscated payloads and C2 communications to fetch further stages. Analysis shows evasion te…
ASEC confirms a backdoor that was previously distributed as CHM is now spread via LNK files, using mshta to fetch and execute remote scripts and to receive commands from a threat actor’s server. The LNK payload is delivered with other malware in compressed fil…
Medusa Ransomware (MedusaLocker) operates as a Ransomware-as-a-Service with global affiliates, encrypting data and demanding payment. It commonly gains initial access via vulnerable RDP and phishing, erases shadow copies, escalates privileges, and uses Medusa …
Unit 42 provides the answers and deeper analysis for its July 2023 Wireshark quiz on a RedLine Stealer infection, detailing victim details, web traffic, and data exfiltration in a Windows AD environment. The post also lists indicators of compromise and maps ob…
Infamous Chisel is a modular Android toolkit attributed to the Sandworm actor that persists by replacing /system/bin/netd, collects system and application files (including military-specific apps), and exfiltrates them on a regular schedule. It deploys Tor and …