Phishing-as-a-service kit 16shop enabled operators to deploy mass phishing sites targeting major brands and collect victims’ data for years, with administration and servers ultimately taken down in a Trend Micro–Interpol cooperation. The operation involved clo…
Category: Threat Research
Brute Ratel C4 is a Red Team & Adversary Simulation software that can be considered an alternative to Cobalt Strike. This analysis focuses on a Brute Ratel badger/agent that uses API hashing, a configurable C2 with a user-agent, password, and encryption key, a…
Rhadamanthys is a rising infostealer whose core architecture mirrors Hidden Bee, evolving through a family of custom executable formats (NS, RS, HS, XS) and multi-stage in-memory loading. The report analyzes format design, shared techniques, converters to reco…
Resecurity uncovered a large-scale smishing campaign called Smishing Triad that impersonates postal services to harvest PII and payment data from US and international victims, delivered primarily via iMessage from compromised iCloud accounts. The operation fun…
Threat actors increasingly weaponize PDFs in email-borne attacks to gain initial access, with Qakbot and IcedID delivering payloads via malicious links and multi-stage chains. The article also covers social engineering, exploit techniques against PDF readers, …
ASEC analyzes Andariel’s recent activity in Korea, linking Go-based backdoors such as Innorix Agent abuse, Goat RAT, TigerRat, NukeSped, AndarLoader, and DurianBeacon to past campaigns and possible Lazarus affiliation. The post highlights Go-language malware t…
Rapid7 observed increased threat activity targeting Cisco ASA SSL VPN appliances since March 2023, including credential stuffing and brute-force attempts, with MFA not always enabled for all users. Several intrusions culminated in ransomware deployments by the…
Trend Micro researchers detail Earth Estries, a sophisticated cyberespionage operation focusing on governments and technology-sector targets, with overlaps to FamousSparrow. The group uses multiple backdoors (Zingdoor, TrillClient, HemiGate), DLL sideloading, …
Openfire CVE-2023-32315 is being exploited to deploy Kinsing malware and a cryptominer via a path traversal attack that grants unauthenticated access to the setup environment. Aqua Nautilus observed a campaign with a high attack volume (over 1,000 attacks in u…
Good Day ransomware (ARCrypter) campaigns expanded in 2023 with TOR-based victim portals and ties to the Cloak extortion site. The findings connect Good Day ransom notes, victim portals, and Cloak data leaks through public chats on the portals. #GoodDay #ARCry…
Gazavat, also known (at least in part) as Expiro, is a multi-functional backdoor with code overlaps to DMSniff, including web injection, form grabbing, and plugin loading. The analysis highlights a hard-to-detect DGA for C2 and a browser-extension delivery chai…
Artificial intelligence (AI) and large language models (LLMs) can help threat intelligence teams to detect and understand novel threats at scale, reduce burnout-inducing toil, and grow their existing talent by democratizing access to subject matter expertise. However, broad access to foundational Open Source Intelligence (OSINT) data and AI/ML technologies has quickly…
Threat actors used paid Facebook ads themed around LLMs to lure users to password-protected archives that contained an MSI installer which deploys a malicious Chrome extension impersonating Google Translate to harvest Facebook session cookies, access tokens, a…
The Qakbot botnet (Qbot) was disrupted in a multinational operation in August 2023, with Secureworks CTU monitoring the activity and law enforcement seizing over $8.6 million and identifying more than 700,000 infected computers. Qakbot served as a delivery veh…
QR codes are being exploited in phishing to hide malicious URLs and bypass filters, with threat actors using QR codes in emails and PDFs to lure victims into credential harvest pages. The campaigns increasingly impersonate MFA/SSO flows and rely on chained red…