Cyfirma analyzes a persistent Remcos RAT campaign driven by a broad infrastructure of malicious IPs and multi-stage payloads, delivering and controlling Remcos across compromised hosts. The report details how the attackers use PowerShell-enabled scripts, regis…
Category: Threat Research
Lazarus Group, a North Korean state-sponsored actor, targeted internet backbone infrastructure and healthcare entities in Europe and the United States, repeatedly reusing the same infrastructure across campaigns. They exploited a ManageEngine ServiceDesk vulne…
Lazarus Group’s latest campaign leverages CVE-2022-47966 in ManageEngine ServiceDesk to deploy multiple threats, introducing CollectionRAT alongside QuiteRAT and tying new activity to known Lazarus families. The operation shows continued infrastructure reuse, …
EclecticIQ analysts describe RedLine Stealer variants in 2023 as redeveloped, low-barrier-to-entry campaigns that rely on loaders and botnets to deliver the malware. The latest iterations emphasize WMI-based information gathering, XOR/RC4 obfuscation, targeted…
Lumen Black Lotus Labs observed a renewed HiatusRAT campaign (mid-June–August 2023) in which the actor recompiled binaries for multiple CPU architectures and hosted payloads on shifting VPS infrastructure. Telemetry linked the campaign to heavy targeting of Ta…
Threat actors abuse Adobe Creative Cloud, Edge, and other executables vulnerable to DLL hijacking in campaign targeting the Southeast Asian gambling sector.
Raccoon Stealer has resurfaced on hacker forums with version 2.3.0 (2.3.0.1 since Aug 15, 2023), promoting new features and improvements. The update emphasizes faster search for cookies and credentials, automated bot blocking in the admin panel, and expanded d…
This article provides a detailed look at a new XWorm variant, covering its persistence, anti-analysis techniques, and data-exfiltration methods, including how it retrieves and decrypts configuration. It also demonstrates how ANY.RUN is used to uncover the malw…
This article examines how ransomware families targeting Linux and VMware ESXi have evolved, often reusing Conti, Babuk, and LockBit code to achieve cross-platform parity and rapid deployment. It highlights several Linux/ESXi payloads (MONTI Locker, Akira, Trig…
Threat actors continue to refine malvertising campaigns with cloaking and fingerprinting to stay under defenders’ radars while delivering infostealers and other malware used by initial access brokers in ransomware operations. The article documents a recent mal…
Spacecolon is a Delphi-based toolset used by CosmicBeetle to deploy Scarab ransomware and provide backdoor access to compromised servers. The operators are active globally, rely on vulnerable web servers or RDP brute-forcing for initial access, and are develop…
XLoader has returned on macOS as a native C/Objective-C variant masquerading as OfficeNote and signed with an Apple developer signature to bypass trust. It drops a payload, establishes persistence via a Launch Agent, exfiltrates browser and clipboard data, and…
ASEC documents repeated APT-style attacks on vulnerable Korean web servers (IIS, Tomcat, JBoss, Nginx) with web shells, privilege escalation, and credential theft, suggesting possible ransomware objectives beyond ad fraud…
CYFIRMA researchers uncover EVLF DEV, a MaaS operator behind CypherRAT and CraxsRAT, whose Android RATs have been licensed to over 100 buyers under a lifetime license. The report shows how these tools enable real-time remote control of victims’ devices, includ…
Symantec researchers describe Carderbee, a newly named APT group that used the Cobra DocGuard software in a supply chain attack to deploy the Korplug backdoor (PlugX) onto victim machines, primarily in Hong Kong. The operation relies on legitimate software and…