WoofLocker is an advanced, long-running traffic-redirection toolkit used to power tech-support scams, featuring fingerprinting, obfuscated JavaScript, and steganography to hide payloads in images. The operation has evolved since 2017, with stronger infrastruct…
Category: Threat Research
Mandiant recently published a blog post about the compromise of Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Appliances related to the zero-day vulnerability tracked as CVE-2023-3519. CVE-2023-3519 is a zero-day vulnerability that can enable remote code execution, and has been observed being exploited in the wild by a threat…
A Zalando phishing campaign delivered a JavaScript dropper that downloads a Windows RAT. The dropper uses obfuscation, BitsAdmin/PowerShell-based downloads, hides artifacts, and establishes persistence while contacting a NetSupport Manager RAT C2.
BlackBerry reports Cuba ransomware has rolled out new tools in campaigns targeting U.S. critical infrastructure and a Latin American IT integrator, including the first observed use of CVE-2023-27532 against Veeam. The findings detail evolving TTPs and toolsets…
Mallox ransomware targets unsecured Microsoft SQL Servers to gain initial access and then unleashes a complex infection chain to encrypt files and drop a ransom note. It exfiltrates data to a C2 and uses a Tor onion-based site for attacker communications while…
Threat actors delivered StealC infostealer via a deceptive Google Sheets lure, loading a downloader after users encounter a fake warning and a malicious page. The campaign uses obfuscated JavaScript, anti-VM checks, and a Rust-compiled final payload that exfil…
Fortinet’s FortiGuard Labs’ Ransomware Roundup highlights Trash Panda and a new minor NoCry variant, describing infection details and defenses. Trash Panda encrypts files on Windows, replaces the desktop wallpaper, and drops a politically themed ransom note. #…
DarkRace is a newly observed ransomware variant that mirrors LockBit’s techniques, illustrating how threat actors repurpose leaked source code to craft new threats. It operates by leveraging a mutex, decrypting an XML configuration, killing services/processes,…
Sysdig Threat Research Team uncovered LABRAT, a stealthy, financially driven operation combining cryptomining and proxyjacking with multi-layer defense evasion targeting GitLab. The campaign uses undetected cross-platform binaries, a TryCloudFlare-based C2, a …
In May 2023, Cofense researchers observed a large phishing campaign that used QR codes to harvest Microsoft credentials across multiple industries. The energy sector was a notable target, with Bing redirect URLs and domains such as krxd.com and cf-ipfs.com inv…
Hakuna Matata ransomware has been used against Korean companies, featuring a ClipBanker function that alters Bitcoin wallet addresses in the clipboard. The operation commonly begins with RDP-based access via brute force/dictionary attacks, then encrypts files …
LummaC Stealer is being sold as MaaS on Russian-speaking forums and is used to procure the Amadey bot, which in turn loads and deploys the SectopRAT payload on victims’ systems. The campaign uses a loader chain with a startup persistence mechanism (LNK in the …
The article analyzes two malicious large language model (LLM) offerings, WormGPT and FraudGPT, advertised on underground forums for cybercrime use, including malware development and phishing assistance. It also examines how these tools compare to legitimate AI…
QwixxRAT is a new remote access trojan distributed via Telegram and Discord that silently infiltrates Windows devices to steal data and enable remote control. It combines broad data exfiltration, keylogging, screen and clipboard capture, and extensive anti-ana…
ESET researchers uncovered a mass-spreading phishing campaign targeting users of Zimbra Collaboration, active since at least April 2023 and continuing. The attackers deploy HTML attachment-based lures with a fake Zimbra login page to harvest credentials and ex…