ASEC reports the distribution of malware disguised as coin exchange and investment content, delivered as self-extracting executables and Word documents. The operation is attributed to the Kimsuky group, and it uses macros, scripting, and URL-based commands to …
Category: Threat Research
Cyble Research and Intelligence Labs details a multi-stage AgentTesla infection chain delivered via a malicious CPL file embedded in a tax-themed spam email, which triggers PowerShell scripts and a .NET loader to inject AgentTesla. The campaign uses obfuscated…
ReversingLabs discovered a campaign of malicious PyPI packages (including VMConnect) that embed Base64‑encoded payloads in release artifacts to spawn processes, decode and execute secondary commands from a C2 server. The actors also published benign-looking Gi…
Authored by Lakshya Mathur and Yashvi Shah (McAfee Blog, "The Season of Back to School Scams"): As the Back-to-School season approaches, scammers are taking advantage of the opportunity to…
Guardio Labs discovered an active campaign that abused a flaw in Salesforce’s Email-to-Case and Organization‑Wide Email flows to verify and send phishing messages from @salesforce.com addresses, directing victims to phishing pages hosted on Facebook’s apps pla…
Big Head Ransomware is a nascent ransomware family first seen in May 2023, consisting of multiple variants and an elusive actor behind it. It uses deceptive methods such as fake Windows updates and malvertising, communicates with victims via Gmail and Telegram…
Cisco Talos tracks an ongoing ransomware operation tied to a likely Vietnamese actor, using a customized Yashma variant that mimics WannaCry across multiple regions. The group downloads ransom notes from an actor-controlled GitHub repo via an embedded batch fi…
Insikt Group tracks BlueCharlie, a Russia-nexus threat group that is evolving its operations and has registered 94 new domains since March 2023.
FortiGuard Labs’ bi-weekly Ransomware Roundup covers the DoDo and Proton variants, detailing their infection vectors, encryption behavior, and observed indicators, along with Fortinet protections and recommended defenses. The report highlights DoDo as a Chaos …
Cleafy Labs reports that SpyNote spyware has been repurposed to perform aggressive banking fraud campaigns across Europe by abusing Android Accessibility services, media projection APIs, and built-in remote access workflows. The malware collects keystrokes, SM…
Remcos is a remote access trojan for Windows that has been actively developed and sold since 2016, enabling attackers to build botnets and steal data. The article outlines its distribution via phishing emails with macros, frequent updates from the vendor…
An e-mail-based malspam campaign delivered a small LNK dropper that pretends to be a Purchase Order PDF. The LNK ultimately downloads a PDF lure, a BAT file, and two obfuscated .NET binaries that are loaded reflectively in memory, with low VirusTotal detection…
Three crimeware families—DarkGate, LokiBot, and Emotet—are described with their infection chains and capabilities, including a four-stage DarkGate loader, a LokiBot phishing campaign, and an Emotet resurgence via OneNote attachments. The report highlights memo…
Rhysida Ransomware Group emerged in May 2023 as a RaaS operation, targeting sectors such as education and manufacturing with double-extortion and public data leakage. The attackers use phishing and Cobalt Strike, encrypt data with RSA-4096 and ChaCha20, and ma…
Metabase Q uncovered a LATAM-focused botnet named Fenix that targets taxpayers in Mexico and Chile through fake tax portals to steal credentials. The operation features a multi-stage infection chain, including phishing websites, a JS/JSE downloader, PowerShell…