Introduction In this blog post, we will provide an update on our continued analysis and tracking of infrastructure associated with…
Category: Threat Research
CISA analyzed seven samples of a novel Barracuda Email Security Gateway backdoor named SUBMARINE that persists in the appliance SQL database and preloads a shared object into the BSMTP daemon to execute commands with root privileges. The intrusion uses a malic…
CISA analyzed two SEASPY ELF samples that target vulnerable Barracuda Email Security Gateway appliances (CVE-2023-2868) and persist as a fake “BarracudaMailService”. The backdoor uses libpcap to sniff SMTP traffic for a magic string and, on match, opens a TCP …
CISA analyzed 14 samples of Barracuda exploit payloads that leverage CVE-2023-2868 to perform command injection and install Base64-encoded reverse shells on affected Barracuda Email Security Gateway appliances. The reverse shells create OpenSSL-based encrypted…
Trend Micro discovered two related Android malware families—CherryBlos and FakeTrade—used in cryptocurrency-mining and financial scam campaigns that distribute malicious APKs via fake social posts and phishing websites. CherryBlos abuses Android Accessibility …
RedLine Stealer is an information-stealing malware that harvests credentials and other sensitive data from browsers and apps, and it can deliver other malicious programs like ransomware, RATs, trojans, and miners. It leverages social engineering to spread via …
Trustwave SpiderLabs details a new version of the Rilide Stealer for Chromium-based browsers that adapts to Chrome Manifest V3, featuring modular code and data exfiltration to Telegram as well as interval-based screenshots. The report covers multiple campaigns…
Reptile is an open-source Linux kernel rootkit that conceals files, processes, and network traffic, and adds a reverse shell with a port-knocking trigger for C&C communication. It has been observed in Korea-targeted attacks and shows similarities to Syslogk an…
AhnLab ASEC highlights a campaign where malware installers masquerade as legitimate Korean VPN and software download files, distributing Sliver C2 and MeshAgent through a dedicated program developer’s ecosystem. The operators use Go-based malware, anti-sandbox…
A new and more dangerous variant of SkidMap was observed targeting unsecured Redis NO AUTH instances, featuring dual Linux infection paths (Debian/Ubuntu and RedHat/CentOS) and a sophisticated multi-stage payload chain including dropper delivery, backdoor inst…
The article references a CISA advisory about threat actors exploiting Ivanti EPMM vulnerabilities. It notes the presence of IOCs (file hashes) associated with the activity and suggests mitigation guidance from CISA. Hasht…
Halcyon researchers expose Command-and-Control Providers (C2Ps) as a key pillar of the ransomware economy, offering services to attackers while presenting themselves as legitimate businesses. The report links Cloudzy as a common service provider used by actors…
Cado Security Labs describe P2Pinfect, a Rust-based botnet targeting publicly-accessible Redis deployments with cross‑platform Linux and Windows payloads. The malware propagates via Redis replication and module loading, then uses a peer‑to‑peer C2 network, def…
Avast Threat Labs examines how the newly popular .zip top-level domain is being abused to mislead users into thinking they are downloading files, with many examples mimicking major brands like Microsoft, Google, and Amazon. The piece also details how attackers…
Cyber threat actors use multistage attacks and LOLBins to evade detection while delivering XWorm via WebDAV-enabled infrastructure, with BATLoader and VBScript stages helping drop and execute payloads. The campaign centers on XWorm’s versatility…