Fortinet’s FortiGuard Labs analyzes the Rancoz ransomware in its Ransomware Roundup, detailing its Windows-focused encryption, ransom notes, wallpaper change, and potential links to related variants like Buddy ransomware. The report also notes limited victim s…
Category: Threat Research
Vade’s Threat Intelligence and Response Center (TIRC) detected a new Microsoft 365 phishing campaign delivered via a malicious HTML attachment that loads a fake authentication form hosted on glitch.me. The operation uses base64-encoded payloads, JavaScript in …
A deceptive PoC has been found that hides a backdoor inside what should be a safe learning tool for security researchers. Discovered by Uptycs, the PoC downloads and executes a hidden Linux bash script, persists via kworker and bashrc, and can exfiltrate data …
Independent cybersecurity researchers uncovered a cluster of malicious Chrome extensions in the Chrome Web Store, with a total of about 87 million downloads. The extensions could load remote code, modify search results, and potentially exfiltrate data from use…
Two weeks after reporting PDF Toolbox, researchers uncovered a broader campaign: 34 malicious Chrome Web Store extensions with a combined 87 million users, using obfuscated code and remote configuration to inject JavaScript into visited sites. The malware vari…
The article outlines a new APT29 campaign called “Information,” detailing an SVG dropper, DLL side-loading, and C2 behaviour used in a multi-stage infection. It describes an email phishing chain impersonating the Norwegian embassy, HTML smuggling via an SVG, a…
Lumen Black Lotus Labs uncovered a multi-year campaign that infected SOHO routers with an ARM-targeted Linux RAT named AVrecon to build a covert residential proxy network used for activities like ad fraud and password spraying. The botnet employed a multi-stag…
DomainNetworks runs a snail-mail scam that dresses up as a bill for domain-related services to scare people into paying for non-existent offerings. The investigation traces a web of front entities, domain registrations, and aliases (including Sammy Sam Alon and UBSagency) used to obfuscate the operation. #DomainNetworks #USDomainAuthority #TheDomainsVault #UBSagency #SammySam_Alon #ShmuelOritAlon #EliranBenz #Houzz #WebListingsInc
Trustwave’s honeypot network across six countries reveals how Mirai, Mozi, and Kinsing botnets targeted enterprise applications to upload web shells and recruit devices into botnets for DDoS or cryptomining. The report details leveraging PoCs and CVEs (GoAnywh…
In the first half of 2023, Mandiant Managed Defense has observed a threefold increase in the number of attacks using infected USB drives to steal secrets. Mandiant tracked all of the cases and found that the majority of the incidents could be attributed to several active USB-based operation campaigns affecting both…
Rapid7 tracks a staged Blackmoon/KRBanker campaign that started in late 2022, focusing on evasion and persistence rather than credential theft to drop multiple unwanted programs and linger in victims’ environments in the USA and Canada. The operation u…
Wordfence Threat Intelligence tracked a targeted exploit campaign against WooCommerce Payments CVE-2023-28121, which allowed unauthenticated attackers to obtain administrative privileges on vulnerable sites. The attackers used a multi-stage workflow including …
Trend Micro analyzes the Big Head ransomware family and its multiple variants, detailing their infection chain, embedded resource decryption, dropped binaries, and operational behaviors. The report highlights use of AES and RSA for encryption, Telegram-based c…
SCARLETEEL 2.0 expands into AWS Fargate and Kubernetes, refining its cloud-focused toolkit to steal credentials, escalate privileges, and mine cryptocurrency while evading newer security controls. Sysdig Threat Research Team documents a more resilient C2 archi…
An actor behind a cloud credentials-stealing campaign expands from AWS to Azure and Google Cloud Platform, introducing modular tooling, Docker-targeting propagation, and data exfiltration to AnonDNS. Research notes similarities to TeamTNT and highlights ongoin…