A Trend Micro analysis uncovers a new signed rootkit loader cluster that acts as a universal kernel-driver loader, enabling second-stage unsigned modules to be loaded on the target system. The activity is linked to a China-based actor (associated with FiveSys)…
Category: Threat Research
WhiteSnake Stealer is a .NET stealer that builds configurable payloads (EXE, VBS, CMD, MSI, PY, DOCM, HTA, etc.), decodes embedded Base64 blobs (often via certutil), runs from %TEMP%, collects browser/crypto wallet/app data, encrypts exfiltrated logs with RC4 …
Rekoobe is a Linux backdoor used by the APT31 group; it communicates with a C2 server to download, upload, and execute commands, including a reverse shell, with multiple variants observed in Korea. It uses encryption to protect C2 traffic (AES-128 via an HMAC…
A batch-file malware campaign disguises itself as document viewers (Word/HWP) and uses email distribution to download scripts tailored to the target’s anti-malware software. The operation is attributed to the Kimsuky group, leveraging Google Drive/Docs, regist…
AhnLab’s ASEC reports NetSupport RAT distributed via spear phishing emails and phishing pages disguised as invoices, shipment documents, and purchase orders. The campaign uses a malicious JavaScript in a ZIP attachment that, once executed, downloads and runs a…
Microsoft IR documents a five-day intrusion where BlackByte 2.0 ransomware operators moved from initial access to impact using a mix of exploits, living-off-the-land techniques, and custom tooling. Key actions included ProxyShell exploitation of Exchange, web …
Malvertising is used to carry out phishing by impersonating brands in search ads, targeting USPS package trackers. The campaign collects addresses, credit card details, and banking credentials through a dynamic phishing site. #USPS #JPMorganChase #Google #Clou…
Lab52 detects a maldoc-based campaign targeting Chinese-speaking users, delivered via Chinese phishing and designed around a resume decoy. While the infection chain shares some traits with APT29, it features significant differences (Chinese-language decoy, pro…
ARCrypter ransomware, also known as ARCrypt, has evolved since 2022 to target Windows and Linux and now uses a Go-based Linux variant. Threat actors rely on victim-specific Tor mirror sites and TOX messaging, while favoring Monero for payments to preserve anon…
Trend Micro investigated a malvertising campaign that lured users to a cloned WinSCP download page which delivered an ISO that deployed a trojanized Python environment and Cobalt Strike beacons, enabling AD discovery, credential theft, persistence, and lateral…
CRIL (Cyble Research and Intelligence Labs) reports the emergence of Underground Team Ransomware, a new strain that tailors ransom notes to victims and offers additional services such as vulnerability insights and data recovery guidance. The article details it…
TA453 (Charming Kitten) expands its espionage toolkit with new file types and cross‑platform Mac malware, deploying LNK infection chains and a PowerShell backdoor named GorjolEcho. Proofpoint and partners disrupted the operation, but TA453 continues targeting …
ReversingLabs’ researchers uncovered more than a dozen malicious npm packages used to power a dual-use campaign that blends phishing against Microsoft 365 users with software supply chain manipulation. Dubbed Operation Brainleeches, the campaign features two d…
Cloud‑native attackers are building a worm‑like campaign targeting exposed JupyterLab and Docker APIs, deploying Tsunami malware, cryptomining, and a backdoor while concealing infrastructure with proxies and DNS‑over‑HTTPS. Researchers attribute the activity t…
ReliaQuest’s Threat Hunting Team traced a May 2023 incident to Gootloader, a JavaScript-based initial-access malware that can seed second-stage remote access tools and enable ransomware deployments. The assessment details Gootloader’s infection chain, the Syst…