Check Point Research tracks a Chinese threat actor targeting European government ministries and embassies, using HTML Smuggling to deploy a PlugX variant across Eastern Europe. The SmugX operation overlaps with RedDelta and Mustang Panda, employs two infection…
Category: Threat Research
Neo_Net runs a global eCrime campaign targeting thousands of bank clients, focusing on Spanish and Chilean banks, from June 2021 to April 2023. The operation includes Ankarex Smishing-as-a-Service, phishing panels, and Android trojans to exfiltrate data via Te…
Volexity analyzed a new POWERSTAR backdoor variant used by Charming Kitten that loads most of its functionality in memory and retrieves decryption and configuration components from remote cloud and IPFS-hosted files. The malware uses staged PowerShell loaders,…
Researchers describe the DDoSia project, a DDoS toolkit used by the NoName057(16) hacktivist group against countries critical of Russia, detailing how targets are chosen, decrypted, and attacked. The analysis covers Telegram-based distribution, an AES-GCM encr…
Clipper malware variants Atlas Clipper, Keyzetsu Clipper, and KWN Clipper target cryptocurrency users by hijacking clipboard wallet addresses to divert transactions to attacker wallets. The variants use Telegram-based C2, mutex-based persistence, and several a…
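The clipboard-swap behaviour summarised above is easy to spot from the endpoint side once you have a stream of clipboard snapshots. The following is an added example written for this page, not code from any of the vendor reports or from the clipper samples themselves. It assumes a monitoring agent that records each clipboard change together with whether a user-initiated copy was observed at that moment (the `user_copied` flag is an assumption about what such an agent could provide); the snapshots and addresses below are constructed sample data.

```python
import re
from dataclasses import dataclass

# Address formats the constructed sample uses (assumption: only legacy/P2SH
# Bitcoin, bech32 Bitcoin and 0x-prefixed EVM addresses are covered here).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{39,59}$"),
    "evm": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return the address family a clipboard string belongs to, or None."""
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


@dataclass
class Snapshot:
    t: float          # seconds since monitoring started
    text: str         # clipboard contents at that moment
    user_copied: bool # True if a user copy action was observed at time t (assumed agent field)


def detect_swaps(snapshots, max_gap=5.0):
    """Flag a clipper-style swap: an address is replaced by a different
    address of the same family, with no user copy action, within max_gap
    seconds. Returns a list of (original, replacement, family) tuples."""
    alerts = []
    prev = None
    for snap in snapshots:
        if prev is not None and not snap.user_copied:
            fam_prev, fam_now = classify(prev.text), classify(snap.text)
            same_family = fam_prev is not None and fam_now == fam_prev
            changed = snap.text.strip() != prev.text.strip()
            if same_family and changed and (snap.t - prev.t) <= max_gap:
                alerts.append((prev.text.strip(), snap.text.strip(), fam_now))
        prev = snap
    return alerts


def sample_snapshots():
    """Constructed clipboard history: two silent swaps, plus benign changes."""
    return [
        Snapshot(0.0, "meeting notes", True),
        # user copies a BTC address, then it changes with no copy action
        Snapshot(1.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", True),
        Snapshot(1.4, "1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX", False),
        # user copies an EVM address, then it is silently replaced
        Snapshot(10.0, "0x" + "ab" * 20, True),
        Snapshot(10.2, "0x" + "cd" * 20, False),
        # benign: user copies one address, then deliberately copies another
        Snapshot(20.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq", True),
        Snapshot(25.0, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4", True),
        # benign: non-address text changing without a copy event
        Snapshot(30.0, "draft one", True),
        Snapshot(30.1, "draft two", False),
    ]


if __name__ == "__main__":
    for original, replacement, family in detect_swaps(sample_snapshots()):
        print(f"[{family}] clipboard swap: {original} -> {replacement}")
```

The heuristic keys on two signals together: the new string is an address of the same family as the one just copied, and no copy action explains the change. Either signal alone is noisy (users copy several addresses in a row; clipboard managers rewrite text), but the combination within a short window is characteristic of a clipper rather than of normal use.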
White Snake Stealer is an evolving information-stealer threat first highlighted in 2023, targeting browsers, crypto wallets, email clients, VPNs, and other applications to steal credentials and sensitive data. The article reviews the updated White Snake Steale…
Elastic Security Labs has detected a new variant of the RustBucket malware targeting macOS, with added persistence and signature-reduction tactics in active development. The REF9135 operations attributed to the Lazarus Group (DPRK) show shifting infrastructure…
QR codes are being exploited in rapid-fire phishing campaigns to harvest employee credentials, often via image-based emails that impersonate trusted brands. INKY reports hundreds of such QR code phishing emails across multiple industries, using tactics like Mi…
Sophos X-Ops MDR investigated two Microsoft 365 incidents where attackers used Microsoft Graph to compromise email accounts, manipulate permissions, and monitor activity. The linked activity across cases suggests a single actor or closely related group targeti…
Avast researchers developed and released a decryptor for the Akira ransomware and outline how Akira encrypts files, generates keys, and drops ransom notes. The article also notes similarities to Conti and explains how to use the Avast decryptor on Windows (and…
Trigona is a rapidly evolving ransomware family that began activity in 2022 and has multiple Windows and Linux variants that encrypt files using AES and append the ._locked extension. Operators gain access via ManageEngine CVE-2021-40539, MSSQL brute-force and…
ASEC reports that the Crysis threat actor is deploying Venus ransomware in attacks, using RDP to access externally exposed systems and then dropping multiple malware strains. The operation leverages NirSoft tools and Mimikatz for credential access, conducts ne…
Wordfence warns of a critical, unpatched privilege-escalation vulnerability in the Ultimate Member WordPress plugin (versions up to 2.6.6) that is actively being exploited on sites running the plugin. The advisory provides a firewall rule, remediation guidance…
Meduza Stealer is a Windows-targeted data thief designed to exfiltrate browser data, wallet extensions, and other sensitive artifacts while using country exclusions and a server check to stay stealthy. Uptycs analyzes its marketing, distribution, workflow, and…
Deep Instinct researchers uncovered PhonyC2, a custom, continuously evolving C2 framework used by MuddyWater since 2021, including in an attack on the Technion and ongoing PaperCut exploitation. The analysis details the framework’s code, infection flow, persis…