FortiGuard Labs’ Ransomware Roundup analyzes Black Basta, detailing its multi-platform operations (Windows and ESXi), RaaS model, and double-extortion tactics. The report covers infection vectors, encryption specifics, Tor-based negotiation sites, victimology,…
Category: Threat Research
UPS Canada warns that its shipment-tracking data has been used to craft highly targeted SMS phishing messages that impersonate UPS and other brands, sometimes including recipients’ names and order details. The attackers t…
ITG23 crypters continue to be deployed by post-Conti factions, providing a window into current campaigns and collaborations. The research tracks how crypters like Forest, Snow, Dave, Tron, and others remain active across multiple malware families and ransomwar…
Modern cyber-crime rings are becoming increasingly attracted to the use of legitimate components to achieve their goals. Execution of malicious components via DLL hijacking and persisting on affected systems by abusing legitimate scheduled tasks and services are just a few examples of their agility and focus. State-affiliated actors such as the notorious APT29 group have successfully used this approach in the past by switching a binary responsible for updating Adobe Reader with a malicious com
Microsoft researchers uncovered a campaign targeting internet-facing Linux-based systems and IoT devices that uses a patched OpenSSH to take control of devices and deploy cryptomining malware, backdoors, and rootkits. The operation leverages a hijacked OpenSSH…
Mallox ransomware has a new variant that uses the .malox extension and is delivered via BatLoader, enabling on-the-fly payload delivery through a batch script injected into MSBuild.exe. The campaign demonstrates heavily obfuscated payloads, PowerShell-based ex…
Check Point researchers traced Camaro Dragon, a Chinese-based espionage actor, deploying self-propagating USB malware (WispRider/HopperTick) that could spread globally from Southeast Asia, with DLL-side loading and antivirus evasion. The operation combines USB…
Kopeechka.store offers to rent established email addresses to expedite large-scale account signups for criminal campaigns, dramatically cutting costs for spammers. Researchers link the service to Mastodon spam campaigns by quotpw, crypto scam networks like Imp…
Unit 42 outlines a Mirai variant campaign targeting IoT devices since March 2023, exploiting a wide set of IoT vulnerabilities to recruit devices into a botnet used for DDoS and other attacks. The campaigns share infrastructure and malware characteristics, wit…
RedEyes (APT37/ScarCruft/Reaper) targeted individuals such as defectors and activists, using a CHM-based initial access chain and a GoLang backdoor that leverages the Ably real-time messaging platform for command-and-control, along with a wiretapping-infosteal…
FortiGuard Labs analyzed Condi, a DDoS-as-a-service botnet that spreads by exploiting CVE-2023-1389 on TP-Link Archer AX21 routers and has been expanding since May 2023. The post details Condi’s propagation, C2 protocol, attack methods, and the threat actor’s …
The Flea (APT15) group deployed a new backdoor called Graphican to target foreign ministries in the Americas during late 2022 to early 2023, expanding its toolkit for intelligence-gathering campaigns. Graphican uses Microsoft Graph API and OneDrive for its C2 …
Mallox ransomware is distributed to poorly managed MS-SQL servers using BAT files, a fileless tactic that leverages PowerShell and CMD to download and execute payloads like Mallox and Remcos RAT. It injects via process hollowing into MSBuild.exe, terminates pr…
MULTI#STORM is a phishing-driven campaign that deploys a Python-based loader to drop multiple RAT payloads over OneDrive links, culminating in Warzone RAT and Quasar RAT infections. The operation uses obfuscated JavaScript, PowerShell payloads, and UAC-bypass …
ASEC tracked the Kimsuky group’s use of CHM files for malware distribution in May, applying a variety of subject topics to deceive targets. The CHM payload executes malicious scripts via a shortcut object, downloads additional components, and exfiltrates user …