RomCom resurfaces by targeting Ukraine politicians and a U.S.-based healthcare provider aiding Ukrainian refugees, using Trojanized installers hosted on cloned websites. The campaign leverages typosquatted domains and a dedicated C2 network (startleague.net) w…
Category: Threat Research
An evolving credential phishing campaign targets Microsoft Office 365 credentials, leveraging thousands of URLs hosted on domains registered via a “bulletproof” registrar and protected by Cloudflare services. The activity is linked to the defunct Phishing-as-a…
Asylum Ambuscade is a cybercrime group that also conducts cyberespionage campaigns, targeting SMBs, cryptocurrency traders, and government entities in Europe and Central Asia. The report details the group’s SunSeed, AHKBOT, and NODEBOT toolset, their multi-lan…
JPCERT/CC reports router infections in Japan using GobRAT, a Go-based RAT that communicates with a TLS C2 server. The attack chain drops GobRAT via a Loader Script, establishes persistence with cron and startup scripts, and employs encryption to hide C2 traffi…
Check Point Research uncovered a targeted espionage operation in North Africa leveraging a new modular backdoor named Stealth Soldier, active against Libyan entities with links to a broader Eye on the Nile campaign. The malware exfiltrates data, records screen…
Qakbot shifted its initial-access and delivery methods in 2023—moving from macro-enabled Office documents to OneNote attachments, Mark-of-the-Web evasion, and HTML smuggling—while hiding command-and-control infrastructure in compromised web servers and residen…
This article documents how legitimate macOS binaries (LOOBins) such as dscl, osascript/pbpaste, xattr, and curl are abused for discovery, clipboard theft, Gatekeeper bypass, and C2. It provides command examples and detection queries customers can use with EDR/…
AhnLab’s ASEC warns that malware disguised as a job application letter is being distributed via malicious URLs that mimic a Korean job-seeking site, delivering a Windows payload. The malware exfiltrates data, performs keylogging, takes screenshots, and persist…
TargetCompany ransomware demonstrates a multi-stage attack chain, from exploiting a public-facing application to rapid execution, persistence, and data encryption. The operation leverages WMI, PowerShell, registry-based autostart, service abuse, and extensive …
IBM X-Force assesses that ITG10 is targeting South Korean government, universities, think tanks, and dissidents with RokRAT delivered via LNK-based phishing. The operation uses decoy documents and multi-stage PowerShell payloads to download RokRAT from the clo…
RedLine Stealer is a credential-stealing malware distributed via phishing URLs, malicious Chrome extensions, and loader chains, with campaigns impacting healthcare and manufacturing sectors. Splunk’s Threat Research Team analyzes a RedLine Loader, its defense …
SentinelLabs tracks a targeted social engineering campaign by the North Korean APT group Kimsuky aimed at North Korea affairs experts to steal Google and NK News/NK News Pro credentials and to deliver ReconShark reconnaissance malware. The operation impersonat…
MOVEit Transfer suffered a critical vulnerability (CVE-2023-34362) that enables SQL injection with potential admin access, arbitrary code execution, and ransomware deployment. Huntress documents the full attack chain, including a persistent webshell (human2.as…
Operation Red Deer is a targeted Israeli phishing campaign that evolves its attack chain across incidents, leveraging impersonation of Israel Post and HTML smuggling to deliver a malware payload. The actors use AsyncRAT (3LOSH RAT) variants, PowerShell and VBS…
XeGroup is a long-running threat actor whose re-emergence involves opportunistic operations such as credit-card skimming, fake websites, and data sale on the dark web. The group exploits public-facing applications (notably CVE-2019-18935 on IIS), deploys ASPXS…