Cyble researchers describe SharpPanda, a China-linked APT, expanding its arsenal with undetected loaders and weaponized Office documents to target high-level government officials in G20 nations. The campaign relies on spear-phishing with exploits in Microsoft …
Category: Threat Research
BlackSuit ransomware shows striking similarities to Royal ransomware across Linux and Windows variants, including ESXi targets, ransom notes with TOR links, and nearly identical encryption behavior. The analysis also highlights shared and unique command-line a…
Attackers are actively scanning for unprotected Apache NiFi instances and adding a malicious processor to NiFi to install a crypto miner, while also attempting lateral movement via SSH keys. Persistence is achieved through cron-based re-downloads, and scripts run…
GuLoader’s VBScript variant uses a tax-themed lure and a multi-stage PowerShell chain to load shellcode and drop Remcos RAT, all while staying largely in memory and evading analysis. The TRU team details the execution flow, from initial user action to payload …
The article presents a large list of SHA-256 file hashes, described as a “File hash, simple list” related to LanceFly APT activity. It links to a Symantec Enterprise Blog post about LanceFly targeting government and aerospace sectors. #LanceFly #Symantec
Check Point Research traces Camaro Dragon activity to a Go-based backdoor named TinyNote used against Southeast and East Asian foreign affairs targets, detailing its multi-stage persistence and C2 infrastructure. The campaign includes SmadAV evasion, ties to M…
Horabot is a new PowerShell-based Outlook phishing botnet that delivers a Delphi-based banking trojan and a spam tool, active since 2020 and targeting Spanish-speaking users in the Americas. The campaign uses multi-stage phishing to propagate by compromising m…
Two sentences summarize the campaign: a novel PyPI supply-chain attack embeds a compiled Python bytecode file (fshec2) to run malicious code and evade source-code scanners by loading the module with importlib. The operation relies on a remote C2 to fetch comma…
Researchers from Kaspersky analyzed Operation Triangulation, a campaign targeting iOS devices by delivering exploits via iMessage attachments and loading stages from a C2 server to deploy a full APT platform. The operation has been ongoing since at least 2019 …
An unknown financially motivated threat actor, likely from Brazil, targets Spanish- and Portuguese-speaking victims in Portugal, Mexico, and Peru to steal online banking access using CMD-based scripts and LOLBaS (Living Off the Land Binaries and Scripts). The c…
Eclypsium reveals a backdoor-like risk in Gigabyte’s App Center firmware where a Windows native executable is dropped into UEFI and executed at startup, enabling further payloads to be downloaded and run. The disclosure underscores supply-chain and local-envir…
Chapter 2 continues the Ramnit/drIBAN investigation, detailing how sLoad and Ramnit are connected and how MiTB attacks and injection kits are delivered. It covers Ramnit’s capabilities, the Lua-coded web inject kit, DGA-based C2, persistence, and anti-analysis…
A clever phishing campaign impersonates OpenAI/ChatGPT branding and uses a personalized, IPFS-hosted link to harvest credentials. It combines brand forgery, display-address spoofing, and dynamic redirection to steal data while making takedown harder and avoidi…
CryptoClippy is evolving beyond simple crypto-wallet theft to target a broader set of Brazilian payment services, using multi-stage delivery and data-exfiltration tactics. The campaign now leverages NSIS installers, PowerShell loaders, and UAC bypass to persis…
AceCryptor is a long-running cryptor that packs tens of malware families and uses extensive obfuscation and anti-analysis techniques to hide its payload. ESET researchers describe its three-layer architecture, diverse distribution, and the scale of its impact …