Brute Ratel remains rare and targeted, with limited real-world use and far fewer detections than Cobalt Strike. Sophos notes that cracked versions and targeted deployments have kept it from becoming the widespread threat feared, while defenders continue to mon…
Category: Threat Research
ASEC reports SparkRAT was found distributed inside a VPN installer, indicating a supply-chain style compromise. The dropper creates SparkRAT in a local path, registers it for persistence, and enables remote control, information theft, and other malicious actio…
FBI, CISA, and ACSC describe BianLian ransomware and data-extortion group IOCs and TTPs identified through investigations as of March 2023, noting a shift from double-extortion to exfiltration-based extortion. The advisory covers ini…
Cyble Research and Intelligence Labs identifies BlackSuit ransomware targeting Windows and Linux, with its Linux variant sharing code with Royal ransomware. It uses command-line parameters, mutex-based single-instance checks, and network/share-based lateral mo…
Trend Micro reports that the 8220 Gang has evolved its tactics, including Linux lwp-download exploits and CVE-2017-3506 in Oracle WebLogic to deploy cryptocurrency miners across Linux and Windows. The group uses PowerShell-based droppers, AMSI bypass technique…
FortiGuard Labs identified 30+ zero-day attacks in PyPI packages during a short window in late March to late April, revealing several families and methods used to weaponize the open-source Python ecosystem. The campaigns rely on malicious setup.py behavior tha…
Water Orthrus has launched two campaigns, CopperStealth (rootkit delivery) and CopperPhish (credit card phishing), expanding their toolkit with a new rootkit and phishing modules. The campaigns share code traits with CopperStealer and indicate a shift toward t…
Lancefly’s recent activity centers on the Merdoor backdoor and ZXShell rootkit, targeting government, aviation, and other sectors with intelligence-gathering as a primary motive. The campaign shows adaptability in initial access vectors, credential theft via n…
Red Stinger is an Eastern Europe–focused APT active since 2020, tracked publicly by Malwarebytes and Kaspersky under different aliases, with campaigns targeting Ukraine’s military, transportation, and critical infrastructure. The operation used a repeatable in…
Rancoz is a rebranded ransomware variant that leverages leaked Vice Society code to tailor attacks for specific industries, organizations, or regions. It employs double extortion, real-time operation logging, and multi-thread encryption (ChaCha20-Poly and NTRU…
Akira is a newly observed ransomware strain that uses double-extortion by exfiltrating data before encryption and threatening publication or sale of stolen information. Cyble CRIL documents its behavior, including drive enumeration, file targeting, ransom note…
FortiGuard Labs’ Ransomware Roundup highlights Maori, a Linux-targeting ransomware written in Go that encrypts files in the home directory and demands payment for decryption. The report notes ransom notes, contact methods via Tox and onionmail, and Fortinet pr…
An unusual phishing campaign known as MEME#4CHAN delivers XWorm payloads through meme-filled PowerShell and obfuscated JavaScript, persisting for months and evolving with new payloads and obfuscation methods. The attack chain starts with phishing Word document…
A malvertising campaign redirects Windows users to a convincing fake system update, delivering a loader that bypasses many AVs and sandboxes to drop Aurora Stealer. The operation uses an “Invalid Printer” loader, patches it to defeat sandbox checks, and exfiltr…
BPFdoor is a Linux-focused stealth backdoor designed for long-term persistence, associated with the Red Menshen (Red Dev 18) threat actor. A new 2023 variant removes many hardcoded indicators, adds static library encryption via libtomcrypt, and uses a Berkeley…