FBI and CISA warn of active exploitation of CVE-2023-27350 in PaperCut MF/NG servers, enabling unauthenticated remote code execution. The Bl00dy Ransomware Gang targeted the Education Facilities Subsector, exfiltrated data and encrypted systems, and a patch has be…
Category: Threat Research
GuLoader (GULoader) campaigns deploy a highly evasive shellcode-based loader using NSIS-based installers delivered via malspam, incorporating XOR-encoded payloads and anti-analysis tricks. The article outlines a three-stage infection chain—shellcode deployment…
Dragos faced a failed extortion attempt after a cybercriminal group compromised a new sales employee’s personal email to access internal resources, but Dragos systems and controls remained uncompromised. The company blocked the account, engaged CrowdStrike and…
ASEC’s RAPIT weekly analysis covers malware statistics from May 1–7, 2023, showing infostealers as the top category and AgentTesla leading the threat landscape. It details the main families (AgentTesla, Formbook, Amadey, GuLoader, Lokibot), their distribution,…
SentinelLabs identified 10 ransomware families using VMware ESXi lockers derived from the 2021 Babuk leaks, showing a growing adoption of Babuk code for ESXi lockers. Leaked Babuk source enables actors to target Linux systems and complicates attribution as mor…
Bitdefender uncovered DownEx, a newly identified espionage malware family targeting Central Asia (Kazakhstan and Afghanistan) with a data-exfiltration focus and a multi-stage attack chain. The operation combines spear-phishing, a disguised Word document launch…
CLR SqlShell is a DLL-based malware component used on MS-SQL servers to run threat actor commands and enable post-exploitation activities, including loading additional malware like CoinMiner or ransomware. The article details how various SqlShell variants abus…
A late-April malspam campaign delivers a previously unseen PowerShell malware family dubbed PowerDash, using a Word document exploiting CVE-2017-0199 to drop further payloads. The operation employs VBScript to PowerShell chaining, HTA-based stagers for persist…
Authored by Yashvi Shah. McAfee Labs have identified an increase in Wextract.exe samples that drop a malware payload at…
From the McAfee Blog post "Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution".
FortiGuard Labs documents RapperBot expanding from a DDoS botnet into cryptojacking on Intel x64 machines by merging the bot with an XMRig miner. The campaign updates include a revamped C2 protocol, multi-layer encoding to evade detection, and SSH-key persiste…
Cofense Intelligence analyzes credential phishing that uses man-in-the-middle (MiTM) attacks to proxy authentication between users and destinations, enabling harvesting of usernames, passwords, and session cookies and potentially bypassing MFA. The report note…
Royal ransomware is a private group formed by former Conti members that has targeted critical infrastructure, notably healthcare, since September 2022. It uses BATLOADER to drop a Cobalt Strike beacon and has expanded to a Linux/ESXi variant, with public extor…
The article explains how threat actors use fake applications impersonating trusted brands (notably IRCTC) to deceive users into downloading spyware, with social engineering and phishing as core tactics. It analyzes an IRCTC advisory, details the spyware’s capa…
SideWinder has been observed employing server-side polymorphism to deliver campaigns against Pakistan government officials, and the operation is now targeting Turkey. Campaigns rely on dynamically generated payloads delivered via malicious RTF attachments and …
Fortinet FortiGuard Labs documents a new botnet named AndoryuBot that targets Ruckus Wireless Access Points via CVE-2023-25717 to gain control of devices. The malware then uses a SOCKS-based C2, downloads a propagation script, and implements DDoS capabilities…