SideWinder has been observed employing server-side polymorphism to deliver campaigns against Pakistan government officials, and the operation is now targeting Turkey. Campaigns rely on dynamically generated payloads delivered via malicious RTF attachments and …
Category: Threat Research
Fortinet FortiGuard Labs documents a new botnet named AndoryuBot that targets Ruckus Wireless Access Points via CVE-2023-25717 to gain control of devices. The malware then uses a SOCKS-based C2, downloads a propagation script, and implements DDoS capabilities.…
Promising Jobs at the U.S. Postal Service, ‘US Job Services’ Leaks Customer Data – Krebs on Security
A Georgia-based online operation promised USPS jobs and exposed a backend database with nearly 900,000 customers. Investigators traced the scheme to US Job Services and Next Level Support, with ties to a Pakistan-based developer and a Tennessee telemarketing f…
DarkWatchman is spread via phishing sites that imitate CryptoPro CSP to deliver the malware, which stores data in the Windows Registry and uses a staged execution flow to deploy a RAT and a keylogger while avoiding disk writes. The campaign targets Russian use…
drIBAN is a web-inject kit used in Italian corporate banking fraud, paired with the sLoad loader to infect Windows workstations and bypass anti-fraud measures. The operation evolved into an APT-like campaign with persistence, LOLBins, DNS checks, and Ramnit pa…
Fortinet researchers detail a SideCopy-linked operation that uses decoys and HTA-based payloads to deploy a multi-stage Windows malware chain aimed at defense-sector targets. The campaign blends phishing, LOL decoys, DLL side-loading, in-memory execution, and …
CrossLock is a ransomware group that emerged in April 2023 with a Go-based encryptor; its first known victim was a Brazilian digital certifier. It uses a double-extortion model by threatening to leak stolen data on a deep web site if the ransom isn’t pai…
Two-stage DLL sideloading campaigns build on classic sideloading by introducing a second clean application that auto-executes a malicious loader, which then runs the final payload. The operation, linked to Dragon Breath/Golden Eye Dog, targets online-gambling …
Cyble Research and Intelligence Labs (CRIL) uncovered a KEKW malware variant spreading via malicious PyPI wheel packages, combining stealer and clipper capabilities to harvest browser data and hijack cryptocurrency transactions. Python security teams quickly r…
Actors linked to Mustang Panda are behind a targeted campaign against Australia amid the AUKUS security pact, using a ZIP-based lure that delivers a DLL payload via DLL side-loading to achieve persistence and enable PlugX deployment. The operation highlights C…
Security researchers detail persistent malware campaigns like NodeStealer and Ducktail that abuse browser extensions, ads, and social media to compromise business accounts and run unauthorized ads. They describe how these custom families persist, steal browser…
Lookout researchers uncovered BouldSpy, an Android surveillance tool attributed with moderate confidence to Iran’s Law Enforcement Command (FARAJA) that has been used to target minorities and collect extensive device data. The spyware installs via physical acc…
HiddenAds Spread via Android Gaming Apps on Google Play – McAfee Blog
Authored by Dexter Shin. Minecraft is a popular video game that can be played on a desktop or mobile. This…
Raspberry Robin is a global USB-based malware campaign that acts as a loader, delivering ransomware operators and other loaders to target networks. It propagates via infected USB drives, uses legitimate Windows binaries to execute payloads, and relies on compr…
EclecticIQ links a spearphishing campaign against Poland’s healthcare sector to Vidar Infostealer, with overlaps to Djvu and LockBit 2.0 ransomware activity, and describes how Vidar collects sensitive data and exfilt…