SEO poisoning is described as a rising method threat actors use to seed malicious sites in top search results now that Office blocks malicious macros. The article analyzes the Gootkit loader’s multi-stage delivery, decoding, and C2 behavior, highlighting how…
Category: Threat Research
Rapture is a ransomware family observed in March–April 2023 that is packed with Themida and shows similarities to Paradise yet behaves distinctly. The attackers leverage memory-based execution via a Cobalt Strike beacon, staged through PowerShell and WMI, to d…
The ASEC weekly malware statistics summarize the top families by distribution from November 21–27, 2022, led by AgentTesla and SmokeLoader. The post also details their command-and-control infrastructure and common disguise techniques such as invoices and purch…
Researchers detail a Magecart campaign in which a threat actor uses a custom fraudulent modal to hijack checkout and steal credit card data from compromised Prestashop stores. The skimmer relies on a well-crafted modal, dynamic HTML, obfuscated code, and a red…
ESET researchers linked a campaign to the Evasive Panda APT group that hijacked update channels of legitimate Chinese software to deliver MgBot, the group’s flagship backdoor. The report also details MgBot’s modular plugin toolkit and analyzes two main deliver…
Cyble researchers reveal a Golang-based macOS stealer named Atomic macOS Stealer (AMOS) advertised on Telegram, designed to exfiltrate a wide range of victim data. The malware collects keychain passwords, system information, Desktop/Documents files, macOS pass…
Authored by Dexter Shin. The McAfee Mobile Research Team found an Android banking trojan signed with a key used by legitimate…
The post Fakecalls Android Malware Abuses Legitimate Signing Key appeared first on McAfee Blog….
TrafficStealer uses Docker containers to generate revenue by proxying users’ traffic and manipulating ad engagement, turning honeypots into monetization machines. Attackers leverage public container images and automation via YAML to scale the operation, while …
RTM Locker marks the RTM group’s first Linux ransomware binary, targeting Linux, NAS, and ESXi hosts, and appears inspired by Babuk’s leaked source code, using ECDH Curve25519 and ChaCha20 for file encryption. Uptycs provides detection guidance with XDR and YA…
Researchers documented the first evidence of attackers abusing Kubernetes RBAC to backdoor clusters, using DaemonSets to hijack resources and mining Monero across numerous targets. The activity highlights how misconfigurations can enable persistence and widesp…
PaperCut CVE-2023-27350 and CVE-2023-27351 allow remote code execution and authentication bypass on PaperCut MF/NG servers, with unpatched systems actively exploited in the wild. The article highlights PoC dissemination via hacktivist channels and rising ransomwa…
BellaCiao is a highly customized dropper linked to Charming Kitten (APT35) that targets US, European, Middle Eastern, and Indian victims with victim-specific data and C2 communication. The implant combines a tailored payload, a DNS-based command channel, and m…
Unit 42 identified a new PingPull Linux variant used by Alloy Taurus, alongside a related backdoor dubbed Sword2033, expanding their Linux-focused espionage toolkit. The findings link these tools to Alloy Taurus’s C2 infrastructure and regional activity in Sou…
Zero Day Initiative — TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal
Zero Day Initiative flagged Mirai expanding its toolkit by incorporating CVE-2023-1389 to target TP-Link Archer AX21 routers, with evidence of active exploitation starting in April after TP-Link’s patch. The malware downloads and executes architecture-specific…
The Tonto Team targets mainly Asian countries and has been distributing Bisonal malware, using anti-malware-related files to facilitate DLL side-loading. ASEC’s analysis traces evolving CHM-based campaigns in Korea, persistence via RUN keys, and C2 communicatio…