PaperCut CVE-2023-27350 and CVE-2023-27351 allow remote code execution and authentication bypass on PaperCut MF/NG servers, with unpatched systems actively exploited in the wild. The article highlights PoC dispersion via hacktivist channels and rising ransomwa…
Category: Threat Research
BellaCiao is a highly customized dropper linked to Charming Kitten (APT35) that targets US, European, Middle Eastern, and Indian victims with victim-specific data and C2 communication. The implant combines a tailored payload, a DNS-based command channel, and m…
JPCERT/CC documented an attack around February 2023 that targeted a crypto asset exchanger with Parallax RAT delivered via spam emails directing victims to a Google Drive link. The operation used OneNote files with embedded VBS, a PowerShell payload, Windows s…
Educated Manticore is an Iran-aligned threat cluster that has evolved its toolset to deploy a newer PowerLess variant via ISO-based lures targeting Israel. The operation uses a multi-stage infection chain with a mixed-mode .NET loader and in-memory execution t…
A malicious PyPI package named termcolour reappeared in March as a three-stage downloader, illustrating how repurposing an abandoned package name can seed a supply-chain attack. The incident shows how PyPI’s name-reuse policy and lack of visibility into who re…
Tomiris is a Russian-speaking threat actor whose operations target CIS government and diplomatic entities, deploying a wide range of burners, backdoors, and file stealers across multiple campaigns and languages. The analysis links Tomiris to Turla toolsets lik…
Gh0st RAT is a decades-old open-source remote administration tool that still shows up in phishing campaigns, including against a European medical technology organization, highlighting its enduring availability and adaptability. While once tied to nation-state …
Identifying Connected Infrastructure and Management Activities: this blog post seeks to build on recent public reporting on…
Symantec’s Threat Hunter Team links a broader X_Trader software supply chain attack to multiple victims, including two critical infrastructure organizations in the energy sector in the U.S. and Europe, plus two other financial trading firms. The operation uses…
Cyble researchers report Qakbot’s evolving delivery using OneNote attachments that drop CHM files, which load a PowerShell script to download and execute a DLL via rundll32. This method—along with embedded ISO content and hardcoded URLs—helps Qakbot evade dete…
OCX#HARVESTER is a threat campaign by Securonix Threat Labs leveraging the More_eggs malware suite to target financial-sector victims, with activity observed from late 2022 through early 2023 and new C2 infrastructure shifts. The campaign uses image-based LNK …
Researchers observed in-the-wild exploitation of zero-day vulnerabilities in PaperCut MF/NG that allow unauthenticated remote code execution via an authentication bypass. The campaign uses post-exploitation payloads (including Atera and Syncro RMM installers) …
Trend Micro details a new ViperSoftX campaign that hides its loader in illicit software packages and uses DLL sideloading, advanced encryption, and anti-analysis techniques to steal cryptocurrency wallets and passwords. The operation targets both consumers and…
Unit 42 researchers document a surge in ChatGPT-related scams, including domain squatting and copycat services that abuse OpenAI branding to lure users into malware or data theft. The article presents phishing, malware delivery, crypto and financial scams, and…
EvilExtractor is a Windows-focused info stealer with modular components that exfiltrate browser data, credentials, and system information to an attacker’s FTP server, and it includes a Kodex ransomware capability. FortiGuard Labs links its phishing delivery, P…