ESET researchers link Lazarus to the 3CX supply-chain attack, detailing Operation DreamJob's Linux payload OdicLoader delivering the SimplexTea backdoor via OpenDrive. The findings reinforce Lazarus's cross-OS toolkit (Windows, macOS, Linux) and its engagement…
Category: Threat Research
Symantec Threat Hunter details Daggerfly/MgBot activity targeting telecoms in Africa and Asia, highlighting a modular malware framework used for extensive information gathering. The campaign shows ongoing tool development, credential dumping, AD enumeration, a…
Unit 42 observed a rapid shift toward using IPFS as a vehicle for malicious activity in 2022, spanning phishing, credential theft, C2 communications, and payload delivery. The decentralized, bullet-proof hosting nature of IPFS makes takedowns difficult, enabli…
AuKill is a defense-evasion tool that exploits an outdated Microsoft Process Explorer driver to disable EDR protections and then deploys ransomware, with multiple variants observed since 2023. The technique, a BYOVD (bring-your-own vulnerable driver) approach,…
Play ransomware group (Balloonfly) has been observed using new custom data-gathering tools to enumerate software, backups, and remote admin utilities, exfiltrate the data, and compress it for leakage. The article also covers the VSS-based copy technique, log d…
ASEC reports BlackBit ransomware being distributed in Korea, masquerading as svchost.exe and active since September of last year. It obfuscates with .NET Reactor and shows traits similar to LokiLocker; the campaign includes persistence, recovery prevention, an…
Bumblebee malware was distributed via trojanized installers for Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace, using a malicious Google Ad chain and a compromised WordPress site to drive victims to fake download p…
Uptycs researchers uncovered Poseidon, a Linux backdoor tied to APT-36 (Transparent Tribe), delivered via a tainted Kavach 2FA tool to compromise Indian government-related systems. Poseidon functions as a versatile backdoor offering keystroke logging, screen c…
BlackBerry Threat Research tracks two parallel campaigns using the same infrastructure: a Google Ads malvertising campaign pushing fake software (Vidar and IcedID) and a massive spear-phishing campaign impersonating Spain's tax agency AEAT to harvest credentia…
A sophisticated phishing campaign targeted EPOS Net customers with meticulously crafted emails and a cloned website designed to harvest banking information and OTP data. The attackers leveraged spoofed emails and real EPOS support numbers to create legitimacy …
CrossLock is a Go-based ransomware that encrypts victims' data and exfiltrates it for double-extortion. It uses ETW event tracing bypass, extensive cleanup of backups and logs, and service disruption to hinder recovery and pressure victims to pay. #CrossLock #…
Mint Sandstorm (PHOSPHORUS) has refined its tradecraft, weaponizing new-day vulnerabilities and conducting targeted phishing to access high-value targets in energy and transportation sectors. The group develops bespoke tooling (Drokbk, Soldier, CharmPower) and…
Zscaler ThreatLabz uncovered a new multifunctional backdoor named DevOpt, built with Free Pascal, capable of keylogging, stealing browser credentials, clipper functionality, and persistence. The campaign shows two development variants, lure infrastructure on a…
The in2al5d p3in4er loader is a highly evasive component that powers Aurora's delivery chain. Morphisec explains its anti-VM checks, runtime payload decryption, process hollowing, and decoy-website/social-engineering techniques that rely on YouTube distributio…
Trigona ransomware campaigns target poorly managed MS-SQL servers, leveraging a CLR SqlShell dropper and service-based execution to escalate privileges and encrypt data. The operation includes credential abuse, registry and Run key persistence, and a ransom no…