The in2al5d p3in4er loader is a highly evasive component that powers Aurora’s delivery chain. Morphisec explains its anti-VM checks, runtime payload decryption, process hollowing, and decoy-website/social-engineering techniques that rely on YouTube distributio…
Category: Threat Research
EclecticIQ analysts found a publicly exposed SMTP web panel used by Gamaredon to automate spear-phishing campaigns targeting Ukrainian government entities, delivering malicious Word documents via RAR attachments and spoofed sender addresses. The operation show…
BabLock (aka Rorschach) is a stealthy, fast-moving ransomware with a multi-component attack chain that blends elements from LockBit but appears to be from a different actor. The analysis details its extension variation scheme, loading chain, and anti-analysis …
Fortinet FortiGuard Labs details a tax-season campaign delivering the XWorm RAT via malicious tax documents, LNK files, and HTA/PowerShell chains. The article describes the infection flow, defense-evasion tricks, multiple variants, and indicators to help defen…
Trigona is a Delphi-based ransomware that encrypts files using RSA and AES with a novel residual block termination, adds a multi-step decryption workflow, and recently gained a data wiper capability. ThreatLabz notes overlap in tactics with BlackCat/ALPHV, but…
Uptycs researchers identified Zaraza bot, a credential-stealing malware that uses Telegram as its command-and-control channel to collect browser credentials and other sensitive data. It targets 38 web browsers and transmits stolen information to a Telegram ser…
Two former Conti and FIN7 affiliates are linked to a new backdoor family named Minodo, delivered alongside Dave Loader and other ITG14/ITG23-aligned tooling, with Nemesis infostealer as a key payload. The campaign chain shows cross-group collaboration, overlap…
Money Ransomware uses a double extortion model, encrypting data and exfiltrating sensitive information to threaten public release if the ransom isn’t paid. The article analyzes the Money Ransomware sample, detailing its configuration, infection flow, and netwo…
Tax accounting firms and CPAs are being targeted during peak tax season with a precision malware attack delivering GuLoader via social engineering and a novel Windows-based exploit. The operation starts with a deceptive email, followed by a password-protected …
Threat actors targeted tax preparation and financial services firms with a Tax Day-themed phishing campaign delivering the Remcos remote access trojan (RAT), culminating in network access and lateral movement. The attackers use a chain that hides the lure behi…
RTM Locker operates as a ransomware-as-a-service with affiliates under strict governance, aiming to stay under the radar and monetize rather than seek headlines. The article provides a technical deep dive into their Windows ransomware, including panel operatio…
Legion is a Python-based credential harvester and hacktool sold via Telegram, designed to abuse various services by extracting credentials and hijacking cloud resources for email and SMS abuse. It exhibits capabilities to perform web server exploitation, crede…
ASEC’s RAPIT weekly analysis (Apr 3–9, 2023) shows backdoors as the dominant category (61.1%), followed by infostealers (20.8%), downloaders (16.9%), and ransomware (1.1%). RedLine leads the threat list with over half of detections, with AgentTesla, GuLoader, …
The Bitter (T-APT-17) group has been distributing CHM-based malware to Chinese organizations via email attachments, continuing its pattern of targeting government-related entities using Microsoft Office workflows. The CHM payloads employ obfuscation to evade d…
SentinelLabs tracks a cluster of malicious Office documents that stage Crimson RAT, distributed by APT36 (Transparent Tribe), targeting the education sector in the Indian subcontinent. The researchers note ongoing evolution in Crimson RAT implementations and t…