ASEC identifies Qakbot being distributed in Korea via hijacked email threads containing malicious PDF attachments. The attack chain involves opening the PDF, downloading a password-protected ZIP, an obfuscated WSF script, PowerShell, and rundll32 to execute Qa…
Category: Threat Research
eSentire observed a surge in Qakbot information-stealing malware incidents across multiple industries in early April 2023, with phishing emails delivering zip archives containing a Windows script (.wsf), a PDF, or an HTML file via HTML smuggling. The campaign …
GuLoader, also known as CloudEyE, targeted the financial sector via a tax-themed phishing lure and delivered Remcos RAT through a multi-stage PowerShell/VBS chain. eSentire’s TRU team documented the attack, including phishing, registry-based persistence, in-me…
Attackers who previously abused DigitalOcean to host a tech support scam have expanded their operation to StackPath CDN to distribute the scam. Netskope Threat Labs observed a 10x increase in traffic to StackPath-hosted scam pages from February 1 to March 16 a…
TEHTRIS Threat Hunters document illicit cryptomining activity targeting Linux-based machines, observed on a France-hosted honeypot in January. The campaign, named Color1337, toggles between full-capacity cryptomining using diicot and rebound reconnaissance via…
FortiGuard Labs documents a malicious spoofed document impersonating Energoatom that delivers Havoc Demon backdoor via a multi-stage macro. The operation blends anti-analysis techniques, a payload hidden in a custom XML part, and Havoc C2 communications, with …
Part 2 of the HTA file analysis explains how the embedded payload is decrypted: base64 decoding, AES decryption in ECB mode, and gzip decompression to reveal the final payload. It also outlines the tooling workflow (base64dump.py, myjson-transform.py, numbers-…
Security researchers uncovered a zero-day CLFS elevation-of-privilege flaw (CVE-2023-28252) used to deploy Nokoyawa ransomware, with patches issued by Microsoft on April 11, 2023. The campaign involved multiple unique CLFS exploits and a chain that includes ba…
JFrog Security analyzes a NuGet supply-chain attack delivering Impala Stealer, a custom crypto stealer used against Exodus Wallet via typosquatting NuGet packages. The campaign uses a two-stage payload: a PowerShell init.ps1 that downloads and runs a Windows e…
Two paragraphs summarize ongoing Chinese APT activity against EU governments and businesses, highlighting groups, tools, and defensive recommendations. The report details APT27, APT31, APT15, and Mustang Panda campaigns, including Linux and Windows backdoors a…
Check Point Research uncovered three MSMQ vulnerabilities, including the critical QueueJumper (CVE-2023-21554), which enables unauthenticated remote code execution over TCP port 1801 and was patched in the April Patch Tuesday update. Administrators are urg…
This IcedID (Bokbot) activity uses thread-hijacked emails with PDFs linking to Google Firebase Storage, which hosts password-protected ZIP archives. The ZIP contains a digitally signed EXE that installs IcedID on a Windows host, with persistence via scheduled…
The Lazarus group’s DeathNote cluster uses weaponized Word documents with decoys related to cryptocurrency to drop multi-stage payloads, evolving to target defense contractors and supply chains with new infection methods like remote template injection and Troj…
Sygnia analyzes RagnarLocker, detailing its double-extortion operations against critical infrastructure and the group’s TTPs, including the use of RMS and AnyDesk for C2 and data exfiltration. The report also offers mitigations and hunting guidance to help org…
ASEC tracked phishing email threats for the week of March 26 to April 1, 2023, focusing on attachments and detailing distribution cases across FakePage, Downloader, Infostealer, Backdoor, Worm, and Trojan variants. FakePage was the dominant method (59%), accom…