Typhon Reborn V2 is a rebuilt information stealer with significantly enhanced anti-analysis, anti-VM, and obfuscation capabilities, designed to evade security researchers and detections. It exfiltrates collected data via Telegram and is sold cheaply on undergr…
Category: Threat Research
Check Point researchers identified a new ransomware strain named Rorschach that was deployed against a US-based company, notable for its lack of branding and autonomous capabilities. The malware combines novel evasion, ul…
Sysdig’s Threat Research Team (TRT) uncovered proxyjacking, where attackers leverage the Log4j vulnerability to gain access to a container and then turn compromised pods into proxy servers to monetize IP addresses via proxyware services such as Pawns.app, IPRo…
Symantec tracks a new loader called Verblecon (Trojan.Verblecon) used in low-reward attacks to install cryptocurrency miners and potentially steal Discord access tokens, with greater danger if leveraged in ransomware or espionage. First spotted in January 2022…
Volexity analyzed a supply-chain compromise of the 3CX Desktop App in which a malicious ffmpeg library inserted into signed installers decoded encrypted blobs, fetched staged payloads, and reflectively loaded a 64-bit information-stealer dubbed ICONIC/ICONICST…
A sophisticated new toolset is being used to harvest credentials from multiple cloud service providers, including AWS SES and Microsoft Office 365.
The Mantis threat group (Arid Viper/Desert Falcon) continues targeting Palestinian organizations with a refreshed toolset and a persistent presence across networks. The campaign centers on updated Micropsia and Arid Gopher backdoors, credential theft, and data…
Fortinet FortiGuard Labs’ bi-weekly Ransomware Roundup highlights Dark Power and PayME100USD, outlining their file-encrypting behavior on Windows and the actor’s apparent data-leak threats, with Fortinet-provided protections and best practices. The report note…
Rhadamanthys is a feature-rich infostealer that debuted on the dark web and has drawn attention for its expansive, “everything on a bagel” design. The Check Point Research analysis covers its multi-stage loader, forensic methods to resolve in-memory API calls,…
Cyble detailed Cl0p Ransomware’s global activity, highlighting its shift to a Ransomware-as-a-Service model, double extortion, and multi-vector infection techniques across industries and regions. It also notes Linux variants and a public leak site, with techni…
ASEC researchers detected Nevada ransomware distribution, noting its Rust-based implementation and the use of the .NEVADA extension for encrypted files. The malware supports command-line options to tailor encryption, creates README.txt ransom notes with a Tor …
FusionCore is a European threat actor group that operates Malware-as-a-Service and hacker-for-hire operations, offering a wide catalog of custom malware and a ransomware affiliate program. They leverage phishing as their main initial-access vector, run a websh…
IcedID was delivered via malspam as an ISO image, which after mounting loaded a hidden LNK that ultimately dropped IcedID and a batch to disk, enabling domain-wide ransomware. The attackers used IcedID as a loader for Cobalt Strike, conducted extensive discove…
LummaC2 is a new infostealer sold on the dark web and spread by a threat group disguising it as illegal cracks and keygens. The campaign uses obfuscation, anti-sandbox checks, and C2 communications to exfiltrate data from targeted browsers and wallet apps. #Lu…
ASEC reports a CHM-based APT technique where threat actors use Compiled HTML Help Files to execute malware via hh.exe, download a PowerShell script, and run it through mshta.exe. The operation culminates in persistence via the Run registry key and C2 communica…