The Royal Ransomware encrypts files across all volumes, including network shares, using .Royal, .Royal_w, or .royal_u extensions and a Tor-based README.TXT for attacker contact. It combines AES with an RSA public key embedded in the executable, deletes shadow c…
Category: Threat Research
AsyncRAT is explored through a widely used OneNote spearphishing campaign that delivers an HTA downloader to load a PowerShell-based loader and decrypts/loads AsyncRAT payloads. The post also details AsyncRAT’s capabilities, persistence, defense evasion, scrip…
ASEC analyzes phishing email threats from March 5–11, 2023, focusing on attachments and FakePage credential-theft campaigns, with a breakdown of threat types, file extensions, and distribution cases. The post also lists attacker C2 URLs, notable keywords to be…
Securonix Threat Research documented the STARK#VORTEX campaign that uses Ukrainian-themed .chm (Microsoft Help) lure files to execute obfuscated JavaScript and PowerShell which download and deploy MerlinAgent payloads. The chain establishes persistence via a r…
Proofpoint traces TA473, also known as Winter Vivern, exploiting a Zimbra vulnerability to access publicly facing webmail portals and target European government-related email accounts, with bespoke JavaScript payloads crafted for each portal. The researchers u…
FortiGuard Labs tracked bursts of attacks in January and March exploiting Realtek CVE-2021-35394 and Cacti CVE-2022-46169, spreading ShellBot and Moobot malware. Moobot (a Mirai variant) can be controlled via a C2 server to conduct further attacks such as DDoS…
TACTICAL#OCTOPUS targets US entities with tax-themed phishing, delivering GuLoader/CloudEyE to drop additional payloads. The campaign uses heavily obfuscated VBScript and PowerShell, process hollowing, and multiple C2 channels (notably rebrand.ly) to evade det…
ASEC analyzes weekly malware statistics from March 13–19, 2023, led by Infostealer at 43.8% and Backdoor at 34.5%, with RedLine and AgentTesla among the top detections. RedLine and AgentTesla dominated the top tiers with widespread C&C activity, credential the…
ShellBot is being distributed to poorly managed Linux SSH servers, leveraging SSH credential brute-forcing and IRC-based C2 channels to control infected hosts. The report details three ShellBot variants (LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots…
ChinaZ DDoSBot has been found installed on poorly managed Linux SSH servers, turning compromised hosts into bots capable of performing DDoS attacks. The article details Linux and Windows variants, their C2 communications, persistence mechanisms, and defender g…
SentinelOne details a multi-stage supply-chain campaign that trojanizes the 3CXDesktopApp, loading shellcode and pulling ICO data from GitHub to deliver a 3rd-stage infostealer DLL. The operation also extends to macOS with separate stages (libffmpeg.dylib and …
Web application vulnerabilities are like doorways: you never know who or what will walk through. Between December 2021 and July 2022, the Mandiant Managed Defense and Incident Response teams responded to three UNC961 intrusions at different organizations that each started in similar fashion. Two of these victims were under the protection…
Researchers uncovered Mélofée, a Linux-targeted implant with a kernel-mode rootkit tied to Winnti and Chinese state-sponsored actors, featuring evolving capabilities such as a SelfForwardServer. The analysis traces multiple samples, their infrastructure, and l…
BitSight analyzes the Tofsee botnet, showing a proxy plugin that routes most traffic via HTTPS to popular sites, including Russian targets. It also details spam delivery via compromised sites and Masari mining activity, with fastpool.xyz as a working pool and …
The article analyzes the March 2023 NullMixer malware operation, highlighting how opportunistic attackers used malvertising and cracked software to infect thousands of endpoints across Europe, including Italy and France. It also details a MaaS/PPI ecosystem de…