Guardio Labs found a new FakeGPT Chrome extension variant that forks a legitimate open-source “ChatGPT For Google” project to hide malicious code that steals Facebook session cookies. The extension encrypts those cookies with AES and exfiltrates them via a cus…
Category: Threat Research
Intezer traces Bitter APT activity targeting China's nuclear energy sector as part of an Asia-Pacific espionage campaign and ties it to earlier Bitter tooling, including CHM and Excel payloads and Microsoft Office exploits. The operation uses social engineering with lur…
Microsoft’s guidance explains how CVE-2023-23397 lets a crafted Outlook reminder silently leak a user's Net-NTLMv2 hash, and identifies Forest Blizzard (STRONTIUM), a Russian state-sponsored group linked to GRU Unit 26165, as an actor exploiting this vulnerability to access…
Earth Preta orchestrates a long-running cyberespionage operation involving multiple APT subgroups (724, 1358, 5171) with a centralized development unit, targeting a range of sectors and regions and expanding to maritime and government entities. The study highl…
Cyble Research and Intelligence Labs uncovered a Malware-as-a-Service platform named “Cinoshi” that bundles a stealer, botnet, clipper, and cryptominer, with free stealer and web-panel access. The MaaS includes a web panel for build configuration, botnet task …
Magecart campaigns are exploiting client-side obfuscation to load skimmers during checkout, using Hunter to conceal JavaScript code and inject malicious forms. The techniques culminate in encoded credit card data stored in a cookie and exfiltrated via POST, al…
ThreatLabz (Zscaler) analyzes a new DBatLoader campaign active in Europe that delivers Remcos RAT and Formbook to manufacturing companies and other businesses. The operation uses WordPress-hosted payloads served over valid SSL certificates, multi-format obfuscat…
Proofpoint catalogs three IcedID variants—Standard, Lite, and Forked—and notes a shift from banking-focused activity to payload delivery, including ransomware. It links the Forked variant to Emotet infections and multiple threat actors (TA581, TA578, TA551, TA…
macOS threat actors are increasingly focusing on data theft rather than ransom, exfiltrating session cookies, keychains, SSH keys, and other sensitive data to monetize or enable espionage. The article outlines where these data assets reside, how attackers acce…
MacStealer is a macOS stealer distributed via DMG that is controlled over Telegram, marking a new platform for stealer operations. It exfiltrates browser credentials, Keychain data, and files, sending stolen data via HTTP POST to a C2 and to Telegram channels/…
The article analyzes the Dark Power ransomware gang, detailing its Nim-based ransomware, encryption techniques (AES-CTR), and anti-forensic tactics such as service and process termination, log clearing, and extensive file/folder exclusions. It also covers the …
InQuest Labs analyzed a credential phishing campaign targeting a municipal government, tracing a sequence from a compromised sender to a cloud-hosted phishing infrastructure. The attacker used Raven cloud hosting and Microsoft Azure blob storage to lure victim…
Warning for Microsoft Office Outlook Privilege Escalation Vulnerability (CVE-2023-23397) – ASEC BLOG
Microsoft has disclosed a privilege escalation vulnerability in Outlook for Windows (CVE-2023-23397) that leaks the user's Net-NTLMv2 credentials when a crafted reminder fires. The issue can be exploited by a malicious email that forces authentication to a threat actor-cont…
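The CVE-2023-23397 items above (Microsoft's guidance and the ASEC warning) both come down to one message property: the attacker sets the reminder's custom-sound path (PidLidReminderFileParameter, with PidLidReminderOverride enabled) to a UNC or file:// location on a host they control, and Outlook authenticates to it when the reminder fires. The following is an added example, not code from Microsoft, ASEC or this page, of the triage logic a responder would run over mailbox items: extract the host the client would contact, and flag any host that is not on an explicit allow list. The property values are modelled as a plain dict of MAPI property ID to value; the reader that produces that dict (Exchange EWS, a .msg parser) and the sample messages are assumptions constructed for the example. Unlike Windows' own Intranet-zone rule, single-label (dotless) names are not auto-trusted here, since a rogue host on the LAN or a poisoned name would satisfy that rule.

```python
"""Flag Outlook messages whose reminder-sound path points at an untrusted host.

Added example for the CVE-2023-23397 write-ups; the property reader and the
sample messages below are constructed for illustration.
"""
import ipaddress
import re
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# MAPI named properties in the PSETID_Common namespace that drive the reminder sound.
PID_LID_REMINDER_OVERRIDE = 0x851C        # PtypBoolean: play a custom sound file
PID_LID_REMINDER_FILE_PARAMETER = 0x851F  # PtypString: path of that sound file

# \\host\share\file.wav (Windows also accepts //host/share); group 1 is the host.
UNC_RE = re.compile(r"^[\\/]{2}([^\\/?]+)(?:[\\/].*)?$")


def reminder_target_host(path: Optional[str]) -> Optional[str]:
    """Return the host Outlook would contact to fetch this sound, or None if
    the path is local (drive letter, relative path, empty)."""
    if not path:
        return None
    m = UNC_RE.match(path)
    if m:
        return m.group(1).lower()
    # file://host/share/x.wav and similar; urlsplit strips userinfo, port and
    # IPv6 brackets. "C:\x.wav" parses as scheme "c" with no host -> None.
    parts = urlsplit(path)
    if parts.scheme and parts.hostname:
        return parts.hostname.lower()
    return None


def is_trusted_host(host: str, trusted_suffixes: Iterable[str],
                    trusted_nets: Iterable[str]) -> bool:
    """Allow-list check: loopback, listed IP ranges, or listed DNS suffixes.
    Suffix matching is label-aligned so 'evilcorp.example' does not match
    'corp.example'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(host == s.lower() or host.endswith("." + s.lower())
                   for s in trusted_suffixes)
    return ip.is_loopback or any(ip in ipaddress.ip_network(n) for n in trusted_nets)


def scan_message(props: Dict[int, object], trusted_suffixes: Iterable[str] = (),
                 trusted_nets: Iterable[str] = ()) -> Optional[dict]:
    """Return a finding for a message whose reminder sound lives on an untrusted
    remote host, else None. A remote path with the override flag set is the
    exploit shape; without it the property is still anomalous, so rate it lower."""
    path = props.get(PID_LID_REMINDER_FILE_PARAMETER)
    host = reminder_target_host(path if isinstance(path, str) else None)
    if host is None or is_trusted_host(host, trusted_suffixes, trusted_nets):
        return None
    override = bool(props.get(PID_LID_REMINDER_OVERRIDE, False))
    return {"host": host, "path": path, "override": override,
            "severity": "high" if override else "medium"}


def scan_all(messages: Dict[str, Dict[int, object]], **kw) -> Dict[str, dict]:
    """Run scan_message over a name -> properties mapping; keep only findings."""
    findings = {}
    for name, props in messages.items():
        finding = scan_message(props, **kw)
        if finding:
            findings[name] = finding
    return findings


# Constructed sample messages (property ID -> value), not real mailbox data.
SAMPLE_MESSAGES = {
    "benign-local": {0x851C: True, 0x851F: r"C:\Windows\Media\chimes.wav"},
    "benign-internal": {0x851C: True, 0x851F: r"\\fileserver.corp.example\sounds\ding.wav"},
    "exploit-unc": {0x851C: True, 0x851F: r"\\203.0.113.10\share\x.wav"},
    "exploit-url": {0x851C: True, 0x851F: "file://evil.example.net/s/x.wav"},
    "lookalike-suffix": {0x851C: True, 0x851F: r"\\evilcorp.example\s\x.wav"},
    "no-override": {0x851F: r"\\198.51.100.7\p\y.wav"},
    "no-reminder": {},
}

if __name__ == "__main__":
    for name, f in scan_all(SAMPLE_MESSAGES, trusted_suffixes=("corp.example",),
                            trusted_nets=("10.0.0.0/8",)).items():
        print(f"{name}: {f['severity']} -> {f['host']} ({f['path']})")
```

The allow list is the part to get right: the Outlook patch relies on Windows zone mapping, and the follow-on bypasses for this bug were precisely alternative path spellings that the zone check misclassified, so keep the host extraction strict and treat anything you cannot positively classify as a finding.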
Earth Preta has updated its TTPs across campaigns to bypass security solutions, introducing new tools like TONEINS, TONESHELL, PUBLOAD, and NUPAKAGE. The campaign relies on decoy documents, Google Drive links, and password-protected archives to evade detection…
SentinelLabs and QGroup describe attacks in Q1 2023 against Middle East telecoms, linked to the Operation Soft Cell activity and likely conducted by a Chinese cyberespionage group in the Gallium/APT41 nexus. The operation centers on mim221, a maintained creden…