Cyber espionage threat actors continue to target technologies that do not support endpoint detection and response (EDR) agents, such as firewalls, IoT devices, hypervisors and VPN appliances (e.g. Fortinet, SonicWall, Pulse Secure and others). Mandiant has investigated dozens of intrusions at defense industrial base (DIB), government, technology, and telecommunications organizations over…
Category: Threat Research
A new Magecart skimmer family named Kritec has been discovered on Magento stores, appearing alongside a separate skimming campaign and sharing indicators of compromise with older campaigns. Kritec loads its malicious Java…
CYFIRMA researchers identified a sample named ALC Ransomware that masquerades as ransomware but functions as scareware, since it does not encrypt files. The malware locks the screen, disables Task Manager, drops multiple files, and delivers a ransom note while…
Trigona is a newly observed ransomware strain that security researchers first noted in October 2022 and that was highly active in December 2022, with at least 15 victims across multiple industries. The operation uses HTML Application ransom notes with embedded JavaScript con…
Malware authors continually tweak techniques to evade automated detection, prompting tailored sandboxing approaches like dependency emulation and VMI-based SSL/TLS traffic decryption to improve detonation and visibility. Palo Alto Networks highlights how adapt…
SideCopy APT, a Pakistan-based actor active since 2019, targets South Asia with a multi-stage infection chain that leverages LNK and HTA loaders to deploy DLLs and final payloads. The campaign against India’s DRDO demonstrates DLL side-loading, anti-virus evas…
Emotet now delivers payloads via OneNote attachments in spam emails, moving away from ZIP-based delivery and introducing a dropper that uses Windows Script File (WSF) with regsvr32 to execute the payload. The campaign downloads Emotet payloads from multiple UR…
Zscaler ThreatLabz analyzes APT37 (ScarCruft/Temp.Reaper), a North Korea-based threat actor targeting South Korean organizations, with activity noted in early 2023. The investigation reveals a GitHub leak exposing a wealth of malicious payloads and multiple at…
Rapid7 observed active exploitation of Adobe ColdFusion across multiple customer environments beginning in January 2023, leveraging CVE-2023-26360 and related ColdFusion vulnerabilities for initial access. The campaign involves dropping web shells, encoding Po…
CrowdStrike observed eCrime adversaries shifting from macro-based delivery to OneNote attachments, embedding HTA, CMD, and JSE payloads to drop second-stage loaders. After Microsoft patched the Mark-of-the-Web (MOTW) bypass in ISO files (CVE-2022-41091) in November 2022,…
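The Emotet and eCrime items above both hinge on one delivery trick: OneNote (.one) files carry arbitrary embedded files, and a script payload (HTA, CMD, JSE, WSF) dropped from the note is what runs. The triage helper below is an added example, not code from CrowdStrike, Palo Alto Networks or any vendor named on this page. It relies on the fact that every embedded file in a .one file is wrapped in a FileDataStoreObject whose header and footer GUIDs are fixed, so the payloads can be carved with no OneNote parser at all, and then sniffs each carved blob for script markers. The sample .one blob, the payloads inside it and the signature table are constructed for the example; only the wrapper layout comes from the file format.

```python
import hashlib
import struct
from typing import List, Tuple

# FileDataStoreObject wrapper from the OneNote file format: every embedded file
# sits between these two GUIDs (stored little-endian), with a 20-byte header
# (8-byte length + 12 reserved bytes) between the first GUID and the data.
FILE_DATA_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")  # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FILE_DATA_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")  # {71FBA722-0F79-4A0B-BB13-899256426B24}
ONE_FILE_MAGIC = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")    # {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}

# Constructed signature table (assumption for the example): (kind, marker, anchored).
# Anchored markers must start the blob; the rest are searched in the first 512 bytes.
SCRIPT_SIGNATURES = (
    ("jse", b"#@~^", True),                 # Windows Script Encoder (JScript.Encode) header
    ("exe", b"MZ", True),
    ("lnk", b"L\x00\x00\x00\x01\x14\x02\x00", True),
    ("hta", b"<hta:application", False),
    ("hta", b"<script", False),             # HTML/HTA with inline script
    ("wsf", b"<job", False),                # Windows Script File
    ("cmd", b"@echo off", False),
    ("vbs", b"wscript.", False),
)


def extract_embedded_files(blob: bytes) -> List[bytes]:
    """Carve every FileDataStoreObject payload out of a .one byte string."""
    files: List[bytes] = []
    pos = 0
    while True:
        idx = blob.find(FILE_DATA_HEADER, pos)
        if idx < 0:
            break
        meta = idx + len(FILE_DATA_HEADER)
        if meta + 20 > len(blob):
            break
        (length,) = struct.unpack_from("<Q", blob, meta)  # cbLength
        start, end = meta + 20, meta + 20 + length
        if length == 0 or end > len(blob):
            pos = meta              # malformed/truncated object: skip this marker
            continue
        files.append(blob[start:end])
        pos = end
    return files


def classify(data: bytes) -> str:
    """Cheap content sniffing for the payload kinds seen dropped from OneNote lures."""
    head = data[:512].lower()
    for kind, marker, anchored in SCRIPT_SIGNATURES:
        if anchored and data.startswith(marker):
            return kind
        if not anchored and marker.lower() in head:
            return kind
    return "unknown"


def triage_onenote(blob: bytes) -> List[Tuple[str, int, str]]:
    """Return (kind, size, sha256) for each embedded file; 'unknown' means no script marker matched."""
    return [(classify(f), len(f), hashlib.sha256(f).hexdigest()) for f in extract_embedded_files(blob)]


def _wrap(data: bytes) -> bytes:
    """Build one FileDataStoreObject around data (used only to construct the sample)."""
    return FILE_DATA_HEADER + struct.pack("<Q", len(data)) + b"\x00" * 12 + data + FILE_DATA_FOOTER


# Constructed sample: a minimal .one-like blob holding an HTA, an encoded JScript
# stub and a benign PNG header. Real lures embed the script alongside an image
# that asks the user to double-click it.
HTA_PAYLOAD = (b'<html><head><hta:application id="x" windowstate="minimize"/></head>'
               b'<script language="VBScript">Set o=CreateObject("WScript.Shell")</script></html>')
JSE_PAYLOAD = b"#@~^KAAAAA==lKAA^#~@"
PNG_PAYLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_ONENOTE = ONE_FILE_MAGIC + b"\x00" * 32 + _wrap(HTA_PAYLOAD) + _wrap(JSE_PAYLOAD) + _wrap(PNG_PAYLOAD)

if __name__ == "__main__":
    for kind, size, digest in triage_onenote(SAMPLE_ONENOTE):
        flag = "SUSPICIOUS" if kind != "unknown" else "ok"
        print(f"{flag:10} {kind:8} {size:6d} bytes  sha256={digest[:16]}...")
```

Carving by wrapper GUID rather than parsing the OneNote object tree is deliberate: it works on corrupted or deliberately malformed files, which is exactly what a mail gateway or sandbox sees. The content sniffing is intentionally loose (a lowercase search of the first 512 bytes), so treat a hit as a reason to detonate or quarantine, not as a final verdict, and extend the signature table with whatever the current campaign is dropping.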
Bad Magic is an APT campaign tied to the Russo-Ukrainian conflict that delivers a modular malware stack: a ZIP arrives via a phishing-like lure and contains a malicious LNK that leads to an MSI dropper. The operation unfolds as PowerShell-based loaders and a P…
JFrog Security Research uncovered a sophisticated NuGet-based campaign targeting .NET developers, employing typosquatting and deceptive metadata to push a PowerShell-based dropper that downloads a second-stage Impala payload. The attack demonstrates how NuGet …
Lazarus’ FudModule subverts kernel protections by leveraging a vulnerable Dell driver to elevate to ring 0 and tamper with telemetry data streams to hide its activities. The article also outlines practical, detection-focused strategies such as monitoring ETW d…
Uptycs Threat Research Team uncovered HookSpoofer, a new C#-based infostealer spread via bundlers that includes keylogging and clipper capabilities and exfiltrates stolen data to a Telegram bot. It’s inspired by StormKitty and uses in-memory loading of a hidde…
Check Point Research provides an in-depth analysis of the dotRunpeX injector and its evolution, detailing both the old and new versions and how they are protected by virtualization (KoiVM) and obfuscation (ConfuserEx). The report explains how dotRunpeX acts as…