BianLian continues to operate and expand its victim list while shifting its monetization from encrypting files to data-leak extortion, with tailored threats aimed at pressuring targets. The group maintains a Go-based backdoor for remote access and operates a r…
Category: Threat Research
Sophos X-Ops observed continued exploitation of Microsoft Exchange servers using the OWASSRF chain that leverages CVE-2022-41080 and CVE-2022-41082 to achieve ProxyShell/ProxyNotShell-style access. The campaigns targeted high-profile entities such as Rackspace…
Winter Vivern is investigated by SentinelLabs with observations from the Polish CBZC and Ukraine CERT, revealing a new wave of espionage campaigns linked to pro-Russian objectives. The APT targets governments and private entities globally, using tailored lures…
An in-depth look at APT-C-36 campaigns shows ties to Hagga/Aggah and documents a five-stage infection chain that ends with NjRAT/LimeRAT, including memory-resident techniques and evolving C2 infrastructure. The analysis highlights spearphishing with OLE-trigge…
Cisco Talos has identified a new espionage actor named YoroTrooper active since at least June 2022, targeting CIS governments, embassies, an EU health care agency, and WIPO. The group uses Python-based information stealers, commodity RATs (AveMaria/Warzone, …
CatB ransomware uses MSDTC DLL hijacking to drop and load its payload, then encrypts files while attempting to steal browser data and credentials. It employs sandbox evasion, DLL injection, and service abuse to survive analysis and deliver its ransom demands, …
In part one on North Korea’s UNC2970, we covered UNC2970’s tactics, techniques and procedures (TTPs) and tooling that they used over the course of multiple intrusions. In this installment, we will focus on how UNC2970 utilized Bring Your Own Vulnerable Device (BYOVD) to further enable their operations.
During our investigation, Mandiant consultants…
Since June 2022, Mandiant has been tracking a campaign targeting Western Media and Technology companies from a suspected North Korean espionage group tracked as UNC2970. In June 2022, Mandiant Managed Defense detected and responded to a UNC2970 phishing campaign targeting a U.S.-based technology company. During this operation, Mandiant observed UNC2970 leverage…
Juniper Threat Labs analyzes email traffic to reveal how malicious files propagate via attachments, macros, and exploits, based on a random sample of one million files from 2022. The findings show that most malicious files are first-stage downloads, often deli…
The article analyzes Fortinet FortiOS vulnerability FG-IR-22-369 (CVE-2022-41328) and its targeted exploitation of FortiGate and FortiManager devices, revealing multiple IoCs and several malware components used for persistence and control. The findings indicat…
MedusaLocker ransomware operates via RDP vulnerabilities and phishing, evolving into a RaaS model where developers and affiliates share profits from encrypted victims. It targets healthcare, education, and government sectors worldwide, using a sophisticated ch…
Silicon Valley Bank’s collapse in March 2023 heightened risks for startups and the broader fintech ecosystem, attracting threat actors who exploited the event with crypto-focused phishing campaigns. CRIL (Cyble Research & Intelligence Labs) identified suspicio…
A malicious Chrome extension marketed as “Quick access to Chat GPT” (FakeGPT) hijacks the browser context to steal session cookies, harvest Facebook business/ad account data via the Graph API, and exfiltrate that data to attacker-controlled worker domains befo…
Securonix Threat Labs highlights five persistent ransomware IOCs used to inhibit system recovery: vssadmin (shadow copy deletion), WMI/wmic (shadow copy deletion), wbadmin (delete backups), bcdedit (disable recovery), and PowerShell (shadow copy deletion). The…
Microsoft Threat Intelligence tracks DEV-1101 (now Storm-1101) for developing and promoting an open-source AiTM phishing kit that enables high-volume campaigns and MFA bypass via reverse-proxy session hijacking. The post details the tool, its campaign workflow…