NOBELIUM (APT29) has launched a targeted EU campaign aimed at governments assisting Ukraine, utilizing geopolitically themed lure content tied to Poland’s diplomatic activity. The operation combines weaponized HTML/ISO dropper techniques and Notion-based C2 th…
Category: Threat Research
ASEC (AhnLab Security Emergency Response Center) reports Mallox ransomware distribution in Korea, targeting vulnerable MS-SQL servers. The malware disguises as a DirectPlay-related program, downloads a Base64-encoded DLL, uses PowerShell and process injec…
ESET linked a campaign to the Tick APT group targeting an East Asian data-loss prevention (DLP) software developer, where attackers trojanized installers and compromised update servers to spread malware to the company’s customers. The operation involved Shadow…
Netskope Threat Labs observed a 17x increase in traffic to malicious pages hosted on DigitalOcean, driven by new campaigns of tech support scams mimicking Windows Defender and by phishing pages targeting financial institutions and webmail users.…
Volexity describes how the AVBurner tool (attributed to the SnakeCharmer/Earth Longzhi actor) disables EDR/AV by patching Windows kernel process-creation callback entries so security drivers appear loaded but are neutered. The post shows how to detect this tam…
Prometei v3 continues to evolve with updated execution-chain modules, self-updating capabilities, and a bundled Apache webserver with a PHP web shell, expanding both Windows and Linux variants. The threat remains financially driven, targeting a wide global vic…
Emotet malware activity has resumed, delivering non-password-protected ZIP attachments containing Office documents with macros that download and execute the Emotet DLL. Modern Emotet can be used for ransomware, DDoS, and credential theft, and can spread across…
A detailed look at a Mirai payload generator shows how Linux devices were being abused to deliver Mirai payloads across multiple architectures using web, FTP, and TFTP services. The post also describes a backdoor created via a rogue root account and multi-arch…
A CHM-based malware campaign attributed to the Kimsuky group has been identified, delivered via password-protected email attachments disguised as North Korea-related interview requests to exfiltrate user data. The malware uses a shortcut object to execute comm…
A new ATM malware variant named FiXS has been identified by Metabase Q, targeting Mexican banks and other LATAM institutions by leveraging a vendor-agnostic approach to ATM XFS middleware and an external keyboard for its criminal operators. The malware uses a …
Lumen Black Lotus Labs discovered the “Hiatus” campaign that compromises business-grade DrayTek Vigor routers to deploy HiatusRAT and a tcpdump variant, enabling remote access, SOCKS5 proxying, and packet capture. Lumen observed ~100 infected routers (primaril…
Mandiant, with SonicWall PSIRT, identifies a suspected Chinese campaign that maintains long-term persistence by running malware on an unpatched SonicWall SMA appliance, with capabilities to steal credentials, provide shell access, and survive firmware upgrades…
ASEC reports Netcat-laced campaigns targeting poorly managed MS-SQL servers, leveraging multiple tools (including Cobalt Strike, RasmanPotato, Stowaway, and SharpDecryptPwd) to gain control, escalate privileges, and move laterally. The operation employs LOLBin…
BatLoader continues to abuse Google Search Ads to deliver Vidar Stealer and Ursnif by masquerading as legitimate software and using Windows Installer and Python-based loaders to fetch and run payloads. The campaign also impersonates popular apps (ChatGPT, Zoom…
GoBruteforcer is a Golang-based botnet that targets web servers running phpMyAdmin, MySQL, FTP, and Postgres, using CIDR-range scanning and brute-force login to gain access. It then deploys an IRC-based C2 bot, a web shell, and persists via cron, with ongoing …