ASEC reports the PlugX backdoor being installed through Sunlogin and AweSun remote control software via their remote code execution vulnerabilities, using a multi-stage dropper and DLL side-loading to decrypt and load PlugX in memory. The campaign links to Chi…
Category: Threat Research
Cyble researchers describe BlackSnake, a Chaos ransomware-derived variant that integrates a clipper module to steal cryptocurrency addresses and supports affiliate-driven deployment. The malware uses language checks, process and directory discovery, registry-b…
IceFire re-emerges with a Linux variant that targeted enterprise networks, expanding beyond its previous Windows focus. It exploits a deserialization vulnerability in IBM Aspera Faspex (CVE-2022-47986) to drop and execute a Linux payload that encrypts files an…
Fortinet FortiGuard Labs tracked the 8220 Gang’s use of ScrubCrypt to obfuscate and encrypt payloads and deliver a Monero-mining operation via a WebLogic vulnerability. The operation combines PowerShell-based loading, in-memory execution, registry-based persis…
Zscaler ThreatLabz analyzed Nevada, a Rust-based variant of Nokoyawa ransomware, noting strong code similarities across Nokoyawa versions and two parallel branches in different languages. The findings describe hardcoded and CLI-configured encryption, shadow-co…
Trellix researchers document Qakbot’s evolution to OneNote-based malware distribution, showing how OneNote attachments deliver a loader DLL and the main Qakbot payload across multiple campaigns. The report also covers how…
Fortinet’s FortiGuard Labs’ Ransomware Roundup highlights two notable variants, Sirattacker and ALC, detailing their execution methods, ransom notes, and observed activity, including Bitcoin wallet interactions associated with the Sirattacker actor. The report…
GlobeImposter ransomware is being distributed by MedusaLocker actors, with evidence suggesting the RDP vector facilitates initial access. The operation deploys Mimikatz and port scanners among other tools to map networks, exfiltrate credentials, and extend the…
Check Point Research traces the evolution of Sharp Panda tools into a newer Soul malware framework used against Southeast Asian government entities, culminating in late-2022 activity that loaded the Soul modular backdoor. The report links these campaigns to a …
Bitdefender Antispam Labs warns of a fresh phishing campaign that uses a copycat ChatGPT platform to swindle eager investors. The scam targets several countries, leveraging unsolicited emails, a fake investment platform, and a call-center style operation to ha…
Unit 42 researchers uncover a LokiBot distribution campaign delivered via business email compromise (BEC) phishing emails, with an ISO payload that ultimately drops LokiBot. The analysis covers the loader and obfuscation, a persistence mechanism, and an HTTP-b…
WhiteSnake is a cross-OS infostealer targeting Windows and Linux, offering multi-channel data theft capabilities and ongoing updates via threat actors. It exfiltrates collected data through a Telegram bot and is marketed with a MAAS-style model; the Linux vers…
Sysdig’s Threat Research Team uncovered SCARLETEEL, a sophisticated cloud-attack operation that started in a Kubernetes pod and escalated into AWS to steal proprietary software and credentials. The operation leveraged Terraform state and AWS services to move l…
LOCKBIT claimed to have compromised IL&FS in February 2023 and began a triple-extortion leak wave, threatening data deletion if demands weren’t met. The report covers the LOCKBIT Green variant, leaked data samples, and practical cybersecurity recommendations. …
Threat actors are abusing OneNote’s embedded files feature in phishing campaigns by hiding and executing payloads behind embedded pictures. The article explains how this technique works, how to detect it with YARA rules, and how Microsoft blocks many of these …