Older malware can still pose a threat, as FortiGuard Labs documents a renewed MyDoom campaign that uses aged tools in new phishing lures and C2 techniques. The campaign deploys UPX-packed payloads, masquerades as legitimate Windows processes, and relies on rot…
Category: Threat Research
MQsTTang is a new Mustang Panda backdoor that uses MQTT for C2 and operates as a single-stage, minimally obfuscated tool. The campaign targets government and diplomatic entities, employs spearphishing distribution with decoy filenames, and includes anti-analys…
Trend Micro’s Managed XDR team uncovered a spear-phishing campaign targeting hospitality staff that delivers RedLine Stealer via oversized multi-stage payloads. The operation uses Dropbox/Bitly links, a PowerShell-based loader chain, and WMI-based data exfiltr…
CYFIRMA analyzes EXFILTRATOR-22, a new post-exploitation framework marketed via Telegram and YouTube with anti-analysis capabilities and an affiliate model. The actors use domain fronting and CDN infrastructure to conceal C2 traffic and promote a subscription-…
FortiGuard Labs describes a new LockBit ransomware campaign that uses a multi-stage, defense-evasion approach to bypass AV/EDR, including .img containers, UAC bypass, and auto-login persistence. The campaign targets Spanish-speaking firms in Mexico and Spain, …
BlackLotus is a real UEFI bootkit that bypasses Secure Boot on up-to-date Windows 11 systems and establishes persistence via a MOK enrollment, delivering a kernel driver and HTTP downloader to fetch additional payloads. It exploits CVE-2022-21894, uses self-si…
Microsoft OneNote is increasingly used as a carrier to deliver malware via phishing attachments, exploiting benign file formats to bypass defenses. The piece traces its evolution, highlights sample campaigns and loader stages, and outlines layered defenses org…
Trend Micro’s report details Iron Tiger’s update to SysUpdate, adding Linux-targeting capabilities and new C2 features, including DNS-based communication. It also notes hardened loading techniques, signed binaries abuse, and a lure using a chat application, in…
Blind Eagle (APT-C-36) targeted Colombia and nearby Latin American entities with spear-phishing PDFs impersonating the DIAN tax authority to deploy a multi-stage infection chain, culminating in AsyncRAT payloads hosted via Discord. The campaign uses in-memory …
ThreatLabz analyzes the Snip3 Crypter, a multi-stage RAT loader offered as a crypter-as-a-service, which deploys new TTPs to deliver DcRAT and QuasarRAT across multiple industries via spear-phishing. The campaigns repeatedly evolve techniques to evade detectio…
Microsoft OneNote is becoming a growing vector for malware delivery, as threat actors embed malicious payloads in OneNote documents distributed via phishing emails and other deceptive tactics. Across multiple case studies, attackers use obfuscation and scripti…
Unidentified threat actor(s) have deployed MortalKombat ransomware alongside a Go variant of Laplas Clipper in a financially motivated campaign since December 2022, using phishing and an automated loader to drop payloads. The operation also leverages RDP scann…
Threat actors are weaponizing ChatGPT’s popularity to spread malware and phishing campaigns across Windows and Android, using fraudulent pages and typosquatted domains to lure victims into downloading malicious payloads. The campaigns distribute stealer malwar…
Trend Micro’s MxDR team found x32dbg.exe, a legitimate Windows debugger, being used to sideload a PlugX variant via DLL Search Order Hijacking. The operation establishes persistence across multiple locations, uses scheduled tasks and Run keys, and culminates i…
Blackfly (also known as APT41, Winnti Group, Bronze Atlas) continues targeting Asia, focusing on the materials and composites sector and hitting two subsidiaries of an Asian conglomerate to steal intellectual property. Researchers detail a late-2022 to early-2…