An ISC SANS diary documents an IcedID (Bokbot) infection that uses .url and WebDAV to fetch and run its payload, including a 64-bit DLL retrieved from mandalorecnote.com. The report catalogs the WebDAV activity, the payload delivery chain, and the IOCs and inf…
Category: Threat Research
TA569 operates a prolific injection-based operation delivering SocGholish and other payloads, functioning as an initial access broker and potentially a pay-per-install service. The campaigns rely on diverse injections, Traffic Distribution Services, and reinfe…
Publicly released PoC for CVE-2022-39952 in FortiNAC enables threat actors to perform arbitrary file writes and potentially deploy web shells on vulnerable systems. The article highlights exposed FortiNAC instances, affected versions, and urges timely patching…
Team Cymru tracks infrastructure linked to the IcedID threat, revealing a Chilean IP involved in accessing IcedID BackConnect/C2 activity and related DNS services. The findings show a network of domains, VPN usage, and tools frequently associated with IcedID o…
Securonix Threat Labs details multiple PowerShell methods attackers use to hide invoke-expression (IEX) execution, including string splitting, character substitution, variable extraction, wildcard “globfuscation”, reordering, DNS TXT retrieval, and XOR-encoded…
Magniber has relaunched its campaign by delivering MSI installers through Edge and Chrome, after shifting away from the old IE vulnerability. It uses a loader that injects Magniber into user processes, persists via Run registry keys, and downloads a new instan…
A hitherto unknown attack group named Clasiopa was observed targeting a materials research organization in Asia, wielding a distinct toolset that includes a custom backdoor (Atharvan). The operation exhibits multiple defense-evading and data-exfiltrating techn…
ESET researchers analyzed Wslink and its WinorDLL64 payload, a backdoor that loads in-memory modules and communicates over an existing Wslink connection. The backdoor collects extensive system information, manipulates files, and executes commands, with Lazarus…
Bitdefender Labs observed a global wave of opportunistic attacks exploiting CVE-2022-47966 in ManageEngine products, with 2,000–4,000 internet-facing servers potentially vulnerable. The advisory documents four attack clusters (Initial Access Brokers, Buhti Ran…
Checkmarx researchers uncovered a mass-spam campaign in the NPM ecosystem where automated processes published thousands of malicious packages that link to phishing campaigns. The operation involved automated package creation, masquerading as legitimate entries…
Rhadamanthys is a two-component information stealer consisting of a loader and a main module that exfiltrates credentials from KeePass, browsers, VPN clients, chat apps and cryptocurrency wallets. It employs VM-based obfuscation, a custom embedded file system,…
Stealc is a copycat information stealer advertised by Plymouth, drawing on Vidar, Raccoon, Mars and Redline. Sekoia.io analyzes its features, C2 communications, infection chain, and ongoing development, noting its rapid uptake among cybercriminals. #Stealc #Vi…
HardBit 2.0 is a ransomware variant observed from late 2022 that encrypts data after stealing sensitive information, with the operators negotiating the ransom rather than demanding a fixed bitcoin amount. It combines data theft, encryption, and multiple defense-evading and persistence …
Qakbot (QBot) is spread through multiple OneNote- and script-based channels, including OneNote attachments, WSF/JS/JSE/HTA paths, and HTML applications, each delivering a DLL payload that is executed via Rundll32 and often injected into processes. The campaign…
Royal ransomware has expanded its targets to Linux-based ESXi servers, introducing a Linux variant that encrypts files on virtualization hosts. The analysis outlines how the Linux variant uses ESXi tooling and traditional encryption (AES/RSA) to disrupt data c…