8220 Gang is a low-skill crimeware actor known for infecting cloud hosts via SSH brute forcing and exposed services. The article walks through an educational SOC investigation of the group’s infection script, payloads, and infrastructure to help analysts track…
Category: Threat Research
Researchers from ReversingLabs found a surge of malicious PyPI packages masquerading as HTTP libraries, using typosquatting and deceptive naming to distribute downloaders and info stealers. The campaign shows how open-source repositories continue to be abused …
HardBit 2.0 is a ransomware variant observed from late 2022 that encrypts data after stealing sensitive information, negotiating the ransom with victims rather than demanding a fixed bitcoin amount. It combines data theft, encryption, and multiple defense-evading and persistence …
Qakbot (QBot) is spread through multiple OneNote- and script-based channels, including OneNote attachments, WSF/JS/JSE/HTA paths, and HTML applications, each delivering a DLL payload that is executed via Rundll32 and often injected into processes. The campaign…
Royal ransomware has expanded its targets to Linux-based ESXi servers, introducing a Linux variant that encrypts files on virtualization hosts. The analysis outlines how the Linux variant uses ESXi tooling and traditional encryption (AES/RSA) to disrupt data c…
A new threat cluster has been targeting telecommunication providers in the Middle East and abusing Microsoft, Google and Dropbox cloud services.
DarkCloud Stealer is a multi-stage information-stealer that can exfiltrate data via SMTP, Telegram, Web Panel, and FTP, and is distributed through spam campaigns with a customizable builder for grabber and clipper features. Researchers observed a rise in DarkC…
Two office-document threat vectors are described: attackers are moving from VBA macros to malicious Microsoft Office Add-ins, specifically XLLs, to deliver payloads. The article details a Raccoon Stealer V2 campaign that uses obfuscated .NET installers loaded …
Hydrochasma targets medical laboratories and shipping organizations in Asia in an intelligence-gathering campaign that relies on publicly available tools and living-off-the-land techniques. The operation, active since October 2022, appears focused on informati…
First introduced in July 2022, Icarus Stealer is an infostealer that uses an hVNC capability to create a hidden desktop for covert navigation on infected machines. It packs a wide range of features (2FA bypass, rootkit, macros, VBS payloads, CCleaner, Bot Kill…
Security researchers warn of a widespread ESXiArgs ransomware campaign exploiting CVE-2021-21974 in VMware ESXi, with warnings issued starting February 3. SecurityScorecard’s STRIKE and ASI analyses reveal affected ESXi versions and IPs involved in potential e…
Redline Stealer has re-emerged with new TTP and detection findings, detailing its infection chain, data-theft capabilities, and persistence mechanisms. The article outlines how the malware spreads, what data it targets, and the indicators that security teams can …
FortiGuard Labs’ ransomware roundup analyzes CatB, detailing its Windows-focused dropper, DLL sideloading, anti-analysis checks, and a high ransom demand. It also covers infection methods, payload behavior, and Fortinet protections and guidance. #CatB #FortiGu…
Security researchers report that the BlackCat ransomware group briefly claimed an attack on a major U.S. electronic health record (EHR) vendor, but the entry disappeared within days. STRIKE analysis links possible BlackCat activity to its ExMatter/Fendr exfilt…
EclecticIQ analyzes three cases of cyberattacks likely linked to the Gamaredon APT group, targeting the Security Service of Ukraine, Culver Aviation, and Latvian/NATO allies with phishing, HTML smuggling, and CVE-2017-0199 Word exploits. The report notes overl…