A WordPress ad-fraud operation abuses a backdoored plugin named fuser-master to turn dozens of blogs into fraud machines that load and refresh ads via a hidden popunder flow triggered by a special entrypoint URL. The plugin simulates human browsing (scrolling,…
Category: Threat Research
Brute Ratel, a Red Team framework, has been abused by attackers including APT29 to conduct cyber intrusions, with methods such as ISO-delivered LNK files used for DLL sideloading of version.dll. The article also details the framework’s technical underpinnings,…
Trend Micro researchers attribute a new backdoor to the Earth Kitsune threat group, delivered via a watering hole operation and social engineering. The campaign blends patched installers, Chrome native messaging persistence, ECC-based cryptography for C2, and …
DarkBit is a new ransomware strain that targeted Technion in Israel, encrypting files and demanding a Bitcoin ransom. The group uses a branded onion site and social media to publicize the attack and promote geopolitical messaging. #DarkBit #Technion #Onion #To…
Earth Yako is an intrusion set linked to Operation RestyLink/EneLink, with newly observed TTPs and infrastructure for cyberespionage against Japanese researchers and think tanks (also some Taiwan targets). The campaign features multiple malware families (Mirro…
GlobeImposter has spanned multiple campaigns and rebrands, with the TZW ransomware identified as a new variant that shares infrastructure and techniques with GlobeImposter. The findings show shared onion-based victim port…
ASEC analyzed RedEyes (ScarCruft/APT37) activity in Korea, revealing the group’s use of the Hangul EPS vulnerability CVE-2017-8291 to spread malware via steganography and a new M2RAT backdoor that employs shared memory for C2. The operation combines persistenc…
The ESXiArgs ransomware campaign exploited CVE-2021-21974 via the OpenSLP service to remotely execute code on exposed ESXi servers. VMware patched the vulnerability in early 2021, while Trellix details how attackers probe the internet for unpatched systems, en…
Morphisec identifies a highly evasive ProxyShellMiner campaign that leverages ProxyShell flaws to gain access to Windows Exchange servers and deploys a multi-stage coin-mining operation across an organization. The campaign uses domain-wide persistence, obfusca…
DarkBit ransomware targeted a large Israeli university with politically motivated aims, and Cyble Research and Intelligence Labs analyzed its Go-based binary, encryption behavior, and public messaging around motives. The attackers’ ransom note, Twitter bio, an…
Paradise ransomware is being distributed via exploitation of the AweSun vulnerability, with the same actors previously linked to Sunlogin-related BYOVD and Sliver C2 campaigns. The attackers use AweSun-generated cmd/PowerShell to install DP_Main.exe, encrypt f…
Mirai variant V3G4 emerged in 2022, leveraging numerous vulnerabilities to propagate across Linux-based IoT devices and convert them into a botnet capable of DDoS and other attacks. It uses hardcoded C2 domains, XOR-based decryption, string encryption, and a s…
Zscaler ThreatLabz researchers analyzed a government-targeting campaign that uses Havoc, an open-source post-exploitation C2 framework, to blend evasive techniques with multi-stage delivery and execution. The operation leverages a downloader chain, a signed sh…
SecurityScorecard’s STRIKE Team investigates a ransomware incident affecting a major U.S. city housing authority and concludes with moderate confidence that the event involved ransomware, despite past false claims by LockBit. The analysis ties activity to a kn…
Bitdefender researchers describe opportunistic threat actors abusing CVE-2021-21974 to target VMware ESXi, leveraging OpenSLP (port 427) for pre-auth remote code execution and deploying ESXiArgs ransomware against VM files. The advisory covers attack patterns,…