Cyble Research & Intelligence Labs (CRIL) highlights a spike in fake donation schemes exploiting the Turkey–Syria earthquake, where scammers impersonate charities to harvest personal data and funds. The attackers host phishing sites, redirect victims to legiti…
Category: Threat Research
Bitsight profiles Mylobot, a proxy botnet that turns infected hosts into proxies controlled by a C2, with a downloader that expands the network via WillExec and links to BHProxies. The operation features extensive hardcoded and encrypted domain lists, large DN…
Huntress linked a February 2023 GoAnywhere MFT-related intrusion to a zero-day vulnerability and a Truebot-like post-exploitation activity, leading to a mitigation before a ransomware event could unfold. The effort highlighted how certutil and rundll32 were us…
ASEC reports that attackers are leveraging a Gnuboard 4-based site to host fake Kakao and Naver login pages aimed at credential theft. Attribution points to the Kimsuky group, noting deceptive links and autocompletion behavior designed to trap users. #Kimsuky …
Dalbit (Moonlight) is a threat group tracked by AhnLab’s ASEC, which has conducted 50+ attacks against Korean companies since 2022 using open-source tools, WebShells, and proxy-based C2 infrastructure through *.m00nlight.top. The operation progresses from init…
ReversingLabs identified aabquerys, a malicious npm package that downloads second- and third-stage malware payloads onto systems that have installed and run it. This incident highlights growing open source supply chain risks in npm, PyPI, and GitHub…
AsyncRAT is being distributed through Windows Compiled HTML Help (CHM) files, with a multi-stage chain that downloads and executes payloads via mshta, VBScript, and HTA. The campaign culminates in a fileless AsyncRAT deployment featuring anti-VM, keylogging, and screenshot c…
Malicious Google Ads were used to promote AWS credential phishing pages, delivered through a multi-hop redirection chain that ends at a legitimate AWS login page. The operation includes a proxy Blogspot page, anti-analysis JavaScript, and Brazil-linked infrast…
HTML smuggling is a rising method used by criminals to deliver malware via HTML attachments and archives masquerading as legitimate brands. The Trustwave SpiderLabs piece catalogs campaigns by Qakbot, IcedID, Cobalt Strike, and Xworm that abuse HTML smuggling …
The advisory outlines ongoing DPRK state-sponsored ransomware activity targeting Healthcare and Public Health Sector organizations and other critical infrastructure, detailing TTPs, IOCs, and cryptocurrency ransom payments. It also describes how actors acquire…
NewsPenguin, a previously unknown threat actor, targeted organizations in Pakistan using spear-phishing tied to the Pakistan International Maritime Expo & Conference (PIMEC-2023) and delivered a multi-stage payload. The final espionage tool is XOR-encrypted wi…
ASEC’s analysis reveals Quasar RAT being distributed via a private Home Trading System (HTS) called HPlus, used by illicit investment groups to lure victims and install malware. The campaign shows HTS masquerading as legitimate investment services, delivering …
ESXiArgs is a ransomware variant that targeted exposed ESXi hypervisors by exploiting CVE-2021-21974 via OpenSLP to deploy a Python-based backdoor and a web shell. The campaign encrypts virtual machine data using RSA and Sosemanuk, overwrites ransom notes on t…
SentinelLabs documented the first Linux ELF variant of Cl0p ransomware, which includes a flawed encryption routine that can decrypt files without paying. A free decryptor for this Linux variant was released by SentinelLabs. Hashtags: #Cl0p #Cl0pELF #Linux #Sen…
Proofpoint tracks a new financially motivated threat actor cluster, TA866, linked to the Screentime activity that uses custom tools WasabiSeed and Screenshotter to gather victim information via screenshots before deploying additional payloads. The operation le…