SentinelLabs detected a cluster of virtualized .NET loaders, named MalVirt, distributed via malvertising to deliver Formbook/XLoader infostealer payloads. The loaders use KoiVM-based virtualization and anti-analysis techniques, rely on a Windows Process Explor…
Category: Threat Research
Threat actors are increasingly using OneNote attachments in spam campaigns to deliver Qakbot and other malware families. The infection chain drops an HTA loader via mshta, downloads a Qakbot DLL, and then executes it, enabling credential theft and lateral move…
EclecticIQ details Mustang Panda’s campaign against government and public-sector targets in Asia and Europe, delivering a modified PlugX variant via malicious ISO images embedded with LNK shortcuts and employing DLL hijacking, in-memory loading, and a multi-st…
An ASEC analysis uncovers a malicious LNK file disguised as a normal HWP document, bundled with a text file impersonating the National Tax Service. The attack chain uses PowerShell to run payloads, iterates through multiple VBScript/Batch components, and exfil…
Trend Micro analyzes a December 2022 campaign attributed to APT34, deploying a new .NET backdoor (MrPerfectInstaller) to steal credentials and exfiltrate data via compromised mailbox accounts. The attackers leverage Microsoft Exchange Web Services to relay sto…
HeadCrab is a novel, memory-resident Redis malware that has quietly compromised Redis servers worldwide since 2021, forming a botnet of at least 1,200 servers. It loads a custom Redis module via SLAVEOF/master replication, operates entirely in memory to evade …
Proofpoint researchers report a rising trend of malware delivery via OneNote attachments in email campaigns from December 2022 to January 2023, spanning multiple threat actors and broad targets. End users must interact with embedded OneNote content to execute …
The ASEC analysis tracks CoinMiners targeting Korean and overseas users, detailing cases of Ethereum Classic mining and related tooling. It covers distribution methods (Discord, dnSpy disguises), involved malware families, wallet addresses, and the broader tre…
Unit 42 researchers describe a machine learning pipeline that analyzes memory-based artifacts from a hypervisor-based sandbox to detect evasive malware like GuLoader. The article discusses limitations of static and sandbox analysis and demonstrates how memory-…
Rapid7 observed attackers using Microsoft OneNote to deliver base64-encoded payloads that decrypt to Redline Infostealer or AsyncRat, via a multi-stage chain starting with a phishing OneNote attachment. The analysis details how a hidden batch script launches a…
VectorStealer is an information-stealer capable of harvesting data from browsers, chat apps, and .rdp session files, enabling threat actors to perform RDP hijacking and remote access. It is sold via a web panel and Telegram channel, uses the KGB Crypter and Ko…
INKY uncovered a widespread Southwest Airlines credential harvesting phishing campaign that uses newly created domains to lure victims via a fake survey and gift-card offer. The scam escalates from impersonation and enticing branding to a credential-harvesting…
IcedID has shifted from email-based delivery to drive-by infections delivered via Google Search Ads that target common enterprise applications. The TRU team explains how ads, cloaking, and a Cobalt Strike foothold are used to compromise endpoints and deliver I…
Magniber is a ransomware family that exploits a wide range of public-facing vulnerabilities and uses layered execution, evasion, and delivery techniques to encrypt targeted files. It also employs typosquatting, fake installers, and signature bypass methods to …
FortiGuard Labs tracked a campaign using malicious Excel VBA macros (OLE Compound File) to cryptojack Windows systems for Monero. The attackers deliver a .NET payload, load a miner via process hollowing, and maintain persistence through Task Scheduler while ex…