Secureworks CTU researchers link Moses Staff and Abraham's Ax as likely the same operator tied to COBALT SAPLING, based on similarities in iconography, videos, and leak-site infrastructure. The groups share multilingual WordPress leak sites, near-identical bra…
Category: Threat Research
Resecurity identifies Nevada Ransomware as a relatively new ransomware family with an active affiliate platform on the RAMP underground. It operates a Windows and Linux/ESXi locker, supports post-exploitation workflows, and uses a TOR-based affiliate portal to…
TrickGate is a transformative, shellcode-based packer-as-a-service that has been used to conceal malware from security tools since 2016 and has wrapped a wide range of threats, including Cerber, Trickbot, Maze, and Emotet. The packer's core building blocks: shellcode loader, …
BlueBravo is a threat group linked to Russian APT activity (APT29/NOBELIUM and the SVR) that deployed GraphicalNeutrino via a compromised-site lure themed around ambassadors. It also increasingly uses legitimate Western services such as Notion for C2 to blend malware…
Infostealer was the leading malware category in the Jan 16–22, 2023 period, accounting for 43.0% of samples, followed by downloader (30.06%) and backdoor (19.9%). The report highlights BeamWinHTTP, AgentTesla, Formbook, SmokeLoader, and Pony as top families, w…
Magniber is a ransomware family that exploits a wide range of public-facing vulnerabilities and uses layered execution, evasion, and delivery techniques to encrypt targeted files. It also employs typosquatting, fake installers, and signature bypass methods to …
The article explains how to reconstruct Gootloader registry payloads using off-host Python scripts and CyberChef workflows, as well as on-host PowerShell decoding. It also catalogs technical indicators, network signals, and YARA rules related to GOOTLOADER, FO…
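The off-host Python approach mentioned above, as an added illustration that is not the article's own script: a payload that has been split across numbered registry string values is recovered from a .reg export by ordering the chunks numerically (a lexical sort would place "Part10" before "Part2"), checking for gaps, and hex-decoding the joined data. The key path, the "PartN" value names, the hex encoding and the sample export are all assumptions constructed for this example; they are not Gootloader's actual storage layout, which the article documents.

```python
import re

# Constructed sample .reg export. Value names and data are made up for
# illustration; regedit lists values in lexical order, so "Part10" appears
# before "Part2", which is exactly the ordering trap the script handles.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Example\Stage]
"Part0"="4d"
"Part1"="5a"
"Part10"="00"
"Part2"="90"
"Part3"="00"
"Part4"="03"
"Part5"="00"
"Part6"="00"
"Part7"="00"
"Part8"="04"
"Part9"="00"
'''

# One exported REG_SZ value per line: "name"="data"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$', re.M)
# Chunk names are an assumed <prefix><decimal index> scheme.
CHUNK_RE = re.compile(r'^(?P<prefix>[A-Za-z_]+)(?P<index>\d+)$')


def parse_chunks(reg_text, prefix="Part"):
    """Return {index: hex_data} for every value named <prefix><N>."""
    chunks = {}
    for m in VALUE_RE.finditer(reg_text):
        cm = CHUNK_RE.match(m.group("name"))
        if cm and cm.group("prefix") == prefix:
            chunks[int(cm.group("index"))] = m.group("data")
    return chunks


def find_missing(chunks):
    """Indices absent from 0..max(index); an incomplete dump is a common cause
    of a payload that 'decodes' but will not run."""
    if not chunks:
        return []
    return [i for i in range(max(chunks) + 1) if i not in chunks]


def reassemble(chunks):
    """Join chunks in numeric order and hex-decode into the raw payload bytes."""
    missing = find_missing(chunks)
    if not chunks or missing:
        raise ValueError(f"incomplete chunk set, missing indices: {missing}")
    hexstr = "".join(chunks[i] for i in sorted(chunks))
    return bytes.fromhex(hexstr)


if __name__ == "__main__":
    payload = reassemble(parse_chunks(SAMPLE_REG))
    # Quick sanity check a practitioner would do before going further:
    # the constructed sample starts with an MZ header.
    print(len(payload), payload[:2])
```

With a real export, replace SAMPLE_REG with the file contents, set `prefix` to whatever naming the malware actually used, and apply any extra decoding layer the article describes after the hex step; the gap check matters because a single missing value silently shifts every byte that follows it.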
Security researchers at eSentire TRU unravel the operator behind Golden Chickens, badbullzvenom, connected to VENOM SPIDER, with links to FIN6, Cobalt Group, and Evilnum. The report details the malware's modular components, evolving campaigns, and defense recomm…
Realtek CVE-2021-35394 exploitation surged in 2022, with tens of millions of attempts targeting the Realtek Jungle SDK remote code execution vulnerability and a significant shift to delivering IoT malware. The campaign affected hundreds of device models across…
ASEC's weekly briefing analyzes phishing email threats from January 8–14, 2023, highlighting attachments as the main delivery method for Infostealer, FakePage, and other malware families, including OneNote (.ONE) extensions. It also outlines case distributions…
GuLoader is an advanced shellcode downloader that uses anti-analysis tricks to evade detection and hinder reverse engineering, and its campaign remains ongoing through 2022. Trellix observed threat actors increasingly delivering GuLoader via NSIS-based install…
Scammers impersonate recruiters to target job seekers amid tech layoffs, using fake postings, portals, and forms to harvest personal data and potentially extort victims. The campaign relies on newly registered domains, co…
Two agencies warn defenders about the malicious use of legitimate remote monitoring and management (RMM) software, showing how attackers abused tools like ScreenConnect (ConnectWise Control) and AnyDesk via phishing to steal funds and gain backdoor access. The…
Threat actors are increasingly using Go (Golang) to develop cross-platform information stealers, with Titan Stealer highlighted as a recent example. The article covers Titan Stealer's Go-based builder, its C2 infrastructure and dashboards, the data it collects…
Trend Micro researchers uncovered Mimic, a new ransomware that leverages the Everything tool's APIs to locate files for encryption and operates with multiple defense-evading capabilities. The malware appears linked to Conti-inspired tooling and dropped compone…