Unit 42 analyzes PlugX variants hidden on USB devices, detailing novel USB infection and hiding techniques as part of a broader Black Basta-related investigation. The findings show USB-based persistence, stealthy file hiding, and multiple PlugX variants linked…
Category: Threat Research
Kronos malware has reemerged with increased functionality and is now observed alongside ransomware, with activity reported in Mexico. IBM Security Trusteer warns the campaign could spread to North America and Europe, urging stronger email filtering and offline…
Rapid7 analyzes exploitation activity surrounding CVE-2022-47966, a pre-authentication RCE in ManageEngine on-premise products, noting public PoC code and ongoing compromises since January 2023. Organizations using affected products should patch and monitor fo…
Emotet has returned after a period of dormancy, expanding its toolkit with new evasion and propagation methods and heavily leveraging phishing campaigns to drop multiple payloads. It now features an SMB spreader for lateral movement, a Chrome data-stealer modu…
SentinelLabs tracks DragonSpark, a cluster of opportunistic East Asia–targeted attacks that leverage the SparkRAT open-source RAT and Golang-based runtime source-code interpretation to evade static analysis. The activity is attributed with high likelihood to a…
TA444 is a North Korea–sponsored threat actor that has tested a wide range of infection methods in 2022 and remains financially motivated, with a strong shift toward cryptocurrency-related theft. The group blends traditional APT techniques with a startup-like …
Trend Micro telemetry links Vice Society to manufacturing attacks and notes the group has evolved from using known ransomware variants to developing a custom ransomware builder, potentially hinting at a ransomware-as-a-service model. The group continues to emp…
HUMAN’s Satori Threat Intelligence and Research Team dismantled a sophisticated malvertising operation named VASTFLUX that injected JavaScript into ad creatives to stack multiple video players behind a single banner and fraudulently register views. The operati…
Huntress shares their take on the ConnectWise Control vulnerability discussions, arguing there was no demonstrated exploit at the severity level claimed and advocating for responsible disclosure and collaboration. They emphasize social engineering and phishing…
Analyst1 presents a human-centric examination of the LockBit operation, tracing its evolution from ABCD to LockBit Red/Black and detailing the personalities, inter-gang dynamics, and operational innovations behind one of the world’s most prolific ransomware or…
The article explains how attackers exploit jQuery and JavaScript to inject malicious code into legitimate websites, including disguising malware as legitimate jQuery plugins and stealing credentials through deceptive login forms. It also outlines an incident r…
Mandiant tracks a suspected China-nexus operation that exploited Fortinet FortiOS SSL-VPN CVE-2022-42475 as a zero-day, deploying a backdoor named BOLDMOVE on Windows and Linux and targeting internet-facing devices. The campaign highlights how such devices ena…
Cyble Research and Intelligence Labs document a rising Amadey bot campaign spreading via phishing sites and spam, acting as a downloader and loader for additional malware while stealing browser data and crypto wallet information. The campaign employs persisten…
Bitdefender researchers document ProxyNotShell/OWASSRF exploit chains targeting on-prem Microsoft Exchange, outlining how SSRF can lead to backend access and how multiple exploit chains culminate in RCE and payload deployment. The report also walks through rea…
Confiant reports a cookie-stuffing campaign by DatalyMedia that uses cloaking, hidden iframes, and multi-domain redirection to inflate ad conversions across programmatic platforms, with a Black Friday uptick. The analysis maps the actors, laundering traffic pa…