Huntress shares their take on the ConnectWise Control vulnerability discussions, arguing there was no demonstrated exploit at the severity level claimed and advocating for responsible disclosure and collaboration. They emphasize social engineering and phishing…
Category: Threat Research
Analyst1 presents a human-centric examination of the LockBit operation, tracing its evolution from ABCD to LockBit Red/Black and detailing the personalities, inter-gang dynamics, and operational innovations behind one of the world’s most prolific ransomware or…
Team Cymru analyzes Vidar’s evolving threat infrastructure, highlighting domain shifts, proxy configurations, and anonymization methods (including Tor and Hola VPN) that complicate analysis. The post also covers a two-tier management architecture, payload upda…
ASEC analyzed weekly malware statistics for Jan 9–15, 2023 using RAPIT, highlighting Downloader as the top category followed by Infostealer. The report details the leading families SmokeLoader, BeamWinHTTP, Formbook, AgentTesla, and Lokibot and their C2 infras…
FortiGuard Labs’ ransomware roundup analyzes CrySIS/Dharma variants and their ongoing evolution, highlighting how new versions continue to appear under different operators. It outlines infection vectors (exposed RDP and phishing), execution details (startup pe…
Cisco Talos analyzed LNK file metadata to track threat actors like Qakbot, Gamaredon, Bumblebee, and IcedID, showing how metadata can reveal campaign connections. As macros were blocked and actors shifted to LNK-based attachments, the article demonstrates how …
The LCBO disclosed a cybersecurity incident in January 2023 involving a web skimmer designed to steal customer payment information from LCBO.com during checkout. Experts identified the skimmer as Magecart, loaded via a Base64-encoded Google Tag Manager snippet…
SEO poisoning campaigns are increasingly used to serve malvertising and deliver commodity malware via manipulated search results, demonstrated by a Blender 3D example where malicious ads appear at the top before the legitimate site. Attackers rotate domains an…
This report analyzes Batloader campaigns observed in Q4 2022 linked to the Water Minyades intrusion set, highlighting its use of obfuscated JavaScript, MSI/JS payloads, and abuse of legitimate tools to evade defenses. It details how Batloader can drop multiple…
Playful Taurus (APT15) continues to evolve its toolkit, upgrading the Turian backdoor and expanding C2 infrastructure, with Iranian government networks likely compromised. The investigation maps infrastructure ties, updated variants, and supporting artifacts l…
VagusRAT is a new remote access tool delivered through Google Ads campaigns that abuse typosquatting and SEO poisoning to lure users into downloading malicious apps. CYFIRMA attributes VagusRAT to Iranian actors, notes its Malware-as-a-Service model, and highl…
Attackers use Google ads to lure users to fake Notepad++ download pages that install Aurora Stealer. The article traces the infection chain from the ad-driven page to the downloaded malware and its post-infection C2 traffic, and lists the associated IOCs.
Raspberry Robin is a Pay-Per-Install botnet that spreads via infected USB drives by launching an LNK file to download its MSI payload from compromised QNAP NAS, enabling distribution of other malware and hands-on-keyboard ransomware. The infrastructure is dyna…
Attackers rely on Office macros and transformation toolkits to preserve malicious behavior while changing signatures, making similarity detection essential for modern defenses. The article showcases real-world similarity patterns in macro malware (identifier s…
ASEC researchers uncovered a phishing campaign impersonating the National Tax Service, urging recipients to extend their password duration with a message about password expiry. The campaign uses a fake login site to harvest credentials, IPs, and personal d…