Trend Micro details an active Earth Bogle campaign targeting the Middle East and North Africa that uses geopolitical-themed lures to distribute NjRAT (Bladabindi). Attackers host payloads on public cloud storage and compromised web servers, distributing them v…
Researchers report a NetSupport RAT campaign that uses a Pokemon-themed lure to trick targets into installing a trojanized NetSupport RAT client, granting attackers full control of the compromised device. The operation relies on ISO droppers masquerading as le…
ASEC’s weekly phishing threat analysis for Jan 1–7, 2023 shows phishing email attachments as the dominant attack vector, with FakePage pages designed to harvest credentials, followed by Worm, Infostealer, and Downloader campaigns. The report also highlights MO…
Avast has released a decryptor for the BianLian ransomware, making it publicly available to help victims recover encrypted files. The article outlines BianLian’s Go-based ransomware behavior, its AES-256-CBC encryption, and how to use Avast’s decryptor to rest…
Rhadamanthys Stealer is a MaaS-delivered infostealer that spreads via Google Ads and phishing sites impersonating legitimate apps, extracting browser data, crypto-wallet details, and system information. Cyble researchers describe its delivery chain from spam, …
Unit 42 researchers examine Automated Libra, the cloud threat actor behind PurpleUrchin, which freejacks cloud resources to mine cryptocurrency. They reveal CI/CD automation, massive GitHub and cloud account creation, CAPTCHA exploitation, and a Play and Run t…
TRU investigators at eSentire uncovered Gootloader using a new infection technique delivered via a compromised WordPress site, followed by a hands-on-keyboard phase with Cobalt Strike. The analysis tracks BloodHound usage, PsExec lateral movement, and PowerShe…
Deep Instinct details 2022 observations of polyglot files that combine malicious JARs with other formats to evade detection, focusing on MSI+JAR, CAB+JAR, and other appended variants tied to StrRAT and Ratty. The article also covers detection challenges, commu…
Fortinet’s analysis details a targeted FortiOS SSL-VPN heap overflow (CVE-2022-42475) used to deploy a Linux implant masquerading as an IPS component. The write-up covers malware behavior, IoCs, C2 infrastructure, affected FortiGate models/versions, and recomm…
EclecticIQ details a QakBot phishing campaign that bypasses Windows Mark of the Web (MoTW) using an unpatched vulnerability, enabling malware installation. The campaign leverages LOLBINS like Regsvr32 and WScript, delivers payloads via encrypted ZIP/ISO, and c…
Orcus RAT is being distributed on file-sharing sites disguised as a cracked Hangul Word Processor, linked to the same actor who previously pushed BitRAT and XMRig under a Windows license verifier guise. The campaign employs a multi-stage delivery chain with ob…
JPCERT/CC describes cloud-based malware analysis operations (MAOps) that automate C2 monitoring, malware hunting, YARA rule generation, surface analysis, and memory forensics using AWS serverless services and GitHub workflows. The article showcases several cas…
Attack attempts spiked over the holiday season, a rise attributed to reduced monitoring, with two notable waves targeting the Downloads Manager plugin. The findings emphasize removing outdated plugins, keeping WordPress components updated, and relying on firewall protectio…
Rapid7 details how threat actors deploy Hive ransomware with a mix of known techniques and new methods to drop defenses, enable lateral movement, and encrypt across victim machines and network shares. The article also covers new Hive flags (-timer, -low-key) a…
FortiGuard Labs’ Ransomware Roundup analyzes Monti, BlackHunt, and Putin ransomware, detailing distinct methods from Linux file encryption to RDP-driven intrusions and data-leak strategies. The piece also outlines Fortinet protections and defense recommendatio…