Trend Micro analyzes Gootkit loader’s infection routine targeting Australian healthcare, showing SEO poisoning for initial access and abuse of VLC Media Player for DLL sideloading and Cobalt Strike usage. The campaign features obfuscated JavaScript, fake WordP…
Category: Threat Research
SCATTERED SPIDER attempted a Bring-Your-Own-Vulnerable-Driver (BYOVD) operation to load a kernel driver via CVE-2015-2291 in the Intel Ethernet Diagnostics driver (iqvw64.sys) to gain kernel access and persistence. CrowdStrike detected and blocked the attempt,…
Cybereason’s Threat Analysis chronicles an IcedID (BokBot) campaign, detailing its use as a dropper and initial access tool, TTPs, and post-compromise activity across a Windows environment. The report notes a shift to ISO/LNK infection vectors, cross-group tec…
ASEC tracked phishing email threats for December 18–24, 2022, finding Infostealer attachments (AgentTesla, FormBook) as the top threat type, followed by FakePage and Worm Malware; attackers also used various file extensions and C2 payloads. The report highligh…
NoName057(16) is a pro-Russian hacktivist group conducting DDoS campaigns targeting Ukraine, NATO, and other entities, leveraging Telegram, a volunteer-driven DDoS program, and a GitHub-hosted toolkit. The group has impacted several sectors including governmen…
NeedleDropper is a multi-file dropper observed since October 2022 that uses a self-extracting archive to deliver and execute payloads, hiding activity with junk data and leveraging legitimate applications. It is sold as a service on hacking forums and has bloc…
Researchers identified a crypto-themed Magecart skimmer built on the Mr.SNIFFA toolkit that targets e-commerce sites, employing obfuscation and whitespace encoding to load its payload and exfiltrate payment data. The operation runs on Russian-hosted infrastruc…
Emotet has returned after four months of inactivity, reviving spam campaigns and leveraging its loader-as-a-service model to deploy other malware. The campaign shows evolving social engineering and obfuscation techniques, continuing to drop modules like IcedID…
Phylum documents a PyPI malware campaign delivering a PowerShell-based loader and a stealer/RAT combo (poweRAT) through a multi-stage setup.py, with extensive obfuscation and data theft. The campaign leverages persistence, a Cloudflare Tunnel to expose a Flask…
This weekly ASEC report analyzes phishing email threats from December 25–31, 2022, focusing on attachments used to deliver malware. It highlights Infostealer, FakePage, and Worm Malware as top attachment-based threats, detailing file extensions, distribution s…
A Hive-derived backdoor, xdr33, was captured in the wild, repurposing CIA’s Hive project source with embedded BEACON and Trigger modules to steal sensitive data and establish footholds. The malware uses mutual TLS with client certificates, encrypts device i…
Bluebottle, a financially motivated cyber-crime group, continues targeting Francophone banks in Africa by using living-off-the-land techniques, commodity malware, and no custom malware. The campaign aligns with prior OPERA1ER activity but introduces new TTPs s…
The article surveys how major dark Web drug markets have become a multi-hundred-million-dollar ecosystem, with a shift toward mobile apps and instant messaging for buying, selling, and coordinating deliveries. It highlights ongoing wars for market share (Hydra…
CRIL researchers uncovered LummaC2 Stealer, a 32-bit GUI malware targeting Chromium and Mozilla browsers to exfiltrate crypto wallets, browser extensions, and 2FA data. The campaign includes a Russian-language seller site, Telegram channels, and active C2 serv…
Turla leveraged USB spread to introduce legacy ANDROMEDA into Ukrainian and other targets, then deployed KOPILUWAK to profile victims and QUIETCANARY to exfiltrate data, with multiple stages delivered via…