Ursnif (Gozi/ISFB) was delivered via a malicious ISO containing a LNK file, leading to a complex execution flow that included a renamed rundll32 and later persistence. The attackers then deployed Cobalt Strike, performed manual discovery, dumped LSASS memory, …
Category: Threat Research
The campaign targets Italy with phishing emails carrying a password-protected ZIP named “IT_Fattura_n99392.zip” to drop an infostealer payload. It uses a multi-stage chain (LNK and BAT files) and a PowerShell/MSHTA/Rundll32 sequence to download and execute com…
An attacker exploited a PyTorch-nightly dependency confusion by uploading a malicious Torchtriton package to PyPI, causing users to pull a counterfeit binary. The malware exfiltrates data via DNS to a domain controlled by the attacker, and the post explains th…
Cyble researchers identified a phishing campaign that uses a Zoom-themed page to deliver the IcedID payload. Attackers drop two binaries, disguise Zoom installation, load IcedID in memory, gather system details, and communicate with a C2 server via a cookie-li…
Blind Eagle (APT-C-36) has intensified its Ecuador-focused campaign with an upgraded infection chain, delivering a QuasarRAT-based payload via a password-protected LHA package and multiple stages. The operation combines geo-filtered phishing, a MediaFire drop,…
An ASEC analysis reveals a Linux malware chain built with Shc that installs an XMRig CoinMiner and a Perl-based DDoS IRC Bot after compromising SSH services. The campaign uses RC4-based encoding, a Shc downloader, and a run script to fetch payloads and configur…
Raspberry Robin is an automated framework targeting European financial institutions, with upgraded downloader capabilities, in-memory shellcode, and encrypted command-and-control channels. Researchers note expanded victim data collection, modular C2 via a comp…
SlowMist analyzes a North Korean APT operation that carried out a large-scale phishing campaign targeting NFT users, exposing how hundreds of fake NFT domains and decoy mint sites were used to harvest wallet approvals and data. The findings tie this campaign t…
Malware authors employ a wide range of sandbox evasion techniques, from instrumentation checks and VM detection to requiring human interaction and timing tricks, and defenders counter with bespoke analysis approaches and memory-focused detection. The article s…
Threat actors misuse Google’s ad platform to push masquerAd sites that redirect users to phishing and malware pages, leveraging trusted ad traffic to gain credibility. Vermux leads mass campaigns targeting GPU users, distributing varying payloads via masquerAd…
CRIL uncovers Alibaba2044’s PureLogs stealer and related PureCoder malware offerings being sold in dark web forums, with a December 14, 2022 spam campaign targeting Italian users. The piece details multiple tools (PureLogs, PureCrypter, PureMiner, BlueLoader, P…
ThreatLabz uncovered a campaign where threat actors use a backdoored TradingView Desktop installer to drop SmokeLoader, which then retrieves ArkeiStealer. The operation combines a fake TradingView domain, a Windows Installer masquerade, and dynamic config to h…
Wordfence Threat Intelligence tracked a critical Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards Premium (versions
BlueNoroff group expanded its malware delivery methods to bypass Mark-of-the-Web (MOTW) protections by using ISO and VHD disk image formats, and began experimenting with Visual Basic Script, Windows Batch scripts, and a Windows executable. They also operated a…
IBM Security X-Force traced an entrenched adversary that maintained access to two organizations for 381 days via a Shadow IT bridged network, pivoting across a multi-domain forest and evading visibility with a rogue networking device. The findings highlight Sh…