SlowMist analyzes a North Korean APT operation that carried out a large-scale phishing campaign targeting NFT users, exposing how hundreds of fake NFT domains and decoy mint sites were used to harvest wallet approvals and data. The findings tie this campaign t…
Category: Threat Research
Team Cymru analyzes IcedID's BackConnect protocol and uncovers how operators repurpose infected hosts as proxies to support distributed C2 activity, including VPN/Starlink/Tor-based routing and remote-access channels. The post also highlights observed tools an…
Google ad traffic redirected users to a fake TeamViewer page that delivered malware via a JavaScript download and a Windows Installer package chain. The infection used legitimate-looking software components (IrfanView, Au…
ASEC researchers report that the Nitol DDoS Bot is used to install Amadey Bot, a downloader that drops additional malware. Amadey has resurfaced in cracks, keygens, and spam campaigns and was linked to LockBit 3.0 attacks targeting Korean corporate users. #Nit…
Vice Society has adopted a new custom-branded ransomware payload named PolyVice that uses NTRUEncrypt and ChaCha20-Poly1305 for strong encryption. The analysis indicates the same developers are selling customized payloads to multiple groups, signaling an outso…
Trend Micro researchers document a shift in the IcedID botnet's distribution, now leveraging Google PPC malvertising to push the malware via fake pages of legitimate brands and apps. The campaign uses a patched loader built into DLLs, executed through a chain …
FortiGuard Labs details a resurgence of Emotet delivering a tax-themed phishing attack purporting to be IRS-related. The chain starts with a compromised Pakistan-based email, moves through a password-protected ZIP containing a K-1 form spreadsheet with an Exce…
Trustwave SpiderLabs analyzed Ekipa RAT in the wild and found threat actors adopting Microsoft Publisher macros to push the trojan, alongside Word macros and XLL variants, as part of remote-template campaigns. The research shows Ekipa's deployment in the Russi…
Kiss-a-Dog, a cryptojacking campaign, has evolved to broaden its reach from Docker/Kubernetes to Redis-based targets, introducing a 20-year-old open-source process hider and other payloads like Tsunami and XMRig. The variant uses Redis for initial access, down…
Microsoft Defender for IoT researchers track Zerobot, a Go-based IoT botnet evolving with new exploits and DDoS capabilities, spreading via IoT and web-vulnerability abuse and deployed as a service. Zerobot 1.1 expands attack methods, adds CVE-based exploits, …
Two waves of ransomware and wiper attacks targeted Albanian government and law-enforcement systems, with later samples signed using stolen digital certificates from Nvidia and Kuwait Telecommunications Company. The campaigns show cross-language cooperation, po…
Meddler-in-the-Middle (MitM) phishing uses reverse-proxy servers to relay legitimate login pages to victims, enabling credential theft and MFA bypass. This article surveys how MitM phishing kits work, real-world campaigns targeting Microsoft, CircleCI/GitHub, …
Talos explores the use of Excel XLL add-ins as a new infection vector now that VBA macros are being blocked by Microsoft. The piece details how XLLs operate, lists notable actors and malware families using XLLs, and offers defensive guidance. #XLL #ExcelDNA #APT1…
Cyble Research and Intelligence Labs (CRIL) identify new ransomware strains (Putin Team, ScareCrow, BlueSky, and Meow) that were created from leaked Conti source code. These variants encrypt victim files, drop ransom notes, and frequently use Telegram to interac…
The article explains how Windows AMSI can be bypassed and how security teams can detect such abuse using Trend Micro Vision One and related products. It also outlines common bypass techniques, real-attack examples, and practical indicators for defenders. #AMSI…