Executive Summary
Mandiant identified an operation focused on the Ukrainian government via trojanized Windows 10 Operating System installers. These were distributed via torrent sites in a supply chain attack.
Threat activity tracked as UNC4166 likely trojanized and distributed malicious Windows Operating system installers which drop malware that conducts reconnaissance and deploys additional capability…
Nokoyawa is a 64-bit Windows-based ransomware family that evolved from an earlier C version to a Rust-based 2.0, introducing a configurable command-line setup and faster encryption. The operation uses double extortion with a TOR-hosted ransom portal and data l…
Royal ransomware resurfaces as a Royal variant tied to a Conti Team One splinter group, employing callback phishing and a mix of stolen and living-off-the-land tooling to deploy and execute the ransomware. The campaign features rapid encryption using OpenSSL w…
Unit 42 documents continued Trident Ursa (Gamaredon) activity targeting Ukraine, detailing a long-running, multi-faceted campaign with hundreds of new domains and samples. The analysis highlights DNS manipulation, phishing campaigns delivering LNK/HTA/VBS payl…
Raspberry Robin is a multi-layer, packed backdoor that spreads via infected USB using LNK files to trigger a downloader and, in some samples, a fake payload to evade analysis while the real payload remains heavily obfuscated and connects to Tor for C2. The ope…
CrowdStrike’s analysis reveals GuLoader’s new anti-analysis shellcode, VM-detection, and a redundant code-injection approach that helps ensure execution. The researchers also map all DJB2 hashes for GuLoader’s APIs, providing a complete view of its behavior to…
Two researchers uncovered a malicious PyPI package masquerading as a SentinelOne SDK client, named “SentinelSneak,” which actually implements a backdoor and data-exfiltration capabilities. The campaign highlights open-source software supply-chain risks, especi…
Threat actors are increasingly using blockchain to hide and distribute malicious data and C2 instructions. Nozomi Networks researchers track Glupteba activity on the Bitcoin blockchain, showing how OP_RETURN data, XOR encryption, and Tor-based C2 are used, wit…
Cyble researchers examined a fraud operation where impostors posing as Village Level Entrepreneurs duped CSC Bank Mitra subscribers through a counterfeit CSC registration portal and staged KYC-like interactions. The scheme leveraged fake website ecscgov.co.in,…
MCCrash is a cross‑platform DDoS botnet tracked by Microsoft Threat Intelligence that targets Windows, Linux, and IoT devices to attack private Minecraft servers. It propagates via SSH credential brute‑forcing, downloads multi‑stage components, and issues Mine…
CRIL uncovered a sophisticated DarkTortilla campaign distributed via typosquatted phishing sites impersonating Grammarly and Cisco that deliver a .NET-based loader and a final payload. The operation uses multiple infection techniques, in-memory execution, LNK-…
Agenda (Qilin) has introduced a Rust variant of its ransomware, expanding cross‑platform reach beyond the Go version to target manufacturing and IT sectors. The Rust edition shows continued emphasis on targeted extortion, with intermittent encryption, hard-cod…
CYFIRMA tracks three campaigns—Evian, UNC064, and Siberian bear—believed to be operated by Russian-speaking threat groups on behalf of their Russian masters, targeting various industries and geographies for espionage, financial gains, and reconnaissance. The r…
Checkmarx and Illustria uncovered a large-scale phishing operation that polluted NuGet, NPM, and PyPi with automated packages containing links to phishing campaigns. The effort involved tens of thousands of package names, phishing sites, and referral rewards, …
ESET researchers exposed Operation LiberalFace, a MirrorFace spearphishing campaign aimed at Japanese political entities around the 2022 House of Councillors election. The operation leveraged the LODEINFO backdoor, introduced a new credential stealer MirrorSte…