Proofpoint details TA453’s irregular campaigns (2020–2022), showing a shift toward compromised accounts, malware, and confrontational lures with possible IRGC support. The report highlights the Samantha Wolf persona and aggressive outreach suggesting TA453’s t…
Category: Threat Research
Two reports show Google Ads leading to fake software pages that push IcedID (Bokbot) via SEO poisoning and multiple redirects, including a fake AnyDesk site that downloads a malicious ZIP. The infection chain delivers an MSI that drops a DLL to install IcedID,…
Venom RAT has been updated with a stealer module that exfiltrates sensitive data to its C2 server, expanding its malicious capabilities. The malware now steals browser data, passwords, cookies, history, and even credit card details, while threat actors offer V…
Cloud Atlas (Inception) is a long-running cyber-espionage group whose focus has narrowed to Russia, Belarus, and contested regions in Ukraine and Moldova since 2021–2022, including Crimea and Donetsk/Luhansk. In the past year they staged targeted intrusions us…
Phylum reports an ongoing typosquatting campaign targeting Python and JavaScript developers on PyPI and NPM, delivering a ransomware payload when executed. The attacker publishes typosquatted packages (notably around the Python requests package) that fetch a l…
FortiGuard Labs uncovered a Go-based CMS scanner and brute-forcer named GoTrim that targets WordPress and OpenCart. It operates as a botnet for distributed brute-forcing, communicates with its C2 over encrypted channels, and can switch between client and serve…
Wordfence Threat Intelligence reports spike patterns in exploits targeting two WordPress plugins, Kaswara Modern VC Addons (
Trend Micro’s report reveals a supply-chain campaign that trojanized Comm100 and LiveHelp100 installers to deploy a JavaScript backdoor and multiple modules within Electron-based chat apps. The attackers used HTTP and WebSocket C2 channels to exfiltrate data, …
The Royal ransomware group emerged in early 2022 and has grown globally, deploying through multiple TTPs and affecting organizations worldwide. It uses a unique partial encryption approach with a flexible percentage, operates in a multi-threaded manner, and sh…
Mallox ransomware activity has surged, driven by a .NET-based loader that downloads encrypted payloads and decrypts them in memory before encryption. The operation targets critical infrastructure, stops GPS-related services, and uses a private chat and leak si…
Drokbk is a .NET-based malware used by COBALT MIRAGE Cluster B, consisting of a dropper and a payload that primarily executes commands from a remote C2 server. The campaign uses a GitHub dead-drop resolver to locate its C2 and demonstrates persistence via a Wi…
Attestation signing of drivers through the Windows Hardware Compatibility process is being abused to sign POORTRY and other malware samples with legitimate Microsoft certificates. The programName field in Authenticode data helps identify associated samples and…
SentinelOne observes threat actors abusing legitimately signed Microsoft drivers to intrude into telecom, BPO, MSSP, and financial services organizations. The activity centers on a two-component toolkit (STONESTOP and POORTRY) that terminates AV/EDR and can ev…
Check Point Research details how Azov ransomware functions as a polymorphic wiper, including its ability to backdoor 64-bit executables and leverage the SmokeLoader botnet for distribution. The analysis notes an advanced, assembly-built payload with anti-analy…
Trustwave SpiderLabs uncovered threat actors using a OneNote attachment to deliver Formbook malware via a Windows Script File overlay. The attack chain activates when users view the lure and PowerShell downloads and runs the Formbook payload from a remote host…