ESET researchers uncovered a new wiper called Fantasy and its execution tool Sandals, attributed to the Agrius APT, deployed through a supply-chain compromise against an Israeli software developer. The operation targeted Israeli HR/IT firms, diamond-industry s…
Category: Threat Research
Zerobot is a Go-based IoT botnet observed by FortiGuard Labs that exploits multiple vulnerabilities to infect devices, self-replicate, and propagate using various protocols. It communicates with a WebSocket-based C2 and has evolved to include a selfRepo module…
Mandiant Managed Defense recently identified cyber espionage activity that heavily leverages USB devices as an initial infection vector and concentrates on the Philippines. Mandiant tracks this activity as UNC4191 and we assess it has a China nexus.
UNC4191 operations have affected a range of public and private sector entities primarily in Southeast…
Citrine Sleet (formerly DEV-0139) targeted cryptocurrency investment companies, leveraging social pretexting on Telegram and a weaponized Excel document to deliver a backdoor via DLL proxying. The campaign shows sophisticated industry knowledge, multiple deliv…
Fortinet FortiGuard Labs analyzes a Cryptonite ransomware sample that was open-sourced on GitHub and later observed to behave like a wiper in the wild. The investigation covers static and dynamic analyses, reveals a flawed design that prevents data recovery, a…
North Korea-linked Lazarus APT ran a campaign distributing fake cryptocurrency apps under the BloxHolder brand to push the AppleJeus malware and gain initial access to crypto users. The operation, active June–October 2022, used a cloned HaasOnline site and mul…
Cybereason’s Purple Team Threat Analysis explores how Windows Installer MSI packages can be weaponized to deploy payloads, including embedded binaries and stagers that fetch commands from a C2 server. The report also analyzes related malware families (Magniber…
During the 2022 holiday shopping season, cybercriminals have intensified seasonal phishing and fraud campaigns that blend with legitimate shopping activity. Trustwave SpiderLabs outlines package-delivery, fake-order, and promotional scams impersonating brands …
Erbium Stealer is an information-stealing malware distributed as MaaS, observed by CYFIRMA in Aug-2022 and advertised on Russian-speaking forums. It decrypts obfuscated code, drops a DLL in %temp%, loads it via LoadLibraryA, and communicates with a C2 panel an…
ZetaNile is a set of open-source software trojans used by North Korea’s Lazarus/ZINC to trojanize tools like PuTTY and TightVNC, enabling in-memory backdoors and C2 communications. The campaign blends social engineering, trojanized open-source software, and a …
Lazarus is analyzed as a financially focused APT group with suspected Northeast Asian origins, noted for multi-stage VHD-based attacks that bypass common defenses and target financial institutions and crypto exchanges. The operation includes spearphishing bait…
CryWiper is a Windows-based Trojan masquerading as ransomware that secretly destroys data instead of encrypting it. It uses stealthy techniques like scheduled tasks, C2 communication, registry timing, and targeted file deletion to complicate incident response …
CRIL from Cyble analyzed phishing campaigns that impersonate ExpressVPN to distribute the Redline Stealer, delivered through fake ExpressVPN sites. Attackers use shortened URLs with valid SSL to lure users into downloading a malicious ZIP, after which the payload is inj…
Cyble Research and Intelligence Labs reports a new Malware-as-a-Service strain, DuckLogs, that bundles stealer, keylogger, clipper, and remote access capabilities for threat actors. It features a sophisticated web panel for building, monitoring, and deploying …
IoT botnets are increasingly evading detection as attackers modify malware to hide from analysts, using UPX packing, ELF header changes, and other anti-analysis tricks. The study of 728 IoT samples collected from honeypots over 15 days also shows how attackers…