Microsoft researchers warn that vulnerable Boa web servers embedded in IoT SDKs create supply-chain risk across critical infrastructure by enabling attackers to silently access networks and gather information. The post highlights Boa prevalence, CVEs in RealTe…
Category: Threat Research
IBM X-Force reports that RansomExx has been rewritten in Rust as RansomExx2, targeting Linux with a Windows variant likely in development. The rewrite highlights Rust’s cross-platform appeal and the ransomware’s continued use of AES-256 encryption with RSA-pro…
Zscaler ThreatLabz documents four under-documented groups carrying out payment card skimming against Magento and PrestaShop e-commerce stores, with activity since mid-2022 and a spike during the holiday season. The campaigns rely on heavily obfuscated JavaScri…
ViperSoftX is a long-running information stealer that hides inside large system log files and uses multi-stage PowerShell payloads to drop VenomSoftX, a browser extension that performs man-in-the-browser attacks to steal cryptocurrency. The campaign spreads ma…
QakBot (Qbot) uses obfuscated Regsvr32-based execution to load its DLL payload, often by moving or renaming system binaries and triggering execution via LNK and batch files. The threat starts with phishing delivering a password-protected ZIP/ISO, leading to us…
Trellix researchers identify World Cup/Arab-region themed email campaigns that impersonate FIFA and related entities to deliver phishing pages and malware to organizations. The top malware families seen are Qakbot, Emotet, Formbook, Remcos, and QuadAgent, with…
Cisco Talos discusses new LodaRAT variants (including a VenomRAT-derived S500 drop) observed in 2022, the changes in how they operate, and how LodaRAT appears alongside RedLine and Neshta in attack chains. The post highlights C2 beacon changes, added removal-to-dri…
Researchers identify the WASP threat actor behind a Python package campaign that delivers a polymorphic WASP Stealer via PyPI and uses steganography to hide its payload. The malware targets Discord accounts, wallets, and other files, exfiltrating data through …
Recorded Future’s Insikt Group analyzes the threat landscape around the 2022 FIFA World Cup in Qatar, covering state-sponsored cyber operations, cybercrime, influence operations, and physical security threats. The assessment finds no imminent disruptive cyber …
Hive ransomware operates as a ransomware-as-a-service (RaaS) that has victimized thousands across sectors like Healthcare and Public Health, encrypting data and threatening leaks. The advisory inventories Hive’s TTPs, IOCs, and mitigations, including initial a…
Cyble researchers uncovered Chrome extensions that hijack browsers and redirect user searches for monetary gain, affecting over two million users. The extensions modify default search engines, open persistent tabs, and route traffic through multiple redirects …
Unit 42 researchers present a machine learning approach to predicting the maliciousness of .NET samples by analyzing the DoubleZero wiper. The study shows how .NET-specific structures, unmanaged API calls, and plain-text strings can reveal malicious intent bey…
Aurora began as a Golang MaaS botnet advertised by Cheshire and Zelizzard, and evolved into an infostealer adopted by multiple traffers, with activity that later slowed and then resurged in different forms. Sekoia.io’s analysis shows multifaceted data collecti…
AXLocker, Octocrypt, and Alice ransomware families are analyzed, detailing AXLocker’s file encryption alongside its Discord token theft, and presenting Octocrypt and Alice as RaaS-style offerings with builder tools and wallet-based ransom models. The piece emp…
Earth Preta spear-phishing campaigns targeted governments, academia, and research sectors worldwide, distributing TONEINS, TONESHELL, and PUBLOAD through Google Drive links. The activity is attributed to Earth Preta (Mustang Panda/Bronze President), with new i…