Researchers at Cado Labs report the re-emergence of WatchDog, a threat actor known for cryptojacking cloud resources. The new campaign targets East Asian cloud service providers using a shell script and a Monero wallet, revealing defense evasion, competitive m…
Category: Threat Research
This post explains how Fortinet researchers debugged a multi-stage .NET malware chain used for Warzone RAT by exporting and running each stage independently, then dumping the next stage for analysis. It covers building a wrapper app to run KeysNormalize.dll, r…
ARCrypter is a previously unknown ransomware family that emerged in Latin America (first seen in Chile and linked to the attack on Colombia's health regulator, Invima) and has expanded to victims in China and Canada, featuring a two-stage dropper and payload and a ransom note delivered before encryption.…
Venus ransomware, also known as Goodgame, operates as a standalone legacy package with links to Zeoticus and has been encrypting files globally since August 2022. It relies on publicly exposed RDP and common attack techniques rather than sophisticated malware,…
The article surveys more than twenty wiper families, examining trends, techniques, overlaps, and how actors—from activists to nation-states—use destructive software in 2022. It also discusses defense tips and the complexities of attribution, highlighting how w…
An online banking fraud group calling itself the Disneyland Team uses Punycode-based domains to spoof banks and harvest credentials, often coordinating with Gozi 2.0/Ursnif malware to drain accounts. They employ a Web-based control panel, fake bank pages, and …
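The Punycode spoofing described above is the kind of thing a mail or proxy filter can flag before a victim ever sees the fake bank page. The following is an added example, not code from the article or from the group it describes: it decodes `xn--` labels with Python's built-in `idna` codec, flags labels that mix scripts, and compares a confusables-collapsed "skeleton" of the hostname against a constructed list of protected brands. The confusables table is a small constructed subset of Unicode's confusables data, and the sample hostnames and brand list are constructed for illustration.

```python
"""Flag IDN (Punycode) hostnames that look like protected brands.

Added example, not the original article's code. CONFUSABLES is a small
constructed subset of Unicode's confusables data, not the full table.
"""
import unicodedata

# Constructed subset of confusables: look-alike character -> ASCII it imitates.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u04bb": "h",  # Cyrillic с х і һ
    "\u04cf": "l", "\u0443": "y",                                # Cyrillic ӏ у
    "\u03bf": "o", "\u03b1": "a",                                # Greek ο α
}


def decode_host(host):
    """Decode xn-- labels to Unicode. Returns (decoded_host, had_punycode)."""
    labels, had = [], False
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            had = True
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed Punycode: keep the raw label; still reported as punycode
        labels.append(label)
    return ".".join(labels), had


def skeleton(text):
    """Collapse confusables so a look-alike compares equal to its ASCII target."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", text))


def scripts_in(label):
    """Scripts used by the letters of a label, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def assess(host, protected):
    """Return a verdict dict for one hostname against a list of protected domains."""
    decoded, had_puny = decode_host(host)
    skel = skeleton(decoded)
    reasons = []
    for label in decoded.split("."):
        used = scripts_in(label)
        if len(used) > 1:
            reasons.append("mixed scripts %s in %r" % (sorted(used), label))
    for brand in protected:
        if skel == brand and decoded != brand:
            reasons.append("look-alike of %s" % brand)
    return {"host": host, "decoded": decoded, "skeleton": skel,
            "punycode": had_puny, "suspicious": bool(reasons), "reasons": reasons}


PROTECTED = ["apple.com", "examplebank.com"]  # constructed brand list

# Constructed inputs: one hand-written xn-- label, one produced by encoding a
# Cyrillic look-alike with Python's idna codec, one benign ASCII name and one
# legitimate IDN.
SAMPLE_HOSTS = [
    "xn--pple-43d.com",                                                  # аpple.com (Cyrillic а)
    "\u0435x\u0430mpl\u0435b\u0430nk.com".encode("idna").decode("ascii"),  # еxаmplеbаnk.com
    "apple.com",
    "xn--mnchen-3ya.de",                                                 # münchen.de
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(assess(h, PROTECTED))
```

A real deployment would load the full UTS #39 confusables table and compare against the registrable domain rather than the whole hostname, but the three signals shown (an `xn--` label, mixed scripts inside one label, and a skeleton collision with a protected brand) are the ones that separate the spoofed bank domains from ordinary international domain names such as `xn--mnchen-3ya.de`.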
The article describes using a Python script to extract and summarize HTTP CONNECT requests from PCAPs captured at a honeypot, illustrating how such traffic can reveal proxy-based tunneling activity. It also notes that larger datasets may …
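The extraction the article describes can be done without any third-party packet library. The following is an added example, not the article's script: a dependency-free parser for classic pcap files containing Ethernet/IPv4/TCP frames that reports which clients asked the honeypot proxy to tunnel to which `host:port`. The capture it runs on is constructed in-line (RFC 5737 documentation addresses, zero checksums), and the `build_frame`/`build_pcap` helpers exist only to produce that sample.

```python
"""Pull HTTP CONNECT requests out of a classic pcap and summarise them.

Added example, not the article's script. Assumes classic pcap (not pcapng),
link type 1 (Ethernet) and IPv4/TCP; the sample capture is constructed below.
"""
import re
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
CONNECT_RE = re.compile(rb"^CONNECT[ \t]+(\S+)[ \t]+HTTP/1\.[01]\r\n", re.IGNORECASE)


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def build_frame(src, dst, sport, dport, payload):
    """Ethernet II + IPv4 + TCP (PSH/ACK) carrying payload; checksums left zero."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames, linktype=1):
    """Classic little-endian pcap container around the given frames."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_frames(data):
    """Yield (ts_sec, frame_bytes) from a classic pcap of either byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic pcap (pcapng / nanosecond variants unsupported)")
    linktype, = struct.unpack_from(e + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet link type supported")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack_from(e + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", frame, 16)
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return None
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src, sport, dst, dport, frame[tcp_off + data_off:14 + total_len]


def extract_connects(pcap_bytes):
    """One record per packet whose TCP payload starts with a CONNECT request line."""
    hits = []
    for ts, frame in iter_frames(pcap_bytes):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        m = CONNECT_RE.match(payload)
        if m:
            hits.append({"ts": ts, "src": src, "dst": dst, "dport": dport,
                         "target": m.group(1).decode("ascii", "replace")})
    return hits


def summarize(hits):
    return {"total": len(hits),
            "by_target": Counter(h["target"] for h in hits),
            "by_src": Counter(h["src"] for h in hits),
            "by_dport": Counter(h["dport"] for h in hits)}


# Constructed capture: three CONNECT attempts against a honeypot at 192.0.2.10, one plain GET.
SAMPLE_PCAP = build_pcap([
    build_frame("203.0.113.5", "192.0.2.10", 40001, 8080,
                b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"),
    build_frame("203.0.113.5", "192.0.2.10", 40002, 8080, b"CONNECT example.com:443 HTTP/1.1\r\n\r\n"),
    build_frame("198.51.100.7", "192.0.2.10", 51000, 3128, b"CONNECT mail.example.net:25 HTTP/1.0\r\n\r\n"),
    build_frame("198.51.100.7", "192.0.2.10", 51001, 8080, b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"),
])

if __name__ == "__main__":
    s = summarize(extract_connects(SAMPLE_PCAP))
    print(s["total"], "CONNECT requests")
    for target, n in s["by_target"].most_common():
        print("%5d  %s" % (n, target))
```

The matcher only looks at the start of each segment's payload, so a CONNECT line split across TCP segments, or one sent on a connection that has already carried other data, is missed; on a large honeypot capture, reassemble streams first (tshark's `-z follow` or scapy's session support) and feed the reassembled client side to the same regex. Destination ports such as 8080 and 3128 in the `by_dport` counter are a quick way to see which proxy listeners the scanners were probing.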
Emotet resurfaced in early November 2022 after a four-month hiatus, resuming high-volume email campaigns and acting as a delivery network for other malware families. Proofpoint notes significant changes to Emotet’s lures, payloads, modules, loader, and packer,…
Cyble Research Labs uncovered Typhon Stealer and its updated variant Typhon Reborn, crypto-miner/stealer tools marketed for hire with wallet theft, keystroke monitoring, and anti-analysis features. Typhon Reborn adds stronger anti-analysis, expanded data colle…
DAGON Locker ransomware is being distributed in Korea, often via phishing emails, and operates as a ransomware-as-a-service with variable distribution strategies. It uses a memory-resident 64-bit EXE and employs strong encryption with ChaCha20 and RSA-2048, wh…
FortiGuard Labs reports that RapperBot has re-emerged in October 2022 as a DDoS-focused IoT botnet aimed at game servers, leveraging Telnet brute-forcing with embedded credentials to propagate. The campaign maintains a similar C2 protocol to earlier RapperBot …
DTrack is a Lazarus group backdoor used across a wide range of targets, including financial environments, a nuclear power plant, and targeted ransomware campaigns. The analysis highlights a multi-stage deployment with decryption and obfuscation, plus expanding…
Symantec attributes state-sponsored activity to Billbug (aka Thrip/Lotus Blossom), targeting a certificate authority and government/defense agencies across Asia since March 2022. The operation employs dual-use tools and backdoors (Hannotog and Sagerunex), uses St…
A May 2022 intrusion used BumbleBee as the initial access vector via a Contact Forms campaign, delivering an ISO containing an LNK and a DLL to load Meterpreter and Cobalt Strike Beacons. The attackers conducted multi-stage post-exploitation including UAC bypa…
Earth Longzhi is a newly identified APT41 sub-group that conducted two campaigns (2020–2022) across Asia-Pacific with custom Cobalt Strike loaders and multiple loaders/tools to target government, infrastructure, healthcare, and defense sectors. The campaigns b…