Earth Longzhi is a newly identified APT41 sub-group that conducted two campaigns (2020–2022) across Asia-Pacific with custom Cobalt Strike loaders and multiple loaders/tools to target government, infrastructure, healthcare, and defense sectors. The campaigns b…
Category: Threat Research
LNK (Shell Link) files are Windows shortcuts that threat actors increasingly abuse to execute binaries and stage attacks, including delivering payloads via PowerShell, VBScript, or MSHTA. The article explains the LNK file format, how attackers leverage it in s…
Cyble researchers uncovered a phishing campaign targeting Bank Rakyat Indonesia (BRI) that escalates by distributing Android SMS stealers to harvest OTPs and bypass 2FA. The operation begins with credential- and OTP-phishing sites, then installs a custom SMS s…
QBot (Qakbot/QuackBot/Pinkslipbot) is leveraging a new HTML Smuggling technique to deliver and execute payloads through HTML5/JavaScript-encoded content embedded in HTML attachments, enabling attackers to bypass some network controls. This article details the …
StrelaStealer is an undocumented custom malware analyzed by DCSO CyTec that aims to steal mail credentials from Thunderbird and Outlook. It spreads via ISO-delivered lures using polyglot DLL/HTML techniques, encrypts data with an XOR key, and communicates with …
IPFS is being exploited by threat actors to host phishing pages and malware payloads, leveraging its censorship-resistant hosting to resist takedowns. Cisco Talos observes multiple campaigns using IPFS to host and retrieve malicious content, complicating defen…
Magniber has evolved to bypass Mark of the Web (MOTW) protections by using script-based delivery and a digital signature, while continuing to adapt delivery methods such as typosquatting. The analysis highlights how MOTW, UAC bypass via fodhelper, and registry…
A VBScript-based sample demonstrates how script-based ransomware can be built and evade many antivirus products by using a multi-stage PowerShell payload delivered via environment variables. It encrypts a wide range of file types, drops a ransom note, and atte…
Emotet has re-emerged, spreading worldwide again via spam emails with Excel attachments and macro-enabled documents to download its payloads. The campaign delivers follow-on payloads like IcedID and Bumblebee and has historically offered Malware-as-a-Service (…
Zimperium zLabs uncovered Cloud9, a Chrome browser botnet/RAT that can steal cookies, log keystrokes, mine cryptocurrency, and drop additional malware on a victim’s device. It spreads via threat-actor communities using fake installers and malicious sites (not …
Five DLL sideloading cases targeting government organizations in Asia show how threat actors reuse well-known techniques and progressively add complexity, including a USB worm in one case. A common loader shellcode and repeated infrastructure overlap across ca…
FormBook is a cheap, malware-as-a-service infostealer that appeals to operators with limited technical skills, yet it includes advanced evasion and data-collection capabilities. The article analyzes its behavior, distribution, and execution flow using ANY.RUN,…
Cyble researchers uncovered a data-destructive ransomware tied to the pro-Russian Killnet group, rebranding Chaos ransomware to target adversaries. The analysis details Killnet ransomware’s execution flow, including privilege escalation, persistence, targeted …
Fortinet threat researchers demonstrate a technique to use the .NET obfuscator against itself to reveal strings from a Warzone RAT variant, focusing on decoding encoded strings stored in a resource. The post walks through implementing a custom decoder in Visual…
DeimosC2 is presented as an open-source post-exploitation C2 framework that attackers may consider alongside Cobalt Strike, with details on how it operates, how its traffic and binaries can be identified, and defensive recommendations. The report covers Deimos…