Attackers are distributing LockBit 3.0 by leveraging Amadey Bot as a downloader, using malicious Word documents and executables disguised as Word files to drop the malware. Amadey is used to contact a C2 server and fetch LockBit payloads, including PowerShell-…
Category: Threat Research
DeimosC2 is presented as an open-source post-exploitation C2 framework that attackers may consider alongside Cobalt Strike, with details on how it operates, how its traffic and binaries can be identified, and defensive recommendations. The report covers Deimos…
SocGholish operators have significantly expanded and diversified their malware staging infrastructure since mid-2022, adding about 18 new second-stage servers per month to counter defenders and scale operations. The majority of these new servers are in Europe …
IronNet analyzes how the Robin Banks phishing-as-a-service platform has evolved to evade takedowns, relocate infrastructure to a Russian provider, and add features like cookie-stealing to bypass MFA. The study highlights how open-source code and off-the-shelf …
APT-36 (Transparent Tribe) targets Indian government personnel with evolving TTPs, including malvertising, credential harvesting, and a newly documented data exfiltration tool named Limepad. Zscaler ThreatLabz explains how the group abuses Google Ads and third…
RomCom threat actor campaigns spoof SolarWinds, KeePass, and PDF Reader Pro to deliver RomCom RAT, focusing on Ukraine with possible targets in the United Kingdom. Researchers note connections to Cuba Ransomware and Industrial Spy, while clarifying that vendor…
SentinelLabs provides a comprehensive analysis of Black Basta’s operational TTPs, revealing custom tools, EDR-evasion capabilities, and a likely link to FIN7. The findings suggest FIN7 developers may have contributed to Black Basta’s toolset, with privilege es…
eSentire’s TRU investigates ChromeLoader, a Chrome extension-based adware delivered via ISO shortcuts and activated through PowerShell to install the extension from the registry. The analysis highlights its persistence via Run keys, high-privilege browser mani…
Cyble Research and Intelligence Labs tracks SmokeLoader campaigns that carry SystemBC and Raccoon Stealer 2.0 (RecordBreaker) alongside a new clipper named Laplas Clipper targeting cryptocurrency users. Laplas Clipper uses clipboard hijacking to swap wallet ad…
Text4Shell (CVE-2022-42889) is a critical remote code execution vulnerability in Apache Commons Text (versions 1.5–1.9) that can be triggered by crafted input strings to run code on vulnerable hosts. The advisory covers exploitation methods, potential post-exp…
Symantec Broadcom Software uncovered a previously undocumented dropper, Trojan.Geppei, that reads commands from IIS logs to install a new backdoor (Trojan.Danfuan) and other tools. The campaign is linked—though not conclusively—to Cranefly and UNC3524, and it …
Financially motivated banking Trojans are analyzed for how they evade detection, steal data, and serve as infrastructure to deliver other malware. The article covers families such as Zeus, Kronos, Trickbot, IcedID, Emotet and Dridex, and discusses defenses lik…
Two MDR case studies show attackers leveraging public clouds for C2, memory-resident toolsets, and targeted server-side intrusions across Exchange and SQL Server. The report also details long-text payloads, custom loaders, and exfiltration techniques used to s…
Surtr ransomware is being distributed in Korea, encrypting files and appending a unique Surtr extension to filenames. It also alters the infected system’s desktop, drops ransom notes SURTR_README.hta and SURTR_README.txt, and performs anti-analysis checks befo…
The article analyzes F-Automatical (FoxAuto) as Anonymous Fox’s seventh version of an automatic C2 script that runs post-exploitation tasks on compromised web servers. It covers how the script can persist, fetch remote modules, target multiple CMS, obfuscate i…