CrowdStrike tracks a new cryptojacking campaign, Kiss-a-dog, targeting vulnerable Docker and Kubernetes infrastructure with an obscured domain, container escape, and anonymous mining pools. The operation uses multiple C2 servers, user- and kernel-mode rootkits…
Category: Threat Research
CLDAP reflectors are rising as a multi-vector DDoS mechanism, leveraging UDP reflection to amplify traffic and complicate mitigation. Black Lotus Labs tracks open CLDAP reflectors, analyzes their behavior, and provides guidance on reducing exposure and blockin…
An intrusion in early June 2022 leveraged the Follina CVE-2022-30190 vulnerability embedded in a malicious Word document to install Qbot (Qakbot/Pinkslipbot) and pivot through the network toward a domain compromise. Attackers used Cobalt Strike, NetSupport Man…
Brad Duncan surveys VNC-based malware activity over the years, tracing how what’s been labeled DarkVNC/HiddenVNC has evolved into broader malicious VNC use across multiple families and campaigns. The post concludes that the “Dark” label isn’t fixed, documentin…
Venus ransomware targets publicly exposed Remote Desktop services to encrypt Windows devices, abusing insecure RDP access to spread. Infections result in files ending with the .venus extension and a ransom note demanding payment. #VenusRansomware #RemoteDeskto…
Trustwave SpiderLabs details a threat campaign that uses password-protected archives with nested self-extracting RARsfx to deliver malware, predominantly via Emotet botnet spam. The payloads include CoinMiner and QuasarRAT, with adversaries employing obfuscati…
QAKBOT is observed using valid code signing certificates to sign malicious modules, enabling trusted-looking infections. The article reviews infection timelines, potential origins of abused certificates, and recommended countermeasures. #QAKBOT #Follina
The Lazarus threat actor exploited a watering hole to infiltrate target systems and then leveraged a vulnerability in MagicLine4NX to reach internal networks. They used BYOVD and a rootkit to disable anti-malware, then established internal access via RDP and S…
AgentTesla is being distributed through malicious VBScript (VBS) attached to emails, with the VBS payload obfuscated and decoded to eventually execute PowerShell and inject AgentTesla into a legitimate process. The campaign shows evolving delivery methods—from…
Microsoft’s analysis shows Raspberry Robin as part of a broader, interconnected malware ecosystem that enables pre-ransomware activity across thousands of devices, linking USB-driven infections to follow-on hands-on-keyboard attacks and ransomware deployments.…
LODEINFO underwent multiple upgrades in 2022, expanding its backdoor capabilities, encryption, and evasion techniques while continuing to target primarily Japanese entities. The article details complex C2 communications, 64-bit memory injection, and evolving b…
BlackCat (ALPHV) ransomware has risen to prominence with a Rust-based framework, triple extortion tactics, and a growing affiliate network that leverages diverse attack vectors. Trend Micro highlights evolving TTPs—from Emotet-assisted initial access to privat…
Brute Ratel’s config decoding update shows that Brute Ratel now uses a dynamic key to decrypt its onboard configuration, though the hardcoded key still exists for decrypting some strings. The article walks through RC4-based encryption, base64 decoding, and two…
FortiGuard Labs analyzed a phishing campaign that impersonates the Hungarian government to deliver the Warzone RAT through a disguised PDF-like executable. The campaign stacks multiple obfuscated .NET binaries in memory, uses MaaS-style malware, and employs ev…
360Netlab documents the return of the Fodcha DDoS botnet, detailing a renewed version with a dual OpenNIC/ICANN C2 and strong encryption to evade detection, plus large-scale DDoS operations that exceeded tens of thousands of bots and terabit traffic. The post …