Trend Micro’s honeypots detected cryptocurrency mining activity targeting cloud and container environments, with actors using Docker API abuse and worm-like propagation that resembles TeamTNT’s arsenal, though WatchDog may be mimicking or behind the campaign. …
Category: Threat Research
URSNIF’s LDR4 variant marks a shift from banking fraud to remote access capabilities, dropping banking modules in favor of enabling VNC and remote shell access on compromised machines. It introduces API call obfuscation, a redesigned configuration/storage stru…
ESET researchers uncovered a Lazarus campaign in fall 2021 that targeted a Netherlands aerospace employee and a Belgian political journalist via spearphishing attachments, leading to a multi-tool intrusion set. Notably, it marked the first publicized real-worl…
SafeBreach Labs uncovered a new fully undetectable PowerShell backdoor that disguises itself as part of the Windows update process and has targeted about 100 victims. The attack chain starts with a malicious Word document (Apply Form.docm) and culminates in C2…
FortiGuard Labs’ Ransomware Roundup analyzes Royal ransomware, detailing its Windows-based encryption, command-line operation, shadow-copy deletion, and ransom workflow via Tor, along with Fortinet protection and defender guidance. It notes the potential for a…
Security researchers tie the Spyder Loader (Trojan.Spyload) to a long-running intelligence-gathering operation called Operation CuckooBees, active since at least 2019 and targeting intellectual property. The loader is a 64-bit PE DLL derived from sqlite3.dll, …
Palo Alto Networks describes a proactive detector that spots potentially malicious newly observed domains (NODs) by ingesting WHOIS data, DNS traffic, and passive DNS signals, enabling earlier detection of abuse as domains become active. The system analyzes mi…
Emotet has re-emerged as a 64-bit variant with a multi-stage decryption and C2 communications workflow. The analysis highlights its loading sequence, encrypted resources, inner DLLs, and cryptographic changes (ECC and bcrypt.dll) compared with earlier versions…
Ransom Cartel emerged as a ransomware-as-a-service operation around late 2021, showing double-extortion techniques and notable overlaps with REvil, including possible ties to REvil’s code and infrastructure. The report analyzes Ransom Cartel’s TTPs, comparison…
Threat researchers reverse-engineered Brute Ratel C4 (BRC4) and its Badger agents, building a defender-focused analysis and an Atomic-C2 simulator to test detections. The study maps BRC4 behaviors to MITRE techniques, highlighting an ISO-based initial access c…
CYFIRMA’s analysis focuses on Infostealer Prynt, a commodity malware used in Malware-as-a-Service campaigns with a hidden backdoor, notably through process injection into a legitimate AppLaunch.exe workflow to exfiltrate data. It collects system information, f…
This fourth post in a four-part series examines the rarely used “helper” techniques wipers employ to augment data destruction, such as manipulating VSS, filling disk space, and altering boot configurations. It covers methods like shadow-copy deletion, space-fi…
BianLian ransomware, written in Go, encrypts files at high speed using concurrent processes and targets a wide range of industries across several countries. The operation includes a ransom note with contacts via Tox or email and hints at manual deployment with…
A phishing site impersonating AnyDesk delivered a stealer named Mitsu Stealer by tricking victims into downloading a malicious Anydesk.exe. The malware exfiltrates browser credentials, wallet data, and Discord tokens via a Discord webhook and even attempts to …
Uptycs reports a new campaign where WSHRAT acts as a dropper for Agent Tesla through a multi-stage infection chain emphasizing evasion techniques like steganography and in-memory DLL loading. The campaign begins with phishing emails containing GZ and R00 archi…