Checkmarx identified roughly 200 malicious NPM packages linked to the crime group LofyGang that abused typosquatting, sub-dependencies, and legitimate cloud services to distribute credential-stealing and Discord-targeted malware. The actors used Discord bots a…
Category: Threat Research
Cisco Talos uncovers a new all-in-one offensive framework, Alchimist, with a GoLang-based C2 and a companion RAT called Insekt that targets Windows, Linux, and Mac, featuring a Chinese web UI and remote administration. The dropper/C2 stack includes MacOSX expl…
WIP19 is a Chinese-speaking threat cluster targeting telecommunications and IT service providers in the Middle East and Asia, using a stolen DEEPSoft certificate to sign multiple malware components. The operation features mature tooling (including SQLMaggie an…
Cyble Research & Intelligence Labs (CRIL) uncovered a mass tech support scam ecosystem that uses phishing sites impersonating Microsoft and Apple support to push fake Windows Defender alerts. Victims who contact the fake helplines are then compromised via remo…
8220 Gang continues to infect misconfigured cloud workloads by exploiting outdated Docker, Apache, WebLogic, and Log4j services and expanding its cryptocurrency-mining botnet. It rotates infrastructure, uses PureCrypter MaaS, and distributes miners via Discord…
Budworm is resurfacing in the U.S. targeting high-value entities with a mix of malware and openly available tools, including DLL side-loading via legitimate processes and C2 infrastructure hosted on VPS services. The campaign centers on HyperBro, with occasion…
Attackers increasingly rely on legitimate remote access tools and backdoors to infiltrate networks, move laterally, and harvest data. The article surveys common backdoors, RATs, and remote control tools (e.g., AnyDesk, TeamViewer, ToDesk, AveMaria) used in rea…
Downloader ranked top with 38.2%, followed by info-stealer with 35.1%, ransomware with 14.7%, backdoor with 11.6%, and CoinMiner with 0.4% for the week of September 26th to October 2nd, 2022. Top families included BeamWinHTTP, Smokeloader, Stop Ransomware, Vid…
FortiGuard Labs details a Ukrainian-military-themed Excel XLSM document that hides a multi-stage loader which ends with Cobalt Strike Beacon on the victim’s machine. The campaign uses macro-based delivery, obfuscation, shortcut-based execution, and scheduled-t…
Malware is increasingly distributed via ISO files, with multiple families adopting the method. Qakbot has shifted from Excel macros to ISO-based delivery, alongside AsyncRAT, IcedID, and BumbleBee. #Qakbot #ISOFiles
Snake Keylogger is a .NET-based malware that focuses on stealing credentials, keystrokes, screenshots, and clipboard data. The article walks through multi-stage unpacking, heavy obfuscation, runtime DLL loading, process hollowing for payload execution, persist…
Security researchers outline detection strategies for the Caffeine phishing service platform, including endpoint and network indicators. They provide YARA rules, domain infrastructure details, and defensive best practices to mitigate PhaaS-based phishing campa…
Trend Micro researchers document a QAKBOT-driven intrusion that escalates to Brute Ratel C4 and Cobalt Strike payloads attributed to Black Basta operators, highlighting a shift toward commercial C2/attack emulation tools in real-world ransomware campaigns. The…
Researchers tracked the Lazarus group using DLL Side-Loading (T1574.002) to run a malicious DLL via legitimate Windows processes. The attackers staged a backdoor (mi.dll) loaded from the same folder as the host process (wsmprovhost.exe) and used open-source Bu…
Earth Aughisky (Taidoor) remains a long-running APT, gradually adapting its malware toolkit across Taiwan and Japan. The post catalogs Earth Aughisky’s malware families, their connections to other groups, and potential strategic shifts, highlighting a broader …