CISA’s Malware Analysis Report examines CovalentStealer, a data-exfiltration malware used against a Defense Industrial Base (DIB) organization by suspected APT actors, detailing its file-enumeration, targeting, and upload workflow. The malware leverages embedd…
Category: Threat Research
Team Cymru’s Recon/BARS analysis dissects IcedID (BokBot) campaigns from September 2022, shedding light on Stage 1 downloader C2 infrastructure, delivery chains, and victim telemetry to reveal how threat actors evolve infrastructure across campaigns. The post …
CRIL identified a malicious site cloud-spoofer.xyz that redirects users to a Discord channel to buy a FiveM unban spoofer. The tool is modified to download AsyncRAT and a stealer from remote servers, delivering malware to gamers. #CloudSpoofer #FiveM #Discord …
Cybersecurity analysts from CISA analyzed HyperBro malware samples linked to a Defense Industrial Base incident, detailing a backdoor capable of file transfer, keystroke logging, and remote command execution. The report covers four analyzed files, a C2 endpoin…
The article documents BazarCall’s evolution from email bait to phone-based social engineering that prompts victims to download malware, including BazaarLoader and other families such as Trickbot, Gozi IFSB, and IcedID. It outlines a three-phase attack (bait, a…
FortiGuard Labs analyzed an Excel document delivering Redline malware via CVE-2017-11882. The loader uses in-memory techniques and persistence via Task Scheduler to exfiltrate sensitive data to a C2 server over HTTP using a WCF SOAP channel. Hashtags: #Redline…
Trustwave SpiderLabs observes HTML file attachments being used prominently in phishing spam, with HTML/HTM collectively accounting for about 14.09% of attachments, second only to EXE files. The report describes how these HTML attachments mimic sign-in pages an…
Cyble Research and Intelligence Labs (CRIL) tracked phishing campaigns distributing a fake ransomware that does not encrypt files but renames them, drops ransom notes, and threatens payment. The campaign uses masquerading techniques (double extensions like Sex…
Researchers from DCSO CyTec uncovered Maggie, a novel backdoor for Microsoft SQL servers hidden as an Extended Stored Procedure DLL called sqlmaggieAntiVirus_64.dll. Maggie runs commands, interacts with files, and can function as a network bridge with a SOCKS5…
BlackBerry Research & Intelligence uncovers a Mustang Panda operation targeting Myanmar that uses PlugX malware delivered via legitimate HP utilities embedded in RAR archives. The campaign employs DLL side-loading and domain-based C2 infrastructure masqueradin…
LilithBot is a multifunction malware sold as Malware-as-a-Service by the Eternity group, distributed through Telegram and Tor, with modules for botnet operations, stealer, clipper, miner, and more. The campaign showcases evolving features, including anti-debug…
Researchers built a sinkhole for PseudoManuscrypt and mapped its infections by analyzing a custom UDP/TCP C2 protocol layered over KCP, including how L1/L2 messages are structured and parsed. The work reveals extensive domain-based C2 activity and a rapid botn…
Fortinet FortiGuard Labs analyzes phishing-driven malware campaigns in Q3 2022, highlighting the use of HTML Smuggling, Excel 4.0 macros, Word VBA macros, and ISO image delivery to drop Emotet, Qbot, and IcedID. The report details multiple delivery chains and …
Researchers analyzed a Go-based BlackByte variant and uncovered an advanced technique to bypass security products by abusing a legitimate but vulnerable driver (RTCore64.sys) to disable protection. The technique, a “Bring Your Own [Vulnerable] Driver” approach…
eSentire has observed a significant rise in SolarMarker infections delivered via drive-by download attacks that rely on social engineering to persuade users to execute malware disguised as document templates. SolarMarker is a modular information-stealing malwa…