As endpoint detection and response (EDR) solutions improve malware detection efficacy on Windows systems, certain state-sponsored threat actors have shifted to developing and deploying malware on systems that do not generally support EDR, such as network appliances, SAN arrays, and VMware ESXi servers. Earlier this year, Mandiant identified a novel malware ecosystem…
Category: Threat Research
Avast released a MafiaWare666 ransomware decryptor tool for variants such as JCrypt and BrutusptCrypt. The ransomware encrypts files in user folders using AES, adds new extensions, and Avast’s decryptor guides victims through recovering their data, sometimes l…
Black Lotus Labs analyzed ~100 Go-based Chaos samples and found a cross‑platform, multi‑architecture botnet that persists, beacons to TLS C2s, steals or brute‑forces SSH credentials, exploits CVEs to propagate, and can run additional modules for DDoS and crypt…
CrowdStrike Falcon platform identified a supply chain attack tied to a trojanized Comm100 Live Chat installer, delivering a backdoor via a signed installer. The activity, with a suspected China nexus, involved a second-stage script, loader DLL, and multiple C2…
ESET researchers uncovered Lazarus APT campaigns in autumn 2021 that used Amazon-themed documents to target a Netherlands aerospace employee and a Belgian journalist, with data exfiltration as the goal. The operation combined multiple tools, including the BLIN…
New findings by R3D, with technical support from the Citizen Lab, document Pegasus infections of Mexican journalists and a human rights defender between 2019 and 2021, including an infection of opposition politician Agustín Basave Alanís in 2021. The report sh…
Check Point researchers detail Bumblebee loader’s rapid evolution, shifting delivery formats (ISO and VHD) and its move toward broader victim reach, plus how it loads encrypted configurations and communicates with its C2. They also note payload differences by …
Fortinet FortiGuard Labs analyzed malicious Microsoft Office documents that abused legitimate sites MediaFire and Blogger to deliver two malware variants: Agent Tesla and njRat (Bladabindi). The operation uses a multi-stage chain—VBA macros, mshta, and PowerSh…
DeftTorero (Lebanese Cedar/Volatile Cedar) activity from late 2019 to mid-2021 shows a shift toward fileless/LOLBIN techniques and the use of public/offensive tooling to blend in with normal activity. The report details initial access via web shells (Caterpill…
Sygnia attributes Cheerscrypt and Night Sky to the same actor, Emperor Dragonfly, a China-based group that rebrands payloads across campaigns. The investigation shows Emperor Dragonfly deploys Windows and ESXi ransomware, uses open-source Go tools, and conduct…
DJVU ransomware masquerades as legitimate software or decoy files and often partners with other threats to download information stealers for data exfiltration. It evolved from STOP ransomware, adding obfuscation and a highly flexible infection chain that inclu…
Water Labbu is a threat actor that parasitically hijacks scam DApp websites by injecting malicious JavaScript to steal cryptocurrency. The campaign uses injected payloads and delivery servers to obtain wallet permissions and drain USDT balances, disguising act…
Securonix Threat Labs uncovered a covert campaign targeting military contractors, leveraging sophisticated PowerShell-based stagers, multi-layer obfuscation, and robust C2 infrastructure. The attackers used spearphishing with a .lnk shortcut, extensive anti-an…
Operation In(ter)ception continues Lazarus’ macOS malware activity, using decoy job postings for Coinbase and Crypto.com to lure victims and install a multi-stage payload. The campaign features persistence via a LaunchAgent, staged download components, and har…
GTSC’s security team documented a 0-day remote code execution vulnerability in Microsoft Exchange being actively exploited in August 2022, leading to webshell deployment, credential dumping, and lateral movement. They provided a temporary, community-focused re…