Symantec details Witchetty’s expanded toolset, including Backdoor.Stegmap and the LookBack backdoor, which use steganography and a GitHub-hosted bitmap loader to hide and deliver payloads. The operation is tied to TA410 and Cicada/APT10, with past and present …
Category: Threat Research
Bl00dy is a newly discovered ransomware strain that uses double extortion and leaks victim data via Telegram rather than hidden Tor channels. It encrypts files with CryptoAPI, renames them with a .bl00dy extension, drops ransom notes, and propagates laterally …
eSentire’s Threat Response Unit details a Redline Stealer campaign against a manufacturing customer, delivered via a malicious Mozilla Thunderbird setup hosted on a lookalike thunderbiird[.]com and distributed in an ISO. The attacker uses an obfuscated AutoIT …
Part 3 of a four-part series on wiper malware analyzes how input/output controls (IOCTLs) and related Windows kernel interfaces are weaponized to gather disk information, manage disk volumes, and destroy data. It highlights IOCTLs used by DriveSlayer and other…
Unit 42 reveals a polyglot CHM file used to deliver the IcedID information stealer, weaving deception to evade detection by showing a benign decoy window first and launching malicious activity on a second run. The threat chain includes phishing with a ZIP, an …
Void Balaur is a prolific cyber mercenary group expanding its hack-for-hire campaigns globally through 2022, continuing to adapt its operations despite disruptions to its advertising personas. The group targets a broad mix of individuals and organizations, foc…
Threat actors increasingly rely on unsigned DLL loading to execute payloads, enabling stealthy operations by abusing signed processes. The investigation highlights Stately Taurus (PKPLUG/Mustang Panda) and Selective Pisces (Lazarus Group) and shows how unsigne…
ThreatLabz details a campaign delivering Agent Tesla via a configurable “Quantum Builder,” which creates LNK, HTA, and ISO payloads to execute a multi-stage infection. The campaign uses obfuscated PowerShell, LOLBins, and UAC bypass techniques to obtain admin …
CRIL researchers traced a malicious domain used in a spear-phishing campaign to steal Office 365 credentials and to host a new information stealer, Doenerium Stealer, which masquerades as legitimate Windows tools and is available on GitHub. The malware exhibit…
LockBit 3.0 is distributed via phishing emails disguised as job applications, using NSIS installers that deliver a nested payload. It encrypts user files, disables security services, and leaves a ransom note and wallpaper changes, with AhnLab detailing detecti…
ReversingLabs details a malicious npm package masquerading as Material Tailwind that installs via a postinstall script to download a password-protected ZIP containing a Windows executable. The campaign employs obfuscated …
NullMixer acts as a dropper delivering a wide range of malware families by redirecting users from cracked software sites through SEO-driven pages. It drops numerous trojans and stealers, including SmokeLoader, RedLine Stealer, PseudoManuscrypt, ColdStealer, an…
Mass malicious mailing campaigns are moving toward targeted-style operations, impersonating real companies and delivering malicious attachments. The payload is Agent Tesla, a credential-stealing malware that can exfiltrate data through various channels and per…
A May 2022 intrusion used BumbleBee as the initial access vector to deploy Cobalt Strike and Meterpreter across the network. The actors delivered a hidden DLL via an ISO/LNK chain, then moved laterally with RDP/SMB and remote access tools before being evicted; t…
Threat actors targeted GitHub users with a phishing campaign impersonating CircleCI to harvest credentials and 2FA codes, affecting many organizations even though GitHub itself was not breached. Attackers leverage stolen credentials to persist, access private …