Recorded Future analyzes TA413, a Chinese state-sponsored group, detailing campaigns against the Tibetan community and the adoption of new capabilities, including the LOWZERO backdoor and exploitation of zero-days such as CVE-2022-1040 and Follina. The report …
Category: Threat Research
Coreid’s ransomware ecosystem continues evolving with Noberus, expanding cross-platform encryption and a growing data-exfiltration focus, supported by Exmatter and credential-stealing tools like Eamfo. Symantec/Sentinel Labs note ongoing affiliate updates and …
Domain shadowing is a stealth DNS hijacking technique where attackers create malicious subdomains under compromised domains, leveraging their benign reputation to carry out phishing, malware distribution, and C2 activities. Palo Alto Networks introduces an aut…
I found a simple batch file (2.bat) that drops a Remcos RAT using an old fodhelper UAC bypass to gain high privileges. The dropper decodes embedded Base64 with certutil, then downloads and launches the malware chain, including a PowerShell-based stage that att…
NFT-001 is a crypto/NFT malware campaign that evolved into a more evasive staged downloader delivering Remcos RAT, with phishing used to lure victims and a multi-stage payload chain designed to bypass defenses. The threat actor relies on private messages, DLL …
Magento 2 template attacks now deploy backdoors via injected template code to install a Linux RAT and web backdoors, enabling persistent access and remote command control across potentially multi-node clusters. Variants include 223sam.jpg attack, health_check.…
Analysis of the leaked LockBit 3.0 builder, detailing how it generates RSA keys, embeds resources, and produces encryptor/decryptor payloads, with implications for potential LockBit forks. The piece highlights the tool’s capabilities and mentions …
The FBI and CISA release a Cybersecurity Advisory detailing Iranian state actors, operating as HomeLand Justice, conducting destructive cyber operations against the Government of Albania in July and September 2022, including a year-long intrusion, ransomware-s…
SocGholish is a JavaScript malware framework that uses social engineering toolkits masquerading as software updates to deploy malware on a victim’s system. Threat actors host malicious sites that lure users with fake browser updates, downloading an archive tha…
Crytox is a multi-stage ransomware that encrypts local and network drives using per-file AES-256 keys protected by a locally generated RSA key, while dropping the uTox messenger to enable victim-actor communication. It employs anti-analysis techniques (packing…
Trend Micro’s analysis shows active exploitation of CVE-2022-26134 in Atlassian Confluence servers for cryptocurrency mining and other malware. The attacker uses an OGNL payload to trigger remote code execution, downloads ro.sh and ap.sh scripts, and ultimatel…
PUP.Optional.AdMax is Malwarebytes’ detection name for a family of browser extensions that are promoted in a deceptive way as ad blockers. Malwarebytes blocks the sites promoting them and provides remediation steps to detect and remove the PUP. #PUP.Optional.A…
In July 2022, during proactive threat hunting activities at a company in the media industry, Mandiant Managed Defense identified a novel spear phish methodology employed by the threat cluster tracked as UNC4034. Mandiant has identified several overlaps between this group and those we suspect have a North Korea nexus.
UNC4034 established communication…
Cyble researchers uncovered a campaign that uses fake Zoom sites to spread Vidar Stealer to Zoom users. The malware drops binaries, injects into MSBuild, and communicates with C2 infrastructure via GitHub-hosted payloads and hardcoded addresses. #VidarStealer …
Fortinet’s FortiGuard Labs uncovered a Russian-language phishing email designed to deploy the Konni RAT linked to APT37, with persistence and C2 communications. The attack uses a Donbass.zip attachment containing decoy PowerPoint files and a malicious macro ch…