Monster is a Delphi-based ransomware-as-a-service (RaaS) that hides its capabilities and uses configurable features to customize encryption and evasion, raising the risk of attribution confusion. The BlackBerry analysis details its encryption methods, use of I…
Category: Threat Research
Fortinet’s Ragnar Locker Ransomware Roundup explains that Ragnar Locker encrypts files, exfiltrates data, and uses double extortion to pressure victims, including negotiations via a Tor-based site and leaking stolen information on a “Wall of Shame.” It also no…
Threat actors run credential-phishing campaigns that spoof U.S. government departments (DoL, DoC, DoT) to lure victims into submitting credentials via multi-step, convincingly branded PDFs and pages. The campaigns have evolved since 2019, improving email conte…
CRIL researchers uncovered a fake Telegram download site that leads Windows users to a malicious MSI installer, which abuses Windows Defender components to operate a remote-access Trojan. The malware uses DLL side-loading, memory injection, and a C2 channel to…
FortiGuard Labs analyzed an Excel document that embeds a randomized payload and exploits CVE-2017-11882 to drop malware on Windows. The analysis traces how the document loads the embedded file, uses a vulnerability to execute code, downloads Formbook/Redline p…
The blog analyzes three recent honeypot infections attributed to TeamTNT, suggesting renewed activity after their 2021 farewell. It details multiple campaigns (Kangaroo, Cronb, What Will Be) that reuse familiar TeamTNT tools and techniques, including misconfig…
Publicly available Slam Ransomware Builder lowers the barrier to entry for cybercriminals by offering free tooling, while presenting credible threats to enterprises. The article details Slam’s features, capabilities, and indicators of compromise to help defend…
A self-spreading malware bundle centers on the RedLine stealer, using cheats/cracks ads and YouTube video posts to propagate while stealing browser credentials and other data. The campaign combines loaders, startup persistence, and G…
Insikt Group profiles UAC-0113 infrastructure linked with Sandworm, highlighting ongoing Ukrainian targeting and the use of dynamic DNS masquerades as Ukrainian telecom providers to host C2 and payload delivery. The analysis shows a shift from DarkCrystal to C…
Cisco Talos reports a new Gamaredon APT campaign targeting Ukrainian government entities, leveraging spear-phishing with Russian invasion-themed Office documents and malicious VBScript macros to seed infection. The operation uses a multi-stage chain (LNK in RA…
SEKOIA analysts document PrivateLoader as a modular downloader that operates within the ruzki Pay-Per-Install (PPI) service to download and execute multiple payloads, enabling broad distribution of malware. The report links PrivateLoader to ruzki’s PPI ecosys…
Attackers continue to abuse Google Sites and Microsoft Azure Web Apps to host cryptocurrency phishing campaigns targeting major wallets and exchanges, with new pages and targets emerging over time. The operation relies on two stages—SEO-driven first pages and …
Malvertising on the Microsoft Edge News Feed redirects users to tech support scam pages via the Taboola ad network. The operation uses a cloud-based infrastructure and fingerprinting to target victims while avoiding bots or blocks. #Taboola #EdgeNewsFeed #brow…
IRGC-affiliated cyber actors exploited known Fortinet FortiOS and Microsoft Exchange vulnerabilities, plus VMware Horizon Log4j flaws, to gain initial access and conduct ransomware-like operations involving data encryption and data extortion. The advisory outl…
A Word OOXML document (docx) is used as a downloader by embedding a frameset that loads a second-stage payload when opened. The phishing sample “Order Confirmation 22839.docx” first delivers a malicious RTF (“92.doc”) which downloads the final malware, the Red…