Cyble researchers uncovered a phishing campaign impersonating Japan’s National Tax Agency to steal V-Preca card details from Japanese taxpayers, combining fake NTA sites, smishing, and Android malware (FakeCop) with extensive C2 infrastructure. The operation e…
Category: Threat Research
Cybereason GSOC analysts detail a technique that uses Notepad++ plugins to persist and evade security controls, including how a malicious DLL is injected via the plugin loading process and how PowerShell and Meterpreter are used to establish C2. The report als…
Cyble researchers uncovered a tax-refund phishing campaign targeting Greek banking users that uses a JavaScript keylogger to capture credentials entered on a fake government site. The attackers redirect victims to fake net-banking login pages for several banks, …
Trend Micro analyzed post-exploitation activity abusing the WebLogic vulnerability CVE-2020-14882 to deploy Kinsing cryptocurrency-mining malware. The report details how Trend Micro Vision One and Cloud One Workload Security detected, blocked, and traced the attac…
Secureworks CTU analyzed a June 2022 ransomware incident involving the Iranian COBALT MIRAGE group, highlighting continued use of known TTPs. The operation deployed ProxyShell exploits, web shells, and TunnelFish, encrypted servers with BitLocker, and left tra…
OriginLogger is the successor to the Agent Tesla keylogger, with new configuration handling and deployment methods. The analysis covers its builder, string obfuscation, dropper workflow, and multi-channel exfiltration infrastructure, ty…
Researchers at ESET identified a Linux variant of the SideWalk backdoor used by SparklingGoblin against a Hong Kong university in February 2021, and found close ties to Specter RAT and Windows SideWalk variants. The campaign reveals shared C2 infrastructure, C…
Arctic Wolf Labs analyzed a Lorenz ransomware intrusion that exploited CVE-2022-29499 on a Mitel MiVoice Connect appliance to gain initial access and deploy encryption with BitLocker. The attackers used LOLBins, Chisel tunneling, and FileZilla for data exfiltr…
Symantec details a new espionage campaign targeting Asian governments that uses DLL side-loading of legitimate software to load payloads, followed by credential theft and network-wide movement with a wide toolkit. The activity, spanning April–July 2022, hit a …
The article examines how third-party software can store credentials insecurely and how attackers can retrieve them to broaden access, with concrete examples across WinSCP, Git, RDCMan, OpenVPN, and various browsers. It also discusses protections in Cortex XDR …
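The WinSCP case is a good illustration of "stored insecurely": a saved session password is only obfuscated, with the username and hostname as the key, so anyone who can read the registry or WinSCP.ini can reverse it. The following Python reimplements that scheme from WinSCP's open-source Security.cpp (constants PWALG_SIMPLE_MAGIC 0xA3 and PWALG_SIMPLE_FLAG 0xFF). It is an added example, not code from the article or from WinSCP itself; the session values below are constructed, and the registry path in the comment is given only for orientation.

```python
# Added example (not from the article): reimplementation of WinSCP's stored-password
# obfuscation, to show why a saved session password is not a secret once an attacker can
# read HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\<name> or WinSCP.ini.
# Constants follow WinSCP's open-source Security.cpp; the sample session is constructed.
import random
from typing import Optional

PWALG_SIMPLE_MAGIC = 0xA3
PWALG_SIMPLE_FLAG = 0xFF
PWALG_SIMPLE_MAXLEN = 50
HEXCHARS = "0123456789ABCDEF"


def _encrypt_char(ch: int) -> str:
    """Obfuscate one byte: bitwise NOT, XOR with the magic, emit as two hex digits."""
    ch = ((~ch) & 0xFF) ^ PWALG_SIMPLE_MAGIC  # equivalent to ch ^ 0x5C
    return HEXCHARS[ch >> 4] + HEXCHARS[ch & 0x0F]


def _decrypt_next_char(buf: list) -> int:
    """Consume two hex digits from buf and undo the obfuscation (0 if buf is exhausted)."""
    if len(buf) < 2:
        return 0
    hi, lo = HEXCHARS.index(buf.pop(0)), HEXCHARS.index(buf.pop(0))
    return (~(((hi << 4) | lo) ^ PWALG_SIMPLE_MAGIC)) & 0xFF


def encrypt_password(password: str, key: str, shift: Optional[int] = None, rng=None) -> str:
    """Produce a WinSCP-style obfuscated password. key is username + hostname."""
    rng = rng or random.Random()
    data = (key + password).encode("utf-8")
    if shift is None:  # WinSCP prepends a random number of junk bytes
        shift = rng.randrange(PWALG_SIMPLE_MAXLEN - len(data)) if len(data) < PWALG_SIMPLE_MAXLEN else 0
    out = _encrypt_char(PWALG_SIMPLE_FLAG) + _encrypt_char(0)  # flag + dummy: always "A35C"
    out += _encrypt_char(len(data)) + _encrypt_char(shift)
    out += "".join(_encrypt_char(rng.randrange(256)) for _ in range(shift))  # junk prefix
    out += "".join(_encrypt_char(b) for b in data)
    while len(out) < PWALG_SIMPLE_MAXLEN * 2:  # random tail padding to a fixed size
        out += _encrypt_char(rng.randrange(256))
    return out


def decrypt_password(encrypted: str, key: str) -> str:
    """Recover the plaintext; returns '' if key (username + hostname) does not match."""
    buf = list(encrypted.upper())
    flag = _decrypt_next_char(buf)
    if flag == PWALG_SIMPLE_FLAG:
        _decrypt_next_char(buf)            # dummy byte
        length = _decrypt_next_char(buf)
    else:
        length = flag                      # legacy layout without the flag byte
    del buf[: 2 * _decrypt_next_char(buf)]  # skip the junk prefix
    raw = bytes(_decrypt_next_char(buf) for _ in range(length))
    if flag == PWALG_SIMPLE_FLAG:
        k = key.encode("utf-8")
        if not raw.startswith(k):
            return ""
        raw = raw[len(k):]
    return raw.decode("utf-8", errors="replace")


# Constructed sample session (values as they would appear in the registry or WinSCP.ini).
SAMPLE_SESSION = {
    "HostName": "sftp.example.test",
    "UserName": "backup",
    "Password": encrypt_password("Winter2022!", "backup" + "sftp.example.test",
                                 rng=random.Random(7)),
}


def recover_session_password(session: dict) -> str:
    """What an attacker with read access to the stored session can do."""
    return decrypt_password(session["Password"], session["UserName"] + session["HostName"])


if __name__ == "__main__":
    print("stored:", SAMPLE_SESSION["Password"])
    print("recovered:", recover_session_password(SAMPLE_SESSION))
```

Because the whole transform reduces to XOR with a constant byte, the "A35C" prefix is itself a usable detection artifact: any REG_SZ or INI value under a WinSCP Sessions key that begins with A35C is a recoverable password, and read access to that key by a process other than WinSCP is worth alerting on. The fix on the defensive side is to use WinSCP's master-password option or an SSH agent rather than saving passwords in sessions.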
Cisco Talos reports Lazarus Group’s global campaign exploiting VMware Horizon vulnerabilities to gain long-term access to energy-sector targets, deploying VSingle, YamaBot, and the newly described MagicRAT implants. The activity shows post-exploitation, latera…
TA453, an Iran-aligned actor, expanded its social engineering with Multi-Persona Impersonation (MPI), using multiple actor-controlled personas within a single email thread to boost campaign credibility. The technique targets researchers and nuclear security do…
May 2022 saw an Emotet-driven intrusion that began with a phishing Excel document and culminated in a domain-wide compromise, Cobalt Strike beaconing, lateral movement, and data exfiltration via Rclone. Emotet has since resurfaced (with TrickBot support) and r…
Lampion, a banking Trojan, is analyzed as delivered through a phishing email that directs victims to a cloud-hosted link serving a ZIP file. The campaign uses a VBScript loader executed via WScript to fetch DLL payloads, which are injected into memory to steal bankin…
The article documents a rising ransomware trend called intermittent encryption, where attackers partially encrypt files to speed up infection and evade detection. It reviews several families adopting this approach (Qyick, Agenda, BlackCat/ALPHV, PLAY, Black Ba…
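Intermittent encryption defeats detectors that expect a whole file to turn into high-entropy bytes at once, so a detector has to look at entropy per window rather than per file. The following Python is an added heuristic example, not code from the article or from any of the families it names: it walks a file in fixed windows, labels each window as ciphertext-like or not, and reports whether the file looks untouched, fully encrypted, or partially encrypted. The chunk size, the entropy threshold, and the sample files are constructed assumptions.

```python
# Added example (not from the article): chunked-entropy heuristic for partially encrypted files.
# CHUNK and HIGH_ENTROPY are assumed values tuned to the constructed samples below.
import math
import random
from collections import Counter

CHUNK = 4096          # bytes per entropy window (assumption)
HIGH_ENTROPY = 7.2    # bits/byte; above this a 4 KiB window looks like ciphertext (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, chunk: int = CHUNK, threshold: float = HIGH_ENTROPY) -> dict:
    """Label a file plaintext / encrypted / intermittent from its per-window entropy."""
    blocks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    high = [shannon_entropy(b) > threshold for b in blocks]
    n_high = sum(high)
    # Number of times the high/low label flips between neighbouring windows:
    # whole-file encryption gives 0, a partial encryptor gives many.
    transitions = sum(1 for a, b in zip(high, high[1:]) if a != b)
    if n_high == 0:
        verdict = "plaintext"
    elif n_high == len(blocks):
        verdict = "encrypted"
    else:
        verdict = "intermittent"
    return {"blocks": len(blocks), "high_entropy_blocks": n_high,
            "transitions": transitions, "verdict": verdict}


# --- constructed samples (not real victim files) -----------------------------------------
_rng = random.Random(2022)
_LINE = b"Quarterly figures for the Lisbon office, see attached spreadsheet.\n"
PLAINTEXT = (_LINE * 1000)[:16 * CHUNK]          # 64 KiB of ordinary text, 16 windows


def _random_bytes(n: int) -> bytes:
    """Stand-in for ciphertext: uniformly random bytes."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


def intermittent_encrypt(data: bytes, encrypt_every: int = 2, chunk: int = CHUNK) -> bytes:
    """Simulate a partial encryptor: overwrite every encrypt_every-th window with ciphertext."""
    out = bytearray(data)
    for idx, start in enumerate(range(0, len(data), chunk)):
        if idx % encrypt_every == 0:
            out[start:start + chunk] = _random_bytes(min(chunk, len(data) - start))
    return bytes(out)


FULLY_ENCRYPTED = _random_bytes(len(PLAINTEXT))
PARTIALLY_ENCRYPTED = intermittent_encrypt(PLAINTEXT)

if __name__ == "__main__":
    for name, blob in [("plaintext", PLAINTEXT), ("full", FULLY_ENCRYPTED),
                       ("partial", PARTIALLY_ENCRYPTED)]:
        print(name, classify(blob))
```

The caveat a practitioner needs: natively compressed formats (DOCX, ZIP, JPEG, PDF streams) already sit near the threshold, so this heuristic must be applied per file type, or against the file's own entropy profile before the write, rather than as a single global rule. The transition count is the more robust signal, since a legitimate container rarely alternates between text-like and ciphertext-like windows at a fixed stride.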