Cisco Talos identifies a new Lazarus Group remote access trojan named MagicRAT, deployed after exploiting publicly exposed VMware Horizon platforms. The malware, linked to TigerRAT and Lazarus infrastructure, includes persistence, reconnaissance, and the hosti…
Category: Threat Research
PlugX is a long-running, modular RAT used by Asia-based threat actors like APT27, featuring a loader that combines a legitimate executable, a malicious module, and a malicious payload. The report traces six loader samples from 2012–2022, detailing DLL side-loa…
The article documents a rising ransomware trend called intermittent encryption, where attackers partially encrypt files to speed up infection and evade detection. It reviews several families adopting this approach (Qyick, Agenda, BlackCat/ALPHV, PLAY, Black Ba…
Bronze President targeted government officials using PlugX payloads across multiple documents and delivery methods. The campaign involved malicious archives, shortcuts, DLLs, and encrypted payloads linked to PlugX, with identified C2 servers associated with the …
Monti ransomware gang emerged during a July 2022 incident, encrypting 21 servers after exploiting Log4Shell in a VMware Horizon setup and leveraging both traditional Conti-like TTPs and new tooling. The operation highlighted Monti’s mimicry of Conti, its use o…
Unit 42 researchers describe MooBot, a Mirai variant that leverages four D-Link vulnerabilities to seize control of exposed devices and deploy a botnet for DDoS attacks. The campaign downloads MooBot from a remote host, communicates with a C2 server, and incl…
Joint FBI/CISA/MS-ISAC advisory details Vice Society’s ransomware operations, highlighting their methods, IOCs, and recommended mitigations for education-sector defenders. It notes that Vice Society uses variants such as Hello Kitty/Five Hands and Zeppelin and…
Wordfence alerted to an actively exploited zero-day vulnerability in BackupBuddy that allowed unauthenticated file downloads from WordPress sites. Nearly 5 million attacks were blocked since August 26, 2022, and a patched version 8.7.5 was released on Septembe…
ThreatLabz reports an update to the Ares banking trojan that adds a domain generation algorithm (DGA) mirroring Qakbot’s DGA, likely to extend infection lifetimes and monetize compromised systems. The update includes C2 fallback via DGA, web inject testing, an…
Cyble Research and Intelligence Labs (CRIL) detected active PowerShell Empire infrastructure being used in the wild, including multiple infections and post-exploitation activities leveraging the Empire framework. The article details Empire’s listener/stager/ag…
DangerousSavanna is a two-year campaign targeting financial institutions in French-speaking Africa, employing spear-phishing and a diverse set of infection chains to deploy PoshC2 and AsyncRAT. The operation features evolving lures, modular payloads, and exten…
Avast Threat Labs details Bobik, a .NET Remote Access Trojan that now functions as a DDoS module within a botnet used by the pro-Russian group NoName057(16) to target Ukraine and nearby countries. The report maps the botnet’s C2 infrastructure, the multi-stage…
Play is a new ransomware family that mirrors Hive and Nokoyawa, suggesting shared operators and attack infrastructure. It differentiates itself with AdFind-based Active Directory discovery and a blend of LOLBins, GPO-based deployment, and double-extortion tech…
IBM X-Force/MDR analysis connects Raspberry Robin infections with the Dridex malware and the Russia-based Evil Corp, revealing shared loader structures, anti-analysis techniques, and a workflow that leverages USB-based initial access. The report traces the inf…
BumbleBee is described as a refactored, modular backdoor evolved from BookWorm, featuring a two-app architecture (server/controller and client/slave) with layered deployment and a loader chain that uses a legitimate executable to run shellcode. The campaign ap…