ASEC researchers identified a malicious HWP document that exploits OLE objects and a Flash vulnerability (CVE-2018-15982), using embedded links to trigger execution. The attack drops files in %TEMP%, hides OLE objects, and can download and run additional paylo…
Category: Threat Research
SafeBreach Labs uncovered a new targeted remote access Trojan named CodeRAT that targets Farsi-speaking developers using a Word document with a DDE exploit. It features a versatile command set, uses Telegram bot API for C2 and public file-upload services for e…
BianLian emerged as a relatively new ransomware actor deploying Go-based malware and using LOL (Living off the Land) techniques to move laterally while evading EDR during encryption. They exploited initial access vectors like ProxyShell and SonicWall VPNs, rap…
IBM X-Force/MDR analysis connects Raspberry Robin infections with the Dridex malware and the Russia-based Evil Corp, revealing shared loader structures, anti-analysis techniques, and a workflow that leverages USB-based initial access. The report traces the inf…
Bitdefender’s deep-dive analyzes a corporate espionage operation targeting a small U.S. technology company, detailing how initial access was gained through an unpatched internet-facing vulnerability and how attackers staged months of data exfiltration. The ope…
Magecart threat actors target Magento-based online stores by injecting JavaScript skimmers into checkout pages to steal payment data. The skimmer loads an overlay form from an embedded JS file, collects card details and personal information, obfuscates and exf…
Zscaler ThreatLabz reveals that Prynt Stealer’s builder contains a secret backdoor that exfiltrates victims’ data to a private Telegram chat watched by the builder’s developers, and that Prynt Stealer, WorldWind, and DarkEye are nearly identical variants. The …
The Government CSIRT reports an active cyber security incident affecting a government service, attributed to ransomware targeting Microsoft and VMware ESXi servers. The malware encrypts VM-related files (changing them to a .crypt extension) and leaves a ransom…
ChromeLoader, also known as Choziosi Loader, has evolved through multiple versions since late 2021, complicating atomic indicator-based detections. The analysis tracks its execution chain from obfuscated PowerShell to a Chrome/Edge/Firefox extension, detailing…
An ASEC analysis outlines a multi-stage malware chain beginning with a VBScript downloader fetched via curl that ultimately fetches and runs a malicious HWP document. The attackers use persistence, dynamic command delivery, and shelling out to remote scripts, …
A Korean-targeted intrusion campaign leveraged FRP-based reverse proxy techniques to gain unauthorized external access to internal networks, often starting with vulnerable IIS or MS Exchange servers. The operation included Webshells (ASPXSpy), privilege escala…
The ASEC analysis team reports the ongoing distribution of malicious Word documents targeting individuals tied to national defense and North Korea, with filenames referencing real people. The embedded macros download PowerShell scripts, collect host informatio…
PureCrypter is a MaaS-type loader that promotes and downloads other malware families through a two-part downloader/injector architecture, leveraging hundreds of C2s to sustain distribution. It employs image-based masquerading, multiple encoding/encryption sche…
AsyncRAT is explored as an open-source remote administration tool that attackers abuse via a fully undetected downloader, delivered from an Amazon S3 bucket and followed by a PowerShell-based second stage. The analysis traces the infection flow from the FUD ba…
Proofpoint’s Threat Research Team links a long-running TA423/Red Ladon espionage operation to a 2022 ScanBox phishing campaign targeting Australian government, offshore energy, and international entities in the South China Sea. The operation impersonates Austr…