Cyble researchers report that a threat actor has begun releasing MiniStealer’s builder and panel for free, with Parrot Stealer allegedly based on MiniStealer. The campaign targets Windows systems and steals data from Chromium-based browsers and FTP applications, signal…
Category: Threat Research
Check Point Research uncovered Nitrokod, a Turkey-based crypto-miner campaign that hides malware in legitimate-looking apps such as a Google Translate desktop client and has infected machines across 11 countries. The operation uses a multi-stage infection chain with long…
BlueSky ransomware is an emerging threat observed since mid-2022 that spreads through trojanized downloads and phishing emails, with fast encryption and lateral movement in Windows environments. It uses multi-stage PowerShell droppers, SMB-based prop…
Mitiga uncovered an advanced business email compromise (BEC) campaign that targets executives via Office 365, combining high-end spear-phishing with adversary-in-the-middle (AiTM) techniques to bypass MFA and achieve persistence. Attackers monitor significant …
Remcos RAT is a remote access trojan sold by Breaking Security and marketed as a legitimate administration tool, but it is widely used for malicious operations, including building botnets. It can capture screenshots, log keystrokes, and exfiltrate data to attacker servers, with…
An analyst investigates whether 64-bit malware is becoming more common by analyzing 217GB of ZIP archives from MalwareBazaar, applying YARA to differentiate 32-bit and 64-bit PE files. The study finds a rising but still-small share of 64-bit samples and highli…
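The 32-bit/64-bit split in that study comes from a few PE header reads that a YARA condition can express directly (`uint16(0) == 0x5A4D`, `uint32(uint32(0x3C)) == 0x00004550`, `uint16(uint32(0x3C) + 4) == 0x8664`). The Python below is an added example, not the analyst's code or rules: it performs the same header walk and, going one step beyond a Machine-only rule, cross-checks the COFF Machine field against the optional header Magic so that a sample with a tampered or mismatched header is flagged rather than silently counted on one side. All sample blobs are constructed header-only stubs, not files from MalwareBazaar; the function and constant names are this example's own.

```python
import struct
from collections import Counter

# Machine values and optional-header Magic values from the PE/COFF specification
# (standard constants, not assumptions of this example).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_ARM64 = 0xAA64
PE32_MAGIC = 0x010B      # 32-bit image
PE32PLUS_MAGIC = 0x020B  # 64-bit image

# The plain YARA condition this example mirrors for the x64 case (no pe module needed):
YARA_CONDITION_X64 = (
    "uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 "
    "and uint16(uint32(0x3C) + 4) == 0x8664"
)


def pe_bitness(data: bytes) -> str:
    """Return 'not-pe', '32-bit', '64-bit' or 'inconsistent'.

    Checks the DOS 'MZ' stamp, follows e_lfanew (offset 0x3C) to the 'PE\\0\\0'
    signature, reads COFF Machine (signature + 4) and cross-checks it against the
    optional header Magic (signature + 24). A Machine-only rule would count a
    sample whose Machine says x64 but whose Magic says PE32 as 64-bit; here it
    is reported as 'inconsistent' so it can be examined separately.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if machine == IMAGE_FILE_MACHINE_I386 and magic == PE32_MAGIC:
        return "32-bit"
    if machine in (IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_MACHINE_ARM64) and magic == PE32PLUS_MAGIC:
        return "64-bit"
    return "inconsistent"


def tally(samples) -> dict:
    """Count classifications over (name, bytes) pairs, as a corpus sweep would."""
    return dict(Counter(pe_bitness(blob) for _, blob in samples))


def make_pe_stub(machine: int, magic: int, e_lfanew: int = 0x80) -> bytes:
    """Build a constructed, header-only blob (not a runnable executable) that
    satisfies the header checks above; used only as sample input here."""
    dos = bytearray(b"MZ" + b"\0" * (0x3C - 2)) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x22)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic) + b"\0" * 30


# Constructed samples standing in for a corpus directory (not real malware).
CORPUS = [
    ("a.exe", make_pe_stub(IMAGE_FILE_MACHINE_I386, PE32_MAGIC)),
    ("b.exe", make_pe_stub(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC)),
    ("c.exe", make_pe_stub(IMAGE_FILE_MACHINE_I386, PE32_MAGIC)),
    ("d.bin", make_pe_stub(IMAGE_FILE_MACHINE_AMD64, PE32_MAGIC)),  # mismatched header
    ("e.txt", b"not a PE file at all"),
]

if __name__ == "__main__":
    for name, blob in CORPUS:
        print(f"{name}: {pe_bitness(blob)}")
    print(tally(CORPUS))
```

On a real corpus the `CORPUS` list would be replaced by reading each archive member's first few hundred bytes; only the headers are needed, so the sweep never has to load whole samples into memory.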
Cyble Research Labs analyzed a targeted .NET-based ransomware variant named Moisha, linked to the PT_MOISHA team. Moisha uses double-extortion to exfiltrate and encrypt data, while disabling defenses and threatening data leakage if payment isn’t made. #Moisha …
BleachGap is a single-executable ransomware variant analyzed by K7 Labs that functions as a stealer and encryptor, using in-memory encoding to evade detection and exfiltrates data to a Discord webhook. The campaign includes disabling security tools, enumeratin…
A Go-written ransomware named Agenda targets healthcare and education organizations in Asia and Africa, customizing payloads per victim with unique IDs and leaked credentials. It can reboot in safe mode, terminate server-related processes, and uses affiliate-s…
IronDefense documented a unique Black Hat NOC environment where real malware activity and classroom demos co-exist, revealing notable infections like SHARPEXT, Shlayer, and NetSupport RAT. The findings highlight the challenges of defending a highly segmented, …
Qbot (QakBot) infections surged in 2022, with Trellix SecOps documenting its evolving delivery vectors and detection strategies to outpace defenses. The post details Qbot’s infection chain, MITRE technique mappings, IOCs, and Trellix detection/hunting guidance…
Security researchers describe a phishing campaign attributed to 0ktapus that targets Okta identity credentials, using a large set of look-alike domains to harvest user data. The article catalogs hundreds of IPs and domains used in the campaign’s infrastructure…
Threat actors abuse a compromised Microsoft Dynamics 365 Customer Voice account to send spoofed eFax notifications and lure recipients into credential phishing. The campaign spreads broadly across sectors by leveraging a legitimate service to host a fake eFax/…
Kimsuky’s GoldDragon cluster is a multi-stage operation targeting Korea-related entities, evolving rapidly with new infection chains and a layered C2 network. The campaign starts with spear-phishing and uses HTML Application (HTA), VBScript, and mshta to fetch…
A phishing campaign spreading the AgentTesla information stealer targets businesses worldwide by sending spoofed emails with malicious disk images (.IMG/.ISO) named “Draft Contract”; the attack harvests browser and email credentials and other system data. A Po…