Threat actors abuse a compromised Microsoft Dynamics 365 Customer Voice account to send spoofed eFax notifications and lure recipients into credential phishing. The campaign spreads broadly across sectors by leveraging a legitimate service to host a fake eFax/…
Category: Threat Research
Threat actors distributing infostealers are gaining momentum by targeting victims seeking to illegally download pirated software. The analysis covers two infection chains—Case 1 with RedLine Stealer and Case 2 with RecordBreaker Stealer—highlighting evasion te…
Part 2 of the wiper series explains how threat actors exploit legitimate third-party kernel drivers to bypass detection and perform disk wiping in kernel space, focusing on ElRawDisk and EPMNTDRV. It also covers how these drivers are loaded (via Service Contro…
U.S. CISA and MS-ISAC warn that multiple CVEs in Zimbra Collaboration Suite are being actively exploited in government and private networks, with attackers able to gain access and maintain persistence. The advisory provides patch gui…
ASEC’s analysis shows BitRAT and XMRig CoinMiner being distributed as a Windows license verification tool, with the payloads deployed via a MediaFire-hosted 7z SFX bundle and downloader chains that depend on the victim’s environment. The campaign uses Defender…
AsyncRAT is being distributed in a fileless form via phishing emails, where a compressed attachment leads to an HTML file that generates a malicious ISO containing VBScript and BAT components. The infection chain culminates in a PowerShell-based loader that in…
Attack activity targeting Ukrainian .ua domains has risen, with a wide range of attack types observed and a shift toward broad automated exploit attempts. The findings detail top vectors such as malicious IPs, malicious user-agents, and attempts to upload or d…
Cyble Research Labs dissected an IBAN Clipper malware that targets Windows by monitoring the clipboard and swapping bank account numbers with the attacker’s data. The malware uses remote fetching of IBANs, multithreading for speed, and persisten…
Today’s diary describes a Brazilian malspam campaign delivering Astaroth (Guildma) malware via a Boleto-themed email pretending to be from Grupo Solução & CIA. The malicious ZIP contains a Windows shortcut and a batch file used to infect a Windows host and exf…
XCSSET, a macOS malware family, updated in 2022 to adapt to macOS Monterey and to prepare for a future without Python by removing Python-based components and shifting toward SHC-compiled droppers and run-only AppleScripts. The analysis outlines infection refin…
Fortinet FortiGuard Labs analyzes a spearphishing campaign against a South Asian telecommunications agency, weaponizing an RTF document with Royal Road to exploit CVE-2018-0798 and drop a DLL chain leading to PoisonIvy (PivNoxy/Chinoxy) backdoors. The report o…
Cyble Research Labs highlights BianLian as a Go language-based ransomware variant that targets multiple industries and leverages cross-platform capabilities to complicate reverse engineering. The campaign includes file encryption across drives, ransom notes, a…
ThreatLabz observed a Grandoreiro banking Trojan campaign targeting Mexico and Spain across multiple industry verticals, using spear-phishing emails that impersonate government officials to lure victims to download and execute Grandoreiro. The loader employs a…
Cyble researchers exposed a dark web post by a malware developer selling a powerful Windows RAT suite, including XWorm with ransomware and HVNC capabilities. The article details the toolset, persistence and anti-analysis techniques, data exfiltration, and the …
TA558 is a financially motivated threat actor targeting hospitality, hotel, and travel organizations, predominantly in Latin America, with activity in Western Europe and North America. From 2018 onward, Proofpoint observed TA558 repeatedly using reservation-th…