Follina (CVE-2022-30190) is a remote-code-execution vulnerability in Microsoft’s MSDT exploited via Word documents that load a remote template containing a payload. Researchers show how attackers used remote templates and base64-encoded PowerShell to run code,…
Category: Threat Research
Cybereason GSOC analyzes a Bumblebee Loader infection, detailing the attack chain from initial lure to full network compromise and Active Directory takeover, with notes on post-exploitation actions, credential theft, and data exfiltration. The report also high…
DarkTortilla is a highly configurable .NET-based crypter that delivers commodity information stealers and RATs, with targeted payloads such as Cobalt Strike and Metasploit. It uses a two-component architecture (initial loader and core processor) with strong an…
Two newly discovered malicious PyPI packages masquerade as a popular library to steal data and credentials, delivering a multi-stage payload that culminates in the W4SP Stealer which exfiltrates browser data and Discord tokens via a Discord webhook. The campai…
Raccoon is an info-stealer malware offered as malware-as-a-service since 2019, capable of stealing passwords, cookies, autofill data, and cryptocurrency wallet data from browsers. The campaign uses phishing campaigns and trusted Windows components to drop, exe…
A Checkmarx analysis details a large typosquatting campaign targeting Python’s top packages that drops Windows malware hosted on GitHub and uses a domain-generation algorithm for C2. The operation also includes DDOS capabilities, anti-sandbox tricks, and persi…
UNC3890 is an Iran-linked threat cluster tracked by Mandiant that targets Israeli shipping, government, energy and healthcare organizations using social-engineering lures and watering holes. The operation leverages a backdoor (SUGARUSH), a credential stealer (…
Browser extensions can be convenient, but many disguise real threats, collecting data, showing affiliate ads, or even stealing credentials. The report documents several malicious and unwanted extension families (WebSearch, DealPly, AddScript, FB Stealer) and e…
Shuckworm (also known as Gamaredon or Armageddon) is a Russia-linked group that has focused on Ukraine since 2014, conducting espionage and information-stealing campaigns. Symantec’s observations detail the infection chain, malware families, and IOCs tied to a…
Sonatype uncovered secretslib, a PyPI package that masquerades as a secrets-management library but secretly runs an in-memory Linux cryptominer, a technique used by fileless malware. The incident also involved identity impersonation of a real Argonne National …
Cyble researchers uncovered a phishing site impersonating Lindesbergs Kommun that delivers Typhon Stealer via a crafted .lnk file and PowerShell to download the payload. The stealer harvests data from browsers, wallets, gaming apps, and messaging tools, with e…
Trend Micro tracks CopperStealer’s new campaign, which distributes a malicious Chromium-based browser extension to steal cryptocurrencies and wallet keys. The operation uses a multi-stage dropper, heavy JavaScript obfuscation, and browser-configuration manipul…
Conti Group, a globally renowned ransomware operation, has recently targeted high-value sectors by exploiting Exchange vulnerabilities to launch targeted campaigns against affluent firms. The report also covers BruteSql Group and links to Conti activity, inclu…
Iron Tiger’s operation against Mimi chat installers shows a supply chain compromise delivering HyperBro on Windows and rshell on macOS/Linux across multiple targets. The campaign spans three major platforms, uses code obfuscation, and establishes C2 communicat…
Cyble Research Labs uncovered MikuBot, a new Windows botnet that steals data and runs hidden HVNC sessions for remote access, with USB propagation and the ability to download and execute additional malware. The actor markets MikuBot with a panel, uses encrypti…