Cyble Research Labs analyzes Onyx ransomware, a .NET-based threat that uses double extortion, exfiltrating data before encryption and renaming its leak site to VSOP NEWS after a period of inactivity. The analysis highlights its encryption methods (.ampkcz exte…
Category: Threat Research
Attackers distribute XMRig Monero CoinMiner via Korean webhards by disguising the miner as a game installer and bundling it with cracked software. The payload downloads xmrig.exe, config.json, and MsDtsServer.exe, installs a startup shortcut for persistence, a…
DeathStalker’s VileRAT campaign targets foreign exchange and cryptocurrency venues with a multi-stage infection chain, involving spearphishing, DOTM remote templates, VBA macro stomping, VileDropper and VileLoader loaders, and a Python-based VileRAT. The repor…
ThreatLabz analyzes a large-scale AitM phishing campaign targeting enterprise Gmail/G Suite users, showing strong overlap with a prior Microsoft email-targeted attack. The operation used multi-stage URL redirection, client-side fingerprinting, and MFA-bypass c…
Raspberry Robin is a worm that spreads via infected external disks and downloads its payload through msiexec from QNAP cloud accounts, using TOR for its C2 channel. It executes payloads via system binaries (rundll32.exe, shell32.dll) and elevates with fodhelpe…
Morphisec Labs details DoNot Team (APT-C-35) updates to their Windows framework (YTY/Jaca), including new modules, a shellcode loader, and an upgraded browser stealer, with a focus on modular delivery and evasion techniques. The post also highlights infection …
The article compiles a large set of file hash indicators tied to Zeppelin ransomware activity as described in the CISA alert AA22-223a, associated with the StopRansomware campaign. It presents these indicators in a purely IOC-focused format without narrative d…
BlueSky ransomware is an emerging Windows-focused family employing multithreading to speed up file encryption and evade defenses. The analysis ties BlueSky to Conti v3 in structure and network behavior, while its cryptography resembles Babuk (ChaCha20 with Cur…
Cisco Talos and CSIRT describe a May 2022 compromise in which a Cisco employee’s Google account credentials (synced from a personal browser) enabled initial VPN access after MFA bypass via vishing and MFA fatigue. The investigation links the actors to an initi…
Unit 42 analyzes Tropical Scorpius (UNC2596) activity, detailing Cuba Ransomware’s evolution with new tools like ROMCOM RAT, KerberCache, and a kernel driver to defeat defenses, plus its connection to the Industrial Spy marketplace. The report covers ransomwar…
SmokeLoader (Dofoil) continues to leverage aging vulnerabilities to deliver its payload via a crafted phishing email chain, decrypt an embedded OLE stream, and drop a final DLL payload that is associated with zgRAT. The campaign demonstrates how attackers rely…
This analysis confirms a Maui ransomware incident in 2022 attributed to Andariel, who deployed a DTrack variant about ten hours earlier on the same target. The operation appears global in scope, with a Japanese victim and overlaps to…
Threat actors repurpose Open Redirect vulnerabilities to bypass spam filters and deliver the LogoKit phishing content using trusted domains such as Snapchat and Google. LogoKit dynamically generates landing pages, steals credentials, and leverages compromised …
New HiddenAds malware affects 1M+ users and hides on the Google Play Store (McAfee Blog, authored by Dexter Shin). McAfee’s Mobile Research Team has identified new malware on the Google Play Store. Most of them…
An April 2022 intrusion saw BumbleBee act as the initial access loader, enabling multi-stage payloads and outbound C2 communication within a Windows environment. The operation featured credential dumping, Kerberoasting, privilege escalation tooling, and Cobalt…