SharpExt is a browser-extension malware used by Kimsuky to steal emails and attachments, as detailed by Volexity and related researchers. The campaign maps to older activity, leverages a large network of domains for delivery and C2, and targets US, Europe, and…
Orchard is a botnet family that uses DGA technology to generate C2 domains, incorporating Bitcoin wallet transaction data as inputs to the DGA to increase unpredictability. It has evolved across three versions since 2021, combining hardcoded DuckDNS domains wi…
Researchers analyze CrowdStrike’s Adversary Quest 2022 CATAPULT SPIDER track, which centers on a Dogecoin-driven ransomware campaign leveraging CHM phishing, encoded PowerShell, and a Dogecoin-based C2. The storyline uncovers multi-stage payloads, a vulnerable…
APT31 renewed its attacks on Russian media and energy companies by leveraging a malicious document that loads a VMProtect-packed payload, linking the activity to the APT31 toolkit. The campaign uses cloud storage services (notably Yandex.Disk) as C2 to blend i…
GwisinLocker.Linux is a Linux-based ransomware variant linked to the Gwisin threat actor, targeting South Korean industrial and pharmaceutical firms. It encrypts files using per-file AES keys (with RSA-wrapped keys), stores keys in .mcrgnx0 files, appends .mcr…
Projector Libra (EXOTIC LILY) distributes Bumblebee via email campaigns that use file-sharing services to deliver malware, replacing the previous loader BazarLoader. The campaign chains ISO images with Windows shortcuts to execute Bumblebee, often followed by …
FortiGuard Labs tracks RapperBot, a rapidly evolving IoT malware family that borrows heavily from Mirai but switches from Telnet to SSH brute forcing for initial access on Linux devices. The campaign shows notable persistence and credential-access capabilities…
Woody Rat is a new feature-rich Remote Access Trojan active in the wild for at least a year, attributed to a threat actor targeting Russian entities. It spreads via archive file spearphishing and weaponized Office documents using the Follina vulnerability (CVE…
ASEC has observed ongoing distribution of North Korea–related Word files used in Kimsuky campaigns, including variants that rely on mshta. Attackers impersonate Korean organizations to trigger a follow-up email with a link to download a malicious Word document…
Dark Utilities is a C2-as-a-Service platform released in early 2022 that provides remote access, DDoS, and cryptocurrency mining capabilities, with payloads for Windows, Linux, and Python hosted on IPFS to resist takedowns. Since launch, malware samples have r…
ROADSWEEP encrypts files across discovered drives using RC4 and marks them with a .lck extension, then performs a wipe with a self-delete to cover its tracks. The activity is part of a broader campaign involving ZEROCLEAR and CHIMNEYSWEEP, tied to a politicall…
LOLI Stealer is a Golang-based infostealer sold via a MaaS model, capable of stealing passwords, cookies, wallet data, and screenshots from infected machines. Cyble Research Labs tracked LOLI Stealer and its evolving capabilities, including data exfiltration t…
IcedID is evolving its delivery by using PrivateLoader as a load service, with SmokeLoader handling payloads and DNS-based C2 activity to fetch additional modules. The report ties together multiple loaders, ransomware and stealer payloads, and questions why ma…
VirusTotal’s Deception at scale report analyzes how malware abuses trust by hiding in legitimate installers, signing certificates, and masquerading as popular applications to deliver malicious payloads. It highlights social engineering trends and practical tec…
Robin Banks is a phishing-as-a-service (PhaaS) platform that sells ready-made phishing kits targeting financial information for users in the U.S., U.K., Canada, and Australia. IronNet researchers observed a large-scale June 2022 campaign using Robin Banks to s…