Robin Banks is a phishing-as-a-service (PhaaS) platform that sells ready-made phishing kits targeting financial information for users in the U.S., U.K., Canada, and Australia. IronNet researchers observed a large-scale June 2022 campaign using Robin Banks to s…
Category: Threat Research
This analysis details how an Emotet intrusion employs obfuscated Excel macros to download and run an Emotet loader, which is then executed via regsvr32 for payload deployment. It highlights how the loader stores an encrypted payload in its resources, uses a Windo…
RedLine Stealer is a data-collection malware distributed as cracked software that harvests browser data, cryptocurrency wallet credentials, and data from other applications, then exfiltrates the results via SOAP to a hard-coded C2 server. The report details its deployme…
Threat actors impersonate Atomic Wallet with a phishing site to deliver Mars Stealer, a credential-theft malware. The campaign uses a staged download chain, PowerShell, AES decryption, and a Discord-hosted payload that exfiltrates data to a C2 server. #MarsSte…
Cisco Talos uncovered Manjusaka, a new offensive framework advertised as an imitation of Cobalt Strike, featuring Rust-based implants for Windows and Linux and a Go-based C2 with a Simplified Chinese UI that can generate configured implants. A COVID-19 themed …
Trend Micro researchers analyze a new SolidBit variant that disguises itself as legitimate gaming/social apps on GitHub to lure victims and recruit ransomware-as-a-service affiliates. The campaign features multi-stage infection (Rust LoL Accounts Checker -> Lo…
Industrial Spy is a relatively new ransomware group that emerged in April 2022, starting with data extortion and later adding encryption for double extortion. The group operates a dark web marketplace to exfiltrate and monetize stolen data, while its ransomwar…
BPFDoor is a Linux/Unix backdoor that uses Berkeley Packet Filters (BPF) to filter data through sockets and support multiple C2 protocols (TCP, UDP, ICMP), enabling stealthy remote access. The BPFDoor campaign is attributed to the Chinese threat actor Red Mens…
IPFS is being used as a new platform for phishing, hosting content across a decentralized network and complicating takedowns. The article surveys IPFS phishing URLs, highlighting the services attackers abuse (Infura IPFS, Filebase/IPFS, NFT Storage, Surge.sh) …
A newly identified family of malicious documents from Iran, dubbed Green Stone, embeds an executable payload (nvidiax.exe) delivered via a macro and executes it after unpacking from base64-encoded content. The malware hides itself, gather…
An in-depth look at a convoluted infection chain embedded in an Excel document that lures users to enable macros, then unleashes a multi-stage payload across embedded worksheets. The campaign uses obfuscated .NET loaders (Tupak, Chimchim)…
SHARPEXT is a clever post-exploitation browser extension used by SharpTongue (often associated with Kimsuky) to inspect and exfiltrate data from a victim’s webmail (Gmail and AOL) as users browse. The attackers deploy SHARPEXT by modifying browser preferences …
Symbiote hooks libc and libpcap to hide its activity on Linux, including hiding processes, files, and network connections. It steals credentials from SSH/SCP by hooking the libc read function, encrypts them with RC4, stores them locally, and exfiltrates via DN…
An in-depth analysis shows how the Follina exploit (CVE-2022-30190) is weaponized to achieve remote code execution via MSDT and to enable persistent, live-off-the-land attacker activity using native Windows tools. The report details three…
Gootkit loader now employs more advanced fileless techniques to drop Cobalt Strike, using SEO-poisoned compromised websites and legal document templates to lure victims. The attack chain involves registry stuffing, memory-only execution via PowerShell, and a C…