Threat actors abuse DLL sideloading to run malicious code through legitimate Microsoft applications (Teams and OneDrive), dropping and loading a malicious DLL that communicates with a remote C2 and leverages Cobalt Strike Beacon for post-exploitation. The camp…
Category: Threat Research
Yoroi’s ZLab tracks Hive (TH-313) ransomware and its evolution from Go-based payloads to Rust-based variants under a Double Extortion/RaaS model, highlighting its expanding victimology including healthcare and critical infrastructure. The report details increa…
TA551/Monster Libra (aka SVCReady) has been distributing IcedID (Bokbot) alongside SVCReady since 2022, with campaigns that used password-protected archives and ISO images to drop malware and scripts. The infection chain led to DarkVNC activity and Cobalt Stri…
LockBit 3.0, dubbed LockBit Black, shows clear borrowings from BlackMatter, including API harvesting, anti-debugging, and a suite of configuration flags that govern encryption and lateral movement. The variant deepens LockBit’s capabilities with BlackMatter-li…
CosmicStrand is a sophisticated UEFI firmware rootkit attributed to a Chinese-speaking threat actor, designed to persist from the earliest boot stages and deploy kernel- and user-mode payloads. It achieves durable persistence by implanting in firmware (CSMCORE…
Cyble Research Labs analyzed Luca Stealer, a Rust-based stealer targeting Chromium browsers, crypto wallets, chat apps, and games, whose source code leaked on a cybercrime forum in July 2022. Since then, the malware has seen multiple updates and wider adoption…
Sophos X-Ops describes a coordinated Observe-Orient-Decide-Act loop among SophosLabs, SecOps, MTR, and Sophos AI to study and disrupt a wave of Microsoft SQL Server attacks leveraging old RCE CVEs and delivering Remcos or various ransomware families including …
Avast Threat Labs uncovered a targeted zero-day in Google Chrome (CVE-2022-2294) used in the wild to attack Avast users in the Middle East, including Lebanese journalists. The campaign combined watering hole attacks, a Chrome WebRTC exploit chain, and a BYOVD …
Cyble Research Labs uncovered a new Qakbot playbook that uses DLL sideloading and a multi-stage delivery chain, including HTML-embedded ZIPs and an ISO with a disguised LNK file to trigger execution. The campaign evolves with legitimate apps loading malicious …
YamaBot, linked to Lazarus, targets both Linux and Windows with HTTP-based C2 communication and RC4-based encoding for configuration and commands. The report details Linux and Windows variants, their C2 interactions, commands, and the infrastructure and hashes…
The ASEC analysis tracks attacks against vulnerable Atlassian Confluence Servers exploiting CVE-2021-26084 and CVE-2022-26134, leading to WebShell deployment and coin-mining payloads on unpatched systems. Multiple threat actors and malware families—such as 822…
Threat researchers observed a new attack campaign named STIFF#BIZON targeting high-value targets in the Czech Republic, Poland, and other countries, with artifacts possibly linked to North Korea’s APT37 (Konni). The campaign uses a multi-stage infection chain …
Cisco Talos uncovered a GoMet backdoor campaign targeting a Ukrainian software development firm, with indicators pointing toward Russian state-sponsored actors or their interests. The GoMet variant is a modified open-source backdoor capable of cross-OS deploym…
Fraudsters abused Google’s ad network to redirect users searching for popular brands to a network of tech-support scam pages, effectively hijacking browser sessions through malvertising. The operation used cloaking, multi-stage redirects, and iframe-based brow…
CloudMensis is a macOS backdoor that spies on victims by exfiltrating documents, keystrokes, and screen captures, and communicates with its operators exclusively via public cloud storage services. It uses a two-stage architecture where the first stage download…