Lightning Framework is a modular, undetected Linux malware framework with a downloader, core, and multiple plugins, including rootkit-capable components, that can communicate with a threat actor via a malleable C2 configuration. It leverages typosquatting, per…
Category: Threat Research
LockBit 3.0 (aka LockBit Black) is an evolved ransomware capable of aggressive anti-analysis and evasion, rapid encryption, and expanded data-leak and affiliate-management features. The piece provides a technical dive into its payload behavior, persistence, ge…
TA4563 is a threat actor using the EvilNum backdoor to target European DeFi, cryptocurrency, and forex entities, with campaigns evolving in how they deliver the malware and evade defenses. EvilNum functions as a backdoor for data theft and loading additional p…
CloudMensis is a macOS backdoor that spies on victims by exfiltrating documents, keystrokes, and screen captures, and communicates with its operators exclusively via public cloud storage services. It uses a two-stage architecture where the first stage download…
Fortinet’s FortiGuard Labs documented a phishing campaign delivering a new QakBot variant via an attached HTML file that auto-executes to drop a ZIP, load a loader, and ultimately run QakBot within a Windows process. The analysis details the infection chain fr…
NukeSped RAT is a Windows-based remote access trojan attributed to the Lazarus Group that uses phishing Word documents with malicious macros to drop staged payloads. It exfiltrates data, captures keystrokes and screenshots, and downloads additional payloads, e…
Amadey Bot is an information-stealing malware that also acts as a downloader for additional payloads when commanded by a C2 server, and it has been spread via SmokeLoader as part of downloader activity. It targets systems through disguise in software cracks, th…
Cyble Research Labs analyzes Redeemer 2.0, a ransomware variant distributed via an affiliate program that shares 20% of victims’ Monero ransom with affiliates and uses a builder to tailor campaigns. Redeemer 2.0 adds an affiliate toolkit, GUI-based decrypter, …
Over the last month a crimeware group best known as 8220 Gang has expanded its botnet to roughly 30,000 hosts globally through Linux vulnerabilities and poorly secured configurations. The infection script, IRC botnet, and updated PwnRig cryptocurrency miner …
Cyber threat actors, including state-sponsored APT groups, continue to exploit CVE-2021-44228 (Log4Shell) in unpatched VMware Horizon and Unified Access Gateway (UAG) servers to gain initial access and move laterally within organizations. They deploy loader ma…
Pegasus spyware was used against Thailand’s pro-democracy movement, with at least 30 civil society victims infected between October 2020 and November 2021, triggering Apple security notifications in November 2021 and a collaborative forensic investigation. The…
Researchers document Cloaked Ursa (APT29) campaigns that weaponize trusted cloud storage services to hide malware delivery, notably Dropbox and Google Drive. The campaigns deploy EnvyScout HTML droppers to fetch Agenda.iso payloads and use Google Drive-based e…
Resecurity reports attackers are increasingly using tools to generate malicious shortcut files (.LNK) for payload delivery, with MLNK Builder 4.2 adding AV evasion and icon masquerading. Campaigns by APT groups and cybercriminals—including Bumblebee Loader and…
Unit 42 describes a campaign targeting Elastix/Digium phones where a PHP web shell is implanted to exfiltrate data and fetch additional payloads. The activity links to a Rest Phone Apps RCE (CVE-2021-45461) and is mitigated by Palo Alto Networks WildFire and T…
Wordfence reports a surge of attacks targeting Kaswara Modern WPBakery Page Builder Addons exploiting CVE-2021-24284 to upload PHP files and take over sites; the plugin is closed with no patch available, leaving all versions affected. Wordfence …