NCC Group analyzes Everest ransomware operations and argues a link to BlackByte, detailing how Everest-related activity observed during an incident response used TTPs such as RDP-based lateral movement, credential dumping, and C2 via remote tools. The report …
Category: Threat Research
ApolloRAT is a Python-based Remote Access Trojan that uses Discord as its C&C server. Cyble researchers note that the RAT is compiled with Nuitka to increase evasion and that threat actors are selling it for a low price on Telegram and their site. #ApolloRAT #…
Cisco Talos reports a new campaign by the Transparent Tribe APT targeting Indian educational institutions, deploying CrimsonRAT to establish long-term access into victim networks. The operation also implicates a Pakistani hosting provider, Zain Hosting, as par…
Unit 42 analyzes Brute Ratel C4 (BRc4) activity tied to a Roshan_CV ISO, showing how a red-teaming tool can evade modern defenses and operate with nation-state-like tradecraft. The post covers the tool’s packaging, delivery via a LNK lure, in-memory execution,…
OrBit is a new, previously undetected Linux threat that hijacks the execution flow by loading a malicious shared object and infects all running and future processes. It provides a remote SSH backdoor, harvests credentials, logs TTY commands, and persists via two methods (…
Cyble Research Labs uncovered NoMercy stealer being sold on Telegram, primarily targeting Indian threat actors, with the developer rapidly adding new capabilities (including clipper and VPN client-stealer features). The stealer exfiltrates extensive host infor…
This joint Cybersecurity Advisory explains that Maui ransomware has been used by North Korean state-sponsored actors since May 2021 to target Healthcare and Public Health sector organizations, detailing TTPs and IOCs. It urges mitigations and reporting, and wa…
Bitter (T-APT-17) continues to target Bangladesh, employing a multi-stage infection chain beginning with an Excel Maldoc that exploits CVE-2018-0798 to drop additional payloads. The operation culminates in Almond RAT, a .NET-based backdoor that uses AES-CBC en…
BumbleBee is a new loader actively used to deliver payloads via phishing campaigns and to establish an initial foothold in target networks. The analysis highlights its living-off-the-land techniques, notably using a Microsoft-signed odbcconf.exe to indirectly …
MS-SQL servers are commonly targeted by attackers who gain control and install malware, including coin miners and ransomware. The article details a case where attackers deploy Cobalt Strike and Meterpreter on vulnerable MS-SQL servers to install AnyDesk for re…
An LNK file is a Windows Shortcut that serves as a pointer to open a file, folder, or application. LNK files are based on the Shell Link binary file format, which holds information used to access another data object. McAfee Labs has seen a rise in malware being delivered using LNK…
ReversingLabs uncovered a widespread npm software supply chain attack where malicious JavaScript packages were published to steal form data from apps and websites. The campaign used typosquatting to impersonate legitimate…
DarkComet RAT has re-emerged with new TTP-based detection and response coverage, highlighting its capabilities as a stealthy remote access Trojan that can spy on systems, steal credentials, and add infected machines to a botnet. The article outlines a multi-s…
VSingle, a Lazarus-linked malware, has been updated to fetch C2 server information from GitHub instead of relying solely on hard-coded C2 endpoints. The Linux variant uses wget for C2 communication, stores responses in /tmp/.sess_* files, and dynamically disco…
Cyble Research Labs analyzed Xloader’s updated infection technique, detailing a multi-stage chain that starts with a phishing email delivering a PDF attachment, then moves through an embedded XLSX and an RTF-triggered dropper to load the final Xloader payload. …