Talos observed a month-long AvosLocker campaign leveraging Sliver, Cobalt Strike, and network scanners to move laterally after exploiting Log4Shell on exposed VMware Horizon UAG appliances. The incident underscores the importance of properly configured securit…
Category: Threat Research
Phishing content is increasingly delivered via Azure Front Door, with attackers using lookalike domains to harvest credentials from multiple major services. They rely on compromised email accounts to spread targeted phishing, impersonating brands like SendGrid…
ThreatLabz has tracked a voicemail-themed credential phishing campaign since May 2022 targeting US-based organizations across multiple verticals to steal Office365 and Outlook credentials. The operation shows overlap with a 2020 voicemail campaign and uses tar…
IceXLoader is a Nim-based commercial loader promoted in malware forums to download and deploy additional payloads on Windows machines, with ties to NimzaLoader used by the TrickBot group. The article outlines IceXLoader v3.0’s technical behavior, potential del…
On 2022-06-16, researchers observed a malspam wave delivering Matanbuchus via a ZIP that contains an HTML page which decodes and downloads payloads, ultimately triggering Cobalt Strike beacons. The operation uses a signed MSI, base64-encoded payloads, and HTTP…
Raccoon Stealer has returned with a new V2 version, resuming activity after a pause linked to a key developer’s death. The update introduces a more automated, faster builder/admin panel, and a Cracked Software distribution approach, with ongoing monitoring adv…
Trend Micro analyzes updated CopperStealer samples that spread via fake cracks on websites, detailing a two-stage dropper, browser data theft, and a revamped C2 setup. The report highlights code reuse, a DES-based encryption scheme, UPX-packed components, Tele…
Magecart client-side attacks are still active but appear more covert, with researchers tracing new anti-VM infrastructure and noting visibility risks if operators move to server-side skimming. The investigation links two newly reported anti-VM skimmer domains…
ASEC’s analysis identifies active distribution of malicious HWP files that exploit an OLE object insertion feature to run a batch file, with PowerShell injecting shellcode into a normal process. The campaigns target national defense, North Korea–related materi…
Cerber2021 ransomware has resurfaced, delivered via exploitation of patched/unpatched vulnerabilities to target Confluence and Gitlab servers, and then encrypts files on Windows and Linux with a Tor-based ransom site. The analysis details file encryption behavior,…
QBot (QakBot) is a long-standing banking trojan that steals credentials and is spread via spam emails with macro-enabled Office documents. The article highlights two recent distribution methods (XLSB with hidden payload sheets and XLTM macro templates), detail…
Volexity details a targeted Sophos Firewall breach that leveraged a zero-day remote code execution vulnerability (CVE-2022-1040) to install a webshell, establish persistence, and conduct MITM activity that extended to external systems such as CMS websites. Sop…
Cyble Research Labs identified an Android malware variant distributed via the Play Store that acts as a Hostile Downloader to fetch the Hydra Banking Trojan. The app masquerades as Document Manager, uses fake update prompts, and communicates with a TOR-enabled…
An unknown threat actor exploits CVE-2019-18935 in Telerik UI for ASP.NET AJAX to seize control of Windows servers, drop a Cobalt Strike beacon, and stage further malware via PowerShell commands. Sophos MTR links these campaigns to earlier Blue Mockingbird act…
Follina (CVE-2022-30190) is a remote code execution vulnerability in Microsoft Office that can be exploited without macros by loading an external reference which ultimately invokes the MSDT tool to run PowerShell. The article outlines the attack flow, the tech…