Saitama is a backdoor that uses DNS tunneling to encapsulate its C2 messages, hiding commands within IPv4 addresses. The activity has been linked to APT34 and was observed in a phishing email targeting Jordan's foreign ministry; Morphus Labs also released a tr…
Category: Threat Research
Check Point Research exposes an Iranian-backed spear-phishing operation targeting former Israeli officials and other high-ranking figures, leveraging a custom phishing infrastructure and inbox takeovers to steal credentials and ident…
Purple Fox malware evolved from an exploit kit used by RIG EK into an independent threat that deploys a multi-stage, stealthy infection chain featuring a rootkit, LOLBIN abuse, and privilege escalation via public CVEs. The analysis maps observed behaviors to M…
SeaFlower is a highly sophisticated intrusion set that targets web3 wallets by delivering backdoored iOS/Android apps, injecting covert code to exfiltrate seed phrases and balances. It uses provisioning-based sideloading, dylib injections, React Native bundle …
PureCrypter is a fully featured loader sold since 2021 that distributes a range of remote access trojans and information stealers. It uses a .NET-based, obfuscated, and encrypted delivery chain with protobuf-configured options for persistence, injection, and d…
Avast researchers document Syslogk, a Linux kernel rootkit under development in the wild that leverages Adore-Ng foundations to hide itself and a Rekoobe backdoor embedded in a fake SMTP server. The malware can be revealed, loaded, and controlled via on-demand…
IP2Scam tech support campaigns use malvertising to push visitors to browser locker pages. The operators rotate infrastructure and impersonate brands to misdirect users, while researchers tracked the activity and coordinated takedown efforts with hosting provid…
Unit 42 identifies PingPull, a new remote access Trojan used by the GALLIUM group, expanding its targeting beyond telecommunications to financial institutions and government entities across multiple regions. PingPull supports three C2 channels (ICMP, HTTP(S), …
Two security researchers describe how crypto-mining operations leveraged Atlassian Confluence zero-day CVE-2022-26134 to drop and execute mining payloads on Linux and Windows hosts, using a multi-stage chain from initial exploitation to persistence and lateral…
HelloXD is a ransomware family performing double extortion on Windows and Linux, with negotiations conducted via TOX chat and onion-based services instead of a leak site. Unit 42's analysis links HelloXD to x4k and reveals details on its packers, memory-based …
Symbiote is a highly evasive Linux threat that infects running processes by loading as a shared object via LD_PRELOAD to gain rootkit capabilities and remote access. Researchers describe its stealthy behavior: hiding itself and other malware, evading live foren…
Lyceum Group, an Iranian state-sponsored APT, deployed a new .NET DNS backdoor (DnsSystem) in campaigns targeting the Middle East, delivered via a macro-enabled Word document and attacker-controlled DNS. The backdoor communicates over DNS (TXT and A records) t…
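The two DNS C2 channels mentioned on this page, commands carried in A-record IPv4 answers (Saitama, above) and in TXT records (Lyceum's DnsSystem), as an added Python illustration that is not code from either implant or from any vendor report. The record layout (a length record plus one A answer per three payload bytes with a sequence octet; base64 chunks of at most 255 bytes per TXT string), the `LENGTH_SEQ` convention and the `looks_like_ip_tunnel` heuristic are all assumptions chosen to make the mechanism visible; the real malware uses its own encodings.

```python
"""DNS-tunnelled C2 over A and TXT answers, as a generic illustration.

Added example: this is not code from Saitama, Lyceum's DnsSystem, or any
vendor report. The record layout (an A record per 3 payload bytes with a
sequence octet, and base64 text chunks in TXT strings) is an assumption
chosen to make the mechanism visible; the real implants use their own
encodings.
"""
import base64
import ipaddress
import random

LENGTH_SEQ = 0          # assumed: the record whose first octet is 0 carries the payload length
MAX_PAYLOAD = 255 * 3   # one-octet sequence field, 3 payload bytes per record


def encode_a_records(command: bytes) -> list[str]:
    """Server side: hide a command in the A answers for one query.

    Record "0.hi.lo.0" carries the payload length; each later record is
    "<seq>.<b0>.<b1>.<b2>", zero padded, so every answer looks like an IPv4 host.
    """
    if len(command) > MAX_PAYLOAD:
        raise ValueError("command too long for a single-octet sequence field")
    records = [f"0.{len(command) >> 8}.{len(command) & 0xFF}.0"]
    for seq, off in enumerate(range(0, len(command), 3), start=1):
        chunk = command[off:off + 3].ljust(3, b"\x00")
        records.append(f"{seq}.{chunk[0]}.{chunk[1]}.{chunk[2]}")
    return records


def decode_a_records(answers: list[str]) -> bytes:
    """Client side: reassemble the command from A answers in any order.

    Resolvers and caches may reorder answers, so the sequence octet, not the
    position in the response, decides the byte order.
    """
    octets = sorted(tuple(int(o) for o in a.split(".")) for a in answers)
    if not octets or octets[0][0] != LENGTH_SEQ:
        raise ValueError("length record missing")
    length = (octets[0][1] << 8) | octets[0][2]
    payload = b"".join(bytes(o[1:]) for o in octets[1:])
    return payload[:length]


def encode_txt_records(command: bytes, chunk: int = 255) -> list[str]:
    """TXT variant: base64 the command and split it into character-strings of
    at most 255 bytes, the limit for one string inside TXT RDATA."""
    text = base64.b64encode(command).decode("ascii")
    return [text[i:i + chunk] for i in range(0, len(text), chunk)]


def decode_txt_records(strings: list[str]) -> bytes:
    """Client side for the TXT channel: join the strings in order and decode."""
    return base64.b64decode("".join(strings))


def looks_like_ip_tunnel(answers: list[str]) -> bool:
    """Defender-side heuristic (an assumption, not from the reports): command
    bytes rarely form routable addresses, so a name whose A answers are mostly
    private, reserved, loopback or multicast is worth a second look."""
    ips = [ipaddress.ip_address(a) for a in answers]
    odd = sum(1 for ip in ips
              if ip.is_private or ip.is_reserved or ip.is_loopback or ip.is_multicast)
    return len(ips) > 1 and odd * 2 >= len(ips)


if __name__ == "__main__":
    cmd = b"whoami /all"                    # constructed sample command
    a_records = encode_a_records(cmd)
    random.shuffle(a_records)               # simulate answer reordering in transit
    assert decode_a_records(a_records) == cmd
    assert decode_txt_records(encode_txt_records(cmd)) == cmd
    print("A answers:", a_records, "flagged:", looks_like_ip_tunnel(a_records))
```

The sequence octet is what makes the A channel survive resolver reordering; an implant that trusted answer order would break behind any caching resolver. The heuristic is deliberately crude: it catches payloads whose first octets fall in non-routable space, but an operator who reserves that octet for a sequence number in a routable range, as the scheme above partly does, will slip past it, so pair it with query-volume and label-entropy checks in practice.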
Threat actors behind a Magecart skimmer use in-browser virtual-machine detection via WebGL to distinguish real victims from researchers or sandboxes. If the machine passes the check, the skimmer exfiltrates sensitive data by a single POST while employing obfus…
An ISC guest diary analyzes the modern coin miner malware variant "redtail" and its capabilities across four CPU architectures, showing how attackers gain initial SSH access, upload payloads, and establish persistence on compromised hosts. The report traces tw…
A malvertising-driven campaign now pushes a fake Firefox update, a lookalike of FakeUpdates (SocGholish), delivering an encrypted payload via a simple loader that drops adware. The infrastructure reuse and long-running MakeMoney gates highlight persistent attr…