Aoqin Dragon is a long-running Chinese-speaking APT tracked by SentinelLabs, active since 2013 and targeting government, education, and telecom organizations in Southeast Asia and Australia. The group uses document exploits, fake removable devices, DLL hijacki…
Category: Threat Research
Bumblebee is a sophisticated loader that replaces BazarLoader and delivers frameworks like Cobalt Strike, Shellcode, Sliver, and Meterpreter, while also dropping other malware such as ransomware. It is distributed via spear-phishing ISO downloads, employs exte…
The FakeCrack campaign lures users with fake cracked software and delivers a crypto-stealing malware that collects browser data, crypto wallets, and other sensitive information. It relies on a broad delivery infrastructure, password-protected ZIP payloads, and…
Palo Alto Networks’ analytics uncovered a sophisticated threat operation centered on the Popping Eagle malware family, with a Go-based second stage (Going Eagle) used for control and lateral movement. The campaign abused DLL hijacking to load a proxy DLL, esta…
WatchDog has evolved a multi-stage cryptojacking campaign that targets exposed Docker Engine API endpoints and Redis servers, repurposing TeamTNT payloads while attempting to foil attribution. The attack uses timestomping, process hiding, and worm-like propaga…
Researchers document Black Basta’s observed TTPs during a recent incident response, detailing lateral movement, defense evasion, discovery, and encryption activities against Hyper-V environments and Veeam backups. The post also provides a technical breakdown o…
Trend Micro Research analyzed a resurgence of the Cuba ransomware group with a new variant that uses optimized infection techniques, including a new staging downloader. The update also expands safelists, adds victim support features, and implements double exto…
The report analyzes how the MangLingHua group (APT-Q-37) has updated its phishing and delivery techniques, including CHM attachments and DDE automation, to target defense contractors such as the Bangladesh Navy. It also covers related activity from APT-Q-41 (M…
Threat actors exploited CVE-2021-44077 to gain initial access to an internet-facing ManageEngine SupportCenter Plus instance, planted a web shell, and began days-long data exfiltration via web shell and RDP. The operation involved Plink-based SSH tunneling, LS…
Mindware is a ransomware operation active since March 2022, likely a rebrand of SFile, with attacks across healthcare and other sectors. It leverages Reflective DLL Injection, encrypts targeted files, and uses a public leaks site to pressure victims, including…
Broadcom Software has exposed Clipminer, a crypto-mining Trojan that also hijacks clipboard data to steal cryptocurrency, potentially earning operators at least $1.7 million. Symantec describes Trojan.Clipminer as bearing similarities to KryptoCibule and notes…
Travel-themed lures are being used to push malware onto Windows users, delivering AsyncRAT, Netwire RAT, and Quasar RAT through disguised travel documents like itineraries and ISO files. FortiGuard Labs highlights manual execution of these payloads, domain-bas…
DeadBolt ransomware targeted NAS devices (notably QNAP and ASUSTOR) with a multi-tiered extortion scheme that includes both victim and vendor payout options and a web-based ransom interface. The report highlights DeadBolt’s configuration-driven, automated appro…
Trend Micro’s Threat Hunting team analyzed a series of CMD-based ransomware variants, culminating in YourCyanide, a multi-stage malware that uses layered downloads and heavy obfuscation. The family evolves from GonnaCope through Kekpop and Kekware, employing D…
LuoYu is a China-focused threat actor active since 2008, known for malware families SpyDealer, Demsty and WinDealer that target Windows, Linux, macOS and Android. A standout development is WinDealer’s man-on-the-side capability, delivered via several novel dis…