An unknown APT group has targeted Russian government entities with at least four spear-phishing campaigns since late February 2022, aiming to install a Remote Access Trojan that can monitor and control infected machines. The operation blends sophisticated anti…
Category: Threat Research
A BlackBerry Research & Intelligence analysis traces the Chaos ransomware family from its Chaos v1.0 origins to Yashma (Chaos v6.0), showing how Onyx emerged from Chaos v4.0 and how Yashma expands capabilities. The piece also covers spear-phishing activity tar…
Cyble researchers found a threat actor distributing fake PoCs for CVE-2022-26809 and CVE-2022-24500 on GitHub, targeting the Infosec community. The culprit malware is a .NET binary packed with ConfuserEX that displays fake exploit messages and then calls Power…
Nokoyawa is a Windows ransomware variant that traces its lineage to Karma/Nemty and increasingly reuses publicly available code to expand its capabilities. FortiGuard Labs reports new features such as Babuk-derived process and volume-enumeration code, a TOR-ba…
Check Point Research details the Twisted Panda operation, a Chinese state-sponsored espionage campaign targeting Rostec’s defense institutes in Russia (and possibly Belarus), leveraging sanctions-based lures and novel tools like SPINNER and a multi-layer loade…
Sonatype researchers detected a malicious Python package named “pymafka” on PyPI that typosquats the popular library PyKafka and delivers a Cobalt Strike beacon across Windows, macOS, and Linux. The package downloads platform-specific payloads from external IP…
ThreatLabz uncovered a campaign distributing Vidar infostealer via backdoored Windows 11 ISO downloads that spoof the official Windows 11 portal. The malware retrieves its C2 configuration from attacker-controlled social media channels on Telegram and Mastodon…
CrateDepression is a Rust crate supply-chain attack targeting Rust developers and GitLab CI pipelines, using a typosquatted dependency (rustdecimal) to drop a second-stage Go-based payload built on Mythic Poseidon. The campaign could enable larger-scale supply…
Emotet is being distributed through link files (.lnk) and Excel attachments, with distribution expanding since April. The emails disguise themselves as replies to the user to spread the malware, and the delivered payloads download additional loaders and malwar…
APT-C-24 (Rattlesnake) unveiled a notably redesigned attack flow centered on FileSyncShell.dll, employing DLL side-loading via explorer.exe to achieve persistence and payload loading. The operation features two…
Lazarus Group targeted Korea by exploiting the Log4j CVE-2021-44228 vulnerability on unpatched VMware Horizon to install NukeSped and related components. The operation includes NukeSped backdoors, INFOSTEALER, and Jin Miner modules, with data exfiltration and …
EXOTIC LILY is observed distributing Bumblebee malware through TransferXL by sharing ZIP archives that contain ISO disk images. The infection chain includes mounting the ISO, running a Windows shortcut that launches a hidden DLL via rundll32, followed by Bumbl…
CISA warns that malicious actors linked to APT activity are exploiting CVE-2022-22954 and CVE-2022-22960 in VMware Workspace ONE Access and related products to achieve remote code execution and root-level access, chaining vulnerabilities for full system contro…
IBM X-Force researchers dissect ITG23’s crypter operations, revealing a sprawling ecosystem where ITG23 and partner groups crypt, distribute, and deploy malware across Trickbot, Emotet, IcedID, Qakbot, MountLocker, Gozi, and more. The findings show a highly co…
Emotet resurfaced in November 2021 after a law-enforcement takedown and by January 2022 had returned to prominence as an email-distributed threat with evolving delivery chains. The report covers infection patterns from November 2021 to January 2022, including …