Emotet resurfaced in November 2021 after a law-enforcement takedown and by January 2022 had returned to prominence as an email-distributed threat with evolving delivery chains. The report covers infection patterns from November 2021 to January 2022, including …
Category: Threat Research
Trend Micro’s Managed XDR investigated a Kingminer botnet attack that targeted an MSSQL server by abusing obfuscated PowerShell and VBScript, leading to a fileless miner deployment. The findings trace the attack chain from initial exploitation through payload …
FortiGuard Labs reports a Chaos ransomware variant that appears to side with Russia, delivering destructive payloads and offering no decryption option. The malware encrypts small files with AES-256 (RSA-wrapped keys) and fills larger files with random data, wh…
Unit 42 analyzes a multi-stage attack that begins with a malicious Compiled HTML Help (.chm) file delivered inside a 7z archive and culminates with Agent Tesla loading and exfiltrating data via FTP. The operation uses obfuscated JavaScript and PowerShell acros…
Threat actors lure Germans with updates about the Ukraine crisis via a decoy Baden-Württemberg site, delivering a PowerShell-based RAT that can steal data and execute commands. The operation uses AMSI bypass, creates a persistent scheduled task, and exfiltrate…
Onyx is a ransomware observed in April 2022 that encrypts files, appends the .ampkcz extension, and leaves a readme.txt ransom note. It uses several evasion, persistence, and exfiltration techniques, including process checks, startup-folder modifications, and …
KurayStealer is a Python-based malware builder that harvests passwords and screenshots and exfiltrates them to Discord via webhooks. The tool is offered in free and VIP versions, with OSINT linking the author to Spain and a presence on YouTube and Discord. #Ku…
Researchers observed a rapid exploit campaign against F5 BIG-IP CVE-2022-1388, deploying web shells and Mirai-era malware within days. The events highlight the danger of exposed devices and the need for secure configurations and timely patching.…
Quantum Locker is a fast, human-operated ransomware strain linked to MountLocker that encrypts data within hours of infection, often leaving defenders little time to respond. Cybereason Nocturnus classifies the threat as HIGH, notes a RansomOps playbook, and h…
Fortinet FortiGuard Labs uncovered a phishing campaign that delivers three fileless malware families on Windows via a malicious Excel Add-In with VBA macros, leveraging WMI, HTML/JavaScript, and PowerShell to load and execute payloads. The operation uses persi…
Secureworks CTU researchers analyzed COBALT MIRAGE’s ransomware operations in the United States, spotting two intrusion clusters: Cluster A uses BitLocker/DiskCryptor for opportunistic ransomware, while Cluster B pursues targeted intrusions with some ransomwar…
APT34 (OilRig/COBALT GYPSY) targeted Jordan’s government with a new backdoor called Saitama delivered via a malicious Excel macro. The backdoor uses DNS-based C2, a finite-state machine, and various anti-analysis and persistence techniques, indicating a target…
A RedLine Stealer campaign analyzed by Netskope Threat Labs shows attackers using YouTube videos to lure victims into downloading a fake Binance NFT Mystery Box bot hosted on GitHub, which leads to a multi-stage RedLine payload. The write-up details loader stage…
JFrog Security researchers uncovered a highly targeted npm supply chain attack aimed at German-based companies, using fake npm maintainers to host malicious packages that deliver a sophisticated backdoor payload. The operation appears to involve dependency con…
Proofpoint profiles Nerbian RAT, a Go-based malware with aggressive anti-analysis and evasion capabilities that uses COVID-19 themes to lure victims. The attack chain starts with a maldoc phishing email, drops a Go-based loader UpdateUAV.exe, which then retrie…