TA578, identified by Proofpoint as the threat actor behind the Contact Forms campaign, is pushing ISO files for Bumblebee malware through thread-hijacked emails. The analysis compares two May 2022 infection chains and notes similarities to the Contact Forms op…
Category: Threat Research
APT34 (OilRig/COBALT GYPSY) targeted Jordan’s government with a new backdoor called Saitama delivered via a malicious Excel macro. The backdoor uses DNS-based C2, a finite-state machine, and various anti-analysis and persistence techniques, indicating a target…
Cisco Talos is tracking an ongoing Bitter APT operation that has targeted Bangladesh since August 2021, featuring a new Trojan called ZxxZ with remote file execution capabilities. The campaign employs spear-phishing with Office exploits and a C2 infrastructure that uses A…
Cobalt Strike's Beacon implant communicates with an external Team Server to emulate long-term C2 activity, using several encoding schemes to hide session metadata in HTTP traffic. The post analyzes five of them (Base64, Base64URL, NetBIOS, NetBIOSU, and Mask), ho…
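As an added worked example (not code from the post or from Cobalt Strike itself), the following Python implements the five encodings named above as an encoder/decoder pair so that a defender can recover the bytes Beacon placed in a header, URI parameter or body. The exact transform semantics are assumptions drawn from the public Malleable C2 profile language rather than from this page: Base64URL uses the URL-safe alphabet with padding stripped, NetBIOS maps each nibble onto the letters a-p (NetBIOSU onto A-P), and Mask prepends a random 4-byte XOR key to the XORed data. The sample "metadata" bytes and the fixed key are constructed for reproducibility; real Beacon metadata is an opaque encrypted blob.

```python
import base64
import os
from typing import List, Optional


def base64url_encode(data: bytes) -> str:
    # URL-safe alphabet with '=' padding stripped (assumed profile convention).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def base64url_decode(text: str) -> bytes:
    # Re-add padding so both padded and unpadded captures decode.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def netbios_encode(data: bytes, upper: bool = False) -> str:
    # Each byte becomes two letters: high nibble, then low nibble, offset from 'a' (or 'A').
    base = 0x41 if upper else 0x61
    return "".join(chr((b >> 4) + base) + chr((b & 0x0F) + base) for b in data)


def netbios_decode(text: str, upper: bool = False) -> bytes:
    base = 0x41 if upper else 0x61
    if len(text) % 2:
        raise ValueError("netbios text must have even length")
    out = bytearray()
    for i in range(0, len(text), 2):
        hi, lo = ord(text[i]) - base, ord(text[i + 1]) - base
        if not (0 <= hi < 16 and 0 <= lo < 16):
            raise ValueError("character outside the netbios alphabet")
        out.append((hi << 4) | lo)
    return bytes(out)


def mask_encode(data: bytes, key: Optional[bytes] = None) -> bytes:
    # Assumed layout: 4-byte XOR key followed by data XORed with that key, repeating.
    key = os.urandom(4) if key is None else key
    if len(key) != 4:
        raise ValueError("mask key must be 4 bytes")
    return key + bytes(b ^ key[i % 4] for i, b in enumerate(data))


def mask_decode(data: bytes) -> bytes:
    if len(data) < 4:
        raise ValueError("masked data too short to hold a key")
    key, body = data[:4], data[4:]
    return bytes(b ^ key[i % 4] for i, b in enumerate(body))


def apply_transforms(data: bytes, steps: List[str], mask_key: Optional[bytes] = None) -> bytes:
    """Encode `data` with the transforms in the order a profile lists them."""
    for step in steps:
        if step == "base64":
            data = base64.b64encode(data)
        elif step == "base64url":
            data = base64url_encode(data).encode("ascii")
        elif step == "netbios":
            data = netbios_encode(data).encode("ascii")
        elif step == "netbiosu":
            data = netbios_encode(data, upper=True).encode("ascii")
        elif step == "mask":
            data = mask_encode(data, mask_key)
        else:
            raise ValueError(f"unknown transform {step!r}")
    return data


def undo_transforms(data: bytes, steps: List[str]) -> bytes:
    """Reverse the transform list, last step first, to recover the original bytes."""
    for step in reversed(steps):
        if step == "base64":
            data = base64.b64decode(data)
        elif step == "base64url":
            data = base64url_decode(data.decode("ascii"))
        elif step == "netbios":
            data = netbios_decode(data.decode("ascii"))
        elif step == "netbiosu":
            data = netbios_decode(data.decode("ascii"), upper=True)
        elif step == "mask":
            data = mask_decode(data)
        else:
            raise ValueError(f"unknown transform {step!r}")
    return data


# Constructed sample input: a placeholder for Beacon metadata plus a fixed mask
# key so the output is reproducible (real metadata is encrypted and opaque).
SAMPLE_METADATA = b"\x00\x00\xbe\xef" + b"constructed-beacon-metadata"
SAMPLE_KEY = b"\x13\x37\xca\xfe"
SAMPLE_STEPS = ["mask", "netbiosu", "base64url"]


def roundtrip(data: bytes = SAMPLE_METADATA, steps: List[str] = SAMPLE_STEPS) -> bytes:
    """Encode then decode; returns the recovered bytes (equal to `data` on success)."""
    wire = apply_transforms(data, steps, mask_key=SAMPLE_KEY)
    return undo_transforms(wire, steps)


if __name__ == "__main__":
    wire = apply_transforms(SAMPLE_METADATA, SAMPLE_STEPS, mask_key=SAMPLE_KEY)
    print("on the wire:", wire.decode("ascii"))
    print("recovered  :", undo_transforms(wire, SAMPLE_STEPS))
```

The practical use is `undo_transforms` against a captured value with the transform list taken from a recovered profile or configuration; because Mask carries its key in-band, an analyst does not need anything beyond the captured bytes to strip it, which is why it hides nothing from anyone who knows the transform order.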
Ursnif is a long-running banking trojan that steals credentials, downloads other malware, and acts as a keylogger. It is primarily delivered via spear-phishing emails that impersonate authorities and exploit current events, using macro-enabled attachments and …
Secureworks CTU analyzed REvil samples tied to the GOLD SOUTHFIELD infrastructure, finding that the threat actor appears to be actively developing REvil and even has access to its source code. The March 2022 sample shows notable changes including updated strin…
Black Basta’s infection routine is dissected, revealing how the ransomware relies on credential access, privilege escalation, and careful system manipulation to achieve encryption and extortion. The analysis also covers its methods for disabling recovery, alte…
Check Point uncovered a months-long targeted operation against German automotive entities, using ISO/HTA delivery to install MaaS info-stealers such as AZORult, BitRAT, and Raccoon. The attackers registered dozens of lookalike domains impersonating German car …
North Korea-linked Lazarus continues its Dream Job espionage campaign targeting chemical sector organizations, using fake job offers, Trojanized tools, and a multi-stage payload chain to infiltrate networks and steal intellectual property. Symantec’s findings …
FortiGuard Labs details Emotet’s maldoc outbreak, showing a multi‑stage infection chain via malicious Office files that deploy VBA/Excel 4.0 macros to drop and run Emotet payloads. The campaign escalated from November 2021 through March 2022, with Excel docume…
Orion Threat Research Team uncovered BumbleBee, a new loader used by Initial Access Brokers to deploy campaigns and inject Cobalt Strike into victims’ memory. The operation leverages spoofed identities and ISO-based delivery via TransferXL to lure users, with …
Fodcha is a rapidly spreading DDoS botnet tracked by CNCERT and 360Netlab, with thousands of live bots and hundreds of victims, using ChaCha20 encryption and a dual C2 infrastructure. The malware propagates via NDay vulnerabilities and Telnet/SSH brute-force, …
Emotet has evolved into a modular botnet capable of downloading up to 16 modules for credential theft, email harvesting, and spam delivery. The analysis covers its infection chain, module types (Process List, Mail PassView, WebBrowser PassView, Outlook/Thunder…
BlackCat (ALPHV) is a Rust-based ransomware-as-a-service operation linked to BlackMatter and REvil lineage, notable for cross-platform samples and a sophisticated exfiltration workflow using Fendr/ExMatter. Telemetry suggests a close tie to past BlackMatter ac…
The ASEC analysis details Excel-based malware campaigns that infect normal Excel files via VBA and can also act as downloaders or perform DNS spoofing. The malware drops components into the Excel startup path to auto-execute on Excel launch, enabling additiona…