FortiGuard Labs observed a new DDoS botnet named Enemybot, attributed to Keksec, that borrows code from Gafgyt and Mirai while using obfuscation and a Tor-hidden C2 to complicate takedowns. It targets routers from Seowon Intech and D-Link and leverages a wide …
Category: Threat Research
A Cofense Phishing Defense Center report details a COVID-19 themed phishing campaign where threat actors impersonate companies to deploy fake COVID-19 forms and harvest credentials via online form builders. The campaign includes compromised sender addresses an…
SolarMarker has evolved into a multi-stage threat delivering backdoors and infostealers, primarily via SEO-driven campaigns that lure users to download malicious documents. Itexfiltrates browser data, can transfer files, and executes commands from a C2, while …
SystemBC is a proxy malware that has been used by various attackers for years, functioning as both a proxy bot and a downloader for additional payloads. It has recently been distributed through SmokeLoader and Emotet and has featured in ransomware campaigns, i…
Trend Micro Threat Research observed active exploitation of CVE-2022-22965 (Spring4Shell) enabling threat actors to weaponize and execute the Mirai botnet. The exploit chain drops Mirai in /tmp, changes permissions, and deploys a JSP web shell to execute comma…
FFDroider is a Windows-based credential and cookie stealer that targets social media platforms by harvesting browser data and using stolen cookies to access accounts. ThreatLabz (Zscaler) details its delivery, obfuscation, registry persistence, C2 communicatio…
Cado Labs documents the first publicly-known malware designed to run specifically inside an AWS Lambda environment, named Denonia, which uses DNS over HTTPS for its command-and-control lookups and mines Monero via an embedded XMRig variant. This cloud-focused …
Cybereason Nocturnus details a new espionage campaign by APT-C-23 targeting Israeli officials, featuring upgraded malware (Barb(ie) Downloader, BarbWire Backdoor, and VolatileVenom Android implant) and sophisticated social engineering to gain initial access. T…
Parrot TDS is a pervasive traffic direction system that hijacks compromised web servers to deliver malicious campaigns such as FakeUpdate, reaching users worldwide. Avast Threat Labs notes it has been active since October 2021, with hundreds of thousands of us…
Fortinet FortiGuard Labs analyzes a phishing-driven Remcos RAT campaign that delivers a malicious Excel macro to Windows users, initiating a multi-stage VBS/PowerShell payload chain. The malware uses a decrypted configuration block, process hollowing into RegA…
Malicious Word documents impersonating AhnLab are being distributed to corporate users to trigger macros. The attack chain downloads a second Word file containing a VBA macro, uses Windows Media Player to auto-run the code, downloads additional payloads, and p…
Colibri Loader is a malware family that delivers and manages payloads onto infected PCs. A new campaign delivers Mars Stealer as the final payload, using a novel persistence technique that combines a scheduled task with PowerShell and a remote template injecti…
FIN7’s intrusion landscape evolves from LOADOUT and GRIFFON in 2020 to POWERPLANT as the main PowerShell-based backdoor in 2021, with BEACON acting as a secondary access path and extensive PowerShell tradecraft continuing to shape their operations. The report …
Symantec details Cicada (a China-linked APT) widening its espionage activity, targeting governments and NGOs across multiple regions with Exchange server exploits, custom loaders, and backdoors such as Sodamaster and Mimikatz loader, plus tools like VLC and Wi…
The diary documents a MetaStealer infection chain delivered via malicious Excel attachments that drop and persist a Windows EXE and DLL after macro execution and a VBScript loader. It also notes the malware abusing legitimate services like GitHub and transfer.…