McAfee Labs reports scammers exploiting Ukraine donation efforts by deploying crypto donation phishing sites and deceptive emails to harvest funds and personal data. The campaigns use fake chat boxes, donation verifiers, and counterfeit logos to appear legitim…
Category: Threat Research
Researchers describe ongoing ISO-based campaigns that deliver AsyncRAT, LimeRAT, and other commodity malware via obfuscated VBScript in a multi-stage infection chain. The campaigns appear tied to a new version of the 3LOSH crypter, which embeds payloads with g…
CaddyWiper is a Windows wiper that destroys data and wipes drives on Ukrainian infrastructure. It is delivered via Group Policy after compromising Active Directory, and follows WhisperGate, HermeticWiper, and IsaacWiper as the fourth observed in the same perio…
The Stolen Images campaign used IcedID as the initial access vector to drop Cobalt Strike beacons, leading to Conti ransomware deployment across a domain. The operation blended off-the-shelf remote-access tools (Atera, Splashtop), multiple Cobalt Strike server…
VajraEleph is described as a South Asia-based threat actor linked to state-backed activity, carrying out a nine-month campaign targeting Pakistan and other regional interests. The article outlines the group’s organization, tactics, and multi-stage operations, …
Morphisec Labs detects a new Remcos Trojan infection chain delivered through financial-themed phishing emails that lure users to open a malicious Excel file. The multi-stage attack uses VBScript and PowerShell to fetch further payloads from a C2, employs persi…
Trend Micro’s Managed XDR team uncovered a campaign where SocGholish drops a BLISTER loader that in turn delivers the LockBit ransomware, highlighting layered evasion and loader-to-beacon chaining. The investigation details how these loaders operate together, …
Threat actors run a tax-season phishing campaign impersonating the IRS to trick targets into downloading malware. The attack chain uses an IRS-themed lure, a captcha step, an XLL file, and a ZIP payload that installs NetSupport Manager as a remote access Troja…
Beastmode, a Mirai-based DDoS campaign, rapidly expanded its exploit arsenal in early 2022 by adding multiple TOTOLINK-focused vulnerabilities, enabling broader device infections and botnet growth. The campaign leverages publicly released exploit code, uses shell scripts downloaded via wget, and culminates in a suite of DDoS capabilities; users are urged to update affected firmware. #Beastmode #Totolink
A Lazarus threat actor campaign used a Trojanized DeFi application to deliver a full-featured backdoor, targeting cryptocurrency and DeFi services through multi-stage C2 infrastructure hosted on South Korean servers. The backdoor communicates via HTTP with RC4…
SentinelLabs describes AcidRain, an ELF MIPS wiper that targets modems and routers to overwrite flash storage, in the context of the KA-SAT outage tied to the Russia-Ukraine conflict. The report also notes potential overlaps with VPNFilter/Sandworm activity an…
BlackGuard is a .NET information stealer advertised as malware-as-a-service on underground forums, capable of stealing credentials from crypto wallets, VPNs, messengers, FTP, saved browser data, and email clients, with ongoing development and obfuscation to ev…
Mars Stealer is a modern infostealer derived from Oski, sold on underground forums and under ongoing development; it targets browser credentials and cryptocurrency wallets. The Morphisec report details its delivery methods, compromised infrastructure, and expose…
A SentinelOne analysis examines Hive Ransomware’s IPfuscation technique, which hides a shellcode payload by encoding ASCII IP addresses that are translated into binary to form the shellcode. The write-up covers IPfuscated, UUIDfuscation, and MACfuscation varia…
Talisman is a PlugX variant that loads a modified DLL via a signed benign binary to decrypt and execute a backdoored payload with plug-in capabilities. The campaign is attributed with medium confidence to the Chinese state-backed RedFoxtrot group, targeting So…