Check Point Research shows how state-sponsored APT groups are exploiting the Russia-Ukraine war to run cyber-espionage campaigns worldwide, using war-themed spear-phishing, decoy documents, and multi-stage payloads against financial, governmental, and energy s…
Category: Threat Research
FortiGuard Labs uncovered a spearphishing operation targeting a Kyiv fuel company that used a spoofed invoice to entice a recipient to open a zipped attachment containing an ISO image that drops the IcedID banking Trojan. The actors use a LNK shortcut and Regs…
FortiEDR detected a Deep Panda operation exploiting the Log4Shell flaw in VMware Horizon servers, resulting in opportunistic infections across multiple sectors and countries. The campaign introduced a backdoor called Milestone and a novel kernel rootkit named …
Cisco Talos reports a new Transparent Tribe campaign targeting Indian government and military entities, deploying CrimsonRAT alongside bespoke stagers and implants. The operation uses fake domains mimicking legitimate government sites and multiple delivery met…
Emotet—a modular banking trojan that can download other malware such as TrickBot and IcedID—has re-emerged, with Cisco GTA enhancing detection coverage for its latest wave. The article details its infection flow, PowerShell payload chain, observable IOCs, and …
Purple Fox is a long-standing threat that has evolved with a new arrival vector and early access loaders, distributing trojanized installers masquerading as legitimate apps. This campaign expands the botnet by introducing new payloads, including a FatalRAT var…
A new IcedID campaign uses conversation hijacking in phishing emails delivered from compromised Microsoft Exchange accounts to drop the IcedID loader. The operation shifts from office documents to ISO attachments, uses regsvr32 to proxy-run a DLL, and targets …
ThreatLabz analyzed Conti ransomware’s January 2022 update, noting that it appeared before the February 2022 leaks and that attacks continued afterward, with encryption and evasion improvements added. The update introduced Safe Mode boot encryption, new command-line optio…
Juniper Threat Labs uncovered a Muhstik-bot variant that targets Redis servers via CVE-2022-0543 in Redis Debian packages, a Lua sandbox escape that enables code execution. The campaign ties Muhstik activity to prior Confluence and Log4j attacks, deploying a dow…
Ukraine CERT (CERT-UA) ties the Chinese threat actor Scarab to UAC-0026, marking one of the first publicly reported Ukraine-targeted operations by a non-Russian APT. The campaign centers on a HeaderTip backdoor delivered via macro-enabled lure documents and a …
Morphisec Labs reports a new JSSLoader variant delivered via unsigned XLL Excel add-ins, leveraging Excel’s add-in loading to fetch a payload. The campaign highlights evasion tactics (obfuscation and varying user-agents) and notes FIN7 as the historical threat…
Threat actors exploit timely events with phishing emails to harvest PII and establish footholds, using Emotet delivered through Excel 4.0 macros in tax-season and Ukraine-related scams. Fortinet FortiGuard Labs observed these campaigns and highlights defenses …
Avast Threat Labs identifies Operation Dragon Castling, a Chinese-speaking APT campaign targeting betting companies in Southeast Asia (Taiwan, the Philippines, and Hong Kong). The operation uses a modular toolkit (MulCom backdoor, Proto8 CoreX/Core Module, and W…
ThreatLabz analyzes Thanos-based ransomware variants (Prometheus, Haron, Spook, and Midas) to show how operators shifted tactics in 2021, using RaaS builders, double extortion, and variant revamps to extend campaigns. The Midas variant encrypts files with Sals…
A phishing email delivers an ISO attached as request.doc that unpacks a CHM loader and a Vidar payload. Vidar collects system and browser data, downloads dependencies from Mastodon-based C2, and can fetch additional malware from the same infrastructure. #Vidar #CH…