Cobalt Strike’s Beacon uses customizable Malleable C2 profiles to shape how it talks to its team server, enabling realistic emulation and evasion of detection. The article contrasts the default profile with customized profiles, showing how URI patterns, header…
Category: Threat Research
BlackBerry Threat Intelligence identifies LokiLocker as a new RaaS ransomware family that encrypts Windows files using AES-256 and RSA-2048, with virtualization protection via KoiVM/NETGuard to hinder analysis. The campaign also features a possible false-flag …
DirtyMoe’s worming module autonomously spreads by exploiting several known vulnerabilities and by generating target IPs based on geolocation, enabling mass-scale infection and lateral movement. This Avast Threat Lab analysis details the worm’s kill chain, the …
Talos analyzes how BlackCat/ALPHV operates as a growing ransomware-as-a-service with affiliates linked to prior groups like BlackMatter and DarkSide, outlining how the affiliates evolved the operation and used shared infrastructure. The piece details attack fl…
A Windows host was infected with Qakbot (Qbot) on 2022-03-14, with Cobalt Strike and VNC remote-access activity appearing about 17 hours later. The incident highlights the obama166 distribution tag, the DLLs downloaded during infection, and notable changes in …
A Ukrainian-focused campaign linked to UNC1151 is analyzed, describing CHM-based loaders, obfuscated VBScript, and memory-resident backdoors that connect to C2 servers, echoing Ghostwriter/UNC1151 activity. The finding in…
Dragos reports sustained network chatter between Emotet C2 servers and multiple auto manufacturers, with the Emotet infrastructure suspected to be controlled by the Conti ransomware group. No confirmed initial access or encryption has been observed yet, and ac…
Trend Micro analyzes Cyclops Blink, a modular botnet linked to Sandworm that targets ASUS routers (and WatchGuard Firebox devices) and lists more than 150 current and historical C2 servers. The report details the malware’s architecture, encryption, and persist…
Gh0stCringe (CirenegRAT) is a Gh0st RAT variant being spread to vulnerable MS-SQL and MySQL database servers, with detailed analyses showing its execution, persistence, and data-exfiltration behaviors. It targets poorly managed credentials, supports multiple m…
Cyble’s deep-dive into Pandora ransomware unveils its encryption behavior, links to ROOK-like TTPs, and notable anti-analysis and cleanup techniques. The analysis details a UPX-packed, C++-compiled payload that uses mutexes, privilege escalation, ETW/AMSI evas…
FBI and CISA warn that Russian state-sponsored cyber actors gained network access by exploiting default MFA configurations and the PrintNightmare vulnerability, enabling document exfiltration from an NGO via compromised credentials and MFA bypass. The advisory…
B1txor20 is a Linux backdoor that uses DNS tunneling to build C2 channels, with features like a SOCKS proxy and remote rootkit installation. The article details its reverse analysis, BotID generation, DNS tunnel encoding/decoding, C2 communications, and a list…
EnemyBot is a Linux-based botnet targeting a broad range of Linux devices with multi-architecture ELF payloads. The report details its infection chain, capabilities (network scanning, flooding, and data exfiltration), observed indicators of compromise, and mit…
DanaBot is delivered via a VBS-based downloader that uses a distinctive obfuscation scheme and is associated with a social-engineering lure built around unclaimed property. The article also covers three methods to decode the VBS, noting DanaBot’s ties to the S…
OverWatch tracked a widespread intrusion campaign that used bundled .msi installers masquerading as legitimate software to download and execute NIGHT SPIDER’s Zloader trojan (and in some cases, Cobalt Strike). The defenders focused on anomalous behavior, low-p…