CryptBot resurfaces as a streamlined infostealer distributed through compromised pirate sites offering cracked software and games. The latest variant trims its capabilities to focus on data exfiltration, using obfuscated scripts and a multi-stage delivery chai…
Category: Threat Research
Opportunistic cybercriminals are advertising cyber tools to target Russian entities, but the downloaded tools are actually infostealers that steal credentials and cryptocurrency data. The campaign leverages Telegram and sympathetic online spaces tied to the Ru…
eSentire documented a TunnelVision-linked intrusion into a VMware Horizon server, exploiting Log4Shell to harvest credentials and establish access. The operation included a backdoor DomainAdmin, PsExec/RDP lateral movement, C2 via activate-microsoft.cf, and Ng…
ASEC researchers uncovered an infostealer that is being distributed through YouTube disguised as a Valorant game hack, with instructions to disable anti-malware protections. The malware collects system information, browser credentials, cryptocurrency wallet fi…
Threat actors have exploited the Ukraine invasion with scam emails that solicit humanitarian aid and donations, often delivering malware or links to malicious pages. The activity mirrors opportunistic crime seen after other crises, combining social engineering…
Talos links MuddyWater to Iranian interests and describes a conglomerate of sub-groups conducting global campaigns using maldocs, PowerShell/VB/JavaScript tooling, and Windows RATs such as SloughRAT to achieve espionage, IP theft, and potentially ransomware an…
Qakbot spreads by inserting malicious replies into ongoing email conversations, using compromised accounts to push a zip containing a malicious Office document. The malware is modular, downloads payloads, injects into system processes like Edge and Explorer, a…
Researchers tracked a LazyScripter campaign in 2021 targeting European entities, revealing a double-compromise chain involving H-Worm and njRAT delivered via obfuscated scripts. They also uncovered use of a free online obfuscation service and a waterhole-style…
Raccoon Stealer is a multifunctional stealer that uses Telegram to store and update its C2 addresses and to receive commands. Avast Threat Labs detail its data theft capabilities, distribution methods, and global prevalence, including locale checks to avoid ce…
Black Lotus Labs notes Emotet’s resurgence since November 2021, with about 130,000 unique bots across 179 countries and evolving infrastructure that could serve as footholds or proxy C2s. The report highlights changes in encryption, process-list handling, and …
RURansom is a wiper targeting Russia, not a ransomware variant, as encryption is irreversible. It spreads like a worm via removable disks and mapped network shares, encrypting files and dropping a wiper note, while some versions exhibit geo-targeting and obfus…
APT41’s operations against U.S. state governments leveraged multiple, overlapping campaigns: initial access via a USAHerds web app vulnerability (CVE-2021-44207) followed by Log4Shell (CVE-2021-44228) deserialization to deploy backdoors, including KEYPLUG.LINU…
FortiGuard Labs uncovered a phishing operation masquerading as a purchase order to a Ukrainian manufacturer, delivering Agent Tesla via a PPAM PowerPoint add-in. The campaign uses a multi-stage dropper with Bit.ly and MediaFire stages, ends with PowerShell-bas…
Trend Micro researchers present evidence that Nokoyawa ransomware is likely connected to Hive, sharing parts of the attack chain, tools, and even infrastructure, with most Nokoyawa targets in Argentina. The analysis also highlights similarities and key differe…
Fortinet FortiGuard Labs analyzed a campaign that uses an MS Office Excel macro to deliver the Emotet Trojan, detailing how the macro writes and executes VBScript and PowerShell components to download and run a DLL payload. The research also covers anti-analys…