Proofpoint researchers link TA416 to ongoing Europe-targeted campaigns using web bugs to profile victims before delivering PlugX payloads, with recent activity showing updates to the PlugX variant and its delivery chain. The operator impersonates diplomatic …
Category: Threat Research
Microsoft Power BI is being impersonated in a credential-harvesting campaign that uses realistic-looking notification emails and fake sign-in pages to collect Microsoft account credentials. The campaign leverages stolen credentials to create believable notific…
TeamTNT is a prolific cryptomining threat actor that has targeted Linux servers for years, evolving from Redis to Docker and now Kubernetes-focused campaigns, with some Windows artifacts observed. The analysis details their TTPs, tools (including Tsunami, Rath…
CyCraft’s first-hand investigation reveals a China-state-backed operation, dubbed “Operation Cache Panda,” targeting Taiwan’s financial sector through a broad supply-chain attack exploiting software vulnerabilities and deploying multi-stage, memory-resident ma…
CryptBot’s latest version is distributed via deceptive crack/tool pages with redirect-heavy delivery, increasing infection risk. The update consolidates C2 communications, removes several infostealing features, and expands Chrome data theft to support newer br…
Arkei, a flexible information stealer, now expands to pilfer MFA data in addition to crypto-wallet information, using SmokeLoader as a deployment vector. Its configurable setup and use of legitimate components help it evade detection while exfiltrating data ba…
Cobalt Strike is being distributed to unsecured MS-SQL servers, leveraging brute force, dictionary attacks, and command execution to deploy a memory-based beacon. The campaign overlaps with other malware like Lemon Duck, Kingminer, and Vollgar that abuse port …
Ukrainian banks and government websites were targeted by a moderate DDoS campaign attributed to the Katana botnet, a Mirai variant used to flood services. Preparation for the attack appears to have begun as early as February 13, with delivery through exploited…
In a November 2021 intrusion, threat actors gained a foothold with Qbot (Qakbot) and used Zerologon to elevate to domain admin, enabling Cobalt Strike deployment and broader network compromise. They conducted AD discovery, exfiltrated sensitive documents, and…
A Check Point Research analysis uncovers a coordinated IRIB cyberattack (Jan 2022) that hijacked state TV/radio playout, deployed backdoors, and used a wiper to disrupt broadcasting. The report details tools like SimplePlayout, Winscreeny, HttpCallbackService,…
SentinelLabs tracks TunnelVision, an Iranian-aligned threat actor cluster exploiting VMware Horizon and Log4j vulnerabilities to deploy backdoors, harvest credentials, and move laterally in the Middle East and the US. The operation heavily relies on tunneling …
ASEC researchers trace PseudoManuscrypt distribution in Korea since May 2021, noting it masquerades as a CryptBot-like installer and is spread via malicious sites surfaced in top search results for illegal software (Crack/Keygen). The malware uses NSIS to drop…
Remcos RAT was delivered via a phishing email that attached a double-compressed archive, which unpacked to reveal an obfuscated VBScript dropper. The dropper uses a COM object (MSXML2.XMLHTTP.3.0) to fetch a PowerShell-based payload and culminates in a Remcos p…
Fortinet FortiEDR uncovered a Moses Staff campaign targeting Israeli organizations, leveraging ProxyShell exploits to deploy web shells and a multi-component backdoor for espionage, data exfiltration, and payload delivery. The operation includes a loader that …
Kraken is a developing Windows botnet written in Go that can download payloads, run commands, steal cryptocurrency wallets, and take screenshots, spreading via SmokeLoader. It uses UPX packing and Themida protection, persists via Run keys, and has evolved dash…