ModifiedElephant is a threat actor active for roughly a decade that targets India-based human rights activists, defenders, academics, and lawyers, planting incriminating digital evidence on their machines to support arrests. The group relies on spearphishing with publicly available remote access trojans …
Category: Threat Research
Unit 42 outlines a renewed Emotet infection method in which a phishing email carries an Excel 4.0 (XLM) macro that stages PowerShell payloads and ultimately delivers the Emotet binary. The approach relies on obfuscated macros, a highly obfuscated HTML application, and multiple…
GlowSpark is a multi-stage maldoc campaign linked to Actinium, using legitimate-looking documents and targeted delivery to infect Ukrainian/Eastern European targets. The operation relies on obfuscated Visual Basic scripts, sandbox evasion, and selectively deli…
ShadowPad is an advanced modular RAT deployed by Chinese government–sponsored actors since at least 2017, with broader use by MSS- and PLA-linked groups globally since 2019. Secureworks CTU analysis shows ShadowPad uses in-memory decryption, DLL loaders sideloaded by …
Proofpoint details TA2541, a persistent cybercrime actor targeting aviation, aerospace, transportation, manufacturing, and defense sectors since 2017, primarily deploying remote access trojans (RATs) such as AsyncRAT. The group uses aviation- and travel-themed…
Picus Security analyzes LockBit 2.0 ransomware, detailing its evolution as a RaaS operator, its anti-detection techniques, and its methods to disrupt victim recovery and logging. The post also lists IOCs and maps LockBit 2.0 behaviors to MITRE ATT&CK technique…
FortiGuard Labs details an NFT-themed lure that hides a BitRAT infection in an Excel XLSM file, downloaded via Discord and executed through a malicious macro. The malware chain includes batch and PowerShell steps, a .NET downloader, DLL injection, persistence,…
Check Point Research analyzes TrickBot’s modular architecture and anti-analysis techniques, highlighting how TrickBot targeted customers of 60 high-profile financial and tech companies using web-injects and credential theft. The article describes key modules l…
Sansec tracked a mass Magento 1 compromise affecting hundreds of stores, with about 374 stores infected in a single day as part of a broader breach impacting 500+ shops. Attackers loaded a payment skimmer from naturalfreshmall.com and left numerous backdoors a…
Lorenz ransomware has evolved with customized attacks against organizations worldwide, often demanding large ransom fees. Cybereason links Lorenz to ThunderCrypt and notes that while a No More Ransom decryptor exists, it is limited and often ineffective. #Lore…
Researchers link VBA-based samples to threat actors in South Asia, showing code reuse across groups such as Transparent Tribe, SideCopy, Donot, and Hangover through final payloads like CrimsonRAT and ObliqueRAT. The findings emphasize shared VBA patterns, cros…
Researchers from Cado Security uncovered CoinStomp, a Linux-based malware family that targets Asian cloud service providers to mine cryptocurrency via a shell-script campaign. It employs timestomping, removal of system cryptographic policies, and a /dev/tcp reverse sh…
SolarMarker is a .NET information stealer and backdoor distributed via novel MSI installers and PowerShell-based deployment. SophosLabs describes how the campaign used SEO poisoning, deceptive web pages, and a multi-stage redirect and persistence technique to …
TA402, a Palestinian-aligned APT, has deployed NimbleMamba, a new implant intended to replace LastConn, in targeted Middle East campaigns. The operation blends geofenced links, actor-controlled domains, and Dropbox-based C2/exfiltration with redirects to legit…
Antlion, a Chinese APT, deployed a custom .NET loader called xPack to compromise Taiwanese targets, focusing on financial and manufacturing organizations and conducting extended credential dumping and data staging. The operation used a mix of custom loaders an…