Antlion, a Chinese APT, deployed a custom .NET loader called xPack to compromise Taiwanese targets, focusing on financial and manufacturing organizations and conducting extended credential dumping and data staging. The operation used a mix of custom loaders an…
Category: Threat Research
Qbot (QakBot) campaigns spread rapidly by delivering a malicious Excel macro that loads a QBot DLL, then injects into msra.exe to harvest browser data and Outlook emails. The operation escalates privileges, moves laterally across all workstations, and uses mul…
Lazarus targeted Boeing job-seekers using a lure document, Boeing BDS MSE.docx, to deliver a DLL that mimics legitimate Notepad++ functionality. The malware exfiltrates system and process information to four C2 servers after compression, XOR encryption, and Ba…
Volexity uncovered a zero-day cross-site scripting (XSS) vulnerability in Zimbra (CVE-2022-24682) that TEMP_Heretic targeted through spear-phishing campaigns to access and exfiltrate mail data. The attackers could load JavaScript in the victim’s Zimbra webmail…
A phishing campaign uses specially crafted CSV text files to install the BazarLoader/BazarBackdoor malware by abusing Excel’s Dynamic Data Exchange (DDE) feature. The attack chain pivots through WMIC and PowerShell to download and execute a DLL, enabling remot…
Mars Stealer is an upgraded variant of Oski Stealer with added anti-analysis and credential theft capabilities, including browser and crypto wallet data harvesting, plus a modular downloader and self-removal mechanism. It uses encrypted strings, runtime API re…
Cisco Talos identifies a new wave of the Delphi-based Micropsia implant operated by Arid Viper, targeting Palestinian entities and activists with politically themed decoys. The latest implants add multiple RAT and information-gathering capabilities, persistenc…
Cybereason Nocturnus tracks the Iranian APT Moses Staff, which has added a novel Remote Access Trojan named StrifeWater to its ransomware operations and uses it in the initial infection stage. StrifeWater provides capabilities like file listing, shell command …
Sugar RaaS describes a new ransomware-as-a-service model focusing on individual machines and reusing components from other ransomware families. The article details the crypter, a Delphi-based ransomware sample, ransom notes, and IOCs including domains, an onio…
Cybereason Nocturnus researchers uncover a new PowerShell backdoor named PowerLess Backdoor, used by Phosphorus (APT35) in espionage operations and featuring modular loaders and staged payloads, including a keylogger and an information stealer. The findings tie P…
Cisco Talos links a campaign targeting Turkish private organizations and government bodies to MuddyWater, an Iran-linked APT group, using malicious PDFs, Excel files and Windows executables to drop PowerShell-based downloaders and establish footholds. The oper…
Shuckworm (Gamaredon) continues its Ukraine-focused cyber-espionage campaigns, using phishing and living-off-the-land techniques to deploy backdoors and remote-access tools. Symantec’s investigation documents a multi-stage July–August 2021 operation in Ukraine…
Lazarus Group’s latest campaign is a spearphishing effort that uses Lockheed Martin-themed document lures to drop a multi-stage payload. The operation hijacks execution via the KernelCallbackTable, uses the Windows Update client to execute malicious code, and employs GitHub…
StellarParticle is CrowdStrike’s tracked campaign tied to COZY BEAR (APT29) and the SolarWinds incident, with activity continuing against multiple organizations. The operation employs novel techniques such as browser cookie theft and O365 service principal hij…
The Belarusian Cyber Partisans disclosed documents related to a railway-targeting incident and noted that Curated Intelligence member SttyK would study the methods used. The published material outlines an incident aimed at hindering operations and details …