BlackBerry researchers link the Prophet Spider Initial Access Broker (IAB) group to exploiting the Log4j (Log4Shell) vulnerabilities in VMware Horizon to break into organizations. The article outlines IoCs, observed post-exploitation payloads (cryptomining, Co…
Category: Threat Research
KONNI RAT has evolved into a stealthier Remote Administration Tool under the Kimsuky umbrella, with ongoing development and updates to evade detection. The post highlights major changes (AES-protected strings and files, a move away from rundll, and enhanced ob…
Chaes is a Brazil-only banking trojan that uses a multi-stage delivery chain to steal Chrome credentials and intercept logins to Brazilian banking sites. Avast found Chaes artifacts on over 800 compromised WordPress sites in Brazil (700+ with Brazilian TLDs), …
Morphisec identifies a new AsyncRAT delivery campaign that uses an HTML attachment to deliver a base64-encoded ISO file, constructed in-browser and mounted to execute staged loaders. The multi-stage chain includes HTML/JavaScript decoding, reflective .NET inje…
ESET analyzes a watering-hole campaign that delivers a new macOS backdoor named DazzleSpy via a WebKit/Safari exploit chain. Targets were Hong Kong pro-democracy individuals, with infection hosted on amnestyhk.org and other compromised sites like fightforhk.co…
Threat actors deliver multiple malware via malicious PowerPoint Add-Ins and a multi-stage chain that uses cloud services to host payloads. The operation blends phishing, LoLBins, VBS, and PowerShell to drop AgentTesla and a cryptocurrency stealer, with stages …
BRATA continues to evolve with new targets and features, including factory reset, GPS tracking, multi-channel C2 (HTTP and WebSocket), and ongoing monitoring via VNC and keylogging to facilitate unauthorized wire transfers. The report details BRATA variants A,…
A collaborative analysis by a Qianxin team examines a wave of mht/Web Archive-based attacks delivering malicious DLLs via Office macros on Glitch, noting overlaps with OceanLotus but also distinct traits. The operation uses VBA obfuscation, in-memory DLL loadi…
Earth Karkaddan (APT36) is analyzed through its use of CrimsonRAT on Windows and CapraRAT/ObliqueRAT on Android, detailing infection chains based on spear-phishing, USB worms, and malicious macros. The piece also covers C2 communications, persistence mechanism…
Fortinet FortiGuard Labs analyzes a phishing campaign that delivers a STRRAT variant as a direct attachment, bypassing the usual dropper stage. The campaign uses spoofed shipping-themed emails, obfuscated Java payloads, and a mix of C2 communications and crede…
Emotet spam campaigns are abusing hexadecimal and octal IP address formats to evade pattern-matching detection, delivering malware via Excel 4.0 Macros and HTA code. The operation leads to second-stage payloads like TrickBot and Cobalt Strike beacons, with gui…
Proofpoint details DTPacker, a two-stage .NET packer/downloader that uses Donald Trump-themed fixed keys to decrypt its second stage and deliver payloads such as Agent Tesla, Ave Maria, AsyncRAT, and FormBook. The campaigns blend varied encoding/obfuscation an…
Gemini Advisory analyzes FIN7’s use of trojanized USB devices (BadUSB) to deliver the IceBot Remote Access Trojan, enabling unauthorized remote access to victims’ networks. The report details the Arduino-based sketch used to infect USB devices, a network of pa…
Korean security researchers found DDoS IRC Bot strains masquerading as adult games, distributed via webhards, using a Golang-based downloader alongside UDP Rat and Simple-IRC-Botnet. The malware installs through a downloader, persists via a scheduled task, inj…
ThreatLabz details a new Molerats APT espionage campaign targeting Middle East actors, delivering a .NET backdoor via macro-enabled Office documents and leveraging Dropbox as the C2 and data-exfiltration channel. The operation shows ties to Spark backdoor acti…