Orion Threat Research Team uncovered BumbleBee, a new loader used by Initial Access Brokers to deploy campaigns and inject Cobalt Strike into victims’ memory. The operation leverages spoofed identities and ISO-based delivery via TransferXL to lure users, with …
Category: Threat Research
Fodcha is a rapidly spreading DDoS botnet tracked by CNCERT and 360Netlab, with thousands of live bots and hundreds of victims, using ChaCha20 encryption and a dual C2 infrastructure. The malware propagates via NDay vulnerabilities and Telnet/SSH brute-force, …
Emotet has evolved into a modular botnet capable of downloading up to 16 modules for credential theft, email harvesting, and spam delivery. The analysis covers its infection chain, module types (Process List, Mail PassView, WebBrowser PassView, Outlook/Thunder…
BlackCat (ALPHV) is a Rust-based ransomware-as-a-service operation linked to BlackMatter and REvil lineage, notable for cross-platform samples and a sophisticated exfiltration workflow using Fendr/ExMatter. Telemetry suggests a close tie to past BlackMatter ac…
The ASEC analysis details Excel-based malware campaigns that infect normal Excel files via VBA and can also act as downloaders or perform DNS spoofing. The malware drops components into the Excel startup path to auto-execute on Excel launch, enabling additiona…
FortiGuard Labs observed a new DDoS botnet named Enemybot, attributed to Keksec, that borrows code from Gafgyt and Mirai while using obfuscation and a Tor-hidden C2 to complicate takedowns. It targets routers from Seowon Intech and D-Link and leverages a wide …
A Cofense Phishing Defense Center report details a COVID-19 themed phishing campaign where threat actors impersonate companies to deploy fake COVID-19 forms and harvest credentials via online form builders. The campaign includes compromised sender addresses an…
SolarMarker has evolved into a multi-stage threat delivering backdoors and infostealers, primarily via SEO-driven campaigns that lure users to download malicious documents. It exfiltrates browser data, can transfer files, and executes commands from a C2, while …
SystemBC is a proxy malware that has been used by various attackers for years, functioning as both a proxy bot and a downloader for additional payloads. It has recently been distributed through SmokeLoader and Emotet and has featured in ransomware campaigns, i…
Trend Micro Threat Research observed active exploitation of CVE-2022-22965 (Spring4Shell) enabling threat actors to weaponize and execute the Mirai botnet. The exploit chain drops Mirai in /tmp, changes permissions, and deploys a JSP web shell to execute comma…
FFDroider is a Windows-based credential and cookie stealer that targets social media platforms by harvesting browser data and using stolen cookies to access accounts. ThreatLabz (Zscaler) details its delivery, obfuscation, registry persistence, C2 communicatio…
Cado Labs documents the first publicly known malware designed to run specifically inside an AWS Lambda environment, named Denonia, which uses DNS over HTTPS for its command-and-control lookups and mines Monero via an embedded XMRig variant. This cloud-focused …
Cybereason Nocturnus details a new espionage campaign by APT-C-23 targeting Israeli officials, featuring upgraded malware (Barb(ie) Downloader, BarbWire Backdoor, and VolatileVenom Android implant) and sophisticated social engineering to gain initial access. T…
Parrot TDS is a pervasive traffic direction system that hijacks compromised web servers to deliver malicious campaigns such as FakeUpdate, reaching users worldwide. Avast Threat Labs notes it has been active since October 2021, with hundreds of thousands of us…
Fortinet FortiGuard Labs analyzes a phishing-driven Remcos RAT campaign that delivers a malicious Excel macro to Windows users, initiating a multi-stage VBS/PowerShell payload chain. The malware uses a decrypted configuration block, process hollowing into RegA…