Researchers describe ongoing ISO-based campaigns that deliver AsyncRAT, LimeRAT, and other commodity malware via obfuscated VBScript in a multi-stage infection chain. The campaigns appear tied to a new version of the 3LOSH crypter, which embeds payloads with g…
Category: Threat Research
CaddyWiper is a Windows wiper that destroys data and wipes drives on Ukrainian infrastructure. It is delivered via Group Policy after compromising Active Directory, and follows WhisperGate, HermeticWiper, and IsaacWiper as the fourth observed in the same perio…
Malicious Word documents impersonating AhnLab are being distributed to corporate users to trigger macros. The attack chain downloads a second Word file containing a VBA macro, uses Windows Media Player to auto-run the code, downloads additional payloads, and p…
Colibri Loader is a malware family that delivers and manages payloads onto infected PCs. A new campaign delivers Mars Stealer as the final payload, using a novel persistence technique that combines a scheduled task with PowerShell and a remote template injecti…
FIN7’s intrusion landscape evolves from LOADOUT and GRIFFON in 2020 to POWERPLANT as the main PowerShell-based backdoor in 2021, with BEACON acting as a secondary access path and extensive PowerShell tradecraft continuing to shape their operations. The report …
Symantec details Cicada (a China-linked APT) widening its espionage activity, targeting governments and NGOs across multiple regions with Exchange server exploits, custom loaders, and backdoors such as Sodamaster and Mimikatz loader, plus tools like VLC and Wi…
The diary documents a MetaStealer infection chain delivered via malicious Excel attachments that drop and persist a Windows EXE and DLL after macro execution and a VBScript loader. It also notes the malware abusing legitimate services like GitHub and transfer.…
Trend Micro’s Managed XDR team uncovered a campaign where SocGholish drops a BLISTER loader that in turn delivers the LockBit ransomware, highlighting layered evasion and loader-to-beacon chaining. The investigation details how these loaders operate together, …
Threat actors run a tax-season phishing campaign impersonating the IRS to trick targets into downloading malware. The attack chain uses an IRS-themed lure, a captcha step, an XLL file, and a ZIP payload that installs Netsupport Manager as a remote access Troja…
Beastmode, a Mirai-based DDoS campaign, rapidly expanded its exploit arsenal in early 2022 by adding multiple TOTOLINK-focused vulnerabilities, enabling broader device infections and botnet growth. The campaign leverages publicly released exploit code, uses shell scripts downloaded via wget, and culminates in a suite of DDoS capabilities; users are urged to update affected firmware. #Beastmode #Totolink
A Lazarus threat actor campaign used a Trojanized DeFi application to deliver a full-featured backdoor, targeting cryptocurrency and DeFi services through multi-stage C2 infrastructure hosted on South Korean servers. The backdoor communicates via HTTP with RC4…
The Stolen Images campaign used IcedID as the initial access vector to drop Cobalt Strike beacons, leading to Conti ransomware deployment across a domain. The operation blended off-the-shelf remote-access tools (Atera, Splashtop), multiple Cobalt Strike server…
VajraEleph is described as a South Asia-based threat actor linked to state-backed activity, carrying out a nine-month campaign targeting Pakistan and other regional interests. The article outlines the group’s organization, tactics, and multi-stage operations, …
Morphisec Labs detects a new Remcos Trojan infection chain delivered through financial-themed phishing emails that lure users to open a malicious Excel file. The multi-stage attack uses VBScript and PowerShell to fetch further payloads from a C2, employs persi…
Securonix Threat Labs analyzes a currently unpatched zero-day in Spring Core (Spring4Shell) and its potential for remote code execution, outlining exploit mechanics, scope, and defense. The report covers how the vulnerability differs from Log4j, mitigation/det…