BlackGuard is a .NET information stealer advertised as malware-as-a-service on underground forums, capable of stealing credentials from crypto wallets, VPNs, messengers, FTP, saved browser data, and email clients, with ongoing development and obfuscation to ev…
Category: Threat Research
Mars Stealer is a modern infostealer derived from Oski, sold on underground forums with ongoing development, and it targets browser credentials and cryptocurrency wallets. The Morphisec report details its delivery methods, compromised infrastructure, and expose…
A SentinelOne analysis examines Hive Ransomware’s IPfuscation technique, which hides a shellcode payload by encoding it as ASCII IP addresses that are translated back into binary to form the shellcode. The write-up covers IPfuscation, UUIDfuscation, and MACfuscation varia…
Talisman is a PlugX variant that loads a modified DLL via a signed benign binary to decrypt and execute a backdoored payload with plug-in capabilities. The campaign is attributed with medium confidence to the Chinese state-backed RedFoxtrot group, targeting So…
Check Point Research shows how state-sponsored APT groups are exploiting the Russia-Ukraine war to run cyber-espionage campaigns worldwide, using war-themed spear-phishing, decoy documents, and multi-stage payloads against financial, governmental, and energy s…
Securonix Threat Labs analyzes a currently unpatched zero-day in Spring Core (Spring4Shell) and its potential for remote code execution, outlining exploit mechanics, scope, and defense. The report covers how the vulnerability differs from Log4j, mitigation/det…
FortiGuard Labs uncovered a spearphishing operation targeting a Kyiv fuel company that used a spoofed invoice to entice a recipient to open a zipped attachment containing an ISO image that drops the IcedID banking Trojan. The actors use a LNK shortcut and Regs…
FortiEDR detected a Deep Panda operation exploiting the Log4Shell flaw in VMware Horizon servers, resulting in opportunistic infections across multiple sectors and countries. The campaign introduced a backdoor called Milestone and a novel kernel rootkit named …
Cisco Talos reports a new Transparent Tribe campaign targeting Indian government and military entities, deploying CrimsonRAT alongside bespoke stagers and implants. The operation uses fake domains mimicking legitimate government sites and multiple delivery met…
Emotet—a modular banking trojan that can download other malware such as TrickBot and IcedID—has re-emerged, with Cisco GTA enhancing detection coverage for its latest wave. The article details its infection flow, PowerShell payload chain, observable IOCs, and …
Purple Fox is a long-standing threat that has evolved with a new arrival vector and early access loaders, distributing trojanized installers masquerading as legitimate apps. This campaign expands the botnet by introducing new payloads, including a FatalRAT var…
A new IcedID campaign uses conversation hijacking in phishing emails delivered from compromised Microsoft Exchange accounts to drop the IcedID loader. The operation shifts from office documents to ISO attachments, uses regsvr32 to proxy-run a DLL, and targets …
ThreatLabz analyzed Conti ransomware’s January 2022 update, noting it appeared before the February 2022 leaks but continued attacks afterward and added encryption and evasion improvements. The update introduced Safe Mode boot encryption, new command-line optio…
Juniper Threat Labs uncovered a Muhstik-bot variant that targets Redis servers via CVE-2022-0543 in Redis Debian packages, enabling code execution through a Lua sandbox escape. The campaign ties Muhstik activity to prior Confluence and Log4j attacks, deploying a dow…
Ukraine CERT (CERT-UA) ties the Chinese threat actor Scarab to UAC-0026, marking one of the first publicly reported Ukraine-targeted operations by a non-Russian APT. The campaign centers on a HeaderTip backdoor delivered via macro-enabled lure documents and a …