Threat actors exploit timely events with phishing emails to harvest PII and establish footholds, using Emotet delivered through Excel 4.0 macros in tax-season and Ukraine-related scams. Fortinet FortiGuard Labs observed these campaigns and highlights defenses …
Category: Threat Research
Avast Threat Labs identifies Operation Dragon Castling, a Chinese-speaking APT campaign targeting betting companies in Southeast Asia (Taiwan, the Philippines, and Hong Kong). The operation uses a modular toolkit (MulCom backdoor, Proto8 CoreX/Core Module, and W…
ThreatLabz analyzes Thanos-based ransomware variants (Prometheus, Haron, Spook, and Midas) to show how operators shifted tactics in 2021, using RaaS builders, double extortion, and variant revamps to extend campaigns. The Midas variant encrypts files with Sals…
Ukraine CERT (CERT-UA) ties the Chinese threat actor Scarab to UAC-0026, marking one of the first publicly reported Ukraine-targeted operations by a non-Russian APT. The campaign centers on a HeaderTip backdoor delivered via macro-enabled lure documents and a …
TRU and BreakPoint Labs uncovered a Conti affiliate operating an automated Cobalt Strike infrastructure, exposing new domain names, IP addresses, and emails used for command-and-control. The findings link Conti operations to Trickbot, BazarLoader, IcedID, Five…
Deep Instinct’s Threat Research team uncovered a new Go-written Micropsia variant named Arid Gopher attributed to APT-C-23 (Arid Viper), with additional unseen second-stage payloads. The discovery highlights Go-based malware by Arid Viper and its evolving seco…
Phishing email delivers an ISO attached as request.doc that unpacks a CHM loader and Vidar payload. Vidar collects system and browser data, downloads dependencies from Mastodon-based C2, and can fetch additional malware from the same infrastructure. #Vidar #CH…
The article surveys how crypto phishing relies on malvertising, social media campaigns, and fake wallet prompts to steal seed phrases, wallets, and NFTs—from Ledger impersonations to Vitalik Buterin fakery and ApeCoin scams. It also highlights techniques like …
Vidar emerged in 2018 as a copycat of Arkei and has spawned Oski Stealer and Mars Stealer variants. The diary traces how these families rely on legitimate DLLs hosted on their C2 servers and exfiltrate data as zip archives via HTTP POST. #Vidar #OskiStealer #M…
Avast Threat Labs connects Meris, TrickBot, and Glupteba campaigns to a single C2 that covertly controls roughly 230,000 MikroTik routers in a botnet-as-a-service. The research traces exploitation of CVE-2018-14847, wides…
Avast researchers uncovered a password stealer disguised as a private Fortnite server, distributed primarily via Discord with TikTok tutorials guiding victims to download it. The campaign targets Russian gamers, stealing credentials and other information saved…
AvD crypto stealer is a disguise for a Clipper variant that reads and edits clipboard content to swap crypto wallet addresses. The actor offers one month of free access to attract more users, with targets including other threat actors and six supported chains.…
AhnLab ASEC reports ClipBanker being distributed as a malware-creation tool on a site called “Russia black hat,” with attackers bundling both malware and the tool (Quasar RAT builder). The dropper uses crack.exe to launch ClipBanker, which then runs in the bac…
Researchers at ESET uncovered an ongoing Mustang Panda operation using a new Korplug variant, Hodur, noted for its aggressive anti-analysis and memory-only loading chain. The campaign uses decoys based on current European events to target diplomatic missions, research …
ASEC uncovered malware distributed as Windows Help Files (.chm) aimed at Korean users, delivered via compressed email attachments. When opened, the CHM dropper spawns VBScript and PowerShell payloads, persists through a Run key, and downloads a second-stage do…