Trend Micro researchers present evidence that Nokoyawa ransomware is likely connected to Hive, sharing parts of the attack chain, tools, and even infrastructure, with most Nokoyawa targets in Argentina. The analysis also highlights similarities and key differe…
Category: Threat Research
Fortinet FortiGuard Labs analyzed a campaign that uses an MS Office Excel macro to deliver the Emotet Trojan, detailing how the macro writes and executes VBScript and PowerShell components to download and run a DLL payload. The research also covers anti-analys…
Proofpoint researchers link TA416 to ongoing European-targeted campaigns using web bugs to profile victims before delivering PlugX payloads, with recent activity showing updates to the PlugX variant and its delivery chain. The operator impersonates diplomatic …
Microsoft Power BI is being impersonated in a credential-harvesting campaign that uses realistic-looking notification emails and fake sign-in pages to collect Microsoft account credentials. The campaign leverages stolen credentials to create believable notific…
TeamTNT is a prolific cryptomining threat actor that has targeted Linux servers for years, evolving from Redis to Docker and now Kubernetes-focused campaigns, with some Windows artifacts observed. The analysis details their TTPs, tools (including Tsunami, Rath…
CyCraft’s first-hand investigation reveals a China-state-backed operation, dubbed “Operation Cache Panda,” targeting Taiwan’s financial sector through a broad supply-chain attack exploiting software vulnerabilities and deploying multi-stage, memory-resident ma…
CryptBot’s latest version is distributed via deceptive crack/tool pages with redirect-heavy delivery, increasing infection risk. The update consolidates C2 communications, removes several infostealing features, and expands Chrome data theft to support newer br…
ASEC researchers trace PseudoManuscrypt distribution in Korea since May 2021, noting it masquerades as a Cryptbot-like installer and is spread via malicious sites surfaced in top search results for illegal software (Crack/Keygen). The malware uses NSIS to drop…
Arkei, a flexible information stealer, now expands to pilfer MFA data in addition to crypto-wallet information, using SmokeLoader as a deployment vector. Its configurable setup and use of legitimate components help it evade detection while exfiltrating data ba…
Cobalt Strike is being distributed to unsecured MS-SQL servers, leveraging brute force, dictionary attacks, and command execution to deploy a memory-based beacon. The campaign overlaps with other malware like Lemon Duck, Kingminer, and Vollgar that abuse port …
Ukrainian banks and government websites were targeted by a moderate DDoS campaign attributed to the Katana botnet, a Mirai variant used to flood services. Preparation for the attack appears to have begun as early as February 13, with delivery through exploited…
In a November 2021 intrusion, threat actors gained a foothold with Qbot (Quakbot) and used Zerologon to elevate to domain admin, enabling Cobalt Strike deployment and broader network compromise. They conducted AD discovery, exfiltrated sensitive documents, and…
A Check Point Research analysis uncovers a coordinated IRIB cyberattack (Jan 2022) that hijacked state TV/radio playout, deployed backdoors, and used a wiper to disrupt broadcasting. The report details tools like SimplePlayout, Winscreeny, HttpCallbackService,…
SentinelLabs tracks TunnelVision, an Iranian-aligned threat actor cluster exploiting VMware Horizon and Log4j vulnerabilities to deploy backdoors, harvest credentials, and move laterally in the Middle East and the US. The operation heavily relies on tunneling …
Remcos RAT was delivered via a phishing email that attached a double-compressed archive, then unpacked to reveal an obfuscated VBScript dropper. The dropper uses a COM object (MSXML2.XMLHTTP.3.0) to fetch a PowerShell-based payload and culminates in a Remcos p…