StellarParticle is CrowdStrike’s tracked campaign tied to COZY BEAR (APT29) and the SolarWinds incident, with activity continuing against multiple organizations. The operation employs novel techniques such as browser cookie theft and O365 service principal hij…
Category: Threat Research
The Belarusian Cyber Partisans disclosed documents related to a railway-targeting incident and discussed that Curated Intelligence member SttyK would study the methods used. The published material outlines an incident aimed at hindering operations and details …
BlackBerry researchers link the Prophet Spider Initial Access Broker (IAB) group to exploiting the Log4j (Log4Shell) vulnerabilities in VMware Horizon to break into organizations. The article outlines IoCs, observed post-exploitation payloads (cryptomining, Co…
KONNI RAT has evolved into a stealthier Remote Administration Tool under the Kimsuky umbrella, with ongoing development and updates to evade detection. The post highlights major changes (AES-protected strings and files, a move away from rundll, and enhanced ob…
Chaes is a Brazil-only banking trojan that uses a multi-stage delivery chain to steal Chrome credentials and intercept logins to Brazilian banking sites. Avast found Chaes artifacts on over 800 compromised WordPress sites in Brazil (700+ with Brazilian TLDs), …
Morphisec identifies a new AsyncRAT delivery campaign that uses an HTML attachment to deliver a base64-encoded ISO file, constructed in-browser and mounted to execute staged loaders. The multi-stage chain includes HTML/JavaScript decoding, reflective .NET inje…
ESET analyzes a watering-hole campaign that delivers a new macOS backdoor named DazzleSpy via a WebKit/Safari exploit chain. Targets were Hong Kong pro-democracy individuals, with infection hosted on amnestyhk.org and other compromised sites like fightforhk.co…
Threat actors deliver multiple malware via malicious PowerPoint Add-Ins and a multi-stage chain that uses cloud services to host payloads. The operation blends phishing, LoLBins, VBS, and PowerShell to drop AgentTesla and a cryptocurrency stealer, with stages …
BRATA continues to evolve with new targets and features, including factory reset, GPS tracking, multi-channel C2 (HTTP and WebSocket), and ongoing monitoring via VNC and keylogging to facilitate unauthorized wire transfers. The report details BRATA variants A,…
A collaborative analysis by a Qianxin team examines a wave of mht/Web Archive-based attacks delivering malicious DLLs via Office macros on Glitch, noting overlaps with OceanLotus but also distinct traits. The operation uses VBA obfuscation, in-memory DLL loadi…
Earth Karkaddan (APT36) is analyzed through its use of CrimsonRAT on Windows and CapraRAT/ObliqueRAT on Android, detailing infection chains based on spear-phishing, USB worms, and malicious macros. The piece also covers C2 communications, persistence mechanism…
Fortinet FortiGuard Labs analyzes a phishing campaign that delivers a STRRAT variant as a direct attachment, bypassing the usual dropper stage. The campaign uses spoofed shipping-themed emails, obfuscated Java payloads, and a mix of C2 communications and crede…
Proofpoint details DTPacker, a two-stage .NET packer/downloader that uses Donald Trump-themed fixed keys to decrypt its second stage and deliver payloads such as Agent Tesla, Ave Maria, AsyncRAT, and FormBook. The campaigns blend varied encoding/obfuscation an…
Gemini Advisory analyzes FIN7’s use of trojanized USB devices (BadUSB) to deliver the IceBot Remote Access Trojan, enabling unauthorized remote access to victims’ networks. The report details the Arduino-based sketch used to infect USB devices, a network of pa…
Korean security researchers found DDoS IRC Bot strains masquerading as adult games, distributed via webhards, using a GoLang-based downloader alongside UDP Rat and Simple-IRC-Botnet. The malware installs through a downloader, persists via a scheduled task, inj…