SlowMist analyzes a North Korean APT operation that carried out a large-scale phishing campaign targeting NFT users, exposing how hundreds of fake NFT domains and decoy mint sites were used to harvest wallet approvals and data. The findings tie this campaign t…
Tag: BLOCKCHAIN
The BlueNoroff group expanded its malware delivery methods to bypass Mark-of-the-Web (MOTW) protections, using ISO and VHD disk images (which do not propagate the MOTW flag to the files inside), and began experimenting with Visual Basic Script, Windows Batch scripts, and a Windows executable. They also operated a…
After nearly a year of being disrupted by Google, the Glupteba malware botnet has again become active, infecting devices worldwide. Google had seriously disrupted the blockchain-enabled botnet in December 2021 by securing court orders for control of its infrastructure…
Threat actors are increasingly using blockchain to hide and distribute malicious data and C2 instructions. Nozomi Networks researchers track Glupteba activity on the Bitcoin blockchain, showing how OP_RETURN data, XOR encryption, and Tor-based C2 are used, wit…
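The blockchain dead-drop described above, as an added example (this is not Nozomi's code and not Glupteba's actual key or wire format): an OP_RETURN output script is parsed, the pushed payload is XOR-decrypted with a key, and the result is checked for looking like a hostname before it is accepted as a C2 address. The key, the hostname and the transaction script are constructed here for illustration; the real botnet's key material is not given on this page.

```python
# Added example: recovering a C2 hostname from a Bitcoin OP_RETURN output.
# Key, hostname and script below are CONSTRUCTED for illustration only.
OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D


def build_op_return_script(payload: bytes) -> bytes:
    """Build an OP_RETURN scriptPubKey carrying `payload` (used here to construct the sample)."""
    n = len(payload)
    if n < OP_PUSHDATA1:                       # 1..75 bytes: direct push opcode
        push = bytes([n])
    elif n <= 0xFF:                            # 76..255 bytes: OP_PUSHDATA1 <len>
        push = bytes([OP_PUSHDATA1, n])
    elif n <= 0xFFFF:                          # OP_PUSHDATA2 <len LE16>
        push = bytes([OP_PUSHDATA2]) + n.to_bytes(2, "little")
    else:
        raise ValueError("payload too large for a single push")
    return bytes([OP_RETURN]) + push + payload


def op_return_payload(script: bytes):
    """Return the bytes pushed after OP_RETURN, or None for any other script shape."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    op, i = script[1], 2
    if op < OP_PUSHDATA1:
        n = op
    elif op == OP_PUSHDATA1 and len(script) >= 3:
        n, i = script[2], 3
    elif op == OP_PUSHDATA2 and len(script) >= 4:
        n, i = int.from_bytes(script[2:4], "little"), 4
    else:
        return None
    data = script[i:i + n]
    return data if len(data) == n else None    # truncated push -> reject


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_c2(script_hex: str, key: bytes):
    """Decode an output script and return the C2 hostname it carries, or None."""
    payload = op_return_payload(bytes.fromhex(script_hex))
    if payload is None:
        return None
    try:
        text = xor_crypt(payload, key).decode("ascii")
    except UnicodeDecodeError:
        return None
    # Plausibility check: hostname characters only and at least one label separator.
    if "." not in text or not all(c.isalnum() or c in ".-" for c in text):
        return None
    return text


# Constructed sample: an operator "publishes" a rotated C2 by XOR-ing it into OP_RETURN.
SAMPLE_KEY = b"constructed-demo-key"          # assumption: not Glupteba's real key
SAMPLE_C2 = "rotated-c2.example"              # assumption: illustrative hostname
SAMPLE_SCRIPT_HEX = build_op_return_script(xor_crypt(SAMPLE_C2.encode(), SAMPLE_KEY)).hex()
# A standard P2PKH script (OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG) for contrast.
P2PKH_SCRIPT_HEX = "76a914" + "00" * 20 + "88ac"

if __name__ == "__main__":
    print("OP_RETURN script:", SAMPLE_SCRIPT_HEX)
    print("recovered C2    :", extract_c2(SAMPLE_SCRIPT_HEX, SAMPLE_KEY))
    print("P2PKH output    :", extract_c2(P2PKH_SCRIPT_HEX, SAMPLE_KEY))
```

In practice the scripts come from the `scriptPubKey` of outputs in transactions sent by a hardcoded wallet address, which is what gives defenders a stable indicator: the address is public and its transaction history can be watched for new OP_RETURN pushes.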
ThreatFabric researchers describe a multi-platform campaign that binds malicious payloads to legitimate apps via a darknet service called Zombinder, delivering Android banking trojan Ermac alongside Windows desktop malware (Erbium, Aurora, Laplas, and Xenomorp…
ViperSoftX is a long-running information stealer that hides inside large system log files and uses multi-stage PowerShell payloads to drop VenomSoftX, a browser extension that performs man-in-the-browser attacks to steal cryptocurrency. The campaign spreads ma…
Water Labbu is a threat actor that parasitically hijacks scam DApp websites by injecting malicious JavaScript to steal cryptocurrency. The campaign uses injected payloads and delivery servers to obtain wallet permissions and drain USDT balances, disguising act…
NFT-001 is a crypto/NFT malware campaign that evolved into a more evasive staged downloader delivering Remcos RAT, with phishing used to lure victims and a multi-stage payload chain designed to bypass defenses. The threat actor relies on private messages, DLL …
Trend Micro tracks CopperStealer’s new campaign, which distributes a malicious Chromium-based browser extension to steal cryptocurrencies and wallet keys. The operation uses a multi-stage dropper, heavy JavaScript obfuscation, and browser-configuration manipul…
Orchard is a botnet family that uses a domain generation algorithm (DGA) to produce its C2 domains, feeding Bitcoin wallet transaction data into the DGA so that the output is harder to predict in advance. It has evolved across three versions since 2021, combining hardcoded DuckDNS domains wi…
Researchers analyze CrowdStrike’s Adversary Quest 2022 CATAPULT SPIDER track, which centers on a Dogecoin-driven ransomware campaign leveraging CHM phishing, encoded PowerShell, and a Dogecoin-based C2. The storyline uncovers multi-stage payloads, a vulnerable…
IPFS is being used as a new platform for phishing, hosting content across a decentralized network and complicating takedowns. The article surveys IPFS phishing URLs, highlighting the services attackers abuse (Infura IPFS, Filebase/IPFS, NFT Storage, Surge.sh) …
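A triage helper for the IPFS phishing URLs the survey discusses, as an added example (not the article's own code): it recognises the three ways a content identifier (CID) appears in a URL, as an `ipfs://` scheme, as a `/ipfs/<cid>` path on a gateway, or as a `<cid>.ipfs.<gateway>` subdomain, validates the CID shape, and flags whether the gateway is in a known list. The gateway list is a starting set assumed here, not one taken from the article, and the CIDs and URLs are constructed.

```python
# Added example: extracting IPFS CIDs from phishing-style URLs. Sample data is CONSTRUCTED.
import re
from urllib.parse import urlparse

# CIDv0: base58btc multihash, always "Qm" + 44 chars for sha2-256.
CIDV0 = re.compile(r"^Qm[1-9A-HJ-NP-Za-km-z]{44}$")
# CIDv1 as usually seen in URLs: multibase prefix 'b' (base32, lowercase) then base32 digits.
CIDV1_BASE32 = re.compile(r"^b[a-z2-7]{20,}$")

# Assumption: a starting list of public gateways, not an exhaustive or authoritative one.
KNOWN_GATEWAYS = (
    "ipfs.io", "dweb.link", "infura-ipfs.io", "ipfs.infura.io",
    "nftstorage.link", "w3s.link", "ipfs.filebase.io",
    "cloudflare-ipfs.com", "gateway.pinata.cloud",
)


def looks_like_cid(s: str) -> bool:
    return bool(CIDV0.match(s) or CIDV1_BASE32.match(s))


def ipfs_reference(url: str):
    """Return {'cid', 'style', 'gateway'} if the URL references IPFS content, else None."""
    p = urlparse(url.strip())
    if p.scheme == "ipfs":                             # ipfs://<cid>/path
        cid = p.netloc
        return {"cid": cid, "style": "scheme", "gateway": None} if looks_like_cid(cid) else None
    host = (p.hostname or "").lower()
    parts = [seg for seg in p.path.split("/") if seg]
    if len(parts) >= 2 and parts[0] == "ipfs" and looks_like_cid(parts[1]):
        return {"cid": parts[1], "style": "path", "gateway": host}        # https://gw/ipfs/<cid>
    labels = host.split(".")
    if len(labels) >= 3 and labels[1] == "ipfs" and looks_like_cid(labels[0]):
        return {"cid": labels[0], "style": "subdomain", "gateway": ".".join(labels[2:])}
    return None


def is_known_gateway(host) -> bool:
    return host is not None and any(host == g or host.endswith("." + g) for g in KNOWN_GATEWAYS)


def triage(urls):
    """Run ipfs_reference over a list of URLs and annotate each hit with the gateway verdict."""
    hits = []
    for u in urls:
        ref = ipfs_reference(u)
        if ref:
            ref["url"] = u
            ref["known_gateway"] = is_known_gateway(ref["gateway"])
            hits.append(ref)
    return hits


# Constructed CIDs (valid shape, not real content) and constructed URLs.
SAMPLE_CIDV0 = "Qm" + "x1" * 22                       # 46 chars, base58 alphabet
SAMPLE_CIDV1 = "bafybei" + "a" * 52                   # 59 chars, base32 lowercase
SAMPLE_URLS = [
    "https://ipfs.io/ipfs/" + SAMPLE_CIDV0 + "/login.html",
    "https://" + SAMPLE_CIDV1 + ".ipfs.dweb.link/",
    "https://" + SAMPLE_CIDV1 + ".ipfs.nftstorage.link/wallet-connect.html",
    "ipfs://" + SAMPLE_CIDV1 + "/index.html",
    "https://example.com/ipfs/not-a-cid",               # path looks IPFS-ish but CID is invalid
    "https://login.example.com/reset",                 # ordinary URL, no IPFS reference
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_URLS):
        print(hit["style"], hit["gateway"], hit["known_gateway"], hit["cid"][:12] + "...")
```

Because the same CID can be served by any gateway, pivoting on the CID rather than the hostname is what lets you find the other copies of a phishing page after one gateway URL is reported; blocking only the first hostname does nothing to the content.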
The FakeCrack campaign lures users with fake cracked software and delivers a crypto-stealing malware that collects browser data, crypto wallets, and other sensitive information. It relies on a broad delivery infrastructure, password-protected ZIP payloads, and…
DeadBolt ransomware targeted NAS devices (notably QNAP and ASUSTOR) with a multitiered extortion scheme that includes both victim and vendor payout options and a web-based ransom interface. The report highlights DeadBolt’s configuration-driven, automated appro…
A Lazarus threat actor campaign used a Trojanized DeFi application to deliver a full-featured backdoor, targeting cryptocurrency and DeFi services through multi-stage C2 infrastructure hosted on South Korean servers. The backdoor communicates via HTTP with RC4…