Symantec’s Threat Hunter Team links the Redfly espionage group to a ShadowPad-based intrusion targeting a national grid in Asia, with credentials stolen and multiple hosts compromised over as long as six months. The campaign features a ShadowPad variant, Packe…
Tag: CRITICAL INFRASTRUCTURE
Scattered Spider (UNC3944, Scatter Swine, Muddled Libra) is a financially motivated threat actor active since May 2022, primarily targeting telecom and BPO sectors and expanding to critical infrastructure. The group relies on social engineering, signed kernel …
BlackBerry reports Cuba ransomware has rolled out new tools in campaigns targeting U.S. critical infrastructure and a Latin American IT integrator, including the first observed use of CVE-2023-27532 against Veeam. The findings detail evolving TTPs and toolsets…
Chinese Threat Actor Used Modified Cobalt Strike Variant to Attack Taiwanese Critical Infrastructure
A Chinese threat actor operated a modified Cobalt Strike variant, “Cobalt Strike Cat,” to attack Taiwanese government entities and critical infrastructure. The campaign covered recon, exploitation of remote code execution vulnerabilities, credential theft, and…
Volt Typhoon is a China-based state-sponsored actor targeting US critical infrastructure with stealthy post‑compromise credential access and network discovery. The campaign relies on living-off-the-land techniques and traffic proxying through compromised devic…
FBI, CISA, and ACSC describe BianLian ransomware and data-extortion group IOCs and TTPs identified through investigations as of March 2023, noting a shift from double-extortion to exfiltration-based extortion. The advisory covers ini…
Red Stinger is an Eastern Europe–focused APT active since 2020, tracked publicly by Malwarebytes and Kaspersky under different aliases, with campaigns targeting Ukraine’s military, transportation, and critical infrastructure. The operation used a repeatable in…
Royal ransomware is a private group formed by former Conti members that has targeted critical infrastructure, notably healthcare, since September 2022. It uses BATLOADER to drop a Cobalt Strike beacon and has expanded to a Linux/ESXi variant, with public extor…
Symantec’s Threat Hunter Team links a broader X_Trader software supply chain attack to multiple victims, including two critical infrastructure organizations in the energy sector in the U.S. and Europe, plus two other financial trading firms. The operation uses…
Sygnia analyzes RagnarLocker, detailing its double-extortion operations against critical infrastructure and the group’s TTPs, including the use of RMS and AnyDesk for C2 and data exfiltration. The report also offers mitigations and hunting guidance to help org…
The advisory outlines ongoing DPRK state-sponsored ransomware activity targeting Healthcare and Public Health Sector organizations and other critical infrastructure, detailing TTPs, IOCs, and cryptocurrency ransom payments. It also describes how actors acquire…
NoName057(16) is a pro-Russian hacktivist group conducting DDoS campaigns targeting Ukraine, NATO, and other entities, leveraging Telegram, a volunteer-driven DDoS program, and a GitHub-hosted toolkit. The group has impacted several sectors including governmen…
Mallox ransomware activity has surged, driven by a .NET-based loader that downloads encrypted payloads and decrypts them in memory before encryption. The operation targets critical infrastructure, stops GPS-related services, and uses a private chat and leak si…
Microsoft researchers warn that vulnerable Boa web servers embedded in IoT SDKs create supply-chain risk across critical infrastructure by enabling attackers to silently access networks and gather information. The post highlights Boa prevalence, CVEs in RealTe…
Fortinet’s Ragnar Locker Ransomware Roundup explains that Ragnar Locker encrypts files, exfiltrates data, and uses double extortion to pressure victims, including negotiations via a Tor-based site and leaking stolen information on a “Wall of Shame.” It also no…