An NCC Group incident response analysis dives into Medusa ransomware activities, detailing initial access via an external web server, web shells, PowerShell abuse, credential dumping, defense evasion, data exfiltration, and the deployment of Medusa ransomware.…
Tag: DARK WEB
Researchers identified a fresh Gootloader variant named “GootBot” that adds lateral movement and stealth to post-infection activity. It uses hardcoded C2 servers on compromised WordPress sites and avoids common off-the-shelf tools to deploy additional payloads…
CYFIRMA highlights Good Day ransomware, an ARCrypter family member that disguises itself as a Microsoft Windows Update and employs stealthy techniques (such as VSS deletion and debugger detection) while encrypting files and exfiltrating data. The report also covers related…
In this report, we share our latest crimeware findings: GoPIX targeting PIX payment system; Lumar stealing files and passwords; Rhysida ransomware supporting old Windows.
ExelaStealer is a new Python-based infostealer distributed as both an open-source project and a paid, customizable build that targets Windows to harvest browser credentials, cookies, clipboard contents, screenshots, and keystrokes. FortiGuard Labs’ analysis sh…
Threat hunting today blends structured methodologies, real-time data analysis, and adaptive automation to uncover anomalies, threats, and attacker activity across logs, networks, and endpoints. The article showcases traditional approaches, a modern futuristic …
Threat actors behind the “ClearFake” campaign have shifted from Cloudflare Workers to hosting malicious JavaScript payloads inside Binance Smart Chain (BSC) smart contracts, allowing read-only eth_call requests from compromised WordPress sites to retrieve and …
Cyble CRIL identifies a spear-phishing campaign against a Russian semiconductor supplier that exploits the WinRAR CVE-2023-38831 vulnerability to drop the Mythic Athena agent. Athena, a Mythic C2 agent, provides a broad set of post-exploitation commands for re…
Talos reports that Qakbot-affiliated actors have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails since early August 2023, continuing despite the FBI’s late August 2023 infrastructure seizure. The operation suggests the de…
Menlo Labs uncovered a targeted phishing campaign using the EvilProxy kit to impersonate Microsoft via Indeed open redirects, enabling session cookie theft and MFA bypass. The operation targeted US executives across financial services, property management/real…
Ransomed.vc has shifted from an underground forum to a high‑velocity ransomware operation, announcing an extortion target on Japan’s NTT Docomo after leaking Sony data. The group leans on supply‑chain perceptions, GDPR‑pressure rhetoric, and a growing affiliat…
Smishing Triad has expanded its UAE-focused operations, using domain registrations via Gname.com to host fake Emirates Post lures and geo-targeted delivery of smishing pages. The group hijacks iCloud accounts to send iMessages, leverages Dark Web data for geo-…
NoEscape Ransomware emerged in 2023 as a RaaS, closely tied to Avaddon through similar encryption and deployment tactics, while expanding to Windows and Linux payloads and leveraging a TOR-based platform for victim disclosure. It combines multi-extortion with…
CyberCX DFIR describes Akira ransomware leveraging Hyper-V to deploy on new, unmonitored VMs to bypass EDR, causing widespread damage to attached VMs. The piece also covers attacker methods from initial access to post-exploitation, defense evasion with BYOVD t…
eSentire intercepted three LockBit affiliate ransomware attacks aimed at an MSP and two manufacturers, halting them before widespread impact. The report highlights how attackers used RMM tools and remote-access software—and even brought their own tools—to prop…