Meduza Stealer is a Windows-targeted data thief designed to exfiltrate browser data, wallet extensions, and other sensitive artifacts while using country exclusions and a server check to stay stealthy. Uptycs analyzes its marketing, distribution, workflow, and…
Tag: DARK WEB
Check Point Research identified ongoing phishing campaigns that abuse legitimate form services to harvest credentials and exfiltrate data, helping attackers evade detection. The attackers rely on HTML attachments masquerading as login pages and employ services…
XeGroup is a long-running threat actor whose re-emergence involves opportunistic operations such as credit-card skimming, fake websites, and data sale on the dark web. The group exploits public-facing applications (notably CVE-2019-18935 on IIS), deploys ASPXS…
AceCryptor is a long-running cryptor that packs tens of malware families and uses extensive obfuscation and anti-analysis techniques to hide its payload. ESET researchers describe its three-layer architecture, diverse distribution, and the scale of its impact …
Brute Ratel remains rare and targeted, with limited real-world use and far fewer detections than Cobalt Strike. Sophos notes that cracked versions and targeted deployments have kept it from becoming the widespread threat feared, while defenders continue to mon…
Akira is a newly observed ransomware strain that uses double-extortion by exfiltrating data before encryption and threatening publication or sale of stolen information. Cyble CRIL documents its behavior, including drive enumeration, file targeting, ransom note…
The article analyzes BlackByte, a Russia-based ransomware operation run as a RaaS that uses double-extortion and has evolved its techniques since 2021, including a shift from C# to Golang and the use of legitimate tools. It also highlights notable incid…
RTM Locker marks the RTM group’s first Linux ransomware binary, targeting Linux, NAS, and ESXi hosts, and appears inspired by Babuk’s leaked source code, using ECDH Curve25519 and ChaCha20 for file encryption. Uptycs provides detection guidance with XDR and YA…
Unit 42 observed a rapid shift toward using IPFS as a vehicle for malicious activity in 2022, spanning phishing, credential theft, C2 communications, and payload delivery. The decentralized, bullet-proof hosting nature of IPFS makes takedowns difficult, enabli…
CrossLock is a Go-based ransomware that encrypts victims’ data and exfiltrates it for double-extortion. It uses ETW event tracing bypass, extensive cleanup of backups and logs, and service disruption to hinder recovery and pressure victims to pay. #CrossLock #…
Two former Conti and FIN7 affiliates are linked to a new backdoor family named Minodo, delivered alongside Dave Loader and other ITG14/ITG23-aligned tooling, with Nemesis infostealer as a key payload. The campaign chain shows cross-group collaboration, overlap…
Typhon Reborn V2 is a rebuilt information stealer with significantly enhanced anti-analysis, anti-VM, and obfuscation capabilities, designed to evade security researchers and detections. It exfiltrates collected data via Telegram and is sold cheaply on undergr…
Fortinet FortiGuard Labs’ bi-weekly Ransomware Roundup highlights Dark Power and PayME100USD, outlining their file-encrypting behavior on Windows and the actor’s apparent data-leak threats, with Fortinet-provided protections and best practices. The report note…
Rhadamanthys is a feature-rich infostealer that debuted on the dark web and has drawn attention for its expansive, “everything on a bagel” design. The Check Point Research analysis covers its multi-stage loader, forensic methods to resolve in-memory API calls,…
Cyble detailed Cl0p ransomware’s global activity, highlighting its shift to a Ransomware-as-a-Service model, double extortion, and multi-vector infection techniques across industries and regions. It also notes Linux variants and a public leak site, with techni…