Redline Stealer is a popular credential stealer distributed via fake software and advertising channels, featuring obfuscation, loader capabilities, and C2 over a non-standard channel. The threat actor uses an AutoIt wrapper, a configurable loader, and a robust…
Tag: DARK WEB
The Cuba Ransomware group Tropical Scorpius is analyzed in relation to its Cuba variant, including attack simulations added by Picus Threat Library. The report maps out a wide set of TTPs from initial access to impact, and notes connections to the Industrial S…
Erbium Stealer is an information-stealing malware distributed as MaaS, observed by CYFIRMA in Aug-2022 and advertised on Russian-speaking forums. It decrypts obfuscated code, drops a DLL in %temp%, loads it via LoadLibraryA, and communicates with a C2 panel an…
Aurora began as a Golang MaaS botnet advertised by Cheshire and Zelizzard, and evolved into an infostealer adopted by multiple traffers, with activity that later slowed and then resurged in different forms. Sekoia.io’s analysis shows multifaceted data collecti…
Recorded Future’s Insikt Group analyzes the threat landscape around the 2022 FIFA World Cup in Qatar, covering state-sponsored cyber operations, cybercrime, influence operations, and physical security threats. The assessment finds no imminent disruptive cyber …
AXLocker, Octocrypt, and Alice ransomware families are analyzed, detailing AXLocker’s file encryption alongside its Discord token theft, and presenting Octocrypt and Alice as RaaS-style offerings with builder tools and wallet-based ransom models. The piece emp…
LNK (Shell Link) files are Windows shortcuts that threat actors increasingly abuse to execute binaries and stage attacks, including delivering payloads via PowerShell, VBScript, or MSHTA. The article explains the LNK file format, how attackers leverage it in s…
Cyble Research and Intelligence Labs tracks SmokeLoader campaigns that carry SystemBC and Raccoon Stealer 2.0 (RecordBreaker) alongside a new clipper named Laplas Clipper targeting cryptocurrency users. Laplas Clipper uses clipboard hijacking to swap wallet ad…
Cyble researchers describe Temp Loader and Temp Stealer, malicious tools advertised on the Dark Web that bundle with cracked software to drop a loader and an information stealer. The malware targets crypto wallets and various data sources, uses anti-VM and Run…
Ransom Cartel emerged as a ransomware-as-a-service operation around late 2021, showing double-extortion techniques and notable overlaps with REvil, including possible ties to REvil’s code and infrastructure. The report analyzes Ransom Cartel’s TTPs, comparison…
FortiGuard Labs analyzed an Excel document delivering Redline malware via CVE-2017-11882. The loader uses in-memory techniques and persistence via Task Scheduler to exfiltrate sensitive data to a C2 server over HTTP using a WCF SOAP channel. Hashtags: #Redline…
Fortinet FortiGuard Labs analyzes phishing-driven malware campaigns in Q3 2022, highlighting the use of HTML Smuggling, Excel 4.0 macros, Word VBA macros, and ISO image delivery to drop Emotet, Qbot, and IcedID. The report details multiple delivery chains and …
Sygnia attributes Cheerscrypt and Night Sky to the same actor, Emperor Dragonfly, a China-based group that rebrands payloads across campaigns. The investigation shows Emperor Dragonfly deploys Windows and ESXi ransomware, uses open-source Go tools, and conduct…
ThreatLabz details a campaign delivering Agent Tesla via a configurable “Quantum Builder,” which creates LNK, HTA, and ISO payloads to execute a multi-stage infection. The campaign uses obfuscated PowerShell, LOLBins, and UAC bypass techniques to obtain admin …
Void Balaur is a prolific cyber mercenary group expanding its hack-for-hire campaigns globally through 2022, continuing to adapt its operations despite disruptions to its advertising personas. The group targets a broad mix of individuals and organizations, foc…