Cyble researchers exposed a dark web post by a malware developer selling a powerful Windows RAT suite, including XWorm with ransomware and HVNC capabilities. The article details the toolset, persistence and anti-analysis techniques, data exfiltration, and the …
Tag: DEFENSE EVASION
Cyble researchers uncovered a phishing site impersonating Lindesbergs Kommun that delivers Typhon Stealer via a crafted .lnk file and PowerShell to download the payload. The stealer harvests data from browsers, wallets, gaming apps, and messaging tools, with e…
Morphisec Labs details DoNot Team (APT-C-35) updates to their Windows framework (YTY/Jaca), including new modules, a shellcode loader, and an upgraded browser stealer, with a focus on modular delivery and evasion techniques. The post also highlights infection …
Unit 42 analyzes Tropical Scorpius (UNC2596) activity, detailing Cuba Ransomware’s evolution with new tools like ROMCOM RAT, KerberCache, and a kernel driver to defeat defenses, plus its connection to the Industrial Spy marketplace. The report covers ransomwar…
APT31 renewed its attacks on Russian media and energy companies by leveraging a malicious document that loads a VMProtect-packed payload, linking the activity to the APT31 toolkit. The campaign uses cloud storage services (notably Yandex.Disk) as C2 to blend i…
Avast Threat Labs uncovered a targeted zero-day in Google Chrome (CVE-2022-2294) used in the wild to attack Avast users in the Middle East, including Lebanese journalists. The campaign combined watering hole attacks, a Chrome WebRTC exploit chain, and a BYOVD …
Threat researchers observed a new attack campaign named STIFF#BIZON targeting high-value targets in the Czech Republic, Poland, and other countries, with artifacts possibly linked to North Korea’s APT37 (Konni). The campaign uses a multi-stage infection chain …
CloudMensis is a macOS backdoor that spies on victims by exfiltrating documents, keystrokes, and screen captures, and communicates with its operators exclusively via public cloud storage services. It uses a two-stage architecture where the first stage download…
NukeSped RAT is a Windows-based remote access trojan attributed to the Lazarus Group that uses phishing Word documents with malicious macros to drop staged payloads. It exfiltrates data, captures keystrokes and screenshots, and downloads additional payloads, e…
Cyber threat actors, including state-sponsored APT groups, continue to exploit CVE-2021-44228 (Log4Shell) in unpatched VMware Horizon and Unified Access Gateway (UAG) servers to gain initial access and move laterally within organizations. They deploy loader ma…
Bitter (T-APT-17) continues to target Bangladesh, employing a multi-stage infection chain beginning with an Excel Maldoc that exploits CVE-2018-0798 to drop additional payloads. The operation culminates in Almond RAT, a .NET-based backdoor that uses AES-CBC en…
Raccoon Stealer v2 marks a notable revival of the information stealer brand, with early signs of life detected in 2022 as servers and administration panels surfaced. SEKOIA.IO documents a refreshed build, renewed distribution, and a plan to scale behind a rede…
QBot (QakBot) is a long-standing banking trojan that steals credentials and is spread via spam emails with macro-enabled Office documents. The article highlights two recent distribution methods (XLSB with hidden payload sheets and XLTM macro templates), detail…
Cyble Research Labs identified an Android malware variant distributed via the Play Store that acts as a Hostile Downloader to fetch the Hydra Banking Trojan. The app masquerades as Document Manager, uses fake update prompts, and communicates with a TOR-enabled…
PureCrypter is a fully featured loader sold since 2021 that distributes a range of remote access trojans and information stealers. It uses a .NET-based, obfuscated, and encrypted delivery chain with protobuf-configured options for persistence, injection, and d…