Aoqin Dragon is a long-running Chinese-speaking APT tracked by SentinelLabs, active since 2013 and targeting government, education, and telecom organizations in Southeast Asia and Australia. The group uses document exploits, fake removable devices, DLL hijacki…
Tag: DEFENSE EVASION
Researchers document Black Basta’s observed TTPs during a recent incident response, detailing lateral movement, defense evasion, discovery, and encryption activities against Hyper-V environments and Veeam backups. The post also provides a technical breakdown o…
Threat actors exploited CVE-2021-44077 to gain initial access to an internet-facing ManageEngine SupportCenter Plus instance, planted a web shell, and began days-long data exfiltration via web shell and RDP. The operation involved Plink-based SSH tunneling, LS…
Mindware is a ransomware operation active since March 2022, likely a rebrand of SFile, with attacks across healthcare and other sectors. It leverages Reflective DLL Injection, encrypts targeted files, and uses a public leaks site to pressure victims, including…
UNC2165 is analyzed as overlapping with Evil Corp activities and shifting toward ransomware deployments such as HADES and LOCKBIT, leveraging FAKEUPDATES, BEACON, and post-exploitation techniques to breach networks while evading sanctions. The report traces th…
Cyble researchers found a threat actor distributing fake PoCs for CVE-2022-26809 and CVE-2022-24500 on GitHub, targeting the Infosec community. The culprit malware is a .NET binary packed with ConfuserEX that displays fake exploit messages and then calls Power…
Space Pirates is an Asia-rooted advanced threat group whose activities span several backdoors and loaders, targeting government and aerospace/energy sectors in Russia, Georgia, and Mongolia. The report ties Space Pirates to multiple other APTs and tooling exch…
CISA warns that malicious actors linked to APT activity are exploiting CVE-2022-22954 and CVE-2022-22960 in VMware Workspace ONE Access and related products to achieve remote code execution and root-level access, chaining vulnerabilities for full system contro…
FortiGuard Labs reports a Chaos ransomware variant that appears to side with Russia, delivering destructive payloads and offering no decryption option. The malware encrypts small files with AES-256 (RSA-wrapped keys) and fills larger files with random data, wh…
Onyx is a ransomware observed in April 2022 that encrypts files, appends the .ampkcz extension, and leaves a readme.txt ransom note. It uses several evasion, persistence, and exfiltration techniques, including process checks, startup-folder modifications, and …
Threat actors lure Germans with updates about the Ukraine crisis via a decoy Baden-Württemberg site, delivering a PowerShell-based RAT that can steal data and execute commands. The operation uses AMSI bypass, creates a persistent scheduled task, and exfiltrate…
Cisco Talos detects an ongoing Bitter APT operation targeting Bangladesh since August 2021, featuring a new Trojan called ZxxZ with remote file execution capabilities. The campaign employs spear-phishing with Office exploits and a C2 infrastructure that uses A…
Orion Threat Research Team uncovered BumbleBee, a new loader used by Initial Access Brokers to deploy campaigns and inject Cobalt Strike into victims’ memory. The operation leverages spoofed identities and ISO-based delivery via TransferXL to lure users, with …
SolarMarker has evolved into a multi-stage threat delivering backdoors and infostealers, primarily via SEO-driven campaigns that lure users to download malicious documents. It exfiltrates browser data, can transfer files, and executes commands from a C2, while …
Trend Micro’s Managed XDR team uncovered a campaign where SocGholish drops a BLISTER loader that in turn delivers the LockBit ransomware, highlighting layered evasion and loader-to-beacon chaining. The investigation details how these loaders operate together, …