A Lazarus threat actor campaign used a Trojanized DeFi application to deliver a full-featured backdoor, targeting cryptocurrency and DeFi services through multi-stage C2 infrastructure hosted on South Korean servers. The backdoor communicates via HTTP with RC4…
Tag: DEFENSE EVASION
The Stolen Images campaign used IcedID as the initial access vector to drop Cobalt Strike beacons, leading to Conti ransomware deployment across a domain. The operation blended off-the-shelf remote-access tools (Atera, Splashtop), multiple Cobalt Strike server…
Morphisec Labs detects a new Remcos Trojan infection chain delivered through financial-themed phishing emails that lure users to open a malicious Excel file. The multi-stage attack uses VBScript and PowerShell to fetch further payloads from a C2, employs persi…
A new IcedID campaign uses conversation hijacking in phishing emails delivered from compromised Microsoft Exchange accounts to drop the IcedID loader. The operation shifts from office documents to ISO attachments, uses regsvr32 to proxy-run a DLL, and targets …
Researchers at ESET uncovered an ongoing Mustang Panda operation using a new Korplug variant, Hodur, noted for its aggressive anti-analysis and memory-only loading chain. The campaign uses European-current-events decoys to target diplomatic missions, research …
APT35 (PHOSPHORUS/UNC2448) leveraged Microsoft Exchange ProxyShell vulnerabilities to gain initial access, deploy web shells, and perform post-exploitation tasks, including credential dumping and payload deployment. The activity appears scripted and automated,…
UNC2891 uses in-memory droppers like STEELCORGI and STEELHOUND to decrypt or encrypt payloads via environment-keying, and operates a broad Unix/Linux toolkit (SUN4ME) for recon, enumeration, and exploitation. The group also deployed Linux/Unix keyloggers (WING…
Talos analyzes how BlackCat/ALPHV operates as a growing ransomware-as-a-service with affiliates linked to prior groups like BlackMatter and DarkSide, outlining how the affiliates evolved the operation and used shared infrastructure. The piece details attack fl…
FBI and CISA warn that Russian state-sponsored cyber actors gained network access by exploiting default MFA configurations and the PrintNightmare vulnerability, enabling document exfiltration from an NGO via compromised credentials and MFA bypass. The advisory…
OverWatch tracked a widespread intrusion campaign that used bundled .msi installers masquerading as legitimate software to download and execute NIGHT SPIDER’s Zloader trojan (and in some cases, Cobalt Strike). The defenders focused on anomalous behavior, low-p…
FortiGuard Labs uncovered a phishing operation masquerading as a purchase order to a Ukrainian manufacturer, delivering Agent Tesla via a PPAM PowerPoint add-in. The campaign uses a multi-stage dropper with Bit.ly and MediaFire stages, ends with PowerShell-bas…
Trend Micro researchers present evidence that Nokoyawa ransomware is likely connected to Hive, sharing parts of the attack chain, tools, and even infrastructure, with most Nokoyawa targets in Argentina. The analysis also highlights similarities and key differe…
CyCraft’s first-hand investigation reveals a China-state-backed operation, dubbed “Operation Cache Panda,” targeting Taiwan’s financial sector through a broad supply-chain attack exploiting software vulnerabilities and deploying multi-stage, memory-resident ma…
In a November 2021 intrusion, threat actors gained a foothold with Qbot (Quakbot) and used Zerologon to elevate to domain admin, enabling Cobalt Strike deployment and broader network compromise. They conducted AD discovery, exfiltrated sensitive documents, and…
Picus Security analyzes LockBit 2.0 ransomware, detailing its evolution as a RaaS operator, its anti-detection techniques, and its methods to disrupt victim recovery and logging. The post also lists IOCs and maps LockBit 2.0 behaviors to MITRE ATT&CK technique…