FortiGuard Labs and PolySwarm analyzed UDPGangster, a UDP-based backdoor tied to the MuddyWater threat actor that targets users in Turkey, Israel, and Azerbaijan via phishing emails containing macro-enabled Word documents. The malware uses UDP C2 on port 1269, extensive anti-analysis checks, persistence via AppData and registry run keys, and supports commands for remote execution, file exfiltration, payload deployment, and C2 updates. #UDPGangster #MuddyWater
ClickFix pages hosted via compromised legitimate websites were used to trick victims into downloading and executing a batch file that installed NetSupport Manager (NetSupport RAT), which contacted a C2 server and delivered a sideloaded malicious DLL that executed StealC V2. Stolen credentials harvested by StealC were then leveraged to access a Fortinet VPN and ultimately enable Qilin ransomware deployment. #StealC #Qilin
CYFIRMA analyzed a targeted APT-36 campaign that used a malicious Windows shortcut masquerading as a government advisory PDF to retrieve an MSI installer which deployed a .NET loader, malicious DLLs (including wininet.dll), dropped a decoy PDF, and established registry-run persistence via an HTA. Although the C2 domain wmiprovider[.]com was inactive during analysis, the loader contains obfuscated HTTP endpoints that enable remote command execution and long-term access. #APT36 #NCERT_Whatsapp_Advisory
Zscaler Threat Hunting uncovered a targeted espionage campaign impersonating the Income Tax Department of India that uses URL shorteners and public file hosting to deliver a DLL side-loading implant linked to SideWinder activity. The campaign leverages signed Microsoft binaries (SenseCE.exe) to load a malicious MpGear.dll, performs timezone-based geofencing for India (UTC+5:30), and communicates with C2 servers to deploy a resident agent. #SideWinder #SenseCE
CRIL identified a commodity loader used by multiple threat actors in targeted email campaigns that primarily impacted Manufacturing and Government organizations in Italy, Finland, and Saudi Arabia. The multi-stage, fileless infection chain uses weaponized Office documents (CVE-2017-11882), steganographic PNGs hosted on Archive.org, trojanized TaskScheduler assemblies, reflective loading and process hollowing to deliver payloads such as PureLog Stealer to a C2 at 38.49.210[.]241. #PureLogStealer #TaskScheduler
Multiple threat actors are exploiting OAuth device code authentication to compromise Microsoft 365 accounts through sophisticated phishing attacks. These campaigns involve tricking users into authorizing malicious applications without stealing passwords or bypassing MFA, with attacks increasing since September. #TA2723 #Graphish
A Russia-aligned threat group, UNK_AcademicFlare, has been conducting a phishing campaign targeting Microsoft 365 credentials to facilitate account takeovers. The campaigns exploit device code authentication workflows and involve compromised emails from government and military sources. #UNK_AcademicFlare #DeviceCodePhishing…
ESET Research uncovered a new China-aligned threat group, LongNosedGoblin, exploiting Windows Group Policy for malware deployment and lateral movement in government networks. The group uses cloud services like OneDrive and Google Drive for command and control, deploying sophisticated surveillance tools to conduct long-term espionage. #LongNosedGoblin #GroupPolicy #EspionageTools…
ESET discovered a previously undocumented China-aligned APT group, LongNosedGoblin, using Group Policy and cloud services to deploy a diverse C#/.NET toolset for cyberespionage against governmental entities in Southeast Asia and Japan. The toolset includes NosyHistorian (browser-history collection), NosyDoor (OneDrive-based backdoor with AppDomainManager injection), NosyStealer, NosyDownloader, NosyLogger, and supporting utilities. #LongNosedGoblin #NosyDoor
Acronis TRU and Hunt.io collaborated to map DPRK-linked infrastructure, uncovering reused certificates, open directories staging credential-theft toolkits, FRP tunneling nodes, and a new Linux variant of the Badcall backdoor tied to Lazarus and Kimsuky activity. The report shows repeatable operational patterns—identical FRP deployments on port 9999, exposed HTTP staging directories, and certificate reuse across RDP/TLS hosts—that enable defenders to pivot on infrastructure indicators to reveal related DPRK campaigns. #Lazarus #Badcall
Proofpoint observed multiple state-aligned and financially motivated threat clusters abusing the OAuth 2.0 device authorization grant flow and social-engineering lures (embedded URLs and QR codes) to trick users into approving malicious applications and grant attackers access to Microsoft 365 accounts. These campaigns leveraged tools and kits such as SquarePhish2 and Graphish…
A new China-linked threat group called LongNosedGoblin has been targeting government agencies in Southeast Asia and Japan for cyber espionage since September 2023. The group employs advanced tools and techniques, including Group Policy, cloud services, and custom malware, to infiltrate and spy on victims. #LongNosedGoblin #CyberEspionage…
ClickFix social-engineering pages on compromised websites led victims to download and run a batch that installed NetSupport Manager (NetSupport RAT), which connected to a C2 and delivered a sideloaded StealC V2 infostealer. Stolen credentials harvested by StealC appear to have been used to access a Fortinet VPN and enable a subsequent Qilin ransomware deployment. #StealC_V2 #Qilin
pathfinding.cloud is an open-source knowledge base that documents over 60 AWS IAM privilege escalation paths with prerequisites, exploitation steps, remediation, and tooling coverage. It standardizes each path with unique IDs and machine-readable YAML so security teams and tool authors can identify detection gaps and contribute fixes. #pathfinding.cloud #AWS
A coordinated YouTube Ghost Network campaign used compromised accounts to distribute obfuscated Node.js malware (GachiLoader) that retrieves or drops a second-stage loader (Kidkadi) which employs a novel PE injection method abusing Vectored Exception Handling to load malicious payloads such as the Rhadamanthys infostealer. Check Point Research released a Node.js Tracer to defeat anti-analysis checks and reproduced the injection technique (Vectored Overloading) as a PoC for researchers. #GachiLoader #Rhadamanthys