Sekoia.io reviews cyber operations against past Olympic Games and assesses likely threats to Paris 2024, highlighting state-sponsored sabotage, espionage, hacktivism, and opportunistic cybercrime. Key technical concerns include destructive wiper malware (e.g.,…
Tag: EDR
Sea Turtle is a Turkey-based APT focused on espionage and information theft against European and Middle Eastern targets, including government, NGOs, telecoms, IT services, and Kurdish groups; their operations have evolved to evade detection and involve reverse…
UAC-0050’s Ukrainian-targeted operation leverages RemcosRAT with a Windows pipe-based interprocess communication channel to evade EDR/antivirus defenses and move data covertly. The campaign uses a multi-stage chain (LNK → HTA → VBScript → PowerShell) culminati…
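The two behaviours named in that summary, a LOLBin staging chain ending in PowerShell and a named pipe created by a process that has no business creating one, are both visible in ordinary endpoint telemetry. The following is an added detection example, not code from the UAC-0050 report or from any vendor: it assumes Sysmon-style process-creation (Event ID 1) and pipe-creation (Event ID 17) records already flattened to Python dicts, and the sample events, file paths and pipe name are constructed for the example.

```python
"""Detect an mshta -> script host -> powershell staging chain and pipe creation
by processes outside an allowlist. Added example with constructed events."""

# Constructed Sysmon-style records (eid 1 = process create, eid 17 = pipe created).
# Paths and the pipe name are illustrative, not indicators from the report.
EVENTS = [
    {"eid": 1, "pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"eid": 1, "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\u\AppData\Local\Temp\invoice.hta"'},
    {"eid": 1, "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\stage.vbs"},
    {"eid": 1, "pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc ..."},
    {"eid": 17, "pid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "pipe": r"\examplepipe_1234"},
    # Benign admin activity that must not be flagged.
    {"eid": 1, "pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"eid": 1, "pid": 600, "ppid": 500,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Process"},
    {"eid": 17, "pid": 700, "image": r"C:\Windows\System32\lsass.exe", "pipe": r"\lsass"},
]

# Child-first chain: powershell launched (directly or via a script host) under mshta.
STAGE_CHAIN = ("powershell.exe", ("wscript.exe", "cscript.exe"), "mshta.exe")

# Images that routinely create named pipes on a Windows host (assumed baseline).
PIPE_CREATOR_ALLOWLIST = {"lsass.exe", "services.exe", "svchost.exe", "spoolsv.exe",
                          "winlogon.exe", "csrss.exe", "wininit.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(procs, pid):
    """Image basenames from pid up to the root, child first; stops on unknown or cyclic ppid."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def matches_chain(names, pattern=STAGE_CHAIN):
    """True if names contains the pattern elements in order (gaps allowed)."""
    i = 0
    for n in names:
        want = pattern[i]
        if n == want or (isinstance(want, tuple) and n in want):
            i += 1
            if i == len(pattern):
                return True
    return False


def find_staging_chains(events):
    """(pid, ancestry string) for every powershell whose parents match STAGE_CHAIN."""
    procs = {e["pid"]: e for e in events if e["eid"] == 1}
    hits = []
    for pid, e in procs.items():
        if basename(e["image"]) != "powershell.exe":
            continue
        names = ancestry(procs, pid)
        if matches_chain(names):
            hits.append((pid, " <- ".join(names)))
    return hits


def find_unexpected_pipes(events, allow=PIPE_CREATOR_ALLOWLIST):
    """(pid, image, pipe) for pipe-creation events from non-allowlisted images."""
    return [(e["pid"], basename(e["image"]), e["pipe"])
            for e in events if e["eid"] == 17 and basename(e["image"]) not in allow]


def triage(events):
    """Combine both signals; a pipe created by a chain member is escalated to high."""
    chains = find_staging_chains(events)
    chain_pids = {pid for pid, _ in chains}
    findings = [("high", f"pid {pid}: staging chain {desc}") for pid, desc in chains]
    for pid, image, pipe in find_unexpected_pipes(events):
        sev = "high" if pid in chain_pids else "medium"
        findings.append((sev, f"pid {pid}: {image} created pipe {pipe}"))
    return findings


if __name__ == "__main__":
    for sev, msg in triage(EVENTS):
        print(sev, msg)
```

The ancestry walk is what makes this robust to the chain being padded with extra hops (cmd.exe, conhost.exe) between stages, which is why `matches_chain` allows gaps. Image-name allowlisting for pipe creators is a coarse baseline; in production, key the allowlist on signed image path and learn it from the fleet rather than hard-coding it, and treat any pipe whose name or creator is new for the host as the interesting event.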
FortiGuard Labs highlights 8base, a Windows-targeted ransomware variant likely based on Phobos, delivered via SmokeLoader and featuring data exfiltration and high ransom demands. The write-up covers infection vectors, victimology, encryption behavior, variant …
SOCRadar profiles the Cactus Ransomware Group, detailing its self-encrypting ransomware, evasion techniques, and double-extortion tactics used against organizations worldwide. The piece highlights VPN exploitation, a multi-layer infection chain, and a Tor-base…
Cyble Research and Intelligence Labs detail the QBit RaaS group’s Go-based ransomware and the freely released qBit Stealer source code, highlighting its selective exfiltration approach and use of Mega.nz for uploads, which could expand adoption among new threa…
Play (also known as Playcrypt) is a ransomware group that has targeted organizations across the Americas and Europe since mid-2022, using exploited internet-facing services, valid credentials, and remote access tools to gain access, move laterally, exfiltrate …
The FBI, CISA, and HHS published a joint Cybersecurity Advisory updating indicators of compromise and tactics used by the ALPHV/BlackCat RaaS, noting increased targeting of the healthcare sector and improvements in the ALPHV 2.0 Sphynx encryptor. The advisory …
Unit 42 researchers analyze malicious JavaScript used on phishing and skimming pages to steal passwords, credit card data, and other secrets via chat and survey APIs. The report details evasion tactics such as obfuscation, unusual DOM interactions, and selecti…
ReliaQuest analyzed a September 2023 double extortion incident where data was encrypted and threats were made to publish stolen data. The threat actor used sophisticated TTPs—DLL sideloading, BYOVD to evade EDR, Impacket-based lateral movement, and Rclone-base…
Threat actors are abusing an open-source anti-automation toolkit (Predator) to thwart bot-detection in phishing campaigns. They rely on compromised email accounts, frequent URL-pattern changes, and redirection to legitimate pages to evade security controls whi…
ESET researchers document a series of new OilRig downloaders, all relying on legitimate cloud service providers for C&C communications.
Lumen Black Lotus Labs describes the KV‑botnet, a SOHO router and camera malware campaign that creates multi‑hop covert tunnels and in‑memory payloads to relay data for advanced threat actors. Operators remove competing malware, spawn ephemeral listeners and i…
Unit 42 researchers detail a cluster of related attacks in the Middle East, Africa and the U.S. involving three tools—Agent Racoon backdoor, Ntospy credential-stealing Network Provider DLL, and a Mimilite variant of Mimikatz—that enable credential theft, backd…
APT37 (ScarCruft/Red Eyes) is a North Korean state-sponsored cyber-espionage group active since 2012, primarily targeting South Korea but with operations in many other countries. It has moved to distributing RokRAT via LNK files containing PowerShell commands …