Netskope analyzed a malicious Word document delivering a backdoor named Menorah attributed to APT34, distributed via spear-phishing and obfuscated VBA. The payload drops a .NET executable, persists via a scheduled task, and communicates with a C2 server over H…
Tag: EDR
In early September 2022, we discovered several new malware samples belonging to the MATA cluster. The campaign had been launched in mid-August 2022 and targeted over a dozen corporations in Eastern Europe from the oil and gas sector and defense industry.
Threat hunting today blends structured methodologies, real-time data analysis, and adaptive automation to uncover anomalies, threats, and attacker activity across logs, networks, and endpoints. The article showcases traditional approaches, a modern futuristic …
Threat actors leveraged malvertising and a Punycode-based domain to impersonate KeePass, directing users to a lookalike site. The campaign delivers a malicious MSIX installer signed to look legitimate, which runs PowerShell code linked to the FakeBat family an…
Vietnamese threat actor clusters are using Malware as a Service infostealers and RATs (DarkGate, Ducktail, Lobshot, Redline stealer) to hit the digital marketing sector, with a strong focus on Facebook Business accounts. The campaigns show heavy overlap in lur…
An under-the-radar malvertising campaign targets Notepad++ users via compromised ad accounts, delivering time-sensitive .hta payloads and decoy Notepad++ pages. It fingerprints VM environments, uses a unique per-user ID, and communicates with a remote C2 domain…
Void Rabisu continues to evolve its ROMCOM backdoor family, delivering a slimmed-down variant (PEAPOD) via a fake Women Political Leaders (WPL) Summit website that lures victims to a OneDrive-hosted SFX downloader signed by Elbor LLC. The installer performs in…
ToddyCat is an advanced APT actor whose latest activity expands its loader and post-exploitation toolkit; the report details how it compromised public-facing servers, loaded a Ninja Trojan, and moved to data collection and exfiltration using multiple loaders and droppe…
ASEC observed the AgentTesla Infostealer being distributed via a spam email that delivers a malicious BAT file. The campaign uses a fileless technique to run AgentTesla in memory, loading a DLL through PowerShell and ultimately stealing browser credentials bef…
APT34 used a malicious spear-phishing document (“MyCv.doc”) that drops a .NET backdoor named Menorah.exe and creates a scheduled task for persistence, then communicates with a hardcoded C2 over HTTP. The malware fingerprints hosts (MD5-based ID), executes shel…
In this report, we share our latest crimeware findings: the ASMCrypt cryptor/loader related to DoubleFinger, a new Lumma stealer and a new version of Zanubis Android banking trojan.
Attackers exploited Bing Chat ads to push users toward malware-laden sites, combining malvertising with phishing-style landing pages. The campaign used a malicious MSI installer and a remote C2 to deliver and fetch payloads after users attempted to download so…
Huntress’ analysis of September 2023 intrusions shows converging adversary tradecraft across multiple victims, emphasizing LOLBins, evasion, and social engineering tied to Netscaler-related activity. The campaign involved obfuscated PowerShell, credential ha…
NSFOCUS Security Labs uncovered AtlasCross, a newly identified APT actor conducting targeted phishing to compromise specific targets. The operation deploys two Trojan horses, DangerAds and AtlasAgent, with strong defense evasion and a standby C2 network. #Atla…
AhnLab’s ASEC reports a malicious LNK file that impersonates the National Tax Service and is being distributed to Korean users via a URL in emails. The dropped payload delivers a multi-stage downloader using PowerShell and VBScript, leading to data collection …