Brute Ratel C4 is a Red Team & Adversary Simulation software that can be considered an alternative to Cobalt Strike. This analysis focuses on a Brute Ratel badger/agent that uses API hashing, a configurable C2 with a user-agent, password, and encryption key, a…
Tag: EDR
Two recent campaigns show DarkGate Loader being spread via phishing emails, using MSI and VBScript payloads to eventually deliver the DarkGate malware, with automated analysis identifying the actor behind it and the MaaS-style affiliate model. The campaign com…
Scattered Spider (UNC3944, Scatter Swine, Muddled Libra) is a financially motivated threat actor active since May 2022, primarily targeting telecom and BPO sectors and expanding to critical infrastructure. The group relies on social engineering, signed kernel …
Microsoft identifies Flax Typhoon as a China-based state actor targeting Taiwanese organizations for espionage, emphasizing long-term access with minimal malware and reliance on built-in OS tools and legitimate software. The activity aims to quietly persist in…
Fortinet’s FortiGuard Labs’ Ransomware Roundup highlights Trash Panda and a new minor NoCry variant, describing infection details and defenses. Trash Panda encrypts files on Windows, replaces the desktop wallpaper, and drops a politically themed ransom note. #…
QwixxRAT is a new remote access trojan distributed via Telegram and Discord that silently infiltrates Windows devices to steal data and enable remote control. It combines broad data exfiltration, keylogging, screen and clipboard capture, and extensive anti-ana…
YAMA is a memory-analysis tool from JPCERT/CC that detects hidden malware by scanning the live memory of Windows machines using custom YARA rules, addressing obfuscated and fileless threats. It is easy to deploy across devices and can export results in text or…
FortiGuard Labs identified a Rust injector chain that loads XWorm and Remcos via SYK Crypter, delivered through a phishing workflow starting with a malicious PDF. The operation leverages the Red Team tool Freeze.rs, Base64/LZMA encoding, and PowerShell to bypa…
ASEC reports the distribution of malware disguised as coin exchange and investment content, delivered as self-extracting executables and Word documents. The operation is attributed to the Kimsuky group, and it uses macros, scripting, and URL-based commands to …
FortiGuard Labs’ bi-weekly Ransomware Roundup covers the DoDo and Proton variants, detailing their infection vectors, encryption behavior, and observed indicators, along with Fortinet protections and recommended defenses. The report highlights DoDo as a Chaos …
Three crimeware families—DarkGate, LokiBot, and Emotet—are described with their infection chains and capabilities, including a four-stage DarkGate loader, a LokiBot phishing campaign, and an Emotet resurgence via OneNote attachments. The report highlights memo…
Cado Security Labs describe P2Pinfect, a Rust-based botnet targeting publicly-accessible Redis deployments with cross-platform Linux and Windows payloads. The malware propagates via Redis replication and module loading, then uses a peer-to-peer C2 network, def…
Avast Threat Labs examines how the newly popular .zip top-level domain is being abused to mislead users into thinking they are downloading files, with many examples mimicking major brands like Microsoft, Google, and Amazon. The piece also details how attackers…
Cyber threat actors use multistage attacks and LOLBins to evade detection while delivering XWorm via WebDAV-enabled infrastructure, with BATLoader and VBScript stages helping drop and execute payloads. The campaign centers on XWorm’s versatility…
Proofpoint identifies WikiLoader, a sophisticated downloader used in multiple Italian-focused campaigns, notable for its evasion techniques and modular, multi-stage chain that culminates in Ursnif delivery. The malware is thought to be rentable to multiple cyb…