Proofpoint identifies WikiLoader, a sophisticated downloader used in multiple Italian-focused campaigns, notable for its evasion techniques and modular, multi-stage chain that culminates in Ursnif delivery. The malware is thought to be rentable to multiple cyb…
Tag: EDR
A new ongoing attack campaign tracked as STARK#MULE uses US military recruitment-themed documents to lure victims and runs malware staged from legitimate compromised Korean websites. The attack chain starts with a phishing zip/pdf lure, then PowerShell-based s…
Nitrogen is a new initial-access malware campaign identified by Sophos X-Ops that leverages malvertising and impersonation of legitimate software to drop trojanized installers. The operation targets North American tech and non-profit entities to deploy second-…
Space Pirates, a threat group active since 2017, is profiled by PT ESC with its evolving toolkit and novel attack vectors, including Deed RAT and Voidoor, plus a GitHub- and forum-based C2 approach. The report notes expanded targets in Russia and Serbia across…
Amadey Trojan Stealer is a MaaS-enabled malware that has persisted since 2018, delivering multiple payloads and plugins through a botnet. The post analyzes Amadey’s anti-sandbox behavior, persistence, defense evasion, C2 communications, and data collection cap…
FortiGuard Labs reviews the Cl0p ransomware group’s activities, noting a shift from encrypting victim data to data exfiltration and extortion, often tied to high-profile vulnerabilities like MOVEit Transfer (CVE-2023-34362). The report also highlights the grou…
Mallox is a ransomware operation targeting Windows systems, leveraging unsecured MS-SQL servers as an entry point and using brute-force techniques to gain access. It employs a double-extortion model, steals data before encryption, and is expanding via affiliat…
Fortinet’s FortiGuard Labs analyzes the Rancoz ransomware in its Ransomware Roundup, detailing its Windows-focused encryption, ransom notes, wallpaper change, and potential links to related variants like Buddy ransomware. The report also notes limited victim s…
Lumen Black Lotus Labs uncovered a multi-year campaign that infected SOHO routers with an ARM-targeted Linux RAT named AVrecon to build a covert residential proxy network used for activities like ad fraud and password spraying. The botnet employed a multi-stag…
Criminals are targeting Facebook business accounts by promoting fraudulent Ads Manager software through malicious Chrome extensions that steal login credentials and ad budgets. The campaign uses phishing pages, a disguised extension loaded locally, and data ex…
ASEC reports that the Kimsuky threat group weaponizes Chrome Remote Desktop along with AppleSeed and other remote-access tools to take control of infected machines. The campaign centers on spearphishing with disguised doc…
Microsoft ties a Storm-0978 phishing operation to defense and government targets in Europe and North America, abusing CVE-2023-36884 via Word docs to deliver a RomCom backdoor and related ransomware. The campaign blends espionage-focused credential gathering w…
A Trend Micro analysis uncovers a new signed rootkit loader cluster that acts as a universal kernel-driver loader, enabling second-stage unsigned modules to be loaded in the target system. The activity is linked to a China-based actor (associated with FiveSys)…
A batch-file malware campaign disguises itself as document viewers (Word/HWP) and uses email distribution to download scripts tailored to the target’s anti-malware software. The operation is attributed to the Kimsuky group, leveraging Google Drive/Docs, regist…
AhnLab’s ASEC reports NetSupport RAT distributed via spear phishing emails and phishing pages disguised as invoices, shipment documents, and purchase orders. The campaign uses a malicious JavaScript in a ZIP attachment that, once executed, downloads and runs a…