Trend Micro analyzes Earth Preta (Mustang Panda) activity in 2023, detailing new arrival vectors (MIROGO, QMAGENT, TONEDROP) and a TONESHELL variant with a custom C&C protocol. The report also exposes the threat actor’s download infrastructure (fake Google Dri…
Tag: EDR
eSentire’s Threat Response Unit (TRU) has tracked Aurora Stealer infections in the manufacturing sector since December 2022, distributed via fake Google Ads for Notepad++ and other installers. The malware exfiltrates browser data (cookies, autofill, encrypted …
FortiGuard Labs reports on two Big Head ransomware variants targeting Windows consumers, focusing on file encryption and ransom extortion. The campaign employs deception (fake Windows Update and counterfeit software), a PowerShell-based approach in one variant…
Lazarus threat group is actively exploiting multiple vulnerabilities in Korean software, including VestCert and TCO!Stream, as well as previously targeted INISAFE CrossWeb EX and MagicLine4NX, to deploy malware and propagate internally. Despite patches and adv…
Elastic Security Labs details the REF2754 intrusion set, introducing SPECTRALVIPER, P8LOADER, and POWERSEAL and describing how they’re used together to load PE files, impersonate tokens, exfiltrate data, and perform file system manipulation. The research attri…
This article documents how legitimate macOS binaries (LOOBins) such as dscl, osascript/pbpaste, xattr, and curl are abused for discovery, clipboard theft, Gatekeeper bypass, and C2. It provides command examples and detection queries customers can use with EDR/…
IBM X-Force assesses that ITG10 is targeting South Korean government, universities, think tanks, and dissidents with RokRAT delivered via LNK-based phishing. The operation uses decoy documents and multi-stage PowerShell payloads to download RokRAT from the clo…
RedLine Stealer is a credential-stealing malware distributed via phishing URLs, malicious Chrome extensions, and loader chains, with campaigns impacting healthcare and manufacturing sectors. Splunk’s Threat Research Team analyzes a RedLine Loader, its defense …
MOVEit Transfer suffered a critical vulnerability (CVE-2023-34362) that enables SQL injection with potential admin access, arbitrary code execution, and ransomware deployment. Huntress documents the full attack chain, including a persistent webshell (human2.as…
DUCKTAIL is a .NET-based infostealer from Vietnam that targets Social Media Business/Ads accounts to harvest cookies and hijack sessions for ad fraud. It concentrates on HR and Marketing professionals, uses social engineering and ZIP-delivery via file-sharing …
Volt Typhoon is a China-based state-sponsored actor targeting US critical infrastructure with stealthy post‑compromise credential access and network discovery. The campaign relies on living-off-the-land techniques and traffic proxying through compromised devic…
Trend Micro details a February 2023 BlackCat ransomware incident that leveraged a signed kernel driver for defense evasion, enabling attackers to target security tools and processes. The report also highlights how attackers obtained or abused code-signing cert…
Brute Ratel remains rare and targeted, with limited real-world use and far fewer detections than Cobalt Strike. Sophos notes that cracked versions and targeted deployments have kept it from becoming the widespread threat feared, while defenders continue to mon…
FBI, CISA, and ACSC describe BianLian ransomware and data-extortion group IOCs and TTPs identified through investigations as of March 2023, noting a shift from double-extortion to exfiltration-based extortion. The advisory covers ini…
Water Orthrus has launched two campaigns, CopperStealth (rootkit delivery) and CopperPhish (credit card phishing), expanding their toolkit with a new rootkit and phishing modules. The campaigns share code traits with CopperStealer and indicate a shift toward t…