FortiGuard Labs’ Ransomware Roundup highlights Maori, a Linux-targeting ransomware written in Go that encrypts files in the home directory and demands payment for decryption. The report notes ransom notes, contact methods via Tox and onionmail, and Fortinet pr…
Tag: EDR
An unusual phishing campaign known as MEME#4CHAN delivers XWorm payloads through meme-filled PowerShell and obfuscated JavaScript, persisting for months and evolving with new payloads and obfuscation methods. The attack chain starts with phishing Word document…
Red Stinger is an Eastern Europe–focused APT active since 2020, tracked publicly by Malwarebytes and Kaspersky under different aliases, with campaigns targeting Ukraine’s military, transportation, and critical infrastructure. The operation used a repeatable in…
GuLoader (GULoader) campaigns deploy a highly evasive shellcode-based loader using NSIS-based installers delivered via malspam, incorporating XOR-encoded payloads and anti-analysis tricks. The article outlines a three-stage infection chain—shellcode deployment…
ASEC’s RAPIT weekly analysis covers malware statistics from May 1–7, 2023, showing infostealers as the top category and AgentTesla leading the threat landscape. It details the main families (AgentTesla, Formbook, Amadey, GuLoader, Lokibot), their distribution,…
Royal ransomware is a private group formed by former Conti members that has targeted critical infrastructure, notably healthcare, since September 2022. It uses BATLOADER to drop a Cobalt Strike beacon and has expanded to a Linux/ESXi variant, with public extor…
SentinelLabs reports ongoing Kimsuky operations using a new ReconShark component, delivered via targeted spear-phishing, OneDrive-hosted documents, and malicious macros. ReconShark functions as a reconnaissance tool that exfiltrates system and defense-detectio…
EclecticIQ links a spearphishing campaign against Poland’s healthcare sector to Vidar Infostealer, with overlaps to Djvu and LockBit 2.0 ransomware activity, and describes how Vidar collects sensitive data and exfilt…
Checkpoint Research tracks how ROKRAT’s deployment has evolved into LNK-based, multi-stage infection chains that bypass macro restrictions, showing a shift from documents with macros to oversized LNK loaders. The campaigns target South Korean affairs, link to …
FortiGuard Labs analyzes the UNIZA ransomware, a Windows-targeting variant that encrypts user files and displays its ransom message via the Command Prompt. It also notes the likely phishing-based infection vector, limited current spread, and Fortinet protectio…
BellaCiao is a highly customized dropper linked to Charming Kitten (APT35) that targets US, European, Middle Eastern, and Indian victims with victim-specific data and C2 communication. The implant combines a tailored payload, a DNS-based command channel, and m…
RedEyes (ScarCruft/APT37) has expanded its toolkit by distributing RokRAT via LNK files. The LNKs trigger PowerShell to create and execute payloads in the Temp folder, download encoded data from cloud storage, and deploy RokRAT to harvest credentials. Hashtags…
Infoblox identifies a rare DNS-based toolkit named Decoy Dog, built around the Pupy RAT, observed in enterprise networks through DNS beacons and encrypted DNS traffic. The report links possible Earth Berberoka activity and outlines three infrastructure models …
OCX#HARVESTER is a threat campaign by Securonix Threat Labs leveraging the More_eggs malware suite to target financial-sector victims, with activity observed from late 2022 through early 2023 and new C2 infrastructure shifts. The campaign uses image-based LNK …
AuKill is a defense-evasion tool that exploits an outdated Microsoft Process Explorer driver to disable EDR protections and then deploys ransomware, with multiple variants observed since 2023. The technique, a BYOVD (bring-your-own vulnerable driver) approach,…