Uptycs researchers uncovered Poseidon, a Linux backdoor tied to APT-36 (Transparent Tribe), delivered via a tainted Kavach 2FA tool to compromise Indian government-related systems. Poseidon functions as a versatile backdoor offering keystroke logging, screen c…
Tag: EDR
The in2al5d p3in4er loader is a highly evasive component that powers Aurora’s delivery chain. Morphisec explains its anti-VM checks, runtime payload decryption, process hollowing, and decoy-website/social-engineering techniques that rely on YouTube distributio…
Mint Sandstorm (PHOSPHORUS) has refined its tradecraft, rapidly weaponizing N-day vulnerabilities and conducting targeted phishing to access high-value targets in the energy and transportation sectors. The group develops bespoke tooling (Drokbk, Soldier, CharmPower) and…
Trigona is a Delphi-based ransomware that encrypts files using RSA and AES with a novel residual block termination, adds a multi-step decryption workflow, and recently gained a data wiper capability. ThreatLabz notes overlap in tactics with BlackCat/ALPHV, but…
Uptycs researchers identified Zaraza bot, a credential-stealing malware that uses Telegram as its command-and-control channel to collect browser credentials and other sensitive data. It targets 38 web browsers and transmits stolen information to a Telegram ser…
RTM Locker operates as a ransomware-as-a-service with affiliates under strict governance, aiming to stay under the radar and monetize rather than seek headlines. The article provides a technical deep dive into their Windows ransomware, including panel operatio…
ASEC’s RAPIT weekly analysis (Apr 3–9, 2023) shows backdoors as the dominant category (61.1%), followed by infostealers (20.8%), downloaders (16.9%), and ransomware (1.1%). RedLine leads the threat list with over half of detections, with AgentTesla, GuLoader, …
TEHTRIS Threat Hunters document illicit cryptomining activity targeting Linux-based machines, observed on a France-hosted honeypot in January. The campaign, named Color1337, toggles between full-capacity cryptomining using diicot and rebound reconnaissance via…
The post summarizes ongoing Chinese APT activity against EU governments and businesses, highlighting groups, tools, and defensive recommendations. The report details APT27, APT31, APT15, and Mustang Panda campaigns, including Linux and Windows backdoors a…
Trustwave SpiderLabs uncovered Rilide, a new malware strain that hijacks Chromium-based browsers by disguising itself as a Google Drive extension and performing a wide range of actions such as monitoring history, taking screenshots, and injecting scripts to st…
Unit 42 uncovered CryptoClippy, a cryptocurrency clipper that targets Portuguese speakers by watching the clipboard for wallet addresses and replacing them with attacker-controlled addresses. The campaign delivers multi-stage PowerShell loaders via malvertisin…
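The clipper behaviour described above (watch the clipboard, swap a wallet address for an attacker-controlled one) can be hunted from clipboard-write telemetry. The following is an added detection example, not Unit 42's code or anything from the CryptoClippy campaign: it assumes a feed of clipboard-write events carrying a timestamp, the writing process, and the new content (the event shape and the sample events are constructed here), and flags a write that replaces a wallet address with a different address of the same family from another process within a short window. The address regexes are a practical approximation without checksum validation.

```python
import re
from dataclasses import dataclass

# Address families a clipper typically hunts for. Regexes are a practical
# approximation (no checksum validation), which is all a clipper needs too.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipboardEvent:
    ts: float      # seconds since some epoch (assumed telemetry field)
    proc: str      # process that wrote the clipboard (assumed telemetry field)
    content: str   # new clipboard text


def classify_address(text: str):
    """Return the address family of `text`, or None if it is not a wallet address."""
    text = text.strip()
    for kind, pat in ADDRESS_PATTERNS.items():
        if pat.match(text):
            return kind
    return None


def detect_clipper(events, window=2.0):
    """Flag a clipboard write that replaces a wallet address with a different
    address of the same family, written by a different process within `window`
    seconds of the original copy. Returns (kind, original, replacement, writer)."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        k_prev, k_cur = classify_address(prev.content), classify_address(cur.content)
        if k_prev is None or k_prev != k_cur:
            continue  # not an address-to-address swap of the same family
        if prev.content.strip() == cur.content.strip():
            continue  # same value re-copied: benign
        if cur.proc != prev.proc and 0 <= cur.ts - prev.ts <= window:
            alerts.append((k_cur, prev.content.strip(), cur.content.strip(), cur.proc))
    return alerts


# Constructed sample: the user copies an ETH address in the browser and, 300 ms
# later, an unrelated process rewrites the clipboard with a different address.
# The later BTC copy is repeated by the same process and must not alert.
SAMPLE_EVENTS = [
    ClipboardEvent(10.0, "chrome.exe", "0x" + "ab" * 20),
    ClipboardEvent(10.3, "svchost_fake.exe", "0x" + "cd" * 20),
    ClipboardEvent(25.0, "chrome.exe", "meeting notes"),
    ClipboardEvent(40.0, "chrome.exe", "bc1" + "q" * 39),
    ClipboardEvent(40.1, "chrome.exe", "bc1" + "q" * 39),
]

if __name__ == "__main__":
    for kind, orig, repl, proc in detect_clipper(SAMPLE_EVENTS):
        print(f"[{kind}] {proc} replaced {orig} with {repl}")
```

The process-mismatch check is what separates a clipper from a user pasting a second address: a legitimate copy comes from the foreground application the user is working in, while the swap is written by whatever process hosts the clipper. The window is a tuning knob; real clippers typically rewrite within milliseconds.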
Genesis Market, a major underground marketplace for stolen credentials, browser fingerprints, and cookies, was disrupted by a multinational law enforcement operation spanning 17 countries, leading to takedown notices and arrests or contacts with users. The pos…
Volexity analyzed a supply-chain compromise of the 3CX Desktop App in which a malicious ffmpeg library inserted into signed installers decoded encrypted blobs, fetched staged payloads, and reflectively loaded a 64-bit information-stealer dubbed ICONIC/ICONICST…
Fortinet FortiGuard Labs’ bi-weekly Ransomware Roundup highlights Dark Power and PayME100USD, outlining their file-encrypting behavior on Windows and the actor’s apparent data-leak threats, with Fortinet-provided protections and best practices. The report note…
ASEC reports a CHM-based APT technique where threat actors use Compiled HTML Help Files to execute malware via hh.exe, download a PowerShell script, and run it through mshta.exe. The operation culminates in persistence via the Run registry key and C2 communica…
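The chain above (hh.exe launching a script host, a script host fetching from a remote URL, then a Run-key write for persistence) maps onto three process- and registry-event rules. The following is an added hunting example, not ASEC's code or any tooling from the reported campaign: it assumes process-creation records with parent image, image and command line, and registry-set records with image, key and value (the record shape and all sample events are constructed here), and returns one finding per matched rule.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # parent image name (assumed telemetry field)
    image: str    # child image name
    cmdline: str  # full command line


@dataclass
class RegEvent:
    image: str    # process performing the write
    key: str      # registry key path
    value: str    # data written


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe",
                "cmd.exe", "wscript.exe", "cscript.exe"}
REMOTE_LOADERS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def hunt_chm_chain(proc_events, reg_events):
    """Return a list of findings for the three stages of the CHM execution chain:
    hh.exe spawning a script host, a script host given a remote URL, and a
    Run/RunOnce key write. Each matched rule yields one string."""
    findings = []
    for e in proc_events:
        parent, image = e.parent.lower(), e.image.lower()
        if parent == "hh.exe" and image in SCRIPT_HOSTS:
            findings.append(f"hh.exe spawned {image}: {e.cmdline}")
        if image in REMOTE_LOADERS and URL_RE.search(e.cmdline):
            findings.append(f"{image} launched with remote URL: {e.cmdline}")
    for r in reg_events:
        if RUN_KEY_RE.search(r.key):
            findings.append(f"{r.image} wrote Run key {r.key} = {r.value}")
    return findings


# Constructed sample telemetry. example.invalid is a reserved placeholder domain.
SAMPLE_PROCS = [
    ProcEvent("explorer.exe", "hh.exe", r"hh.exe C:\Users\u\Downloads\doc.chm"),
    ProcEvent("hh.exe", "mshta.exe", "mshta.exe http://example.invalid/s.hta"),
    ProcEvent("explorer.exe", "powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1"),   # benign admin script
]
SAMPLE_REGS = [
    RegEvent("explorer.exe",
             r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
             "Hidden"),                                         # benign UI setting
    RegEvent("mshta.exe",
             r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
             "mshta.exe http://example.invalid/s.hta"),
]

if __name__ == "__main__":
    for f in hunt_chm_chain(SAMPLE_PROCS, SAMPLE_REGS):
        print(f)
```

Each rule fires on its own, so a single hh.exe-to-mshta.exe launch with a URL produces two findings; correlating them by host and time window is what turns three low-confidence hits into one high-confidence CHM-chain alert. hh.exe itself is rarely a parent of anything but the help viewer, which is why that rule carries the most weight.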