AsyncRAT is explored through a widely used OneNote spearphishing campaign that delivers an HTA downloader to load a PowerShell-based loader and decrypts/loads AsyncRAT payloads. The post also details AsyncRAT’s capabilities, persistence, defense evasion, scrip…
Tag: EDR
Securonix Threat Research documented the STARK#VORTEX campaign that uses Ukrainian-themed .chm (Microsoft Help) lure files to execute obfuscated JavaScript and PowerShell which download and deploy MerlinAgent payloads. The chain establishes persistence via a r…
TACTICAL#OCTOPUS targets US entities with tax-themed phishing, delivering GuLoader/CloudEyE to drop additional payloads. The campaign uses heavily obfuscated VBScript and PowerShell, process hollowing, and multiple C2 channels (notably rebrand.ly) to evade det…
Microsoft’s guidance explains how CVE-2023-23397 enables a secret Net-NTLMv2 hash leak via Outlook reminders and outlines Forest Blizzard (STRONTIUM), a Russian state-sponsored group linked to GRU Unit 26165, as an actor exploiting this vulnerability to access…
Magecart campaigns are exploiting client-side obfuscation to load skimmers during checkout, using Hunter to conceal JavaScript code and inject malicious forms. The techniques culminate in encoded credit card data stored in a cookie and exfiltrated via POST, al…
MacStealer is a macOS stealer distributed via DMG that is controlled over Telegram, marking a new platform for stealer operations. It exfiltrates browser credentials, Keychain data, and files, sending stolen data via HTTP POST to a C2 and to Telegram channels/…
SentinelLabs and QGroup describe attacks in Q1 2023 against Middle East telecoms, linked to the Operation Soft Cell activity and likely conducted by a Chinese cyberespionage group in the Gallium/APT41 nexus. The operation centers on mim221, a maintained creden…
Cyber espionage threat actors continue to target technologies that do not support endpoint detection and response (EDR) solutions such as firewalls, IoT devices, hypervisors and VPN technologies (e.g. Fortinet, SonicWall, Pulse Secure, and others). Mandiant has investigated dozens of intrusions at defense industrial base (DIB), government, technology, and telecommunications organizations over…
A new Magecart skimmer family named Kritec has been discovered on Magento stores, appearing alongside a separate skimming campaign and sharing indicators of compromise with older campaigns. Kritec loads its malicious Java…
Trigona is a newly observed ransomware strain that security researchers first noted in Oct 2022 and that was highly active in Dec 2022, with at least 15 victims across multiple industries. The operation uses HTML Application ransom notes with embedded JavaScript con…
CrowdStrike observed eCrime adversaries shifting from macro-based delivery to OneNote attachments, embedding HTA, CMD, and JSE payloads to drop second-stage loaders. After Microsoft patched the MOTW vulnerability in ISO files (CVE-2022-41091) in November 2022,…
Bad Magic is a Russo-Ukrainian conflict–related APT campaign delivering a modular malware stack starting with a ZIP delivered via a phishing-like lure, then a malicious LNK that leads to an MSI dropper. The operation unfolds as PowerShell-based loaders and a P…
Lazarus’ FudModule subverts kernel protections by leveraging a vulnerable Dell driver to elevate to ring 0 and tamper with telemetry data streams to hide its activities. The article also outlines practical, detection-focused strategies such as monitoring ETW d…
Uptycs Threat Research Team uncovered HookSpoofer, a new C#-based infostealer spread via bundlers that includes keylogging and clipper capabilities and exfiltrates stolen data to a Telegram bot. It’s inspired by StormKitty and uses in-memory loading of a hidde…
CatB ransomware uses MSDTC DLL hijacking to drop and load its payload, then encrypts files while attempting to steal browser data and credentials. It employs sandbox evasion, DLL injection, and service abuse to survive analysis and deliver its ransom demands, …