In part one on North Korea’s UNC2970, we covered UNC2970’s tactics, techniques and procedures (TTPs) and tooling that they used over the course of multiple intrusions. In this installment, we will focus on how UNC2970 utilized Bring Your Own Vulnerable Device (BYOVD) to further enable their operations.
During our investigation, Mandiant consultants…
Since June 2022, Mandiant has been tracking a campaign targeting Western Media and Technology companies from a suspected North Korean espionage group tracked as UNC2970. In June 2022, Mandiant Managed Defense detected and responded to an UNC2970 phishing campaign targeting a U.S.-based technology company. During this operation, Mandiant observed UNC2970 leverage…
Securonix Threat Labs highlights five persistent ransomware IOCs used to inhibit system recovery: vssadmin (shadow copy deletion), WMI/wmic (shadow copy deletion), wbadmin (delete backups), bcdedit (disable recovery), and PowerShell (shadow copy deletion). The…
Volexity describes how the AVBurner tool (attributed to the SnakeCharmer/Earth Longzhi actor) disables EDR/AV by patching Windows kernel process-creation callback entries so security drivers appear loaded but are neutered. The post shows how to detect this tam…
Lumen Black Lotus Labs discovered the “Hiatus” campaign that compromises business-grade DrayTek Vigor routers to deploy HiatusRAT and a tcpdump variant, enabling remote access, SOCKS5 proxying, and packet capture. Lumen observed ~100 infected routers (primaril…
Two sentences summarizing the content. Trellix researchers document Qakbot’s evolution to OneNote-based malware distribution, showing how OneNote attachments deliver a loader DLL and the main Qakbot payload across multiple campaigns. The report also covers how…
Fortinet’s FortiGuard Labs’ Ransomware Roundup highlights two notable variants, Sirattacker and ALC, detailing their execution methods, ransom notes, and observed activity, including Bitcoin wallet interactions associated with the Sirattacker actor. The report…
Older malware can still pose a threat, as FortiGuard Labs documents a renewed MyDoom campaign that uses aged tools in new phishing lures and C2 techniques. The campaign deploys UPX-packed payloads, masquerades as legitimate Windows processes, and relies on rot…
Trend Micro’s Managed XDR team uncovered a spear-phishing campaign targeting hospitality staff that delivers RedLine Stealer via oversized multi-stage payloads. The operation uses Dropbox/Bitly links, a PowerShell-based loader chain, and WMI-based data exfiltr…
CYFIRMA analyzes EXFILTRATOR-22, a new post-exploitation framework marketed via Telegram and YouTube with anti-analysis capabilities and an affiliate model. The actors use domain fronting and CDN infrastructure to conceal C2 traffic and promote a subscription-…
FortiGuard Labs describes a new LockBit ransomware campaign that uses a multi-stage, defense-evasion approach to bypass AV/EDR, including .img containers, UAC bypass, and auto-login persistence. The campaign targets Spanish-speaking firms in Mexico and Spain, …
Securonix Threat Labs details multiple PowerShell methods attackers use to hide invoke-expression (IEX) execution, including string splitting, character substitution, variable extraction, wildcard “globfuscation”, reordering, DNS TXT retrieval, and XOR-encoded…
FortiGuard Labs’ ransomware roundup analyzes CatB, detailing its Windows-focused dropper, DLL sideloading, anti-analysis checks, and a high ransom demand. It also covers infection methods, payload behavior, and Fortinet protections and guidance. #CatB #FortiGu…
Brute Ratel, a Red Team framework, has been abused by attackers including APT29 to conduct cyber intrusions, with methods such as ISO-delivered LNK files used for DLL sideloading of version.dll. The article also details the framework’s technical underpinnings,…
ASEC analyzed RedEyes (ScarCruft/APT37) activity in Korea, revealing the group’s use of the Hangul EPS vulnerability CVE-2017-8291 to spread malware via steganography and a new M2RAT backdoor that employs shared memory for C2. The operation combines persistenc…