Morphisec identifies a highly evasive ProxyShellMiner campaign that leverages ProxyShell flaws to gain access to Windows Exchange servers and deploys a multi-stage coin-mining operation across an organization. The campaign uses domain-wide persistence, obfusca…
Tag: EDR
Huntress linked a February 2023 GoAnywhere MFT-related intrusion to a zero-day vulnerability and a Truebot-like post-exploitation activity, leading to a mitigation before a ransomware event could unfold. The effort highlighted how certutil and rundll32 were us…
Malicious Google Ads were used to promote AWS credential phishing pages, delivered through a multi-hop redirection chain that ends at a legitimate AWS login page. The operation includes a proxy Blogspot page, anti-analysis JavaScript, and Brazil-linked infrast…
ASEC reports Magniber distribution in Korea disguised as MSI Windows installers, using MOTW bypass and base64-encoded links to evade blocking. The campaign leverages MSI Custom Actions to execute a Magniber DLL, deletes volume shadow copies to hinder recovery,…
Fortinet's FortiGuard Labs highlights the Trigona ransomware in its bi-weekly Ransomware Roundup, detailing its double-extortion approach of encrypting endpoints and threatening to leak exfiltrated data. The report covers suspected infection vectors (emails, R…
IcedID has shifted from email-based delivery to drive-by infections delivered via Google Search Ads that target common enterprise applications. The TRU team explains how ads, cloaking, and a Cobalt Strike foothold are used to compromise endpoints and deliver I…
FortiGuard Labs tracked a campaign using malicious Excel VBA macros (OLE Compound File) to cryptojack Windows systems for Monero. The attackers deliver a .NET payload, load a miner via process hollowing, and maintain persistence through Task Scheduler while ex…
TrickGate is a transformative, shellcode-based packer-as-a-service used to conceal malware from security tools since 2016 and has wrapped a wide range of threats including Cerber, Trickbot, Maze, and Emotet. The packer's core building blocks: shellcode loader, …
TA444 is a North Korea-sponsored threat actor that has tested a wide range of infection methods in 2022 and remains financially motivated, with a strong shift toward cryptocurrency-related theft. The group blends traditional APT techniques with a startup-like …
Researchers from Uptycs detail a Titan Stealer campaign sold via a Telegram channel, featuring a configurable builder to tailor data theft. The malware targets browser credentials, crypto wallets, FTP client data, screenshots, system information, and other fil…
eSentire's TRU analyzes Raspberry Robin's multi-stage infection chain, starting with infected USB drives and fetching DLL payloads from compromised QNAP servers before delivering SocGholish and triggering C2 communications. Analysts foresee potential future us…
Mandiant tracks a suspected China-nexus operation that exploited Fortinet FortiOS SSL-VPN CVE-2022-42475 as a zero-day, deploying a backdoor named BOLDMOVE on Windows and Linux and targeting internet-facing devices. The campaign highlights how such devices ena…
FortiGuard Labs’ ransomware roundup analyzes CrySIS/Dharma variants and their ongoing evolution, highlighting how new versions continue to appear under different operators. It outlines infection vectors (exposed RDP and phishing), execution details (startup peā¦
Researchers report a NetSupport RAT campaign that uses a Pokemon-themed lure to trick targets into installing a trojanized NetSupport RAT client, granting attackers full control of the compromised device. The operation relies on ISO droppers masquerading as le…
Trend Micro details an active Earth Bogle campaign targeting the Middle East and North Africa that uses geopolitical-themed lures to distribute NjRAT (Bladabindi). Attackers host payloads on public cloud storage and compromised web servers, distributing them v…