TRU investigators at eSentire uncovered Gootloader using a new infection technique delivered via a compromised WordPress site, followed by a hands-on-keyboard phase with Cobalt Strike. The analysis tracks BloodHound usage, PsExec lateral movement, and PowerShe…
Tag: EDR
FortiGuard Labs’ Ransomware Roundup analyzes Monti, BlackHunt, and Putin ransomware, detailing distinct methods from Linux file encryption to RDP-driven intrusions and data-leak strategies. The piece also outlines Fortinet protections and defense recommendatio…
Trend Micro analyzes Gootkit loader’s infection routine targeting Australian healthcare, showing SEO poisoning for initial access and abuse of VLC Media Player for DLL sideloading and Cobalt Strike usage. The campaign features obfuscated JavaScript, fake WordP…
Cybereason’s Threat Analysis chronicles an IcedID (BokBot) campaign, detailing its use as a dropper and initial access tool, TTPs, and post-compromise activity across a Windows environment. The report notes a shift to ISO/LNK infection vectors, cross-group tec…
NeedleDropper is a multi-file dropper observed since October 2022 that uses a self-extracting archive to deliver and execute payloads, hiding activity with junk data and leveraging legitimate applications. It is sold as a service on hacking forums and has bloc…
The campaign targets Italy with phishing emails carrying a password-protected ZIP named “IT_Fattura_n99392.zip” to drop an infostealer payload. It uses a multi-stage chain (LNK and BAT files) and a PowerShell/MSHTA/Rundll32 sequence to download and execute com…
Threat actors misuse Google’s ad platform to push masquerAd sites that redirect users to phishing and malware pages, leveraging trusted ad traffic to gain credibility. Vermux leads mass campaigns targeting GPU users, distributing varying payloads via masquerAd…
The BlueNoroff group expanded its malware delivery methods to bypass Mark-of-the-Web (MOTW) protections by using ISO and VHD disk image formats, and began experimenting with Visual Basic Script, Windows Batch scripts, and a Windows executable. They also operated a…
Executive Summary
Mandiant identified an operation focused on the Ukrainian government via trojanized Windows 10 Operating System installers. These were distributed via torrent sites in a supply chain attack.
Threat activity tracked as UNC4166 likely trojanized and distributed malicious Windows operating system installers which drop malware that conducts reconnaissance and deploys additional capability…
Nokoyawa is a 64-bit Windows-based ransomware family that evolved from an earlier C version to a Rust-based 2.0, introducing a configurable command-line setup and faster encryption. The operation uses double extortion with a TOR-hosted ransom portal and data l…
CrowdStrike’s analysis reveals GuLoader’s new anti-analysis shellcode, VM-detection, and a redundant code-injection approach that helps ensure execution. The researchers also map all DJB2 hashes for GuLoader’s APIs, providing a complete view of its behavior to…
Attestation signing of drivers through the Windows Hardware Compatibility process is being abused to sign POORTRY and other malware samples with legitimate Microsoft certificates. The programName field in Authenticode data helps identify associated samples and…
SentinelOne observes threat actors abusing legitimately signed Microsoft drivers to intrude into telecom, BPO, MSSP, and financial services organizations. The activity centers on a two-component toolkit (STONESTOP and POORTRY) that terminates AV/EDR and can ev…
MuddyWater (aka Static Kitten, Mercury) is an Iran MOIS-linked cyber espionage group that has expanded its targeting with campaigns using spearphishing and legitimate remote administration tools. The latest campaign uses HTML attachments and hosted archives to…
Redline Stealer is a popular credential stealer distributed via fake software and advertising channels, featuring obfuscation, loader capabilities, and C2 over a non-standard channel. The threat actor uses an AutoIt wrapper, a configurable loader, and a robust…