Two Zscaler ThreatLabz reports reveal WarHawk, a new backdoor used by the SideWinder APT to target Pakistan, delivering Cobalt Strike via a multi-module loader that includes KernelCallBackTable injection and a Pakistan Standard Time check. The campaign leverag…
Tag: EDR
FortiGuard Labs’ Ransomware Roundup analyzes Royal ransomware, detailing its Windows-based encryption, command-line operation, shadow-copy deletion, and ransom workflow via Tor, along with Fortinet protection and defender guidance. It notes the potential for a…
Ransom Cartel emerged as a ransomware-as-a-service operation around late 2021, showing double-extortion techniques and notable overlaps with REvil, including possible ties to REvil’s code and infrastructure. The report analyzes Ransom Cartel’s TTPs, comparison…
Threat researchers reverse-engineered Brute Ratel C4 (BRC4) and its Badger agents, building a defender-focused analysis and an Atomic-C2 simulator to test detections. The study maps BRC4 behaviors to MITRE techniques, highlighting an ISO-based initial access c…
This fourth post in a four-part series examines the rarely used “helper” techniques wipers employ to augment data destruction, such as manipulating VSS, filling disk space, and altering boot configurations. It covers methods like shadow-copy deletion, space-fi…
Uptycs reports a new campaign where WSHRAT acts as a dropper for Agent Tesla through a multi-stage infection chain emphasizing evasion techniques like steganography and in-memory DLL loading. The campaign begins with phishing emails containing GZ and R00 archi…
Malware is increasingly distributed via ISO files, with multiple families adopting the method. Qakbot has shifted from Excel macros to ISO-based delivery, alongside AsyncRAT, IcedID, and BumbleBee. #Qakbot #ISOFiles
CISA’s Malware Analysis Report examines CovalentStealer, a data-exfiltration malware used against a Defense Industrial Base (DIB) organization by suspected APT actors, detailing its file-enumeration, targeting, and upload workflow. The malware leverages embedd…
Fortinet FortiGuard Labs analyzes phishing-driven malware campaigns in Q3 2022, highlighting the use of HTML Smuggling, Excel 4.0 macros, Word VBA macros, and ISO image delivery to drop Emotet, Qbot, and Icedid. The report details multiple delivery chains and …
Researchers analyzed a Go-based BlackByte variant and uncovered an advanced technique to bypass security products by abusing a legitimate but vulnerable driver (RTCore64.sys) to disable protection. The technique, a “Bring Your Own [Vulnerable] Driver” approach…
eSentire has observed a significant rise in SolarMarker infections delivered via drive-by download attacks that rely on social engineering to persuade users to execute malware disguised as document templates. SolarMarker is a modular information-stealing malwa…
As endpoint detection and response (EDR) solutions improve malware detection efficacy on Windows systems, certain state-sponsored threat actors have shifted to developing and deploying malware on systems that do not generally support EDR such as network appliances, SAN arrays, and VMware ESXi servers. Earlier this year, Mandiant identified a novel malware ecosystem…
Black Lotus Labs analyzed ~100 Go-based Chaos samples and found a cross‑platform, multi‑architecture botnet that persists, beacons to TLS C2s, steals or brute‑forces SSH credentials, exploits CVEs to propagate, and can run additional modules for DDoS and crypt…
Securonix Threat Labs uncovered a covert campaign targeting military contractors, leveraging sophisticated PowerShell-based stagers, multi-layer obfuscation, and robust C2 infrastructure. The attackers used spearphishing with a .lnk shortcut, extensive anti-an…
eSentire’s Threat Response Unit details a Redline Stealer campaign against a manufacturing customer, delivered via a malicious Mozilla Thunderbird setup hosted on a lookalike thunderbiird[.]com and distributed in an ISO. The attacker uses an obfuscated AutoIT …