Two sentences summarizing the article: ReversingLabs details a malicious npm package masquerading as Material Tailwind that installs via a postinstall script to download a password-protected ZIP containing a Windows executable. The campaign employs obfuscated …
Tag: EDR
Fortinet’s Ragnar Locker Ransomware Roundup explains that Ragnar Locker encrypts files, exfiltrates data, and uses double extortion to pressure victims, including negotiations via a Tor-based site and leaking stolen information on a “Wall of Shame.” It also no…
Publicly available Slam Ransomware Builder lowers the barrier to entry for cybercriminals by offering free tooling, while presenting credible threats to enterprises. The article details Slam’s features, capabilities, and indicators of compromise to help defend…
TA453, an Iran-aligned actor, expanded its social engineering with Multi-Persona Impersonation (MPI), using multiple actor-controlled personas within a single email thread to boost campaign credibility. The technique targets researchers and nuclear security do…
Monti ransomware gang emerged during a July 2022 incident, encrypting 21 servers after exploiting Log4Shell in a VMware Horizon setup and leveraging both traditional Conti-like TTPs and new tooling. The operation highlighted Monti’s mimicry of Conti, its use o…
Cisco Talos identifies a new Lazarus Group remote access trojan named MagicRAT, deployed after exploiting publicly exposed VMware Horizon platforms. The malware, linked to TigerRAT and Lazarus infrastructure, includes persistence, reconnaissance, and the hosti…
Joint FBI/CISA/MS-ISAC advisory details Vice Society’s ransomware operations, highlighting their methods, IOCs, and recommended mitigations for education-sector defenders. It notes that Vice Society uses variants such as Hello Kitty/Five Hands and Zeppelin and…
DangerousSavanna is a two-year campaign targeting financial institutions in French-speaking Africa, employing spear-phishing and a diverse set of infection chains to deploy PoshC2 and AsyncRAT. The operation features evolving lures, modular payloads, and exten…
BianLian emerged as a relatively new ransomware actor deploying Go-based malware and using LOL (Living off the Land) techniques to move laterally while evading EDR during encryption. They exploited initial access vectors like ProxyShell and SonicWall VPNs, rap…
IBM X-Force/MDR analysis connects Raspberry Robin infections with the Dridex malware and the Russia-based Evil Corp, revealing shared loader structures, anti-analysis techniques, and a workflow that leverages USB-based initial access. The report traces the inf…
Securonix Threat Labs uncovered a Golang-based GO#WEBBFUSCATOR campaign that leverages a James Webb image and obfuscated Go payloads to infect targets. The attack chain starts with a phishing Office attachment, downloads a malicious template, and uses DNS-base…
BlueSky ransomware is an emerging threat observed since mid-2022 that spreads through trojanized downloads and phishing emails, with rapid encryption and outbound lateral movement in Windows environments. It uses multi-stage PowerShell droppers, SMB-based prop…
Kimsuky’s GoldDragon cluster is a multi-stage operation targeting Korea-related entities, evolving rapidly with new infection chains and a layered C2 network. The campaign starts with spear-phishing and uses HTML Application (HTA), VBScript, and mshta to fetch…
DeathStalker’s VileRAT campaign targets foreign exchange and cryptocurrency venues with a multi-stage infection chain, involving spearphishing, DOTM remote templates, VBA macro stomping, VileDropper and VileLoader loaders, and a Python-based VileRAT. The repor…
Morphisec Labs details DoNot Team (APT-C-35) updates to their Windows framework (YTY/Jaca), including new modules, a shellcode loader, and an upgraded browser stealer, with a focus on modular delivery and evasion techniques. The post also highlights infection …