The article compiles a large set of file hash indicators tied to Zeppelin ransomware activity as described in CISA alert AA22-223A, published under the #StopRansomware campaign. It presents these indicators in a purely IOC-focused format without narrative d…
Tag: EDR
Unit 42 analyzes Tropical Scorpius (UNC2596) activity, detailing Cuba Ransomware's evolution with new tools like ROMCOM RAT, KerberCache, and a kernel driver to defeat defenses, plus its connection to the Industrial Spy marketplace. The report covers ransomwar…
Researchers analyze CrowdStrike's Adversary Quest 2022 CATAPULT SPIDER track, which centers on a Dogecoin-driven ransomware campaign leveraging CHM phishing, encoded PowerShell, and a Dogecoin-based C2. The storyline uncovers multi-stage payloads, a vulnerable…
LockBit operators have been observed abusing a legitimate security tool to load Cobalt Strike beacons, a living-off-the-land approach that evades defenses. The campaign pivots on using the Windows Defender command-line utility MpCmdRun.exe to sideload a weaponized DLL that decrypts and loads the beacon, following prior si…
BPFDoor is a Linux/Unix backdoor that attaches a Berkeley Packet Filter (BPF) to a raw socket so it can receive attacker "magic" packets over TCP, UDP or ICMP without listening on an open port, enabling stealthy remote access. The BPFDoor campaign is attributed to the Chinese threat actor Red Mens…
An in-depth analysis shows how the Follina vulnerability (CVE-2022-30190) is weaponized to achieve remote code execution via the Microsoft Support Diagnostic Tool (MSDT) and to enable persistent, living-off-the-land attacker activity using native Windows tools. The report details three…
Threat actors are leveraging DLL sideloading in legitimate Microsoft applications to deliver a Cobalt Strike Beacon. The dropped DLL is loaded from the application's own folder and communicates with a C2 URL hosted on CloudFront to enable beacon operations. #QakBot #Co…
Threat actors abuse DLL sideloading to run malicious code through legitimate Microsoft applications (Teams and OneDrive), dropping and loading a malicious DLL that communicates with a remote C2 and leverages Cobalt Strike Beacon for post-exploitation. The camp…
Gootloader is a Malware-as-a-Service (MaaS) offering spread through SEO poisoning to distribute payloads such as IcedID. Threat actors have begun using IcedID, a former banking trojan, since it's a stealthier option compared to Cobalt Strike…
TA4563 is a threat actor using the EvilNum backdoor to target European DeFi, cryptocurrency, and forex entities, with campaigns evolving in how they deliver the malware and evade defenses. EvilNum functions as a backdoor for data theft and loading additional p…
Fortinet's FortiGuard Labs documented a phishing campaign delivering a new QakBot variant via an attached HTML file whose embedded script drops a ZIP when the file is opened; the archive leads to a loader that ultimately runs QakBot inside a Windows process. The analysis details the infection chain fr…
Researchers document Cloaked Ursa (APT29) campaigns that weaponize trusted cloud storage services to hide malware delivery, notably Dropbox and Google Drive. The campaigns deploy EnvyScout HTML droppers to fetch Agenda.iso payloads and use Google Drive-based e…
Unit 42 analyzes Brute Ratel C4 (BRc4) activity tied to a Roshan_CV ISO, showing how a red-teaming tool can evade modern defenses and operate with nation-state-like tradecraft. The post covers the tool's packaging, delivery via a LNK lure, in-memory execution,…
BumbleBee is a new loader actively used to deliver payloads via phishing campaigns and to establish an initial foothold in target networks. The analysis highlights its living-off-the-land techniques, notably using a Microsoft-signed odbcconf.exe to indirectly …
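Several of the entries above (the LockBit MpCmdRun.exe abuse, the Teams/OneDrive DLL sideloading, and the BumbleBee odbcconf.exe proxy load) share one telemetry signature: a Microsoft-signed binary loads a DLL that Microsoft did not sign, often from the binary's own directory, and sometimes after the binary itself was copied out of its install path. The following is an added detection example written for this page; it is not code from any of the reports summarised here. It runs over constructed events shaped after Sysmon Event ID 7 (image load) fields; the field names, signer strings, install roots and sample paths are assumptions, and the host list is keyed to the binaries the summaries name.

```python
"""Flag DLL sideloading and proxy-loading through signed Microsoft binaries.

Added example, not code from the reports above. Events are constructed dicts
shaped after Sysmon Event ID 7 fields (Image, ImageLoaded, Signed, Signature);
the field names, install roots and sample paths are assumptions.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Signed Microsoft binaries the summaries describe as sideloading hosts
# (MpCmdRun.exe, Teams.exe, OneDrive.exe) or proxy loaders (odbcconf.exe).
WATCHED_HOSTS = {"mpcmdrun.exe", "odbcconf.exe", "teams.exe", "onedrive.exe"}

# Hosts that normally run from a system install path. Teams and OneDrive are
# per-user installs under %LOCALAPPDATA%, so an unusual path is no signal there.
SYSTEM_HOSTS = {"mpcmdrun.exe", "odbcconf.exe"}

# Assumed install roots for SYSTEM_HOSTS (lower-case, no trailing backslash).
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# Signer strings as Sysmon writes them into the Signature field (assumed set).
MICROSOFT_SIGNERS = {"Microsoft Corporation", "Microsoft Windows"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    dll: str


def _under_trusted_root(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root + "\\") for root in TRUSTED_ROOTS)


def _microsoft_signed(ev: dict) -> bool:
    # Sysmon reports Signed as the string "true"/"false".
    return ev.get("Signed", "").lower() == "true" and ev.get("Signature") in MICROSOFT_SIGNERS


def check_image_load(ev: dict) -> list[Finding]:
    """Return zero or more findings for one image-load event."""
    host = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    if host.name.lower() not in WATCHED_HOSTS:
        return []
    findings: list[Finding] = []
    if not _microsoft_signed(ev):
        # Rule 1: a watched Microsoft host loaded code Microsoft did not sign.
        findings.append(Finding("non_microsoft_dll_in_watched_host", str(host), str(dll)))
        # Rule 2: ...and the DLL sits beside the host binary, the classic
        # side-by-side sideload. PureWindowsPath compares case-insensitively.
        if dll.parent == host.parent:
            findings.append(Finding("sideload_from_host_dir", str(host), str(dll)))
    # Rule 3: a system LOLBin copied out of its install path (e.g. to %TEMP%).
    if host.name.lower() in SYSTEM_HOSTS and not _under_trusted_root(str(host)):
        findings.append(Finding("system_lolbin_relocated", str(host), str(dll)))
    return findings


def scan(events) -> list[Finding]:
    return [f for ev in events for f in check_image_load(ev)]


# Constructed sample events; paths and DLL names are illustrative only.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\MpCmdRun.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\mpclient.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\ffmpeg.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Windows\System32\odbcconf.exe",
     "ImageLoaded": r"C:\Windows\System32\odbc32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveTelemetryStable.dll",
     "Signed": "true", "Signature": "Microsoft Corporation"},
    {"Image": r"C:\Windows\System32\odbcconf.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\stage.dll",
     "Signed": "false", "Signature": ""},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:36} {f.host} -> {f.dll}")
```

Rule 1 alone will fire on legitimate third-party plugins, so in production it is the weakest of the three and is best used to raise the score of a Rule 2 or Rule 3 hit rather than to alert on its own; Rule 2 is the direct analogue of the Teams/OneDrive and MpCmdRun cases, and Rule 3 catches the LOLBin being staged in a user-writable directory before any DLL is loaded.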
eSentire's TRU team uncovered SocGholish, a drive-by social engineering threat that delivers a fake software update, leading to quick Cobalt Strike deployment and persistence. The case highlights how drive-by infections can escalate to hands-on-keyboard intrus…