Talos observed a month-long AvosLocker campaign leveraging Sliver, Cobalt Strike, and network scanners to move laterally after exploiting Log4Shell on exposed VMware Horizon UAG appliances. The incident underscores the importance of properly configured securit…
On 2022-06-16, researchers observed a malspam wave delivering Matanbuchus via a ZIP that contains an HTML page which decodes and downloads payloads, ultimately triggering Cobalt Strike beacons. The operation uses a signed MSI, base64-encoded payloads, and HTTP…
Volexity details a targeted Sophos Firewall breach that leveraged a zero-day remote code execution vulnerability (CVE-2022-1040) to install a webshell, establish persistence, and conduct MITM activity that extended to external systems such as CMS websites. Sop…
Follina (CVE-2022-30190) is a remote code execution vulnerability in Microsoft Office that can be exploited without macros by loading an external reference which ultimately invokes the MSDT tool to run PowerShell. The article outlines the attack flow, the tech…
Symbiote is a highly evasive Linux threat that infects running processes by loading as a shared object via LD_PRELOAD to gain rootkit capabilities and remote access. Researchers describe its stealthy behavior—hiding itself and other malware, evading live foren…
Bumblebee is a sophisticated loader that replaces BazarLoader and delivers frameworks like Cobalt Strike, Shellcode, Sliver, and Meterpreter, while also dropping other malware such as ransomware. It is distributed via spear-phishing ISO downloads, employs exte…
Fortinet’s FortiGuard Labs documented a phishing campaign that delivers three fileless malware strains to Windows hosts, enabling attacker control and data theft via a C2 channel. The payloads AveMariaRAT, PandorahVNC RAT, and BitRat steal credentials, capture screens…
Fortinet FortiGuard Labs analyzed a phishing email spoofing a Saudi Arabian oil company that lures a Ukrainian coffee company into downloading a GuLoader ISO via OneDrive. The static analysis shows the ISO contains a GuLoader NSIS installer with decoys and obf…
Space Pirates is an Asia-rooted advanced threat group whose activities span several backdoors and loaders, targeting government and aerospace/energy sectors in Russia, Georgia, and Mongolia. The report ties Space Pirates to multiple other APTs and tooling exch…
Threat actors lure Germans with updates about the Ukraine crisis via a decoy Baden-Württemberg site, delivering a PowerShell-based RAT that can steal data and execute commands. The operation uses AMSI bypass, creates a persistent scheduled task, and exfiltrate…
KurayStealer is a Python-based malware builder that harvests passwords and screenshots and exfiltrates them to Discord via webhooks. The tool is offered in free and VIP versions, with OSINT linking the author to Spain and a presence on YouTube and Discord. #Ku…
Secureworks CTU researchers analyzed COBALT MIRAGE’s ransomware operations in the United States, spotting two intrusion clusters: Cluster A uses BitLocker/DiskCryptor for opportunistic ransomware, while Cluster B pursues targeted intrusions with some ransomwar…
Fortinet FortiGuard Labs analyzes a phishing-driven Remcos RAT campaign that delivers a malicious Excel macro to Windows users, initiating a multi-stage VBS/PowerShell payload chain. The malware uses a decrypted configuration block, process hollowing into RegA…
CaddyWiper is a Windows wiper that destroys data and wipes drives on Ukrainian infrastructure. It is delivered via Group Policy after compromising Active Directory, and follows WhisperGate, HermeticWiper, and IsaacWiper as the fourth observed in the same perio…
Morphisec Labs detects a new Remcos Trojan infection chain delivered through financial-themed phishing emails that lure users to open a malicious Excel file. The multi-stage attack uses VBScript and PowerShell to fetch further payloads from a C2, employs persi…