Google Threat Intelligence Group (GTIG) details a three-year espionage campaign by PRC‑nexus actor APT24 that deploys a highly obfuscated first‑stage downloader called BADAUDIO to establish persistent access via strategic web compromises, supply‑chain abuse of a Taiwanese digital marketing firm, and targeted phishing. The report analyzes BADAUDIO’s control‑flow flattening, DLL sideloading, AES‑encrypted payload delivery (including Cobalt Strike Beacon instances), advanced browser fingerprinting for tailored targeting, and shares IOCs and YARA rules to aid detection and mitigation. #APT24 #BADAUDIO
Tag: EDR
This article details how Huntress analysts investigated a Qilin ransomware incident using limited post-attack data sources, emphasizing the importance of correlating multiple clues to understand the attack. It highlights the challenges of delayed agent deployment and the value of cross-referencing logs, threat intelligence, and endpoint artifacts. #QilinRansomware #HuntressLabs
APT31, a China-linked cyber espionage group, has targeted Russian IT companies using cloud services and stealthy techniques from 2024 to 2025. Their operations involve sophisticated toolsets, social media command channels, and data exfiltration, posing serious threats to government, financial, and tech sectors. #APT31 #CloudServices…
The leaked October 2025 APT35 corpus documents a quota-driven, bureaucratic IRGC cyber-intelligence apparatus that weaponized Exchange (ProxyShell, Autodiscover, EWS) and Ivanti vulnerabilities, ran HERV-style phishing seeded from harvested Global Address Lists, and maintained persistent mailbox monitoring backed by centralized KPI reporting and on-premises operator attendance logs. #APT35 #ProxyShell
Splunk Threat Research Team analyzed a new .NET steganographic loader variant that decrypts and loads a container module at runtime to hide two image-embedded stagers, one of which yielded a Lokibot payload. The report details the loader’s steganography, extraction attempts with PixDig, Lokibot capabilities (credential theft, injection, scheduled task persistence, downloading additional payloads) and mapped MITRE techniques to support detection development. #Lokibot #QuasarRAT
Huntress observed threat actors exploit a recently patched WSUS RCE vulnerability (CVE-2025-59287) to gain initial access and then install Velociraptor to establish command-and-control on the endpoint. The actors retrieved a malicious MSI from s3.wasabisys[.]com and configured Velociraptor to communicate with update[.]githubtestbak[.]workers[.]dev. #CVE-2025-59287 #Velociraptor
NotDoor is an Outlook VBA macro backdoor tied to APT28 that uses OneDrive DLL sideloading, encoded PowerShell, and registry modifications to persist, monitor incoming emails for C2 triggers, exfiltrate data, and execute commands. The Splunk Threat Research Team provides detection guidance and Splunk analytic content for identifying indicators like SSPICLI.dll and VbaProject.OTM manipulation. #NotDoor #APT28
K7 Labs uncovered a Water-Saci campaign targeting Brazil that spreads a banking trojan and SorvePotel-related components by abusing WhatsApp Web via a Python/Selenium-based automation script and in-memory payload delivery. The attack chain begins with a phishing ZIP containing an obfuscated VBS that downloads an MSI and VBS to install Python, ChromeDriver, and a whats.py script that harvests contacts, sends in-memory payloads through WhatsApp Web, and reports results to PHP C2s. #SorvePotel #Water-Saci
ToddyCat APT expanded and refined tools to extract browser credentials, DPAPI keys, Outlook OST files, and Microsoft 365 access tokens from compromised environments, using SMB-based collection, a PowerShell TomBerBil variant, a sector-copying tool (TCSectorCopy/xCopy), SharpTokenFinder/ProcDump memory dumps, and XstReader-based extraction. #TomBerBil #TCSectorCopy
A China-linked threat actor known as APT24 has been using sophisticated malware called BADAUDIO to maintain persistent access to compromised networks through a campaign spanning nearly three years. The campaign includes supply chain attacks, web compromises, and spear-phishing, primarily targeting organizations in Taiwan and Southeast Asia. #APT24 #BADAUDIO…
Predictive threat intelligence uses AI and behavioral analytics to anticipate attacks before they occur, shifting from reactive to proactive defense. It contrasts with traditional threat intelligence by focusing on Indicators of Attack (IOAs) rather than Indicators of Compromise (IOCs), enabling earlier detection and action. #IOAs #MITRE ATTACK #SentinelOne #Mandiant #ATT&CK…
The Gentlemen emerged around July 2025 as an advanced Ransomware-as-a-Service group using dual‑extortion to encrypt and exfiltrate data, publishing dozens of victims on a darknet leak site within months. Their cross‑platform lockers (Windows/Linux/ESXi), modular features (self‑restart, run‑on‑boot, WMI/PowerShell propagation), and affiliate support make them a rapidly evolving threat. #TheGentlemen #XChaCha20
Google Threat Intelligence Group (GTIG) reports that PRC‑nexus threat actor APT24 has run a three‑year espionage campaign delivering a heavily obfuscated first‑stage downloader named BADAUDIO—often using strategic web compromises, supply‑chain compromise of a Taiwanese marketing firm, and targeted phishing to deploy AES‑encrypted payloads such as Cobalt Strike Beacon. The report details BADAUDIO’s control‑flow flattening, DLL sideloading execution chain, fingerprinting‑based targeting, extensive infrastructure churn, and provides IOCs and YARA rules for detection. #BADAUDIO #APT24 #CobaltStrikeBeacon #twisinbeth.com
The article explains Windows’ SEH and VEH mechanisms, focusing on x64 implementations and how exception tables, unwind info, and the Windows NT layer orchestrate exception dispatch and stack unwinding. It also contrasts SEH with VEH and demonstrates how these mechanisms complicate reverse engineering and tracing control…
The article shows how privileged attackers can manipulate the Linux /proc filesystem to spoof process identities by substituting /proc//cmdline and distort timelines by editing /proc//stat starttime. It demonstrates a practical workflow using bind mounts and e……