SentinelLABS released the open-source sentinelone-validin Synapse power-up to combine Validin DNS, HTTP crawler, TLS certificate, and WHOIS data for time-aware, cross-source infrastructure analysis. Case studies on LaundryBear (Void Blizzard) and FreeDrain show how HTTP body/favicons/certificate pivots and WHOIS enrichment expand small indicator sets into broad campaign infrastructure. #LaundryBear #FreeDrain
Tag: EDR
Akira ransomware has caused significant financial loss, with over $244 million in proceeds since late September 2025, and has demonstrated advanced tactics including data exfiltration in just over two hours. The ransomware exploits vulnerabilities in SonicWall, Veeam, and SSH, using various methods such as tunneling tools and remote access to breach…
Cybersecurity researchers have uncovered malware campaigns using ClickFix social engineering tactics to deploy Amatera Stealer and NetSupport RAT, tracked under the name EVALUSION. These campaigns involve sophisticated evasion techniques and targeted phishing methods to steal sensitive data and remote control systems. #Amatera #ClickFix #EVALUSION #NetSupport…
The Dragon Breath threat actor uses sophisticated multi-stage loaders and Trojanized installers to deliver Gh0st RAT targeting Chinese-speaking users. Their campaigns evolve by employing complex infection chains and legitimate software to evade security defenses. #DragonBreath #Gh0stRAT #APTQ27 #MiuutiGroup…
This article discusses how MDR providers must evolve with AI and distributed architectures to stay relevant in cybersecurity. It highlights the shift towards a control plane approach, integrating detection and response within customer environments, and the growing role of AI SOC platforms. #MDRScaling #AIInSecurity
This investigation uncovered Curly COMrades’ novel use of Hyper-V on compromised Windows 10 hosts to run a hidden Alpine Linux VM that housed custom implants CurlyShell and CurlCat, enabling covert, persistent remote access and proxying. Collaborative forensic work with the Georgian CERT revealed deployment commands, PowerShell ticket-injection and persistence scripts, and C2 infrastructure details including SSH-over-HTTP tunneling via a compromised site. #CurlyShell #CurlCat
Five individuals have pleaded guilty to aiding North Korea’s IT worker fraud schemes, which involved hacking, identity theft, and fraudulent employment across the U.S. These schemes have generated over $2.2 million for North Korea and impacted more than 136 U.S. companies. #NorthKorea #APT38 #Cybercriminals…
The Justice Department uncovered a North Korean scam involving IT workers, identity theft, and cryptocurrency thefts, seizing over $15 million. This operation impacted numerous U.S. companies and involved multiple U.S. nationals aiding North Korean hackers. #NorthKorea #APT38 #CryptocurrencyTheft…
Two interconnected 2025 campaigns used large-scale brand impersonation to deliver Gh0st RAT variants to Chinese-speaking users, evolving from simple droppers to multi-stage chains that misuse signed software and cloud-hosted payloads for evasion. The campaigns registered thousands of disposable domains, hosted payloads on specific IPs and cloud buckets, and employed DLL side-loading…
A coalition of civil society groups and trade unions is protesting the European Commission’s proposed changes to key digital laws, including GDPR and the EU AI Act, which threaten data privacy and protection standards. The proposed amendments aim to streamline regulations but are criticized for weakening protections, increasing data processing, and…
The Cybersecurity and Infrastructure Security Agency (CISA) and partners released an updated advisory on Akira ransomware, highlighting new tactics, techniques, and indicators of compromise. The threat actors continue to target various sectors, exploiting vulnerabilities in edge devices, backup servers, and using advanced evasion and lateral movement strategies. #AkiraRansomware #Storm1567 #VulnerabilityExploitation…
The Akira ransomware group has amassed over $244 million through its cyberattacks, targeting critical infrastructure and business systems worldwide. They utilize sophisticated methods, including vulnerability exploitation and credential theft, to gain access and deploy ransomware on vulnerable systems. #AkiraRansomware #CVE202440766…
Elastic Security Labs uncovered a Chinese-language targeted campaign by Dragon Breath APT (APT-Q-27) distributing a modified gh0st RAT via trojanized NSIS installers and a unique loader dubbed RONINGLOADER. The multi-stage chain uses a signed kernel driver, WDAC policy tampering, PPL abuse of ClipUp to disable Microsoft Defender, and thread-pool based remote injection to terminate and bypass popular Chinese endpoint products. #DragonBreath #RONINGLOADER
Researchers observed AI-integrated malware families that query large language models at runtime to generate code, obfuscate payloads, and adapt behavior, with notable families including PROMPTFLUX, PROMPTSTEAL, PROMPTLOCK, FRUITSHELL, and QUIETVAULT. These tools were used for persistence, reconnaissance, data exfiltration, and cross-platform encryption, with APT28 (LAMEHUG) deploying PROMPTSTEAL against Ukrainian targets. #PROMPTFLUX #PROMPTSTEAL
eSentire’s TRU discovered campaigns using ClickFix for initial access to deploy Amatera Stealer (a rebranded ACR/AcridRain) and NetSupport RAT, with Amatera leveraging advanced evasion (WoW64 syscalls, AMSI bypass) and extensive crypto-wallet/password manager theft capabilities. eSentire published decryption helpers and detection guidance, and recommends mitigations including disabling mshta.exe, removing the Run prompt, PSAT, and partnering with 24/7 MDR services. #Amatera #NetSupport