The article explains how red teamers perform full post-exploitation operations by “living off the land” — abusing built-in Windows utilities (PowerShell, WMI, certutil, regsvr32, mshta, MSBuild, netsh, etc.) for reconnaissance, credential harvesting, lateral movement, persistence, and exfiltration without uploading custom binaries. It also stresses that by 2025 many classic LOLBin techniques…
Tag: INITIAL ACCESS
Predator is a modular, stealthy mercenary spyware developed by Cytrox and distributed via an Intellexa-linked corporate web, enabling full access to microphones, cameras, and all device data on Android and iPhone devices. The report maps Intellexa’s fragmented corporate infrastructure, documents delivery methods including “1-click” and ad-based (“Aladdin”) vectors, and details observed deployments across multiple countries alongside mitigations and ongoing investigations. #Predator #Intellexa
Marquis Software Solutions experienced a ransomware attack that compromised the personal data of over 400,000 customers across multiple US banks and credit unions. The breach exploited vulnerabilities in SonicWall firewalls and involved the Akira ransomware gang, highlighting the importance of robust cybersecurity measures. #SonicWall #AkiraRansomware
SeedSnatcher (distributed as the “Coin” APK com.pureabuladon.auxes/Coin.apk) is an Android crypto-mnemonic stealer that uses WebView overlays, dynamic class loading, integer-based WebSocket C2 commands, and broad permission abuse to harvest seed phrases, SMS, call logs, contacts, screenshots, and other device data. The campaign is distributed via affiliate links on social platforms (notably Telegram), tracks installs with agent identifiers, and communicates with C2 apivbe685jf829jf[.]a2decxd8syw7k[.]top to exfiltrate stolen assets and control infected devices. #SeedSnatcher #TrustWallet
Huntress investigated three incidents between September and November where threat actors leveraged SharePoint ToolShell and other vulnerabilities to install Velociraptor and establish tunneled C2 using legitimate tools like Visual Studio Code and Cloudflare. One incident culminated in a Warlock ransomware compromise and showed overlapping IOCs (for example royal-boat-bf05.qgtxtebl.workers[.]dev) and technique reuse that links some activity to Storm-2603. #Velociraptor #Warlock
Cyble Research & Intelligence Labs (CRIL) uncovered an active Linux campaign delivering a Mirai-derived V3G4 botnet that performs raw-socket SSH scanning, C2 DNS resolution, and process masquerading before deploying a runtime-configured XMRig Monero miner. The campaign uses an architecture-aware downloader, tmpfs staging, UPX-packed binaries, and fileless miner configuration fetched from C2 to maximize stealth and evasion. #V3G4 #XMRig
Matanbuchus is a C++ malicious downloader/backdoor offered as MaaS since 2020 that downloads and executes second-stage payloads and supports hands-on-keyboard activity, often observed in ransomware-linked operations. Version 3.0 introduced Protobuf-based serialized network communication and extensive ChaCha20-based encryption and obfuscation methods. #Matanbuchus #Rhadamanthys
SEQRITE researchers uncovered a targeted campaign against Russian corporate HR and payroll teams using spear-phishing ZIPs with a malicious LNK that downloads a C++ implant named DUPERUNNER which injects and executes an AdaptixC2 beacon. The operation leverages a remote host at 46[.]149[.]71[.]230 to stage multiple files and host C2 services, producing observable artifacts including SHA-256 hashes, filenames, and ASN hosting details. #DUPERUNNER #AdaptixC2
ESET reports that MuddyWater (TA450) conducted a focused cyberespionage campaign primarily against organizations in Israel and one confirmed target in Egypt using new custom tools including the Fooder loader and the MuddyViper backdoor to improve evasion and persistence. The campaign also deployed credential stealers (CE-Notes, LP-Notes), browser stealers (Blub), go-socks5 reverse tunnels, and adopted the CNG API for encryption to exfiltrate credentials and browser data. #MuddyWater #MuddyViper
Cybercrime has shifted to a subscription-based model, offering scalable and versatile hacking services like phishing-as-a-service, social engineering bots, and advanced malware rentals. This evolution makes cyberattacks more accessible to inexperienced criminals, raising the need for proactive cybersecurity measures. #SpamGPT #Varonis #AtroposiaRAT
Threat actors exploited the high volume of legitimate Black Friday marketing to run convincing phishing campaigns impersonating retailers like Amazon and Louis Vuitton, using newly registered domains, redirects, and cloud-hosted links to harvest credentials or deliver payloads. Darktrace / EMAIL detected and blocked multiple such campaigns in November 2025 by identifying anomalous senders, short-lived domains, and hidden malicious links. #Amazon #Darktrace
TAG-150 is a growing Malware-as-a-Service operator active since March 2025 that uses two custom families, CastleLoader (a loader) and CastleRAT (a RAT), to run large-scale, modular, multi-stage campaigns primarily targeting the United States. Darktrace observed and contained an early-stage CastleLoader infection that connected to C2 infrastructure at 173.44.141[.]89 by using Autonomous Response to block external connections and enforce a group pattern of life. #TAG-150 #CastleLoader
DragonForce-linked RaaS activity in a manufacturing case began with internal network scanning and brute-force attempts against administrator accounts, progressed through privileged Kerberos and SMB usage, and included SSH data exfiltration to 45.135.232[.]229 (ASN AS198953 Proton66 OOO) before culminating in SMB-based file encryption with a .df_win extension and a ‘readme.txt’ ransom note. Darktrace observed OpenVAS user-agent strings, suspicious Windows Registry changes affecting WMI and scheduled tasks, and NetScan-associated ‘delete.me’ files, but the absence of Autonomous Response allowed the intrusion to advance. #DragonForce #Proton66
The 2025 Cyber Threat Intelligence Report provides a detailed analysis of global malicious infrastructure, highlighting increased use of Sliver and Brute Ratel frameworks and ongoing dominance of Cobalt Strike. It also covers significant trends in information stealers and ransomware ecosystems, emphasizing evolving adversary tactics and geographic hosting distributions. #CobaltStrike #Sliver #BruteRatel #LummaStealer #RedlineStealer #FogRansomware
North Korean threat actors are actively expanding their malicious operations within the npm ecosystem to distribute OtterCookie malware, targeting developers in the crypto and Web3 sectors. The campaign employs fake job offers, typosquatted packages, and a sophisticated infrastructure involving GitHub, Vercel, and C2 servers. #OtterCookie #ContagiousInterview…