ESET linked a campaign to the Tick APT group targeting an East Asian data-loss prevention (DLP) software developer, where attackers trojanized installers and compromised update servers to spread malware to the company’s customers. The operation involved Shadow…
Tag: INITIAL ACCESS
Lumen Black Lotus Labs discovered the “Hiatus” campaign that compromises business-grade DrayTek Vigor routers to deploy HiatusRAT and a tcpdump variant, enabling remote access, SOCKS5 proxying, and packet capture. Lumen observed ~100 infected routers (primaril…
IceFire re-emerges with a Linux variant that targeted enterprise networks, expanding beyond its previous Windows focus. It exploits a deserialization vulnerability in IBM Aspera Faspex (CVE-2022-47986) to drop and execute a Linux payload that encrypts files an…
Fortinet FortiGuard Labs tracked the 8220 Gang’s use of ScrubCrypt to obfuscate and encrypt payloads and deliver a Monero-mining operation via a WebLogic vulnerability. The operation combines PowerShell-based loading, in-memory execution, registry-based persis…
Trellix researchers document Qakbot’s evolution to OneNote-based malware distribution, showing how OneNote attachments deliver a loader DLL and the main Qakbot payload across multiple campaigns. The report also covers how…
GlobeImposter ransomware is being distributed by MedusaLocker actors, with evidence suggesting the RDP vector facilitates initial access. The operation deploys Mimikatz and port scanners among other tools to map networks, exfiltrate credentials, and extend the…
Check Point Research traces the evolution of Sharp Panda tools into a newer Soul malware framework used against Southeast Asian government entities, culminating in late-2022 activity that loaded the Soul modular backdoor. The report links these campaigns to a …
Trellix researchers warn that job-themed phishing and malware campaigns surge in economic downturns, targeting job seekers and employers with fake resumes, fake documents, and malicious links. The campaigns leverage typosquatted domains and well…
Sysdig’s Threat Research Team uncovered SCARLETEEL, a sophisticated cloud-attack operation that started in a Kubernetes pod and escalated into AWS to steal proprietary software and credentials. The operation leveraged Terraform state and AWS services to move l…
MQsTTang is a new Mustang Panda backdoor that uses MQTT for C2 and operates as a single-stage, minimally obfuscated tool. The campaign targets government and diplomatic entities, employs spearphishing distribution with decoy filenames, and includes anti-analys…
Microsoft OneNote is becoming a growing vector for malware delivery, as threat actors embed malicious payloads in OneNote documents distributed via phishing emails and other deceptive tactics. Across multiple case studies, attackers use obfuscation and scripti…
Microsoft OneNote is increasingly used as a carrier to deliver malware via phishing attachments, exploiting benign file formats to bypass defenses. The piece traces its evolution, highlights sample campaigns and loader stages, and outlines layered defenses org…
Blind Eagle (APT-C-36) targeted Colombia and nearby Latin American entities with spear-phishing PDFs impersonating the DIAN tax authority to deploy a multi-stage infection chain, culminating in AsyncRAT payloads hosted via Discord. The campaign uses in-memory …
TA569 operates a prolific injection-based operation delivering SocGholish and other payloads, functioning as an initial access broker and potentially a pay-per-install service. The campaigns rely on diverse injections, Traffic Distribution Services, and reinfe…
A hitherto unknown attack group named Clasiopa was observed targeting a materials research organization in Asia, wielding a distinct toolset that includes a custom backdoor (Atharvan). The operation exhibits multiple defense-evading and data-exfiltrating techn…