Bitdefender Labs observed a global wave of opportunistic attacks exploiting CVE-2022-47966 in ManageEngine products, with 2,000–4,000 internet-facing servers potentially vulnerable. The advisory documents four attack clusters (Initial Access Brokers, Buhti Ran…
Tag: INITIAL ACCESS
HardBit 2.0 is a ransomware variant observed from late 2022 that encrypts data after stealing sensitive information, negotiating the ransom rather than demanding a fixed bitcoin amount. It combines data theft, encryption, and multiple defense-evading and persistence …
Qakbot (QBot) is spread through multiple OneNote- and script-based channels, including OneNote attachments, WSF/JS/JSE/HTA paths, and HTML applications, each delivering a DLL payload that is executed via Rundll32 and often injected into processes. The campaign…
ASEC reports that the RedEyes group (ScarCruft/APT37) targeted individuals in Korea by exploiting the CVE-2017-8291 HWP EPS vulnerability and delivering malware via steganography. They reveal a new backdoor, M2RAT (Map2RAT), that uses a shared memory channel a…
DarkCloud Stealer is a multi-stage information-stealer that can exfiltrate data via SMTP, Telegram, Web Panel, and FTP, and is distributed through spam campaigns with a customizable builder for grabber and clipper features. Researchers observed a rise in DarkC…
Two office-document threat vectors are described: attackers are moving from VBA macros to malicious Microsoft Office Add-ins, specifically XLLs, to deliver payloads. The article details a Raccoon Stealer V2 campaign that uses obfuscated .NET installers loaded …
Hydrochasma targets medical laboratories and shipping organizations in Asia in an intelligence-gathering campaign that relies on publicly available tools and living-off-the-land techniques. The operation, active since October 2022, appears focused on informati…
Security researchers report that the BlackCat ransomware group briefly claimed an attack on a major U.S. electronic health record (EHR) vendor, but the entry disappeared within days. STRIKE analysis links possible BlackCat activity to its ExMatter/Fendr exfilt…
EclecticIQ analyzes three cases of cyberattacks likely linked to the Gamaredon APT group, targeting the Security Service of Ukraine, Culver Aviation, and Latvian/NATO allies with phishing, HTML smuggling, and CVE-2017-0199 Word exploits. The report notes overl…
Earth Yako is an intrusion set linked to Operation RestyLink/EneLink, with newly observed TTPs and infrastructure for cyberespionage against Japanese researchers and think tanks (also some Taiwan targets). The campaign features multiple malware families (Mirro…
ASEC analyzed RedEyes (ScarCruft/APT37) activity in Korea, revealing the group’s use of the Hangul EPS vulnerability CVE-2017-8291 to spread malware via steganography and a new M2RAT backdoor that employs shared memory for C2. The operation combines persistenc…
The ESXiArgs ransomware campaign exploited CVE-2021-21974 via the OpenSLP service to remotely execute code on exposed ESXi servers. VMware patched the vulnerability in early 2021, while Trellix details how attackers probe the internet for unpatched systems, en…
Morphisec identifies a highly evasive ProxyShellMiner campaign that leverages ProxyShell flaws to gain access to Windows Exchange servers and deploys a multi-stage coin-mining operation across an organization. The campaign uses domain-wide persistence, obfusca…
Bitdefender researchers describe opportunistic threat actors abusing CVE-2021-21974 to target VMware ESXi, leveraging OpenSLP (port 427) for pre-auth remote code execution and deploying ESXiArgs ransomware against VM files. The advisory covers attack patterns,…
Huntress linked a February 2023 GoAnywhere MFT-related intrusion to a zero-day vulnerability and Truebot-like post-exploitation activity, leading to a mitigation before a ransomware event could unfold. The effort highlighted how certutil and rundll32 were us…