Dalbit (Moonlight) is a threat group tracked by AhnLab’s ASEC, which has conducted 50+ attacks against Korean companies since 2022 using open-source tools, WebShells, and proxy-based C2 infrastructure through *.m00nlight.top. The operation progresses from init…
Tag: INITIAL ACCESS
The advisory outlines ongoing DPRK state-sponsored ransomware activity targeting Healthcare and Public Health Sector organizations and other critical infrastructure, detailing TTPs, IOCs, and cryptocurrency ransom payments. It also describes how actors acquire…
HTML smuggling is a rising method used by criminals to deliver malware via HTML attachments and archives masquerading as legitimate brands. The Trustwave SpiderLabs piece catalogs campaigns by Qakbot, IcedID, Cobalt Strike, and Xworm that abuse HTML smuggling …
NewsPenguin, a previously unknown threat actor, targeted organizations in Pakistan using spear-phishing tied to the Pakistan International Maritime Expo & Conference (PIMEC-2023) and delivered a multi-stage payload. The final espionage tool is XOR-encrypted wi…
ESXiArgs is a ransomware variant that targeted exposed ESXi hypervisors by exploiting CVE-2021-21974 via OpenSLP to deploy a Python-based backdoor and a web shell. The campaign encrypts virtual machine data using RSA and Sosemanuk, overwrites ransom notes on t…
Proofpoint tracks a new financially motivated threat actor cluster, TA866, linked to the Screentime activity that uses custom tools WasabiSeed and Screenshotter to gather victim information via screenshots before deploying additional payloads. The operation le…
IceBreaker APT is a newly tracked threat targeting the gambling/gaming sector in the run-up to ICE London, employing social-engineering to lure a customer-service agent and delivering a two-stage payload chain. Researchers describe a modular Node.js-based back…
An August 2022 incident began with a malicious Word document carrying a VBA macro that installed a PowerShell-based implant, established persistence via scheduled tasks, and used a renamed AutoHotkey-based keylogger to …
Fortinet’s FortiGuard Labs highlights the Trigona ransomware in its bi-weekly Ransomware Roundup, detailing its double-extortion approach of encrypting endpoints and threatening to leak exfiltrated data. The report covers suspected infection vectors (emails, R…
HeadCrab is a novel, memory-resident Redis malware that has quietly compromised Redis servers worldwide since 2021, forming a botnet of at least 1,200 servers. It loads a custom Redis module via SLAVEOF/master replication, operates entirely in memory to evade …
Proofpoint researchers report a rising trend of malware delivery via OneNote attachments in email campaigns from December 2022 to January 2023, spanning multiple threat actors and broad targets. End users must interact with embedded OneNote content to execute …
Rapid7 observed attackers using Microsoft OneNote to deliver base64-encoded payloads that decrypt to Redline Infostealer or AsyncRat, via a multi-stage chain starting with a phishing OneNote attachment. The analysis details how a hidden batch script launches a…
VectorStealer is an information-stealer capable of harvesting data from browsers, chat apps, and .rdp session files, enabling threat actors to perform RDP hijacking and remote access. It is sold via a web panel and Telegram channel, uses the KGB Crypter and Ko…
IcedID has shifted from email-based delivery to drive-by infections delivered via Google Search Ads that target common enterprise applications. The TRU team explains how ads, cloaking, and a Cobalt Strike foothold are used to compromise endpoints and deliver I…
LockBit 3.0, also known as LockBit Black, demonstrates advanced anti-forensic and rapid encryption tactics, including log clearing, service deletion, and Windows Defender evasion. The campaign gains initial access via SMB brute-forcing from various IPs and use…