EclecticIQ details a QakBot phishing campaign that bypasses Windows Mark of the Web (MoTW) using an unpatched vulnerability, enabling malware installation. The campaign leverages LOLBINS like Regsvr32 and WScript, delivers payloads via encrypted ZIP/ISO, and c…
Tag: INITIAL ACCESS
Rapid7 details how threat actors deploy Hive ransomware with a mix of known techniques and new methods to drop defenses, enable lateral movement, and encrypt across victim machines and network shares. The article also covers new Hive flags (-timer, -low-key) a…
Trend Micro analyzes Gootkit loader’s infection routine targeting Australian healthcare, showing SEO poisoning for initial access and abuse of VLC Media Player for DLL sideloading and Cobalt Strike usage. The campaign features obfuscated JavaScript, fake WordP…
SCATTERED SPIDER attempted a Bring-Your-Own-Vulnerable-Driver (BYOVD) operation to load a kernel driver via CVE-2015-2291 in the Intel Ethernet Diagnostics driver (iqvw64.sys) to gain kernel access and persistence. CrowdStrike detected and blocked the attempt,…
Cybereason’s Threat Analysis chronicles an IcedID (BokBot) campaign, detailing its use as a dropper and initial access tool, TTPs, and post-compromise activity across a Windows environment. The report notes a shift to ISO/LNK infection vectors, cross-group tec…
ASEC tracked phishing email threats for December 18–24, 2022, finding Infostealer attachments (AgentTesla, FormBook) as the top threat type, followed by FakePage and Worm Malware; attackers also used various file extensions and C2 payloads. The report highligh…
This weekly ASEC report analyzes phishing email threats from December 25–31, 2022, focusing on attachments used to deliver malware. It highlights Infostealer, FakePage, and Worm Malware as top attachment-based threats, detailing file extensions, distribution s…
Researchers identified a crypto-themed Magecart skimmer built on the Mr.SNIFFA toolkit that targets e-commerce sites, employing obfuscation and whitespace encoding to load its payload and exfiltrate payment data. The operation runs on Russian-hosted infrastruc…
Emotet has returned after four months of inactivity, reviving spam campaigns and leveraging its loader-as-a-service model to deploy other malware. The campaign shows evolving social engineering and obfuscation techniques, continuing to drop modules like IcedID…
Turla leveraged USB spread to introduce legacy ANDROMEDA into Ukrainian and other targets, then deployed KOPILUWAK to profile victims and QUIETCANARY to exfiltrate data, with multiple stages delivered via…
Ursnif (Gozi/ISFB) was delivered via a malicious ISO containing a LNK file, leading to a complex execution flow that included a renamed rundll32 and later persistence. The attackers then deployed Cobalt Strike, performed manual discovery, dumped LSASS memory, …
Blind Eagle (APT-C-36) has intensified its Ecuador-focused campaign with an upgraded infection chain, delivering a QuasarRAT-based payload via a password-protected LHA package and multiple stages. The operation combines geo-filtered phishing, a MediaFire drop,…
BlueNoroff group expanded its malware delivery methods to bypass Mark-of-the-Web (MOTW) protections by using ISO and VHD disk image formats, and began experimenting with Visual Basic Script, Windows Batch scripts, and a Windows executable. They also operated a…
Team Cymru analyzes IcedID’s BackConnect protocol and uncovers how operators repurpose infected hosts as proxies to support distributed C2 activity, including VPN/Starlink/Tor-based routing and remote-access channels. The post also highlights observed tools an…
Vice Society has adopted a new custom-branded ransomware payload named PolyVice that uses NTRUEncrypt and ChaCha20-Poly1305 for strong encryption. The analysis indicates the same developers are selling customized payloads to multiple groups, signaling an outso…