Citrine Sleet (formerly DEV-0139) targeted cryptocurrency investment companies, leveraging social pretexting on Telegram and a weaponized Excel document to deliver a backdoor via DLL proxying. The campaign shows sophisticated industry knowledge, multiple deliv…
Tag: INITIAL ACCESS
North Korea-linked Lazarus APT ran a campaign distributing fake cryptocurrency apps under the BloxHolder brand to push the AppleJeus malware and gain initial access to crypto users. The operation, active June–October 2022, used a cloned HaasOnline site and mul…
Erbium Stealer is an information-stealing malware distributed as MaaS, observed by CYFIRMA in August 2022 and advertised on Russian-speaking forums. It decrypts obfuscated code, drops a DLL in %temp%, loads it via LoadLibraryA, and communicates with a C2 panel an…
Lazarus is analyzed as a financially focused APT group with suspected Northeast Asian origins, noted for multi-stage VHD-based attacks that bypass common defenses and target financial institutions and crypto exchanges. The operation includes spearphishing bait…
CRIL from Cyble analyzed phishing campaigns that impersonate ExpressVPN to distribute the Redline Stealer, delivered through fake ExpressVPN sites. Attackers use shortened URLs pointing to sites with valid SSL certificates to lure users into downloading a malicious ZIP; the payload is then inj…
ESET researchers analyzed Dolphin, a previously unreported backdoor used by ScarCruft (APT37), which the group deploys on select targets to exfiltrate files, log keystrokes, take screenshots, and steal browser credentials, using Google Drive for C2. The Dolphin …
The aviation sector in Southeast Asia faced multiple ransomware incidents targeting airlines in Malaysia, Thailand, Portugal, and Kuwait, linked to several threat actors including Daixin Team, ALPHV (BlackCat), Ragnar Locker, and LockBit. The report outlines …
An Emotet-driven intrusion led to domain-wide deployment of Quantum ransomware after eight days, leveraging Cobalt Strike for discovery and lateral movement and remote-access tools for persistence. The operation included initial access via LNK, PowerShell-base…
Cybereason’s Global SOC is tracking a wide Black Basta ransomware campaign that leverages QakBot (also known as QBot) to gain entry and move laterally in U.S.-based organizations. The campaign ties QakBot infections to rapid deployment of Black Basta, including DNS disrup…
Recorded Future’s Insikt Group analyzes the threat landscape around the 2022 FIFA World Cup in Qatar, covering state-sponsored cyber operations, cybercrime, influence operations, and physical security threats. The assessment finds no imminent disruptive cyber …
Hive ransomware operates as a ransomware-as-a-service (RaaS) that has victimized thousands across sectors like Healthcare and Public Health, encrypting data and threatening leaks. The advisory inventories Hive’s TTPs, IOCs, and mitigations, including initial a…
Researchers at Cado Labs report the re-emergence of WatchDog, a threat actor known for cryptojacking cloud resources. The new campaign targets East Asian Cloud Service Providers using a shell script and a Monero wallet, revealing defense evasion, competitive m…
ARCrypter is a previously unknown ransomware family that emerged in Latin America (notably Chile, with Invima involvement) and has expanded to victims in China and Canada, featuring a two-stage dropper and payload and a ransom note delivered before encryption.…
Venus ransomware, also known as Goodgame, operates as a standalone legacy package with links to Zeoticus and has been encrypting files globally since August 2022. It relies on publicly exposed RDP and common attack techniques rather than sophisticated malware,…
Symantec links state-sponsored activity to Billbug (aka Thrip/Lotus Blossom), targeting a certificate authority and government/defense agencies across Asia since March 2022. The operation employs dual-use tools and backdoors (Hannotog and Sagerunex), uses St…