A May 2022 intrusion used BumbleBee as the initial access vector via a Contact Forms campaign, delivering an ISO containing an LNK and a DLL to load Meterpreter and Cobalt Strike Beacons. The attackers conducted multi-stage post-exploitation including UAC bypa…
Tag: INITIAL ACCESS
Cyble researchers uncovered a phishing campaign targeting Bank Rakyat Indonesia (BRI) that escalates by distributing Android SMS stealers to harvest OTPs and bypass 2FA. The operation begins with credential- and OTP-phishing sites, then installs a custom SMS s…
Raccoon is an information stealer malware distributed as a service with a user-friendly dashboard and frequent updates, enabling attackers to steal data from infected machines. It collects browser passwords, Outlook data, system information, and more, archives…
SocGholish operators have significantly expanded and diversified their malware staging infrastructure since mid-2022, adding about 18 new second-stage servers per month to counter defenders and scale operations. The majority of these new servers are in Europe …
IronNet analyzes how the Robin Banks phishing-as-a-service platform has evolved to evade takedowns, relocate infrastructure to a Russian provider, and add features like cookie-stealing to bypass MFA. The study highlights how open-source code and off-the-shelf …
SentinelLabs provides a comprehensive analysis of Black Basta’s operational TTPs, revealing custom tools, EDR-evasion capabilities, and a likely link to FIN7. The findings suggest FIN7 developers may have contributed to Black Basta’s toolset, with privilege es…
Text4Shell (CVE-2022-42889) is a critical remote code execution vulnerability in Apache Commons Text (versions 1.5–1.9) that can be triggered by crafted input strings to run code on vulnerable hosts. The advisory covers exploitation methods, potential post-exp…
An intrusion in early June 2022 leveraged the Follina CVE-2022-30190 vulnerability embedded in a malicious Word document to install Qbot (Qakbot/Pinkslipbot) and pivot through the network toward a domain compromise. Attackers used Cobalt Strike, NetSupport Man…
Microsoft’s analysis shows Raspberry Robin as part of a broader, interconnected malware ecosystem that enables pre-ransomware activity across thousands of devices, linking USB-driven infections to follow-on hands-on-keyboard attacks and ransomware deployments.…
BlackCat (ALPHV) ransomware has risen to prominence with a Rust-based framework, triple extortion tactics, and a growing affiliate network that leverages diverse attack vectors. Trend Micro highlights evolving TTPs—from Emotet-assisted initial access to privat…
Trend Micro analyzed an LV ransomware intrusion tied to ProxyShell and ProxyLogon exploits affecting a Jordan-based company, highlighting double-extortion and expanding affiliate activity. The report details the infection chain—from Exchange vulnerabilities an…
RDP is commonly used for initial compromise and lateral movement, including via wrappers when native remote desktop support is unavailable. The article also covers how attackers add user accounts, drop RDP-related malware, and employ credential theft and sessi…
Two Zscaler ThreatLabz reports reveal WarHawk, a new backdoor used by the SideWinder APT to target Pakistan, delivering Cobalt Strike via a multi-module loader that includes KernelCallBackTable injection and a Pakistan Standard Time check. The campaign leverag…
Daixin Team is a ransomware and data extortion group focused on Healthcare and Public Health sector targets in the U.S., using VPN compromises and credential theft to deploy ransomware on ESXi servers and exfiltrate data. The FBI/CISA/HHS advisory details TTPs…
In April, VMware patched CVE-2022-22954, but attacks exploiting remote code execution via server-side template injection persisted, delivering Mirai variants, RAR1Ransom, and GuardMiner payloads to exposed VMware Workspace ONE Access and Identity Manager insta…