Trend Micro’s honeypots detected cryptocurrency mining activity targeting cloud and container environments, with actors using Docker API abuse and worm-like propagation that resembles TeamTNT’s arsenal, though WatchDog may be mimicking or behind the campaign. …
Tag: INITIAL ACCESS
ESET researchers uncovered a Lazarus campaign in fall 2021 that targeted a Netherlands aerospace employee and a Belgian political journalist via spearphishing attachments, leading to a multi-tool intrusion set. Notably, it marked the first publicized real-worl…
Ransom Cartel emerged as a ransomware-as-a-service operation around late 2021, showing double-extortion techniques and notable overlaps with REvil, including possible ties to REvil’s code and infrastructure. The report analyzes Ransom Cartel’s TTPs, comparison…
Threat researchers reverse-engineered Brute Ratel C4 (BRC4) and its Badger agents, building a defender-focused analysis and an Atomic-C2 simulator to test detections. The study maps BRC4 behaviors to MITRE techniques, highlighting an ISO-based initial access c…
BianLian ransomware, written in Go, encrypts files at high speed using concurrent processes and targets a wide range of industries across several countries. The operation includes a ransom note with contacts via Tox or email and hints at manual deployment with…
Uptycs reports a new campaign where WSHRAT acts as a dropper for Agent Tesla through a multi-stage infection chain emphasizing evasion techniques like steganography and in-memory DLL loading. The campaign begins with phishing emails containing GZ and R00 archi…
Budworm is resurfacing in the U.S. targeting high-value entities with a mix of malware and openly available tools, including DLL side-loading via legitimate processes and C2 infrastructure hosted on VPS services. The campaign centers on HyperBro, with occasion…
Trend Micro researchers document a QAKBOT-driven intrusion that escalates to Brute Ratel C4 and Cobalt Strike payloads attributed to Black Basta operators, highlighting a shift toward commercial C2/attack emulation tools in real-world ransomware campaigns. The…
As endpoint detection and response (EDR) solutions improve malware detection efficacy on Windows systems, certain state-sponsored threat actors have shifted to developing and deploying malware on systems that do not generally support EDR such as network appliances, SAN arrays, and VMware ESXi servers. Earlier this year, Mandiant identified a novel malware ecosystem…
Black Lotus Labs analyzed ~100 Go-based Chaos samples and found a cross‑platform, multi‑architecture botnet that persists, beacons to TLS C2s, steals or brute‑forces SSH credentials, exploits CVEs to propagate, and can run additional modules for DDoS and crypt…
ESET researchers uncovered Lazarus APT campaigns in autumn 2021 that used Amazon-themed documents to target a Netherlands aerospace employee and a Belgian journalist, with data exfiltration as the goal. The operation combined multiple tools, including the BLIN…
Fortinet FortiGuard Labs analyzed malicious Microsoft Office documents that abused legitimate sites MediaFire and Blogger to deliver two malware variants: Agent Tesla and njRat (Bladabindi). The operation uses a multi-stage chain—VBA macros, mshta, and PowerSh…
DeftTorero (Lebanese Cedar/Volatile Cedar) activity from late 2019 to mid-2021 shows a shift toward fileless/LOLBIN techniques and the use of public/offensive tooling to blend in with normal activity. The report details initial access via web shells (Caterpill…
Sygnia attributes Cheerscrypt and Night Sky to the same actor, Emperor Dragonfly, a China-based group that rebrands payloads across campaigns. The investigation shows Emperor Dragonfly deploys Windows and ESXi ransomware, uses open-source Go tools, and conduct…
Securonix Threat Labs uncovered a covert campaign targeting military contractors, leveraging sophisticated PowerShell-based stagers, multi-layer obfuscation, and robust C2 infrastructure. The attackers used spearphishing with a .lnk shortcut, extensive anti-an…