A May 2022 intrusion used BumbleBee as the initial access vector to deploy Cobalt Strike and Meterpreter across the network. The actors delivered a hidden DLL via an ISO/LNK chain, then moved laterally with RDP/SMB and remote access tools before being evicted; t…
Tag: INITIAL ACCESS
Recorded Future analyzes TA413, a Chinese state-sponsored group, detailing campaigns against the Tibetan community and the adoption of new capabilities, including the LOWZERO backdoor and exploitation of zero-days such as CVE-2022-1040 and Follina. The report …
The FBI and CISA release a Cybersecurity Advisory detailing Iranian state actors, operating as HomeLand Justice, conducting destructive cyber operations against the Government of Albania in July and September 2022, including a year-long intrusion, ransomware-s…
In July 2022, during proactive threat hunting activities at a company in the media industry, Mandiant Managed Defense identified a novel spear phish methodology employed by the threat cluster tracked as UNC4034. Mandiant has identified several overlaps between this group and those we suspect have a North Korea nexus.
UNC4034 established communication…
Cyble researchers uncovered a campaign that uses fake Zoom sites to spread Vidar Stealer to Zoom users. The malware drops binaries, injects into MSBuild, and communicates with C2 infrastructure via GitHub-hosted payloads and hardcoded addresses. #VidarStealer …
Monster is a Delphi-based ransomware-as-a-service (RaaS) that hides its capabilities and uses configurable features to customize encryption and evasion, raising the risk of attribution confusion. The BlackBerry analysis details its encryption methods, use of I…
Fortinet’s Ragnar Locker Ransomware Roundup explains that Ragnar Locker encrypts files, exfiltrates data, and uses double extortion to pressure victims, including negotiations via a Tor-based site and leaking stolen information on a “Wall of Shame.” It also no…
Cisco Talos reports a new Gamaredon APT campaign targeting Ukrainian government entities, leveraging spear-phishing with Russian invasion-themed Office documents and malicious VBScript macros to seed infection. The operation uses a multi-stage chain (LNK in RA…
IRGC-affiliated cyber actors exploited known Fortinet FortiOS and Microsoft Exchange vulnerabilities, plus VMware Horizon Log4j flaws, to gain initial access and conduct ransomware-like operations involving data encryption and data extortion. The advisory outl…
Arctic Wolf Labs analyzed a Lorenz ransomware intrusion that exploited CVE-2022-29499 on a Mitel MiVoice Connect appliance to gain initial access and deploy encryption with BitLocker. The attackers used LOLBins, Chisel tunneling, and FileZilla for data exfiltr…
Symantec details a new espionage campaign targeting Asian governments that uses DLL side-loading of legitimate software to load payloads, followed by credential theft and network-wide movement with a wide toolkit. The activity, spanning April–July 2022, hit a …
May 2022 saw an Emotet-driven intrusion that began with a phishing Excel document and culminated in a domain-wide compromise, Cobalt Strike beaconing, lateral movement, and data exfiltration via Rclone. Emotet has since resurfaced (with TrickBot support) and r…
Cisco Talos reports Lazarus Group’s global campaign exploiting VMware Horizon vulnerabilities to gain long-term access to energy-sector targets, deploying VSingle, YamaBot, and the newly described MagicRAT implants. The activity shows post-exploitation, latera…
Cisco Talos identifies a new Lazarus Group remote access trojan named MagicRAT, deployed after exploiting publicly exposed VMware Horizon platforms. The malware, linked to TigerRAT and Lazarus infrastructure, includes persistence, reconnaissance, and the hosti…
Unit 42 researchers describe MooBot, a Mirai variant that leverages four D-Link vulnerabilities to seize control of exposed devices and deploy a botnet for DDoS attacks. The campaign downloads MooBot from a remote host, communicates with a C2 server, and incl…