Joint FBI/CISA/MS-ISAC advisory details Vice Society’s ransomware operations, highlighting their methods, IOCs, and recommended mitigations for education-sector defenders. It notes that Vice Society uses variants such as HelloKitty/Five Hands and Zeppelin and…
Tag: INITIAL ACCESS
DangerousSavanna is a two-year campaign targeting financial institutions in French-speaking Africa, employing spear-phishing and a diverse set of infection chains to deploy PoshC2 and AsyncRAT. The operation features evolving lures, modular payloads, and exten…
Play is a new ransomware family that mirrors Hive and Nokoyawa, suggesting shared operators and attack infrastructure. It differentiates itself with AdFind-based Active Directory discovery and a blend of LOLBins, GPO-based deployment, and double-extortion tech…
SafeBreach Labs uncovered a new targeted remote access Trojan named CodeRAT that targets Farsi-speaking developers using a Word document that abuses Dynamic Data Exchange (DDE) to launch the payload. It features a versatile command set, uses the Telegram bot API for C2 and public file-upload services for e…
BianLian emerged as a relatively new ransomware actor deploying Go-based malware and using living-off-the-land (LotL) techniques to move laterally while evading EDR during encryption. They exploited initial access vectors such as ProxyShell and SonicWall VPN vulnerabilities, rap…
IBM X-Force/MDR analysis connects Raspberry Robin infections with the Dridex malware and the Russia-based Evil Corp, revealing shared loader structures, anti-analysis techniques, and a workflow that leverages USB-based initial access. The report traces the inf…
Bitdefender’s deep-dive analyzes a corporate espionage operation targeting a small U.S. technology company, detailing how initial access was gained through an unpatched internet-facing vulnerability and how attackers staged months of data exfiltration. The ope…
Securonix Threat Labs uncovered a Golang-based GO#WEBBFUSCATOR campaign that leverages a James Webb image and obfuscated Go payloads to infect targets. The attack chain starts with a phishing Office attachment, downloads a malicious template, and uses DNS-base…
BlueSky ransomware is an emerging threat observed since mid-2022 that spreads through trojanized downloads and phishing emails, with rapid encryption and lateral movement in Windows environments. It uses multi-stage PowerShell droppers, SMB-based prop…
Mitiga uncovered an advanced business email compromise (BEC) campaign that targets executives via Office 365, combining high-end spear-phishing with adversary-in-the-middle (AiTM) techniques to bypass MFA and achieve persistence. Attackers monitor significant …
IronDefense documented a unique Black Hat NOC environment where real malware activity and classroom demos co-exist, revealing notable infections like SHARPEXT, Shlayer, and NetSupport RAT. The findings highlight the challenges of defending a highly segmented, …
Qbot (QakBot) infections surged in 2022, with Trellix SecOps documenting its evolving delivery vectors and detection strategies to outpace defenses. The post details Qbot’s infection chain, MITRE technique mappings, IOCs, and Trellix detection/hunting guidance…
Researchers analyze mhyprot2.sys, a vulnerable but validly signed Genshin Impact anti-cheat driver, showing how a ransomware actor loads it to gain kernel-level access and terminate antivirus processes. The case highlights how legitimate drivers can be abused for privilege escalat…
Fortinet FortiGuard Labs analyzes a spearphishing campaign against a South Asian telecommunications agency, weaponizing an RTF document with Royal Road to exploit CVE-2018-0798 and drop a DLL chain leading to PoisonIvy (PivNoxy/Chinoxy) backdoors. The report o…
Cybereason GSOC analyzes a Bumblebee Loader infection, detailing the attack chain from initial lure to full network compromise and Active Directory takeover, with notes on post-exploitation actions, credential theft, and data exfiltration. The report also high…