Cyble Research Labs uncovered a new Qakbot playbook that uses DLL sideloading and a multi-stage delivery chain, including HTML-embedded ZIPs and an ISO with a disguised LNK file to trigger execution. The campaign evolves with legitimate apps loading malicious …
Tag: INITIAL ACCESS
Threat researchers observed a new attack campaign named STIFF#BIZON targeting high-value targets in the Czech Republic, Poland, and other countries, with artifacts possibly linked to North Korea’s APT37 (Konni). The campaign uses a multi-stage infection chain …
NukeSped RAT is a Windows-based remote access trojan attributed to the Lazarus Group that uses phishing Word documents with malicious macros to drop staged payloads. It exfiltrates data, captures keystrokes and screenshots, and downloads additional payloads, e…
Cyber threat actors, including state-sponsored APT groups, continue to exploit CVE-2021-44228 (Log4Shell) in unpatched VMware Horizon and Unified Access Gateway (UAG) servers to gain initial access and move laterally within organizations. They deploy loader ma…
Unit 42 describes a campaign targeting Elastix/Digium phones where a PHP web shell is implanted to exfiltrate data and fetch additional payloads. The activity links to a Rest Phone Apps RCE (CVE-2021-45461) and is mitigated by Palo Alto Networks WildFire and T…
Confucius, an Indian APT group, has targeted Pakistan’s government and military since 2021 using spearphishing attachments and counterfeit government portals to deliver multi-stage loaders. The operation leverages QuasarRAT and bespoke C++/C# backdoors, delive…
NCC Group analyzes Everest ransomware operations and argues a link to BlackByte, detailing how Everest-related activity deployed during an incident response used TTPs such as RDP-based lateral movement, credential dumping, and C2 via remote tools. The report …
This joint Cybersecurity Advisory explains that Maui ransomware has been used by North Korean state-sponsored actors since May 2021 to target Healthcare and Public Health sector organizations, detailing TTPs and IOCs. It urges mitigations and reporting, and wa…
Bitter (T-APT-17) continues to target Bangladesh, employing a multi-stage infection chain beginning with an Excel Maldoc that exploits CVE-2018-0798 to drop additional payloads. The operation culminates in Almond RAT, a .NET-based backdoor that uses AES-CBC en…
Cyble Research Labs analyzed Xloader’s updated infection technique, detailing a multi-stage chain that starts with a phishing email delivering a PDF attachment, then traverses through embedded XLSX and an RTF-triggered dropper to load a final Xloader payload. …
SessionManager is an IIS backdoor tied to the GELSEMIUM activity cluster that persists on compromised servers by loading a malicious IIS module after ProxyLogon-type exploits. It enables reading/writing files, remote command execution, and HTTP-based command-a…
Cyble Research Labs highlights a rise in using Windows .lnk shortcut files to deliver payloads via LOLBins like PowerShell and mshta, including a new “Quantum Builder” tool that can create .lnk, .hta, and .iso-based payloads. The report also notes potential La…
Talos observed a month-long AvosLocker campaign leveraging Sliver, Cobalt Strike, and network scanners to move laterally after exploiting Log4Shell on exposed VMware Horizon UAG appliances. The incident underscores the importance of properly configured securit…
QBot (QakBot) is a long-standing banking trojan that steals credentials and is spread via spam emails with macro-enabled Office documents. The article highlights two recent distribution methods (XLSB with hidden payload sheets and XLTM macro templates), detail…
Volexity details a targeted Sophos Firewall breach that leveraged a zero-day remote code execution vulnerability (CVE-2022-1040) to install a webshell, establish persistence, and conduct MITM activity that extended to external systems such as CMS websites. Sop…