Cyble Research Labs identified an Android malware variant distributed via the Play Store that acts as a Hostile Downloader to fetch the Hydra Banking Trojan. The app masquerades as Document Manager, uses fake update prompts, and communicates with a TOR-enabled…
Tag: INITIAL ACCESS
An unknown threat actor exploits CVE-2019-18935 in Telerik UI for ASP.NET AJAX to seize control of Windows servers, drop a Cobalt Strike beacon, and stage further malware via PowerShell commands. Sophos MTR links these campaigns to earlier Blue Mockingbird act…
Follina (CVE-2022-30190) is a remote code execution vulnerability in Microsoft Office that can be exploited without macros by loading an external reference which ultimately invokes the MSDT tool to run PowerShell. The article outlines the attack flow, the tech…
An ISC guest diary analyzes the modern coin miner malware variant “redtail” and its capabilities across four CPU architectures, showing how attackers gain initial SSH access, upload payloads, and establish persistence on compromised hosts. The report traces tw…
Aoqin Dragon is a long-running Chinese-speaking APT tracked by SentinelLabs, active since 2013 and targeting government, education, and telecom organizations in Southeast Asia and Australia. The group uses document exploits, fake removable devices, DLL hijacki…
Bumblebee is a sophisticated loader that replaces BazarLoader and delivers frameworks like Cobalt Strike, Shellcode, Sliver, and Meterpreter, while also dropping other malware such as ransomware. It is distributed via spear-phishing ISO downloads, employs exte…
Researchers document Black Basta’s observed TTPs during a recent incident response, detailing lateral movement, defense evasion, discovery, and encryption activities against Hyper-V environments and Veeam backups. The post also provides a technical breakdown o…
WatchDog has evolved a multi-stage cryptojacking campaign that targets exposed Docker Engine API endpoints and Redis servers, repurposing TeamTNT payloads while attempting to foil attribution. The attack uses timestomping, process hiding, and worm-like propaga…
Threat actors exploited CVE-2021-44077 to gain initial access to an internet-facing ManageEngine SupportCenter Plus instance, planted a web shell, and began days-long data exfiltration via web shell and RDP. The operation involved Plink-based SSH tunneling, LS…
UNC2165 is analyzed as overlapping with Evil Corp activities and shifting toward ransomware deployments such as HADES and LOCKBIT, leveraging FAKEUPDATES, BEACON, and post-exploitation techniques to breach networks while evading sanctions. The report traces th…
The article analyzes SocGholish (aka FAKEUPDATES) campaigns and how they function as a major initial-access vector through fake updates, compromised sites, and phishing-style techniques, detailing loader chains and observed IOCs. It covers campaigns delivering…
Space Pirates is an Asia-rooted advanced threat group whose activities span several backdoors and loaders, targeting government and aerospace/energy sectors in Russia, Georgia, and Mongolia. The report ties Space Pirates to multiple other APTs and tooling exch…
Onyx is a ransomware observed in April 2022 that encrypts files, appends the .ampkcz extension, and leaves a readme.txt ransom note. It uses several evasion, persistence, and exfiltration techniques, including process checks, startup-folder modifications, and …
Quantum Locker is a fast, human-operated ransomware strain linked to MountLocker that encrypts data within hours of infection, often leaving defenders little time to respond. Cybereason Nocturnus classifies the threat as HIGH, notes a RansomOps playbook, and h…
Secureworks CTU researchers analyzed COBALT MIRAGE’s ransomware operations in the United States, spotting two intrusion clusters: Cluster A uses BitLocker/DiskCryptor for opportunistic ransomware, while Cluster B pursues targeted intrusions with some ransomwar…