Ursnif is a long-running banking trojan that steals credentials, downloads other malware, and acts as a keylogger. It is primarily delivered via spear-phishing emails that impersonate authorities and exploit current events, using macro-enabled attachments and …
Tag: INITIAL ACCESS
Black Basta’s infection routine is dissected, revealing how the ransomware relies on credential access, privilege escalation, and careful system manipulation to achieve encryption and extortion. The analysis also covers its methods for disabling recovery, alte…
Orion Threat Research Team uncovered BumbleBee, a new loader used by Initial Access Brokers to deploy campaigns and inject Cobalt Strike into victims’ memory. The operation leverages spoofed identities and ISO-based delivery via TransferXL to lure users, with …
BlackCat (ALPHV) is a Rust-based ransomware-as-a-service operation linked to BlackMatter and REvil lineage, notable for cross-platform samples and a sophisticated exfiltration workflow using Fendr/ExMatter. Telemetry suggests a close tie to past BlackMatter ac…
FortiGuard Labs observed a new DDoS botnet named Enemybot, attributed to Keksec, that borrows code from Gafgyt and Mirai while using obfuscation and a Tor-hidden C2 to complicate takedowns. It targets routers from Seowon Intech and D-Link and leverages a wide …
SystemBC is a proxy malware that has been used by various attackers for years, functioning as both a proxy bot and a downloader for additional payloads. It has recently been distributed through SmokeLoader and Emotet and has featured in ransomware campaigns, i…
Trend Micro Threat Research observed active exploitation of CVE-2022-22965 (Spring4Shell) enabling threat actors to weaponize and execute the Mirai botnet. The exploit chain drops Mirai in /tmp, changes permissions, and deploys a JSP web shell to execute comma…
Cybereason Nocturnus details a new espionage campaign by APT-C-23 targeting Israeli officials, featuring upgraded malware (Barb(ie) Downloader, BarbWire Backdoor, and VolatileVenom Android implant) and sophisticated social engineering to gain initial access. T…
FIN7’s intrusion landscape evolves from LOADOUT and GRIFFON in 2020 to POWERPLANT as the main PowerShell-based backdoor in 2021, with BEACON acting as a secondary access path and extensive PowerShell tradecraft continuing to shape their operations. The report …
Symantec details Cicada (a China-linked APT) widening its espionage activity, targeting governments and NGOs across multiple regions with Exchange server exploits, custom loaders, and backdoors such as Sodamaster and Mimikatz loader, plus tools like VLC and Wi…
The diary documents a MetaStealer infection chain delivered via malicious Excel attachments that drop and persist a Windows EXE and DLL after macro execution and a VBScript loader. It also notes the malware abusing legitimate services like GitHub and transfer.…
The Stolen Images campaign used IcedID as the initial access vector to drop Cobalt Strike beacons, leading to Conti ransomware deployment across a domain. The operation blended off-the-shelf remote-access tools (Atera, Splashtop), multiple Cobalt Strike server…
Mars Stealer is a modern infostealer derived from Oski, sold on underground forums with ongoing development and it targets browser credentials and cryptocurrency wallets. The Morphisec report details its delivery methods, compromised infrastructure, and expose…
A new IcedID campaign uses conversation hijacking in phishing emails delivered from compromised Microsoft Exchange accounts to drop the IcedID loader. The operation shifts from office documents to ISO attachments, uses regsvr32 to proxy-run a DLL, and targets …
Ukraine CERT (CERT-UA) ties the Chinese threat actor Scarab to UAC-0026, marking one of the first publicly reported Ukraine-targeted operations by a non-Russian APT. The campaign centers on a HeaderTip backdoor delivered via macro-enabled lure documents and a …