TRU and BreakPoint Labs uncovered a Conti affiliate operating an automated Cobalt Strike infrastructure, exposing new domain names, IP addresses, and emails used for command-and-control. The findings link Conti operations to Trickbot, BazarLoader, IcedID, Five…
Tag: INITIAL ACCESS
Avast Threat Labs connects Meris, TrickBot, and Glupteba campaigns to a single C2 that covertly controls roughly 230,000 MikroTik routers in a botnet-as-a-service. The research traces exploitation of CVE-2018-14847, wides…
AvD crypto stealer is a disguise for a Clipper variant that reads and edits clipboard content to swap crypto wallet addresses. The actor offers one month of free access to attract more users, with targets including other threat actors and six supported chains.…
Researchers at ESET uncovered an ongoing Mustang Panda operation using a new Korplug variant, Hodur, noted for its aggressive anti-analysis and memory-only loading chain. The campaign uses European-current-events decoys to target diplomatic missions, research …
APT35 (PHOSPHORUS/UNC2448) leveraged Microsoft Exchange ProxyShell vulnerabilities to gain initial access, deploy web shells, and perform post-exploitation tasks, including credential dumping and payload deployment. The activity appears scripted and automated,…
Dragos reports sustained network chatter between Emotet C2 servers and multiple auto manufacturers, with the Emotet infrastructure suspected to be controlled by the Conti ransomware group. No confirmed initial access or encryption has been observed yet, and ac…
Talos analyzes how BlackCat/ALPHV operates as a growing ransomware-as-a-service with affiliates linked to prior groups like BlackMatter and DarkSide, outlining how the affiliates evolved the operation and used shared infrastructure. The piece details attack fl…
FBI and CISA warn that Russian state-sponsored cyber actors gained network access by exploiting default MFA configurations and the PrintNightmare vulnerability, enabling document exfiltration from an NGO via compromised credentials and MFA bypass. The advisory…
Researchers tracked a LazyScripter campaign in 2021 targeting European entities, revealing a double-compromise chain involving H-Worm and njRAT delivered via obfuscated scripts. They also uncovered use of a free online obfuscation service and a waterhole-style…
Black Lotus Labs notes Emotet’s resurgence since November 2021, with about 130,000 unique bots across 179 countries and evolving infrastructure that could serve as footholds or proxy C2s. The report highlights changes in encryption, process-list handling, and …
APT41’s operations against U.S. state governments leveraged multiple, overlapping campaigns: initial access via a USAHerds web app vulnerability (CVE-2021-44207) followed by Log4Shell (CVE-2021-44228) deserialization to deploy backdoors, including KEYPLUG.LINU…
FortiGuard Labs uncovered a phishing operation masquerading as a purchase order to a Ukrainian manufacturer, delivering Agent Tesla via a PPAM PowerPoint add-in. The campaign uses a multi-stage dropper with Bit.ly and MediaFire stages, ends with PowerShell-bas…
Trend Micro researchers present evidence that Nokoyawa ransomware is likely connected to Hive, sharing parts of the attack chain, tools, and even infrastructure, with most Nokoyawa targets in Argentina. The analysis also highlights similarities and key differe…
CyCraft’s first-hand investigation reveals a China-state-backed operation, dubbed “Operation Cache Panda,” targeting Taiwan’s financial sector through a broad supply-chain attack exploiting software vulnerabilities and deploying multi-stage, memory-resident ma…
In a November 2021 intrusion, threat actors gained a foothold with Qbot (Qakbot) and used Zerologon to elevate to domain admin, enabling Cobalt Strike deployment and broader network compromise. They conducted AD discovery, exfiltrated sensitive documents, and…