In a November 2021 intrusion, threat actors gained a foothold with Qbot (Quakbot) and used Zerologon to elevate to domain admin, enabling Cobalt Strike deployment and broader network compromise. They conducted AD discovery, exfiltrated sensitive documents, and…
Tag: INITIAL ACCESS
Fortinet FortiEDR uncovered a Moses Staff campaign targeting Israeli organizations, leveraging ProxyShell exploits to deploy web shells and a multi-component backdoor for espionage, data exfiltration, and payload delivery. The operation includes a loader that …
Picus Security analyzes LockBit 2.0 ransomware, detailing its evolution as a RaaS operator, its anti-detection techniques, and its methods to disrupt victim recovery and logging. The post also lists IOCs and maps LockBit 2.0 behaviors to MITRE ATT&CK technique…
TA402, a Palestinian-aligned APT, has deployed NimbleMamba, a new implant intended to replace LastConn, in targeted Middle East campaigns. The operation blends geofenced links, actor-controlled domains, and Dropbox-based C2/exfiltration with redirects to legit…
Mandiant ties a campaign that uses SEO poisoning to distribute BATLOADER and ATERA Agent to techniques disclosed after a CONTI ransomware affiliate leak in August 2021. The report also provides extensive indicators, a YARA rule, and a MITRE ATT&CK mapping span…
Antlion, a Chinese APT, deployed a custom .NET loader called xPack to compromise Taiwanese targets, focusing on financial and manufacturing organizations and conducting extended credential dumping and data staging. The operation used a mix of custom loaders an…
Qbot (QakBot) campaigns spread rapidly by delivering a malicious Excel macro that loads a QBot DLL, then injects into msra.exe to harvest browser data and Outlook emails. The operation escalates privileges, moves laterally across all workstations, and uses mul…
Cisco Talos identifies a new wave of the Delphi-based Micropsia implant operated by Arid Viper, targeting Palestinian entities and activists with politically themed decoys. The latest implants add multiple RAT and information-gathering capabilities, persistenc…
The Belarusian Cyber Partisans disclosed documents related to a railway-targeting incident and discussed that Curated Intelligence member SttyK would study the methods used. The published material outlines an incident aimed at hindering operations and details …
BlackBerry researchers link the Prophet Spider Initial Access Broker (IAB) group to exploiting the Log4j (Log4Shell) vulnerabilities in VMware Horizon to break into organizations. The article outlines IoCs, observed post-exploitation payloads (cryptomining, Co…
ESET analyzes a watering-hole campaign that delivers a new macOS backdoor named DazzleSpy via a WebKit/Safari exploit chain. Targets were Hong Kong pro-democracy individuals, with infection hosted on amnestyhk.org and other compromised sites like fightforhk.co…
Donot Team (also known as APT-C-35 and SectorE02) is a long-running South Asia-focused threat actor linked to Windows and Android malware, with Amnesty International alleging links to an Indian cybersecurity company that may sell spyware or hackers-for-hire se…
By Sriram P & Lakshya Mathur Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as…
The post HANCITOR DOC drops via CLIPBOARD appeared first on McAfee Blog….
Phishing is increasingly a preliminary step in multi-stage ransomware campaigns: attackers use phishing to gain initial access, then deploy loaders/RATs to perform reconnaissance, lateral movement, persistence and finally deliver ransomware. Detecting and bloc…
Executive Summary Ryuk is a ransomware that encrypts a victim’s files and requests payment in Bitcoin cryptocurrency to release the…
The post New Ryuk Ransomware Sample Targets Webservers appeared first on McAfee Blog….