Trend Micro researchers attribute a new backdoor to the Earth Kitsune threat group, delivered via a watering hole operation and social engineering. The campaign blends patched installers, Chrome native messaging persistence, ECC-based cryptography for C2, and …
Tag: IOS
VSTO Add-Ins can be weaponized to deliver and execute code via Office documents, offering persistence across Office sessions. The article details local and remote VSTO attack flows, including user prompts to enable Add-Ins, encoded PowerShell payloads, and a r…
Infostealer was the leading malware category in the Jan 16–22, 2023 period, accounting for 43.0% of samples, followed by downloader (30.06%) and backdoor (19.9%). The report highlights BeamWinHTTP, AgentTesla, Formbook, SmokeLoader, and Pony as top families, w…
Emotet has returned after a period of dormancy, expanding its toolkit with new evasion and propagation methods and heavily leveraging phishing campaigns to drop multiple payloads. It now features an SMB spreader for lateral movement, a Chrome data-stealer modu…
HUMAN’s Satori Threat Intelligence and Research Team dismantled a sophisticated malvertising operation named VASTFLUX that injected JavaScript into ad creatives to stack multiple video players behind a single banner and fraudulently register views. The operati…
Mandiant tracks a suspected China-nexus operation that exploited Fortinet FortiOS SSL-VPN CVE-2022-42475 as a zero-day, deploying a backdoor named BOLDMOVE on Windows and Linux and targeting internet-facing devices. The campaign highlights how such devices ena…
Huntress shares their take on the ConnectWise Control vulnerability discussions, arguing there was no demonstrated exploit at the severity level claimed and advocating for responsible disclosure and collaboration. They emphasize social engineering and phishing…
Fortinet’s analysis details a targeted FortiOS SSL-VPN heap overflow (CVE-2022-42475) used to deploy a Linux implant masquerading as an IPS component. The write-up covers malware behavior, IoCs, C2 infrastructure, affected FortiGate models/versions, and recomm…
This weekly ASEC report analyzes phishing email threats from December 25–31, 2022, focusing on attachments used to deliver malware. It highlights Infostealer, FakePage, and Worm Malware as top attachment-based threats, detailing file extensions, distribution s…
BlueNoroff group expanded its malware delivery methods to bypass Mark-of-the-Web (MOTW) protections by using ISO and VHD disk image formats, and began experimenting with Visual Basic Script, Windows Batch scripts, and a Windows executable. They also operated a…
Threat actors are exploiting FIFA World Cup buzz to run a range of scams, including crypto phishing with fake NFT drops, fake FIFA-themed domains, WhatsApp-led scams, and broad malware campaigns. Cyble Research & Intelligence Labs (CRIL) documents multiple lur…
Hive ransomware operates as a ransomware-as-a-service (RaaS) that has victimized thousands across sectors like Healthcare and Public Health, encrypting data and threatening leaks. The advisory inventories Hive’s TTPs, IOCs, and mitigations, including initial a…
Cyble researchers uncovered a phishing campaign targeting Bank Rakyat Indonesia (BRI) that escalates by distributing Android SMS stealers to harvest OTPs and bypass 2FA. The operation begins with credential- and OTP-phishing sites, then installs a custom SMS s…
Text4Shell (CVE-2022-42889) is a critical remote code execution vulnerability in Apache Commons Text (versions 1.5–1.9) that can be triggered by crafted input strings to run code on vulnerable hosts. The advisory covers exploitation methods, potential post-exp…
QAKBOT is observed using valid code signing certificates to sign malicious modules, enabling trusted-looking infections. The article reviews infection timelines, potential origins of abused certificates, and recommended countermeasures. #QAKBOT #Follina