Dormant Colors describes a widespread campaign of malicious browser extensions that infect millions of users via malvertising, then covertly load and update weaponized code to harvest data and enable targeted fraud. The investigation exposes a robust, globally…
Tag: IOS
Water Labbu is a threat actor that parasitically hijacks scam DApp websites by injecting malicious JavaScript to steal cryptocurrency. The campaign uses injected payloads and delivery servers to obtain wallet permissions and drain USDT balances, disguising act…
CRIL researchers uncovered a fake Telegram download site that leads Windows users to a malicious MSI installer, which abuses Windows Defender components to operate a remote-access Trojan. The malware uses DLL side-loading, memory injection, and a C2 channel to…
Attackers continue to abuse Google Sites and Microsoft Azure Web Apps to host cryptocurrency phishing campaigns targeting major wallets and exchanges, with new pages and targets emerging over time. The operation relies on two stages—SEO-driven first pages and …
IRGC-affiliated cyber actors exploited known Fortinet FortiOS and Microsoft Exchange vulnerabilities, plus Log4j flaws in VMware Horizon, to gain initial access and conduct ransomware-style operations in which data is encrypted and victims are extorted. The advisory outl…
Cyble researchers uncovered a phishing campaign impersonating Japan’s National Tax Agency to steal V-Preca card details from Japanese taxpayers, combining fake NTA sites, smishing, and Android malware (FakeCop) with extensive C2 infrastructure. The operation e…
Secureworks CTU analyzed a June 2022 ransomware incident involving the Iranian COBALT MIRAGE group, highlighting continued use of known TTPs. The operation deployed ProxyShell exploits, web shells, and TunnelFish, encrypted servers with BitLocker, and left tra…
Cyble Research and Intelligence Labs (CRIL) detected active PowerShell Empire infrastructure being used in the wild, including multiple infections and post-exploitation activities leveraging the Empire framework. The article details Empire’s listener/stager/ag…
Play is a new ransomware family that mirrors Hive and Nokoyawa, suggesting shared operators and attack infrastructure. It differentiates itself with AdFind-based Active Directory discovery and a blend of LOLBins, GPO-based deployment, and double-extortion tech…
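The AdFind-based Active Directory discovery named in the Play summary is a common hunting target. The following is an added example, not code from the page or from any vendor report: it runs a simple detector over constructed process-creation events (the paths, PIDs and command lines are invented for illustration). It keys on AdFind's own switches (`-f` with an `objectcategory=` filter, `-sc trustdmp`, `-sc trodc`, `-gcb`, `-subnets`) as well as the image name, so a renamed binary is still caught.

```python
import re

# Constructed process-creation events for illustration only (not from the Play report).
SAMPLE_EVENTS = [
    {"pid": 4101, "image": r"C:\Windows\Temp\AdFind.exe",
     "cmdline": r'AdFind.exe -f "(objectcategory=person)" > ad_users.txt'},
    {"pid": 4102, "image": r"C:\Windows\Temp\a.exe",          # renamed AdFind binary
     "cmdline": r'a.exe -gcb -sc trustdmp > trustdmp.txt'},
    {"pid": 4103, "image": r"C:\Windows\Temp\a.exe",
     "cmdline": r'a.exe -subnets -f (objectCategory=subnet) > subnets.txt'},
    {"pid": 4104, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c dir'},
    {"pid": 4105, "image": r"C:\Program Files\Git\bin\git.exe",
     "cmdline": r'git.exe -f fetch'},                           # a lone -f is not enough
]

# Switches that are characteristic of AdFind usage in AD reconnaissance.
ADFIND_SWITCH_PATTERNS = [
    re.compile(r"-sc\s+trustdmp", re.I),          # dump domain trusts
    re.compile(r"-sc\s+trodc", re.I),             # read-only domain controllers
    re.compile(r"-subnets\b", re.I),              # site/subnet enumeration
    re.compile(r"-gcb\b", re.I),                  # query the global catalog
    re.compile(r'-f\s+"?\(?objectcategory=', re.I),  # LDAP filter on object category
]


def image_basename(path):
    """Return the file name of a Windows image path regardless of host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_adfind(events):
    """Return a list of {pid, reasons} for events that look like AdFind discovery."""
    hits = []
    for ev in events:
        reasons = []
        if image_basename(ev["image"]) == "adfind.exe":
            reasons.append("image name is adfind.exe")
        for pat in ADFIND_SWITCH_PATTERNS:
            if pat.search(ev["cmdline"]):
                reasons.append("AdFind switch: " + pat.pattern)
        if reasons:
            hits.append({"pid": ev["pid"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect_adfind(SAMPLE_EVENTS):
        print(hit["pid"], "; ".join(hit["reasons"]))
```

Matching on switches rather than the file name is the point: the renamed `a.exe` in the sample is flagged purely by `-gcb -sc trustdmp`, while `git.exe -f fetch` is not, because the filter pattern requires the `objectcategory=` LDAP syntax after `-f`.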
ChromeLoader, also known as Choziosi Loader, has evolved through multiple versions since late 2021, complicating atomic indicator-based detections. The analysis tracks its execution chain from obfuscated PowerShell to a Chrome/Edge/Firefox extension, detailing…
XCSSET, a macOS malware family, updated in 2022 to adapt to macOS Monterey and to prepare for a future without Python by removing Python-based components and shifting toward SHC-compiled droppers and run-only AppleScripts. The analysis outlines infection refin…
Cyble researchers exposed a dark web post by a malware developer selling a powerful Windows RAT suite, including XWorm with ransomware and HVNC capabilities. The article details the toolset, persistence and anti-analysis techniques, data exfiltration, and the …
Iron Tiger’s operation against Mimi chat installers shows a supply chain compromise delivering HyperBro on Windows and rshell on macOS/Linux across multiple targets. The campaign spans three major platforms, uses code obfuscation, and establishes C2 communicat…
FortiGuard Labs tracks RapperBot, a rapidly evolving IoT malware family that borrows heavily from Mirai but switches from Telnet to SSH brute forcing for initial access on Linux devices. The campaign shows notable persistence and credential-access capabilities…
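Because RapperBot's initial access is SSH password brute forcing, the practical check on a Linux host is the sshd authentication log. The block below is an added example, not code from the page or from FortiGuard Labs: it runs a brute-force heuristic over constructed sshd log lines (hostname, PIDs and documentation-range IPs are invented) and reports sources that exceed a failure threshold, noting whether a password-based login from the same source succeeded afterwards, which is the outcome a successful brute force produces.

```python
import re
from collections import defaultdict

# Constructed sshd log lines for illustration only (not from the RapperBot report).
SAMPLE_AUTH_LOG = """\
Aug  3 10:01:01 cam01 sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Aug  3 10:01:02 cam01 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Aug  3 10:01:03 cam01 sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Aug  3 10:01:04 cam01 sshd[1204]: Failed password for invalid user pi from 203.0.113.7 port 51237 ssh2
Aug  3 10:01:05 cam01 sshd[1205]: Failed password for root from 203.0.113.7 port 51238 ssh2
Aug  3 10:01:06 cam01 sshd[1206]: Accepted password for root from 203.0.113.7 port 51239 ssh2
Aug  3 10:05:00 cam01 sshd[1300]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Aug  3 10:05:10 cam01 sshd[1301]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED = re.compile(
    r"Accepted (?P<method>password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port")


def analyze_ssh_log(log_text, threshold=5):
    """Return one finding per source IP with >= threshold failed password logins.

    Each finding records the failure count, the distinct usernames tried, and
    whether a password-based login from that IP was later accepted.
    """
    failures = defaultdict(list)      # ip -> usernames that failed
    password_success = defaultdict(list)  # ip -> usernames accepted by password
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m["ip"]].append(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m and m["method"] == "password":
            password_success[m["ip"]].append(m["user"])

    findings = []
    for ip, users in failures.items():
        if len(users) >= threshold:
            findings.append({
                "ip": ip,
                "failures": len(users),
                "users": sorted(set(users)),
                "password_login_after": sorted(set(password_success.get(ip, []))),
            })
    return sorted(findings, key=lambda f: f["failures"], reverse=True)


if __name__ == "__main__":
    for f in analyze_ssh_log(SAMPLE_AUTH_LOG):
        status = "COMPROMISED?" if f["password_login_after"] else "blocked"
        print(f["ip"], f["failures"], "failures, users", f["users"], status)
```

The threshold is deliberately low for the sample; on a real device the signal is the combination of many failures from one source, a spread of generic usernames, and an accepted password login from that same source, which is exactly why disabling password authentication for SSH on such devices removes this vector.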
VirusTotal’s Deception at scale report analyzes how malware abuses trust by hiding in legitimate installers, signing certificates, and masquerading as popular applications to deliver malicious payloads. It highlights social engineering trends and practical tec…