Threat actors impersonate Atomic Wallet with a phishing site to deliver Mars Stealer, a credential-theft malware. The campaign uses a staged download chain, PowerShell, AES decryption, and a Discord-hosted payload that exfiltrates data to a C2 server. #MarsSte…
Threat actors are leveraging DLL sideloading in legitimate Microsoft applications to deliver a Cobalt-Strike beacon. The dropped DLL is loaded from application folders and communicates with a C2 URL hosted on CloudFront to enable beacon operations. #QakBot #Co…
Threat actors abuse DLL sideloading to run malicious code through legitimate Microsoft applications (Teams and OneDrive), dropping and loading a malicious DLL that communicates with a remote C2 and leverages Cobalt Strike Beacon for post-exploitation. The camp…
CosmicStrand is a sophisticated UEFI firmware rootkit attributed to a Chinese-speaking threat actor, designed to persist from the earliest boot stages and deploy kernel- and user-mode payloads. It achieves durable persistence by implanting in firmware (CSMCORE…
Lightning Framework is a modular, undetected Linux malware framework with a downloader, core, and multiple plugins, including rootkit-capable components, that can communicate with a threat actor via a malleable C2 configuration. It leverages typosquatting, per…
CloudMensis is a macOS backdoor that spies on victims by exfiltrating documents, keystrokes, and screen captures, and communicates with its operators exclusively via public cloud storage services. It uses a two-stage architecture where the first stage download…
Pegasus spyware was used against Thailand’s pro-democracy movement, with at least 30 civil society victims infected between October 2020 and November 2021, triggering Apple security notifications in November 2021 and a collaborative forensic investigation. The…
ReversingLabs uncovered a widespread npm software supply chain attack where malicious JavaScript packages were published to steal form data from apps and websites. The campaign used typosquatting to impersonate legitimate…
Phishing content is increasingly delivered via Azure Front Door, with attackers using lookalike domains to harvest credentials from multiple major services. They rely on compromised email accounts to spread targeted phishing, impersonating brands like SendGrid…
IceXLoader is a Nim-based commercial loader promoted in malware forums to download and deploy additional payloads on Windows machines, with ties to NimzaLoader used by the TrickBot group. The article outlines IceXLoader v3.0’s technical behavior, potential del…
Cyble Research Labs identified an Android malware variant distributed via the Play Store that acts as a Hostile Downloader to fetch the Hydra Banking Trojan. The app masquerades as Document Manager, uses fake update prompts, and communicates with a TOR-enabled…
SeaFlower is a highly sophisticated intrusion set that targets web3 wallets by delivering backdoored iOS/Android apps, injecting covert code to exfiltrate seed phrases and balances. It uses provisioning-based sideloading, dylib injections, React Native bundle …
PureCrypter is a fully featured loader sold since 2021 that distributes a range of remote access trojans and information stealers. It uses a .NET-based, obfuscated, and encrypted delivery chain with protobuf-configured options for persistence, injection, and d…
Lazarus Group targeted Korea by exploiting the Log4j CVE-2021-44228 vulnerability on unpatched VMware Horizon to install NukeSped and related components. The operation includes NukeSped backdoors, INFOSTEALER, and Jin Miner modules, with data exfiltration and …
Secureworks CTU researchers analyzed COBALT MIRAGE’s ransomware operations in the United States, spotting two intrusion clusters: Cluster A uses BitLocker/DiskCryptor for opportunistic ransomware, while Cluster B pursues targeted intrusions with some ransomwar…