Cobalt Strike Beacon communicates with an external TeamServer to emulate long-term C2 activity, while using multiple encoding schemes to hide metadata in HTTP traffic. The post analyzes five encoding methods (Base64, Base64URL, NetBIOS, NetBIOSU, and Mask), ho…
Tag: IOS
FortiEDR detected a Deep Panda operation exploiting the Log4Shell flaw in VMware Horizon servers, resulting in opportunistic infections across multiple sectors and countries. The campaign introduced a backdoor called Milestone and a novel kernel rootkit named …
Avast Threat Labs identify Operation Dragon Castling, a Chinese-speaking APT campaign targeting betting companies in Southeast Asia (Taiwan, the Philippines, and Hong Kong). The operation uses a modular toolkit (MulCom backdoor, Proto8 CoreX/Core Module, and W…
Deep Instinct’s Threat Research team uncovered a new Go-written Micropsia variant named Arid Gopher attributed to APT-C-23 (Arid Viper), with additional unseen second-stage payloads. The discovery highlights Go-based malware by Arid Viper and its evolving seco…
Arkei, a flexible information stealer, now expands to pilfer MFA data in addition to crypto-wallet information, using SmokeLoader as a deployment vector. Its configurable setup and use of legitimate components help it evade detection while exfiltrating data ba…
SentinelLabs tracks TunnelVision, an Iranian-aligned threat actor cluster exploiting VMware Horizon and Log4j vulnerabilities to deploy backdoors, harvest credentials, and move laterally in the Middle East and the US. The operation heavily relies on tunneling …
Lazarus targeted Boeing job-seekers using a lure document, Boeing BDS MSE.docx, to deliver a DLL that mimics legitimate Notepad++ functionality. The malware exfiltrates system and process information to four C2 servers after compression, XOR encryption, and Ba…
Cisco Talos identifies a new wave of the Delphi-based Micropsia implant operated by Arid Viper, targeting Palestinian entities and activists with politically themed decoys. The latest implants add multiple RAT and information-gathering capabilities, persistenc…
ESET analyzes a watering-hole campaign that delivers a new macOS backdoor named DazzleSpy via a WebKit/Safari exploit chain. Targets were Hong Kong pro-democracy individuals, with infection hosted on amnestyhk.org and other compromised sites like fightforhk.co…
Earth Karkaddan (APT36) is analyzed through its use of CrimsonRAT on Windows and CapraRAT/ObliqueRAT on Android, detailing infection chains based on spear-phishing, USB worms, and malicious macros. The piece also covers C2 communications, persistence mechanism…
Researchers from Palo Alto Networks, a computer security firm, have found that hackers who have been targeting jail-broken iPhones have raided more than 225,000 Apple accounts, using them for app buying sprees or to hold phones for ransom. The jailbreak is a tool in iPhones to use additional iThing…