An unknown threat actor exploits CVE-2019-18935 in Telerik UI for ASP.NET AJAX to seize control of Windows servers, drop a Cobalt Strike beacon, and stage further malware via PowerShell commands. Sophos MTR links these campaigns to earlier Blue Mockingbird act…
Tag: LATERAL MOVEMENT
Two security researchers describe how crypto-mining operations leveraged Atlassian Confluence zero-day CVE-2022-26134 to drop and execute mining payloads on Linux and Windows hosts, using a multi-stage chain from initial exploitation to persistence and lateral…
Bumblebee is a sophisticated loader that replaces BazarLoader and delivers frameworks like Cobalt Strike, Shellcode, Sliver, and Meterpreter, while also dropping other malware such as ransomware. It is distributed via spear-phishing ISO downloads, employs exte…
Researchers document Black Basta’s observed TTPs during a recent incident response, detailing lateral movement, defense evasion, discovery, and encryption activities against Hyper-V environments and Veeam backups. The post also provides a technical breakdown o…
Palo Alto Networks’ analytics uncovered a sophisticated threat operation centered on the Popping Eagle malware family, with a Go-based second stage (Going Eagle) used for control and lateral movement. The campaign abused DLL hijacking to load a proxy DLL, esta…
Threat actors exploited CVE-2021-44077 to gain initial access to an internet-facing ManageEngine SupportCenter Plus instance, planted a web shell, and began days-long data exfiltration via web shell and RDP. The operation involved Plink-based SSH tunneling, LS…
Trend Micro’s Threat Hunting team analyzed a series of CMD-based ransomware variants, culminating in YourCyanide, a multi-stage malware that uses layered downloads and heavy obfuscation. The family evolves from GonnaCope through Kekpop and Kekware, employing D…
UNC2165 is analyzed as overlapping with Evil Corp activities and shifting toward ransomware deployments such as HADES and LOCKBIT, leveraging FAKEUPDATES, BEACON, and post-exploitation techniques to breach networks while evading sanctions. The report traces th…
A BlackBerry Research & Intelligence analysis traces the Chaos ransomware family from its Chaos v1.0 origins to Yashma (Chaos v6.0), showing how Onyx emerged from Chaos v4.0 and how Yashma expands capabilities. The piece also covers spear-phishing activity tar…
Cyble researchers found a threat actor distributing fake PoCs for CVE-2022-26809 and CVE-2022-24500 on GitHub, targeting the infosec community. The malware is a .NET binary packed with ConfuserEx that displays fake exploit messages and then calls Power…
Space Pirates is an Asia-rooted advanced threat group whose activities span several backdoors and loaders, targeting government and aerospace/energy sectors in Russia, Georgia, and Mongolia. The report ties Space Pirates to multiple other APTs and tooling exch…
Lazarus Group targeted Korea by exploiting the Log4j CVE-2021-44228 vulnerability on unpatched VMware Horizon to install NukeSped and related components. The operation includes NukeSped backdoors, INFOSTEALER, and Jin Miner modules, with data exfiltration and …
Quantum Locker is a fast, human-operated ransomware strain linked to MountLocker that encrypts data within hours of infection, often leaving defenders little time to respond. Cybereason Nocturnus classifies the threat as HIGH, notes a RansomOps playbook, and h…
Secureworks CTU researchers analyzed COBALT MIRAGE’s ransomware operations in the United States, spotting two intrusion clusters: Cluster A uses BitLocker/DiskCryptor for opportunistic ransomware, while Cluster B pursues targeted intrusions with some ransomwar…
North Korea-linked Lazarus continues its Dream Job espionage campaign targeting chemical sector organizations, using fake job offers, Trojanized tools, and a multi-stage payload chain to infiltrate networks and steal intellectual property. Symantec’s findings …