BlackCat (ALPHV) is a Rust-based ransomware-as-a-service operation linked to BlackMatter and REvil lineage, notable for cross-platform samples and a sophisticated exfiltration workflow using Fendr/ExMatter. Telemetry suggests a close tie to past BlackMatter ac…
Tag: LATERAL MOVEMENT
SystemBC is a proxy malware that has been used by various attackers for years, functioning as both a proxy bot and a downloader for additional payloads. It has recently been distributed through SmokeLoader and Emotet and has featured in ransomware campaigns, i…
Trend Micro’s Managed XDR team uncovered a campaign where SocGholish drops a BLISTER loader that in turn delivers the LockBit ransomware, highlighting layered evasion and loader-to-beacon chaining. The investigation details how these loaders operate together, …
The Stolen Images campaign used IcedID as the initial access vector to drop Cobalt Strike beacons, leading to Conti ransomware deployment across a domain. The operation blended off-the-shelf remote-access tools (Atera, Splashtop), multiple Cobalt Strike server…
SentinelLabs describes AcidRain, an ELF MIPS wiper that targets modems and routers to overwrite flash storage, in the context of the KA-SAT outage tied to the Russia-Ukraine conflict. The report also notes potential overlaps with VPNFilter/Sandworm activity an…
A SentinelOne analysis examines Hive Ransomware’s IPfuscation technique, which hides a shellcode payload by encoding ASCII IP addresses that are translated into binary to form the shellcode. The write-up covers IPfuscated, UUIDfuscation, and MACfuscation varia…
UNC2891 uses in-memory droppers like STEELCORGI and STEELHOUND to decrypt or encrypt payloads via environment-keying, and operates a broad Unix/Linux toolkit (SUN4ME) for recon, enumeration, and exploitation. The group also deployed Linux/Unix keyloggers (WING…
Dragos reports sustained network chatter between Emotet C2 servers and multiple auto manufacturers, with the Emotet infrastructure suspected to be controlled by the Conti ransomware group. No confirmed initial access or encryption has been observed yet, and ac…
DirtyMoe’s worming module autonomously spreads by exploiting several known vulnerabilities and by generating target IPs based on geolocation, enabling mass-scale infection and lateral movement. This Avast Threat Lab analysis details the worm’s kill chain, the …
Talos analyzes how BlackCat/ALPHV operates as a growing ransomware-as-a-service with affiliates linked to prior groups like BlackMatter and DarkSide, outlining how the affiliates evolved the operation and used shared infrastructure. The piece details attack fl…
FBI and CISA warn that Russian state-sponsored cyber actors gained network access by exploiting default MFA configurations and the PrintNightmare vulnerability, enabling document exfiltration from an NGO via compromised credentials and MFA bypass. The advisory…
eSentire documented a TunnelVision-linked intrusion into a VMware Horizon server, exploiting Log4Shell to harvest credentials and establish access. The operation included a backdoor DomainAdmin, PSExec/RDP lateral movement, C2 via activate-microsoft.cf, and Ng…
Black Lotus Labs notes Emotet’s resurgence since November 2021, with about 130,000 unique bots across 179 countries and evolving infrastructure that could serve as footholds or proxy C2s. The report highlights changes in encryption, process-list handling, and …
Trend Micro researchers present evidence that Nokoyawa ransomware is likely connected to Hive, sharing parts of the attack chain, tools, and even infrastructure, with most Nokoyawa targets in Argentina. The analysis also highlights similarities and key differe…
TeamTNT is a prolific cryptomining threat actor that has targeted Linux servers for years, evolving from Redis to Docker and now Kubernetes-focused campaigns, with some Windows artifacts observed. The analysis details their TTPs, tools (including Tsunami, Rath…