CyCraft’s first-hand investigation reveals a China-state-backed operation, dubbed “Operation Cache Panda,” targeting Taiwan’s financial sector through a broad supply-chain attack exploiting software vulnerabilities and deploying multi-stage, memory-resident ma…
Tag: LATERAL MOVEMENT
Cobalt Strike is being distributed to unsecured MS-SQL servers, leveraging brute force, dictionary attacks, and command execution to deploy a memory-based beacon. The campaign overlaps with other malware like Lemon Duck, Kingminer, and Vollgar that abuse port …
In a November 2021 intrusion, threat actors gained a foothold with Qbot (Quakbot) and used Zerologon to elevate to domain admin, enabling Cobalt Strike deployment and broader network compromise. They conducted AD discovery, exfiltrated sensitive documents, and…
SentinelLabs tracks TunnelVision, an Iranian-aligned threat actor cluster exploiting VMware Horizon and Log4j vulnerabilities to deploy backdoors, harvest credentials, and move laterally in the Middle East and the US. The operation heavily relies on tunneling …
Picus Security analyzes LockBit 2.0 ransomware, detailing its evolution as a RaaS operator, its anti-detection techniques, and its methods to disrupt victim recovery and logging. The post also lists IOCs and maps LockBit 2.0 behaviors to MITRE ATT&CK technique…
Lorenz ransomware has evolved with customized attacks against organizations worldwide, often demanding large ransom fees. Cybereason links Lorenz to ThunderCrypt and notes that while a No More Ransom decryptor exists, it is limited and often ineffective. #Lore…
Antlion, a Chinese APT, deployed a custom .NET loader called xPack to compromise Taiwanese targets, focusing on financial and manufacturing organizations and conducting extended credential dumping and data staging. The operation used a mix of custom loaders an…
Qbot (QakBot) campaigns spread rapidly by delivering a malicious Excel macro that loads a QBot DLL, then injects into msra.exe to harvest browser data and Outlook emails. The operation escalates privileges, moves laterally across all workstations, and uses mul…
A phishing campaign uses specially crafted CSV text files to install the BazarLoader/BazarBackdoor malware by abusing Excel’s Dynamic Data Exchange (DDE) feature. The attack chain pivots through WMIC and PowerShell to download and execute a DLL, enabling remot…
Cisco Talos links a campaign targeting Turkish private organizations and government bodies to MuddyWater, an Iran-linked APT group, using malicious PDFs, Excel files and Windows executables to drop PowerShell-based downloaders and establish footholds. The oper…
StellarParticle is CrowdStrike’s tracked campaign tied to COZY BEAR (APT29) and the SolarWinds incident, with activity continuing against multiple organizations. The operation employs novel techniques such as browser cookie theft and O365 service principal hij…
The Belarusian Cyber Partisans disclosed documents related to a railway-targeting incident and discussed that Curated Intelligence member SttyK would study the methods used. The published material outlines an incident aimed at hindering operations and details …
TrickBot’s operators have augmented injections with layered defenses to hinder researchers and improve theft during online banking fraud. IBM Trusteer details how TrickBot fetches per-target web injections, secures its communications, and relies on obfuscation…
Donot Team (also known as APT-C-35 and SectorE02) is a long-running South Asia-focused threat actor linked to Windows and Android malware, with Amnesty International alleging links to an Indian cybersecurity company that may sell spyware or hackers-for-hire se…
MoonBounce is a sophisticated UEFI firmware implant that persists in SPI flash and chains into a memory-resident, fileless malware deployment, attributed to APT41. The campaign also features ScrambleCross loaders (StealthVector and StealthMutant) and multiple …