MS-SQL servers are commonly targeted by attackers who gain control and install malware, including coin miners and ransomware. The article details a case where attackers deploy Cobalt Strike and Meterpreter on vulnerable MS-SQL servers to install AnyDesk for re…
Tag: PRIVILEGE
Black Basta expanded its repertoire by employing QakBot as an entry point and using the PrintNightmare flaw to perform privileged file operations. It also leveraged the Coroxy backdoor and Netcat for lateral movement across networks. #BlackBasta #QakBot
Talos observed a month-long AvosLocker campaign leveraging Sliver, Cobalt Strike, and network scanners to move laterally after exploiting Log4Shell on exposed VMware Horizon UAG appliances. The incident underscores the importance of properly configured securit…
QBot (QakBot) is a long-standing banking trojan that steals credentials and is spread via spam emails with macro-enabled Office documents. The article highlights two recent distribution methods (XLSB with hidden payload sheets and XLTM macro templates), detail…
Volexity details a targeted Sophos Firewall breach that leveraged a zero-day remote code execution vulnerability (CVE-2022-1040) to install a webshell, establish persistence, and conduct MITM activity that extended to external systems such as CMS websites. Sop…
An unknown threat actor exploits CVE-2019-18935 in Telerik UI for ASP.NET AJAX to seize control of Windows servers, drop a Cobalt Strike beacon, and stage further malware via PowerShell commands. Sophos MTR links these campaigns to earlier Blue Mockingbird act…
Purple Fox malware evolved from an exploit kit used by RIG EK into an independent threat that deploys a multi-stage, stealthy infection chain featuring a rootkit, LOLBIN abuse, and privilege escalation via public CVEs. The analysis maps observed behaviors to M…
Avast researchers document Syslogk, a Linux kernel rootkit under development in the wild that leverages Adore-Ng foundations to hide itself and a Rekoobe backdoor embedded in a fake SMTP server. The malware can be revealed, loaded, and controlled via on-demand…
Symbiote is a highly evasive Linux threat that infects running processes by loading as a shared object via LD_PRELOAD to gain rootkit capabilities and remote access. Researchers describe its stealthy behavior—hiding itself and other malware, evading live foren…
Aoqin Dragon is a long-running Chinese-speaking APT tracked by SentinelLabs, active since 2013 and targeting government, education, and telecom organizations in Southeast Asia and Australia. The group uses document exploits, fake removable devices, DLL hijacki…
Threat actors exploited CVE-2021-44077 to gain initial access to an internet-facing ManageEngine SupportCenter Plus instance, planted a web shell, and began days-long data exfiltration via web shell and RDP. The operation involved Plink-based SSH tunneling, LS…
An in-depth look at AsyncRAT campaigns tied to APT-C-36 and related RATs, focusing on evolving TTPs and how the Colombian distribution behaves in practice. The analyzed sample (Stub.exe) reveals anti-analysis checks, persistence via scheduled tasks and Run key…
UNC2165 is analyzed as overlapping with Evil Corp activities and shifting toward ransomware deployments such as HADES and LOCKBIT, leveraging FAKEUPDATES, BEACON, and post-exploitation techniques to breach networks while evading sanctions. The report traces th…
Fortinet’s FortiGuard Labs documented a phishing campaign that delivers three fileless malware payloads to Windows hosts, enabling attacker control and data theft via a C2 channel. The payloads AveMariaRAT, PandorahVNC RAT, and BitRat steal credentials, capture screens…
Nokoyawa is a Windows ransomware variant that traces its lineage to Karma/Nemty and increasingly reuses publicly available code to expand its capabilities. FortiGuard Labs reports new features such as Babuk-derived process and volume-enumeration code, a TOR-ba…