Space Pirates is an Asia-rooted advanced threat group whose activities span several backdoors and loaders, targeting government and aerospace/energy sectors in Russia, Georgia, and Mongolia. The report ties Space Pirates to multiple other APTs and tooling exch…
CISA warns that malicious actors linked to APT activity are exploiting CVE-2022-22954 and CVE-2022-22960 in VMware Workspace ONE Access and related products to achieve remote code execution and root-level access, chaining vulnerabilities for full system contro…
Secureworks CTU researchers analyzed COBALT MIRAGE’s ransomware operations in the United States, spotting two intrusion clusters: Cluster A uses BitLocker/DiskCryptor for opportunistic ransomware, while Cluster B pursues targeted intrusions with some ransomwar…
Black Basta’s infection routine is dissected, revealing how the ransomware relies on credential access, privilege escalation, and careful system manipulation to achieve encryption and extortion. The analysis also covers its methods for disabling recovery, alte…
BlackCat (ALPHV) is a Rust-based ransomware-as-a-service operation linked to BlackMatter and REvil lineage, notable for cross-platform samples and a sophisticated exfiltration workflow using Fendr/ExMatter. Telemetry suggests a close tie to past BlackMatter ac…
SystemBC is a proxy malware that has been used by various attackers for years, functioning as both a proxy bot and a downloader for additional payloads. It has recently been distributed through SmokeLoader and Emotet and has featured in ransomware campaigns, i…
The diary documents a MetaStealer infection chain delivered via malicious Excel attachments that drop and persist a Windows EXE and DLL after macro execution and a VBScript loader. It also notes the malware abusing legitimate services like GitHub and transfer.…
CaddyWiper is a Windows wiper that destroys data and wipes drives on Ukrainian infrastructure. It is delivered via Group Policy after compromising Active Directory, and follows WhisperGate, HermeticWiper, and IsaacWiper as the fourth observed in the same perio…
Trend Micro’s Managed XDR team uncovered a campaign where SocGholish drops a BLISTER loader that in turn delivers the LockBit ransomware, highlighting layered evasion and loader-to-beacon chaining. The investigation details how these loaders operate together, …
The Stolen Images campaign used IcedID as the initial access vector to drop Cobalt Strike beacons, leading to Conti ransomware deployment across a domain. The operation blended off-the-shelf remote-access tools (Atera, Splashtop), multiple Cobalt Strike server…
Talisman is a PlugX variant that loads a modified DLL via a signed benign binary to decrypt and execute a backdoored payload with plug-in capabilities. The campaign is attributed with medium confidence to the Chinese state-backed RedFoxtrot group, targeting So…
Avast Threat Labs identify Operation Dragon Castling, a Chinese-speaking APT campaign targeting betting companies in Southeast Asia (Taiwan, the Philippines, and Hong Kong). The operation uses a modular toolkit (MulCom backdoor, Proto8 CoreX/Core Module, and W…
TRU and BreakPoint Labs uncovered a Conti affiliate operating an automated Cobalt Strike infrastructure, exposing new domain names, IP addresses, and emails used for command-and-control. The findings link Conti operations to Trickbot, BazarLoader, IcedID, Five…
APT35 (PHOSPHORUS/UNC2448) leveraged Microsoft Exchange ProxyShell vulnerabilities to gain initial access, deploy web shells, and perform post-exploitation tasks, including credential dumping and payload deployment. The activity appears scripted and automated,…
Threat researchers describe a first-stage spearphishing campaign targeting luxury hotels in Macao that used a password-protected Excel file with macros to drop and execute further payloads via scheduled tasks and PowerShell. The operation, attributed to DarkHo…