UNC2891 uses in-memory droppers like STEELCORGI and STEELHOUND to decrypt or encrypt payloads via environment-keying, and operates a broad Unix/Linux toolkit (SUN4ME) for recon, enumeration, and exploitation. The group also deployed Linux/Unix keyloggers (WING…
Tag: PRIVILEGE
Dragos reports sustained network chatter between Emotet C2 servers and multiple auto manufacturers, with the Emotet infrastructure suspected to be controlled by the Conti ransomware group. No confirmed initial access or encryption has been observed yet, and ac…
DirtyMoe’s worming module autonomously spreads by exploiting several known vulnerabilities and by generating target IPs based on geolocation, enabling mass-scale infection and lateral movement. This Avast Threat Lab analysis details the worm’s kill chain, the …
Cyble’s deep-dive into Pandora ransomware unveils its encryption behavior, links to ROOK-like TTPs, and notable anti-analysis and cleanup techniques. The analysis details a UPX-packed, C++-compiled payload that uses mutexes, privilege escalation, ETW/AMSI evas…
FBI and CISA warn that Russian state-sponsored cyber actors gained network access by exploiting default MFA configurations and the PrintNightmare vulnerability, enabling document exfiltration from an NGO via compromised credentials and MFA bypass. The advisory…
RURansom is a wiper targeting Russia, not a ransomware variant, as encryption is irreversible. It spreads like a worm via removable disks and mapped network shares, encrypting files and dropping a wiper note, while some versions exhibit geo-targeting and obfus…
APT41’s operations against U.S. state governments leveraged multiple, overlapping campaigns: initial access via a USAHerds web app vulnerability (CVE-2021-44207) followed by Log4Shell (CVE-2021-44228) deserialization to deploy backdoors, including KEYPLUG.LINU…
FortiGuard Labs uncovered a phishing operation masquerading as a purchase order to a Ukrainian manufacturer, delivering Agent Tesla via a PPAM PowerPoint add-in. The campaign uses a multi-stage dropper with Bit.ly and MediaFire stages, ends with PowerShell-bas…
In a November 2021 intrusion, threat actors gained a foothold with Qbot (Quakbot) and used Zerologon to elevate to domain admin, enabling Cobalt Strike deployment and broader network compromise. They conducted AD discovery, exfiltrated sensitive documents, and…
A Check Point Research analysis uncovers a coordinated IRIB cyberattack (Jan 2022) that hijacked state TV/radio playout, deployed backdoors, and used a wiper to disrupt broadcasting. The report details tools like SimplePlayout, Winscreeny, HttpCallbackService,…
Picus Security analyzes LockBit 2.0 ransomware, detailing its evolution as a RaaS operator, its anti-detection techniques, and its methods to disrupt victim recovery and logging. The post also lists IOCs and maps LockBit 2.0 behaviors to MITRE ATT&CK technique…
Researchers from Cado Security uncovered CoinStomp, a Linux-based malware family targeting Asian Cloud Service Providers to mine cryptocurrency using a shell-script campaign. It employs timestomping, removal of cryptographic policies, and a /dev/tcp reverse sh…
Antlion, a Chinese APT, deployed a custom .NET loader called xPack to compromise Taiwanese targets, focusing on financial and manufacturing organizations and conducting extended credential dumping and data staging. The operation used a mix of custom loaders an…
PrivateLoader is used as a delivery framework to host Smokeloader payloads and other malware via PPI services, spanning multiple campaigns and payload families. It has facilitated deliveries of Qbot, Kronos, Trickbot, Dridex, Danabot, Vidar, and even Conti ran…
Mandiant ties a campaign that uses SEO poisoning to distribute BATLOADER and ATERA Agent to techniques disclosed after a CONTI ransomware affiliate leak in August 2021. The report also provides extensive indicators, a YARA rule, and a MITRE ATT&CK mapping span…