Artificial intelligence (AI) and large language models (LLMs) can help threat intelligence teams to detect and understand novel threats at scale, reduce burnout-inducing toil, and grow their existing talent by democratizing access to subject matter expertise. However, broad access to foundational Open Source Intelligence (OSINT) data and AI/ML technologies has quickly…
Tag: SSO
QR codes are being exploited in phishing to hide malicious URLs and bypass filters, with threat actors using QR codes in emails and PDFs to lure victims into credential harvest pages. The campaigns increasingly impersonate MFA/SSO flows and rely on chained red…
An analysis of how researchers uncover and trace ransomware campaigns through shared code, IOCs, and evolution across variants, using ADHUBLLKA and its descendants as a case study. It highlights rebranding tactics, TOR-based communication, and the use of a Fre…
Scattered Spider (UNC3944, Scatter Swine, Muddled Libra) is a financially motivated threat actor active since May 2022, primarily targeting telecom and BPO sectors and expanding to critical infrastructure. The group relies on social engineering, signed kernel …
Lumen Black Lotus Labs observed a renewed HiatusRAT campaign (mid-June to August 2023) in which the actor recompiled binaries for multiple CPU architectures and hosted payloads on shifting VPS infrastructure. Telemetry linked the campaign to heavy targeting of Ta…
Threat actors abuse Adobe Creative Cloud, Edge, and other executables vulnerable to DLL hijacking in campaign targeting the Southeast Asian gambling sector.
Threat actors delivered StealC infostealer via a deceptive Google Sheets lure, loading a downloader after users encounter a fake warning and a malicious page. The campaign uses obfuscated JavaScript, anti-VM checks, and a Rust-compiled final payload that exfil…
In May 2023, Cofense researchers observed a large phishing campaign that used QR codes to harvest Microsoft credentials across multiple industries. The energy sector was a notable target, with Bing redirect URLs and domains such as krxd.com and cf-ipfs.com inv…
FortiGuard Labs detected malicious PyPI packages in early July and leveraged an AI-powered OSS threats-hunting system to identify threats in near real-time. The campaigns reuse multiple PyPI IDs across two package sets, include encrypted payloads that execute …
A summary of the SugarCRM CVE-2023-22952 zero-day's impact on cloud environments and the defender-focused insights it yields. The post maps the attacks to MITRE ATT&CK techniques and outlines concrete mitigations like IAM least privilege, key management, an…
A Data-Driven Approach Based on Analysis of Network Telemetry: in this blog post, we will provide an update on our high-level analysis of…
North Korean threat actors attempt to further missile program by compromising sanctioned Russian defense company with OpenCarrot backdoor.
CrowdStrike Falcon Complete observed a still-unknown zero-day vulnerability affecting Windows Error Reporting (WER) that was exploited in the wild and later disclosed as CVE-2023-36874. The write-up details how the vulnerability was discovered, the exploit cha…
Magniber continues to spread at high volumes by masquerading as Windows security updates and injecting into running processes to encrypt files. It then establishes persistence via the Task Scheduler and deletes volume shadow copies to hinder recovery, while le…
Cyble researchers describe a Tech Scam that leverages leaked ransomware builders to distribute a multi-stage downloader and multiple ransomware payloads as part of fraud campaigns. The operation ties phishing, typosquatting, and Dark Web activity to fake antiv…