Insikt Group tracks BlueCharlie, a Russia-nexus threat group that is evolving its operations, with 94 new domains registered since March 2023.
An e-mail-based malspam campaign delivered a small LNK dropper that pretends to be a Purchase Order PDF. The LNK ultimately downloads a PDF lure, a BAT file, and two obfuscated .NET binaries that are loaded reflectively in memory, with low VirusTotal detection…
The article references a CISA advisory about threat actors exploiting Ivanti EPMM vulnerabilities. It notes the presence of IOCs (file hashes) associated with the activity and suggests mitigation guidance from CISA. Hasht…
This report is a summary of threat activity linked to the Russian advanced persistent threat (APT) group BlueBravo (APT29, Midnight Blizzard) uncovered since January 2023.
Nitrogen is a new initial-access malware campaign identified by Sophos X-Ops that leverages malvertising and impersonation of legitimate software to drop trojanized installers. The operation targets North American tech and non-profit entities to deploy second-…
RomCom RAT campaigns—likely a nation-state or linked actor—have been highly active since early 2022, targeting Ukraine-related figures and NATO-related events while evolving tactics to evade detection. The report provides behavioral detection tips, Sigma rules…
Akira’s Linux ransomware variant is a 64-bit build that supports configurable command-line options, forks processes, encrypts roughly 190 file extensions (appending .akira), and implements multiple symmetric ciphers (AES, Camellia, IDEA, DES, ChaCha20) along w…
Cyble researchers highlight a trojanized Visual Studio installer that bundles a cookie-stealing malware, enabling attackers to harvest browser cookies and other data. The stolen information is compressed and exfiltrated via Telegram, while the attacker attempt…
FortiGuard Labs reviews the Cl0p ransomware group’s activities, noting a shift from encrypting victim data to data exfiltration and extortion, often tied to high-profile vulnerabilities like MOVEit Transfer (CVE-2023-34362). The report also highlights the grou…
In July 2023, Mandiant Consulting responded to a supply chain compromise affecting a US-based software solutions entity. We believe the compromise ultimately began as a result of a sophisticated spear phishing campaign aimed at JumpCloud, a zero-trust directory platform service used for identity and access management. JumpCloud reported this unauthorized access…
The CYFIRMA report identifies Blank Grabber as an open-source infostealer builder (reintroduced with high evasiveness) that targets Windows and constantly evolves with new features. It emphasizes its data-exfiltration capabilities, evasion techniques, and use …
DomainNetworks runs a snail-mail scam that dresses up as a bill for domain-related services to chill people into paying for non-existent offerings. The investigation traces a web of front entities, domain registrations, and aliases (including Sammy Sam Alon and UBSagency) used to obfuscate the operation. #DomainNetworks #USDomainAuthority #TheDomainsVault #UBSagency #SammySam_Alon #ShmuelOritAlon #EliranBenz #Houzz #WebListingsInc
In the first half of 2023, Mandiant Managed Defense has observed a threefold increase in the number of attacks using infected USB drives to steal secrets. Mandiant tracked all of the cases and found that the majority of the incidents could be attributed to several active USB-based operation campaigns affecting both…
Wordfence Threat Intelligence tracked a targeted exploit campaign against WooCommerce Payments CVE-2023-28121, which allowed unauthenticated attackers to obtain administrative privileges on vulnerable sites. The attackers used a multi-stage workflow including …
Cloaked Ursa (APT29) expanded its diplomatic-target espionage with novel, individual-focused phishing lures, including a Kyiv BMW-for-sale campaign that targeted embassies. The operation uses dual C2 channels (Microsoft Graph API and Dropbox) and sophisticated…