Mandiant outlines a chain where a tampered LNK shortcut launches a legitimate Chromium-based browser, loading a malicious extension to achieve persistence. The research tracks multiple malware families—RILIDE, BRAINFOG, BRAINSTORM, and BRAINLINK—and details th…
BlackBit is a LokiLocker ransomware variant that operates under a RaaS model and shows signs of being in early development with targeted persistence and evasion capabilities. The strain deploys multiple defense-evasion techniques, persistence mechanisms, and u…
ASEC reports ongoing campaigns where XMRig CoinMiner is installed on poorly managed Linux SSH servers, using SHC-built malware and creating backdoor SSH accounts for persistence. The attacks, attributed to the KONO DIO DA threat actor, involve dictionary/dicti…
CRIL researchers describe AresLoader, a multiclass loader used to spread LummaStealer and IcedID via a disguised GitLab repo, targeting Citrix users. The malware uses multi-stage delivery, dynamic API resolution, and various anti-analysis techniques to evade d…
Elastic Security Labs uncovers LOBSHOT, a stealthy hVNC-capable malware tied to TA505, spread via malvertising campaigns that impersonate legitimate software. The analysis provides a YARA signature and a configuration extractor, detailing infection, persistenc…
Researchers detail a Magecart campaign in which a threat actor uses a custom fraudulent modal to hijack checkout and steal credit card data from compromised Prestashop stores. The skimmer relies on a well-crafted modal, dynamic HTML, obfuscated code, and a red…
Infoblox identifies a rare DNS-based toolkit named Decoy Dog, built around the Pupy RAT, observed in enterprise networks through DNS beacons and encrypted DNS traffic. The report links possible Earth Berberoka activity and outlines three infrastructure models …
A malicious PyPI package named termcolour reappeared in March as a three-stage downloader, illustrating how repurposing an abandoned package name can seed a supply-chain attack. The incident shows how PyPI’s name-reuse policy and lack of visibility into who re…
JPCERT/CC documented an attack around February 2023 that targeted a crypto asset exchanger with Parallax RAT delivered via spam emails directing victims to a Google Drive link. The operation used OneNote files with embedded VBS, a PowerShell payload, Windows s…
Identifying Connected Infrastructure and Management Activities. Introduction: This blog post seeks to build on recent public reporting on…
OCX#HARVESTER is a threat campaign by Securonix Threat Labs leveraging the More_eggs malware suite to target financial-sector victims, with activity observed from late 2022 through early 2023 and new C2 infrastructure shifts. The campaign uses image-based LNK …
Symantec Threat Hunter details Daggerfly/MgBot activity targeting telecoms in Africa and Asia, highlighting a modular malware framework used for extensive information gathering. The campaign shows ongoing tool development, credential dumping, AD enumeration, a…
Bumblebee malware was distributed via trojanized installers for Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace, using a malicious Google Ad chain and a compromised WordPress site to drive victims to fake download p…
Trigona ransomware campaigns target poorly managed MS-SQL servers, leveraging a CLR SqlShell dropper and service-based execution to escalate privileges and encrypt data. The operation includes credential abuse, registry and Run key persistence, and a ransom no…
Trigona is a Delphi-based ransomware that encrypts files using RSA and AES with a novel residual block termination, adds a multi-step decryption workflow, and recently gained a data wiper capability. ThreatLabz notes overlap in tactics with BlackCat/ALPHV, but…