Trigona is a Delphi-based ransomware that encrypts files using RSA and AES with a novel residual block termination, adds a multi-step decryption workflow, and recently gained a data wiper capability. ThreatLabz notes overlap in tactics with BlackCat/ALPHV, but…
Tag: SSO
RTM Locker operates as a ransomware-as-a-service with affiliates under strict governance, aiming to stay under the radar and monetize rather than seek headlines. The article provides a technical deep dive into their Windows ransomware, including panel operatio…
eSentire observed a surge in Qakbot information-stealing malware incidents across multiple industries in early April 2023, with phishing emails delivering zip archives containing a Windows script (.wsf), a PDF, or an HTML file via HTML smuggling. The campaign …
Security researchers analyzed a 3CX supply-chain attack and found that manipulated MSI installers of 3CXDesktopApp deliver a malicious DLL which decrypts and executes shellcode, dropping a backdoor named Gopuram along with an infostealer. Attribution points to…
Trustwave SpiderLabs analyzes Emotet Epoch 4 resuming spam campaigns, including a shift to OneNote attachments and heavy obfuscation to evade scanners. The post details padding tricks, a highly obfuscated VBA macro (AutoOpen) and a decode routine, plus the ass…
Genesis Market, a major underground marketplace for stolen credentials, browser fingerprints, and cookies, was disrupted by a multinational law enforcement operation spanning 17 countries, leading to takedown notices and arrests or contacts with users. The pos…
Typhon Reborn V2 is a rebuilt information stealer with significantly enhanced anti-analysis, anti-VM, and obfuscation capabilities, designed to evade security researchers and detections. It exfiltrates collected data via Telegram and is sold cheaply on undergr…
A sophisticated new toolset is being used to harvest credentials from multiple cloud service providers, including AWS SES and Microsoft Office 365.
The Mantis threat group (Arid Viper/Desert Falcon) continues targeting Palestinian organizations with a refreshed toolset and a persistent presence across networks. The campaign centers on updated Micropsia and Arid Gopher backdoors, credential theft, and data…
The Royal Ransomware encrypts files across all volumes, including network shares, using .Royal, .Royal_w, or .royal_u extensions and a tor-based README.TXT for attacker contact. It combines AES with an RSA public key embedded in the executable, deletes shadow c…
Securonix Threat Research documented the STARK#VORTEX campaign that uses Ukrainian-themed .chm (Microsoft Help) lure files to execute obfuscated JavaScript and PowerShell which download and deploy MerlinAgent payloads. The chain establishes persistence via a r…
Researchers uncovered Mélofée, a Linux-targeted implant with a kernel-mode rootkit tied to Winnti and Chinese state-sponsored actors, featuring evolving capabilities such as a SelfForwardServer. The analysis traces multiple samples, their infrastructure, and l…
Microsoft’s guidance explains how CVE-2023-23397 enables a secret Net-NTLMv2 hash leak via Outlook reminders and outlines Forest Blizzard (STRONTIUM), a Russian state-sponsored group linked to GRU Unit 26165, as an actor exploiting this vulnerability to access…
Magecart campaigns are exploiting client-side obfuscation to load skimmers during checkout, using Hunter to conceal JavaScript code and inject malicious forms. The techniques culminate in encoded credit card data stored in a cookie and exfiltrated via POST, al…
Earth Preta orchestrates a long-running cyberespionage operation involving multiple APT subgroups (724, 1358, 5171) with a centralized development unit, targeting a range of sectors and regions and expanding to maritime and government entities. The study highl…