Proofpoint catalogs three IcedID variants (Standard, Lite, and Forked) and notes a shift from banking-focused activity to payload delivery, including ransomware. It links the Forked variant to Emotet infections and multiple threat actors (TA581, TA578, TA551, TA…
Tag: SSO
MacOS threat actors are increasingly focusing on data theft rather than ransom, exfiltrating session cookies, keychains, SSH keys, and other sensitive data to monetize or enable espionage. The article outlines where these data assets reside, how attackers acce…
InQuest Labs analyzed a credential phishing campaign targeting a municipal government, tracing a sequence from a compromised sender to a cloud-hosted phishing infrastructure. The attacker used Raven cloud hosting and Microsoft Azure blob storage to lure victim…
Bad Magic is a Russo-Ukrainian conflict-related APT campaign delivering a modular malware stack starting with a ZIP delivered via a phishing-like lure, then a malicious LNK that leads to an MSI dropper. The operation unfolds as PowerShell-based loaders and a P…
Winter Vivern is investigated by SentinelLabs with observations from the Polish CBZC and Ukraine CERT, revealing a new wave of espionage campaigns linked to pro-Russian objectives. The APT targets governments and private entities globally, using tailored lures…
Check Point Research provides an in-depth analysis of the dotRunpeX injector and its evolution, detailing both the old and new versions and how they are protected by virtualization (KoiVM) and obfuscation (ConfuserEx). The report explains how dotRunpeX acts as…
In part one on North Korea’s UNC2970, we covered UNC2970’s tactics, techniques and procedures (TTPs) and tooling that they used over the course of multiple intrusions. In this installment, we will focus on how UNC2970 utilized Bring Your Own Vulnerable Device (BYOVD) to further enable their operations.
During our investigation, Mandiant consultants…
Lumen Black Lotus Labs discovered the “Hiatus” campaign that compromises business-grade DrayTek Vigor routers to deploy HiatusRAT and a tcpdump variant, enabling remote access, SOCKS5 proxying, and packet capture. Lumen observed ~100 infected routers (primaril…
Fortinet’s FortiGuard Labs’ Ransomware Roundup highlights two notable variants, Sirattacker and ALC, detailing their execution methods, ransom notes, and observed activity, including Bitcoin wallet interactions associated with the Sirattacker actor. The report…
Threat actors are abusing OneNote’s embedded files feature in phishing campaigns by hiding and executing payloads behind embedded pictures. The article explains how this technique works, how to detect it with YARA rules, and how Microsoft blocks many of these …
Sysdig’s Threat Research Team uncovered SCARLETEEL, a sophisticated cloud-attack operation that started in a Kubernetes pod and escalated into AWS to steal proprietary software and credentials. The operation leveraged Terraform state and AWS services to move l…
Older malware can still pose a threat, as FortiGuard Labs documents a renewed MyDoom campaign that uses aged tools in new phishing lures and C2 techniques. The campaign deploys UPX-packed payloads, masquerades as legitimate Windows processes, and relies on rot…
Microsoft OneNote is becoming a growing vector for malware delivery, as threat actors embed malicious payloads in OneNote documents distributed via phishing emails and other deceptive tactics. Across multiple case studies, attackers use obfuscation and scripti…
Unidentified threat actor(s) have deployed MortalKombat ransomware alongside a GO variant of Laplas Clipper in a financially motivated campaign since December 2022, using phishing and an automated loader to drop payloads. The operation also leverages RDP scann…
CYFIRMA analyzes EXFILTRATOR-22, a new post-exploitation framework marketed via Telegram and YouTube with anti-analysis capabilities and an affiliate model. The actors use domain fronting and CDN infrastructure to conceal C2 traffic and promote a subscription-…