Trend Micro’s report details Iron Tiger’s update to SysUpdate, adding Linux-targeting capabilities and new C2 features, including DNS-based communication. It also notes hardened loading techniques, signed binaries abuse, and a lure using a chat application, in…
Microsoft OneNote is becoming a growing vector for malware delivery, as threat actors embed malicious payloads in OneNote documents distributed via phishing emails and other deceptive tactics. Across multiple case studies, attackers use obfuscation and scripti…
Blackfly (also known as APT41, Winnti Group, Bronze Atlas) continues targeting Asia, focusing on the materials and composites sector and hitting two subsidiaries of an Asian conglomerate to steal intellectual property. Researchers detail a late-2022 to early-2…
Team Cymru tracks infrastructure linked to the IcedID threat, revealing a Chilean IP involved in accessing IcedID BackConnect/C2 activity and related DNS services. The findings show a network of domains, VPN usage, and tools frequently associated with IcedID o…
Magniber has relaunched its campaign by delivering MSI installers through Edge and Chrome, after shifting away from the old IE vulnerability. It uses a loader that injects Magniber into user processes, persists via Run registry keys, and downloads a new instan…
ESET researchers analyzed Wslink and its WinorDLL64 payload, a backdoor that loads in-memory modules and communicates over an existing Wslink connection. The backdoor collects extensive system information, manipulates files, and executes commands, with Lazarus…
Bitdefender Labs observed a global wave of opportunistic attacks exploiting CVE-2022-47966 in ManageEngine products, with 2,000–4,000 internet-facing servers potentially vulnerable. The advisory documents four attack clusters (Initial Access Brokers, Buhti Ran…
HardBit 2.0 is a ransomware variant observed from late 2022 that encrypts data after stealing sensitive information, negotiating the ransom with victims rather than demanding a fixed bitcoin amount. It combines data theft, encryption, and multiple defense-evading and persistence …
ASEC reports that the RedEyes group (ScarCruft/APT37) targeted individuals in Korea by exploiting the CVE-2017-8291 HWP EPS vulnerability and delivering malware via steganography. They reveal a new backdoor, M2RAT (Map2RAT), that uses a shared memory channel a…
Two office-document threat vectors are described: attackers are moving from VBA macros to malicious Microsoft Office Add-ins, specifically XLLs, to deliver payloads. The article details a Raccoon Stealer V2 campaign that uses obfuscated .NET installers loaded …
Redline Stealer has re-emerged with new findings on its TTPs and detection, detailing its infection chain, data-theft capabilities, and persistence mechanisms. The article outlines how the malware spreads, what data it targets, and the indicators that security teams can …
EclecticIQ analyzes three cases of cyberattacks likely linked to the Gamaredon APT group, targeting the Security Service of Ukraine, Culver Aviation, and Latvian/NATO allies with phishing, HTML smuggling, and CVE-2017-0199 Word exploits. The report notes overl…
SecurityScorecard’s STRIKE Team investigates a ransomware incident affecting a major U.S. city housing authority and concludes with moderate confidence that the event involved ransomware, despite past false claims by LockBit. The analysis ties activity to a kn…
Paradise ransomware is being distributed via exploitation of the AweSun vulnerability, with the same actors previously linked to Sunlogin-related BYOVD and Sliver C2 campaigns. The attackers use AweSun-generated cmd/PowerShell to install DP_Main.exe, encrypt f…
Huntress linked a February 2023 GoAnywhere MFT-related intrusion to a zero-day vulnerability and a Truebot-like post-exploitation activity, leading to a mitigation before a ransomware event could unfold. The effort highlighted how certutil and rundll32 were us…