AsyncRAT is being distributed through Windows Help (CHM) files, with a multi-stage chain that downloads and executes payloads via mshta, VBScript, and HTA. The campaign culminates in a fileless AsyncRAT deployment featuring anti-VM, keylogging, and screenshot c…
The advisory outlines ongoing DPRK state-sponsored ransomware activity targeting Healthcare and Public Health Sector organizations and other critical infrastructure, detailing TTPs, IOCs, and cryptocurrency ransom payments. It also describes how actors acquire…
ASEC’s analysis reveals Quasar RAT being distributed via a private Home Trading System (HTS) called HPlus, used by illicit investment groups to lure victims and install malware. The campaign shows HTS masquerading as legitimate investment services, delivering …
An August 2022 incident began with a malicious Word document carrying a VBA macro that installed a PowerShell-based implant, established persistence via scheduled tasks, and used a renamed AutoHotkey-based keylogger to …
FortiGuard Labs detected a zero-day in a PyPI package named “web3-essential,” published by a newly joined user known as ‘Trexon’ on January 26, 2023. The package downloads and executes a Go-based binary to steal sensitive data and exfiltrate it via a Discord w…
IceBreaker APT is a newly tracked threat targeting the gambling/gaming sector in the run-up to ICE London, employing social-engineering to lure a customer-service agent and delivering a two-stage payload chain. Researchers describe a modular Node.js-based back…
Cyble Research & Intelligence Labs details a new BAT loader used to disseminate RATs and stealers via OneNote attachments delivered through spam emails. The article walks through the infection chain, the obfuscated BAT loader, in-memory .NET payload loading (Q…
Unit 42 researchers describe a machine learning pipeline that analyzes memory-based artifacts from a hypervisor-based sandbox to detect evasive malware like GuLoader. The article discusses limitations of static and sandbox analysis and demonstrates how memory-…
Rapid7 observed attackers using Microsoft OneNote to deliver base64-encoded payloads that decrypt to Redline Infostealer or AsyncRat, via a multi-stage chain starting with a phishing OneNote attachment. The analysis details how a hidden batch script launches a…
VectorStealer is an information-stealer capable of harvesting data from browsers, chat apps, and .rdp session files, enabling threat actors to perform RDP hijacking and remote access. It is sold via a web panel and Telegram channel, uses the KGB Crypter and Ko…
INKY uncovered a widespread Southwest Airlines credential harvesting phishing campaign that uses newly created domains to lure victims via a fake survey and gift-card offer. The scam escalates from impersonation and enticing branding to a credential-harvesting…
TrickGate is a transformative, shellcode-based packer-as-a-service used to conceal malware from security tools since 2016 and has wrapped a wide range of threats including Cerber, Trickbot, Maze, and Emotet. The packer’s core building blocks—shellcode loader, …
The article explains how to reconstruct Gootloader registry payloads using off-host Python scripts and CyberChef workflows, as well as on-host PowerShell decoding. It also catalogs technical indicators, network signals, and YARA rules related to GOOTLOADER, FO…
ASEC’s weekly briefing analyzes phishing email threats from January 8–14, 2023, highlighting attachments as the main delivery method for Infostealer, FakePage, and other malware families, including OneNote (.ONE) extensions. It also outlines case distributions…
Threat actors are increasingly using Go (Golang) to develop cross‑platform information stealers, with Titan Stealer highlighted as a recent example. The article covers Titan Stealer’s Go-based builder, its C2 infrastructure and dashboards, the data it collects…