Unit 42 analyzes PlugX variants hidden on USB devices, detailing novel USB infection and hiding techniques as part of a broader Black Basta-related investigation. The findings show USB-based persistence, stealthy file hiding, and multiple PlugX variants linked…
Rapid7 analyzes exploitation activity surrounding CVE-2022-47966, a pre-authentication RCE in ManageEngine on-premise products, noting public PoC code and ongoing compromises since January 2023. Organizations using affected products should patch and monitor fo…
Analyst1 presents a human-centric examination of the LockBit operation, tracing its evolution from ABCD to LockBit Red/Black and detailing the personalities, inter-gang dynamics, and operational innovations behind one of the world’s most prolific ransomware or…
The article explains how attackers abuse jQuery and JavaScript to inject malicious code into legitimate websites, including disguising malware as legitimate jQuery plugins and stealing credentials through deceptive login forms. It also outlines an incident r…
A CYFIRMA report details a phishing campaign that delivers GuLoader to download Remcos RAT via a heavily obfuscated VBScript loader. The operation uses PowerShell, LNK shortcuts, and in-memory process injection to establish C2 and persistence. #GuLoader #Remco…
Cisco Talos analyzed LNK file metadata to track threat actors and malware families such as Qakbot, Gamaredon, Bumblebee, and IcedID, showing how metadata can reveal campaign connections. As macros were blocked and actors shifted to LNK-based attachments, the article demonstrates how …
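The kind of metadata pivot the Talos write-up describes, as an added example that is not code from the Talos article: a minimal parser for the public MS-SHLLINK layout that pulls the header FILETIMEs, the command-line arguments, and the TrackerDataBlock's MachineID and the MAC address embedded in its version-1 file GUID, then clusters samples that share a (MachineID, MAC) pair. The three LNK blobs, their host names, GUIDs and arguments are constructed here and are not real samples; the cp1252 fallback for non-Unicode strings is an assumption.

```python
"""Parse forensic metadata out of Windows .lnk (Shell Link) files and cluster
samples by the origin it reveals.  Layout follows the public MS-SHLLINK
specification; the samples at the bottom are constructed here, not real."""
import struct
import uuid
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
TRACKER_SIGNATURE = 0xA0000003          # ExtraData TrackerDataBlock signature
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData entries in on-disk order, with the LinkFlags bit that enables each.
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def filetime_to_dt(ticks):
    """FILETIME: 100-ns ticks since 1601-01-01 UTC; zero means 'not set'."""
    return None if ticks == 0 else FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_lnk(data):
    """Return header timestamps, StringData fields and TrackerDataBlock fields."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, _attrs, ctime, atime, wtime = struct.unpack_from("<IIQQQ", data, 20)
    meta = {"created": filetime_to_dt(ctime), "accessed": filetime_to_dt(atime),
            "modified": filetime_to_dt(wtime)}
    pos = 76
    if flags & HAS_ID_LIST:             # IDListSize (u16) does not count itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:           # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for bit, name in STRING_FLAGS:      # CountCharacters (u16) + chars, no terminator
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + n * width]
            # Non-Unicode strings use the system code page; cp1252 is an assumption.
            meta[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + n * width
    while pos + 8 <= len(data):         # ExtraData: (BlockSize, BlockSignature, ...)
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break                       # TerminalBlock
        if sig == TRACKER_SIGNATURE and size >= 0x60:
            raw_id = data[pos + 16:pos + 32].split(b"\0", 1)[0]
            meta["machine_id"] = raw_id.decode("ascii", "replace")
            # Droid = VolumeID GUID + FileID GUID.  The FileID is a version-1 UUID,
            # so its node field is the MAC of the NIC on the machine that created it.
            file_id = uuid.UUID(bytes_le=data[pos + 48:pos + 64])
            if file_id.version == 1:
                node = "%012x" % file_id.node
                meta["mac"] = ":".join(node[i:i + 2] for i in range(0, 12, 2))
                meta["droid_created"] = UUID_EPOCH + timedelta(microseconds=file_id.time // 10)
        pos += size
    return meta


def cluster_by_origin(samples):
    """Group {sample_name: lnk_bytes} by (MachineID, MAC): shared values point to
    shortcuts built on the same attacker workstation."""
    groups = defaultdict(list)
    for name, blob in samples.items():
        m = parse_lnk(blob)
        groups[(m.get("machine_id"), m.get("mac"))].append(name)
    return {k: sorted(v) for k, v in groups.items()}


def build_sample_lnk(arguments, machine_id, file_id_guid):
    """Constructed sample: a shortcut carrying only CommandLineArguments plus a
    TrackerDataBlock.  Not a real malicious LNK."""
    flags = 0x20 | IS_UNICODE           # HasArguments | IsUnicode
    ts = 133_000_000_000_000_000        # arbitrary FILETIME, lands in mid-2022
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LINK_CLSID, flags, 0x20,
                         ts, ts, ts, 0, 0, 1, 0, 0, 0, 0)
    strings = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    volume_id = uuid.UUID("5f1d2c84-0e3b-4a7c-9d1e-2b3c4d5e6f70").bytes_le
    droid = volume_id + uuid.UUID(file_id_guid).bytes_le
    tracker = (struct.pack("<IIII", 0x60, TRACKER_SIGNATURE, 0x58, 0)
               + machine_id.encode().ljust(16, b"\0") + droid + droid)
    return header + strings + tracker + b"\0\0\0\0"


# Two lures from the same workstation and one from another (all constructed).
SAMPLES = {
    "invoice.pdf.lnk": build_sample_lnk("/c powershell -w hidden -f a.ps1", "builder-pc",
                                        "1c3a5d70-9a4b-11ed-b3a1-000c29c0ffee"),
    "scan_0042.lnk": build_sample_lnk("/c regsvr32 /s x.dll", "builder-pc",
                                      "2a7e9b30-9a4c-11ed-b3a1-000c29c0ffee"),
    "resume.lnk": build_sample_lnk("/c wscript y.js", "other-host",
                                   "3b8fac40-9a4d-11ed-8c2f-00155d0a1b2c"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, parse_lnk(blob))
    print(cluster_by_origin(SAMPLES))
```

The MachineID and MAC survive across lures because the builder's tooling copies the tracker block from the workstation that created the shortcut; the creation FILETIME and the GUID's own timestamp give an independent check on when that happened, which is why a single cluster key plus those dates is enough to tie otherwise unrelated attachments to one operator.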
This report analyzes Batloader campaigns observed in Q4 2022 linked to the Water Minyades intrusion set, highlighting its use of obfuscated JavaScript, MSI/JS payloads, and abuse of legitimate tools to evade defenses. It details how Batloader can drop multiple…
Attackers use Google ads to lure users to fake Notepad++ download pages that install Aurora Stealer. The article traces the infection chain from the ad-driven page to the downloaded malware and its post-infection C2 traffic, and lists the associated IOCs.
CircleCI disclosed a security incident in which an engineer's malware-compromised laptop gave an attacker unauthorized access, enabling theft of session cookies and keys across production environments. The company rotated secrets, expanded security measures, and shared new tooling…
Trend Micro details an active Earth Bogle campaign targeting the Middle East and North Africa that uses geopolitical-themed lures to distribute NjRAT (Bladabindi). Attackers host payloads on public cloud storage and compromised web servers, distributing them v…
Unit 42 researchers examine Automated Libra, the cloud threat actor behind PurpleUrchin, which freejacks cloud resources to mine cryptocurrency. They reveal CI/CD automation, mass creation of GitHub and cloud accounts, CAPTCHA exploitation, and a Play and Run t…
EclecticIQ details a QakBot phishing campaign that bypasses Windows Mark of the Web (MoTW) using an unpatched vulnerability, enabling malware installation. The campaign leverages LOLBins like Regsvr32 and WScript, delivers payloads via encrypted ZIP/ISO, and c…
Orcus RAT is being distributed on file-sharing sites disguised as a cracked Hangul Word Processor, linked to the same actor who previously pushed BitRAT and XMRig under a Windows license verifier guise. The campaign employs a multi-stage delivery chain with ob…
NoName057(16) is a pro-Russian hacktivist group conducting DDoS campaigns targeting Ukraine, NATO, and other entities, leveraging Telegram, a volunteer-driven DDoS program, and a GitHub-hosted toolkit. The group has impacted several sectors including governmen…
CRIL researchers uncovered LummaC2 Stealer, a 32-bit GUI malware targeting Chromium and Mozilla browsers to exfiltrate crypto wallets, browser extensions, and 2FA data. The campaign includes a Russian-language seller site, Telegram channels, and active C2 serv…