Insikt Group profiles TAG-53 infrastructure that overlaps with Callisto Group, COLDRIVER, and SEABORGIUM, detailing patterns in domain naming, TLS certificates from Let’s Encrypt, hosting clusters, and a small set of autonomous systems, suggesting long-running…
Tag: SSO
Cyble Research and Intelligence Labs reports a new Malware-as-a-Service strain, DuckLogs, that bundles stealer, keylogger, clipper, and remote access capabilities for threat actors. It features a sophisticated web panel for building, monitoring, and deploying …
IoT botnets are increasingly evading detection as attackers modify malware to hide from analysts, using UPX packing, ELF header changes, and other anti-analysis tricks. The study of 728 IoT samples collected from honeypots over 15 days also shows how attackers…
Malware disguised as Word documents is being distributed via KakaoTalk group chats, using Template Injection to pull remote content from cleverly disguised URLs. Users are urged to verify sources and keep Office updated to avoid infection. #Kimsuky #TemplateIn…
An ASEC analysis highlights a password-protected Word document disguised as a CNA Singapore interview (filename CNA[Q].doc) used to target North Korea-related information and leak credentials via FTP. The embedded VBA macro auto-executes, creates and runs a VB…
FortiGuard Labs analyzes Cryptonite, an open-source, Python-based ransomware kit that encrypts Windows files and uses NGROK as a reverse proxy for C2. The report details how Cryptonite operates, its encryption method, IoCs, and Fortinet’s protective guidance a…
Cybereason’s Global SOC is tracking a wide Black Basta ransomware campaign that leverages QakBot to gain entry and move laterally in U.S.-based organizations. The campaign ties QakBot infections to rapid deployment of Black Basta, including DNS disrup…
Zscaler ThreatLabz documents four under-documented groups carrying out payment card skimming against Magento and PrestaShop e-commerce stores, with activity since mid-2022 and a spike during the holiday season. The campaigns rely on heavily obfuscated JavaScri…
Recorded Future’s Insikt Group analyzes the threat landscape around the 2022 FIFA World Cup in Qatar, covering state-sponsored cyber operations, cybercrime, influence operations, and physical security threats. The assessment finds no imminent disruptive cyber …
Aurora began as a Golang MaaS botnet advertised by Cheshire and Zelizzard, and evolved into an infostealer adopted by multiple traffers, with activity that later slowed and then resurged in different forms. Sekoia.io’s analysis shows multifaceted data collecti…
AXLocker, Octocrypt, and Alice ransomware families are analyzed, detailing AXLocker’s file encryption alongside its Discord token theft, and presenting Octocrypt and Alice as RaaS-style offerings with builder tools and wallet-based ransom models. The piece emp…
Earth Preta spear-phishing campaigns targeted governments, academia, and research sectors worldwide, distributing TONEINS, TONESHELL, and PUBLOAD through Google Drive links. The activity is attributed to Earth Preta (Mustang Panda/Bronze President), with new i…
DAGON Locker ransomware is being distributed in Korea, often via phishing emails, and operates as a ransomware-as-a-service with variable distribution strategies. It uses a memory-resident 64-bit EXE and employs strong encryption with ChaCha20 and RSA-2048, wh…
DTrack is a Lazarus group backdoor used across a wide range of targets, including financial environments, a nuclear power plant, and targeted ransomware campaigns. The analysis highlights a multi-stage deployment with decryption and obfuscation, plus expanding…
Symantec links state-sponsored activity to Billbug (aka Thrip/Lotus Blossom), targeting a certificate authority and government/defense agencies across Asia since March 2022. The operation employs dual-use tools and backdoors (Hannotog and Sagerunex), uses St…