IPFS is being exploited by threat actors to host phishing pages and malware payloads, leveraging its censorship-resistant hosting to resist takedowns. Cisco Talos observes multiple campaigns using IPFS to host and retrieve malicious content, complicating defen…
Tag: SSO
Cyble researchers uncovered a data-destructive ransomware tied to the pro-Russian Killnet group, rebranding Chaos ransomware to target adversaries. The analysis details Killnet ransomware’s execution flow, including privilege escalation, persistence, targeted …
IronNet analyzes how the Robin Banks phishing-as-a-service platform has evolved to evade takedowns, relocate infrastructure to a Russian provider, and add features like cookie-stealing to bypass MFA. The study highlights how open-source code and off-the-shelf …
SentinelLabs provides a comprehensive analysis of Black Basta’s operational TTPs, revealing custom tools, EDR-evasion capabilities, and a likely link to FIN7. The findings suggest FIN7 developers may have contributed to Black Basta’s toolset, with privilege es…
Surtr ransomware is being distributed in Korea, encrypting files and appending a unique Surtr extension to filenames. It also alters the infected system’s desktop, drops ransom notes SURTR_README.hta and SURTR_README.txt, and performs anti-analysis checks befo…
The article analyzes F-Automatical (FoxAuto) as Anonymous Fox’s seventh version of an automatic C2 script that runs post-exploitation tasks on compromised web servers. It covers how the script can persist, fetch remote modules, target multiple CMS, obfuscate i…
Unit 42 researchers analyzed a Guloader variant with an anti-analysis shellcode payload and provided a Python script to deobfuscate the sample, enabling faster malware analysis. The article details how the malware uses control flow obfuscation, a vectored exce…
CLDAP reflectors are rising as a multi-vector DDoS mechanism, leveraging UDP reflection to amplify traffic and complicate mitigation. Black Lotus Labs tracks open CLDAP reflectors, analyzes their behavior, and provides guidance on reducing exposure and blockin…
Microsoft’s analysis shows Raspberry Robin as part of a broader, interconnected malware ecosystem that enables pre-ransomware activity across thousands of devices, linking USB-driven infections to follow-on hands-on-keyboard attacks and ransomware deployments.…
LODEINFO underwent multiple upgrades in 2022, expanding its backdoor capabilities, encryption, and evasion techniques while continuing to target primarily Japanese entities. The article details complex C2 communications, 64-bit memory injection, and evolving b…
An update on Brute Ratel config decoding shows that the framework now uses a dynamic key to decrypt its onboard configuration, while the hardcoded key still exists for decrypting some strings. The article walks through RC4-based encryption, base64 decoding, and two…
Check Point’s Brand Phishing Report for Q3 2022 shows DHL as the brand most impersonated in phishing attempts (22%), with Microsoft (16%) and LinkedIn (11%) following; Instagram also enters the top ten due to a blue-badge phishing campaign. The report highlight…
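The base64-then-RC4 pipeline and the two-key situation described above, as an added example written for this page (not code from the article or from Brute Ratel itself). Everything sample-specific here is an assumption for illustration: the HARDCODED_KEY value, the layout in which a per-sample dynamic key is prepended to the encrypted config blob, and the constructed sample blobs, which are built in the block with the same RC4 routine so the decoder can be run offline. The practical point the block shows is the decision a decoder has to make: try the static key first, and fall back to the embedded dynamic key when the static key no longer yields a plausible config.

```python
import base64
import string
from typing import Tuple

# Assumed for illustration only: a stand-in for a sample's static key.
# Real samples carry their own value; this one is not from the article.
HARDCODED_KEY = b"bYXJm/3#M?:XyMBF"

# Assumed layout (not from the article): the dynamic key is the first
# KEY_LEN bytes of the base64-decoded config blob, ciphertext follows.
KEY_LEN = 16


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


PRINTABLE = set(string.printable.encode())


def looks_like_plaintext(buf: bytes, threshold: float = 0.95) -> bool:
    """Heuristic used to tell a correct key from a wrong one: a text config
    decrypted with the right key is almost entirely printable ASCII."""
    if not buf:
        return False
    return sum(b in PRINTABLE for b in buf) / len(buf) >= threshold


def decrypt_string(b64: str, key: bytes = HARDCODED_KEY) -> str:
    """Encrypted strings: base64-decode, then RC4 with the static key."""
    return rc4(key, base64.b64decode(b64)).decode("latin-1")


def decode_config(b64: str) -> Tuple[str, str]:
    """Onboard config: base64-decode, try the static key, and if the result is
    not plausible text, split off the embedded dynamic key and retry.
    Returns (which_key_worked, plaintext)."""
    raw = base64.b64decode(b64)
    pt = rc4(HARDCODED_KEY, raw)
    if looks_like_plaintext(pt):
        return "static", pt.decode("latin-1")
    dyn_key, body = raw[:KEY_LEN], raw[KEY_LEN:]
    pt = rc4(dyn_key, body)
    if looks_like_plaintext(pt):
        return "dynamic", pt.decode("latin-1")
    raise ValueError("neither the static key nor the embedded dynamic key "
                     "yields a plausible config")


# Constructed samples (not real Brute Ratel artifacts), built here with the
# same RC4 so the decoder above can be exercised without a sample.
SAMPLE_CONFIG_PLAINTEXT = "0|badger|https://c2.example.invalid:443|/api/v1|5000|"
SAMPLE_DYNAMIC_KEY = bytes(range(0xA0, 0xA0 + KEY_LEN))
SAMPLE_DYNAMIC_CONFIG_B64 = base64.b64encode(
    SAMPLE_DYNAMIC_KEY + rc4(SAMPLE_DYNAMIC_KEY, SAMPLE_CONFIG_PLAINTEXT.encode())
).decode()
# An older-style blob encrypted directly with the static key.
SAMPLE_STATIC_CONFIG_B64 = base64.b64encode(
    rc4(HARDCODED_KEY, SAMPLE_CONFIG_PLAINTEXT.encode())
).decode()
SAMPLE_STRING_PLAINTEXT = "ntdll.dll"
SAMPLE_STRING_B64 = base64.b64encode(
    rc4(HARDCODED_KEY, SAMPLE_STRING_PLAINTEXT.encode())
).decode()

if __name__ == "__main__":
    print("string :", decrypt_string(SAMPLE_STRING_B64))
    print("config :", decode_config(SAMPLE_STATIC_CONFIG_B64))
    print("config :", decode_config(SAMPLE_DYNAMIC_CONFIG_B64))
```

The printable-ratio check is deliberately loose; when a real sample's config is binary rather than delimited text, replace it with a structural check (expected magic bytes, field count, or a parseable URL) rather than relying on ASCII ratio.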
Daixin Team is a ransomware and data extortion group focused on Healthcare and Public Health sector targets in the U.S., using VPN compromises and credential theft to deploy ransomware on ESXi servers and exfiltrate data. The FBI/CISA/HHS advisory details TTPs…
Palo Alto Networks analyzes trends in web threats by examining malicious landing and host URLs, including where they are hosted, their categories, and associated malware families, with a focus on cryptominers, JS downloaders, web skimmers, and redirects. The r…
Check Point Research analyzes Black Basta’s delivery and evasion techniques, highlighting how the dropper and payload are prepared to bypass analysis and encrypt data while moving laterally. The piece details the delivery stages, anti-debug/anti-analysis trick…