URSNIF’s LDR4 variant marks a shift from banking fraud to remote access capabilities, dropping banking modules in favor of enabling VNC and remote shell access on compromised machines. It introduces API call obfuscation, a redesigned configuration/storage stru…
Tag: SSO
Security researchers tie the Spyder Loader (Trojan.Spyload) to a long-running intelligence-gathering operation called Operation CuckooBees, active since at least 2019 and targeting intellectual property. The loader is a 64-bit PE DLL derived from sqlite3.dll, …
This fourth post in a four-part series examines the rarely used “helper” techniques wipers employ to augment data destruction, such as manipulating VSS, filling disk space, and altering boot configurations. It covers methods like shadow-copy deletion, space-fi…
Uptycs reports a new campaign where WSHRAT acts as a dropper for Agent Tesla through a multi-stage infection chain emphasizing evasion techniques like steganography and in-memory DLL loading. The campaign begins with phishing emails containing GZ and R00 archi…
Security researchers outline detection strategies for the Caffeine phishing service platform, including endpoint and network indicators. They provide YARA rules, domain infrastructure details, and defensive best practices to mitigate PhaaS-based phishing campa…
Cybersecurity analysts from CISA analyzed HyperBro malware samples linked to a Defense Industrial Base incident, detailing a backdoor capable of file transfer, keystroke logging, and remote command execution. The report covers four analyzed files, a C2 endpoin…
The article examines how Office CustomXMLParts can secretly store and execute a payload, using a hex-encoded DLL embedded in XML and retrieved via VBA in documents. It shows how a YARA rule and code structure detect and decode the payload, and notes that such …
FortiGuard Labs analyzed an Excel document delivering Redline malware via CVE-2017-11882. The loader uses in-memory techniques and persistence via Task Scheduler to exfiltrate sensitive data to a C2 server over HTTP using a WCF SOAP channel. Hashtags: #Redline…
BlackBerry Research & Intelligence uncovers a Mustang Panda operation targeting Myanmar that uses PlugX malware delivered via legitimate HP utilities embedded in RAR archives. The campaign employs DLL side-loading and domain-based C2 infrastructure masqueradin…
eSentire has observed a significant rise in SolarMarker infections delivered via drive-by download attacks that rely on social engineering to persuade users to execute malware disguised as document templates. SolarMarker is a modular information-stealing malwa…
CrowdStrike Falcon platform identified a supply chain attack tied to a trojanized Comm100 Live Chat installer, delivering a backdoor via a signed installer. The activity, with a suspected China nexus, involved a second-stage script, loader DLL, and multiple C2…
Fortinet FortiGuard Labs analyzed malicious Microsoft Office documents that abused legitimate sites MediaFire and Blogger to deliver two malware variants: Agent Tesla and njRat (Bladabindi). The operation uses a multi-stage chain—VBA macros, mshta, and PowerSh…
Operation In(ter)ception continues Lazarus’ macOS malware activity, using decoy job postings for Coinbase and Crypto.com to lure victims and install a multi-stage payload. The campaign features persistence via a LaunchAgent, staged download components, and har…
Threat actors increasingly rely on unsigned DLL loading to execute payloads, enabling stealthy operations by abusing signed processes. The investigation highlights Stately Taurus (PKPLUG/Mustang Panda) and Selective Pisces (Lazarus Group) and shows how unsigne…
Unit 42 reveals a polyglot CHM file used to deliver the IcedID information stealer, weaving deception to evade detection by showing a benign decoy window first and launching malicious activity on a second run. The threat chain includes phishing with a ZIP, an …