Magento 2 template attacks now deploy backdoors via injected template code to install a Linux RAT and web backdoors, enabling persistent access and remote command control across potentially multi-node clusters. Variants include 223sam.jpg attack, health_check.…
Tag: SSO
I found a simple batch file (2.bat) that drops a Remcos RAT using an old fodhelper UAC bypass to gain high privileges. The dropper decodes embedded Base64 with certutil, then downloads and launches the malware chain, including a PowerShell-based stage that att…
PUP.Optional.AdMax is Malwarebytes’ detection name for a family of browser extensions that are promoted in a deceptive way as ad blockers. Malwarebytes blocks the sites promoting them and provides remediation steps to detect and remove the PUP. #PUP.Optional.A…
Fortinet’s FortiGuard Labs uncovered a Russian-language phishing email designed to deploy the Konni RAT linked to APT37, with persistence and C2 communications. The attack uses a Donbass.zip attachment containing decoy PowerPoint files and a malicious macro ch…
Monster is a Delphi-based ransomware-as-a-service (RaaS) that hides its capabilities and uses configurable features to customize encryption and evasion, raising the risk of attribution confusion. The BlackBerry analysis details its encryption methods, use of I…
Threat actors run credential-phishing campaigns that spoof U.S. government departments (DoL, DoC, DoT) to lure victims into submitting credentials via multi-step, convincingly branded PDFs and pages. The campaigns have evolved since 2019, improving email conte…
FortiGuard Labs analyzed an Excel document that embeds a randomized payload and exploits CVE-2017-11882 to drop malware on Windows. The analysis traces how the document loads the embedded file, uses a vulnerability to execute code, downloads Formbook/Redline p…
The blog analyzes three recent honeypot infections attributed to TeamTNT, suggesting renewed activity after their 2021 farewell. It details multiple campaigns (Kangaroo, Cronb, What Will Be) that reuse familiar TeamTNT tools and techniques, including misconfig…
Publicly available Slam Ransomware Builder lowers the barrier to entry for cybercriminals by offering free tooling, while presenting credible threats to enterprises. The article details Slam’s features, capabilities, and indicators of compromise to help defend…
Insikt Group profiles UAC-0113 infrastructure linked with Sandworm, highlighting ongoing Ukrainian targeting and the use of dynamic DNS masquerades as Ukrainian telecom providers to host C2 and payload delivery. The analysis shows a shift from DarkCrystal to C…
SEKOIA analysts document PrivateLoader as a modular downloader that operates within the ruzki Pay-Per-Install (PPI) service to download and execute multiple payloads, enabling broad distribution of malware. The report links PrivateLoader to ruzki’s PPI ecosys…
Malvertising on the Microsoft Edge News Feed redirects users to tech support scam pages via the Taboola ad network. The operation uses a cloud-based infrastructure and fingerprinting to target victims while avoiding bots or blocks. #Taboola #EdgeNewsFeed #brow…
IRGC-affiliated cyber actors exploited known Fortinet FortiOS and Microsoft Exchange vulnerabilities, plus VMware Horizon Log4j flaws, to gain initial access and conduct ransomware-like operations involving data encryption and data extortion. The advisory outl…
OriginLogger is a variant of the Agent Tesla keylogger and represents its successor with new configuration handling and deployment methods. The analysis covers its builder, string obfuscation, dropper workflow, and multi-channel exfiltration infrastructure, ty…
Symantec details a new espionage campaign targeting Asian governments that uses DLL side-loading of legitimate software to load payloads, followed by credential theft and network-wide movement with a wide toolkit. The activity, spanning April–July 2022, hit a …