Lampion, a banking Trojan, was analyzed as delivered through a phishing email that directs victims to a cloud-based link to obtain a ZIP file. The campaign uses a VBScript loader and WScript to fetch DLL payloads, which are injected into memory to steal bankin…
Tag: SSO
The article examines how third-party software can store credentials insecurely and how attackers can retrieve them to broaden access, with concrete examples across WinSCP, Git, RDCMan, OpenVPN, and various browsers. It also discusses protections in Cortex XDR …
TA453, an Iran-aligned actor, expanded its social engineering with Multi-Persona Impersonation (MPI), using multiple actor-controlled personas within a single email thread to boost campaign credibility. The technique targets researchers and nuclear security do…
Bronze President targeted government officials using PlugX payloads across multiple documents and delivery methods. The campaign involved malicious archives, shortcuts, DLLs, and encrypted payloads linked to PlugX, with identified C2 servers associated with the …
Joint FBI/CISA/MS-ISAC advisory details Vice Society’s ransomware operations, highlighting their methods, IOCs, and recommended mitigations for education-sector defenders. It notes that Vice Society uses variants such as Hello Kitty/Five Hands and Zeppelin and…
Avast Threat Labs details Bobik, a .NET Remote Access Trojan that now functions as a DDoS module within a botnet used by the pro-Russian group NoName057(16) to target Ukraine and nearby countries. The report maps the botnet’s C2 infrastructure, the multi-stage…
BumbleBee is described as a refactored, modular backdoor evolved from BookWorm, featuring a two-app architecture (server/controller and client/slave) with layered deployment and a loader chain that uses a legitimate executable to run shellcode. The campaign ap…
ASEC researchers identified a malicious HWP document that exploits OLE objects and a Flash vulnerability (CVE-2018-15982), using embedded links to trigger execution. The attack drops files in %TEMP%, hides OLE objects, and can download and run additional paylo…
The ASEC analysis team reports the ongoing distribution of malicious Word documents targeting individuals tied to national defense and North Korea, with filenames referencing real people. The embedded macros download PowerShell scripts, collect host informatio…
Securonix Threat Labs uncovered a Golang-based GO#WEBBFUSCATOR campaign that leverages a James Webb image and obfuscated Go payloads to infect targets. The attack chain starts with a phishing Office attachment, downloads a malicious template, and uses DNS-base…
Cyble researchers report a threat actor began releasing MiniStealer’s builder and panel for free, with Parrot Stealer allegedly based on MiniStealer. The campaign targets Windows systems and steals data from Chromium-based browsers and FTP applications, signal…
Mitiga uncovered an advanced business email compromise (BEC) campaign that targets executives via Office 365, combining high-end spear-phishing with adversary-in-the-middle (AiTM) techniques to bypass MFA and achieve persistence. Attackers monitor significant …
Qbot (QakBot) infections surged in 2022, with Trellix SecOps documenting its evolving delivery vectors and detection strategies to outpace defenses. The post details Qbot’s infection chain, MITRE technique mappings, IOCs, and Trellix detection/hunting guidance…
Security researchers describe a phishing campaign attributed to 0ktapus that targets Okta identity credentials, using a large set of look-alike domains to harvest user data. The article catalogs hundreds of IPs and domains used in the campaign’s infrastructure…
Kimsuky’s GoldDragon cluster is a multi-stage operation targeting Korea-related entities, evolving rapidly with new infection chains and a layered C2 network. The campaign starts with spear-phishing and uses HTML Application (HTA), VBScript, and mshta to fetch…