Part 2 of the wiper series explains how threat actors exploit legitimate third-party kernel drivers to bypass detection and perform disk wiping in kernel space, focusing on ElRawDisk and EPMNTDRV. It also covers how these drivers are loaded (via Service Contro…
Today’s diary describes a Brazilian malspam campaign delivering Astaroth (Guildma) malware via a Boleto-themed email pretending to be from Grupo Solução & CIA. The malicious ZIP contains a Windows shortcut and a batch file used to infect a Windows host and exf…
Fortinet FortiGuard Labs analyzes a spearphishing campaign against a South Asian telecommunications agency, weaponizing an RTF document with Royal Road to exploit CVE-2018-0798 and drop a DLL chain leading to PoisonIvy (PivNoxy/Chinoxy) backdoors. The report o…
Cyble researchers exposed a dark web post by a malware developer selling a powerful Windows RAT suite, including XWorm with ransomware and HVNC capabilities. The article details the toolset, persistence and anti-analysis techniques, data exfiltration, and the …
Cybereason GSOC analyzes a Bumblebee Loader infection, detailing the attack chain from initial lure to full network compromise and Active Directory takeover, with notes on post-exploitation actions, credential theft, and data exfiltration. The report also high…
DarkTortilla is a highly configurable .NET-based crypter that delivers commodity information stealers and RATs, with targeted payloads such as Cobalt Strike and Metasploit. It uses a two-component architecture (initial loader and core processor) with strong an…
Raccoon is an info-stealer malware offered as malware-as-a-service since 2019, capable of stealing passwords, cookies, autofill data, and cryptocurrency wallet data from browsers. The campaign uses phishing campaigns and trusted Windows components to drop, exe…
Shuckworm (also known as Gamaredon or Armageddon) is a Russia-linked group that has focused on Ukraine since 2014, conducting espionage and information-stealing campaigns. Symantec’s observations detail the infection chain, malware families, and IOCs tied to a…
Sonatype uncovered secretslib, a PyPI package that masquerades as a secrets-management library but secretly runs an in-memory Linux cryptominer, a technique used by fileless malware. The incident also involved identity impersonation of a real Argonne National …
Cyble Research Labs uncovered MikuBot, a new Windows botnet that steals data and runs hidden HVNC sessions for remote access, with USB propagation and the ability to download and execute additional malware. The actor markets MikuBot with a panel, uses encrypti…
The article compiles a large set of file hash indicators tied to Zeppelin ransomware activity as described in the CISA alert AA22-223a, associated with the StopRansomware campaign. It presents these indicators in a purely IOC-focused format without narrative d…
BlueSky ransomware is an emerging Windows-focused family employing multithreading to speed up file encryption and evade defenses. The analysis ties BlueSky to Conti v3 in structure and network behavior, while its cryptography resembles Babuk (ChaCha20 with Cur…
Cisco Talos and CSIRT describe a May 2022 compromise in which a Cisco employee’s Google account credentials (synced from a personal browser) enabled initial VPN access after MFA bypass via vishing and MFA fatigue. The investigation links the actors to an initi…
SmokeLoader (Dofoil) continues to leverage aging vulnerabilities to deliver its payload via a crafted phishing email chain, decrypt an embedded OLE stream, and drop a final DLL payload that is associated with zgRAT. The campaign demonstrates how attackers rely…
SharpExt is a browser-extension malware used by Kimsuky to steal emails and attachments, as detailed by Volexity and related researchers. The campaign maps to older activity, leverages a large network of domains for delivery and C2, and targets US, Europe, and…