Researchers analyze CrowdStrike’s Adversary Quest 2022 CATAPULT SPIDER track, which centers on a Dogecoin-driven ransomware campaign leveraging CHM phishing, encoded PowerShell, and a Dogecoin-based C2. The storyline uncovers multi-stage payloads, a vulnerable…
Tag: SSO
GwisinLocker.Linux is a Linux-based ransomware variant linked to the Gwisin threat actor, targeting South Korean industrial and pharmaceutical firms. It encrypts files using per-file AES keys (with RSA-wrapped keys), stores keys in .mcrgnx0 files, appends .mcr…
LOLI Stealer is a Golang-based infostealer sold via a MaaS model, capable of stealing passwords, cookies, wallet data, and screenshots from infected machines. Cyble Research Labs tracked LOLI Stealer and its evolving capabilities, including data exfiltration t…
This analysis details how Emotet intrusion employs obfuscated Excel macros to download and run an Emotet loader, which is then executed via regsvr32 for payload deployment. It highlights how the loader stores an encrypted payload in its resources, uses a Windo…
RedLine Stealer is a data-collection malware distributed as cracked software that harvests browser data, cryptocurrency wallet credentials, and other applications, then exfiltrates the results via SOAP to a hard-coded C2 server. The report details its deployme…
SHARPEXT is a clever post-exploitation browser extension used by SharpTongue (often associated with Kimsuky) to inspect and exfiltrate data from a victim’s webmail (Gmail and AOL) as users browse. The attackers deploy SHARPEXT by modifying browser preferences …
Gootkit loader now employs more advanced fileless techniques to drop Cobalt Strike, using SEO-poisoned compromised websites and legal document templates to lure victims. The attack chain involves registry stuffing, memory-only execution via PowerShell, and a C…
Threat actors abuse DLL sideloading to run malicious code through legitimate Microsoft applications (Teams and OneDrive), dropping and loading a malicious DLL that communicates with a remote C2 and leverages Cobalt Strike Beacon for post-exploitation. The camp…
Gootloader is a Malware-as-a-Service (MaaS) offering that is spread through SEO poisoning to distribute malicious payloads, such as IcedID. Threat actors have begun using IcedID, a former banking trojan, since it’s a stealthier option compared to Cobalt Strike…
Fraudsters abused Google’s ad network to redirect users searching for popular brands to a network of tech-support scam pages, effectively hijacking browser sessions through malvertising. The operation used cloaking, multi-stage redirects, and iframe-based brow…
YamaBot, linked to Lazarus, targets both Linux and Windows with HTTP-based C2 communication and RC4-based encoding for configuration and commands. The report details Linux and Windows variants, their C2 interactions, commands, and the infrastructure and hashes…
Lightning Framework is a modular, undetected Linux malware framework with a downloader, core, and multiple plugins, including rootkit-capable components, that can communicate with a threat actor via a malleable C2 configuration. It leverages typosquatting, per…
Fortinet’s FortiGuard Labs documented a phishing campaign delivering a new QakBot variant via an attached HTML file that auto-executes to drop a ZIP, load a loader, and ultimately run QakBot within a Windows process. The analysis details the infection chain fr…
Over the last month a crimeware group best known as 8220 Gang has expanded their botnet to roughly 30,000 hosts globally through Linux vulnerabilities and poorly secured configurations. The infection script, IRC botnet, and updated PwnRig cryptocurrency miner …
NCC Group analyzes Everest ransomware operations and argues a link to Black-Byte, detailing how Everest-related activity deployed during an incident response used TTPs such as RDP-based lateral movement, credential dumping, and C2 via remote tools. The report …