ApolloRAT is a Python-based Remote Access Trojan that uses Discord as its C&C server. Cyble researchers note that the RAT is compiled with Nuitka to increase evasion and that threat actors are selling it for a low price on Telegram and their site. #ApolloRAT #…
Tag: SSO
This joint Cybersecurity Advisory explains that Maui ransomware has been used by North Korean state-sponsored actors since May 2021 to target Healthcare and Public Health sector organizations, detailing TTPs and IOCs. It urges mitigations and reporting, and wa…
An LNK file is a Windows Shortcut that serves as a pointer to open a file, folder, or application. LNK files are based on the Shell Link binary file format, which holds information used to access another data object. McAfee Labs has seen a rise in malware being delivered using LNK…
DarkComet RAT has re-emerged with new TTP-based detection and response coverage, highlighting its capabilities as a stealthy remote access Trojan that can spy on systems, steal credentials, and add infected machines to a botnet. The article outlines a multi-s…
Cyble Research Labs uncovered PennyWise, a new evasive infostealer that targets 30+ Chrome-based and 5+ Mozilla-based browsers as well as crypto wallets, with updated version 1.3.4 already observed in the wild. The malware is distributed via YouTube campaigns …
ReversingLabs reports AstraLocker 2.0 is distributed directly from Microsoft Word phishing documents, leveraging leaked Babuk code and a “smash and grab” approach for rapid impact. The campaign uses an old packer, anti-analysis checks, and Monero/BTC wallets f…
On 2022-06-16, researchers observed a malspam wave delivering Matanbuchus via a ZIP that contains an HTML page which decodes and downloads payloads, ultimately triggering Cobalt Strike beacons. The operation uses a signed MSI, base64-encoded payloads, and HTTP…
Raccoon Stealer has returned with a new V2 version, resuming activity after a pause linked to a key developer’s death. The update introduces a more automated, faster builder/admin panel, and a Cracked Software distribution approach, with ongoing monitoring adv…
IceXLoader is a Nim-based commercial loader promoted in malware forums to download and deploy additional payloads on Windows machines, with ties to NimzaLoader used by the TrickBot group. The article outlines IceXLoader v3.0’s technical behavior, potential del…
ASEC’s analysis identifies active distribution of malicious HWP files that exploit an OLE object insertion feature to run a batch file, with PowerShell injecting shellcode into a normal process. The campaigns target national defense, North Korea–related materi…
Cerber2021 ransomware has resurfaced, delivered by exploiting patched/unpatched vulnerabilities in Confluence and GitLab servers; it then encrypts files on Windows and Linux and directs victims to a Tor-based ransom site. The analysis details file encryption behavior,…
Volexity details a targeted Sophos Firewall breach that leveraged a zero-day remote code execution vulnerability (CVE-2022-1040) to install a webshell, establish persistence, and conduct MITM activity that extended to external systems such as CMS websites. Sop…
Check Point Research exposes an Iranian-backed spear-phishing operation targeting former Israeli officials and other high-ranking figures, leveraging a custom phishing infrastructure and inbox takeovers to steal credentials and ident…
Two security researchers describe how crypto-mining operations leveraged Atlassian Confluence zero-day CVE-2022-26134 to drop and execute mining payloads on Linux and Windows hosts, using a multi-stage chain from initial exploitation to persistence and lateral…
HelloXD is a ransomware family performing double extortion on Windows and Linux, with negotiations conducted via TOX chat and onion-based services instead of a leak site. Unit 42’s analysis links HelloXD to x4k and reveals details on its packers, memory-based …