Threat actors behind a Magecart skimmer use in-browser virtual-machine detection via WebGL to distinguish real victims from researchers or sandboxes. If the machine passes the check, the skimmer exfiltrates sensitive data in a single POST while employing obfus…
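To make the WebGL check concrete, here is an added example (written for this page, not the skimmer's code) that replicates the heuristic from the defender's side: it reads the unmasked vendor/renderer strings through the WEBGL_debug_renderer_info extension and flags strings typical of software or virtual GPUs. The indicator list is an assumption based on common renderer names, and `probeWebGL` only runs inside a browser; an analyst can paste it into the console of an analysis VM to see whether that VM would be rejected by a check of this kind.

```javascript
// Added example, not the skimmer's code. Indicator strings are assumptions
// based on common software / virtual GPU renderer names.
const VIRTUAL_INDICATORS = [
  'swiftshader',                   // Chrome's software rasterizer (headless, no GPU)
  'llvmpipe',                      // Mesa software rasterizer, typical in Linux VMs
  'softpipe',                      // older Mesa software rasterizer
  'microsoft basic render driver', // Windows fallback when no GPU driver is present
  'vmware',                        // VMware SVGA adapter
  'virtualbox',
  'vbox',
  'parallels',
  'hyper-v',
];

// Classify a vendor/renderer pair. Returns {virtual, reason}.
function classifyRenderer(vendor, renderer) {
  const hay = `${vendor || ''} ${renderer || ''}`.toLowerCase();
  for (const needle of VIRTUAL_INDICATORS) {
    if (hay.includes(needle)) {
      return { virtual: true, reason: `renderer matches "${needle}"` };
    }
  }
  if (!renderer) {
    // No renderer string at all: WebGL disabled or the extension blocked.
    // A skimmer would treat this as "not a real shopper" as well.
    return { virtual: true, reason: 'no WebGL renderer available' };
  }
  return { virtual: false, reason: 'renderer looks like real hardware' };
}

// Browser-side probe: pull the unmasked strings via WEBGL_debug_renderer_info.
// Returns null when not running in a browser (e.g. under Node).
function probeWebGL() {
  if (typeof document === 'undefined') return null;
  const canvas = document.createElement('canvas');
  const gl = canvas.getContext('webgl') || canvas.getContext('experimental-webgl');
  if (!gl) return classifyRenderer('', '');
  const dbg = gl.getExtension('WEBGL_debug_renderer_info');
  const vendor = dbg ? gl.getParameter(dbg.UNMASKED_VENDOR_WEBGL) : gl.getParameter(gl.VENDOR);
  const renderer = dbg ? gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL) : gl.getParameter(gl.RENDERER);
  return classifyRenderer(vendor, renderer);
}
```

Caveat: Firefox and recent Chrome builds reduce the detail in these strings, so a hardware-looking result is not proof of a physical machine, and a sandbox with GPU passthrough will pass this check; the point of the example is that an analysis VM defaulting to SwiftShader or llvmpipe is trivially recognisable.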
Tag: SSO
An ISC guest diary analyzes the modern coin miner malware variant “redtail” and its capabilities across four CPU architectures, showing how attackers gain initial SSH access, upload payloads, and establish persistence on compromised hosts. The report traces tw…
Researchers document Black Basta’s observed TTPs during a recent incident response, detailing lateral movement, defense evasion, discovery, and encryption activities against Hyper-V environments and Veeam backups. The post also provides a technical breakdown o…
The report analyzes how the MangLingHua group (APT-Q-37) has updated its phishing and delivery techniques, including CHM attachments and DDE automation, to target defense contractors such as the Bangladesh Navy. It also covers related activity from APT-Q-41 (M…
WatchDog has evolved a multi-stage cryptojacking campaign that targets exposed Docker Engine API endpoints and Redis servers, repurposing TeamTNT payloads while attempting to foil attribution. The attack uses timestomping, process hiding, and worm-like propaga…
Trend Micro’s Threat Hunting team analyzed a series of CMD-based ransomware variants, culminating in YourCyanide, a multi-stage malware that uses layered downloads and heavy obfuscation. The family evolves from GonnaCope through Kekpop and Kekware, employing D…
An in-depth look at AsyncRAT campaigns tied to APT-C-36 and related RATs, focusing on evolving TTPs and how the campaign's distribution in Colombia behaves in practice. The analyzed sample (Stub.exe) reveals anti-analysis checks, persistence via scheduled tasks and Run key…
UNC2165 is analyzed as overlapping with Evil Corp activities and shifting toward ransomware deployments such as HADES and LOCKBIT, leveraging FAKEUPDATES, BEACON, and post-exploitation techniques to breach networks while evading sanctions. The report traces th…
A new Browser-in-the-Browser (BITB) sextortion campaign impersonates the Indian government to coerce victims into paying a fine with their credit card. The attack uses a full-screen fake browser window, browser fingerprinting, and a fraudulent payment flow to …
Trustwave SpiderLabs observed a Grandoreiro campaign targeting bank users in Brazil, Spain, and Mexico during tax season, delivered via Portuguese-language phishing emails that link to a malicious PDF. The campaign uses a multifaceted payload chain—including a…
Check Point researchers analyze the evolution of XLoader, focusing on how the botnet camouflages its real C2 servers among 64 decoy domains and how later versions rotate domains more intelligently to evade analysis. The article details 2.5 and 2.6 updates that use proba…
CrowdStrike data show Mirai variants built for Intel-powered Linux systems more than doubling in Q1 2022 versus Q1 2021, with 32-bit x86 builds rising the most. Mirai continues to expand across Linux devices—from IoT to servers—by exploiting unpatched flaws su…
SEKOIA.IO Threat & Detection Research uncovers a Turla-led reconnaissance campaign targeting Eastern Europe, including the Baltic Defense College and the Austrian Economic Chamber. The operation relies on legitimate-looking Word documents that pull an external…
Sonatype researchers detected a malicious Python package named “pymafka” on PyPI that typosquats the popular library PyKafka and delivers a Cobalt Strike beacon across Windows, macOS, and Linux. The package downloads platform-specific payloads from external IP…
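The pymafka/PyKafka case is a one-character substitution, which is exactly what an edit-distance check over a dependency list catches. The following is an added example (not Sonatype's tooling and not part of the original report): it normalizes package names the way PyPI does (lowercase, runs of `-`, `_`, `.` collapsed to `-`), computes Levenshtein distance against a small allowlist, and reports requested names that are close to, but not equal to, a known package. The allowlist and the requirements lines are constructed for the example.

```javascript
// Added example, not from the report. POPULAR and REQUIREMENTS are made up.
const POPULAR = ['pykafka', 'requests', 'numpy', 'urllib3', 'cryptography', 'pyyaml'];

// PEP 503 style normalization so "PyKafka", "py_kafka" and "py-kafka" compare equal.
function normalizeName(name) {
  return name.toLowerCase().replace(/[-_.]+/g, '-');
}

// Single-row Levenshtein distance.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(
        prev[j] + 1,                                   // deletion
        prev[j - 1] + 1,                               // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1),        // substitution
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Flag requirements whose name is within maxDistance edits of a known package
// but is not that package. Very short names are skipped to limit noise.
function findTyposquats(requirements, popular, maxDistance = 2) {
  const known = new Set(popular.map(normalizeName));
  const hits = [];
  for (const req of requirements) {
    // Strip version specifiers, extras and environment markers.
    const name = normalizeName(req.split(/[=<>!~\[ ;]/)[0]);
    if (known.has(name)) continue;
    for (const p of known) {
      const d = levenshtein(name, p);
      if (d > 0 && d <= maxDistance && Math.min(name.length, p.length) >= 5) {
        hits.push({ requested: name, lookalike: p, distance: d });
      }
    }
  }
  return hits;
}

// Constructed requirements list containing the real typosquat and a transposition.
const REQUIREMENTS = ['pymafka==1.0', 'requests>=2.28', 'numpy', 'reqeusts'];

function scanRequirements() {
  return findTyposquats(REQUIREMENTS, POPULAR);
}
```

In practice the allowlist should be the organisation's actual resolved dependency set rather than a hand-picked list, and a hit is a prompt to check the package's author, release history and install-time code (setup.py / build hooks), since a legitimate fork can also sit one edit away from its upstream.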
EXOTIC LILY is observed distributing Bumblebee malware through TransferXL by sharing ZIP archives that contain ISO disk images. The infection chain includes mounting the ISO, running a Windows shortcut that launches a hidden DLL via rundll32, followed by Bumbl…
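The ISO, shortcut and rundll32 chain leaves a recognisable process-creation trace: rundll32.exe spawned under explorer.exe (the user double-clicked the shortcut) with a DLL argument living on the drive letter Windows assigned to the mounted image. The following is an added detection example written for this page, not code from the original analysis: it evaluates Sysmon Event ID 1 style records, extracts the DLL path from the rundll32 command line and alerts when at least two of three indicators line up. The event records, the "system" path prefixes and the assumption that a non-system drive letter is D: or later are all constructed for the example.

```javascript
// Added example, not from the original analysis. Sample events are constructed.
const SYSTEM_PREFIXES = ['c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\'];

// Extract the DLL path from a rundll32 command line such as
//   "C:\Windows\System32\rundll32.exe" "E:\Documents\lenses.dll",GetSignature
// Returns null if the command line does not look like rundll32 loading a DLL.
function rundll32DllPath(commandLine) {
  const m = /rundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)"?\s*,/i.exec(commandLine);
  return m ? m[1].trim() : null;
}

// A bare name (shell32.dll) is resolved from the search path; only absolute
// paths outside the Windows / Program Files trees count as suspicious.
function isOutsideSystemDirs(dllPath) {
  const p = dllPath.toLowerCase();
  if (!/^[a-z]:\\/.test(p) && !p.startsWith('\\\\')) return false;
  return !SYSTEM_PREFIXES.some((prefix) => p.startsWith(prefix));
}

// Evaluate one Sysmon-style process-creation event. Returns an alert object
// when two or more indicators match, otherwise null.
function evaluateEvent(ev) {
  const image = (ev.Image || '').toLowerCase();
  if (!image.endsWith('\\rundll32.exe')) return null;
  const dll = rundll32DllPath(ev.CommandLine || '');
  if (!dll) return null;
  const reasons = [];
  if (isOutsideSystemDirs(dll)) {
    reasons.push('DLL loaded from outside Windows/Program Files: ' + dll);
  }
  if (/\\explorer\.exe$/i.test(ev.ParentImage || '')) {
    reasons.push('rundll32 spawned directly by explorer.exe (user opened a shortcut or file)');
  }
  if (/^[d-z]:\\/i.test(dll)) {
    // Assumption: D: and later are not the system volume (mounted ISO / removable media).
    reasons.push('DLL on a non-system drive letter: ' + dll.slice(0, 2));
  }
  return reasons.length >= 2 ? { event: ev, reasons } : null;
}

function scan(events) {
  return events.map(evaluateEvent).filter(Boolean);
}

// Constructed events: one matching the ISO -> LNK -> rundll32 pattern, three benign.
const SAMPLE_EVENTS = [
  {
    Image: String.raw`C:\Windows\System32\rundll32.exe`,
    CommandLine: String.raw`"C:\Windows\System32\rundll32.exe" "E:\Documents\lenses.dll",GetSignature`,
    ParentImage: String.raw`C:\Windows\explorer.exe`,
  },
  {
    Image: String.raw`C:\Windows\System32\rundll32.exe`,
    CommandLine: 'rundll32.exe shell32.dll,Control_RunDLL',
    ParentImage: String.raw`C:\Windows\explorer.exe`,
  },
  {
    Image: String.raw`C:\Windows\System32\rundll32.exe`,
    CommandLine: String.raw`rundll32.exe C:\Windows\System32\user32.dll,LockWorkStation`,
    ParentImage: String.raw`C:\Windows\explorer.exe`,
  },
  {
    Image: String.raw`C:\Program Files\Example\app.exe`,
    CommandLine: String.raw`"C:\Program Files\Example\app.exe" --update`,
    ParentImage: String.raw`C:\Windows\explorer.exe`,
  },
];
```

Requiring two indicators keeps Control Panel launches (rundll32 shell32.dll under explorer) out of the alert stream while still catching the chain above; correlating the drive letter with a preceding ISO mount event would tighten it further, but that needs an additional log source the example does not model.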