TRU and BreakPoint Labs uncovered a Conti affiliate operating an automated Cobalt Strike infrastructure, exposing new domain names, IP addresses, and emails used for command-and-control. The findings link Conti operations to Trickbot, BazarLoader, IcedID, Five…
Tag: SSO
The article surveys how crypto phishing relies on malvertising, social media campaigns, and fake wallet prompts to steal seed phrases, wallets, and NFTs—from Ledger impersonations to Vitalik Buterin fakery and ApeCoin scams. It also highlights techniques like …
Avast Threat Labs connects Meris, TrickBot, and Glupteba campaigns to a single C2 that covertly controls roughly 230,000 MikroTik routers in a botnet-as-a-service. The research traces exploitation of CVE-2018-14847, wides…
ASEC uncovered malware distributed as Windows Help Files (.chm) aimed at Korean users, delivered via compressed email attachments. When opened, the CHM dropper spawns VBScript and PowerShell payloads, persists through a Run key, and downloads a second-stage do…
Threat researchers describe a first-stage spearphishing campaign targeting luxury hotels in Macao that used a password-protected Excel file with macros to drop and execute further payloads via scheduled tasks and PowerShell. The operation, attributed to DarkHo…
A Ukrainian-focused campaign linked to UNC1151 is analyzed, describing CHM-based loaders, obfuscated VBScript, and memory-resident backdoors that connect to C2 servers, echoing Ghostwriter/UNC1151 activity. The finding in…
DirtyMoe’s worming module autonomously spreads by exploiting several known vulnerabilities and by generating target IPs based on geolocation, enabling mass-scale infection and lateral movement. This Avast Threat Lab analysis details the worm’s kill chain, the …
A Windows host was infected with Qakbot (Qbot) on 2022-03-14, with Cobalt Strike and VNC remote-access activity appearing about 17 hours later. The incident highlights the obama166 distribution tag, the DLLs downloaded during infection, and notable changes in …
FBI and CISA warn that Russian state-sponsored cyber actors gained network access by exploiting default MFA configurations and the PrintNightmare vulnerability, enabling document exfiltration from an NGO via compromised credentials and MFA bypass. The advisory…
DanaBot is delivered via a VBS-based downloader that uses a distinctive obfuscation scheme and is associated with a social-engineering lure built around unclaimed property. The article also covers three methods to decode the VBS, noting DanaBot’s ties to the S…
FortiGuard Labs uncovered a phishing operation masquerading as a purchase order to a Ukrainian manufacturer, delivering Agent Tesla via a PPAM PowerPoint add-in. The campaign uses a multi-stage dropper with Bit.ly and MediaFire stages, ends with PowerShell-bas…
Microsoft Power BI is being impersonated in a credential-harvesting campaign that uses realistic-looking notification emails and fake sign-in pages to collect Microsoft account credentials. The campaign leverages stolen credentials to create believable notific…
Ukrainian banks and government websites were targeted by a moderate DDoS campaign attributed to the Katana botnet, a Mirai variant used to flood services. Preparation for the attack appears to have begun as early as February 13, with delivery through exploited…
Researchers link VBA-based samples to threat actors in South Asia, showing code reuse across groups such as Transparent Tribe, SideCopy, Donot, and Hangover through final payloads like CrimsonRAT and ObliqueRAT. The findings emphasize shared VBA patterns, cros…
Mandiant ties a campaign that uses SEO poisoning to distribute BATLOADER and ATERA Agent to techniques disclosed after a CONTI ransomware affiliate leak in August 2021. The report also provides extensive indicators, a YARA rule, and a MITRE ATT&CK mapping span…