Lazarus targeted Boeing job-seekers using a lure document, Boeing BDS MSE.docx, to deliver a DLL that mimics legitimate Notepad++ functionality. The malware exfiltrates system and process information to four C2 servers after compression, XOR encryption, and Ba…
Lazarus Group’s latest campaign rounds up a spearphishing effort using Lockheed Martin-themed doc lures to drop a multi-stage payload. The operation hijacks execution via KernelCallbackTable, uses Windows Update Client for malicious runtime, and employs GitHub…
StellarParticle is CrowdStrike’s tracked campaign tied to COZY BEAR (APT29) and the SolarWinds incident, with activity continuing against multiple organizations. The operation employs novel techniques such as browser cookie theft and O365 service principal hij…
BlackBerry researchers link the Prophet Spider Initial Access Broker (IAB) group to exploiting the Log4j (Log4Shell) vulnerabilities in VMware Horizon to break into organizations. The article outlines IoCs, observed post-exploitation payloads (cryptomining, Co…
KONNI RAT has evolved into a stealthier Remote Administration Tool under the Kimsuky umbrella, with ongoing development and updates to evade detection. The post highlights major changes (AES-protected strings and files, a move away from rundll, and enhanced ob…
A collaborative analysis by a Qianxin team examines a wave of mht/Web Archive-based attacks delivering malicious DLLs via Office macros on Glitch, noting overlaps with OceanLotus but also distinct traits. The operation uses VBA obfuscation, in-memory DLL loadi…
Fortinet FortiGuard Labs analyzes a phishing campaign that delivers a STRRAT variant as a direct attachment, bypassing the usual dropper stage. The campaign uses spoofed shipping-themed emails, obfuscated Java payloads, and a mix of C2 communications and crede…
Proofpoint details DTPacker, a two-stage .NET packer/downloader that uses Donald Trump-themed fixed keys to decrypt its second stage and deliver payloads such as Agent Tesla, Ave Maria, AsyncRAT, and FormBook. The campaigns blend varied encoding/obfuscation an…
ThreatLabz details a new Molerats APT espionage campaign targeting Middle East actors, delivering a .NET backdoor via macro-enabled Office documents and leveraging Dropbox as the C2 and data-exfiltration channel. The operation shows ties to Spark backdoor acti…
Donot Team (also known as APT-C-35 and SectorE02) is a long-running South Asia-focused threat actor linked to Windows and Android malware, with Amnesty International alleging links to an Indian cybersecurity company that may sell spyware or hackers-for-hire se…
INKY uncovered a large phishing campaign impersonating the U.S. Department of Labor, using spoofed senders and look-alike domains to target Google Workspace and Microsoft 365 users with fake bid invitations for nonexistent federal projects. Victims were led to…
Cofense PDC observed a mass phishing campaign that uses “missed voicemail” lures impersonating British Telecom to direct recipients to a spoofed BT sign-in page. Credentials entered on the fake page are exfiltrated to an external address and victims are then r…
Phishing is increasingly a preliminary step in multi-stage ransomware campaigns: attackers use phishing to gain initial access, then deploy loaders/RATs to perform reconnaissance, lateral movement, persistence and finally deliver ransomware. Detecting and bloc…
Kaspersky Lab experts discovered a targeted cyber espionage campaign in which attackers infect computers with malware that collects all recent documents on the victim’s device, archives them and sends them back to the attackers. The UEFI program is loaded before the operating system and controls all proc…
Executive Summary Babuk ransomware is a new ransomware threat discovered in 2021 that has impacted at least five big enterprises,…