ASEC documents renewed campaigns distributing SparkRAT through a VPN installer, aided by GoLang-based droppers and MeshAgent to enable remote control via MeshCentral. The operation mirrors past activity but shifts to GoLang malware while expanding remote-deskt…
Researchers from ReversingLabs uncovered malicious npm packages that masquerade as legitimate dependencies, embedding a TurkoRat-based PE and enabling data theft. The attacks leverage typosquatting and deceptive naming to spread, and when the pieces are analyz…
ASEC reports SparkRAT was found distributed inside a VPN installer, indicating a supply-chain style compromise. The dropper creates SparkRAT in a local path, registers it for persistence, and enables remote control, information theft, and other malicious actio…
A malicious PyPI package named termcolour reappeared in March as a three-stage downloader, illustrating how repurposing an abandoned package name can seed a supply-chain attack. The incident shows how PyPI’s name-reuse policy and lack of visibility into who re…
Symantec’s Threat Hunter Team links a broader X_Trader software supply chain attack to multiple victims, including two critical infrastructure organizations in the energy sector in the U.S. and Europe, plus two other financial trading firms. The operation uses…
The Lazarus group’s DeathNote cluster uses weaponized Word documents with decoys related to cryptocurrency to drop multi-stage payloads, evolving to target defense contractors and supply chains with new infection methods like remote template injection and Troj…
JFrog Security analyzes a NuGet supply-chain attack delivering Impala Stealer, a custom crypto stealer used against Exodus Wallet via typosquatting NuGet packages. The campaign uses a two-stage payload: a PowerShell init.ps1 that downloads and runs a Windows e…
Malicious campaigns targeting open-source npm ecosystems trigger a flood of spam, SEO poisoning, and malware infections, leading to npm instability and service outages. The operations span malware drops, referral scams tied to AliExpress, and crypto scams, und…
Security researchers analyzed a 3CX supply-chain attack and found that manipulated MSI installers of 3CXDesktopApp deliver a malicious DLL which decrypts and executes shellcode, dropping a backdoor named Gopuram along with an infostealer. Attribution points to…
Sysdig’s Threat Research Team (TRT) uncovered proxyjacking, where attackers leverage the Log4j vulnerability to gain access to a container and then turn compromised pods into proxy servers to monetize IP addresses via proxyware services such as Pawns.app, IPRo…
Volexity analyzed a supply-chain compromise of the 3CX Desktop App in which a malicious ffmpeg library inserted into signed installers decoded encrypted blobs, fetched staged payloads, and reflectively loaded a 64-bit information-stealer dubbed ICONIC/ICONICST…
JFrog Security Research uncovered a sophisticated NuGet-based campaign targeting .NET developers, employing typosquatting and deceptive metadata to push a PowerShell-based dropper that downloads a second-stage Impala payload. The attack demonstrates how NuGet …
ESET linked a campaign to the Tick APT group targeting an East Asian data-loss prevention (DLP) software developer, where attackers trojanized installers and compromised update servers to spread malware to the company’s customers. The operation involved Shadow…
Checkmarx researchers uncovered a mass-spam campaign in the NPM ecosystem where automated processes published thousands of malicious packages that link to phishing campaigns. The operation involved automated package creation, masquerading as legitimate entries…
Researchers from ReversingLabs found a surge of malicious PyPI packages masquerading as HTTP libraries, using typosquatting and deceptive naming to distribute downloaders and info stealers. The campaign shows how open-source repositories continue to be abused …