Check Point Research details how Azov ransomware functions as a polymorphic wiper, including its ability to backdoor 64-bit executables and leverage the SmokeLoader botnet for distribution. The analysis notes an advanced, assembly-built payload with anti-analy…
Tag: ZERO-DAY
Cloud compute credential attacks target misconfigured cloud compute services to steal credentials and gain access to cloud infrastructure, causing costly resource usage and remediation work. The article presents two real-world cases—one in AWS Lambda and one in Googl…
Magniber has evolved to bypass Mark of the Web (MOTW) protections by using script-based delivery and a digital signature, while continuing to adapt delivery methods such as typosquatting. The analysis highlights how MOTW, UAC bypass via fodhelper, and registry…
Two zero-day Exchange vulnerabilities, CVE-2022-41040 and CVE-2022-41082 (ProxyNotShell), are being actively exploited in the wild, with over 1.6 million exploit attempts observed across 4 million protected websites. The activity shows GET-based probing agains…
Researchers analyzed a Go-based BlackByte variant and uncovered an advanced technique to bypass security products by abusing a legitimate but vulnerable driver (RTCore64.sys) to disable protection. The technique, a “Bring Your Own [Vulnerable] Driver” approach…
As endpoint detection and response (EDR) solutions improve malware detection efficacy on Windows systems, certain state-sponsored threat actors have shifted to developing and deploying malware on systems that do not generally support EDR, such as network appliances, SAN arrays, and VMware ESXi servers. Earlier this year, Mandiant identified a novel malware ecosystem…
Recorded Future analyzes TA413, a Chinese state-sponsored group, detailing campaigns against the Tibetan community and the adoption of new capabilities, including the LOWZERO backdoor and exploitation of zero-days such as CVE-2022-1040 and Follina. The report …
Symantec observes Webworm using customized versions of three older RATs (Trochilus, Gh0st RAT, and 9002 RAT) with decoy documents and loaders, in attacks linked to the Space Pirates group and aimed at government and IT/service targets across Asia. The activity…
Wordfence warned of an actively exploited zero-day vulnerability in BackupBuddy that allowed unauthenticated file downloads from WordPress sites. Wordfence blocked nearly 5 million attacks since August 26, 2022, and a patched version 8.7.5 was released on Septembe…
Check Point Research uncovered Nitrokod, a Turkish-based crypto-miner campaign that hides malware in legitimate-looking apps like Google Translate Desktop and has infected machines across 11 countries. The operation uses a multi-stage infection chain with long…
BPFDoor is a Linux/Unix backdoor that attaches Berkeley Packet Filter (BPF) programs to raw sockets to inspect incoming traffic without opening a listening port, and supports multiple C2 protocols (TCP, UDP, ICMP), enabling stealthy remote access. The BPFDoor campaign is attributed to the Chinese threat actor Red Mens…
Avast Threat Labs uncovered a targeted zero-day in Google Chrome (CVE-2022-2294) used in the wild to attack Avast users in the Middle East, including Lebanese journalists. The campaign combined watering hole attacks, a Chrome WebRTC exploit chain, and a BYOVD …
Pegasus spyware was used against Thailand’s pro-democracy movement, with at least 30 civil society victims infected between October 2020 and November 2021, triggering Apple security notifications in November 2021 and a collaborative forensic investigation. The…
Resecurity reports attackers are increasingly using tools to generate malicious shortcut files (.LNK) for payload delivery, with MLNK Builder 4.2 adding AV evasion and icon masquerading. Campaigns by APT groups and cybercriminals—including Bumblebee Loader and…
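As an added example (not Resecurity's tooling or code from the report summarized above), the following Python script parses the fixed header and StringData section of a Shell Link (.LNK) file and flags the icon-masquerading pattern the summary describes: a shortcut whose icon is borrowed from a document or system DLL while its target launches a script host. The sample shortcuts are constructed by `build_lnk` (minimal links with no IDList or LinkInfo); the `SCRIPT_HOSTS` and `DECOY_ICON_HINTS` lists, the 260-character display limit check, and the minimized-window check are heuristic choices for this example, not indicators taken from the report.

```python
import struct

# LinkFlags bits from the Shell Link binary format (MS-SHLLINK, section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C
SW_SHOWMINNOACTIVE = 7  # window starts minimized, frequently chosen by malicious shortcuts

# Heuristic lists: assumptions made for this example, not indicators from the report
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil")
DECOY_ICON_HINTS = (".pdf", ".doc", ".xls", ".txt", ".jpg", ".png", "shell32.dll", "imageres.dll")
PROPERTIES_DIALOG_LIMIT = 260  # Explorer's Properties dialog shows only this many target characters

# StringData fields appear in this fixed order, each present only if its flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def build_lnk(relative_path, arguments, icon_location, icon_index=0, show_command=1):
    """Build a minimal Unicode .LNK (no IDList, no LinkInfo). Constructed test sample only."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIiIHHII",
        HEADER_SIZE, LNK_CLSID, flags,
        0,             # FileAttributes
        0, 0, 0,       # CreationTime, AccessTime, WriteTime
        0,             # FileSize
        icon_index,    # IconIndex
        show_command,  # ShowCommand
        0, 0, 0, 0,    # HotKey, Reserved1, Reserved2, Reserved3
    )

    def string_data(text):
        # CountCharacters (uint16) followed by UTF-16LE characters, no terminator
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + string_data(icon_location)


def parse_lnk(data):
    """Parse the ShellLinkHeader and StringData; IDList and LinkInfo are skipped by size."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    icon_index, show_command = struct.unpack_from("<iI", data, 56)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (uint16) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (uint32) includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"flags": flags, "icon_index": icon_index, "show_command": show_command}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return fields


def triage_lnk(data):
    """Flag a shortcut that hides a script host behind a decoy icon or padded arguments."""
    f = parse_lnk(data)
    target = (f.get("relative_path", "") + " " + f.get("arguments", "")).lower()
    icon = f.get("icon_location", "").lower()
    findings = []
    host = next((h for h in SCRIPT_HOSTS if h in target), None)
    if host:
        findings.append(f"target launches {host}")
        if any(hint in icon for hint in DECOY_ICON_HINTS):
            findings.append(f"icon masquerade: icon taken from '{icon}' while launching {host}")
    if len(f.get("arguments", "")) > PROPERTIES_DIALOG_LIMIT:
        findings.append("arguments exceed what the Properties dialog displays (likely padding)")
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimized (SW_SHOWMINNOACTIVE)")
    # A script host alone is common in admin shortcuts; require a disguise trait as well
    suspicious = host is not None and len(findings) >= 2
    return {"fields": f, "findings": findings, "suspicious": suspicious}


if __name__ == "__main__":
    sample = build_lnk(
        "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "-w hidden -nop -c Start-Process notepad.exe" + " " * 300,
        "%SystemRoot%\\System32\\shell32.dll", icon_index=1, show_command=SW_SHOWMINNOACTIVE)
    for line in triage_lnk(sample)["findings"]:
        print(line)
```

The parser only walks far enough to reach StringData; real shortcuts usually carry an IDList, LinkInfo and trailing ExtraData blocks, which the size fields let it skip. The triage deliberately treats a script-host target on its own as benign, since administrators create such shortcuts routinely, and only reports when the disguise traits described in the summary accompany it.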
Black Basta expanded its repertoire by employing QakBot as an entry point and using the PrintNightmare flaw to perform privileged file operations. It also leveraged the Coroxy backdoor and Netcat for lateral movement across networks. #BlackBasta #QakBot