Two Ukrainian targets were hit by emails delivering malicious documents that leveraged a Follina-like vulnerability and malicious macros to drop a DCRat variant. FortiGuard Labs notes the campaign revolves around Dark Crystal RAT (DCRat) with multi-stage infec…
Tag: ZERO-DAY
Cyble Research Labs highlights a rise in using Windows .lnk shortcut files to deliver payloads via LOLBins like PowerShell and mshta, including a new “Quantum Builder” tool that can create .lnk, .hta, and .iso-based payloads. The report also notes potential La…
Cerber2021 ransomware has resurfaced, delivered via exploitation of patched/unpatched vulnerabilities to target Confluence and Gitlab servers, then encrypts files on Windows and Linux with a Tor-based ransom site. The analysis details file encryption behavior,…
Volexity details a targeted Sophos Firewall breach that leveraged a zero-day remote code execution vulnerability (CVE-2022-1040) to install a webshell, establish persistence, and conduct MITM activity that extended to external systems such as CMS websites. Sop…
Two security researchers describe how crypto-mining operations leveraged Atlassian Confluence zero-day CVE-2022-26134 to drop and execute mining payloads on Linux and Windows hosts, using a multi-stage chain from initial exploitation to persistence and lateral…
Microsoft disclosed a new zero-day vulnerability in MSDT (CVE-2022-30190) that enables remote code execution. The exploit chain uses a malicious Word document to load a remote HTML file that runs PowerShell via the ms-msdt schema, with workarounds and indicato…
Checkpoint researchers analyze the evolution of XLoader, focusing on how the botnet camouflages its real C2 servers among 64 decoy domains and how later versions smarterly rotate domains to evade analysis. The article details 2.5 and 2.6 updates that use proba…
Cisco Talos detects an ongoing Bitter APT operation targeting Bangladesh since August 2021, featuring a new Trojan called ZxxZ with remote file execution capabilities. The campaign employs spear-phishing with Office exploits and a C2 infrastructure that uses A…
CaddyWiper is a Windows wiper that destroys data and wipes drives on Ukrainian infrastructure. It is delivered via Group Policy after compromising Active Directory, and follows WhisperGate, HermeticWiper, and IsaacWiper as the fourth observed in the same perio…
Morphisec Labs detects a new Remcos Trojan infection chain delivered through financial-themed phishing emails that lure users to open a malicious Excel file. The multi-stage attack uses VBScript and PowerShell to fetch further payloads from a C2, employs persi…
Mars Stealer is a modern infostealer derived from Oski, sold on underground forums with ongoing development and it targets browser credentials and cryptocurrency wallets. The Morphisec report details its delivery methods, compromised infrastructure, and expose…
Securonix Threat Labs analyzes a currently unpatched zero-day in Spring Core (Spring4Shell) and its potential for remote code execution, outlining exploit mechanics, scope, and defense. The report covers how the vulnerability differs from Log4j, mitigation/det…
Morphisec Labs reports a new JSSLoader variant delivered via unsigned XLL Excel add-ins, leveraging Excel’s add-in loading to fetch a payload. The campaign highlights evasion tactics (obfuscation and varying user-agents) and notes FIN7 as the historical threat…
Deep Instinct’s Threat Research team uncovered a new Go-written Micropsia variant named Arid Gopher attributed to APT-C-23 (Arid Viper), with additional unseen second-stage payloads. The discovery highlights Go-based malware by Arid Viper and its evolving seco…
OverWatch tracked a widespread intrusion campaign that used bundled .msi installers masquerading as legitimate software to download and execute NIGHT SPIDER’s Zloader trojan (and in some cases, Cobalt Strike). The defenders focused on anomalous behavior, low-p…