All attack reports
SilentSelfie: Revealing a major campaign against Kurdish websites
A large-scale cyber espionage campaign targeting Kurdish websites was uncovered, involving 25 compromised sites using four variants of malicious scripts. The attacks ranged from simple location tracking to prompting users to install malicious Android apps. Despite lacking sophisticated techniques, …
Downloadable IOCs 0
European Banks Already Under Attack by New Malware Variant
A new version of the Octo malware, named Octo2, has emerged as a significant threat to European banks. This variant builds upon the capabilities of its predecessor, which was already a dominant force in mobile malware. Octo2 features improved remote access capabilities, sophisticated obfuscation te…
Downloadable IOCs 0
Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale
A new cryptojacking campaign targeting Docker Engine API has been discovered, with the ability to move laterally to Docker Swarm, Kubernetes, and SSH servers. The attackers exploit exposed Docker API endpoints to deploy cryptocurrency miners and additional malicious payloads. They utilize Docker Hu…
Downloadable IOCs 41
Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper Dz
Unit42 explores Sniper Dz, a popular phishing-as-a-service (PhaaS) platform targeting social media and online services. Over 140,000 phishing websites associated with Sniper Dz were identified in the past year. The platform offers an admin panel with phishing page catalogs, allowing users to host o…
Downloadable IOCs 7
Security Brief: Actor Uses Compromised Accounts, Customized Social Engineering to Target Transport and Logistics Firms with Malware
A threat actor is targeting transportation and logistics companies in North America with malware campaigns. The actor uses compromised email accounts to inject malicious content into existing conversations, making messages appear legitimate. Campaigns primarily deliver Lumma Stealer, StealC, NetSup…
Downloadable IOCs 23
Analysis of APT-C-00 (OceanLotus) Double Loader and Related VMP Loader
The report discusses recent attacks by APT-C-00 (OceanLotus), a state-sponsored hacking group. It analyzes two types of loaders used in their 2024 campaigns: a double loader and a VMP-protected version. The double loader consists of two modules: an MSVC DLL for initial information gathering and a G…
Downloadable IOCs 1
Kryptina RaaS - From Unsellable Cast-Off to Enterprise Ransomware
This analysis examines the evolution of Kryptina, a ransomware-as-a-service platform, from a free tool on public forums to being actively used in enterprise attacks under the Mallox ransomware family. In May 2024, a Mallox affiliate leaked staging server data, revealing their Linux ransomware was b…
Downloadable IOCs 21
How Ransomhub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections
The RansomHub ransomware, attributed to a group tracked as Water Bakunawa, employs sophisticated anti-EDR techniques to evade security solutions. Its attack chain includes exploiting vulnerabilities like Zerologon, using EDRKillShifter to disable endpoint protection, and employing various evasion s…
Downloadable IOCs 9
ReadText34 Ransomware Incident
A ransomware attack was observed in September 2024, targeting an endpoint with limited visibility. The threat actor used stolen Administrator credentials to enable RDP and deploy malicious executables. They installed a vulnerable driver, TrueSight RogueKiller Antirootkit, to disable security applic…
Downloadable IOCs 6
Uncovering ICICI Phishing Campaign: New Fraud App Found
A malicious host mimicking ICICI Bank has been discovered, along with a fraudulent app disguised as ICICI Helpdesk. The phishing domain, cppcccare.com, is hosted on an ASN known for various malicious activities. The fraudulent app, named 'ICICI.apk', is detected as a Trojan Banker, Keylogger, and S…
Downloadable IOCs 3
Behind the CAPTCHA: A Clever Gateway of Malware
A sophisticated infection chain dubbed ClickFix has been observed using fake CAPTCHA pages to distribute Lumma Stealer malware. The campaign targets multiple countries through two main vectors: cracked game download URLs and phishing emails impersonating GitHub. Users are tricked into executing mal…
Downloadable IOCs 7
Unmasking MuddyWater's Multiple RMM Software Attacks
MuddyWater, a threat group active since 2017, has been utilizing various Remote Monitoring and Management (RMM) software for attacks, particularly in the Middle East. Their tactics include spear-phishing emails with malicious attachments or links, leading to the installation of RMM tools like Atera…
Downloadable IOCs 49