All attack reports
WebDAV-as-a-Service: Uncovering the infrastructure behind Emmenhtal loader distribution - Sekoia.io Blog
The Emmenhtal loader, also known as PeakLight, operates in a memory-only manner, making it difficult to detect and analyse. It is primarily used to distribute other malicious payloads, including well-known infostealers that target sensitive information.
Downloadable IOCs 120
SambaSpy – a new RAT targeting Italian users
A campaign exclusively targeting Italian users was detected in May 2024, delivering a new Remote Access Trojan (RAT) dubbed SambaSpy. The infection chain involves phishing emails impersonating a legitimate Italian real estate company, redirecting victims to a malicious website. The campaign employs…
Downloadable IOCs 24
Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors
Unit 42 researchers have uncovered an ongoing campaign involving poisoned Python packages that deliver Linux and macOS backdoors. The attackers, believed to be the North Korean-affiliated group Gleaming Pisces, uploaded malicious packages to PyPI. The campaign's objective appears to be gaining acce…
Downloadable IOCs 16
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Chinese APT abuses MSC files with GrimResource vulnerability
A Chinese Advanced Persistent Threat (APT) group has been exploiting MSC files using a new diskless shellcode technique. The campaign primarily targets government agencies and critical infrastructure in Southeast Asia, focusing on the Philippines, Vietnam, and Taiwan. The attack chain involves down…
Downloadable IOCs 30
Credential Phishing Pages Mimicking Legitimate Webmail Login Portals
Since August 2024, an India-linked threat actor has been targeting entities in China and South Asia using credential phishing pages that mimic legitimate webmail login portals. The campaign primarily focuses on government and defense sectors. The phishing domains share common characteristics, inclu…
Downloadable IOCs 20
Phishing Pages Delivered Through Refresh HTTP Response Header
Unit 42 researchers observed large-scale phishing campaigns in 2024 that abuse the Refresh entry in the HTTP response header. Unlike traditional HTML-based phishing (a meta refresh tag or script in the page body), the header is acted on by the browser before it processes any HTML content, so the victim is sent to the next page automatically, without user interaction. Attackers distribute ma…
Downloadable IOCs 7
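A detection check for the header-level redirect described above, as an added example (not code from the Unit 42 report or from the Sekoia.io page). It parses raw HTTP/1.x responses, extracts a `Refresh: <seconds>; url=<target>` header, and flags a zero-delay refresh on a 2xx response that sends the browser to a different host, which is the shape of the campaign. The sample responses and the `.invalid` hostnames are constructed for the demonstration, not captured traffic.

```python
import re
from urllib.parse import urlparse

# Constructed sample HTTP responses for demonstration; not real captures.
# Hostnames use the reserved .invalid TLD.
RESPONSES = {
    # A 200 response whose only "content" is a Refresh header that bounces the
    # browser to another host before any HTML is rendered.
    "header_refresh": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"Refresh: 0; url=https://signin.attacker.invalid/auth\r\n"
        b"Content-Length: 0\r\n"
        b"\r\n"
    ),
    # Same mechanism, but a delayed refresh that stays on the requested host.
    "same_host_refresh": (
        b"HTTP/1.1 200 OK\r\n"
        b"refresh: 5; URL='/maintenance.html'\r\n"
        b"\r\n"
        b"<html><body>Back soon.</body></html>"
    ),
    # Ordinary page with no Refresh header. The meta refresh in the body is an
    # HTML-level redirect and is deliberately not what this check looks for.
    "plain": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"\r\n"
        b"<html><head><meta http-equiv=\"refresh\" content=\"0;url=/x\"></head></html>"
    ),
}

# Refresh value: "<seconds>" optionally followed by "; url=<target>".
# Browsers accept optional quotes around the target and a case-insensitive "url".
REFRESH_RE = re.compile(
    r"^\s*(\d+)\s*(?:[;,]\s*url\s*=\s*['\"]?\s*([^'\"]*?)\s*['\"]?\s*)?$",
    re.IGNORECASE,
)


def parse_headers(raw: bytes):
    """Split a raw HTTP/1.x response into (status_line, {lower_name: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_refresh(value: str):
    """Parse 'N; url=URL' into (delay_seconds, url_or_None); None if malformed."""
    m = REFRESH_RE.match(value)
    if not m:
        return None
    return int(m.group(1)), (m.group(2) or None)


def detect_header_refresh(raw: bytes, requested_host: str):
    """Return a finding dict if the response carries a Refresh header, else None.

    The finding records the delay and target, whether the target is on a
    different host than the one requested, and whether the redirect fires
    immediately on a 2xx status (a page that "succeeds" only to bounce away).
    """
    status_line, headers, _ = parse_headers(raw)
    if "refresh" not in headers:
        return None
    parsed = parse_refresh(headers["refresh"])
    if parsed is None:
        return {"malformed": headers["refresh"]}
    delay, url = parsed
    target_host = urlparse(url).hostname if url else None
    status = int(status_line.split()[1])
    return {
        "delay": delay,
        "url": url,
        "target_host": target_host,
        "cross_host": target_host is not None
        and target_host.lower() != requested_host.lower(),
        "immediate_on_2xx": delay == 0 and 200 <= status < 300,
    }


if __name__ == "__main__":
    for name, raw in RESPONSES.items():
        print(name, detect_header_refresh(raw, "www.example.invalid"))
```

The check is intentionally header-only: a proxy or sensor that inspects only the HTML body (for meta refresh tags or JavaScript) never sees the redirect, because the browser navigates away before the body is parsed. Pairing `cross_host` with `immediate_on_2xx` is the useful signal; same-host delayed refreshes are common on maintenance pages and should not be alerted on.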
Agent Tesla Indicators of Compromise (IOC) Feed
Agent Tesla is a sophisticated malware functioning primarily as a keylogger, capable of capturing sensitive data like usernames and passwords from infected computers. It can also take screenshots, extract credentials from various software, and act as a remote access tool. The malware's versatility …
Downloadable IOCs 9
Medusa Ransomware: A Growing Threat with a Bold Online Presence
Medusa is a prominent ransomware group that emerged in 2023, targeting sectors such as healthcare, manufacturing, and education across multiple countries. Unlike typical ransomware operators, Medusa maintains a presence on both the dark web and surface web, including social media platforms. The gro…
Downloadable IOCs 11
Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities
Trend Micro researchers identified remote code execution attacks on WhatsUp Gold exploiting the Active Monitor PowerShell Script since August 30. These attacks possibly leveraged vulnerabilities CVE-2024-6670 and CVE-2024-6671, which were patched on August 16. The timeline suggests that some organi…
Downloadable IOCs 8
Binary Managed Object File (BMOF) Distributing XMRig CoinMiner
This analysis explores the use of Binary Managed Object Files (BMOFs) in distributing XMRig CoinMiner. BMOFs, compiled versions of Managed Object Files, are not inherently malicious but can be exploited due to their ability to execute scripts. The report details how threat actors utilize BMOFs with…
Downloadable IOCs 5
Marko Polo Navigates Uncharted Waters with Infostealer Empire
An analysis has uncovered a highly adaptable cybercriminal group, codenamed 'Marko Polo', that operates sophisticated scams employing information-stealing malware to target individuals and organizations globally. They primarily operate through social media, impersonating legitimate brands in sector…
Downloadable IOCs 47