All attack reports
EXPOSED: OnlyFans Hack Gone Wrong - How Cyber Criminals Turn into Victims Overnight
A sophisticated operation has been uncovered that turns aspiring OnlyFans hackers into victims. A user named Bilalkhanicom offered a tool to 'check' OnlyFans accounts on a hacking forum, which turned out to be a delivery system for Lummac stealer malware. This malware, developed by a threat actor k…
Downloadable IOCs: 9
BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar
BlindEagle, an advanced persistent threat actor, has been observed targeting the Colombian insurance sector using the BlotchyQuasar Remote Access Trojan. The attack chain begins with phishing emails impersonating the Colombian tax authority, containing links to malware hosted on compromised Google …
Downloadable IOCs: 16
Predator Spyware Infrastructure Returns Following Exposure and Sanctions
Predator spyware's infrastructure has resurfaced with modifications to evade detection and anonymize users, despite previous exposure and sanctions. The spyware continues to pose significant risks, especially to high-profile individuals in countries like the Democratic Republic of the Congo and Ang…
Downloadable IOCs: 16
Toneshell Backdoor Used to Target Attendees of the IISS Defence Summit
A cyber espionage campaign using the ToneShell backdoor, associated with Mustang Panda, has been detected targeting attendees of the 2024 IISS Defence Summit in Prague. The attack utilizes a malicious PIF file masquerading as summit documents, which drops SFFWallpaperCore.exe and libemb.dll. The ma…
Downloadable IOCs: 4
Tropic Trooper spies on government entities in the Middle East
Tropic Trooper, a Chinese-speaking APT group active since 2011, has expanded its operations to target government entities in the Middle East. The group deployed a new variant of the China Chopper web shell on a compromised Umbraco CMS server, along with other post-exploitation tools and backdoor im…
Downloadable IOCs: 7
Mallox ransomware: in-depth analysis and evolution
Mallox is a sophisticated ransomware family that emerged in 2021 and has since evolved into a Ransomware-as-a-Service (RaaS) operation. Initially targeting specific companies, it transitioned to a more generic approach, likely as part of its RaaS model. The malware employs complex encryption scheme…
Downloadable IOCs: 7
Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion
A new multiplatform backdoor named KTLVdoor, written in Golang with versions for Windows and Linux, has been discovered during monitoring of the Chinese-speaking threat actor Earth Lusca. This highly obfuscated malware impersonates system utilities and allows attackers to control infected systems, …
Downloadable IOCs: 180
PowerShell Keylogger
A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It im…
Downloadable IOCs: 3
Emansrepo Stealer: Multi-Vector Attack Chains
A Python infostealer named Emansrepo has been observed since November 2023, distributed via phishing emails containing fake purchase orders and invoices. The malware steals browser data, credit card information, and files, sending them to the attacker's email. The attack chain has evolved, becoming…
Downloadable IOCs: 42
DarkCracks, an advanced malicious payload & upgrade framework utilizing hacked GLPI and WordPress sites as intermediaries
DarkCracks is a sophisticated malware framework that exploits compromised GLPI and WordPress sites as intermediaries for payload delivery and command and control. It collects sensitive information from infected devices, maintains long-term access, and uses them as nodes to control other devices or …
Downloadable IOCs: 55
Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads
Multiple Microsoft Office documents generated by the MacroPack framework have been discovered, likely used by malicious actors to deploy various payloads. These documents, uploaded to VirusTotal between May and July 2024, originated from different countries including China, Pakistan, Russia, and th…
Downloadable IOCs: 16
Zharkbot Strings
Zharkbot is a C++ downloader with extensive anti-analysis and anti-sandbox features. It uses in-line string encryption and API calls, making static and emulation analysis challenging. The malware performs sandbox detection by checking for specific usernames and hypervisors. It installs itself in th…
Downloadable IOCs: 2