All attack reports
Threat actor impersonates Google via fake ad for Authenticator
An unknown threat actor created a deceptive advertisement that appeared to come from a reputable company, enticing users to click on it and visit a malicious website. The site hosted a digitally signed malicious file disguised as a popular multi-factor authentication application. Upon executio…
Downloadable IOCs 5
Mint Stealer: A Comprehensive Study of a Python-Based Information Stealer
This Cyfirma report offers a comprehensive analysis of Mint Stealer, an information-stealing malware operating within a malware-as-a-service (MaaS) framework. Mint Stealer targets sensitive data and uses sophisticated techniques to evade detection. This in-depth study explores Mint Stealer's ev…
Downloadable IOCs 10
Analysis of Golang Payload and Information Theft Campaign
The report details a recent cyber attack campaign attributed to the APT-C-09 (Patchwork) threat group, which has historically targeted Pakistan and surrounding nations. The campaign employed a novel Golang malware payload and Quasar RAT to gather sensitive information. The analysis covers the tech…
Downloadable IOCs 8
Secret Message: Steganography Tricks of TA558 Group in Cyber Attacks on Enterprises in Russia and Belarus
F.A.C.C.T.'s Threat Intelligence analysts have investigated numerous cyberattacks by the TA558 group targeting enterprises, government institutions, and banks in Russia and Belarus. The attacks aimed to steal data and gain access to the organizations' internal systems. TA558 used multi-stage phishi…
Downloadable IOCs 74
Cryptomining Campaign Exploiting Grid Services
Wiz researchers discovered an ongoing threat campaign, dubbed 'SeleniumGreed', that exploits exposed Selenium Grid services for cryptomining. The campaign targets publicly accessible instances of Selenium Grid, an integral component of the widely used Selenium testing framework. By leveraging featu…
Downloadable IOCs 14
SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea
BlackBerry's researchers have uncovered a new campaign by the nation-state threat actor SideWinder. The group employs sophisticated techniques, such as utilizing carefully crafted phishing emails with visual lures designed to target specific organizations. The campaign aims to compromise ports and …
Downloadable IOCs 47
Mid-year Doppelganger information operations in Europe and the US
This investigation delves into information operations conducted by Russian actors known as Doppelgänger, focusing on their activities from early June to late-July 2024. It examines their tactics, associated infrastructure, and motivations, particularly in relation to the unexpected snap general ele…
Downloadable IOCs 700
New Mandrake Android spyware version discovered on Google Play
In April 2024, Securelist discovered a suspicious sample that appeared to be a new version of Mandrake. Ensuing analysis revealed as many as five Mandrake applications, which had been available on Google Play from 2022 to 2024 with more than 32,000 installs in total, while staying undetected by any …
Downloadable IOCs 9
Likely eCrime Actor Capitalizing on Falcon Sensor Issues
A cybercrime group has leveraged a content update issue with the CrowdStrike Falcon sensor to distribute malicious files targeting Latin American customers. The campaign involves a ZIP archive named 'crowdstrike-hotfix.zip' containing a HijackLoader payload that loads Remcos malware, using Spanish …
Downloadable IOCs 14
GXC Team Unmasked: The cybercriminal group targeting Spanish bank users with AI-powered phishing tools and Android malware
Group-IB discovered a Spanish-speaking criminal group, GXC Team, offering a sophisticated AI-powered phishing-as-a-service platform targeting Spanish bank customers. The group specialized in developing phishing kits, Android malware, and AI-powered scam tools. Their malicious Android app, disguised…
Downloadable IOCs 161
Malware Distributed Using Falcon Sensor Update Phishing Lure
CrowdStrike Intelligence uncovered a phishing campaign impersonating CrowdStrike and distributing malicious files containing a Microsoft Installer (MSI) loader. The loader executes the commodity stealer 'Lumma Stealer' packed with 'CypherIt'. This campaign is likely linked to a previous 'Lumma Stea…
Downloadable IOCs 32
Threat Actor Distributes Python-Based Info Stealer Using Fake Update
An unidentified threat actor exploited the July 19, 2024 Falcon sensor content issue to distribute a Python-based information stealer named Connecio. The malware was delivered via a malicious ZIP file masquerading as a Falcon update. Connecio collects system information, browser data, and exfiltrat…
Downloadable IOCs 30
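The three Falcon sensor entries above (the 'crowdstrike-hotfix.zip' HijackLoader/Remcos campaign, the MSI-borne Lumma Stealer lure, and the Connecio ZIP posing as a Falcon update) share one pattern: an archive or installer whose name borrows the vendor's product and an "update"/"hotfix" framing, delivered from a sender that is not the vendor. The following is an added example, not code from any of the listed reports or vendors, of a simple triage rule over a mail-attachment log. The log format (timestamp, sender, recipient, attachment name, hash), the sample lines, the trusted-domain list and the term lists are all constructed assumptions for illustration; the only lure name taken from the page is 'crowdstrike-hotfix.zip'.

```python
"""Flag update-themed attachments that impersonate a vendor hotfix.

Added example (not from the reports above). Log lines and field layout
are constructed for illustration, not any product's real format.
"""
import re
from dataclasses import dataclass

# Vendor/product words the lures above used, plus the update framing.
# Assumption: extend these for your own environment.
LURE_TERMS = re.compile(r"(crowdstrike|falcon)", re.I)
UPDATE_TERMS = re.compile(r"(hotfix|update|patch|fix)", re.I)
# Container/installer types the reports describe (ZIP, MSI) plus
# other executable wrappers commonly used the same way.
RISKY_EXT = re.compile(r"\.(zip|msi|exe|rar|7z)$", re.I)
# Assumption: domains a genuine vendor notice would come from.
TRUSTED_SENDER_DOMAINS = {"crowdstrike.com"}


@dataclass
class Finding:
    line_no: int
    sender: str
    filename: str
    reason: str


def parse_line(line):
    """Constructed format: <timestamp> <sender> <recipient> <attachment> <hash>."""
    parts = line.split()
    if len(parts) != 5:
        return None  # malformed lines are skipped, not treated as hits
    return tuple(parts)


def classify(line_no, rec):
    """Return a Finding when the attachment looks like a vendor-update lure."""
    _, sender, _, fname, _ = rec
    domain = sender.rsplit("@", 1)[-1].lower()
    # Both the vendor name and the update framing must appear in the name.
    if not (LURE_TERMS.search(fname) and UPDATE_TERMS.search(fname)):
        return None
    # Only archives/installers matter; a PDF named the same way is noise here.
    if not RISKY_EXT.search(fname):
        return None
    if domain in TRUSTED_SENDER_DOMAINS:
        # Sender domain alone is not proof (it can be spoofed), so keep
        # this as a lower-severity note rather than a confirmed hit.
        return Finding(line_no, sender, fname,
                       "vendor-named update from trusted domain (verify out of band)")
    return Finding(line_no, sender, fname,
                   "vendor-named update archive/installer from untrusted sender")


def scan(lines):
    """Run the rule over an iterable of log lines and return all findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        f = classify(n, rec)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample log (hashes are placeholders, not real IOCs).
SAMPLE_LOG = [
    "2024-07-19T14:02:11Z it-support@example-helpdesk.net user1@corp.example crowdstrike-hotfix.zip hash-a",
    "2024-07-19T14:05:40Z alerts@example-notify.com user2@corp.example Falcon_Sensor_Update.msi hash-b",
    "2024-07-19T14:07:02Z support@crowdstrike.com user3@corp.example falcon-sensor-hotfix.zip hash-c",
    "2024-07-19T14:09:15Z finance@corp.example user4@corp.example quarterly-report.pdf hash-d",
    "2024-07-19T14:10:00Z user5@corp.example user6@corp.example crowdstrike_logs.zip hash-e",
    "malformed line without the expected fields",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.filename} from {f.sender}: {f.reason}")
```

The rule is deliberately narrow: it requires the vendor name, the update framing and a risky container type together, so a ZIP of agent logs or a PDF about the outage does not fire. The trusted-domain branch exists because sender domains can be spoofed; the point of keeping it as a note is that any "update" arriving as a ZIP or MSI should be confirmed through the vendor's own channel rather than trusted on the strength of the From header.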