All attack reports
BlackSuit Ransomware: Insights and Defense Strategies
This report provides an in-depth analysis of the BlackSuit ransomware, a threat that has been actively targeting various sectors since May 2023. It presents statistics from incident response engagements, explores the ransomware's behavior and technical analysis, and offers insights into the potenti…
Downloadable IOCs 8
Exposing Attack Operations Utilizing PyPI Against Windows, Linux and macOS Platforms
The report details the APT-C-26 (Lazarus) group's recent attack campaign utilizing malicious Python packages hosted on the PyPI repository to deliver payloads targeting multiple platforms including Windows, Linux, and macOS. It analyzes the attack flow, delivery methods, and malware components invo…
Downloadable IOCs 28
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
The Hidden Danger of PDF Files with Embedded QR Codes
The report describes how malware authors are abusing PDF files with embedded QR codes to deceive users into visiting malicious phishing URLs disguised as legitimate services. The QR codes redirect users to fake Microsoft login pages designed to harvest credentials and potentially gain unauthorized …
Downloadable IOCs 1
New Threat: A Deep Dive Into the Zergeca Botnet
An analysis of a newly discovered botnet named Zergeca, implemented in Go, with capabilities for DDoS attacks, proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information. The report delves into the botnet's unique features, in…
Downloadable IOCs 13
Turning Jenkins Into a Cryptomining Machine From an Attacker's Perspective
This report analyzes how threat actors can exploit misconfigured Jenkins servers to execute malicious Groovy scripts, leading to activities like deploying cryptocurrency miners. Misconfigurations exposing the /script endpoint allow remote code execution, enabling attackers to run scripts that downl…
Downloadable IOCs 4
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
Exploring the Infection Chain: ScreenConnect's Link to AsyncRAT Deployment
In June 2024, eSentire's Threat Response Unit observed several incidents involving users downloading the ScreenConnect remote access client, potentially facilitated through drive-by downloads. Threat actors exploited ScreenConnect to establish unauthorized remote sessions, ultimately deploying the …
Downloadable IOCs 77
Death Stealer forked from PowerShell Token Grabber
The report analyzes Kematian Stealer, a sophisticated PowerShell-based malware that exfiltrates sensitive data from infected systems. It is a forked version of PowerShell Token Grabber, with added capabilities like GUI builder, anti-analysis features, and stealing WiFi passwords, screenshots, and s…
Downloadable IOCs 0
Mekotio Banking Trojan Threatens Financial Systems in Latin America
The Mekotio banking trojan, active since 2015, primarily targets Latin American countries to steal sensitive banking credentials through phishing emails containing malicious links or attachments. Upon execution, it gathers system information, connects to a command-and-control server, and performs c…
Downloadable IOCs 15
Mallox Ransomware: Linux Variant Decryptor Found
The report analyzes the Mallox ransomware, which has been active since mid-2021 and focuses on multi-extortion by encrypting victims' data and threatening to post it on public TOR sites. Initially targeting Windows systems, Mallox has now developed Linux variants using custom Python scripts for pay…
Downloadable IOCs 5
Dissecting GootLoader With Node.js
This article demonstrates how to circumvent anti-analysis techniques employed by GootLoader malware while utilizing Node.js debugging in Visual Studio Code. GootLoader JavaScript files employ an evasion technique that can pose a formidable challenge for sandboxes attempting to analyze the malware. …
Downloadable IOCs 2