All attack reports
DISGOMOJI Malware Used to Target Indian Government
Volexity identified a cyber-espionage campaign by a suspected Pakistan-based threat actor tracked as UTA0137 targeting government entities in India. The campaign leveraged the DISGOMOJI malware, a Golang-based Linux trojan that uses Discord for command and control via emojis. Key capabilities inclu…
Downloadable IOCs 149
Bondnet Using High-Performance Bots For C2 Server
Security researchers at ASEC have discovered that a threat actor is using high-performance bots to turn compromised systems into their command-and-control (C2) servers, using tools such as the Cloudflare tunneling client.
Downloadable IOCs 27
From Clipboard to Compromise: A PowerShell Self-Pwn
This intelligence report details a unique social engineering technique observed by Proofpoint researchers, which tricks users into copying and pasting malicious PowerShell scripts to infect their own computers. The threat actors TA571 and the ClearFake activity cluster employ this method to deliver malware like Dar…
Downloadable IOCs 14
Analysis of Attack Case Installing VPN on Korean ERP Server
This analysis examines an attack where a threat actor compromised a Korean company's ERP server, initially accessing it through a poorly secured MS-SQL service. The actor installed a web shell, stole credentials, and ultimately set up SoftEther VPN on the server, likely to use it as part of a comma…
Downloadable IOCs 11
The Digital Legacy of Botnet 911 S5
The report provides an in-depth analysis of the notorious Botnet 911 S5, revealing its origins, operations, and digital remnants. It traces the botnet's evolution, from its inception in 2014 to its eventual demise in 2024, after a joint law enforcement operation. The botnet leveraged free VPN softw…
Downloadable IOCs 35
DERO cryptojacking adopts new techniques to evade detection
This report examines the threat actors behind a 2023 cryptojacking campaign targeting misconfigured Kubernetes clusters, focusing on their evolving techniques to avoid detection. It analyzes the malicious Docker images they deployed, the hardcoded wallet and pool information in the DERO miner binar…
Downloadable IOCs 18
Operation Celestial Force employs mobile and desktop malware to target Indian entities
Cisco Talos is disclosing a new malware campaign called 'Operation Celestial Force' conducted by a Pakistani nexus of threat actors called 'Cosmic Leopard'. This multi-year operation has been targeting Indian entities and individuals since at least 2018, employing GravityRAT (an Android …
Downloadable IOCs 142
Arid Viper poisons Android apps with AridSpy
ESET researchers identified five campaigns targeting Android users with trojanized apps that deploy multistage Android spyware called AridSpy. This malware, attributed with medium confidence to the Arid Viper APT group, focuses on user data espionage. AridSpy downloads additional payloads from its …
Downloadable IOCs 37
Botnet Installing NiceRAT Malware
This analysis discusses the proliferation of botnets constructed through the distribution of malware disguised as legitimate software. These botnets are subsequently leveraged to install additional malware strains, including NiceRAT, a Python-based Remote Access Tool (RAT) capable of collecting sys…
Downloadable IOCs 24
Keylogger Installed Using MS Office Equation Editor Vulnerability (Kimsuky)
This technical analysis examines a campaign by the Kimsuky threat group that exploited a vulnerability (CVE-2017-11882) in the Microsoft Office Equation Editor to distribute malware. The attackers used mshta.exe to run a malicious script that downloads additional components, including a keylogger. …
Downloadable IOCs 0
Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day
Recent analysis by a cybersecurity firm suggests that a ransomware group might have exploited a Windows privilege escalation vulnerability, CVE-2024-26169, before it was patched. The vulnerability, which was addressed in March 2024, could allow attackers to elevate their privileges. Evidence from a…
Downloadable IOCs 5
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6