All attack reports
DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine
This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
Downloadable IOCs: 14
Operation Crimson Palace: A Technical Deep Dive
Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…
Downloadable IOCs: 138
RansomHub: New Ransomware with Origins in Older Knight
A rapidly emerging operation called RansomHub has grown into one of the largest ransomware threats currently active. Analysis reveals RansomHub is likely an updated and rebranded version of the older Knight ransomware, suggesting the developers bought Knight's source code after its develope…
Downloadable IOCs: 14
Suspicious DNS Probing Operation Amplified
This analysis discusses a large-scale domain name system (DNS) probing operation that targets open resolvers globally. An actor operating from the China Education and Research Network is conducting these probes, sending queries with encoded IP addresses to identify and measure responses from open D…
Downloadable IOCs: 17
Malware botnet installing NiceRAT
This report discusses a botnet that has been active since 2019, distributing various malware such as NiceRAT, Nitol, and NanoCore. The botnet is spread through disguised cracked programs, shared on domestic file-sharing sites and blogs, posing as genuine software activators or game server tools. On…
Downloadable IOCs: 24
DarkGate switches up its tactics with new payload, email templates
This analysis delves into a recent surge of malicious email campaigns by the DarkGate threat actor, employing novel tactics to distribute malware. These campaigns leverage a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code…
Downloadable IOCs: 12
Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors
This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…
Downloadable IOCs: 34
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs: 15
Excel File Deploys Cobalt Strike at Ukraine
A sophisticated multi-stage cyberattack was identified, utilizing an Excel file embedded with a VBA macro designed to deploy a DLL file. The attacker employed various evasion techniques and a multi-stage malware strategy to deliver the notorious 'Cobalt Strike' payload, establishing communication w…
Downloadable IOCs: 10
The Pumpkin Eclipse - Chalubo Malware
Chalubo is a commodity remote access trojan (RAT). First identified in 2018, it employed savvy tradecraft to obfuscate its activity: it removed all files from disk to run in-memory, assumed a random process name already present on the device, and encrypted all communications with the command and contr…
Downloadable IOCs: 176
Vidar Stealer: An In-depth Analysis of an Information-Stealing Malware
Vidar Stealer is a potent malware written in C++, capable of stealing a wide range of data from the compromised system. Vidar Stealer targets user’s personal data, web-browser data, cryptocurrency wallets, financial data, sensitive files within user directories, communication applications, process …
Downloadable IOCs: 6
Snowflake Detecting and Preventing Unauthorized User Access
Snowflake is providing these IOCs as a result of an ongoing investigation into what they believe to be industry-wide, identity-based attacks with the intent to obtain customer data. Snowflake's research indicates that these types of attacks are performed with Snowflake customers’ user credentials t…
Downloadable IOCs: 63