All attack reports
Threat actors ride the hype for newly released Arc browser
The release of the Arc browser for Windows sparked interest among cybercriminals, who quickly launched a malvertising campaign impersonating the new software. The scheme uses Google search ads to lure potential victims with fake Arc installers. These installers employ various techniques, including …
Downloadable IOCs 9
Static Unpacking for the Widespread NSIS-based Malicious Packer
This article examines a malicious packer family based on the Nullsoft Scriptable Install System (NSIS) used by cybercriminals to protect various malware from detection. It describes the structure of packed samples, and presents an approach for creating a tool that automatically unpacks the encrypte…
Downloadable IOCs 11
Phishing with Cloudflare Workers: Transparent Phishing and HTML Smuggling
Netskope Threat Labs has been tracking an increase in phishing campaigns hosted on Cloudflare Workers. The campaigns use techniques like HTML smuggling and transparent phishing to evade detections. The phishing pages target Microsoft and Google credentials. Netskope recommends inspecting web traffi…
Downloadable IOCs 134
Hellhounds: Operation Lahat
A group called Hellhounds has continued attacking Russian organizations into 2024 using various techniques to compromise infrastructure. Research shows malware toolkit development began in 2019. The group maintains presence inside critical organizations for years. Although based on open-source proj…
Downloadable IOCs 73
Android Banking Malware Distributed via Google Play Store
Threat actors are distributing the Anatsa Android banking malware through the Google Play store by disguising it as legitimate applications like PDF readers and QR code scanners. Once installed, Anatsa downloads its payload and steals sensitive banking credentials through the use of overlays. Anats…
Downloadable IOCs 4
Technical Analysis of Anatsa Campaigns: An Android Banking Malware Active in the Google Play Store
Threat actors are distributing the Anatsa Android banking malware through the Google Play store by disguising it as legitimate applications like PDF readers and QR code scanners. Once installed, Anatsa downloads its payload and steals sensitive banking credentials through the use of overlays. Anats…
Downloadable IOCs 0
Files with TXZ extension used as malspam attachments
A recent report describes a malspam campaign distributing malware payloads in attachments with TXZ file extensions. The attachments were RAR archives with renamed extensions, likely attempting to exploit native TXZ support in Windows 11. Two campaigns distributed the payloads, one with GuLoader mal…
Downloadable IOCs 2
A Catalog of Hazardous AV Sites – A Tale of Malware Hosting
In mid-April 2024, Trellix Advanced Research Center team members observed multiple fake AV sites hosting highly sophisticated malicious files, such as APK, EXE and Inno Setup installers, that include spyware and stealer capabilities.
Downloadable IOCs 30
UAC-0188: Targeted cyberattacks using SuperOps RMM (CERT-UA#9797)
The joint efforts of CSIRT-NBU and CERT-UA recorded and analyzed a cyber attack aimed at gaining unauthorized remote access to computers of Ukrainian organizations using SuperOps RMM, a legitimate remote computer management program.
Downloadable IOCs 28
Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion
This report details a sophisticated cyber intrusion targeting MITRE's research network (NERVE) through the exploitation of Ivanti Connect Secure zero-day vulnerabilities. The threat actor, suspected to be UNC5221, initiated the attack by gaining unauthorized access and subsequently deploying variou…
Downloadable IOCs 4
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
CatDDoS-Related Gangs Have Seen a Recent Surge in Activity
CatDDoS-related gangs remain active and have exploited over 80 vulnerabilities over the last three months, with the maximum number of targets exceeding 300 per day.
Downloadable IOCs 63