All attack reports
Deserialization of VIEWSTATE: how an “unpatched” vulnerability plays into the hands of pro-government groups
At the end of 2023, the Solar 4RAYS team was investigating an attack on a Russian telecom company by an Asian advanced persistent threat (APT) group named Obstinate Mogwai (translated as "Stubborn Demon" in English). This group was persistent, repeatedly infiltrating the network until all entry poi…
Downloadable IOCs: 9
Banking trojan unleashed: Observing emerging global campaigns
IBM's X-Force has been tracking large-scale phishing campaigns distributing the Grandoreiro banking trojan, likely operated as a Malware-as-a-Service. The malware targets over 1500 global banks, enabling banking fraud in over 60 countries. The latest variant features major updates, including string…
Downloadable IOCs: 18
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs: 39
From Document to Script: Insides of Campaign
This report examines a recent malicious campaign initiated via phishing emails, seemingly from 'QuickBooks,' prompting users to install Java. Clicking the embedded link leads to downloading a malicious JAR file. The JAR contains commands to fetch additional payloads, including an obfuscated AutoIt …
Downloadable IOCs: 11
Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID
LATRODECTUS is a malware loader gaining popularity among cybercriminals, with strong connections to the ICEDID malware family. It offers standard capabilities for deploying payloads and conducting post-exploitation activities. Initially discovered by Walmart researchers in 2023, it continues evolvi…
Downloadable IOCs: 7
ViperSoftX Uses Deep Learning-based Tesseract to Exfiltrate Information
This analysis focuses on the recent activities of the ViperSoftX malware strain, which controls infected systems and steals user information. The malware is known to install additional malware payloads, including Quasar RAT and a new infostealer called TesseractStealer. TesseractStealer utilizes th…
Downloadable IOCs: 8
Payload Trends in Malicious OneNote Samples
This analysis examines the types of malicious payloads that attackers embed within Microsoft OneNote files to deceive users into executing malicious code. By analyzing approximately 6,000 malicious OneNote samples, it reveals that attackers frequently employ images resembling buttons to lure victim…
Downloadable IOCs: 550
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs: 20
SugarGh0st RAT Used to Target American Artificial Intelligence Experts
This intelligence report provides details about a SugarGh0st RAT campaign conducted by an unattributed threat actor, tracked as UNK_SweetSpecter, targeting organizations in the United States involved in artificial intelligence (AI) efforts across academia, private industry, and government. The camp…
Downloadable IOCs: 9
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs: 12
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware
The report describes a recent campaign by the threat actor Storm-1811, a financially motivated cybercriminal group known for deploying Black Basta ransomware. The campaign begins with social engineering tactics like voice phishing (vishing) and email bombing to trick users into granting remote acce…
Downloadable IOCs: 12
Ebury is alive but unseen: 400k Linux servers compromised for cryptotheft and financial gain
The Ebury malware gang is continuing to expand, with hundreds of thousands of servers compromised and used to steal cryptocurrency and credit card data, according to a paper published by ESET Research on 14 May 2024.
Downloadable IOCs: 141