All attack reports
Case of Malware Distribution Linking to Illegal Gambling Website Targeting Korean Web Server
This report examines a malware strain distributed to web servers in South Korea that redirects users to an illegal gambling site. The threat actor installed a Meterpreter backdoor, a port forwarding tool, and an IIS module malware on a compromised web server. The IIS module inspects HTTP headers an…
RemcosRAT Distributed Using Steganography
Security researchers have discovered a campaign distributing RemcosRAT through a sophisticated infection chain involving steganography techniques. The attack starts with a malicious Word document exploiting template injection, leading to the download of an RTF file that leverages an equation editor…
HijackLoader Updates
HijackLoader, also known as IDAT Loader, is a modular malware loader capable of executing multiple payloads. It utilizes a variety of modules for code injection, execution, and evasion techniques. This report analyzes the updated version of HijackLoader, which includes new modules for bypassing Win…
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
New Pakistan-based Cyber Espionage Group’s Year-Long Campaign Targeting Indian Defense Forces with Android Malware
CYFIRMA researchers identified an Android malware campaign, active for over a year, targeting Indian defense personnel by an unidentified Pakistan-based cyber espionage group. The threat actor utilized Spynote or a modified version called Craxs Rat, obfuscating the app with high complexity. Through…
Smart-sex-toy users targeted by clicker trojan
Virus analysts at Doctor Web uncovered an Android application containing a clicker trojan that silently opens advertising sites and clicks on webpages. Such trojans can be used to stealthily display ads, generate click fraud, sign up unsuspecting victims for paid subscriptions or launch DDoS attack…
SecretCalls: A Formidable App of Notorious Korean Financial Fraudster
Voice phishing groups in South Korea build phishing pages and apps like SecretCalls to trick victims into installing malware and accessing phishing sites for financial fraud. Detailed analysis of SecretCalls Loader reveals anti-analysis techniques like DEX encryption, emulator detection, and instal…
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Malware: Behaves Like Cross Between Infostealer and Spyware
On April 24, 2024, we found a previously undetected malicious Mach-O binary programmed to behave like a cross between spyware and an infostealer. We have named the malware Cuckoo, after the bird that lays its eggs in the nests of other birds and steals the host's resources for the gain of its young.
Untangling Iran's APT42 Operations
APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. The actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services and activists.
New Goldoon Botnet Targeting D-Link Devices
In April 2024, FortiGuard Labs observed a new botnet exploiting a nearly decade-old D-Link vulnerability to take control of devices and incorporate them into a botnet used to launch attacks. The malware, named Goldoon, establishes persistence and connects to a C2 server to receive commands, includi…
Graph: Growing number of threats leveraging Microsoft API
An increasing number of cyber threats have adopted the use of the Microsoft Graph API to facilitate covert communications with command-and-control infrastructure hosted on Microsoft cloud services. This technique helps attackers blend in with legitimate traffic to cloud platforms and obtain infrast…