All attack reports

APT-C-53 (Gamaredon), also known as Primitive Bear, Winterflounder, and BlueAlpha, is an active APT group since 2013 targeting government, defense, diplomacy, and media sectors. The analysis reveals their use of complex techniques including malicious LNK files, XHTML files, and sophisticated phishi…

Between August and October 2024, two new malware families, RevC2 and Venom Loader, were deployed using Venom Spider's Malware-as-a-Service tools. RevC2 uses WebSockets for C2 communication and can steal cookies and passwords, proxy network traffic, and enable remote code execution. Venom Loader is …

A malicious campaign targeting users of unlicensed corporate business automation software has been discovered. The attackers are distributing malicious activators on accounting forums that contain the RedLine stealer hidden in an unusual way. The activator library is obfuscated using .NET Reactor, …

A critical vulnerability in Cleo's LexiCom, VLTransfer, and Harmony software, used for file transfer management, is being actively exploited. The flaw allows unauthenticated remote code execution, affecting all versions up to and including 5.8.0.21. Attackers are exploiting this vulnerability to dr…

A resurgence of activity related to the Black Basta ransomware campaign has been observed since early October. The threat actors have refined their tactics, introducing new malware payloads, improved delivery methods, and enhanced defense evasion techniques. The attacks begin with email bombing of …

DroidBot is an advanced Android Remote Access Trojan combining hidden VNC and overlay capabilities with spyware features. It uses dual-channel communication, transmitting data via MQTT and receiving commands through HTTPS. The malware targets 77 entities, including banks and cryptocurrency exchange…

A malicious botnet called Socks5Systemz is operating a proxy service named PROXY.AM, utilizing over 85,000 compromised devices. The botnet, active since 2013, aims to turn infected systems into proxy exit nodes for cybercriminals seeking to obscure their attack sources. Initially boasting around 25…

An analysis of honeypot activity reveals a pattern of repeated curl commands targeting various websites, primarily originating from a single IP address. The commands, executed on multiple honeypots, focus on cryptocurrency-related sites, bot construction platforms, and communication services. The a…

A sophisticated scam targeting Web3 professionals has been identified, involving the Realst crypto stealer malware with variants for both macOS and Windows. The threat actors have created fake companies using AI-generated content to appear legitimate, cycling through various names like Meetio, Clus…

A malicious version of the popular AI library ultralytics was published on PyPI, containing downloader code for the XMRig coinminer. The compromise was achieved by exploiting a known GitHub Actions script injection. Two versions, 8.3.41 and 8.3.42, were affected before a clean version 8.3.43 was re…

The Termite ransomware, a rebranded version of Babuk, recently targeted supply chain management platform Blue Yonder. This new strain employs advanced tactics, including double extortion, to maximize its impact. Upon execution, it terminates services, deletes shadow copies, empties the recycle bin,…

Threat actors exploit high-profile events like global sporting championships to launch attacks through phishing and scams. The analysis focuses on trends in domain registrations, DNS traffic, URL traffic, active domains, verdict change requests, and domain textual patterns. Case studies include obs…