All attack reports

A phishing campaign disguised as an end-of-year leave approval notice has been intercepted by the Cofense Phishing Defense Center. The malicious email, masquerading as HR communication, tricks recipients into clicking a link that leads to the deployment of FormBook malware. The email contains red f…

A large U.S. entity with significant operations in China faced a four-month-long cyber intrusion, likely conducted by a China-based threat actor. The attackers obtained persistent network access, laterally moved across systems, compromised Exchange servers to harvest emails, and deployed exfiltrati…

The article describes the experiences of a Senior Security Strategist at Talos, highlighting the unique blend of technical expertise and communication skills required for the role. It emphasizes the importance of supporting NGOs in cybersecurity, detailing the author's involvement with the NGO-ISAC…

A joint investigation by The First Department and The Citizen Lab uncovered spyware covertly implanted on a Russian programmer's phone after it was confiscated by authorities. The individual, accused of sending money to Ukraine, was subjected to beatings and recruitment attempts by the FSB during h…

BlueAlpha, a Russian state-sponsored cyber threat group, has evolved its malware delivery tactics by exploiting Cloudflare Tunnels to conceal GammaDrop staging infrastructure. The group employs HTML smuggling with sophisticated modifications to bypass email security systems and uses DNS fast-fluxin…

BlueAlpha, a Russian state-sponsored cyber threat group, has evolved its malware delivery tactics by exploiting Cloudflare Tunnels to conceal GammaDrop staging infrastructure. The group employs HTML smuggling with sophisticated modifications to bypass email security systems and uses DNS fast-fluxin…

A sophisticated cyberattack campaign targeting the manufacturing industry has been identified, utilizing a deceptive LNK file disguised as a PDF document. The attack leverages multiple Living-off-the-Land Binaries and Google Accelerated Mobile Pages to evade detection. The threat actor employs vari…

Earth Minotaur, a threat actor targeting Tibetan and Uyghur communities, utilizes the MOONSHINE exploit kit to compromise Android devices and install the DarkNimbus backdoor. The exploit kit targets vulnerabilities in instant messaging apps, particularly WeChat, and has been updated with new exploi…

A Russian-based threat actor, Secret Blizzard, has infiltrated 33 command-and-control nodes of a Pakistani-based actor, Storm-0156. Over two years, Secret Blizzard leveraged this access to deploy malware into Afghan government networks and potentially acquired data from Pakistani operators' worksta…

The Russian state-sponsored threat actor Secret Blizzard has been observed compromising the infrastructure of Storm-0156, a Pakistan-based espionage group, to conduct their own espionage operations. Since November 2022, Secret Blizzard has used Storm-0156's backdoors to deploy their own malware on …

A new malware called Pronsis Loader has been discovered, with similarities to D3F@ck Loader. Both use JPHP-compiled executables, but Pronsis uses NSIS for installation instead of Inno Setup. Pronsis Loader typically delivers Lumma Stealer and Latrodectus payloads. It employs defense evasion techniq…

This analysis explores the Rockstar 2FA phishing-as-a-service kit, focusing on real-world email campaign examples. It highlights various techniques used by attackers, including the abuse of legitimate services for FUD (Fully Undetectable) links, such as Microsoft OneDrive, OneNote, Dynamics 365, At…