All attack reports

APT-C-01, known as Poison Ivy, is a persistent threat group targeting defense, government, technology, and education sectors since 2007. They specialize in phishing attacks, including watering hole and spear-phishing, using personalized bait content. Recent observations show the group creating fake…

APT-C-48 (CNC), a South Asian government-backed APT group, has been targeting government, military, education, research, healthcare, and media sectors. They use spear-phishing emails with resume-related topics to deliver malicious payloads. The group modifies executable file icons to resemble PDF f…

A sophisticated threat group named TaxOff has been discovered targeting Russian government agencies. The group uses phishing emails with legal and financial themes to deliver the Trinper backdoor, a multithreaded C++ malware with advanced features. Trinper employs STL containers, custom serializati…

The Interlock ransomware is a new variant targeting Microsoft Windows and FreeBSD systems. It encrypts files and demands ransom for decryption. The malware has both Windows and FreeBSD versions, using AES-CBC encryption and adding a '.interlock' extension to encrypted files. It excludes certain fil…

Earth Estries, a Chinese APT group, has been aggressively targeting critical sectors globally since 2023. The group employs advanced techniques and multiple backdoors, including GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, to compromise organizations in telecommunications, government, and other industrie…

The Horns&Hooves campaign, active since March 2023, targets Russian businesses with malicious email attachments containing scripts that install NetSupport RAT or BurnsRAT. The campaign evolved through several versions, improving obfuscation and delivery methods. It uses decoy documents and legitima…

The Horns&Hooves campaign, active since March 2023, targets Russian businesses with malicious email attachments containing scripts that install NetSupport RAT or BurnsRAT. The campaign evolved through several versions, improving obfuscation and delivery methods. It uses decoy documents and legitima…

This analysis explores a sophisticated cyberattack attempt involving multiple Remote Access Tools (RATs) and a stealer. The attack chain begins with an email containing an exploit for CVE-2024-38213, bypassing Windows' Mark of the Web security feature. The malware uses WebDav directories and Cloudf…

ReversingLabs detected a malicious package named 'aiocpa' on PyPI, engineered to compromise cryptocurrency wallets. Unlike typical attacks, the actors published their own crypto client tool to attract users before compromising them through a malicious update. The package appeared legitimate, with m…

A groundbreaking discovery has been made in the realm of cybersecurity: the first UEFI bootkit specifically targeting Linux systems. Named 'Bootkitty,' this proof-of-concept malware marks a significant evolution in stealthy and hard-to-remove bootkit threats. Although currently limited to certain U…

The APT-C-60 group targeted organizations in Japan and East Asia with a sophisticated attack campaign. The attack begins with a phishing email containing a Google Drive link to download a VHDX file. This file includes an LNK file that executes a downloader, which then retrieves a backdoor called Sp…

A spear-phishing campaign targeting Japan since June 2024 has been identified, featuring the reemergence of the ANEL backdoor, previously used by APT10 until 2018. The campaign, attributed to Earth Kasha, targets individuals in political organizations, research institutions, and international relat…