Tag: 2024-06-06
15 attack reports | 94 vulnerabilities
Attack reports
Malware Targets Message Queuing Services Applications
The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…
Downloadable IOCs 21
Operation ControlPlug: Targeted attack campaign using MSC files
An investigation revealed that the threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files, generally unfamiliar, leveraged the Console Taskpad feature to exec…
Downloadable IOCs 14
Malicious Python Script with a "Best Before" Date | Cobalt Strike Beacon
This post details analysis of a malicious Python script, which yielded a hash for a Cobalt Strike beacon.
Downloadable IOCs 1
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
TargetCompany’s Linux Variant Targets ESXi Environments
Since its discovery in 2021, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique its use of a PowerShell script to bypass Antimalware Scan Interface (AMSI) and abuse of fully undetectable (FUD) obfuscator packers. A new varian…
Downloadable IOCs 3
DarkGate again but... Improved?
The report details the latest developments surrounding the DarkGate remote access trojan, including its enhanced capabilities in version 6, the activities of its developer RastaFarEye, and an in-depth analysis of the malware's new features, execution chain, and supported commands. It highlights Dar…
Downloadable IOCs 313
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine
This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
Downloadable IOCs 14
Operation Crimson Palace: A Technical Deep Dive
Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…
Downloadable IOCs 138
RansomHub: New Ransomware with Origins in Older Knight
A rapidly emerging operation called RansomHub has rapidly grown into one of the largest ransomware threats currently active. Analysis reveals RansomHub is likely an updated and rebranded version of the older Knight ransomware, suggesting the developers bought Knight's source code after its develope…
Downloadable IOCs 14
Suspicious DNS Probing Operation Amplified
This analysis discusses a large-scale domain name system (DNS) probing operation that targets open resolvers globally. An actor operating from the China Education and Research Network is conducting these probes, sending queries with encoded IP addresses to identify and measure responses from open D…
Downloadable IOCs 17
Malware botnet installing NiceRAT
This report discusses a botnet that has been active since 2019, distributing various malware such as NiceRAT, Nitol, and NanoCore. The botnet is spread through disguised cracked programs, shared on domestic file-sharing sites and blogs, posing as genuine software activators or game server tools. On…
Downloadable IOCs 24
DarkGate switches up its tactics with new payload, email templates
This analysis delves into a recent surge of malicious email campaigns by the DarkGate threat actor, employing novel tactics to distribute malware. These campaigns leverage a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code…
Downloadable IOCs 12
Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors
This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…
Downloadable IOCs 34
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Malware Targets Message Queuing Services Applications
The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…
Downloadable IOCs 21
Operation ControlPlug: Targeted attack campaign using MSC files
An investigation revealed that the threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files, generally unfamiliar, leveraged the Console Taskpad feature to exec…
Downloadable IOCs 14
Malicious Python Script with a "Best Before" Date | Cobalt Strike Beacon
This post details analysis of a malicious Python script, which yielded a hash for a Cobalt Strike beacon.
Downloadable IOCs 1
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
TargetCompany’s Linux Variant Targets ESXi Environments
Since its discovery in 2021, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique its use of a PowerShell script to bypass Antimalware Scan Interface (AMSI) and abuse of fully undetectable (FUD) obfuscator packers. A new varian…
Downloadable IOCs 3
DarkGate again but... Improved?
The report details the latest developments surrounding the DarkGate remote access trojan, including its enhanced capabilities in version 6, the activities of its developer RastaFarEye, and an in-depth analysis of the malware's new features, execution chain, and supported commands. It highlights Dar…
Downloadable IOCs 313
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine
This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
Downloadable IOCs 14
Operation Crimson Palace: A Technical Deep Dive
Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…
Downloadable IOCs 138
RansomHub: New Ransomware with Origins in Older Knight
A rapidly emerging operation called RansomHub has rapidly grown into one of the largest ransomware threats currently active. Analysis reveals RansomHub is likely an updated and rebranded version of the older Knight ransomware, suggesting the developers bought Knight's source code after its develope…
Downloadable IOCs 14
Suspicious DNS Probing Operation Amplified
This analysis discusses a large-scale domain name system (DNS) probing operation that targets open resolvers globally. An actor operating from the China Education and Research Network is conducting these probes, sending queries with encoded IP addresses to identify and measure responses from open D…
Downloadable IOCs 17
Malware botnet installing NiceRAT
This report discusses a botnet that has been active since 2019, distributing various malware such as NiceRAT, Nitol, and NanoCore. The botnet is spread through disguised cracked programs, shared on domestic file-sharing sites and blogs, posing as genuine software activators or game server tools. On…
Downloadable IOCs 24
DarkGate switches up its tactics with new payload, email templates
This analysis delves into a recent surge of malicious email campaigns by the DarkGate threat actor, employing novel tactics to distribute malware. These campaigns leverage a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code…
Downloadable IOCs 12
Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors
This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…
Downloadable IOCs 34
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Malware Targets Message Queuing Services Applications
The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…
Downloadable IOCs 21
Operation ControlPlug: Targeted attack campaign using MSC files
An investigation revealed that the threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files, generally unfamiliar, leveraged the Console Taskpad feature to exec…
Downloadable IOCs 14
Malicious Python Script with a "Best Before" Date | Cobalt Strike Beacon
This post details analysis of a malicious Python script, which yielded a hash for a Cobalt Strike beacon.
Downloadable IOCs 1
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
TargetCompany’s Linux Variant Targets ESXi Environments
Since its discovery in 2021, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique its use of a PowerShell script to bypass Antimalware Scan Interface (AMSI) and abuse of fully undetectable (FUD) obfuscator packers. A new varian…
Downloadable IOCs 3
DarkGate again but... Improved?
The report details the latest developments surrounding the DarkGate remote access trojan, including its enhanced capabilities in version 6, the activities of its developer RastaFarEye, and an in-depth analysis of the malware's new features, execution chain, and supported commands. It highlights Dar…
Downloadable IOCs 313
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine
This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
Downloadable IOCs 14
Operation Crimson Palace: A Technical Deep Dive
Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…
Downloadable IOCs 138
RansomHub: New Ransomware with Origins in Older Knight
A rapidly emerging operation called RansomHub has rapidly grown into one of the largest ransomware threats currently active. Analysis reveals RansomHub is likely an updated and rebranded version of the older Knight ransomware, suggesting the developers bought Knight's source code after its develope…
Downloadable IOCs 14
Suspicious DNS Probing Operation Amplified
This analysis discusses a large-scale domain name system (DNS) probing operation that targets open resolvers globally. An actor operating from the China Education and Research Network is conducting these probes, sending queries with encoded IP addresses to identify and measure responses from open D…
Downloadable IOCs 17
Malware botnet installing NiceRAT
This report discusses a botnet that has been active since 2019, distributing various malware such as NiceRAT, Nitol, and NanoCore. The botnet is spread through disguised cracked programs, shared on domestic file-sharing sites and blogs, posing as genuine software activators or game server tools. On…
Downloadable IOCs 24
DarkGate switches up its tactics with new payload, email templates
This analysis delves into a recent surge of malicious email campaigns by the DarkGate threat actor, employing novel tactics to distribute malware. These campaigns leverage a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code…
Downloadable IOCs 12
Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors
This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…
Downloadable IOCs 34
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Malware Targets Message Queuing Services Applications
The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…
Downloadable IOCs 21
Operation ControlPlug: Targeted attack campaign using MSC files
An investigation revealed that the threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files, generally unfamiliar, leveraged the Console Taskpad feature to exec…
Downloadable IOCs 14
Malicious Python Script with a "Best Before" Date | Cobalt Strike Beacon
This post details analysis of a malicious Python script, which yielded a hash for a Cobalt Strike beacon.
Downloadable IOCs 1
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
TargetCompany’s Linux Variant Targets ESXi Environments
Since its discovery in 2021, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique its use of a PowerShell script to bypass Antimalware Scan Interface (AMSI) and abuse of fully undetectable (FUD) obfuscator packers. A new varian…
Downloadable IOCs 3
DarkGate again but... Improved?
The report details the latest developments surrounding the DarkGate remote access trojan, including its enhanced capabilities in version 6, the activities of its developer RastaFarEye, and an in-depth analysis of the malware's new features, execution chain, and supported commands. It highlights Dar…
Downloadable IOCs 313
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine
This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
Downloadable IOCs 14
Operation Crimson Palace: A Technical Deep Dive
Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…
Downloadable IOCs 138
RansomHub: New Ransomware with Origins in Older Knight
A rapidly emerging operation called RansomHub has rapidly grown into one of the largest ransomware threats currently active. Analysis reveals RansomHub is likely an updated and rebranded version of the older Knight ransomware, suggesting the developers bought Knight's source code after its develope…
Downloadable IOCs 14
Suspicious DNS Probing Operation Amplified
This analysis discusses a large-scale domain name system (DNS) probing operation that targets open resolvers globally. An actor operating from the China Education and Research Network is conducting these probes, sending queries with encoded IP addresses to identify and measure responses from open D…
Downloadable IOCs 17
Malware botnet installing NiceRAT
This report discusses a botnet that has been active since 2019, distributing various malware such as NiceRAT, Nitol, and NanoCore. The botnet is spread through disguised cracked programs, shared on domestic file-sharing sites and blogs, posing as genuine software activators or game server tools. On…
Downloadable IOCs 24
DarkGate switches up its tactics with new payload, email templates
This analysis delves into a recent surge of malicious email campaigns by the DarkGate threat actor, employing novel tactics to distribute malware. These campaigns leverage a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code…
Downloadable IOCs 12
Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors
This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…
Downloadable IOCs 34
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Malware Targets Message Queuing Services Applications
The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…
Downloadable IOCs 21
Operation ControlPlug: Targeted attack campaign using MSC files
An investigation revealed that the threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files, generally unfamiliar, leveraged the Console Taskpad feature to exec…
Downloadable IOCs 14
Malicious Python Script with a "Best Before" Date | Cobalt Strike Beacon
This post details analysis of a malicious Python script, which yielded a hash for a Cobalt Strike beacon.
Downloadable IOCs 1
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
TargetCompany’s Linux Variant Targets ESXi Environments
Since its discovery in 2021, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique its use of a PowerShell script to bypass Antimalware Scan Interface (AMSI) and abuse of fully undetectable (FUD) obfuscator packers. A new varian…
Downloadable IOCs 3
DarkGate again but... Improved?
The report details the latest developments surrounding the DarkGate remote access trojan, including its enhanced capabilities in version 6, the activities of its developer RastaFarEye, and an in-depth analysis of the malware's new features, execution chain, and supported commands. It highlights Dar…
Downloadable IOCs 313
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine
This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
Downloadable IOCs 14
Operation Crimson Palace: A Technical Deep Dive
Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…
Downloadable IOCs 138
RansomHub: New Ransomware with Origins in Older Knight
A rapidly emerging operation called RansomHub has rapidly grown into one of the largest ransomware threats currently active. Analysis reveals RansomHub is likely an updated and rebranded version of the older Knight ransomware, suggesting the developers bought Knight's source code after its develope…
Downloadable IOCs 14
Suspicious DNS Probing Operation Amplified
This analysis discusses a large-scale domain name system (DNS) probing operation that targets open resolvers globally. An actor operating from the China Education and Research Network is conducting these probes, sending queries with encoded IP addresses to identify and measure responses from open D…
Downloadable IOCs 17
Malware botnet installing NiceRAT
This report discusses a botnet that has been active since 2019, distributing various malware such as NiceRAT, Nitol, and NanoCore. The botnet is spread through disguised cracked programs, shared on domestic file-sharing sites and blogs, posing as genuine software activators or game server tools. On…
Downloadable IOCs 24
DarkGate switches up its tactics with new payload, email templates
This analysis delves into a recent surge of malicious email campaigns by the DarkGate threat actor, employing novel tactics to distribute malware. These campaigns leverage a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code…
Downloadable IOCs 12
Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors
This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…
Downloadable IOCs 34
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Malware Targets Message Queuing Services Applications
The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…
Downloadable IOCs 21
Operation ControlPlug: Targeted attack campaign using MSC files
An investigation revealed that the threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files, generally unfamiliar, leveraged the Console Taskpad feature to exec…
Downloadable IOCs 14
Malicious Python Script with a "Best Before" Date | Cobalt Strike Beacon
This post details analysis of a malicious Python script, which yielded a hash for a Cobalt Strike beacon.
Downloadable IOCs 1
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
TargetCompany’s Linux Variant Targets ESXi Environments
Since its discovery in 2021, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique its use of a PowerShell script to bypass Antimalware Scan Interface (AMSI) and abuse of fully undetectable (FUD) obfuscator packers. A new varian…
Downloadable IOCs 3
DarkGate again but... Improved?
The report details the latest developments surrounding the DarkGate remote access trojan, including its enhanced capabilities in version 6, the activities of its developer RastaFarEye, and an in-depth analysis of the malware's new features, execution chain, and supported commands. It highlights Dar…
Downloadable IOCs 313
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine
This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
Downloadable IOCs 14
Operation Crimson Palace: A Technical Deep Dive
Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…
Downloadable IOCs 138
RansomHub: New Ransomware with Origins in Older Knight
A rapidly emerging operation called RansomHub has rapidly grown into one of the largest ransomware threats currently active. Analysis reveals RansomHub is likely an updated and rebranded version of the older Knight ransomware, suggesting the developers bought Knight's source code after its develope…
Downloadable IOCs 14
Suspicious DNS Probing Operation Amplified
This analysis discusses a large-scale domain name system (DNS) probing operation that targets open resolvers globally. An actor operating from the China Education and Research Network is conducting these probes, sending queries with encoded IP addresses to identify and measure responses from open D…
Downloadable IOCs 17
Malware botnet installing NiceRAT
This report discusses a botnet that has been active since 2019, distributing various malware such as NiceRAT, Nitol, and NanoCore. The botnet is spread through disguised cracked programs, shared on domestic file-sharing sites and blogs, posing as genuine software activators or game server tools. On…
Downloadable IOCs 24
DarkGate switches up its tactics with new payload, email templates
This analysis delves into a recent surge of malicious email campaigns by the DarkGate threat actor, employing novel tactics to distribute malware. These campaigns leverage a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code…
Downloadable IOCs 12
Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors
This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…
Downloadable IOCs 34
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Malware Targets Message Queuing Services Applications
The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…
Downloadable IOCs 21
Operation ControlPlug: Targeted attack campaign using MSC files
An investigation revealed that the threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files, generally unfamiliar, leveraged the Console Taskpad feature to exec…
Downloadable IOCs 14
Malicious Python Script with a "Best Before" Date | Cobalt Strike Beacon
This post details analysis of a malicious Python script, which yielded a hash for a Cobalt Strike beacon.
Downloadable IOCs 1
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
TargetCompany’s Linux Variant Targets ESXi Environments
Since its discovery in 2021, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique its use of a PowerShell script to bypass Antimalware Scan Interface (AMSI) and abuse of fully undetectable (FUD) obfuscator packers. A new varian…
Downloadable IOCs 3
DarkGate again but... Improved?
The report details the latest developments surrounding the DarkGate remote access trojan, including its enhanced capabilities in version 6, the activities of its developer RastaFarEye, and an in-depth analysis of the malware's new features, execution chain, and supported commands. It highlights Dar…
Downloadable IOCs 313
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine
This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
Downloadable IOCs 14
Operation Crimson Palace: A Technical Deep Dive
Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…
Downloadable IOCs 138
RansomHub: New Ransomware with Origins in Older Knight
A rapidly emerging operation called RansomHub has rapidly grown into one of the largest ransomware threats currently active. Analysis reveals RansomHub is likely an updated and rebranded version of the older Knight ransomware, suggesting the developers bought Knight's source code after its develope…
Downloadable IOCs 14
Suspicious DNS Probing Operation Amplified
This analysis discusses a large-scale domain name system (DNS) probing operation that targets open resolvers globally. An actor operating from the China Education and Research Network is conducting these probes, sending queries with encoded IP addresses to identify and measure responses from open D…
Downloadable IOCs 17
Malware botnet installing NiceRAT
This report discusses a botnet that has been active since 2019, distributing various malware such as NiceRAT, Nitol, and NanoCore. The botnet is spread through disguised cracked programs, shared on domestic file-sharing sites and blogs, posing as genuine software activators or game server tools. On…
Downloadable IOCs 24
DarkGate switches up its tactics with new payload, email templates
This analysis delves into a recent surge of malicious email campaigns by the DarkGate threat actor, employing novel tactics to distribute malware. These campaigns leverage a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code…
Downloadable IOCs 12
Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors
This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…
Downloadable IOCs 34
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Malware Targets Message Queuing Services Applications
The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…
Downloadable IOCs 21
Operation ControlPlug: Targeted attack campaign using MSC files
An investigation revealed that the threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files, generally unfamiliar, leveraged the Console Taskpad feature to exec…
Downloadable IOCs 14
Malicious Python Script with a "Best Before" Date | Cobalt Strike Beacon
This post details analysis of a malicious Python script, which yielded a hash for a Cobalt Strike beacon.
Downloadable IOCs 1
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
TargetCompany’s Linux Variant Targets ESXi Environments
Since its discovery in 2021, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique its use of a PowerShell script to bypass Antimalware Scan Interface (AMSI) and abuse of fully undetectable (FUD) obfuscator packers. A new varian…
Downloadable IOCs 3
DarkGate again but... Improved?
The report details the latest developments surrounding the DarkGate remote access trojan, including its enhanced capabilities in version 6, the activities of its developer RastaFarEye, and an in-depth analysis of the malware's new features, execution chain, and supported commands. It highlights Dar…
Downloadable IOCs 313
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine
This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
Downloadable IOCs 14
Operation Crimson Palace: A Technical Deep Dive
Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…
Downloadable IOCs 138
RansomHub: New Ransomware with Origins in Older Knight
A rapidly emerging operation called RansomHub has rapidly grown into one of the largest ransomware threats currently active. Analysis reveals RansomHub is likely an updated and rebranded version of the older Knight ransomware, suggesting the developers bought Knight's source code after its develope…
Downloadable IOCs 14
Suspicious DNS Probing Operation Amplified
This analysis discusses a large-scale domain name system (DNS) probing operation that targets open resolvers globally. An actor operating from the China Education and Research Network is conducting these probes, sending queries with encoded IP addresses to identify and measure responses from open D…
Downloadable IOCs 17
Malware botnet installing NiceRAT
This report discusses a botnet that has been active since 2019, distributing various malware such as NiceRAT, Nitol, and NanoCore. The botnet is spread through disguised cracked programs, shared on domestic file-sharing sites and blogs, posing as genuine software activators or game server tools. On…
Downloadable IOCs 24
DarkGate switches up its tactics with new payload, email templates
This analysis delves into a recent surge of malicious email campaigns by the DarkGate threat actor, employing novel tactics to distribute malware. These campaigns leverage a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code…
Downloadable IOCs 12
Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors
This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…
Downloadable IOCs 34
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Malware Targets Message Queuing Services Applications
The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…
Downloadable IOCs 21
Operation ControlPlug: Targeted attack campaign using MSC files
An investigation revealed that the threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files, generally unfamiliar, leveraged the Console Taskpad feature to exec…
Downloadable IOCs 14
Malicious Python Script with a "Best Before" Date | Cobalt Strike Beacon
This post details analysis of a malicious Python script, which yielded a hash for a Cobalt Strike beacon.
Downloadable IOCs 1
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
TargetCompany’s Linux Variant Targets ESXi Environments
Since its discovery in 2021, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique its use of a PowerShell script to bypass Antimalware Scan Interface (AMSI) and abuse of fully undetectable (FUD) obfuscator packers. A new varian…
Downloadable IOCs 3
DarkGate again but... Improved?
The report details the latest developments surrounding the DarkGate remote access trojan, including its enhanced capabilities in version 6, the activities of its developer RastaFarEye, and an in-depth analysis of the malware's new features, execution chain, and supported commands. It highlights Dar…
Downloadable IOCs 313
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine
This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
Downloadable IOCs 14
Operation Crimson Palace: A Technical Deep Dive
Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…
Downloadable IOCs 138
RansomHub: New Ransomware with Origins in Older Knight
A rapidly emerging operation called RansomHub has rapidly grown into one of the largest ransomware threats currently active. Analysis reveals RansomHub is likely an updated and rebranded version of the older Knight ransomware, suggesting the developers bought Knight's source code after its develope…
Downloadable IOCs 14
Suspicious DNS Probing Operation Amplified
This analysis discusses a large-scale domain name system (DNS) probing operation that targets open resolvers globally. An actor operating from the China Education and Research Network is conducting these probes, sending queries with encoded IP addresses to identify and measure responses from open D…
Downloadable IOCs 17
Malware botnet installing NiceRAT
This report discusses a botnet that has been active since 2019, distributing various malware such as NiceRAT, Nitol, and NanoCore. The botnet is spread through disguised cracked programs, shared on domestic file-sharing sites and blogs, posing as genuine software activators or game server tools. On…
Downloadable IOCs 24
DarkGate switches up its tactics with new payload, email templates
This analysis delves into a recent surge of malicious email campaigns by the DarkGate threat actor, employing novel tactics to distribute malware. These campaigns leverage a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code…
Downloadable IOCs 12
Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors
This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…
Downloadable IOCs 34
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Malware Targets Message Queuing Services Applications
The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…
Downloadable IOCs 21
Operation ControlPlug: Targeted attack campaign using MSC files
An investigation revealed that the threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files, generally unfamiliar, leveraged the Console Taskpad feature to exec…
Downloadable IOCs 14
Malicious Python Script with a "Best Before" Date | Cobalt Strike Beacon
This post details analysis of a malicious Python script, which yielded a hash for a Cobalt Strike beacon.
Downloadable IOCs 1
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
TargetCompany’s Linux Variant Targets ESXi Environments
Since its discovery in 2021, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique its use of a PowerShell script to bypass Antimalware Scan Interface (AMSI) and abuse of fully undetectable (FUD) obfuscator packers. A new varian…
Downloadable IOCs 3
DarkGate again but... Improved?
The report details the latest developments surrounding the DarkGate remote access trojan, including its enhanced capabilities in version 6, the activities of its developer RastaFarEye, and an in-depth analysis of the malware's new features, execution chain, and supported commands. It highlights Dar…
Downloadable IOCs 313
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine
This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
Downloadable IOCs 14
Operation Crimson Palace: A Technical Deep Dive
Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…
Downloadable IOCs 138
RansomHub: New Ransomware with Origins in Older Knight
A rapidly emerging operation called RansomHub has rapidly grown into one of the largest ransomware threats currently active. Analysis reveals RansomHub is likely an updated and rebranded version of the older Knight ransomware, suggesting the developers bought Knight's source code after its develope…
Downloadable IOCs 14
Suspicious DNS Probing Operation Amplified
This analysis discusses a large-scale domain name system (DNS) probing operation that targets open resolvers globally. An actor operating from the China Education and Research Network is conducting these probes, sending queries with encoded IP addresses to identify and measure responses from open D…
Downloadable IOCs 17
Malware botnet installing NiceRAT
This report discusses a botnet that has been active since 2019, distributing various malware such as NiceRAT, Nitol, and NanoCore. The botnet is spread through disguised cracked programs, shared on domestic file-sharing sites and blogs, posing as genuine software activators or game server tools. On…
Downloadable IOCs 24
DarkGate switches up its tactics with new payload, email templates
This analysis delves into a recent surge of malicious email campaigns by the DarkGate threat actor, employing novel tactics to distribute malware. These campaigns leverage a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code…
Downloadable IOCs 12
Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors
This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…
Downloadable IOCs 34
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Malware Targets Message Queuing Services Applications
The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…
Downloadable IOCs 21
Operation ControlPlug: Targeted attack campaign using MSC files
An investigation revealed that the threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files, generally unfamiliar, leveraged the Console Taskpad feature to exec…
Downloadable IOCs 14
Malicious Python Script with a "Best Before" Date | Cobalt Strike Beacon
This post details analysis of a malicious Python script, which yielded a hash for a Cobalt Strike beacon.
Downloadable IOCs 1
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
TargetCompany’s Linux Variant Targets ESXi Environments
Since its discovery in 2021, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique its use of a PowerShell script to bypass Antimalware Scan Interface (AMSI) and abuse of fully undetectable (FUD) obfuscator packers. A new varian…
Downloadable IOCs 3
DarkGate again but... Improved?
The report details the latest developments surrounding the DarkGate remote access trojan, including its enhanced capabilities in version 6, the activities of its developer RastaFarEye, and an in-depth analysis of the malware's new features, execution chain, and supported commands. It highlights Dar…
Downloadable IOCs 313
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine
This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
Downloadable IOCs 14
Operation Crimson Palace: A Technical Deep Dive
Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…
Downloadable IOCs 138
RansomHub: New Ransomware with Origins in Older Knight
A rapidly emerging operation called RansomHub has rapidly grown into one of the largest ransomware threats currently active. Analysis reveals RansomHub is likely an updated and rebranded version of the older Knight ransomware, suggesting the developers bought Knight's source code after its develope…
Downloadable IOCs 14
Suspicious DNS Probing Operation Amplified
This analysis discusses a large-scale domain name system (DNS) probing operation that targets open resolvers globally. An actor operating from the China Education and Research Network is conducting these probes, sending queries with encoded IP addresses to identify and measure responses from open D…
Downloadable IOCs 17
Malware botnet installing NiceRAT
This report discusses a botnet that has been active since 2019, distributing various malware such as NiceRAT, Nitol, and NanoCore. The botnet is spread through disguised cracked programs, shared on domestic file-sharing sites and blogs, posing as genuine software activators or game server tools. On…
Downloadable IOCs 24
DarkGate switches up its tactics with new payload, email templates
This analysis delves into a recent surge of malicious email campaigns by the DarkGate threat actor, employing novel tactics to distribute malware. These campaigns leverage a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code…
Downloadable IOCs 12
Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors
This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…
Downloadable IOCs 34
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Malware Targets Message Queuing Services Applications
The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…
Downloadable IOCs 21
Operation ControlPlug: Targeted attack campaign using MSC files
An investigation revealed that the threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files, generally unfamiliar, leveraged the Console Taskpad feature to exec…
Downloadable IOCs 14
Malicious Python Script with a "Best Before" Date | Cobalt Strike Beacon
This post details analysis of a malicious Python script, which yielded a hash for a Cobalt Strike beacon.
Downloadable IOCs 1
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
TargetCompany’s Linux Variant Targets ESXi Environments
Since its discovery in 2021, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique its use of a PowerShell script to bypass Antimalware Scan Interface (AMSI) and abuse of fully undetectable (FUD) obfuscator packers. A new varian…
Downloadable IOCs 3
DarkGate again but... Improved?
The report details the latest developments surrounding the DarkGate remote access trojan, including its enhanced capabilities in version 6, the activities of its developer RastaFarEye, and an in-depth analysis of the malware's new features, execution chain, and supported commands. It highlights Dar…
Downloadable IOCs 313
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine
This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
Downloadable IOCs 14
Operation Crimson Palace: A Technical Deep Dive
Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…
Downloadable IOCs 138
RansomHub: New Ransomware with Origins in Older Knight
A rapidly emerging operation called RansomHub has rapidly grown into one of the largest ransomware threats currently active. Analysis reveals RansomHub is likely an updated and rebranded version of the older Knight ransomware, suggesting the developers bought Knight's source code after its develope…
Downloadable IOCs 14
Suspicious DNS Probing Operation Amplified
This analysis discusses a large-scale domain name system (DNS) probing operation that targets open resolvers globally. An actor operating from the China Education and Research Network is conducting these probes, sending queries with encoded IP addresses to identify and measure responses from open D…
Downloadable IOCs 17
Malware botnet installing NiceRAT
This report discusses a botnet that has been active since 2019, distributing various malware such as NiceRAT, Nitol, and NanoCore. The botnet is spread through disguised cracked programs, shared on domestic file-sharing sites and blogs, posing as genuine software activators or game server tools. On…
Downloadable IOCs 24
DarkGate switches up its tactics with new payload, email templates
This analysis delves into a recent surge of malicious email campaigns by the DarkGate threat actor, employing novel tactics to distribute malware. These campaigns leverage a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code…
Downloadable IOCs 12
Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors
This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…
Downloadable IOCs 34
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Malware Targets Message Queuing Services Applications
The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…
Downloadable IOCs 21
Operation ControlPlug: Targeted attack campaign using MSC files
An investigation revealed that the threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files, generally unfamiliar, leveraged the Console Taskpad feature to exec…
Downloadable IOCs 14
Malicious Python Script with a "Best Before" Date | Cobalt Strike Beacon
This post details analysis of a malicious Python script, which yielded a hash for a Cobalt Strike beacon.
Downloadable IOCs 1
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
TargetCompany’s Linux Variant Targets ESXi Environments
Since its discovery in 2021, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique its use of a PowerShell script to bypass Antimalware Scan Interface (AMSI) and abuse of fully undetectable (FUD) obfuscator packers. A new varian…
Downloadable IOCs 3
DarkGate again but... Improved?
The report details the latest developments surrounding the DarkGate remote access trojan, including its enhanced capabilities in version 6, the activities of its developer RastaFarEye, and an in-depth analysis of the malware's new features, execution chain, and supported commands. It highlights Dar…
Downloadable IOCs 313
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine
This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
Downloadable IOCs 14
Operation Crimson Palace: A Technical Deep Dive
Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…
Downloadable IOCs 138
RansomHub: New Ransomware with Origins in Older Knight
A rapidly emerging operation called RansomHub has rapidly grown into one of the largest ransomware threats currently active. Analysis reveals RansomHub is likely an updated and rebranded version of the older Knight ransomware, suggesting the developers bought Knight's source code after its develope…
Downloadable IOCs 14
Suspicious DNS Probing Operation Amplified
This analysis discusses a large-scale domain name system (DNS) probing operation that targets open resolvers globally. An actor operating from the China Education and Research Network is conducting these probes, sending queries with encoded IP addresses to identify and measure responses from open D…
Downloadable IOCs 17
Malware botnet installing NiceRAT
This report discusses a botnet that has been active since 2019, distributing various malware such as NiceRAT, Nitol, and NanoCore. The botnet is spread through disguised cracked programs, shared on domestic file-sharing sites and blogs, posing as genuine software activators or game server tools. On…
Downloadable IOCs 24
DarkGate switches up its tactics with new payload, email templates
This analysis delves into a recent surge of malicious email campaigns by the DarkGate threat actor, employing novel tactics to distribute malware. These campaigns leverage a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code…
Downloadable IOCs 12
Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors
This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…
Downloadable IOCs 34
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Malware Targets Message Queuing Services Applications
The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…
Downloadable IOCs 21
Operation ControlPlug: Targeted attack campaign using MSC files
An investigation revealed that the threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files, generally unfamiliar, leveraged the Console Taskpad feature to exec…
Downloadable IOCs 14
Malicious Python Script with a "Best Before" Date | Cobalt Strike Beacon
This post details analysis of a malicious Python script, which yielded a hash for a Cobalt Strike beacon.
Downloadable IOCs 1
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
TargetCompany’s Linux Variant Targets ESXi Environments
Since its discovery in 2021, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique its use of a PowerShell script to bypass Antimalware Scan Interface (AMSI) and abuse of fully undetectable (FUD) obfuscator packers. A new varian…
Downloadable IOCs 3
DarkGate again but... Improved?
The report details the latest developments surrounding the DarkGate remote access trojan, including its enhanced capabilities in version 6, the activities of its developer RastaFarEye, and an in-depth analysis of the malware's new features, execution chain, and supported commands. It highlights Dar…
Downloadable IOCs 313
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine
This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
Downloadable IOCs 14
Operation Crimson Palace: A Technical Deep Dive
Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…
Downloadable IOCs 138
RansomHub: New Ransomware with Origins in Older Knight
A rapidly emerging operation called RansomHub has rapidly grown into one of the largest ransomware threats currently active. Analysis reveals RansomHub is likely an updated and rebranded version of the older Knight ransomware, suggesting the developers bought Knight's source code after its develope…
Downloadable IOCs 14
Suspicious DNS Probing Operation Amplified
This analysis discusses a large-scale domain name system (DNS) probing operation that targets open resolvers globally. An actor operating from the China Education and Research Network is conducting these probes, sending queries with encoded IP addresses to identify and measure responses from open D…
Downloadable IOCs 17
Malware botnet installing NiceRAT
This report discusses a botnet that has been active since 2019, distributing various malware such as NiceRAT, Nitol, and NanoCore. The botnet is spread through disguised cracked programs, shared on domestic file-sharing sites and blogs, posing as genuine software activators or game server tools. On…
Downloadable IOCs 24
DarkGate switches up its tactics with new payload, email templates
This analysis delves into a recent surge of malicious email campaigns by the DarkGate threat actor, employing novel tactics to distribute malware. These campaigns leverage a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code…
Downloadable IOCs 12
Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors
This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…
Downloadable IOCs 34
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Malware Targets Message Queuing Services Applications
The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…
Downloadable IOCs 21
Operation ControlPlug: Targeted attack campaign using MSC files
An investigation revealed that the threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files, generally unfamiliar, leveraged the Console Taskpad feature to exec…
Downloadable IOCs 14
Malicious Python Script with a "Best Before" Date | Cobalt Strike Beacon
This post details analysis of a malicious Python script, which yielded a hash for a Cobalt Strike beacon.
Downloadable IOCs 1
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
TargetCompany’s Linux Variant Targets ESXi Environments
Since its discovery in 2021, TargetCompany has been evolving its techniques to circumvent security defenses employed by organizations; one such technique its use of a PowerShell script to bypass Antimalware Scan Interface (AMSI) and abuse of fully undetectable (FUD) obfuscator packers. A new varian…
Downloadable IOCs 3
DarkGate again but... Improved?
The report details the latest developments surrounding the DarkGate remote access trojan, including its enhanced capabilities in version 6, the activities of its developer RastaFarEye, and an in-depth analysis of the malware's new features, execution chain, and supported commands. It highlights Dar…
Downloadable IOCs 313
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine
This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
Downloadable IOCs 14
Operation Crimson Palace: A Technical Deep Dive
Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…
Downloadable IOCs 138
RansomHub: New Ransomware with Origins in Older Knight
A rapidly emerging operation called RansomHub has rapidly grown into one of the largest ransomware threats currently active. Analysis reveals RansomHub is likely an updated and rebranded version of the older Knight ransomware, suggesting the developers bought Knight's source code after its develope…
Downloadable IOCs 14
Suspicious DNS Probing Operation Amplified
This analysis discusses a large-scale domain name system (DNS) probing operation that targets open resolvers globally. An actor operating from the China Education and Research Network is conducting these probes, sending queries with encoded IP addresses to identify and measure responses from open D…
Downloadable IOCs 17
Malware botnet installing NiceRAT
This report discusses a botnet that has been active since 2019, distributing various malware such as NiceRAT, Nitol, and NanoCore. The botnet is spread through disguised cracked programs, shared on domestic file-sharing sites and blogs, posing as genuine software activators or game server tools. On…
Downloadable IOCs 24
DarkGate switches up its tactics with new payload, email templates
This analysis delves into a recent surge of malicious email campaigns by the DarkGate threat actor, employing novel tactics to distribute malware. These campaigns leverage a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code…
Downloadable IOCs 12
Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors
This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…
Downloadable IOCs 34
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15