Tag: 2024-09-27

The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …

This report provides a comprehensive analysis of the toolset used by the Russia-aligned Gamaredon APT group to conduct cyberespionage activities against Ukraine in 2022 and 2023. The group has been active since 2013 and is currently the most prolific threat actor targeting Ukrainian governmental in…

F.A.C.C.T. Threat Intelligence discovered a malicious file targeting Russian defense industry enterprises. Initially thought to be the work of Sticky Werewolf, further analysis revealed a new threat actor named MimiStick. The attack used a PDF lure mimicking a letter from the Russian Ministry of La…

An investigation reveals SloppyLemming, an advanced threat actor targeting South and East Asian countries, particularly Pakistan. The group uses multiple cloud services for credential harvesting, malware delivery, and command and control. Their operations focus on government, law enforcement, energ…

In this blog, Group-IB delves into the inner workings of the DragonForce ransomware group. Discovered in August 2023, DragonForce has been targeting companies in critical sectors using a variant of a leaked LockBit3.0 builder, and more recently in July 2024 with their own variant of ransomware. Dr…

This analysis investigates PandorahVNC, a sophisticated Hidden Virtual Network Computing tool, and its connections to a new service called AnonVNC. The report explores the online presence of the tool's creator, known as 'All_father', and examines the infrastructure used for both PandorahVNC and Ano…

This analysis examines a control flow obfuscation technique used by recent LummaC2 stealer samples. The malware employs customized control flow indirection to manipulate execution, hindering reverse engineering and automated analysis. The obfuscation transforms functions into 'dispatcher blocks' th…

A malicious app on Google Play, posing as WalletConnect, targeted mobile users to steal cryptocurrency. The app evaded detection for five months, achieving over 10,000 downloads. It used advanced social engineering and modern crypto drainer toolkit, stealing approximately $70,000 from victims. The …