Tag: anti-analysis

38 Attack Reports | 0 Vulnerabilities

Attack reports

Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C&C

The Water Saci campaign has evolved, now utilizing an email-based command and control infrastructure and multi-vector persistence for resilience. The new attack chain employs script-based techniques, including VBS downloaders and PowerShell scripts, to hijack WhatsApp Web sessions and automate malw…
anti-analysis
banking trojan
vbs
sorvepotel
2025-10-27
coyote
Published: October 27, 2025
Downloadable IOCs: 37

New Stealit Campaign Abuses Node.js Single Executable Application

A new Stealit malware campaign has been discovered that utilizes Node.js' Single Executable Application feature to distribute payloads. The campaign bundles malicious scripts into standalone binaries, allowing execution without requiring a pre-installed Node.js runtime. The malware is distributed a…
obfuscation
rat
cryptocurrency
anti-analysis
node.js
information theft
2025-10-11
single executable application
stealit
Published: October 11, 2025
Downloadable IOCs: 12

New LockBit 5.0 Targets Windows, Linux, ESXi

Trend Research analyzed the latest version of LockBit ransomware, LockBit 5.0, which exhibits advanced obfuscation, anti-analysis techniques, and cross-platform capabilities for Windows, Linux, and ESXi systems. The Windows variant uses heavy obfuscation and packing, loading its payload through DLL…
obfuscation
ransomware
anti-analysis
encryption
cross-platform
esxi
virtualization
2025-09-29
dll reflection
lockbit 5.0
Published: September 29, 2025
Downloadable IOCs: 5

Beyond Signatures: Detecting Lumma Stealer with an ML-Powered Sandbox

This analysis focuses on a new variant of Lumma Stealer, a malware that reemerged after a brief hiatus following a law enforcement operation. The article details the malware's code obfuscation, evasion techniques, and persistence mechanisms. It describes Netskope's machine learning-based detection …
persistence
anti-analysis
lumma stealer
autoit
nsis
evasion techniques
machine learning
sandbox
2025-09-25
Published: September 25, 2025
Downloadable IOCs: 1

Technical Analysis of Zloader Updates

Recent versions of Zloader, a Zeus-based modular trojan, have introduced significant enhancements to its functionality. These updates include improved obfuscation techniques, anti-analysis strategies, and network communication methods. The malware now supports WebSockets and has modified its DNS tu…
obfuscation
ransomware
evasion
anti-analysis
zloader
zeus
trojan
banking
websockets
2025-09-22
dns-tunneling
zeus-based
ldap
Published: September 22, 2025
Downloadable IOCs: 0

Technical Analysis of SmokeLoader Version 2025

SmokeLoader, a modular malware loader active since 2011, has resurfaced with new versions in 2025 after Operation Endgame suppressed its activity. The latest variants, 2025 alpha and 2025, include bug fixes and improvements to evade detection. Key changes include a new mutex check in the stager, mo…
persistence
anti-analysis
malware loader
smokeloader
evasion techniques
dofoil
2025-09-16
smoke
version 2025
network protocol
bug fixes
Published: September 16, 2025
Downloadable IOCs: 24

GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse Google Ads to Target Western Europe

A sophisticated malware campaign dubbed 'GPUGate' has been uncovered, targeting Western European IT professionals through malicious Google Ads mimicking GitHub Desktop. The attack leverages GitHub's repository structure and a GPU-gated decryption mechanism to evade analysis. The malware, a 128 MB M…
malvertising
anti-analysis
amos stealer
2025-09-08
gpugate
gpu-gated decryption
opencl
western europe
Published: September 8, 2025
Linked vulnerabilities : CVE-2025-20265 (CVSS 10.0), CVE-2025-7775 (CVSS 9.2)
Downloadable IOCs: 42

Not Safe for Work: Tracking and Investigating Stealerium and Phantom Infostealers

Proofpoint researchers have observed an increase in cybercriminals using Stealerium-based malware, an open-source infostealer available on GitHub. Multiple stealers share code with Stealerium, including Phantom Stealer. Campaigns delivering Stealerium have used various lures and file types, targeti…
infostealer
anti-analysis
cybercrime
data exfiltration
snake keylogger
stealerium
2025-09-04
warp stealer
phantom stealer
Published: September 4, 2025
Downloadable IOCs: 8

CTI Analysis: Malicious Email Campaign

An Iran-nexus spear-phishing campaign masquerading as the Omani Ministry of Foreign Affairs targeted global governments in August 2025. Attributed to Iranian-aligned operators linked to the Homeland Justice group and MOIS, the campaign used compromised mailboxes to send emails with malicious Micros…
anti-analysis
reconnaissance
spear-phishing
2025-09-02
vba macro
diplomatic targets
iran-nexus
oman mfa
Published: September 2, 2025
Downloadable IOCs: 15

Phishing Campaign Targeting Companies via UpCrypter

A sophisticated phishing campaign has been identified, utilizing carefully crafted emails to deliver malicious URLs linked to convincing phishing pages. These pages entice recipients to download JavaScript files that act as droppers for UpCrypter, a malware that ultimately deploys various remote ac…
obfuscation
phishing
persistence
anti-analysis
dcrat
purehvnc
remote access tools
anti-vm
global campaign
2025-08-26
upcrypter
babylon rat
Published: August 26, 2025
Downloadable IOCs: 29

New Variant of ACRStealer Actively Distributed with Modifications

A modified version of the ACRStealer infostealer is being actively distributed, featuring enhanced detection evasion and analysis obstruction techniques. The malware uses the Heaven's Gate technique for executing x64 code in WoW64 processes and implements low-level NT functions for C2 communication…
infostealer
anti-analysis
c2 communication
heaven's gate
acrstealer
2025-08-21
data encryption
detection evasion
amaterastealer
Published: August 21, 2025
Downloadable IOCs: 0

Unveiling a New Variant of the DarkCloud Campaign

A new DarkCloud campaign was observed in July 2025, targeting Windows users with a sophisticated infection chain. The attack begins with a phishing email containing a RAR archive, which leads to the execution of obfuscated JavaScript and PowerShell code. This code downloads and deploys a fileless .…
powershell
credential-theft
anti-analysis
process-hollowing
fileless
information-stealer
2025-08-08
darkcloud
Published: August 8, 2025
Downloadable IOCs: 2

New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer

Unit 42 researchers have observed changes in the distribution and obfuscation techniques of DarkCloud Stealer. The new infection chain, first seen in April 2025, involves ConfuserEx obfuscation and a final payload written in Visual Basic 6. The attack begins with a phishing email containing an arch…
obfuscation
infostealer
anti-analysis
infection chain
process hollowing
confuserex
darkcloud stealer
2025-08-07
visual basic 6
runpe
2025-08-08
Published: August 8, 2025
Downloadable IOCs: 10

SLOW#TEMPEST Cobalt Strike Loader

An ISO image containing a malicious Cobalt Strike loader was discovered, targeting Chinese-speaking users. The infection chain involves a deceptive LNK file, which executes a legitimate Alibaba executable to sideload a malicious DLL. The loader implements anti-analysis techniques, decrypts an embed…
cobalt strike
anti-analysis
dll-sideloading
2025-08-07
beacon
entry-point-patching
chinese-targets
cobalt-strike
iso-image
Published: August 7, 2025
Downloadable IOCs: 9

MaaS Appeal: An Infostealer Rises From The Ashes

NOVABLIGHT is a NodeJS-based Malware-as-a-Service (MaaS) information stealer developed by a French-speaking threat group. It's sold as an educational tool but used for credential theft and cryptowallet compromise. The malware features heavy obfuscation, multiple anti-analysis techniques, and variou…
obfuscation
infostealer
anti-analysis
electron
credential theft
data exfiltration
maas
nodejs
2025-07-31
nova sentinel
malicord
novablight
Published: July 31, 2025
Downloadable IOCs: 8

XWorm V6: Advanced Evasion and AMSI Bypass Capabilities Revealed

A new version of XWorm malware (version 6.0) has been discovered, showcasing advanced features for persistence and evasion. The infection chain begins with a VBScript that downloads and executes a PowerShell script. This script implements an AMSI bypass by modifying CLR.DLL in memory, then download…
malware
xworm
evasion
persistence
anti-analysis
in-memory execution
2025-07-30
amsi bypass
Published: July 30, 2025
Downloadable IOCs: 4

Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques

In late 2024, a new variant of the SLOW#TEMPEST malware campaign was discovered, employing sophisticated obfuscation techniques. The malware is distributed as an ISO file containing multiple files, including a malicious loader DLL and a payload embedded in another DLL. The loader uses DLL side-load…
obfuscation
anti-analysis
emulation
dll sideloading
dll side-loading
anti-sandbox
2025-07-11
dynamic jumps
obfuscated function calls
slow#tempest
cfg obfuscation
2025-07-16
cfg
Published: July 16, 2025
Downloadable IOCs: 0

Understanding CyberEYE RAT Builder: Capabilities and Implications

CyberEye is a modular, .NET-based Remote Access Trojan that utilizes Telegram for Command and Control, eliminating the need for attackers to maintain their own infrastructure. It offers a wide array of surveillance and data theft capabilities, including keylogging, file grabbing, and clipboard hija…
rat
persistence
anti-analysis
credential theft
data exfiltration
telegram
2025-06-13
cybereye
windows defender evasion
telegramrat
Published: June 13, 2025
Downloadable IOCs: 0

Technical Analysis of TransferLoader

TransferLoader is a newly identified malware loader active since February 2025. It comprises multiple components including a downloader, backdoor, and specialized loader. The malware employs various anti-analysis techniques and code obfuscation to hinder reverse engineering. TransferLoader has been…
backdoor
obfuscation
ransomware
anti-analysis
c2
downloader
morpheus
2025-05-15
ipfs
transferloader
Published: May 15, 2025
Downloadable IOCs: 7

DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt

Unit 42 researchers have identified a series of attacks distributing DarkCloud Stealer, an information-stealing malware that has been active since 2022. The latest attack chain incorporates AutoIt to evade detection and uses a file-sharing server to host the malware. The infection process begins wi…
obfuscation
phishing
infostealer
anti-analysis
credential theft
autoit
information stealing
2025-05-14
multi-stage payload
darkcloud stealer
Published: May 14, 2025
Linked vulnerabilities : CVE-2025-31324 (CVSS 10.0)
Downloadable IOCs: 4

Threat Actors are Targeting US Tax-Session with new Tactics of Stealerium-infostealer

Cybercriminals are exploiting the US tax season to deploy Stealerium malware, targeting citizens through sophisticated phishing campaigns. The attack utilizes deceptive email attachments with malicious LNK files, leading to the execution of PowerShell scripts and the download of a PyInstaller-packa…
powershell
anti-analysis
information stealing
process injection
2025-04-30
tax-season phishing
stealerium
Published: April 30, 2025
Downloadable IOCs: 0

How Lumma Stealer sneaks into organizations

Lumma Stealer, a sophisticated information-stealing malware, has gained prominence in cybercriminal circles since 2022. It employs various distribution methods, with fake CAPTCHA pages being a notable vector. These pages mimic legitimate services and trick users into executing malicious commands. T…
obfuscation
powershell
anti-analysis
lumma stealer
autoit
information stealer
cryptocurrency theft
fake captcha
2025-04-21
Published: April 21, 2025
Downloadable IOCs: 15

Beware! Fake 'NextGen mParivahan' Malware Returns

A new variant of the fake NextGen mParivahan malware has emerged, exhibiting enhanced stealth and data theft capabilities. The malware, disguised as a government traffic notification system, tricks users into downloading a malicious app that requests extensive permissions. This latest version targe…
android
anti-analysis
firebase
2025-04-09
malformed apk
sms theft
notification stealer
dropper-payload
c2 extraction
nextgen mparivahan
Published: April 9, 2025
Downloadable IOCs: 0

NEPTUNE RAT: An advanced Windows RAT with System Destruction Capabilities and Password Exfiltration from 270+ Applications

Neptune RAT, a sophisticated Windows-based remote access trojan, has emerged with advanced capabilities including system destruction and password exfiltration from over 270 applications. It employs PowerShell commands for deployment, leveraging catbox.moe for hosting malicious scripts. The malware …
anti-analysis
remote access trojan
2025-04-09
neptune rat
Published: April 9, 2025
Downloadable IOCs: 24

Analysis of Konni RAT: Stealth, Persistence, and Anti-Analysis Techniques

Konni RAT, a sophisticated remote access Trojan targeting Windows systems, employs a multi-stage attack process using batch files, PowerShell scripts, and VBScript. It exploits Windows Explorer limitations, obfuscates file paths, dynamically generates URLs, and uses temporary files to erase activit…
windows
persistence
anti-analysis
data exfiltration
multi-stage attack
stealth techniques
remote access trojan
2025-04-01
konni rat
Published: April 1, 2025
Downloadable IOCs: 0

Recent Cases of Watering Hole Attacks, Part 1

This analysis focuses on a watering hole attack targeting a Japanese university research laboratory website in 2023. The attack used social engineering to trick users into downloading and executing malware disguised as an Adobe Flash Player update. The malware, identified as a modified Cobalt Strik…
social engineering
cobalt strike
cobalt strike beacon
anti-analysis
cloudflare workers
watering hole
japan
2024-12-20
tips.exe
malware injection
system32.dll
flashupdateinstall.exe
university
Published: December 20, 2024
Linked vulnerabilities : CVE-2022-1388
Downloadable IOCs: 10

Raspberry Robin Analysis

Raspberry Robin, a malicious downloader discovered in 2021, has been circulating for years, primarily spreading through infected USB devices. It stands out due to its unique binary-obfuscation techniques, extensive use of anti-analysis methods, and privilege escalation exploits. The malware uses mu…
obfuscation
privilege-escalation
anti-analysis
tor
2024-11-19
raspberry robin
usb-spreading
network-propagation
CVE-2024-26229
CVE-2021-31969
Published: November 19, 2024
Linked vulnerabilities : CVE-2021-31969, CVE-2024-26229
Downloadable IOCs: 126

Recent Keylogger Attributed to North Korean Group Andariel

A new keylogger, attributed to the North Korean group Andariel (APT45), has been linked to targeted attacks against U.S. organizations. The malware captures keystrokes and mouse activity, storing data in an encrypted archive. It employs anti-analysis techniques like code obfuscation through junk co…
persistence
anti-analysis
keylogger
apt45
2024-11-04
andariel keylogger
hook procedures
clipboard theft
Published: November 4, 2024
Downloadable IOCs: 1

CoreWarrior Spreader Malware Surge

This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
backdoor
evasion
anti-analysis
trojan
2024-10-15
propagation
corewarrior
Published: October 15, 2024
Downloadable IOCs: 3

VILSA STEALER

A new malware called Vilsa Stealer has emerged on GitHub, notable for its speed and efficiency in extracting sensitive data. This sophisticated tool targets browser credentials, tokens, and various application data. It supports major browsers and over 40 crypto wallets, using Python as its programm…
cryptocurrency
data theft
exfiltration
persistence
anti-analysis
2024-10-07
vilsa stealer
browser credentials
Published: October 7, 2024
Downloadable IOCs: 3

Zharkbot Strings

Zharkbot is a C++ downloader with extensive anti-analysis and anti-sandbox features. It uses in-line string encryption and API calls, making static and emulation analysis challenging. The malware performs sandbox detection by checking for specific usernames and hypervisors. It installs itself in th…
persistence
anti-analysis
amadey
downloader
2024-09-03
anti-sandbox
string encryption
c2 communication
zharkbot
Published: September 3, 2024
Downloadable IOCs: 2

REPLAY: Revisiting Play Ransomware Anti-Analysis Techniques

This analysis revisits the anti-analysis techniques employed by recent variants of the Play ransomware, which is known for targeting industries like healthcare and telecommunications across various regions. The report explains how the ransomware utilizes techniques like return-oriented programming …
ransomware
anti-analysis
2024-08-09
playcrypt
Published: August 9, 2024
Downloadable IOCs: 4

DarkGate: Dancing the Samba With Alluring Excel Files

This analysis delves into a DarkGate malware campaign from March-April 2024 that exploits Microsoft Excel files to retrieve malicious payloads hosted on public-facing SMB file shares. It sheds light on the evolving tactics of this threat, which creatively abuses legitimate tools and services for di…
anti-analysis
autohotkey
darkgate
excel
sideloading
2024-07-11
Published: July 11, 2024
Linked vulnerabilities : CVE-2024-3400
Downloadable IOCs: 37

Dissecting GootLoader With Node.js

This article demonstrates how to circumvent anti-analysis techniques employed by GootLoader malware while utilizing Node.js debugging in Visual Studio Code. GootLoader JavaScript files employ an evasion technique that can pose a formidable challenge for sandboxes attempting to analyze the malware. …
evasion
anti-analysis
javascript
gootloader
2024-07-04
deobfuscation
Published: July 4, 2024
Downloadable IOCs: 2

Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear

This comprehensive analysis delves into the continuous evolution and refinement of sophisticated malware entities employed by a persistent cyberespionage group targeting organizations in the Asia-Pacific region. The malware, known as Waterbear and its latest iteration, Deuterbear, have undergone si…
malware
evasion
anti-analysis
encryption
2024-05-21
cyberespionage
deuterbear
waterbear
Published: May 21, 2024
Downloadable IOCs: 29

Stealer Distributed via Crafted Minecraft Source Pack

This report details the operation of the zEus stealer malware, which is distributed through a crafted Minecraft source pack. The malware collects sensitive information from victims' systems, including login credentials, browser data, and cryptocurrency wallets. It employs anti-analysis techniques a…
stealer
persistence
anti-analysis
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
screenshots
zeus panda
minecraft
Published: May 8, 2024
Downloadable IOCs: 23

Zloader Learns Old Tricks

Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular trojan based on leaked ZeuS source code. Zloader has continued to evolve since its resurrection around September 2023 after an almost two-year hiatus. The latest version, 2.4.1.0, introduces a feature to prevent execution on machines t…
python
anti-analysis
windows registry
zloader
zeus
Published: April 30, 2024
Downloadable IOCs: 8

Fletchen Stealer: An Information Stealer with Sophisticated Anti-Analysis Measures

This in-depth analysis examines Fletchen stealer, an advanced information-stealing malware featuring potent anti-analysis capabilities. It explores the malware's tactics for data harvesting from compromised systems, exfiltration methods, and measures to evade detection. The report emphasizes the dy…
stealer
exfiltration
persistence
anti-analysis
data-theft
fletchen stealer
Published: April 29, 2024
Downloadable IOCs: 13
Click here to see more Attack Reports