Tag: backdoor
37 attack reports | 0 vulnerabilities
Attack reports
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98
CoreWarrior Spreader Malware Surge
This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
Downloadable IOCs 3
Rhysida Ransomware: Multi-Tiered Infrastructure and Early Detection Analysis
Insikt Group unveiled Rhysida's complex infrastructure, comprising typo-squatted domains for SEO poisoning, payload servers, CleanUpLoader C2 infrastructure, and higher-tier components including an admin panel and Zabbix monitoring server. This multi-tiered setup enables early victim identification…
Downloadable IOCs 106
MDR in Action: Preventing The More_eggs Backdoor From Hatching
A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
Downloadable IOCs 10
Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
Downloadable IOCs 14
Analyzing the Newest Turla Backdoor
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using …
Downloadable IOCs 5
An Offer You Can Refuse: Backdoor Deployment Using Trojanized PDF Reader
UNC2970, a suspected North Korean cyber espionage group, targeted critical infrastructure sectors using job-themed phishing lures. The group employed a trojanized version of SumatraPDF to deliver the MISTPEN backdoor via the BURNBOOK launcher. The infection chain involved a password-protected ZIP a…
Downloadable IOCs 14
Observes Targeted Attacks Amid FBI Warnings
The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
Downloadable IOCs 8
New macOS malware gives attackers backdoor access to Macs
A new remote access Trojan (RAT) targeting macOS systems, dubbed HZ RAT, grants remote attackers complete control over infected Macs. The malware collects sensitive data, such as installed apps, user information from WeChat and DingTalk, and Google Password Manager credentials. It's suspected of sp…
Downloadable IOCs 25
Hadooken Malware Targets Weblogic Applications
Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
Downloadable IOCs 4
Targeted Iranian Attacks Against Iraqi Government Infrastructure
Check Point Research uncovered a new malware campaign targeting Iraqi government entities, employing custom tools named Veaty and Spearal. The attack utilizes various techniques including passive IIS backdoors, DNS tunneling, and C2 communication via compromised email accounts. The malware shows co…
Downloadable IOCs 16
Loki: a new private agent for the popular Mythic framework
Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
Downloadable IOCs 7
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
A long-term intrusion targeting a Vietnamese human rights non-profit organization has been discovered, likely spanning at least four years. The attack shows significant overlaps with techniques used by APT32/OceanLotus, a threat actor known for targeting Vietnamese activists. The intrusion involved…
Downloadable IOCs 46
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandsto…
Downloadable IOCs 9
HZ Rat backdoor for macOS harvests data from WeChat and DingTalk
A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
Downloadable IOCs 10
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic
Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. These services evade detection by masquerading as trusted entities, enabling data exfiltration and tool deployment. A new Go-based backdoor, Go…
Downloadable IOCs 20
Fighting Ursa Luring Targets With Car for Sale
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
Downloadable IOCs 6
BITS and Bytes: Analyzing BITSLOTH, a newly identified backdoor
Elastic Security Labs uncovered a new Windows backdoor called BITSLOTH that utilizes the Background Intelligent Transfer Service (BITS) for command-and-control communication. This malware, discovered during an intrusion into a South American government's Foreign Ministry, possesses capabilities for…
Downloadable IOCs 8
Patch or Peril: A Veeam vulnerability incident
While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerabi…
Downloadable IOCs 2
MoonWalk
This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
Downloadable IOCs 3
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
Downloadable IOCs 14
Appearance of Kimsuky group's new backdoor (HappyDoor)
Asec Ahnlab analyzes a new backdoor malware called HappyDoor used by the North Korean hacking group Kimsuky in recent email attacks. The malware has evolved over time and contains capabilities for information stealing and remote access. It communicates with command and control servers using encrypt…
Downloadable IOCs 16
Malicious npm package targets AWS users
ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
Downloadable IOCs 3
North Korean based backdoor packs a punch
This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors a…
Downloadable IOCs 20
Sustained Campaign Using Chinese Espionage Tools Targets Telcos
Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
Downloadable IOCs 47
Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework
Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
Downloadable IOCs 46
SolarMarker Impersonates Job Employment Website
On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
Downloadable IOCs 6
Dipping into Danger: The WARMCOOKIE backdoor
Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
Downloadable IOCs 6
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
Downloadable IOCs 33
Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor
Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
Downloadable IOCs 11
Wineloader - Analysis of the Infection Chain
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Execut…
Downloadable IOCs 9
CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack
Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
Downloadable IOCs 10
Springtail: New Linux Backdoor Added to Toolkit
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
Downloadable IOCs 20
To the Moon and back(doors): Lunar landing in diplomatic missions
ESET researchers discovered two previously unknown backdoors – LunarWeb and LunarMail – compromising a European ministry of foreign affairs and its diplomatic missions abroad. LunarWeb, deployed on servers, utilizes HTTP(S) for command and control communications, mimicking legitimate requests to av…
Downloadable IOCs 12
LNK File Disguised as Certificate Distributing RokRAT Malware
This analysis delves into the continuous distribution of malicious shortcut files (*.LNK) targeting South Korean users, particularly those related to North Korea. These LNK files contain legitimate documents, script code, and encoded malware data. When executed, they create and run a document file …
Downloadable IOCs 4
Playing Possum: What's the Backdoor Up To?
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeep…
Downloadable IOCs 98