Tag: c2

12 Attack Reports | 0 Vulnerabilities

Attack reports

Thunderstruck! Malicious ads for RVTools lead to ThunderShell payload

A security incident involving malicious sponsored ads distributing backdoored administrative tools was detected. Users searching for RVTools were served a tampered version containing ThunderShell, a PowerShell-based remote access tool. The malicious ads, appearing in Google search results, led to a…
malvertising
powershell
icedid
google ads
c2
remote access tool
2025-04-03
thundershell
rvtools
trojanized software
Published: April 3, 2025
Downloadable IOCs: 0

The Shelby Strategy

The SHELBY malware family exploits GitHub for command-and-control operations, employing sophisticated techniques to evade detection. The malware consists of a loader (SHELBYLOADER) and a backdoor (SHELBYC2), both obfuscated using Obfuscar. SHELBYLOADER employs various sandbox detection methods and …
obfuscation
phishing
c2
telecommunications
github
iraq
uae
2025-04-01
shelbyloader
shelby
sandbox-detection
shelbyc2
Published: April 1, 2025
Downloadable IOCs: 0

Auto-Color: An Emerging and Evasive Linux Backdoor

Auto-color is a newly discovered Linux malware that employs sophisticated evasion techniques. It renames itself to benign-looking filenames, hides remote C2 connections using advanced methods similar to Symbiote malware, and uses proprietary encryption for communication. The malware installs a mali…
linux
backdoor
evasion
encryption
government
c2
proxy
universities
reverse shell
2025-02-25
auto-color
library implant
symbiote
Published: February 25, 2025
Downloadable IOCs: 10

Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt

Pyramid, an open-source post-exploitation framework in Python, is being used by threat actors for malicious purposes. The tool features a lightweight HTTP/S server for encrypted payload delivery, blending with legitimate Python activity. This analysis examines Pyramid's server, outlines network sig…
python
c2
ransomhub
open-source
more_eggs
post-exploitation
2025-02-13
http server
network signatures
detection
pyramid
Published: February 13, 2025
Downloadable IOCs: 0

Unveiling the Past and Present of APT-K-47 Weapon: Asyncshell

The intelligence report details the discovery and analysis of an attack campaign by the APT-K-47 organization, also known as Mysterious Elephant. The attackers used a CHM file to execute a malicious payload, which is an upgraded version of their Asyncshell tool. The new version, dubbed Asyncshell-v…
c2
base64
2024-11-26
chm
asyncshell
hajj
Published: November 26, 2024
Downloadable IOCs: 3

The Evolution of a Cyber Threat: From JinxLoader to Astolfo Loader

JinxLoader, a Go-based malware loader distributed via phishing emails, has evolved into Astolfo Loader. Originally sold on Hack Forums, JinxLoader was designed to deploy additional malware on Windows and Linux systems. The malware operates as a Malware-as-a-Service, making sophisticated tools acces…
c2
2024-11-26
jinxloader
astolfo loader
Published: November 26, 2024
Downloadable IOCs: 6

Supply Chain Attack Using Ethereum Smart Contracts to Distribute Multi-Platform Malware

A sophisticated supply chain attack has been discovered targeting the NPM ecosystem. The malicious package 'jest-fet-mock' impersonates popular testing utilities and uses Ethereum smart contracts for command-and-control operations. This cross-platform malware affects Windows, Linux, and macOS, exec…
supply-chain
typosquatting
c2
npm
multi-platform
2024-11-05
blockchain
development-tools
smart-contract
ethereum
jest-fet-mock
Published: November 5, 2024
Downloadable IOCs: 4

OSINT Investigation: Hunting Malicious Infrastructure Linked to Transparent Tribe

This investigation tracked infrastructure linked to the APT group Transparent Tribe, identifying 15 malicious hosts on DigitalOcean serving as command-and-control servers for the Mythic exploitation framework. The group employs Linux desktop entry files as an attack vector, targeting individuals in…
linux
india
c2
poseidon
mythic
2024-09-30
apt36
desktop entry
osint
digitalocean
jarm
Published: September 30, 2024
Downloadable IOCs: 19

Multiple Malware Dropped Through MSI Package

An analysis reveals the distribution of malware through an MSI package, specifically SectopRat and Redline stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…
powershell
stealer
persistence
dropper
redline
c2
2024-08-14
sectoprat
Published: August 14, 2024
Downloadable IOCs: 11

Brief Overview of the DeerStealer Distribution Campaign

A recent cybersecurity investigation uncovered a malware distribution campaign called DeerStealer. The malware was disseminated through counterfeit Google Authenticator websites, tricking visitors into downloading the malicious payload hosted on GitHub. Upon execution, the stealer collects system i…
phishing
stealer
c2
deerstealer
2024-08-02
xfiles
xor
Published: August 2, 2024
Downloadable IOCs: 28

Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications

While monitoring data in Recorded Future Malware Intelligence, Insikt Group identified purported virtual meeting software called Vortax that, upon download and installation, delivers three information stealers (“infostealers”) in cross-platform attacks — Rhadamanthys, Stealc, and, most notably, Ato…
macos
c2
2024-06-20
Published: June 20, 2024
Downloadable IOCs: 60

Vidar Stealer: An In-depth Analysis of an Information-Stealing Malware

Vidar Stealer is a potent malware written in C++, capable of stealing a wide range of data from the compromised system. Vidar Stealer targets user’s personal data, web-browser data, cryptocurrency wallets, financial data, sensitive files within user directories, communication applications, process …
malware
persistence
2024-06-04
c2
Published: June 4, 2024
Downloadable IOCs: 6
Click here to see more Attack Reports