Tag: c2

25 Attack Reports | 0 Vulnerabilities

Attack reports

ShadowV2 Casts a Shadow Over IoT Devices

A new Mirai variant called ShadowV2 has been observed spreading through IoT vulnerabilities during a global AWS disruption. The malware targeted multiple countries and industries worldwide, exploiting vulnerabilities in devices from vendors like DD-WRT, D-Link, Digiever, TBK, and TP-Link. ShadowV2 …
vulnerability
ddos
iot
botnet
mirai
c2
aws
CVE-2024-10914
CVE-2024-10915
CVE-2024-53375
CVE-2023-52163
CVE-2024-3721
shadowv2
CVE-2020-25506
2025-11-27
CVE-2009-2765
CVE-2022-37055
Published: November 27, 2025
Linked vulnerabilities : CVE-2024-10914 (CVSS 8.1), CVE-2024-10915 (CVSS 8.1), CVE-2024-53375 (CVSS 8.0), CVE-2023-52163 (CVSS 5.9), CVE-2024-3721, CVE-2020-25506, CVE-2009-2765, CVE-2022-37055
Downloadable IOCs: 16

A Closer Look at Outlook Macros and More

The analysis examines NotDoor, a backdoor utilizing Outlook macros for persistence and lateral movement. It stages files in C:\ProgramData, employing DLL sideloading with OneDrive.exe. The malware creates directories, executes encoded PowerShell commands, and modifies registry entries to enable mac…
backdoor
powershell
persistence
dll sideloading
c2
notdoor
2025-11-15
registry modification
outlook macros
Published: November 15, 2025
Downloadable IOCs: 0

GhostSocks: From Initial Access to Residential Proxy

GhostSocks is a Malware-as-a-Service (MAAS) that converts compromised devices into residential proxies, enabling threat actors to bypass anti-fraud mechanisms. Introduced in October 2023, it gained popularity after partnering with LummaStealer in February 2024. The malware, coded in Golang, uses ob…
obfuscation
c2
golang
maas
lummastealer
socks5
ghostsocks
blackbasta
residential proxy
2025-10-01
double victimization
Published: October 1, 2025
Downloadable IOCs: 12

Learn about ChillyHell, a modular Mac backdoor

ChillyHell is a sophisticated macOS backdoor discovered in 2021 that has evaded detection by antivirus vendors. It is a modular C++ malware targeting Intel architectures, using multiple persistence mechanisms and communication protocols. The backdoor performs host profiling, establishes persistence…
backdoor
dns
persistence
macos
modular
matanbuchus
c2
http
2025-09-10
password-cracking
notarized
chillyhell
Published: September 10, 2025
Downloadable IOCs: 0

ZynorRAT technical analysis: Reverse engineering a novel, Turkish Go-based RAT

ZynorRAT is a newly discovered Go-based Remote Access Trojan that provides a full suite of command and control capabilities for Linux and Windows systems. It was first identified in July 2025 and is believed to be of Turkish origin. The malware uses Telegram as its C2 infrastructure and offers feat…
linux
windows
c2
telegram
remote access trojan
go-based
2025-09-10
zynorrat
turkish
Published: September 10, 2025
Downloadable IOCs: 48

Paper Werewolf targets Russia with WinRAR zero-day vulnerability

A series of attacks by the Paper Werewolf (GOFFEE) cluster exploited vulnerabilities in WinRAR, including CVE-2025-6218 and a zero-day flaw. The threat actor used phishing emails impersonating Russian organizations, delivering malware through archive files. The attacks targeted Russian entities, ut…
phishing
zero-day
shellcode
c2
winrar
directory traversal
2025-08-20
rar
CVE-2025-6218
xpsrchvw74.exe
winrunapp.exe
Published: August 20, 2025
Downloadable IOCs: 0

Distribution of SmartLoader Malware via Github Repository Disguised as a Legitimate Project

A massive distribution of SmartLoader malware has been discovered through GitHub repositories masquerading as legitimate projects. These repositories focus on topics like game cheats, software cracks, and automation tools to attract users. The malware is distributed via compressed files containing …
obfuscation
rhadamanthys
infostealer
persistence
lumma stealer
redline
c2
github
smartloader
2025-08-13
game-cheats
software-cracks
luascript
Published: August 13, 2025
Downloadable IOCs: 11

CastleLoader Analysis

CastleLoader, a versatile malware loader, has infected 469 devices since May 2025 using Cloudflare-themed ClickFix phishing and fake GitHub repositories. It delivers information stealers and RATs, with a 28.7% infection rate. The malware employs sophisticated techniques, including PowerShell and Au…
phishing
powershell
malware loader
redline
autoit
hijackloader
c2
rats
stealc
github
netsupport rat
deerstealer
sectoprat
information stealers
2025-08-13
payload delivery
castleloader
u.s. government
Published: August 13, 2025
Downloadable IOCs: 0

Malware Analysis Report: UMBRELLA STAND - Malware targeting Fortinet devices

UMBRELLA STAND is a sophisticated malware targeting FortiGate 100D series firewalls produced by Fortinet. It contains remote shell execution functionality, configurable beacon frequency, and AES-encrypted C2 communications. The malware uses fake TLS on port 443 to beacon to its C2 server and has th…
persistence
c2
process injection
aes encryption
defense evasion
fortinet
firewall
2025-06-23
shoe rack
remote shell
umbrella stand
Published: June 23, 2025
Downloadable IOCs: 11

Analysis of a Malicious WordPress Plugin: The Covert Redirector

A malicious WordPress plugin named 'wordpress-player.php' has been discovered, affecting at least 26 websites. The plugin injects a hidden HTML5 video player and establishes a WebSocket connection to a command and control server. It redirects visitors to suspicious websites after 4-5 seconds, avoid…
wordpress
plugin
c2
seo
websocket
2025-06-19
redirect
wordpress-player.php
website-integrity
Published: June 19, 2025
Downloadable IOCs: 1

Fileless AsyncRAT Distributed Via Clickfix Technique Targeting German Speaking Users

A fileless AsyncRAT campaign is targeting German-speaking users through Clickfix-themed websites. The attack uses a fake 'I'm not a robot' prompt to execute malicious PowerShell code, which downloads and runs obfuscated C# code in memory. This technique enables full remote access, credential theft,…
obfuscation
powershell
asyncrat
c2
in-memory execution
fileless
clickfix
2025-06-16
german-speaking
Published: June 16, 2025
Downloadable IOCs: 0

Beware of AI Pickpockets: Pickai Backdoor Spreading Through ComfyUI Vulnerability

A new backdoor named Pickai is exploiting ComfyUI vulnerabilities to spread and steal sensitive AI data. Developed in C++, Pickai offers remote command execution and reverse shell capabilities with strong persistence and evasion techniques. It uses multiple C2 servers for redundancy and has infecte…
backdoor
evasion
vulnerability
persistence
c2
supply chain attack
2025-06-13
pickai
comfyui
ai data theft
Published: June 13, 2025
Downloadable IOCs: 9

Technical Analysis of TransferLoader

TransferLoader is a newly identified malware loader active since February 2025. It comprises multiple components including a downloader, backdoor, and specialized loader. The malware employs various anti-analysis techniques and code obfuscation to hinder reverse engineering. TransferLoader has been…
backdoor
obfuscation
ransomware
anti-analysis
c2
downloader
morpheus
2025-05-15
ipfs
transferloader
Published: May 15, 2025
Downloadable IOCs: 7

Thunderstruck! Malicious ads for RVTools lead to ThunderShell payload

A security incident involving malicious sponsored ads distributing backdoored administrative tools was detected. Users searching for RVTools were served a tampered version containing ThunderShell, a PowerShell-based remote access tool. The malicious ads, appearing in Google search results, led to a…
malvertising
powershell
icedid
google ads
c2
remote access tool
2025-04-03
thundershell
rvtools
trojanized software
Published: April 3, 2025
Downloadable IOCs: 0

The Shelby Strategy

The SHELBY malware family exploits GitHub for command-and-control operations, employing sophisticated techniques to evade detection. The malware consists of a loader (SHELBYLOADER) and a backdoor (SHELBYC2), both obfuscated using Obfuscar. SHELBYLOADER employs various sandbox detection methods and …
obfuscation
phishing
c2
telecommunications
github
iraq
uae
2025-04-01
shelbyloader
shelby
sandbox-detection
shelbyc2
Published: April 1, 2025
Downloadable IOCs: 0

Auto-Color: An Emerging and Evasive Linux Backdoor

Auto-color is a newly discovered Linux malware that employs sophisticated evasion techniques. It renames itself to benign-looking filenames, hides remote C2 connections using advanced methods similar to Symbiote malware, and uses proprietary encryption for communication. The malware installs a mali…
linux
backdoor
evasion
encryption
government
c2
proxy
universities
reverse shell
2025-02-25
auto-color
library implant
symbiote
Published: February 25, 2025
Downloadable IOCs: 10

Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt

Pyramid, an open-source post-exploitation framework in Python, is being used by threat actors for malicious purposes. The tool features a lightweight HTTP/S server for encrypted payload delivery, blending with legitimate Python activity. This analysis examines Pyramid's server, outlines network sig…
python
c2
ransomhub
open-source
more_eggs
post-exploitation
2025-02-13
http server
network signatures
detection
pyramid
Published: February 13, 2025
Downloadable IOCs: 0

Unveiling the Past and Present of APT-K-47 Weapon: Asyncshell

The intelligence report details the discovery and analysis of an attack campaign by the APT-K-47 organization, also known as Mysterious Elephant. The attackers used a CHM file to execute a malicious payload, which is an upgraded version of their Asyncshell tool. The new version, dubbed Asyncshell-v…
c2
base64
2024-11-26
chm
asyncshell
hajj
Published: November 26, 2024
Downloadable IOCs: 3

The Evolution of a Cyber Threat: From JinxLoader to Astolfo Loader

JinxLoader, a Go-based malware loader distributed via phishing emails, has evolved into Astolfo Loader. Originally sold on Hack Forums, JinxLoader was designed to deploy additional malware on Windows and Linux systems. The malware operates as a Malware-as-a-Service, making sophisticated tools acces…
c2
2024-11-26
jinxloader
astolfo loader
Published: November 26, 2024
Downloadable IOCs: 6

Supply Chain Attack Using Ethereum Smart Contracts to Distribute Multi-Platform Malware

A sophisticated supply chain attack has been discovered targeting the NPM ecosystem. The malicious package 'jest-fet-mock' impersonates popular testing utilities and uses Ethereum smart contracts for command-and-control operations. This cross-platform malware affects Windows, Linux, and macOS, exec…
supply-chain
typosquatting
c2
npm
multi-platform
2024-11-05
blockchain
development-tools
smart-contract
ethereum
jest-fet-mock
Published: November 5, 2024
Downloadable IOCs: 4

OSINT Investigation: Hunting Malicious Infrastructure Linked to Transparent Tribe

This investigation tracked infrastructure linked to the APT group Transparent Tribe, identifying 15 malicious hosts on DigitalOcean serving as command-and-control servers for the Mythic exploitation framework. The group employs Linux desktop entry files as an attack vector, targeting individuals in…
linux
india
c2
poseidon
mythic
2024-09-30
apt36
desktop entry
osint
digitalocean
jarm
Published: September 30, 2024
Downloadable IOCs: 19

Multiple Malware Dropped Through MSI Package

An analysis reveals the distribution of malware through an MSI package, specifically SectopRat and Redline stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…
powershell
stealer
persistence
dropper
redline
c2
2024-08-14
sectoprat
Published: August 14, 2024
Downloadable IOCs: 11

Brief Overview of the DeerStealer Distribution Campaign

A recent cybersecurity investigation uncovered a malware distribution campaign called DeerStealer. The malware was disseminated through counterfeit Google Authenticator websites, tricking visitors into downloading the malicious payload hosted on GitHub. Upon execution, the stealer collects system i…
phishing
stealer
c2
deerstealer
2024-08-02
xfiles
xor
Published: August 2, 2024
Downloadable IOCs: 28

Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications

While monitoring data in Recorded Future Malware Intelligence, Insikt Group identified purported virtual meeting software called Vortax that, upon download and installation, delivers three information stealers (“infostealers”) in cross-platform attacks — Rhadamanthys, Stealc, and, most notably, Ato…
macos
c2
2024-06-20
Published: June 20, 2024
Downloadable IOCs: 60

Vidar Stealer: An In-depth Analysis of an Information-Stealing Malware

Vidar Stealer is a potent malware written in C++, capable of stealing a wide range of data from the compromised system. Vidar Stealer targets user’s personal data, web-browser data, cryptocurrency wallets, financial data, sensitive files within user directories, communication applications, process …
malware
persistence
2024-06-04
c2
Published: June 4, 2024
Downloadable IOCs: 6
Click here to see more Attack Reports