Tag: c2 communication

22 Attack Reports | 0 Vulnerabilities

Attack reports

Silver Fox Targeting India Using Tax Themed Phishing Lures

A sophisticated campaign by the Chinese APT group Silver Fox is targeting Indian entities with authentic-looking Income Tax phishing lures. The attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence. The campaign uses a multi-stage infection p…
apt
phishing
india
c2 communication
multi-stage attack
dll hijacking
chinese threat actor
2025-12-24
tax-themed
valley rat
Published: December 24, 2025
Downloadable IOCs: 8

Operation DupeHike: Targeting Russian employees with DUPERUNNER and AdaptixC2

A campaign targeting Russian corporate entities, particularly HR, payroll, and administrative departments, has been uncovered. The attack uses realistic decoy documents themed around employee bonuses and financial policies. The malware ecosystem involves a malicious LNK file leading to an implant d…
process injection
c2 communication
spear-phishing
adaptixc2
2025-12-03
employee bonus lure
duperunner
russian corporate
Published: December 3, 2025
Downloadable IOCs: 12

EVALUSION Campaign Delivers Amatera Stealer and NetSupport...

The eSentire Threat Response Unit identified a malware campaign using ClickFix as an initial access vector to deploy Amatera Stealer and NetSupport RAT. Amatera Stealer is a rebranded version of ACR Stealer, with advanced evasion techniques like WoW64 SysCalls to bypass security solutions. It targe…
powershell
information theft
clickfix
acr stealer
netsupport rat
c2 communication
evasion techniques
crypto-wallets
amatera stealer
2025-11-18
Published: November 18, 2025
Downloadable IOCs: 1

DarkComet RAT Malware Hidden Inside Fake Bitcoin Tool

A malware analysis reveals the reemergence of DarkComet RAT disguised as a Bitcoin-related application. The malware, packed with UPX to evade detection, is distributed as a RAR archive containing an executable file. Once unpacked, it installs itself as 'explorer.exe' in the user's AppData folder an…
rat
cryptocurrency
persistence
bitcoin
keylogging
c2 communication
darkcomet
upx packing
2025-11-14
darkcomet rat
Published: November 14, 2025
Downloadable IOCs: 5

Lazarus Group targets Aerospace and Defense with new Comebacker variant

This analysis details a recent espionage campaign by the DPRK-nexus threat actor Lazarus Group targeting the aerospace and defense sectors. The campaign employs a new variant of the Comebacker backdoor, showcasing the actor's ongoing refinement of their malware arsenal. The attackers use highly spe…
backdoor
north korea
defense
aerospace
comebacker
dprk
c2 communication
spear phishing
decryption
2025-11-10
Published: November 10, 2025
Downloadable IOCs: 15

Threat Actors Leverage SEO Poisoning and Malicious Ads to Distribute Backdoored Microsoft Teams Installers

A new campaign is distributing the Oyster (Broomstick) backdoor through trojanized Microsoft Teams installers. Threat actors are using SEO poisoning and malvertising to trick users into downloading fake installers from spoofed websites. The malicious installers deploy a persistent backdoor that ena…
malvertising
seo poisoning
persistence
dll sideloading
microsoft teams
c2 communication
oyster
broomstick
2025-10-02
oyster backdoor
trojanized installer
Published: October 2, 2025
Downloadable IOCs: 15

New Botnet Emerges from the Shadows: NightshadeC2

A new botnet called NightshadeC2 has been identified, employing sophisticated techniques to bypass malware analysis sandboxes and exclude itself from Windows Defender. It uses a 'UAC Prompt Bombing' technique and has both C and Python variants. The botnet's capabilities include reverse shell, file …
botnet
lumma stealer
keylogging
sandbox evasion
c2 communication
uac bypass
trojanized software
2025-09-05
nightshadec2
Published: September 5, 2025
Downloadable IOCs: 0

New Variant of ACRStealer Actively Distributed with Modifications

A modified version of the ACRStealer infostealer is being actively distributed, featuring enhanced detection evasion and analysis obstruction techniques. The malware uses the Heaven's Gate technique for executing x64 code in WoW64 processes and implements low-level NT functions for C2 communication…
infostealer
anti-analysis
c2 communication
heaven's gate
acrstealer
2025-08-21
data encryption
detection evasion
amaterastealer
Published: August 21, 2025
Downloadable IOCs: 0

Supply Chain Risk in Python: Termcolor and Colorama Explained

A suspicious Python package named termncolor was discovered, which imports a malicious dependency called colorinal. This multi-stage malware operation leverages DLL sideloading to decrypt payloads, establish persistence, and conduct command-and-control communication, ultimately leading to remote co…
supply-chain
python
persistence
pypi
dll-sideloading
2025-08-16
c2-communication
zulip
termncolor
colorinal
Published: August 16, 2025
Downloadable IOCs: 0

From ClickFix to Command: A Full PowerShell Attack Chain

A targeted intrusion campaign impacting Israeli organizations has been identified, leveraging compromised internal email infrastructure to distribute phishing messages. The attack uses a multi-stage, PowerShell-based infection chain, culminating in the delivery of a remote access trojan (RAT). Key …
obfuscation
rat
phishing
social engineering
powershell
lateral movement
c2 communication
2025-08-11
israeli targets
powershell rat
Published: August 11, 2025
Downloadable IOCs: 0

LNK Trojan delivers REMCOS

This report details a multi-stage malware campaign delivering the REMCOS backdoor via a malicious Windows LNK shortcut file. The attack begins with social engineering, leveraging PowerShell for initial execution and deploys a persistent backdoor capable of full system compromise. The infection chai…
backdoor
powershell
remcos
keylogger
lnk file
c2 communication
pif file
multi-stage attack
base64 encoding
2025-07-30
Published: July 30, 2025
Downloadable IOCs: 8

Targeted attacks leverage accounts on popular online platforms as C2 servers

A sophisticated cyberattack campaign targeted the Russian IT industry and other entities globally in late 2024. The attackers used social media profiles and popular websites to deliver payload information, bypassing detection methods. They employed spear phishing emails with malicious RAR archives,…
cobalt strike
cobalt strike beacon
shellcode
targeted attacks
social media
c2 communication
spear phishing
dll hijacking
2025-07-30
api obfuscation
Published: July 30, 2025
Downloadable IOCs: 2

DslogdRAT Malware Installed in Ivanti Connect Secure

The article discusses a malware called DslogdRAT, which was installed on Ivanti Connect Secure systems by exploiting CVE-2025-0282. The malware communicates with a C2 server during business hours to avoid detection. It uses a web shell for initial access and supports various commands for file opera…
zero-day
c2 communication
web shell
CVE-2025-0282
CVE-2025-22457
spawnsnare
ivanti connect secure
2025-04-28
spawnchimera
dslogdrat
Published: April 28, 2025
Downloadable IOCs: 0

New Stealer on the Horizon

SvcStealer 2025 is a novel information stealer delivered through spear phishing email attachments. It harvests sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates specific proce…
cryptocurrency
information stealer
c2 communication
evasion techniques
spear phishing
data harvesting
svcstealer
2025-04-23
Published: April 23, 2025
Downloadable IOCs: 4

PE32 Ransomware: A New Telegram-Based Threat on the Rise

PE32 Ransomware is a new strain of malware that utilizes Telegram for command and control. Despite its amateur execution, it effectively encrypts files and causes significant damage. The ransomware features a unique two-tiered payment model, demanding one fee to unlock files and another to prevent …
encryption
telegram
c2 communication
2025-04-22
two-tiered ransom
amateur execution
pe32 ransomware
bot api
exposed infrastructure
Published: April 22, 2025
Downloadable IOCs: 5

GorillaBot: Technical Analysis and Code Similarities with Mirai

GorillaBot is a newly discovered Mirai-based botnet that has launched over 300,000 attacks across more than 100 countries, targeting various industries including telecommunications, finance, and education. It reuses Mirai's core logic while adding custom encryption and evasion techniques. The malwa…
evasion
encryption
botnet
mirai
c2 communication
anti-debugging
2025-03-25
xtea
sha-256
gorillabot
Published: March 25, 2025
Downloadable IOCs: 3

SVC New Stealer on the Horizon

SvcStealer 2025 is a newly discovered information stealer malware distributed through spear phishing emails. It targets sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates speci…
cryptocurrency
data exfiltration
information stealer
c2 communication
evasion techniques
spear phishing
2025-03-21
svcstealer
Published: March 21, 2025
Downloadable IOCs: 0

Njrat Campaign Using Microsoft Dev Tunnels

A new Njrat malware campaign has been detected utilizing Microsoft's dev tunnels service for command and control (C2) communication. This service, designed for developers to securely expose local services to the internet, is being exploited by the malware to establish connections with C2 servers. T…
njrat
malware campaign
c2 communication
usb propagation
2025-02-27
microsoft dev tunnels
Published: February 27, 2025
Downloadable IOCs: 6

Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques

ValleyRAT, a sophisticated multi-stage malware attributed to Silver Fox APT, has updated its tactics, techniques, and procedures. The malware targets key roles in finance, accounting, and sales departments using phishing emails, malicious websites, and instant messaging platforms. The infection cha…
phishing
persistence
valleyrat
keylogger
dll side-loading
c2 communication
anti-vm
2025-02-05
ghostrat
silver fox apt
Published: February 5, 2025
Downloadable IOCs: 12

Analysis of the attack activities of APT-C-26 (Lazarus) using weaponized IPMsg software

The Lazarus group, a highly active APT organization, has been observed weaponizing the IPMsg installer for attacks. When executed, the malicious installer releases the official IPMsg version 5.6.18.0 to deceive users while activating a malicious DLL in memory. This DLL connects to a remote control …
backdoor
apt
social engineering
data theft
c2 communication
2025-01-02
ipmsg
dll64.dll
loader1.dll
att_loader_dll.dll
weaponized installer
Published: January 2, 2025
Downloadable IOCs: 3

DarkVision RAT

DarkVision RAT is a customizable remote access trojan that first appeared in 2020, offered on Hack Forums for $60. Written in C/C++ and assembly, it offers features like keylogging, screenshots, file manipulation, process injection, remote code execution, and password theft. The analysis reveals a …
purecrypter
c2 communication
multi-stage attack
2024-10-10
remote access trojan
darkvision rat
Published: October 10, 2024
Downloadable IOCs: 0

Zharkbot Strings

Zharkbot is a C++ downloader with extensive anti-analysis and anti-sandbox features. It uses in-line string encryption and API calls, making static and emulation analysis challenging. The malware performs sandbox detection by checking for specific usernames and hypervisors. It installs itself in th…
persistence
anti-analysis
amadey
downloader
2024-09-03
anti-sandbox
string encryption
c2 communication
zharkbot
Published: September 3, 2024
Downloadable IOCs: 2
Click here to see more Attack Reports