Tag: c2 server

10 Attack Reports | 0 Vulnerabilities

Attack reports

Stories from the SOC: Mystery of the postponed proxyware install

A suspicious PowerShell alert led to the discovery of an attack chain aimed at installing proxyware on a compromised system. The infection originated from a disk-cleaning utility installed three days prior, which included malicious scripts and established a connection to a C2 server. The attack uti…
powershell
node.js
c2 server
in-memory execution
proxyware
2025-11-24
download cradle
unauthorized software
disk-cleaning utility
Published: November 24, 2025
Downloadable IOCs: 11

DanaBot C2 Server Memory Leak Bug

A critical vulnerability named DanaBleed was discovered in DanaBot's C2 server, causing memory leaks from June 2022 to early 2025. This bug, introduced in version 2380, exposed sensitive information including threat actor details, server data, and victim credentials. The leak resulted from uninitia…
vulnerability
cybercrime
danabot
malware-as-a-service
c2 server
smokeloader
operation endgame
information theft
2025-06-10
danableed
banking fraud
memory leak
Published: June 10, 2025
Downloadable IOCs: 2

Sophisticated backdoor mimicking secure networking software updates

A sophisticated backdoor targeting Russian organizations in government, finance, and industry sectors was discovered masquerading as updates for ViPNet secure networking software. The malware, distributed in LZH archives, exploits a path substitution technique to execute a malicious loader that dep…
backdoor
apt
russia
payload
c2 server
software updates
2025-04-22
targeted attack
secure networking
heur:trojan.win32.loader.gen
path substitution
vipnet
Published: April 22, 2025
Downloadable IOCs: 0

PJobRAT makes a comeback, takes another crack at chat apps

In the latest campaign, X-Ops researchers found PJobRAT samples disguising themselves as instant messaging apps. In our telemetry, all the victims appeared to be based in Taiwan.
android
infostealer
c2 server
github
2025-03-27
code issues
pull
breadcrumbs
history
pjobrat package
pjobrat domain
pjobrat
eio4
domain hosting
Published: March 27, 2025
Downloadable IOCs: 12

Winos 4.0 Spreads via Impersonation of Official Email to Target Users in Taiwan

An advanced malware framework known as Winos4.0 was used to target companies in Taiwan in January 2025.
phishing
pdf
c2 server
valleyrat
wechat
screen capture
agent
2025-03-05
team
uacme
corrupt
Published: March 5, 2025
Downloadable IOCs: 55

Technical Analysis of Xloader Versions 6 and 7 P2

The latest versions of the Xloader malware, known as Formbook, use advanced obfuscation techniques to mask critical parts of its code and data, as part of a two-part technical analysis.
c2 server
formbook
base64
xloader
2025-02-14
c2 traffic
dword xor
dwords
decoy c2
pushdo
Published: February 14, 2025
Downloadable IOCs: 261

Chinese Hackers Attacking Linux Devices With New SSH Backdoor

Chinese hackers, specifically the DaggerFly espionage group, are targeting Linux devices with a sophisticated SSH backdoor called ELF/Sshdinjector.A!tr. The Lunar Peek campaign, active since mid-November 2024, primarily focuses on network appliances and IoT devices. The attack involves a dropper th…
linux
iot
c2 server
2025-02-05
ssh backdoor
network appliances
lunar peek campaign
Published: February 5, 2025
Downloadable IOCs: 3

The Mobile Malware Chronicles: Necro.N - Volume 101

Zimperium's zLabs researchers have been tracking Necro.N, a highly intrusive mobile malware campaign, since July. This malware, potentially succeeding Joker, uses obfuscation and steganography to hide malicious payloads within images. It downloads payloads from C2 servers, enabling remote code exec…
obfuscation
steganography
c2 server
mobile malware
2024-10-21
joker
necro.n
libsvm.so
fleeceware
advertising sdk
libcoral.so
Published: October 21, 2024
Downloadable IOCs: 6

AdsExhaust, a Newly Discovered Adware MasqueradingOculus…

In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
phishing
powershell
c2 server
download
2024-06-24
urls
adsexhaust
Published: June 24, 2024
Downloadable IOCs: 17

D3F@ck Loader, the New MaaS Loader

In March 2024, eSentire's Threat Response Unit (TRU) discovered multiple instances of D3F@ck Loader infections being propagated via Google Ads. This new loader, which debuted on hacking forums in January 2024 (Figure 1), can allegedly bypass several key security features such as Google Chrome, Edge…
loader
phishing
danabot
2024-05-21
google ads
smartscreen
c2 server
figure
inno setup
microsoft
unit
cyber
fileswindows nt
threat response
Published: May 21, 2024
Linked vulnerabilities : CVE-2024-3400
Downloadable IOCs: 3
Click here to see more Attack Reports