Tag: credential-theft

154 Attack Reports | 0 Vulnerabilities

Attack reports

Russian APT actor phishes the Baltics and the Balkans

A Russian Advanced Persistent Threat (APT) group has been targeting government entities in the Baltic and Balkan regions with sophisticated phishing campaigns. The attackers use email attachments spoofing official documents to lure victims into entering their credentials on fake login pages. The ph…
apt
phishing
credential-theft
government
eastern europe
2025-12-16
Published: December 16, 2025
Downloadable IOCs: 0

Technical Analysis of the BlackForce Phishing Kit

The BlackForce phishing kit, first observed in August 2025, has evolved through multiple versions and is capable of stealing credentials and performing Man-in-the-Browser attacks to bypass multi-factor authentication. It impersonates various brands and uses sophisticated evasion techniques, includi…
phishing
credential theft
mfa bypass
telegram
evasion techniques
2025-12-12
blackforce
mitb
Published: December 12, 2025
Downloadable IOCs: 0

Operation MoneyMount, ISO Deploying Phantom Stealer

A Russian phishing campaign targeting finance and accounting sectors uses fake payment confirmation emails to deliver Phantom stealer malware. The attack chain involves a ZIP file containing an ISO, which when mounted reveals an executable that loads the stealer. The malware employs anti-analysis t…
phishing
russia
exfiltration
steganography
credential theft
finance
multi-stage attack
phantom stealer
2025-12-12
iso
Published: December 12, 2025
Downloadable IOCs: 4

Investigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 and Okta users

An active phishing campaign has been identified targeting organizations using Microsoft 365 and Okta for single sign-on. The campaign employs modern techniques to bypass multi-factor authentication and hijack legitimate SSO flows. It uses lookalike domains to impersonate Okta authentication pages a…
phishing
credential theft
adversary-in-the-middle
microsoft 365
session hijacking
sso
2025-12-10
okta
Published: December 10, 2025
Downloadable IOCs: 1

Teams Social Engineering Attack: Threat Actors Impersonate IT to Steal Credentials via Quick Assist

A sophisticated social engineering attack utilizing Microsoft Teams' new 'Chat with Anyone' feature has been uncovered. Threat actors impersonated IT support to trick users into initiating Quick Assist sessions, ultimately leading to credential theft and potential data exfiltration. The attack invo…
phishing
social engineering
infostealer
credential theft
reconnaissance
microsoft teams
2025-12-03
quick assist
Published: December 3, 2025
Downloadable IOCs: 0

Shai-Hulud V2 Poses Risk to NPM Supply Chain

A second wave of the Shai-Hulud malware campaign, dubbed 'The Second Coming', has emerged targeting the npm ecosystem. This advanced software supply chain attack has compromised over 700 npm packages and created more than 27,000 malicious GitHub repositories. Shai-Hulud V2 introduces critical advan…
backdoor
supply chain
worm
exfiltration
credential theft
github
2025-12-03
shai-hulud v2
Published: December 3, 2025
Downloadable IOCs: 3

Analysis of the Lumma infostealer

The Lumma infostealer is a sophisticated malware distributed as Malware-as-a-Service, targeting Windows systems. It primarily steals sensitive data such as browser credentials, cryptocurrency wallets, and VPN/RDP accounts. Lumma is often used in the initial stages of multi-vector attacks, including…
phishing
windows
infostealer
credential theft
autoit
nsis
lumma
maas
process hollowing
2025-11-27
Published: November 27, 2025
Downloadable IOCs: 3

Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems

The Shai-hulud 2.0 campaign features an advanced malware variant that steals credentials and secrets from major cloud platforms and developer services. It automates the backdooring of NPM packages maintained by victims, enabling rapid propagation across the software supply chain. The malware target…
supply chain
cloud
credential theft
azure
npm
aws
github
shai-hulud
2025-11-27
gcp
Published: November 27, 2025
Downloadable IOCs: 6

How NTLM is being abused in 2025 cyberattacks

NTLM, a legacy authentication protocol, remains prevalent in Windows environments despite known vulnerabilities. Threat actors continue to exploit both old and newly discovered flaws in NTLM for credential theft, privilege escalation, and lateral movement. Recent vulnerabilities like CVE-2024-43451…
apt
windows
credential theft
lateral movement
exploits
CVE-2023-38831
authentication
phantomcore
remcos rat
CVE-2024-43451
ntlm
vulnerabilities
CVE-2025-24054
CVE-2025-24071
CVE-2025-33073
2025-11-26
warzone
avemaria
Published: November 26, 2025
Linked vulnerabilities : CVE-2024-43451 (CVSS 6.5), CVE-2025-24054 (CVSS 6.5), CVE-2025-24071 (CVSS 7.5), CVE-2023-38831, CVE-2025-33073 (CVSS 8.8)
Downloadable IOCs: 3

macOS Malware Deploys in Fake Job Scams

A sophisticated malware campaign targeting macOS users has been discovered, involving fake job assessments and social engineering tactics. The FlexibleFerret malware, attributed to DPRK-aligned operators, uses multi-stage attacks to deploy on victims' systems. The campaign begins with JavaScript fi…
social engineering
macos
credential theft
multi-stage attack
flexibleferret
2025-11-26
golang backdoor
fake job scams
Published: November 26, 2025
Downloadable IOCs: 21

Kimsuky's Ongoing Evolution of KimJongRAT and Expanding Threats

This analysis examines the latest attack flow of the KimJongRAT variant, attributed to the North Korean threat actor Kimsuky. The malware has evolved to include both PE-based and PowerShell-based attack chains, which have been merged into a single workflow. The attackers use phishing emails for ini…
phishing
north korea
babyshark
powershell
credential theft
keylogging
data exfiltration
spear-phishing
browser credentials
kimjongrat
2025-11-24
pe executable
Published: November 24, 2025
Downloadable IOCs: 9

New Banking Trojan Identified, Distributed Through WhatsApp

A new banking Trojan dubbed Eternidade Stealer has been identified, distributed through WhatsApp hijacking and social engineering. The malware, written in Delphi, uses IMAP to retrieve C2 addresses dynamically. It's spread via a WhatsApp worm campaign using a Python script. The attack chain involve…
social engineering
whatsapp
credential theft
banking trojan
brazil
delphi
2025-11-20
eternidade stealer
imap
Published: November 20, 2025
Linked vulnerabilities : CVE-2025-59287 (CVSS 9.8)
Downloadable IOCs: 23

Major October 2025 Cyber Attacks Your SOC Can't Ignore

October 2025 saw a surge in sophisticated cyber attacks, including phishing campaigns exploiting Google Careers and ClickUp, abuse of Figma for credential theft, the emergence of LockBit 5.0 targeting ESXi and Linux systems, and the discovery of TyKit, a new phishing kit. Attackers increasingly abu…
phishing
ransomware
lockbit
credential theft
cloud abuse
lockbit 5.0
2025-10-29
tykit
clickup
google careers
figma
Published: October 29, 2025
Downloadable IOCs: 10

New Android Malware Mimics Human Behavior to Evade Detection

A new Android malware called Herodotus has been discovered, designed to perform device takeover while mimicking human behavior to bypass biometric detection. Active campaigns have been observed in Italy and Brazil. Herodotus is being offered as Malware-as-a-Service and shows links to the previously…
android
credential theft
malware-as-a-service
banking trojan
device takeover
hook
mqtt
remote control
2025-10-28
octo
behavior mimicry
herodotus
brokewell
Published: October 28, 2025
Downloadable IOCs: 1

Help Wanted: Vietnamese Actors Using Fake Job Posting Campaigns to Deliver Malware and Steal Credentials

A group of financially motivated threat actors from Vietnam, tracked as UNC6229, is targeting individuals in the digital advertising and marketing sectors through fake job postings. They use social engineering tactics to deliver malware and phishing kits, aiming to compromise high-value corporate a…
social engineering
credential theft
remote access trojans
2025-10-23
fake job postings
digital advertising
Published: October 23, 2025
Downloadable IOCs: 0

SecuritySnack: 18+E-Crime

A financially motivated cybercrime operation has been identified, targeting users with over 80 spoofed domain names and lure websites. The campaign, which began in September 2024, focuses on government tax sites, consumer banking, age 18+ social media content, and Windows assistant applications. Th…
social engineering
credential theft
spoofed domains
android malware
trojans
lure websites
2025-10-06
windows malware
Published: October 6, 2025
Downloadable IOCs: 140

Update on Ongoing Akira Ransomware Campaign

The Akira ransomware campaign targeting SonicWall SSL VPN accounts has intensified since July 2025, with new infrastructure observed as recently as September 20. Threat actors are exploiting previously exfiltrated credentials, including those with OTP MFA, likely related to CVE-2024-40766. The atta…
ransomware
credential theft
akira
CVE-2024-40766
CVE-2023-20269
CVE-2020-3259
sonicwall
ssl vpn
2025-09-27
infrastructure rotation
Published: September 27, 2025
Downloadable IOCs: 0

Hidden WordPress Backdoors Creating Admin Accounts

Two malicious files were discovered on a compromised WordPress website, designed to manipulate administrator accounts and maintain unauthorized access. The first file, disguised as a plugin called 'DebugMaster Pro', created a secret admin user and communicated with a command and control server. The…
backdoor
wordpress
credential theft
compromise
stealth
2025-09-24
debugmaster pro
admin accounts
Published: September 24, 2025
Downloadable IOCs: 0

Unmasking Akira: The ransomware tactics you can't afford to ignore

The Akira ransomware group has been targeting UK businesses since 2023, primarily affecting retail, finance, manufacturing, and medical sectors. Their tactics include exploiting SSL VPNs, using double extortion, and focusing on financial gain. Key observations from 2023-2025 include initial access …
ransomware
encryption
credential theft
data exfiltration
akira
CVE-2023-27532
CVE-2024-40766
CVE-2024-40711
double extortion
CVE-2023-20269
2025-09-22
backup destruction
Published: September 22, 2025
Downloadable IOCs: 0

Warlock operation joins busy ransomware landscape

GOLD SALEM, also known as Warlock Group, has emerged as a significant player in the ransomware landscape since March 2025. The group has compromised networks across North America, Europe, and South America, targeting a range of organizations from small entities to large corporations. GOLD SALEM ope…
ransomware
credential theft
lateral movement
CVE-2024-51324
CVE-2025-53770
CVE-2025-53771
CVE-2025-49704
CVE-2025-49706
warlock
dedicated leak site
2025-09-17
edr bypass
sharepoint exploitation
warlock group
Published: September 17, 2025
Linked vulnerabilities : CVE-2024-51324 (CVSS 3.8), CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 2

The Dangers of Storing Unencrypted Passwords

A threat actor exploited a SonicWall VPN vulnerability to gain initial access to an organization's network. The attacker discovered plaintext Huntress recovery codes on a user's desktop, allowing them to bypass MFA and access the Huntress portal. They then proceeded to close active incident reports…
ransomware
credential theft
akira
sonicwall
2025-09-15
certificate export
vpn exploit
recovery codes
Published: September 15, 2025
Downloadable IOCs: 2

AI-Generated Code and Fake Apps Used for Far-Reaching Attacks

A new malware campaign called EvilAI is spreading globally by disguising itself as legitimate AI-enhanced productivity tools. The malware uses AI-generated code and professional interfaces to evade detection, targeting organizations across sectors like manufacturing, government, and healthcare. It …
obfuscation
persistence
node.js
trojan
credential theft
command and control
2025-09-12
ai-generated code
evilai
fake applications
Published: September 12, 2025
Downloadable IOCs: 14

Threat Spotlight: Speed, Scale, and Stealth: How Axios Powers Automated Phishing

Axios user agent activity has surged by 241% from June to August 2025, outpacing other flagged user agents. Attacks combining Axios with Direct Send achieved a 70% success rate in recent campaigns, significantly higher than non-Axios campaigns. The combination exploits Direct Send's trusted nature …
phishing
credential theft
qr codes
automation
axios
api exploitation
direct send
2025-09-10
user agent
Published: September 10, 2025
Downloadable IOCs: 14

Inside the Kimsuky Leak: How the 'Kim' Dump Exposed North Korea's Credential Theft Playbook

A data breach attributed to a North Korean-affiliated actor known as "Kim" has provided new insights into Kimsuky (APT43) tactics and infrastructure. The actor's operations focus on credential-based intrusions targeting South Korean and Taiwanese networks, utilizing Chinese-language tools and infra…
phishing
north korea
rootkit
south korea
credential theft
taiwan
ocr
2025-09-08
hybrid attribution
vmmisc.ko
gpki
Published: September 8, 2025
Downloadable IOCs: 11

Malicious Appsuite PDF Editor Spreads Tamperedchef Malware

A large cybercrime campaign has been observed involving multiple fraudulent websites promoted through Google advertising. The campaign aims to trick users into downloading and installing a trojanized PDF editor containing the TamperedChef information-stealing malware. The malware harvests sensitive…
obfuscation
credential theft
information stealer
trojanized software
tamperedchef
2025-08-28
google advertising
appsuite pdf editor
Published: August 28, 2025
Downloadable IOCs: 97

UNC Cluster Targeting South Asian Countries

A South Asian APT group has been consistently targeting Sri Lanka, Bangladesh, Pakistan, and Turkey. The operation involves phishing campaigns using military-themed lures to compromise phones of military personnel. The attackers employ various tactics, including PDF phishing documents, fake login p…
phishing
credential theft
remote access
rafel rat
information stealer
android malware
2025-08-27
military targets
south asian apt
Published: August 27, 2025
Downloadable IOCs: 0

Android Document Readers and Deception: Tracking the Latest Updates to Anatsa

Anatsa, an Android banking malware first discovered in 2020, has evolved with new capabilities and targets. The latest variant now affects over 831 financial institutions worldwide, including new countries and cryptocurrency platforms. Anatsa has streamlined its payload delivery, implemented DES ru…
android
cryptocurrency
credential theft
banking trojan
anatsa
teabot
evasion techniques
coper
joker
google play store
financial institutions
2025-08-22
harly
facestealer
Published: August 22, 2025
Downloadable IOCs: 0

Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC

A financially motivated threat group dubbed Greedy Sponge has been targeting Mexican organizations since 2021 with a modified version of AllaKore RAT and SystemBC malware. The group uses spear-phishing and drive-by downloads to deliver custom packaged installers containing the RAT. Recent updates i…
allakore rat
financial fraud
credential theft
drive-by download
systembc
spear-phishing
geofencing
2025-08-21
mexico
Published: August 21, 2025
Downloadable IOCs: 0

Cybercriminals Abuse AI Website Creation App For Phishing

Cybercriminals are exploiting an AI-powered website creation platform called Lovable to generate fraudulent websites for credential phishing and malware delivery. The threat actors create or clone sites impersonating well-known brands, use CAPTCHA for filtering, and post stolen credentials to Teleg…
phishing
cryptocurrency
credential theft
zgrat
malware delivery
doiloader
tycoon
2025-08-21
ai-generated websites
lovable platform
Published: August 21, 2025
Downloadable IOCs: 0

From SharePoint Vulnerability Exploit to Enterprise Ransomware

The Warlock ransomware group exploited unpatched Microsoft SharePoint servers to gain initial access and deploy ransomware across enterprise environments. The attack chain involved exploiting vulnerabilities, privilege escalation through Group Policy modification, credential theft using Mimikatz, l…
ransomware
lockbit
vulnerability
credential theft
dll sideloading
lateral movement
data exfiltration
CVE-2023-27532
lockbit 3.0
sharepoint
warlock
2025-08-20
Published: August 20, 2025
Downloadable IOCs: 0

Microsoft 365 Direct Send Abuse: Phishing Risks & Security Recommendations

Threat actors are actively exploiting Microsoft 365's Direct Send feature to deliver phishing emails, bypassing perimeter security solutions by routing malicious messages through trusted infrastructure. This technique requires no credentials, only knowledge of the target domain and valid recipient …
phishing
credential theft
spoofing
microsoft 365
business email compromise
email security
2025-08-18
direct send
Published: August 18, 2025
Downloadable IOCs: 27

A New Threat Actor Targeting Geopolitical Hotbeds

Bitdefender Labs has uncovered a new threat actor group named Curly COMrades, operating since mid-2024 to support Russian interests. The group targets critical organizations in countries experiencing geopolitical shifts, focusing on judicial and government bodies in Georgia and an energy distributi…
backdoor
russia
credential theft
lateral movement
geopolitical
moldova
resocks
2025-08-12
georgia
clsid hijacking
mucoragent
proxy tools
Published: August 12, 2025
Downloadable IOCs: 0

Unveiling a New Variant of the DarkCloud Campaign

A new DarkCloud campaign was observed in July 2025, targeting Windows users with a sophisticated infection chain. The attack begins with a phishing email containing a RAR archive, which leads to the execution of obfuscated JavaScript and PowerShell code. This code downloads and deploys a fileless .…
powershell
credential-theft
anti-analysis
process-hollowing
fileless
information-stealer
2025-08-08
darkcloud
Published: August 8, 2025
Downloadable IOCs: 2

Unmasking the SVG Threat: How Hackers Use Vector Graphics for Phishing Attacks

Attackers are exploiting Scalable Vector Graphics (SVG) files to execute sophisticated phishing attacks. SVGs, typically used for scalable images, can contain embedded JavaScript that executes when opened in a browser. The attack chain involves sending SVG attachments via spear-phishing emails or c…
phishing
javascript
credential theft
captcha
svg
email attachments
2025-08-07
cloud storage
browser execution
Published: August 7, 2025
Downloadable IOCs: 2

Odyssey Stealer Malware Attacks macOS Users

A phishing campaign targeting macOS users employs a ClickFix technique to deliver the Odyssey Stealer malware. The attack uses a fake CAPTCHA verification page that executes without dropping a binary on the system. When users follow the instructions, they unknowingly execute a malicious AppleScript…
phishing
macos
credential theft
clickfix
applescript
odyssey stealer
2025-08-07
crypto wallet
Published: August 7, 2025
Downloadable IOCs: 3

From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira

A sophisticated cyber attack campaign leveraged SEO poisoning to compromise organizations through trojanized IT management tool installers. The attack began when users searching for ManageEngine OpManager were directed to a malicious website, downloading a compromised MSI file that installed Bumble…
ransomware
seo poisoning
credential theft
lateral movement
data exfiltration
akira
bumblebee
2025-08-07
rustdesk
it management tools
adaptixc2
Published: August 7, 2025
Downloadable IOCs: 0

Active Exploitation of SonicWall VPNs

A potential zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware. The attack chain begins with a breach of the SonicWall appliance, followed by post-exploitation techniques including enumeration, detection evasion, lateral movement, and credential…
ransomware
zero-day
credential theft
lateral movement
vpn
mfa bypass
akira
sonicwall
2025-08-04
Published: August 4, 2025
Downloadable IOCs: 12

FAKE TELEGRAM PREMIUM SITE DISTRIBUTES NEW LUMMA STEALER VARIANT

A malicious campaign using the domain 'telegrampremium[.]app' is distributing a new variant of Lumma Stealer malware. The fake site mimics the official Telegram Premium platform and automatically downloads an executable file 'start.exe' upon access. This sophisticated information-stealing trojan ca…
windows
infostealer
lumma stealer
credential theft
drive-by download
brand impersonation
2025-08-03
telegram premium
Published: August 3, 2025
Downloadable IOCs: 0

Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing

Proofpoint has uncovered a sophisticated phishing campaign utilizing fake Microsoft OAuth applications to bypass multifactor authentication and steal credentials. The threat actors impersonate various enterprise apps like RingCentral, SharePoint, Adobe, and DocuSign to lure victims. The attack chai…
phishing
aitm
credential theft
mfa bypass
microsoft 365
oauth
2025-08-01
application impersonation
tycoon
Published: August 1, 2025
Downloadable IOCs: 0

RAVEN STEALER UNMASKED: Telegram-Based Data Exfiltration

Raven Stealer is a modern information-stealing malware developed in Delphi and C++, designed to extract sensitive data from victim machines. It targets Chromium-based browsers, extracting passwords, cookies, payment details, and autofill information. The malware uses a modular architecture and a bu…
infostealer
credential theft
information-stealing
data exfiltration
github
telegram
c++
browser data
delphi
octalyn stealer
2025-07-26
raven stealer
upx packing
2025-08-01
Published: August 1, 2025
Downloadable IOCs: 0

MaaS Appeal: An Infostealer Rises From The Ashes

NOVABLIGHT is a NodeJS-based Malware-as-a-Service (MaaS) information stealer developed by a French-speaking threat group. It's sold as an educational tool but used for credential theft and cryptowallet compromise. The malware features heavy obfuscation, multiple anti-analysis techniques, and variou…
obfuscation
infostealer
anti-analysis
electron
credential theft
data exfiltration
maas
nodejs
2025-07-31
nova sentinel
malicord
novablight
Published: July 31, 2025
Downloadable IOCs: 8

Android Malware Posing As Indian Bank Apps

This report analyzes a sophisticated Android malware targeting Indian banking apps. The malware uses a dropper and main payload structure, leveraging permissions like SMS access and silent installation to steal credentials, intercept messages, and perform unauthorized financial activities. It emplo…
phishing
android
credential-theft
trojan
banking
firebase
2025-07-25
call-forwarding
sms-interception
Published: July 25, 2025
Downloadable IOCs: 2

Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor

A financially-motivated threat actor, UNC6148, is targeting fully patched end-of-life SonicWall SMA 100 series appliances. They are using stolen credentials and OTP seeds from previous intrusions to regain access. The actor has deployed a new persistent backdoor/user-mode rootkit called OVERSTEP, w…
backdoor
rootkit
credential theft
vpn
data exfiltration
sonicwall
CVE-2025-32819
2025-07-18
overstep
CVE-2021-20038
CVE-2024-38475
CVE-2021-20039
CVE-2021-20035
sma
Published: July 18, 2025
Linked vulnerabilities : CVE-2025-32819 (CVSS 8.8), CVE-2021-20039, CVE-2023-44221, CVE-2021-20035, CVE-2024-38475, CVE-2021-20038
Downloadable IOCs: 4

Powerful MaaS On the Prowl for Credentials and Crypto Assets

Katz Stealer is a sophisticated infostealer marketed as Malware-as-a-Service (MaaS), launched in early 2025. It features robust credential and data theft capabilities, along with modern evasion and anti-analysis techniques. The stealer targets a wide range of personal and sensitive information, inc…
infostealer
cryptocurrency
credential theft
data exfiltration
maas
evasion techniques
browser injection
katz stealer
2025-07-17
Published: July 17, 2025
Downloadable IOCs: 31

Applications of Snake Keylogger in Geopolitics: Abuse of Trusted Java Utilities in Cybercriminal Activities

A new phishing campaign using Snake Keylogger, a Russian-origin stealer, has been discovered targeting various victims including corporations, governments, and individuals. The campaign uses spear-phishing emails offering petroleum products, with malicious attachments exploiting the legitimate jsad…
credential theft
dll sideloading
java
keylogger
geopolitical
maas
snake keylogger
spear-phishing
2025-07-06
petroleum
Published: July 6, 2025
Downloadable IOCs: 0

Hide Your RDP: Password Spray Leads to RansomHub Deployment

This report details a cyberattack where threat actors gained initial access through a password spray attack on an exposed RDP server. They used Mimikatz and Nirsoft for credential harvesting, and employed living-off-the-land techniques along with tools like Advanced IP Scanner for network discovery…
ransomware
credential theft
lateral movement
rdp
ransomhub
mimikatz
data exfiltration
password spray
living-off-the-land
2025-06-30
Published: June 30, 2025
Downloadable IOCs: 9

Phishing Campaign Targets Indian Defense Using Credential-Stealing Malware

APT36, a Pakistan-based cyber espionage group, is actively targeting Indian defense personnel through sophisticated phishing campaigns. The group disseminates emails with malicious PDF attachments resembling official government documents. When opened, these PDFs display a blurred background and a b…
phishing
pakistan
cyber espionage
credential theft
pdf
transparent tribe
2025-06-21
indian defense
Published: June 21, 2025
Downloadable IOCs: 0

Steam Phishing: Popular as Ever

A recent phishing campaign targeting Steam users has been identified, involving deceptive messages sent through the platform's Friends list. The attackers use fraudulent URLs that closely mimic Steam's official domain, directing users to a fake 'Summer Gift Marathon' page. Upon logging in, users' c…
phishing
social engineering
credential theft
fraud
cybersecurity
gaming
steam
2025-06-20
Published: June 20, 2025
Downloadable IOCs: 31

Resurgence of the Prometei Botnet

Unit 42 researchers identified a new wave of Prometei botnet attacks in March 2025. The malware, which includes Linux and Windows variants, allows remote control of compromised systems for cryptocurrency mining and credential theft. Prometei is actively developed, incorporating new modules and meth…
linux
backdoor
botnet
credential theft
cryptominer
dga
prometei
2025-06-20
Published: June 20, 2025
Downloadable IOCs: 11

Understanding CyberEYE RAT Builder: Capabilities and Implications

CyberEye is a modular, .NET-based Remote Access Trojan that utilizes Telegram for Command and Control, eliminating the need for attackers to maintain their own infrastructure. It offers a wide array of surveillance and data theft capabilities, including keylogging, file grabbing, and clipboard hija…
rat
persistence
anti-analysis
credential theft
data exfiltration
telegram
2025-06-13
cybereye
windows defender evasion
telegramrat
Published: June 13, 2025
Downloadable IOCs: 0

UNC1151 exploiting Roundcube to steal user credentials in a spearphishing campaign

A spear phishing campaign targeting Polish entities has been observed, exploiting the CVE-2024-42009 vulnerability in Roundcube to steal user credentials. The campaign, attributed to UNC1151, involves sending emails with malicious JavaScript that installs a Service Worker in the victim's browser. T…
spearphishing
poland
credential theft
vulnerability exploitation
CVE-2024-42009
unc1151
CVE-2025-49113
2025-06-05
roundcube
Published: June 5, 2025
Linked vulnerabilities : CVE-2024-42009, CVE-2025-49113 (CVSS 9.9)
Downloadable IOCs: 3

PumaBot: Novel Botnet Targeting IoT Surveillance Devices

A new Go-based Linux botnet named PumaBot has been identified targeting IoT devices, particularly surveillance systems. It brute-forces SSH credentials using lists from a C2 server, then deploys itself and establishes persistence. The malware disguises itself as legitimate system files, creates sys…
linux
surveillance
persistence
iot
botnet
credential theft
2025-06-04
pumabot
ssh brute-force
Published: June 4, 2025
Downloadable IOCs: 1

Behind the Script: Unmasking Phishing Attacks Using Google Apps Script

A sophisticated phishing campaign has been identified that leverages Google Apps Script to create a false sense of security. The attack begins with an email masquerading as an invoice, containing a link to a webpage hosted on Google's trusted environment. When clicked, the link redirects to a fake …
phishing
social engineering
credential theft
email spoofing
2025-06-04
google apps script
invoice scam
microsoft login
Published: June 4, 2025
Downloadable IOCs: 2

AMOS Variant Distributed Via Clickfix In Spectrum-Themed Dynamic Delivery Campaign By Russian Speaking Hackers

A sophisticated campaign using typo-squatted 'Spectrum' domains has been uncovered, spreading a new Atomic macOS Stealer (AMOS) variant. The attack, disguised as a CAPTCHA verification, employs dynamic payloads based on the victim's operating system. For macOS users, a malicious shell script steals…
social engineering
typosquatting
credential theft
clickfix
poseidon
amos
2025-06-04
dynamic payload
spectrum
multi-platform attack
macos stealer
Published: June 4, 2025
Downloadable IOCs: 4

PhaaS the Secrets: The Hidden Ties Between Tycoon2FA and Dadsec's Operations

This analysis explores the connections between two Phishing-as-a-Service (PhaaS) platforms: Tycoon2FA and Dadsec. The investigation reveals shared infrastructure and operational similarities, suggesting a common origin or adaptation. The report details the evolving tactics of Tycoon2FA, including i…
aitm
credential theft
mfa bypass
phishing-as-a-service
dadsec
tycoon2fa
2025-05-29
Published: May 29, 2025
Downloadable IOCs: 0

Inside a VenomRAT Malware Campaign

A malicious campaign utilizing VenomRAT, a Remote Access Trojan, is analyzed. The attackers use a fake Bitdefender download website to spread malware, including VenomRAT, StormKitty, and SilentTrinity. These tools work together to provide initial access, steal credentials, and maintain long-term hi…
phishing
credential theft
venomrat
open-source malware
command and control
remote access trojan
stormkitty
silenttrinity
2025-05-29
Published: May 29, 2025
Downloadable IOCs: 35

Evolution of Zanubis, a banking Trojan for Android

Zanubis is an evolving Android banking Trojan that emerged in 2022, targeting financial institutions in Peru before expanding to virtual cards and crypto wallets. It impersonates legitimate apps to trick users into granting accessibility permissions, enabling extensive data theft and device control…
android
credential theft
banking trojan
2025-05-28
zanubis
sms hijacking
Published: May 28, 2025
Downloadable IOCs: 8

Global operation disrupts Lumma Stealer

ESET collaborated with Microsoft and other partners in a global operation to disrupt Lumma Stealer, a prominent malware-as-a-service infostealer. ESET's contribution involved analyzing tens of thousands of malware samples to extract key data like C&C servers and affiliate identifiers. The operation…
infostealer
lumma stealer
credential theft
malware-as-a-service
disruption
2025-05-26
c&c infrastructure
Published: May 26, 2025
Downloadable IOCs: 113

PupkinStealer .NET Infostealer Using Telegram for Data Theft

PupkinStealer is a newly identified .NET-based information-stealing malware that extracts sensitive data like web browser passwords and app session tokens, exfiltrating it via Telegram. It targets Chromium-based browsers, Telegram, and Discord, focusing on credential theft and session hijacking. Th…
infostealer
credential theft
2025-05-22
session hijacking
pupkinstealer
Published: May 22, 2025
Downloadable IOCs: 1

Operation RoundPress targeting high-value webmail servers

ESET researchers have uncovered a Russia-aligned espionage operation named RoundPress, targeting high-value webmail servers through XSS vulnerabilities. The campaign, attributed to the Sednit group, aims to steal confidential data from specific email accounts. Initially focused on Roundcube in 2023…
espionage
spearphishing
russia
zero-day
credential theft
xss
data exfiltration
CVE-2024-27443
CVE-2024-11182
2025-05-15
2025-05-18
webmail
eastern europe
spypress.roundcube
spypress.mdaemon
CVE-2023-43770
spypress.zimbra
spypress.horde
Published: May 18, 2025
Linked vulnerabilities : CVE-2024-27443, CVE-2024-11182 (CVSS 6.1), CVE-2020-35730, CVE-2023-23397, CVE-2023-43770
Downloadable IOCs: 16

Part 2: Compromised WordPress Pages and Malware Campaigns

This analysis focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. The threat actors used redirector scripts to target users from various countries, mimicking the Google Play Store. Additionally, the XWorm campaign tar…
xworm
phishing
ransomware
android
remcos
wordpress
credential theft
strela stealer
proton66
weaxor
2025-05-16
Published: May 16, 2025
Downloadable IOCs: 45

Security Incident Response Team

A critical vulnerability in various Fortinet products allows remote attackers to execute arbitrary code via crafted HTTP requests. Observed exploitation on FortiVoice involved network scanning, erasing system logs, and enabling fcgi debugging to capture credentials. Affected products include FortiV…
credential theft
remote code execution
buffer overflow
network scanning
2025-05-14
fortivoice
CVE-2025-32756
fortindr
forticamera
fortimail
log manipulation
fortirecorder
Published: May 14, 2025
Linked vulnerabilities : CVE-2025-32756
Downloadable IOCs: 6

DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt

Unit 42 researchers have identified a series of attacks distributing DarkCloud Stealer, an information-stealing malware that has been active since 2022. The latest attack chain incorporates AutoIt to evade detection and uses a file-sharing server to host the malware. The infection process begins wi…
obfuscation
phishing
infostealer
anti-analysis
credential theft
autoit
information stealing
2025-05-14
multi-stage payload
darkcloud stealer
Published: May 14, 2025
Linked vulnerabilities : CVE-2025-31324 (CVSS 10.0)
Downloadable IOCs: 4

New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms

As artificial intelligence (AI) surges into mainstream adoption, millions of users turn daily to AI-powered tools for content creation—from generating art and music to transforming photos into videos. But amid this excitement, cybercriminals have uncovered a potent new lure: fake AI platforms promi…
xworm
python
infostealer
worm
credential theft
remote access
ai
morphisec
facebook
2025-05-12
word document
noodlophile
capcutloader
video dream
Published: May 12, 2025
Downloadable IOCs: 32

Additional Features of OtterCookie Malware Used by WaterPlum

The article discusses updates to the OtterCookie malware utilized by the North Korea-linked attack group WaterPlum. The malware has evolved through four versions, with v3 and v4 being the focus. OtterCookie v3 introduced Windows support and enhanced file collection capabilities. Version 4 added new…
north korea
windows
cryptocurrency
stealer
macos
credential theft
beavertail
invisibleferret
ottercookie
2025-05-11
financial institutions
Published: May 11, 2025
Downloadable IOCs: 0

COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs

Russian government-backed threat group COLDRIVER has developed a new malware called LOSTKEYS, capable of stealing files and system information. The group targets high-profile individuals, NGOs, and former intelligence officers through credential phishing and malware delivery. LOSTKEYS is delivered …
phishing
powershell
credential theft
clickfix
2025-05-07
spica
document theft
lostkeys
ngos
Published: May 7, 2025
Downloadable IOCs: 0

CoGUI Phish Kit Targets Japan with Millions of Messages

A sophisticated phishing kit named CoGUI is targeting Japanese organizations with high-volume campaigns, primarily impersonating consumer and finance brands to steal credentials and payment data. The kit employs advanced evasion techniques like geofencing and fingerprinting to avoid detection. Sinc…
phishing
credential theft
brand impersonation
2025-05-06
darcula
cogui
Published: May 6, 2025
Downloadable IOCs: 7

TerraStealerV2 and TerraLogger: Golden Chickens' New Malware Families Discovered

Insikt Group has discovered two new malware families, TerraStealerV2 and TerraLogger, linked to the financially motivated threat actor Golden Chickens. TerraStealerV2 is designed to steal browser credentials, cryptocurrency wallet data, and browser extension information, while TerraLogger functions…
stealer
credential theft
malware-as-a-service
keylogger
revc2
venomlnk
2025-05-01
terraloader
terrastealerv2
terralogger
browser data
Published: May 1, 2025
Downloadable IOCs: 39

Pick your Poison - A Double-Edged Email Attack

A sophisticated cyber-attack campaign has been identified, combining phishing techniques targeting Office365 credentials with malware delivery. The attackers use a file deletion reminder as a pretext, exploiting a legitimate file-sharing service to appear more credible. Upon opening a shared PDF fi…
phishing
social engineering
credential theft
remote access
connectwise rat
2025-04-08
office365
file-sharing
2025-04-28
Published: April 28, 2025
Downloadable IOCs: 0

Navigating Through The Fog

An open directory linked to a Fog ransomware affiliate was discovered, containing tools for reconnaissance, exploitation, lateral movement, and persistence. Initial access was gained through compromised SonicWall VPN credentials, while other tools facilitated credential theft and exploitation of Ac…
ransomware
anydesk
persistence
credential theft
CVE-2020-1472
CVE-2021-42278
CVE-2021-42287
sliver
lateral movement
vpn
fog ransomware
sonicwall
2025-04-28
active directory
Published: April 28, 2025
Linked vulnerabilities : CVE-2021-42287, CVE-2021-42278, CVE-2020-1472
Downloadable IOCs: 1

A new version of Triada spreads embedded in the firmware of Android devices

Kaspersky researchers have discovered a new version of the Triada Trojan being distributed through infected Android device firmware. The malware is embedded into system files before devices are sold, making it nearly impossible to remove. It infects the Zygote process to compromise all apps on the …
android
cryptocurrency
trojan
credential theft
triada
sms interception
firmware
reverse proxy
2025-04-25
Published: April 25, 2025
Downloadable IOCs: 0

Byte Bandits: How Fake PDF Converters Are Stealing More Than Just Your Documents

A sophisticated malware campaign exploits users' trust in online file conversion tools by impersonating the legitimate service pdfcandy.com. The attack involves fake PDF-to-DOCX converters that trick victims into executing a malicious PowerShell command, leading to the installation of Arechclient2,…
phishing
social engineering
credential theft
information stealer
sectoprat
2025-04-15
pdf converter
arechclient2
Published: April 15, 2025
Downloadable IOCs: 0

March 2025 Trends Report on Phishing Emails

The report analyzes phishing email trends in March 2025, revealing that phishing attacks constituted 59% of email threats. Attackers primarily used HTML scripts to mimic login pages and promotional content, aiming to steal user credentials. The analysis covers distribution statistics, Korean phishi…
phishing
social engineering
malware distribution
credential theft
infostealers
email attachments
2025-04-10
downloaders
html scripts
document exploits
compressed files
Published: April 10, 2025
Downloadable IOCs: 0

Sapphire Werewolf refines Amethyst stealer to attack energy companies

The Sapphire Werewolf cluster has upgraded its toolkit with a new version of the Amethyst stealer, targeting energy companies through phishing emails. The enhanced malware features advanced checks for virtualized environments and uses Triple DES for string encryption. The attack involves distributi…
phishing
credential theft
2025-04-09
amethyst stealer
virtualization detection
Published: April 9, 2025
Downloadable IOCs: 0

Proactive ClickFix Threat Hunting with Hunt.io

ClickFix is a browser-based delivery technique that uses deceptive prompts and clipboard hijacking to trick users into executing malicious commands. Cybercriminals and advanced actors employ this method to deploy malware, primarily information stealers. The technique involves luring users with fake…
powershell
cryptbot
lumma stealer
credential theft
clickfix
captcha
information stealers
malware delivery
threat hunting
browser-based attacks
2025-04-04
clipboard hijacking
Published: April 4, 2025
Downloadable IOCs: 0

Threat actors leverage tax season to deploy tax-themed phishing campaigns

Microsoft has observed several phishing campaigns using tax-related themes to steal credentials and deploy malware as Tax Day approaches in the United States. These campaigns use redirection methods like URL shorteners and QR codes in malicious attachments, and abuse legitimate services to avoid de…
malware
phishing
social engineering
remcos
credential theft
latrodectus
guloader
redirection
qr codes
remote access trojans
2025-04-03
tax season
ahkbot
bruteratel c4
Published: April 3, 2025
Downloadable IOCs: 0

TsarBot Trojan Hits 750+ Banking & Crypto Apps!

A newly discovered Android banking Trojan, TsarBot, targets over 750 applications globally, including banking, finance, cryptocurrency, and e-commerce apps. It spreads through phishing sites masquerading as legitimate financial platforms and is installed via a dropper disguised as Google Play Servi…
phishing
android
credential theft
banking trojan
keylogging
sms interception
on-device fraud
2025-04-01
websocket
screen recording
tsarbot
overlay attack
Published: April 1, 2025
Downloadable IOCs: 0

YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware Attacks

Cybercriminals are targeting YouTube creators with a sophisticated malware campaign using the Clickflix technique. Attackers impersonate popular brands and offer fake collaboration opportunities to lure victims. The campaign employs spearphishing emails with malicious attachments and links to fake …
social engineering
spearphishing
powershell
cryptocurrency
lumma stealer
credential theft
youtube
2025-03-25
clickflix
Published: March 25, 2025
Downloadable IOCs: 5

SnakeKeylogger: Multistage Info Stealer Malware Analysis & Prevention

SnakeKeylogger is a highly active credential-stealing malware targeting individuals and businesses. It employs a multi-stage infection chain, starting with malicious spam emails containing .img files. The malware uses sophisticated techniques like process hollowing and obfuscation to evade detectio…
obfuscation
credential-theft
process-hollowing
multi-stage
snakekeylogger
info-stealer
2025-03-25
spam-email
apache-server
Published: March 25, 2025
Downloadable IOCs: 2

New Phishing Campaign Uses Browser-in-the-Browser Attacks to Target Video Gamers/Counter-Strike 2 Players

A sophisticated phishing campaign targeting Counter-Strike 2 players has been uncovered, employing browser-in-the-browser (BitB) attacks. The campaign aims to steal Steam accounts by creating convincing fake browser pop-ups that mimic legitimate login pages. The threat actors are abusing the identi…
phishing
credential theft
gaming
2025-03-25
steam
counter-strike 2
browser-in-the-browser
esports
Published: March 25, 2025
Downloadable IOCs: 8

Clickbait to Catastrophe: How a Fake Meta Email Leads to Password Plunder

A sophisticated phishing campaign targeting Meta Business accounts has been uncovered by the Cofense Phishing Defense Center. The attack begins with a fake Instagram alert claiming the user's ads are suspended due to policy violations. Victims are directed to a fraudulent page mimicking Meta's busi…
phishing
credential theft
meta
social media
two-factor authentication
instagram
2025-03-21
chat support
business accounts
Published: March 21, 2025
Linked vulnerabilities : CVE-2025-24071 (CVSS 7.5)
Downloadable IOCs: 5

StilachiRAT analysis: From system reconnaissance to cryptocurrency theft

Microsoft Incident Response researchers discovered a novel remote access trojan named StilachiRAT, demonstrating sophisticated evasion, persistence, and data exfiltration techniques. The malware collects extensive system information, targets cryptocurrency wallet extensions, steals browser credenti…
persistence
credential theft
cryptocurrency theft
command and control
remote access trojan
2025-03-17
stilachirat
system reconnaissance
anti-forensics
rdp monitoring
Published: March 17, 2025
Linked vulnerabilities : CVE-2023-36884
Downloadable IOCs: 2

SocGholish's Intrusion Techniques Facilitate Distribution of RansomHub Ransomware

SocGholish, a malware-as-a-service framework, is being used to deploy RansomHub ransomware. It compromises legitimate websites, redirecting visitors to fake browser updates that deliver malicious payloads. The highly obfuscated JavaScript loader evades detection and executes various tasks, includin…
backdoor
ransomware
javascript
socgholish
credential theft
ransomhub
compromised websites
2025-03-14
keitaro tds
Published: March 14, 2025
Downloadable IOCs: 0

Unmasking the new persistent attacks on Japan

An unknown attacker has been targeting organizations in Japan since January 2025, exploiting CVE-2024-4577, a remote code execution vulnerability in PHP-CGI on Windows. The attacker uses the Cobalt Strike kit 'TaoWu' for post-exploitation activities, including reconnaissance, privilege escalation, …
powershell
cobalt strike
persistence
credential theft
CVE-2024-4577
japan
2025-03-06
php-cgi
taowu
Published: March 6, 2025
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8)
Downloadable IOCs: 3

Confluence Exploit Leads to LockBit Ransomware

An intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server, leading to LockBit ransomware deployment across the environment. The threat actor utilized various tools including Mimikatz, Metasploit, and AnyDesk. They leveraged RDP for lateral movement and deplo…
ransomware
lockbit
exfiltration
credential theft
lateral movement
rdp
CVE-2023-22527
confluence
2025-02-24
Published: February 24, 2025
Linked vulnerabilities : CVE-2017-0199, CVE-2023-22515, CVE-2023-22527, CVE-2023-22518
Downloadable IOCs: 15

Lumma Stealer Malware Thrives as Unique Patterns Uncovered in the Infostealer's Domain Clusters

Recent research reveals Lumma Stealer command and control domain clusters share specific technical characteristics, enabling mapping of entire infrastructure clusters. The infostealer's logs are being shared for free on Leaky[.]pro, a new hacking forum, offering billions of stolen credential record…
malvertising
infostealer
lumma stealer
credential theft
youtube
malspam
sectoprat
c2 infrastructure
2025-02-22
domain clusters
Published: February 22, 2025
Downloadable IOCs: 0

Evolving Snake Keylogger Variant

A new variant of Snake Keylogger, identified as AutoIt/Injector.GTY!tr, has been detected by FortiSandbox v5.0. This malware has attempted over 280 million infections, primarily targeting China, Turkey, Indonesia, Taiwan, and Spain. Snake Keylogger steals sensitive information from popular web brow…
credential theft
autoit
keylogging
snake keylogger
process hollowing
2025-02-20
fortisandbox
ai detection
404 keylogger
paix
Published: February 20, 2025
Downloadable IOCs: 3

Amazon Phish Hunts for Security Answers and Payment Information

A phishing scheme targeting Amazon Prime users has been identified, aiming to steal login credentials, verification information, and payment data. The attack begins with a spoofed email claiming the user's payment method has expired. Clicking the update button redirects to a fake Amazon security al…
phishing
social engineering
credential theft
email spoofing
2025-02-18
payment fraud
fake login page
amazon prime
Published: February 18, 2025
Downloadable IOCs: 3

Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency

A new malware called Zhong Stealer has been identified targeting the cryptocurrency and fintech sectors through a phishing campaign. The attackers exploited chat support platforms, posing as customers to trick agents into downloading the malware. Zhong Stealer's execution flow involves multiple sta…
phishing
cryptocurrency
persistence
credential theft
data exfiltration
fintech
2025-02-18
zhong stealer
Published: February 18, 2025
Downloadable IOCs: 5

Don't Ghost the SocGholish: GhostWeaver Backdoor

The article details a sophisticated malware infection chain involving SocGholish, MintsLoader, and the GhostWeaver backdoor. The attack begins with a fake browser update, progressing through multiple stages to deploy a PowerShell backdoor and various plugins. These components work together to steal…
backdoor
powershell
cryptocurrency
socgholish
credential theft
boinc
fakeupdates
netsupport rat
mintsloader
2025-02-17
web injection
ghostweaver
juniper stealer
Published: February 17, 2025
Downloadable IOCs: 14

FinStealer

A sophisticated malware campaign exploits a leading Indian bank's brand through fraudulent mobile applications. Distributed via phishing links and social engineering, these fake apps mimic legitimate bank apps, tricking users into revealing sensitive information. The malware uses advanced evasion t…
sql injection
phishing
android
credential theft
banking
telegram
mobile
c2 servers
xor encryption
2025-02-17
finstealer
trojan.rewardsteal/joxpk
CVE-2011-2688
Published: February 17, 2025
Linked vulnerabilities : CVE-2011-2688
Downloadable IOCs: 5

The BadPilot campaign: Multiyear global access operation

A Russian state actor subgroup within Seashell Blizzard has conducted a global access operation called the BadPilot campaign since 2021. The group exploits vulnerabilities in Internet-facing infrastructure to gain persistent access to high-value targets across various sectors worldwide. Their tacti…
persistence
credential theft
CVE-2024-1709
CVE-2021-34473
vulnerability exploitation
CVE-2023-42793
CVE-2023-48788
initial access
2025-02-12
CVE-2023-23397
CVE-2023-32315
badpilot
russian state actor
global operation
localolive
CVE-2022-41352
remote management
shadowlink
Published: February 12, 2025
Downloadable IOCs: 0

ClickFix Scam Exposed! Protect Your Data Before It's Too Late

Cybercriminals are exploiting DeepSeek's popularity to launch ClickFix phishing campaigns, tricking users into clicking fake CAPTCHA links that steal credentials and install malware like Vidar and Lumma Stealer. These attacks impersonate DeepSeek's branding to appear legitimate and bypass security …
phishing
social engineering
lumma stealer
credential theft
vidar stealer
clickfix
captcha
deepseek
2025-02-11
Published: February 11, 2025
Downloadable IOCs: 7

Fake DeepSeek Sites Used for Credential Phishing, Crypto Theft, Scams

Researchers have identified numerous fake DeepSeek websites being used for malicious purposes, including credential phishing, cryptocurrency theft, and various scams. Over 50 active sites and thousands of potentially malicious domains have been observed. These fake sites range from obvious imitatio…
phishing
cryptocurrency
credential theft
scams
2025-02-06
deepseek
qr code scams
wallet drainers
fake websites
Published: February 6, 2025
Downloadable IOCs: 0

When Data Tools Become Dangerous: MS Power BI Links Used in Phishing Campaigns

A sophisticated phishing campaign has been detected that exploits trusted platforms like SharePoint and Power BI to steal user credentials. The scheme uses a seemingly legitimate SharePoint link in an email, which leads to a Power BI report. Users are then prompted to click 'Open Document', redirec…
phishing
social engineering
credential theft
email spoofing
sharepoint
2025-02-06
power bi
microsoft impersonation
Published: February 6, 2025
Downloadable IOCs: 0

Scalable Vector Graphics files pose a novel phishing threat

Cybercriminals are exploiting the SVG file format to conduct phishing attacks that bypass existing anti-spam and anti-phishing protection. These attacks involve email messages with .svg file attachments, which open in the default browser on Windows computers. The SVG files contain anchor tags and s…
phishing
social engineering
credential theft
evasion techniques
2025-02-05
nymeria
file format abuse
svg
browser-based attacks
troj/autoit-dhb
email attachments
Published: February 5, 2025
Downloadable IOCs: 0

Blast from the Past

A large-scale campaign targeting Russian organizations across various industries has been detected. The attackers are using NOVA stealer, a commercial fork of SnakeLogger, distributed via phishing emails disguised as contract archives. NOVA, marketed as Malware-as-a-Service, is capable of stealing …
phishing
stealer
persistence
credential theft
data exfiltration
russian
maas
nova
snakelogger
2025-02-05
organizations
Published: February 5, 2025
Downloadable IOCs: 1

APT Targets NetEase 163.com Users with Fake Download Pages & Spoofed Domains

The GreenSpot Advanced Persistent Threat group, operating from Taiwan since 2007, is targeting users of NetEase's 163.com email service. The group employs sophisticated phishing techniques, including spoofed domains and fake download pages, to steal login credentials. Researchers identified domains…
apt
phishing
credential theft
taiwan
spoofed domains
2025-02-05
fake download pages
163.com
netease
Published: February 5, 2025
Downloadable IOCs: 9

Stealers on the Rise: A Closer Look at a Growing macOS Threat

This analysis examines the increasing prevalence of macOS infostealers, focusing on three prominent threats: Atomic Stealer, Poseidon Stealer, and Cthulhu Stealer. These malware variants target sensitive information, including financial details, credentials, and intellectual property. The article d…
infostealer
macos
credential theft
data exfiltration
atomic stealer
cthulhu stealer
applescript
2025-02-04
poseidon stealer
Published: February 4, 2025
Downloadable IOCs: 26

NOVA: blast from the past

A large-scale campaign targeting Russian organizations across various industries has been uncovered. The attackers are using NOVA stealer, a commercial fork of SnakeLogger, distributed via phishing emails disguised as contract archives. NOVA, marketed under the Malware-as-a-Service model, steals cr…
phishing
credential-theft
stealer
persistence
maas
nova
2025-02-04
snakelogger
Published: February 4, 2025
Downloadable IOCs: 1

Microsoft advertisers phished via malicious Google ads

Malicious actors are targeting Microsoft advertisers through fraudulent Google ads, aiming to steal login credentials for Microsoft's advertising platform. The campaign involves sophisticated techniques like cloaking, Cloudflare challenges, and redirection chains to evade detection. Phishing pages …
phishing
credential theft
google ads
2025-01-31
Published: January 31, 2025
Downloadable IOCs: 101

Threat Actors Exploit Government Website Vulnerabilities for Phishing Campaigns

Threat actors are exploiting vulnerabilities in government websites, particularly .gov domains, to conduct phishing campaigns. The abuse primarily involves using open redirects to bypass secure email gateways and lead victims to credential phishing pages. A significant portion of these exploits may…
phishing
credential theft
email security
2025-01-29
stormkitty
agent tesla keylogger
CVE-2024-25608
open redirects
.gov domains
liferay
government websites
Published: January 29, 2025
Linked vulnerabilities : CVE-2024-25608
Downloadable IOCs: 4

Analysis of Interlock Ransomware Attack on Healthcare Facilities

The Interlock ransomware group has been actively targeting healthcare facilities in the United States, causing significant disruptions and exposing sensitive patient data. The attacks involve drive-by compromise techniques, using fake software updaters to deploy malware. The group employs double-ex…
ransomware
credential theft
healthcare
lateral movement
data exfiltration
double-extortion
interlock
2025-01-28
drive-by compromise
Published: January 28, 2025
Downloadable IOCs: 0

Hidden in Plain Sight: PDF Mishing Attack

A sophisticated phishing campaign targeting mobile devices has been discovered, impersonating the United States Postal Service (USPS). The campaign uses a novel obfuscation technique in PDF files to hide malicious links, making detection difficult for many security solutions. The attack exploits us…
phishing
credential theft
pdf
2025-01-27
Published: January 27, 2025
Downloadable IOCs: 654

New Star Blizzard spear-phishing campaign targets WhatsApp accounts

Star Blizzard, a Russian threat actor, has launched a new spear-phishing campaign targeting WhatsApp accounts. The campaign, observed in mid-November 2024, marks a shift in the actor's tactics. Targets include government officials, diplomats, and researchers focused on Russia-related topics. The at…
social engineering
whatsapp
credential theft
government targets
spear-phishing
2025-01-17
diplomacy targets
qr code
russian threat actor
Published: January 17, 2025
Downloadable IOCs: 2

Chinese Malware Delivery Websites

A cluster of over 400 domains have been registered since June 2024 to host spoofed websites delivering malware to Chinese-speaking users. The sites imitate popular applications like web browsers, VPNs, messaging apps, and crypto wallets. Identified malware includes Gh0stRAT, ValleyRAT, RemKos RAT, …
apt
credential theft
redline
gh0strat
valleyrat
lummastealer
malware delivery
2025-01-16
farfli
remote access trojans
chinese-speaking users
remkos rat
spoofed websites
hack-for-hire
Published: January 16, 2025
Downloadable IOCs: 526

Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation

A new zero-day vulnerability, CVE-2025-0282, in Ivanti Connect Secure VPN appliances has been exploited since mid-December 2024. The vulnerability allows unauthenticated remote code execution. Attackers have deployed multiple malware families, including SPAWN, DRYHOOK, and PHASEJAM, to maintain per…
credential theft
ivanti
vpn
2025-01-09
phasejam
dryhook
spawnsloth
spawnant
Published: January 9, 2025
Linked vulnerabilities : CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2024-21887, CVE-2023-46805
Downloadable IOCs: 7

Araneida Scanner: Cracked Acunetix Web App & API Scanner Discovered

Silent Push Threat Analysts have uncovered the Araneida Scanner, a cracked version of Acunetix being used for illegal purposes. The scanner is employed for offensive reconnaissance, user data scraping, and vulnerability exploitation. It was detected during a partner's reconnaissance effort, prompti…
credential theft
reconnaissance
telegram
2024-12-20
araneida scanner
web vulnerability
data scraping
cracked acunetix
Published: December 20, 2024
Downloadable IOCs: 13

Attackers exploiting a FortiClient EMS vulnerability in the wild

Kaspersky's GERT team identified an attack exploiting a patched vulnerability (CVE-2023-48788) in FortiClient EMS versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2. The attackers used SQL injection to infiltrate a company's network through an exposed Windows server. They deployed remote access tools like…
screenconnect
sql injection
forticlient ems
anydesk
credential theft
remote access
lateral movement
mimikatz
CVE-2023-48788
2024-12-19
Published: December 19, 2024
Downloadable IOCs: 0

Inside the incident: Uncovering an advanced phishing attack

A sophisticated phishing campaign targeted a U.K.-based insurance company, using a compromised CEO's email account from a major shipping company. The attack involved a malicious PDF link hosted on AWS, leading to a fake Microsoft authentication page. The threat actor employed tactics like deletion …
phishing
social engineering
credential theft
2024-12-11
account takeover
email security
Published: December 11, 2024
Downloadable IOCs: 4

Analyzing threat actor Kimsuky email phishing campaign

The report provides an in-depth analysis of the email phishing campaigns conducted by the Kimsuky threat actor group. It highlights their tactics of using diverse themes and subjects to pique the curiosity of recipients, targeting researchers and individuals related to North Korean affairs in an at…
phishing
north korea
impersonation
credential theft
2024-12-04
malwareless
Published: December 4, 2024
Downloadable IOCs: 24

SmokeLoader picks up ancient MS Office bugs to pack fresh credential stealer

Threat actors are exploiting old Microsoft Office vulnerabilities using SmokeLoader, a modular malware loader, to steal browser credentials. The campaign targets manufacturing, healthcare, and IT companies in Taiwan, utilizing CVE-2017-0199 and CVE-2017-11882 to execute remote code and deploy malic…
phishing
plugins
credential theft
smokeloader
CVE-2017-0199
CVE-2017-11882
taiwan
modular malware
2024-12-03
microsoft office
vulnerabilities
andeloader
Published: December 3, 2024
Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199
Downloadable IOCs: 28

Threat Assessment: Distributors of BlackSuit Ransomware

Ignoble Scorpius, previously known as Royal ransomware, has rebranded as BlackSuit ransomware and increased its activity since March 2024. The group has targeted at least 93 victims globally, with a focus on the construction and manufacturing industries. Their initial ransom demands average 1.6% of…
ransomware
extortion
cobalt strike
credential theft
gootloader
lateral movement
mimikatz
data exfiltration
blacksuit
systembc
supply chain attack
2024-11-20
nanodump
Published: November 20, 2024
Downloadable IOCs: 2

Spot the Difference: New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella

Earth Kasha, a threat group targeting Japan since 2019, has launched a new campaign with significant updates to their tactics and arsenals. The group has expanded its targets to include Taiwan and India, focusing on advanced technology organizations and government agencies. They now exploit public-…
backdoor
apt
cobalt strike
credential theft
lodeinfo
noopdoor
CVE-2023-27997
china-nexus
2024-11-19
mirrorstealer
CVE-2023-45727
CVE-2023-28461
Published: November 19, 2024
Linked vulnerabilities : CVE-2023-3519, CVE-2023-27997, CVE-2023-45727, CVE-2023-28461, CVE-2013-3900, CVE-2023-3467, CVE-2023-3466
Downloadable IOCs: 7

Chinese hackers exploit Fortinet VPN zero-day to steal credentials

Chinese threat actors, known as BrazenBamboo, are exploiting a zero-day vulnerability in Fortinet's FortiClient Windows VPN client to steal credentials. The hackers use a custom post-exploitation toolkit called DeepData, which includes a FortiClient plugin to extract usernames, passwords, and VPN s…
espionage
lightspy
zero-day
credential theft
vpn
post-exploitation
chinese hackers
2024-11-18
deeppost
deepdata
forticlient
Published: November 18, 2024
Downloadable IOCs: 0

Fake AI video generators infect Windows, macOS with infostealers

Threat actors are using fake AI image and video generators to distribute Lumma Stealer and AMOS information-stealing malware on Windows and macOS. These malicious programs masquerade as an AI application called EditProAI, targeting users through search results and social media advertisements. The m…
social engineering
windows
infostealer
macos
lumma stealer
credential theft
ai
2024-11-16
deepfake
Published: November 16, 2024
Downloadable IOCs: 0

Weaponizing FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA

A Chinese state-affiliated threat actor, BrazenBamboo, has exploited a zero-day vulnerability in Fortinet's Windows VPN client to steal user credentials. The vulnerability allows extraction of login information from the FortiClient process memory. BrazenBamboo uses two malware families: DEEPDATA, a…
lightspy
zero-day
credential theft
vpn
post-exploitation
chinese threat actor
2024-11-16
deeppost
deepdata
forticlient
Published: November 16, 2024
Downloadable IOCs: 0

Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest Exploitation Wave

The Androxgh0st botnet, active since January 2024, has evolved to incorporate Mozi botnet payloads, expanding its attack surface from web servers to IoT devices. It exploits vulnerabilities in various platforms, including Cisco ASA, Atlassian JIRA, and PHP frameworks, utilizing remote code executio…
iot
botnet
credential theft
CVE-2024-4577
vulnerability exploitation
CVE-2018-10562
CVE-2018-10561
androxgh0st
remote code execution
routers
CVE-2022-1040
mozi
CVE-2022-21587
CVE-2024-36401
CVE-2021-41277
CVE-2023-1389
CVE-2021-26086
CVE-2014-2120
2024-11-12
web servers
persistent access
Published: November 12, 2024
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8), CVE-2021-41773, CVE-2018-15133, CVE-2017-9841, CVE-2022-1040, CVE-2021-41277, CVE-2018-10562, CVE-2014-2120, CVE-2021-26086, CVE-2024-36401, CVE-2022-21587, CVE-2018-10561, CVE-2023-1389
Downloadable IOCs: 10

Malware Steals Account Credentials

A malicious script targeting e-commerce sites, particularly Magento, has been discovered. The script, found in the dataPost.js file, is heavily obfuscated and designed to steal customer account credentials and admin login details. It waits for login actions to trigger, then scrapes data entered int…
obfuscation
credential theft
magento
e-commerce
2024-11-09
account hijacking
admin access
Published: November 9, 2024
Downloadable IOCs: 0

InfoStealer Malware Attacking Meta Business Page To Steal Logins

A sophisticated malvertising campaign is distributing the SYS01 infostealer malware through Meta's advertising platform. The attackers impersonate trusted brands and popular software, targeting primarily senior male demographics. The malware, designed to steal personal data and credentials, is dist…
malvertising
powershell
infostealer
persistence
electron
credential theft
sys01
meta
social media
2024-11-04
Published: November 4, 2024
Downloadable IOCs: 26

Booking.com Phishers May Leave You With Reservations

A recent spear-phishing campaign targeted a California hotel after its Booking.com credentials were stolen. The scam involved sending targeted messages within the Booking mobile app, claiming additional information was required for anti-fraud purposes. Booking.com confirmed a security incident affe…
phishing
credential theft
cybercrime
2024-11-02
2fa
hospitality
booking.com
travel
Published: November 2, 2024
Downloadable IOCs: 0

Suspected DPRK Phishing Campaign Targets Naver; Separate Apple Domain Spoofing Cluster Identified

Researchers discovered a potential North Korean phishing campaign targeting Naver, a major South Korean tech platform. The investigation revealed an exposed directory containing phishing pages designed to steal Naver user credentials. Separately, an infrastructure cluster was identified using domai…
phishing
apple
credential theft
dprk
infrastructure analysis
domain spoofing
2024-10-30
naver
tls certificates
Published: October 30, 2024
Downloadable IOCs: 0

More Than Just a Corporate Wiki? How Threat Actors are Exploiting Confluence

Threat actors are increasingly using legitimate third-party business software to evade detection and maintain deception. Atlassian's Confluence is being exploited to host malicious content, leveraging its trusted domain status. The attack involves an email with an Excel attachment containing a Docu…
phishing
social engineering
credential theft
microsoft
domain abuse
2024-10-30
atlassian
docusign
confluence
Published: October 30, 2024
Downloadable IOCs: 2

Unauthorized RDP Connections For Cyberespionage Operations

Cyble Research and Intelligence Labs uncovered an ongoing cyberattack campaign utilizing malicious LNK files to gain unauthorized Remote Desktop access on compromised systems. The sophisticated multi-stage attack chain employs PowerShell and BAT scripts to evade detection, create administrative acc…
powershell
persistence
credential theft
cyberespionage
rdp
multi-stage attack
uac bypass
2024-10-26
bat scripts
chromepass
Published: October 26, 2024
Downloadable IOCs: 0

Unmasking Prometei: A Deep Dive Into MXDR Findings

This analysis examines the Prometei botnet's infiltration of a customer's system through a targeted brute force attack. Leveraging Trend Vision One, the investigation traced the botnet's detailed installation routine and stealthy tactics. Prometei, a modular malware family used for cryptocurrency m…
botnet
credential theft
lateral movement
dga
web shell
tor
cryptocurrency mining
2024-10-23
prometei
CVE-2021-27065
CVE-2021-26858
CVE-2019-0708
Published: October 23, 2024
Downloadable IOCs: 0

Grandoreiro banking trojan: overview of recent versions and new tricks

Grandoreiro is a Brazilian banking trojan that has evolved into a global financial threat, targeting over 1,700 banks and 276 crypto wallets in 45 countries. Despite law enforcement efforts, the malware remains active, with new versions featuring enhanced evasion techniques like multiple Domain Gen…
credential theft
remote access
grandoreiro
banking trojan
brazil
evasion techniques
2024-10-22
financial malware
global threat
Published: October 22, 2024
Downloadable IOCs: 0

Over 10 Million Personal And Corporate Devices Infected By Information Stealers

A significant increase in data-stealing malware infections has been observed, with nearly 10 million devices compromised in 2023, marking a 643% rise over three years. Cybercriminals are using sophisticated distribution methods, including malvertising and YouTube comment spam. On average, 50.9 logi…
data theft
credential theft
redline
cybercrime
vidar
malware-as-a-service
lumma
amos
information stealers
2024-10-22
raccoon
vidar/acr
kral stealer
Published: October 22, 2024
Downloadable IOCs: 0

Stealers on the rise: Kral, AMOS, Vidar and ACR

This intelligence report analyzes the increasing prevalence of information stealers, focusing on Kral, AMOS, Vidar, and ACR. Kral, delivered by its downloader, targets cryptocurrency wallets and browser data. AMOS, a macOS stealer, spreads through malvertising impersonating Homebrew. Vidar distribu…
cryptocurrency
macos
credential theft
vidar
data exfiltration
amos
aurora
2024-10-21
dll hijacking
information stealers
kral
penguish
acr
Published: October 21, 2024
Downloadable IOCs: 0

LemonDuck Unleashes Cryptomining Attacks Through SMB Service Exploits

This report details the tactics and techniques employed by the LemonDuck cryptomining malware, which exploits the SMB service by leveraging the EternalBlue vulnerability (CVE-2017-0144). After gaining initial access through brute-force attacks, the malware creates malicious files, disables security…
persistence
malicious scripts
credential theft
cryptomining
CVE-2017-0144
lemonduck
2024-10-14
network manipulation
Published: October 14, 2024
Linked vulnerabilities : CVE-2017-0144, CVE-2023-46865
Downloadable IOCs: 8

Advanced Cyberattacks Against UAE and Gulf Regions

Earth Simnavaz, also known as APT34 and OilRig, has been actively targeting governmental entities in the UAE and Gulf region. The group employs sophisticated tactics, including a backdoor that exploits Microsoft Exchange servers for credential theft and the use of CVE-2024-30088 for privilege escal…
cyber espionage
credential theft
oilrig
CVE-2024-30088
privilege escalation
microsoft exchange
2024-10-14
apt34
stealhook
iis malware
gulf region
uae
Published: October 14, 2024
Linked vulnerabilities : CVE-2024-30088 (CVSS 7.0)
Downloadable IOCs: 17

Threat actor believed to be spreading new MedusaLocker variant since 2022

A financially motivated threat actor has been active since 2022, delivering a MedusaLocker ransomware variant called 'BabyLockerKZ'. The group targets organizations worldwide, with a focus shift from EU countries to South American countries in mid-2023. The actor uses a combination of publicly know…
iab
ransomware
credential theft
lateral movement
financially motivated
2024-10-04
babylockerkz
medusalocker
Published: October 4, 2024
Downloadable IOCs: 11

Iranian Cyber Actors Targeting Personal Accounts to Support Operations

Cyber actors working for Iran's Islamic Revolutionary Guard Corps (IRGC) are targeting individuals connected to Iranian and Middle Eastern affairs, including government officials, think tank personnel, journalists, activists, and lobbyists. They use social engineering techniques, impersonating cont…
phishing
social engineering
impersonation
iran
credential theft
2024-09-30
two-factor authentication
political campaigns
Published: September 30, 2024
Downloadable IOCs: 65

Storm-0501: Ransomware attacks expanding to hybrid cloud environments

Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
backdoor
ransomware
credential-theft
cobalt strike
rclone
impacket
data-exfiltration
lateral-movement
2024-09-30
CVE-2022-47966
CVE-2023-4966
hybrid-cloud
embargo
aadinternals
CVE-2023-38203
CVE-2023-29300
Published: September 30, 2024
Linked vulnerabilities : CVE-2023-4966, CVE-2023-38203, CVE-2023-29300, CVE-2022-47966
Downloadable IOCs: 14

Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper Dz

Unit42 explores Sniper Dz, a popular phishing-as-a-service (PhaaS) platform targeting social media and online services. Over 140,000 phishing websites associated with Sniper Dz were identified in the past year. The platform offers an admin panel with phishing page catalogs, allowing users to host o…
phishing
phaas
credential theft
2024-09-25
victim tracking
sniper dz
Published: September 25, 2024
Downloadable IOCs: 7

Phishing Pages Delivered Through Refresh HTTP Response Header

Unit 42 researchers observed large-scale phishing campaigns in 2024 using a refresh entry in the HTTP response header. This technique, unlike traditional HTML-based phishing, occurs before HTML content processing and automatically refreshes webpages without user interaction. Attackers distribute ma…
phishing
credential theft
2024-09-18
http header
business email compromise
Published: September 18, 2024
Downloadable IOCs: 7

Phishing Via Typosquatting and Brand Impersonation: Trends and Tactics

From February to July 2024, an analysis of over 500 popular domains revealed more than 10,000 malicious lookalike domains employing typosquatting and brand impersonation techniques. Google, Microsoft, and Amazon were the most targeted brands, accounting for nearly 75% of phishing domains. Almost ha…
phishing
typosquatting
credential theft
scams
domain abuse
2024-09-12
brand impersonation
certificate abuse
Published: September 12, 2024
Downloadable IOCs: 10

BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar

BlindEagle, an advanced persistent threat actor, has been observed targeting the Colombian insurance sector using the BlotchyQuasar Remote Access Trojan. The attack chain begins with phishing emails impersonating the Colombian tax authority, containing links to malware hosted on compromised Google …
phishing
remcosrat
asyncrat
credential theft
banking trojan
quasarrat
2024-09-05
blotchyquasar
Published: September 5, 2024
Downloadable IOCs: 16

Deep Analysis of Snake Keylogger’s New Variant

FortiGuard Labs recently caught a phishing campaign delivering a new variant of Snake Keylogger, a keylogger malware that can steal sensitive data like saved credentials, keystrokes, and screenshots. The analysis examines the phishing email, malicious Excel document, and techniques used by the malw…
phishing
persistence
credential theft
CVE-2017-0199
keylogger
2024-08-30
process injection
snake keylogger
Published: August 30, 2024
Linked vulnerabilities : CVE-2017-0199
Downloadable IOCs: 8

Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations

This advisory outlines the activities of an Iran-based cyber threat group that has conducted numerous intrusions against organizations in the United States and other countries since 2017, with the goal of obtaining network access to facilitate ransomware attacks. The group, known by various names s…
ransomware
state-sponsored
credential-theft
blackcat
alphv
CVE-2024-3400
iran
CVE-2024-21887
CVE-2024-24919
noberus
2024-08-28
webshells
CVE-2022-1388
CVE-2023-3519
noescape
ransomhouse
CVE-2019-19781
Published: August 28, 2024
Downloadable IOCs: 33

Iranian backed group steps up phishing campaigns against Israel, U.S.

An Iranian government-backed threat group known as APT42 has significantly intensified its phishing campaigns targeting high-profile individuals in Israel and the United States over the past six months. The group, associated with Iran's Islamic Revolutionary Guard Corps, has focused on current and …
phishing
social engineering
iran
credential theft
2024-08-26
election targeting
ycollection
lcollection
dwp
gcollection
Published: August 26, 2024
Downloadable IOCs: 38

Ailurophile: G DATA has sighted a new info stealer in the wild

G DATA has detected a novel information-stealing malware, dubbed 'Ailurophile Stealer'. It is a PHP-based stealer offered through a subscription model on its dedicated website. Customers utilize a web panel to generate customized malware variants, specifying features such as the malware name, icon,…
infostealer
stealer
exfiltration
credential theft
2024-08-19
cryptocurrency theft
ailurophile stealer
Published: August 19, 2024
Downloadable IOCs: 2

CheckMesh: Hidden Threats in Your FW

This report examines an advanced cyber-attack targeting an Israeli enterprise, where a sophisticated threat actor compromised a Check Point firewall by deploying a malicious ELF implant known as MeshAgent. The implant, disguised as a legitimate process, enabled encrypted communication with the atta…
credential theft
lateral movement
2024-08-05
meshagent
encrypted communication
advanced persistent threat
firewall compromise
Published: August 5, 2024
Downloadable IOCs: 9

Likely compromise of Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

A government-affiliated Taiwanese research institute specializing in computing technologies experienced a cyber intrusion likely carried out by the Chinese hacking group APT41. The attackers employed ShadowPad malware, Cobalt Strike, and custom tools, exploiting vulnerabilities like CVE-2018-0824 f…
apt
cobalt strike
credential theft
cobaltstrike
shadowpad
data exfiltration
2024-08-02
poisonplug.shadow
CVE-2018-0824
unmarshalpwn
Published: August 2, 2024
Linked vulnerabilities : CVE-2018-0824
Downloadable IOCs: 13

Social Media Malvertising Campaign Promotes Fake AI Editor Website for Credential Theft

An examination of how threat actors hijack social media pages, rename them to resemble legitimate AI photo editors, and post malicious links to fake websites promoted through paid ads. The links trick users into installing endpoint management software, allowing the execution of credential stealers …
phishing
credential theft
lumma
2024-08-01
Published: August 1, 2024
Downloadable IOCs: 73

Who You Gonna Call? AndroxGh0st Busters!

This report discusses the AndroxGh0st malware, a Python-scripted threat targeting Laravel web applications to steal sensitive data like credentials and abuse other functionality. It exploits vulnerabilities like CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773. The malware scans for exposed .env f…
python
botnet
credential theft
2024-07-17
androxgh0st
CVE-2021-41773
rce exploitation
CVE-2017-9841
web exploitation
CVE-2018-15133
Published: July 17, 2024
Linked vulnerabilities : CVE-2021-41773, CVE-2018-15133, CVE-2017-9841
Downloadable IOCs: 7

The Hidden Danger of PDF Files with Embedded QR Codes

The report describes how malware authors are abusing PDF files with embedded QR codes to deceive users into visiting malicious phishing URLs disguised as legitimate services. The QR codes redirect users to fake Microsoft login pages designed to harvest credentials and potentially gain unauthorized …
phishing
credential theft
2024-07-05
pdf files
qr codes
malicious urls
Published: July 5, 2024
Downloadable IOCs: 1

Mekotio Banking Trojan Threatens Financial Systems in Latin America

The Mekotio banking trojan, active since 2015, primarily targets Latin American countries to steal sensitive banking credentials through phishing emails containing malicious links or attachments. Upon execution, it gathers system information, connects to a command-and-control server, and performs c…
credential theft
banking trojan
2024-07-04
mekotio
Published: July 4, 2024
Downloadable IOCs: 15

ONNX Store: Phishing-as-a-Service Platform Targeting Financial Institution

This intelligence report analyzes the ONNX Store, a phishing-as-a-service platform targeting financial institutions through embedded QR codes in PDF attachments redirecting victims to phishing sites. The report details the platform's features, including two-factor authentication bypass, realistic M…
phishing
credential theft
cybercrime
2024-07-02
onnx store
qrcode
caffeine
fintech
Published: July 2, 2024
Downloadable IOCs: 25

Kimsuky Deploys TRANSLATEXT Chrome Extension

In March 2024, the cybersecurity firm Zscaler observed a new activity from Kimsuky, a North Korean state-sponsored hacker group. They employed a malicious Google Chrome extension named 'TRANSLATEXT' specifically crafted to steal email addresses, usernames, passwords, cookies, and capture browser sc…
malware
north korea
cyber espionage
credential theft
2024-06-28
chrome extension
Published: June 28, 2024
Downloadable IOCs: 10

Sustained Campaign Using Chinese Espionage Tools Targets Telcos

Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
backdoor
espionage
credential theft
keylogger
2024-06-20
coolclient
quickheal
rainyday
telecommunications
responder
Published: June 20, 2024
Downloadable IOCs: 47

Analysis of Attack Case Installing VPN on Korean ERP Server

This analysis examines an attack where a threat actor compromised a Korean company's ERP server, initially accessing it through a poorly secured MS-SQL service. The actor installed a web shell, stole credentials, and ultimately set up SoftEther VPN on the server, likely to use it as part of a comma…
sql injection
credential theft
remote access
2024-06-17
vpn
erp
softether vpn
Published: June 17, 2024
Downloadable IOCs: 11

Phishing with Cloudflare Workers: Transparent Phishing and HTML Smuggling

Netskope Threat Labs has been tracking an increase in phishing campaigns hosted on Cloudflare Workers. The campaigns use techniques like HTML smuggling and transparent phishing to evade detections. The phishing pages target Microsoft and Google credentials. Netskope recommends inspecting web traffi…
phishing
credential theft
2024-05-28
html smuggling
cloudflare workers
Published: May 28, 2024
Downloadable IOCs: 134

New Campaigns from Scattered Spider

Scattered Spider, a financially motivated threat actor group, has been conducting aggressive phishing campaigns targeting various industries, particularly the finance and insurance sectors. Their tactics involve creating convincing lookalike domains and login pages to lure victims into revealing cr…
phishing
social engineering
2024-05-05
2024-05-06
2024-05-07
2024-05-08
credential theft
telecom targeting
lookalike domains
2024-05-09
2024-05-10
Published: May 10, 2024
Linked vulnerabilities : CVE-2024-22024
Downloadable IOCs: 118

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Four

This comprehensive analysis provides a thorough examination of the REMCOS Remote Access Trojan (RAT), a prominent malware threat that gained significant prevalence in 2024. The analysis delves into the malware's configuration structure, command and control capabilities, persistence mechanisms, and …
rat
evasion
persistence
remcos
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
credential theft
remote access
2024-05-09
Published: May 9, 2024
Downloadable IOCs: 34
Click here to see more Attack Reports