Tag: CVE-2023-38831

7 Attack Reports | 0 Vulnerabilities

Attack reports

How NTLM is being abused in 2025 cyberattacks

NTLM, a legacy authentication protocol, remains prevalent in Windows environments despite known vulnerabilities. Threat actors continue to exploit both old and newly discovered flaws in NTLM for credential theft, privilege escalation, and lateral movement. Recent vulnerabilities like CVE-2024-43451…
apt
windows
credential theft
lateral movement
exploits
CVE-2023-38831
authentication
phantomcore
remcos rat
CVE-2024-43451
ntlm
vulnerabilities
CVE-2025-24054
CVE-2025-24071
CVE-2025-33073
2025-11-26
warzone
avemaria
Published: November 26, 2025
Linked vulnerabilities : CVE-2024-43451 (CVSS 6.5), CVE-2025-24054 (CVSS 6.5), CVE-2025-24071 (CVSS 7.5), CVE-2023-38831, CVE-2025-33073 (CVSS 8.8)
Downloadable IOCs: 4

Head Mare and Twelve: Joint attacks on Russian entities

Head Mare and Twelve, two hacktivist groups, have launched joint attacks on Russian companies. Head Mare has expanded its toolkit, now using tools previously associated only with Twelve, such as the CobInt backdoor. The attackers gained initial access through phishing emails and compromised contrac…
ransomware
lockbit
hacktivism
CVE-2021-26855
CVE-2023-38831
babuk
lockbit 3.0
cobint
infrastructure sharing
2025-03-13
phantomjitter
Published: March 13, 2025
Downloadable IOCs: 0

Russian State Actors: Development in Group Attributions

This analysis explores the evolution of Russian state-backed cyber actors and their operations. It highlights the activities of several prominent groups, including UNC2589, APT44 (Sandworm), APT29, and APT28. These actors, associated with various Russian intelligence agencies, have been involved in…
espionage
apt28
CVE-2023-0669
CVE-2023-38831
whispergate
unc2589
apt29
CVE-2023-34362
fsb
apt44
gru
2025-03-08
turla
sabotage
svr
Published: March 8, 2025
Downloadable IOCs: 0

"Breach Report" from UAC-0099 (CERT-UA#12463)

The Ukrainian CERT-UA investigated cyberattacks by UAC-0099 against government organizations during November-December 2024. The attacks involved emails with malicious attachments, including exploits for CVE-2023-38831. The LONEPAGE program, used for command execution, has evolved to use encrypted f…
powershell
CVE-2023-38831
cloudflare
winrar
lnk files
2024-12-18
lonepage program
Published: December 18, 2024
Downloadable IOCs: 25

Intensifies Attacks On Russia With PhantomCore

The Head Mare hacktivist group has escalated its campaign against Russian targets using the PhantomCore backdoor. The group employs deceptive ZIP archives containing malicious LNK files and executables disguised as archive files to deploy PhantomCore. This C++-compiled backdoor, which replaces earl…
backdoor
apt
ransomware
russia
lockbit
CVE-2023-38831
babuk
phantomcore
2024-12-11
hacktivist
boost.beast
Published: December 11, 2024
Linked vulnerabilities : CVE-2023-38831
Downloadable IOCs: 31

Head Mare: adventures of a unicorn in Russia and Belarus

Head Mare is a hacktivist group targeting companies in Russia and Belarus since 2023. They use phishing campaigns exploiting the CVE-2023-38831 vulnerability in WinRAR for initial access. Their toolkit includes custom malware like PhantomDL and PhantomCore, as well as publicly available tools like …
phishing
ransomware
russia
belarus
lockbit
CVE-2023-38831
2024-09-02
babuk
vasa locker
phantomdl
phantomcore
babyk
hacktivists
Published: September 2, 2024
Linked vulnerabilities : CVE-2023-38831
Downloadable IOCs: 52

Disrupting FlyingYeti's campaign targeting Ukraine

This report details Cloudforce One's real-time effort to detect, deny, degrade, disrupt, and delay a phishing campaign by the Russia-aligned threat actor FlyingYeti targeting Ukraine. The campaign aimed to capitalize on anxiety over potential loss of housing and utilities by enticing targets to ope…
malware
phishing
russia
ukraine
2024-05-31
CVE-2023-38831
cookbox
Published: May 31, 2024
Linked vulnerabilities : CVE-2023-38831
Downloadable IOCs: 8
Click here to see more Attack Reports