Tag: cybercrime
20 attack reports | 0 vulnerabilities
Attack reports
The Mongolian Skimmer: different clothes, equally dangerous
This report details the analysis of a skimming campaign, dubbed the 'Mongolian Skimmer,' which utilizes an obfuscation technique involving unusual Unicode characters for variable and function names. While initially appearing as a novel obfuscation approach, it ultimately employs well-known JavaScri…
Downloadable IOCs 13
Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware
Repellent Scorpius is a new ransomware-as-a-service group distributing Cicada3301 ransomware. It emerged in May 2024 and employs double extortion tactics involving data theft. The report covers a technical analysis of the Cicada3301 ransomware, the group's tactics, connections to historical inciden…
Downloadable IOCs 8
Threat Assessment: North Korean Threat Groups
This assessment evaluates several North Korean threat groups operating under the Reconnaissance General Bureau. It describes their organizational structure, objectives, and the diverse malware families employed in their recent campaigns targeting various industries worldwide. The analysis covers 10…
Downloadable IOCs 58
2024 Paris Olympic Games Infrastructure Attack Report
This report examines the malicious activities surrounding the 2024 Paris Olympic Games, where adversaries set up fraudulent social media profiles, online stores, ticketing systems, and cryptocurrencies to exploit the event's popularity. Researchers analyzed newly registered domains (NRDs) before th…
Downloadable IOCs 148
FIN7: The Truth Doesn't Need to be so STARK
In this collaborative effort, cybersecurity researchers from Silent Push, Stark Industries Solutions, and Team Cymru have identified and disrupted infrastructure associated with the financially motivated threat group FIN7. The analysis uncovered two clusters of potential FIN7 activity communicating…
Downloadable IOCs 103
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks
TrendMicro highlights the dangers of internet-facing routers and elaborates on Pawn Storm's exploitation of EdgeRouters, complementing the FBI's advisory from February 27, 2024. Cybercriminals and nation-state actors share an interest in compromised routers used as an anonymization layer, with cybe…
Downloadable IOCs 64
Solving the 7777 Botnet enigma: A cybersecurity quest
Sekoia.io investigated the mysterious 7777 botnet (aka Quad7 botnet), which compromised TP-Link routers to relay password spraying attacks against Microsoft 365 accounts. The investigation involved intercepting network communications and malware deployed on a compromised router in France. The findi…
Downloadable IOCs 4
BianLian Ransomware Group: 2024 Activity Analysis
The intelligence report delves into the evolving tactics and operations of the BianLian ransomware group, which has emerged as one of the top three most active ransomware groups. It details the group's shift from encryption tactics to a steal-and-extort model after a decryptor was released. The ana…
Downloadable IOCs 8
Analysis of Suspected APT Attack Activities by “Silver Fox”
This document examines the recent activities of the Silver Fox cybercrime group, which has traditionally targeted financial and tax entities but has now shifted its focus towards impersonating national institutions and security companies. The analysis involves a phishing website, Winos remote contr…
Downloadable IOCs 7
How do cryptocurrency drainer phishing scams work?
Cryptodrainer phishing scams have emerged as a significant threat, targeting unsuspecting individuals through deceptive tactics to steal their digital assets. These scams lure victims with promises of profits while covertly siphoning their cryptocurrency. Attackers employ social engineering techniq…
Downloadable IOCs 14
ONNX Store: Phishing-as-a-Service Platform Targeting Financial Institution
This intelligence report analyzes the ONNX Store, a phishing-as-a-service platform targeting financial institutions through embedded QR codes in PDF attachments redirecting victims to phishing sites. The report details the platform's features, including two-factor authentication bypass, realistic M…
Downloadable IOCs 25
The Digital Legacy of Botnet 911 S5
The report provides an in-depth analysis of the notorious Botnet 911 S5, revealing its origins, operations, and digital remnants. It traces the botnet's evolution, from its inception in 2014 to its eventual demise in 2024, after a joint law enforcement operation. The botnet leveraged free VPN softw…
Downloadable IOCs 35
Cybercriminals attack banking customers in EU with V3B phishing kit
An analysis reveals that a cybercriminal group is distributing sophisticated phishing kits to target banking customers in the European Union. These kits, designed to steal sensitive information like credentials and OTP codes, utilize social engineering tactics to deceive victims into revealing pers…
Downloadable IOCs 44
Crimeware report: Acrid, ScarletStealer and Sys01 stealers
This analysis delves into three distinct stealers: Acrid, ScarletStealer, and Sys01. Acrid is a new stealer found in December, employing the 'Heaven's Gate' technique to bypass security controls. ScarletStealer downloads additional executables and Chrome extensions to facilitate data theft. Sys01, …
Downloadable IOCs 5
Deserialization of VIEWSTATE: how an “unpatched” vulnerability plays into the hands of pro-government groups
At the end of 2023, the Solar 4RAYS team was investigating an attack on a Russian telecom company by an Asian advanced persistent threat (APT) group named Obstinate Mogwai (translated as "Stubborn Demon" in English). This group was persistent, repeatedly infiltrating the network until all entry poi…
Downloadable IOCs 9
From Document to Script: Insides of Campaign
This report examines a recent malicious campaign initiated via phishing emails, seemingly from 'QuickBooks,' prompting users to install Java. Clicking the embedded link leads to downloading a malicious JAR file. The JAR contains commands to fetch additional payloads, including an obfuscated AutoIt …
Downloadable IOCs 11
Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID
LATRODECTUS is a malware loader gaining popularity among cybercriminals, with strong connections to the ICEDID malware family. It offers standard capabilities for deploying payloads and conducting post-exploitation activities. Initially discovered by Walmart researchers in 2023, it continues evolvi…
Downloadable IOCs 7
ViperSoftX Uses Deep Learning-based Tesseract to Exfiltrate Information
This analysis focuses on the recent activities of the ViperSoftX malware strain, which controls infected systems and steals user information. The malware is known to install additional malware payloads, including Quasar RAT and a new infostealer called TesseractStealer. TesseractStealer utilizes th…
Downloadable IOCs 8
Profiling Trafficers: Cerberus
This analysis delves into the activities of a group of malware operators known as Cerberus (formerly Amnesia) Team, who specialize in spreading infostealers, particularly in the Commonwealth of Independent States (CIS) region. It provides insights into their operations, tactics, and the evolution o…
Downloadable IOCs 24
Downloadable IOCs 7
How do cryptocurrency drainer phishing scams work?
Cryptodrainer phishing scams have emerged as a significant threat, targeting unsuspecting individuals through deceptive tactics to steal their digital assets. These scams lure victims with promises of profits while covertly siphoning their cryptocurrency. Attackers employ social engineering techniq…
Downloadable IOCs 14
ONNX Store: Phishing-as-a-Service Platform Targeting Financial Institution
This intelligence report analyzes the ONNX Store, a phishing-as-a-service platform targeting financial institutions through embedded QR codes in PDF attachments redirecting victims to phishing sites. The report details the platform's features, including two-factor authentication bypass, realistic M…
Downloadable IOCs 25
The Digital Legacy of Botnet 911 S5
The report provides an in-depth analysis of the notorious Botnet 911 S5, revealing its origins, operations, and digital remnants. It traces the botnet's evolution, from its inception in 2014 to its eventual demise in 2024, after a joint law enforcement operation. The botnet leveraged free VPN softw…
Downloadable IOCs 35
Cybercriminals attack banking customers in EU with V3B phishing kit
An analysis reveals that a cybercriminal group is distributing sophisticated phishing kits to target banking customers in the European Union. These kits, designed to steal sensitive information like credentials and OTP codes, utilize social engineering tactics to deceive victims into revealing pers…
Downloadable IOCs 44
Crimeware report: Acrid, ScarletStealer and Sys01 stealers
This analysis delves into three distinct stealers: Acrid, ScarletStealer, and Sys01. Acrid is a new stealer found in December, employing the 'Heaven's Gate' technique to bypass security controls. ScarletStealer downloads additional executables and Chrome extensions to facilitate data theft. Sys01, …
Downloadable IOCs 5
Deserialization of VIEWSTATE: how an “unpatched” vulnerability plays into the hands of pro-government groups
At the end of 2023, the Solar 4RAYS team was investigating an attack on a Russian telecom company by an Asian advanced persistent threat (APT) group named Obstinate Mogwai (translated as "Stubborn Demon" in English). This group was persistent, repeatedly infiltrating the network until all entry poi…
Downloadable IOCs 9
From Document to Script: Insides of Campaign
This report examines a recent malicious campaign initiated via phishing emails, seemingly from 'QuickBooks,' prompting users to install Java. Clicking the embedded link leads to downloading a malicious JAR file. The JAR contains commands to fetch additional payloads, including an obfuscated AutoIt …
Downloadable IOCs 11
Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID
LATRODECTUS is a malware loader gaining popularity among cybercriminals, with strong connections to the ICEDID malware family. It offers standard capabilities for deploying payloads and conducting post-exploitation activities. Initially discovered by Walmart researchers in 2023, it continues evolvi…
Downloadable IOCs 7
ViperSoftX Uses Deep Learning-based Tesseract to Exfiltrate Information
This analysis focuses on the recent activities of the ViperSoftX malware strain, which controls infected systems and steals user information. The malware is known to install additional malware payloads, including Quasar RAT and a new infostealer called TesseractStealer. TesseractStealer utilizes th…
Downloadable IOCs 8
Profiling Trafficers: Cerberus
This analysis delves into the activities of a group of malware operators known as Cerberus (formerly Amnesia) Team, who specialize in spreading infostealers, particularly in the Commonwealth of Independent States (CIS) region. It provides insights into their operations, tactics, and the evolution o…
Downloadable IOCs 24
The Mongolian Skimmer: different clothes, equally dangerous
This report details the analysis of a skimming campaign, dubbed the 'Mongolian Skimmer,' which utilizes an obfuscation technique involving unusual Unicode characters for variable and function names. While initially appearing as a novel obfuscation approach, it ultimately employs well-known JavaScri…
Downloadable IOCs 13
Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware
Repellent Scorpius is a new ransomware-as-a-service group distributing Cicada3301 ransomware. It emerged in May 2024 and employs double extortion tactics involving data theft. The report covers a technical analysis of the Cicada3301 ransomware, the group's tactics, connections to historical inciden…
Downloadable IOCs 8
Threat Assessment: North Korean Threat Groups
This assessment evaluates several North Korean threat groups operating under the Reconnaissance General Bureau. It describes their organizational structure, objectives, and the diverse malware families employed in their recent campaigns targeting various industries worldwide. The analysis covers 10…
Downloadable IOCs 58
2024 Paris Olympic Games Infrastructure Attack Report
This report examines the malicious activities surrounding the 2024 Paris Olympic Games, where adversaries set up fraudulent social media profiles, online stores, ticketing systems, and cryptocurrencies to exploit the event's popularity. Researchers analyzed newly registered domains (NRDs) before th…
Downloadable IOCs 148
FIN7: The Truth Doesn't Need to be so STARK
In this collaborative effort, cybersecurity researchers from Silent Push, Stark Industries Solutions, and Team Cymru have identified and disrupted infrastructure associated with the financially motivated threat group FIN7. The analysis uncovered two clusters of potential FIN7 activity communicating…
Downloadable IOCs 103
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks
TrendMicro highlights the dangers of internet-facing routers and elaborates on Pawn Storm's exploitation of EdgeRouters, complementing the FBI's advisory from February 27, 2024. Cybercriminals and nation-state actors share an interest in compromised routers used as an anonymization layer, with cybe…
Downloadable IOCs 64
Solving the 7777 Botnet enigma: A cybersecurity quest
Sekoia.io investigated the mysterious 7777 botnet (aka Quad7 botnet), which compromised TP-Link routers to relay password spraying attacks against Microsoft 365 accounts. The investigation involved intercepting network communications and malware deployed on a compromised router in France. The findi…
Downloadable IOCs 4
BianLian Ransomware Group: 2024 Activity Analysis
The intelligence report delves into the evolving tactics and operations of the BianLian ransomware group, which has emerged as one of the top three most active ransomware groups. It details the group's shift from encryption tactics to a steal-and-extort model after a decryptor was released. The ana…
Downloadable IOCs 8
Analysis of Suspected APT Attack Activities by “Silver Fox”
This document examines the recent activities of the Silver Fox cybercrime group, which has traditionally targeted financial and tax entities but has now shifted its focus towards impersonating national institutions and security companies. The analysis involves a phishing website, Winos remote contr…
Downloadable IOCs 7
How do cryptocurrency drainer phishing scams work?
Cryptodrainer phishing scams have emerged as a significant threat, targeting unsuspecting individuals through deceptive tactics to steal their digital assets. These scams lure victims with promises of profits while covertly siphoning their cryptocurrency. Attackers employ social engineering techniq…
Downloadable IOCs 14
ONNX Store: Phishing-as-a-Service Platform Targeting Financial Institution
This intelligence report analyzes the ONNX Store, a phishing-as-a-service platform targeting financial institutions through embedded QR codes in PDF attachments redirecting victims to phishing sites. The report details the platform's features, including two-factor authentication bypass, realistic M…
Downloadable IOCs 25
The Digital Legacy of Botnet 911 S5
The report provides an in-depth analysis of the notorious Botnet 911 S5, revealing its origins, operations, and digital remnants. It traces the botnet's evolution, from its inception in 2014 to its eventual demise in 2024, after a joint law enforcement operation. The botnet leveraged free VPN softw…
Downloadable IOCs 35
Cybercriminals attack banking customers in EU with V3B phishing kit
An analysis reveals that a cybercriminal group is distributing sophisticated phishing kits to target banking customers in the European Union. These kits, designed to steal sensitive information like credentials and OTP codes, utilize social engineering tactics to deceive victims into revealing pers…
Downloadable IOCs 44
Crimeware report: Acrid, ScarletStealer and Sys01 stealers
This analysis delves into three distinct stealers: Acrid, ScarletStealer, and Sys01. Acrid is a new stealer found in December, employing the 'Heaven's Gate' technique to bypass security controls. ScarletStealer downloads additional executables and Chrome extensions to facilitate data theft. Sys01, …
Downloadable IOCs 5
Deserialization of VIEWSTATE: how an “unpatched” vulnerability plays into the hands of pro-government groups
At the end of 2023, the Solar 4RAYS team was investigating an attack on a Russian telecom company by an Asian advanced persistent threat (APT) group named Obstinate Mogwai (translated as "Stubborn Demon" in English). This group was persistent, repeatedly infiltrating the network until all entry poi…
Downloadable IOCs 9
From Document to Script: Insides of Campaign
This report examines a recent malicious campaign initiated via phishing emails, seemingly from 'QuickBooks,' prompting users to install Java. Clicking the embedded link leads to downloading a malicious JAR file. The JAR contains commands to fetch additional payloads, including an obfuscated AutoIt …
Downloadable IOCs 11
Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID
LATRODECTUS is a malware loader gaining popularity among cybercriminals, with strong connections to the ICEDID malware family. It offers standard capabilities for deploying payloads and conducting post-exploitation activities. Initially discovered by Walmart researchers in 2023, it continues evolvi…
Downloadable IOCs 7
ViperSoftX Uses Deep Learning-based Tesseract to Exfiltrate Information
This analysis focuses on the recent activities of the ViperSoftX malware strain, which controls infected systems and steals user information. The malware is known to install additional malware payloads, including Quasar RAT and a new infostealer called TesseractStealer. TesseractStealer utilizes th…
Downloadable IOCs 8
Profiling Trafficers: Cerberus
This analysis delves into the activities of a group of malware operators known as Cerberus (formerly Amnesia) Team, who specialize in spreading infostealers, particularly in the Commonwealth of Independent States (CIS) region. It provides insights into their operations, tactics, and the evolution o…
Downloadable IOCs 24
The Mongolian Skimmer: different clothes, equally dangerous
This report details the analysis of a skimming campaign, dubbed the 'Mongolian Skimmer,' which utilizes an obfuscation technique involving unusual Unicode characters for variable and function names. While initially appearing as a novel obfuscation approach, it ultimately employs well-known JavaScri…
Downloadable IOCs 13
Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware
Repellent Scorpius is a new ransomware-as-a-service group distributing Cicada3301 ransomware. It emerged in May 2024 and employs double extortion tactics involving data theft. The report covers a technical analysis of the Cicada3301 ransomware, the group's tactics, connections to historical inciden…
Downloadable IOCs 8
Threat Assessment: North Korean Threat Groups
This assessment evaluates several North Korean threat groups operating under the Reconnaissance General Bureau. It describes their organizational structure, objectives, and the diverse malware families employed in their recent campaigns targeting various industries worldwide. The analysis covers 10…
Downloadable IOCs 58
2024 Paris Olympic Games Infrastructure Attack Report
This report examines the malicious activities surrounding the 2024 Paris Olympic Games, where adversaries set up fraudulent social media profiles, online stores, ticketing systems, and cryptocurrencies to exploit the event's popularity. Researchers analyzed newly registered domains (NRDs) before th…
Downloadable IOCs 148
FIN7: The Truth Doesn't Need to be so STARK
In this collaborative effort, cybersecurity researchers from Silent Push, Stark Industries Solutions, and Team Cymru have identified and disrupted infrastructure associated with the financially motivated threat group FIN7. The analysis uncovered two clusters of potential FIN7 activity communicating…
Downloadable IOCs 103
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks
TrendMicro highlights the dangers of internet-facing routers and elaborates on Pawn Storm's exploitation of EdgeRouters, complementing the FBI's advisory from February 27, 2024. Cybercriminals and nation-state actors share an interest in compromised routers used as an anonymization layer, with cybe…
Downloadable IOCs 64
Solving the 7777 Botnet enigma: A cybersecurity quest
Sekoia.io investigated the mysterious 7777 botnet (aka Quad7 botnet), which compromised TP-Link routers to relay password spraying attacks against Microsoft 365 accounts. The investigation involved intercepting network communications and malware deployed on a compromised router in France. The findi…
Downloadable IOCs 4
BianLian Ransomware Group: 2024 Activity Analysis
The intelligence report delves into the evolving tactics and operations of the BianLian ransomware group, which has emerged as one of the top three most active ransomware groups. It details the group's shift from encryption tactics to a steal-and-extort model after a decryptor was released. The ana…
Downloadable IOCs 8
Analysis of Suspected APT Attack Activities by “Silver Fox”
This document examines the recent activities of the Silver Fox cybercrime group, which has traditionally targeted financial and tax entities but has now shifted its focus towards impersonating national institutions and security companies. The analysis involves a phishing website, Winos remote contr…
Downloadable IOCs 7
How do cryptocurrency drainer phishing scams work?
Cryptodrainer phishing scams have emerged as a significant threat, targeting unsuspecting individuals through deceptive tactics to steal their digital assets. These scams lure victims with promises of profits while covertly siphoning their cryptocurrency. Attackers employ social engineering techniq…
Downloadable IOCs 14
ONNX Store: Phishing-as-a-Service Platform Targeting Financial Institution
This intelligence report analyzes the ONNX Store, a phishing-as-a-service platform targeting financial institutions through embedded QR codes in PDF attachments redirecting victims to phishing sites. The report details the platform's features, including two-factor authentication bypass, realistic M…
Downloadable IOCs 25
The Digital Legacy of Botnet 911 S5
The report provides an in-depth analysis of the notorious Botnet 911 S5, revealing its origins, operations, and digital remnants. It traces the botnet's evolution, from its inception in 2014 to its eventual demise in 2024, after a joint law enforcement operation. The botnet leveraged free VPN softw…
Downloadable IOCs 35
Cybercriminals attack banking customers in EU with V3B phishing kit
An analysis reveals that a cybercriminal group is distributing sophisticated phishing kits to target banking customers in the European Union. These kits, designed to steal sensitive information like credentials and OTP codes, utilize social engineering tactics to deceive victims into revealing pers…
Downloadable IOCs 44
Crimeware report: Acrid, ScarletStealer and Sys01 stealers
This analysis delves into three distinct stealers: Acrid, ScarletStealer, and Sys01. Acrid is a new stealer found in December, employing the 'Heaven's Gate' technique to bypass security controls. ScarletStealer downloads additional executables and Chrome extensions to facilitate data theft. Sys01, …
Downloadable IOCs 5
Deserialization of VIEWSTATE: how an “unpatched” vulnerability plays into the hands of pro-government groups
At the end of 2023, the Solar 4RAYS team was investigating an attack on a Russian telecom company by an Asian advanced persistent threat (APT) group named Obstinate Mogwai (translated as "Stubborn Demon" in English). This group was persistent, repeatedly infiltrating the network until all entry poi…
Downloadable IOCs 9
From Document to Script: Insides of Campaign
This report examines a recent malicious campaign initiated via phishing emails, seemingly from 'QuickBooks,' prompting users to install Java. Clicking the embedded link leads to downloading a malicious JAR file. The JAR contains commands to fetch additional payloads, including an obfuscated AutoIt …
Downloadable IOCs 11
Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID
LATRODECTUS is a malware loader gaining popularity among cybercriminals, with strong connections to the ICEDID malware family. It offers standard capabilities for deploying payloads and conducting post-exploitation activities. Initially discovered by Walmart researchers in 2023, it continues evolvi…
Downloadable IOCs 7
ViperSoftX Uses Deep Learning-based Tesseract to Exfiltrate Information
This analysis focuses on the recent activities of the ViperSoftX malware strain, which controls infected systems and steals user information. The malware is known to install additional malware payloads, including Quasar RAT and a new infostealer called TesseractStealer. TesseractStealer utilizes th…
Downloadable IOCs 8
Profiling Trafficers: Cerberus
This analysis delves into the activities of a group of malware operators known as Cerberus (formerly Amnesia) Team, who specialize in spreading infostealers, particularly in the Commonwealth of Independent States (CIS) region. It provides insights into their operations, tactics, and the evolution o…
Downloadable IOCs 24
The Mongolian Skimmer: different clothes, equally dangerous
This report details the analysis of a skimming campaign, dubbed the 'Mongolian Skimmer,' which utilizes an obfuscation technique involving unusual Unicode characters for variable and function names. While initially appearing as a novel obfuscation approach, it ultimately employs well-known JavaScri…
Downloadable IOCs 13
Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware
Repellent Scorpius is a new ransomware-as-a-service group distributing Cicada3301 ransomware. It emerged in May 2024 and employs double extortion tactics involving data theft. The report covers a technical analysis of the Cicada3301 ransomware, the group's tactics, connections to historical inciden…
Downloadable IOCs 8
Threat Assessment: North Korean Threat Groups
This assessment evaluates several North Korean threat groups operating under the Reconnaissance General Bureau. It describes their organizational structure, objectives, and the diverse malware families employed in their recent campaigns targeting various industries worldwide. The analysis covers 10…
Downloadable IOCs 58
2024 Paris Olympic Games Infrastructure Attack Report
This report examines the malicious activities surrounding the 2024 Paris Olympic Games, where adversaries set up fraudulent social media profiles, online stores, ticketing systems, and cryptocurrencies to exploit the event's popularity. Researchers analyzed newly registered domains (NRDs) before th…
Downloadable IOCs 148
FIN7: The Truth Doesn't Need to be so STARK
In this collaborative effort, cybersecurity researchers from Silent Push, Stark Industries Solutions, and Team Cymru have identified and disrupted infrastructure associated with the financially motivated threat group FIN7. The analysis uncovered two clusters of potential FIN7 activity communicating…
Downloadable IOCs 103
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks
TrendMicro highlights the dangers of internet-facing routers and elaborates on Pawn Storm's exploitation of EdgeRouters, complementing the FBI's advisory from February 27, 2024. Cybercriminals and nation-state actors share an interest in compromised routers used as an anonymization layer, with cybe…
Downloadable IOCs 64
Solving the 7777 Botnet enigma: A cybersecurity quest
Sekoia.io investigated the mysterious 7777 botnet (aka Quad7 botnet), which compromised TP-Link routers to relay password spraying attacks against Microsoft 365 accounts. The investigation involved intercepting network communications and malware deployed on a compromised router in France. The findi…
Downloadable IOCs 4
BianLian Ransomware Group: 2024 Activity Analysis
The intelligence report delves into the evolving tactics and operations of the BianLian ransomware group, which has emerged as one of the top three most active ransomware groups. It details the group's shift from encryption tactics to a steal-and-extort model after a decryptor was released. The ana…
Downloadable IOCs 8
Analysis of Suspected APT Attack Activities by “Silver Fox”
This document examines the recent activities of the Silver Fox cybercrime group, which has traditionally targeted financial and tax entities but has now shifted its focus towards impersonating national institutions and security companies. The analysis involves a phishing website, Winos remote contr…
Downloadable IOCs 7
How do cryptocurrency drainer phishing scams work?
Cryptodrainer phishing scams have emerged as a significant threat, targeting unsuspecting individuals through deceptive tactics to steal their digital assets. These scams lure victims with promises of profits while covertly siphoning their cryptocurrency. Attackers employ social engineering techniq…
Downloadable IOCs 14
ONNX Store: Phishing-as-a-Service Platform Targeting Financial Institution
This intelligence report analyzes the ONNX Store, a phishing-as-a-service platform targeting financial institutions through embedded QR codes in PDF attachments redirecting victims to phishing sites. The report details the platform's features, including two-factor authentication bypass, realistic M…
Downloadable IOCs 25
The Digital Legacy of Botnet 911 S5
The report provides an in-depth analysis of the notorious Botnet 911 S5, revealing its origins, operations, and digital remnants. It traces the botnet's evolution, from its inception in 2014 to its eventual demise in 2024, after a joint law enforcement operation. The botnet leveraged free VPN softw…
Downloadable IOCs 35
Cybercriminals attack banking customers in EU with V3B phishing kit
An analysis reveals that a cybercriminal group is distributing sophisticated phishing kits to target banking customers in the European Union. These kits, designed to steal sensitive information like credentials and OTP codes, utilize social engineering tactics to deceive victims into revealing pers…
Downloadable IOCs 44
Crimeware report: Acrid, ScarletStealer and Sys01 stealers
This analysis delves into three distinct stealers: Acrid, ScarletStealer, and Sys01. Acrid is a new stealer found in December, employing the 'Heaven's Gate' technique to bypass security controls. ScarletStealer downloads additional executables and Chrome extensions to facilitate data theft. Sys01, …
Downloadable IOCs 5
Deserialization of VIEWSTATE: how an “unpatched” vulnerability plays into the hands of pro-government groups
At the end of 2023, the Solar 4RAYS team was investigating an attack on a Russian telecom company by an Asian advanced persistent threat (APT) group named Obstinate Mogwai (translated as "Stubborn Demon" in English). This group was persistent, repeatedly infiltrating the network until all entry poi…
Downloadable IOCs 9
From Document to Script: Insides of Campaign
This report examines a recent malicious campaign initiated via phishing emails, seemingly from 'QuickBooks,' prompting users to install Java. Clicking the embedded link leads to downloading a malicious JAR file. The JAR contains commands to fetch additional payloads, including an obfuscated AutoIt …
Downloadable IOCs 11
Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID
LATRODECTUS is a malware loader gaining popularity among cybercriminals, with strong connections to the ICEDID malware family. It offers standard capabilities for deploying payloads and conducting post-exploitation activities. Initially discovered by Walmart researchers in 2023, it continues evolvi…
Downloadable IOCs 7
ViperSoftX Uses Deep Learning-based Tesseract to Exfiltrate Information
This analysis focuses on the recent activities of the ViperSoftX malware strain, which controls infected systems and steals user information. The malware is known to install additional malware payloads, including Quasar RAT and a new infostealer called TesseractStealer. TesseractStealer utilizes th…
Downloadable IOCs 8
Profiling Trafficers: Cerberus
This analysis delves into the activities of a group of malware operators known as Cerberus (formerly Amnesia) Team, who specialize in spreading infostealers, particularly in the Commonwealth of Independent States (CIS) region. It provides insights into their operations, tactics, and the evolution o…
Downloadable IOCs 24
The Mongolian Skimmer: different clothes, equally dangerous
This report details the analysis of a skimming campaign, dubbed the 'Mongolian Skimmer,' which utilizes an obfuscation technique involving unusual Unicode characters for variable and function names. While initially appearing as a novel obfuscation approach, it ultimately employs well-known JavaScri…
Downloadable IOCs 13
Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware
Repellent Scorpius is a new ransomware-as-a-service group distributing Cicada3301 ransomware. It emerged in May 2024 and employs double extortion tactics involving data theft. The report covers a technical analysis of the Cicada3301 ransomware, the group's tactics, connections to historical inciden…
Downloadable IOCs 8
Threat Assessment: North Korean Threat Groups
This assessment evaluates several North Korean threat groups operating under the Reconnaissance General Bureau. It describes their organizational structure, objectives, and the diverse malware families employed in their recent campaigns targeting various industries worldwide. The analysis covers 10…
Downloadable IOCs 58
2024 Paris Olympic Games Infrastructure Attack Report
Downloadable IOCs 8
Profiling Trafficers: Cerberus
This analysis delves into the activities of a group of malware operators known as Cerberus (formerly Amnesia) Team, who specialize in spreading infostealers, particularly in the Commonwealth of Independent States (CIS) region. It provides insights into their operations, tactics, and the evolution o…
Downloadable IOCs 24
Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks
TrendMicro highlights the dangers of internet-facing routers and elaborates on Pawn Storm's exploitation of EdgeRouters, complementing the FBI's advisory from February 27, 2024. Cybercriminals and nation-state actors share an interest in compromised routers used as an anonymization layer, with cybe…
Downloadable IOCs 64
Downloadable IOCs 148
FIN7: The Truth Doesn't Need to be so STARK
In this collaborative effort, cybersecurity researchers from Silent Push, Stark Industries Solutions, and Team Cymru have identified and disrupted infrastructure associated with the financially motivated threat group FIN7. The analysis uncovered two clusters of potential FIN7 activity communicating…
Downloadable IOCs 103
A Dive into Latest Campaign
Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries like Italy, Germany, UAE, and Qatar. The group leverages public-facing applications like IIS servers as entry points, deploying soph…
Downloadable IOCs 30
Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks
TrendMicro highlights the dangers of internet-facing routers and elaborates on Pawn Storm's exploitation of EdgeRouters, complementing the FBI's advisory from February 27, 2024. Cybercriminals and nation-state actors share an interest in compromised routers used as an anonymization layer, with cybe…
Downloadable IOCs 64
Solving the 7777 Botnet enigma: A cybersecurity quest
Sekoia.io investigated the mysterious 7777 botnet (aka Quad7 botnet), which compromised TP-Link routers to relay password spraying attacks against Microsoft 365 accounts. The investigation involved intercepting network communications and malware deployed on a compromised router in France. The findi…
Downloadable IOCs 4
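The 7777 botnet entry above says the compromised routers relayed password-spraying attempts against Microsoft 365 accounts. The following is an added example, not code from the Sekoia.io report: a Python detector run over constructed sign-in records (the log format, account names, IP addresses and thresholds are all made up for illustration). It flags the classic single-source spray (one IP, many accounts, one failure each) and the distributed pattern a router botnet produces, where every relay stays under a per-IP threshold and only a tenant-wide view over a time window catches it.

```python
"""
Added example (not from the Sekoia.io report): password-spraying detection
over constructed Microsoft 365 style sign-in records.

Record format assumed here (one event per line):
    <ISO-8601 UTC timestamp> <user> <source IP> <FAILURE|SUCCESS>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one relay IP tries six accounts in 30 seconds and
# gets one of them right; a second IP retries a single account (not a spray).
SAMPLE_LOG = """\
2024-07-01T09:00:01Z alice@example.com 203.0.113.10 FAILURE
2024-07-01T09:00:07Z bob@example.com 203.0.113.10 FAILURE
2024-07-01T09:00:13Z carol@example.com 203.0.113.10 FAILURE
2024-07-01T09:00:19Z dave@example.com 203.0.113.10 FAILURE
2024-07-01T09:00:25Z erin@example.com 203.0.113.10 FAILURE
2024-07-01T09:00:31Z frank@example.com 203.0.113.10 SUCCESS
2024-07-01T09:01:00Z alice@example.com 198.51.100.7 FAILURE
2024-07-01T09:01:05Z alice@example.com 198.51.100.7 FAILURE
2024-07-01T09:01:10Z alice@example.com 198.51.100.7 SUCCESS
"""

# Constructed sample of the botnet-relayed form: six different source IPs,
# one failed attempt each, spread over 15 minutes. No single IP is noisy.
DISTRIBUTED_LOG = """\
2024-07-02T02:00:00Z alice@example.com 192.0.2.11 FAILURE
2024-07-02T02:03:00Z bob@example.com 192.0.2.12 FAILURE
2024-07-02T02:06:00Z carol@example.com 192.0.2.13 FAILURE
2024-07-02T02:09:00Z dave@example.com 192.0.2.14 FAILURE
2024-07-02T02:12:00Z erin@example.com 192.0.2.15 FAILURE
2024-07-02T02:15:00Z frank@example.com 192.0.2.16 FAILURE
"""


def parse(log_text):
    """Parse the assumed record format into (timestamp, user, ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Per-source-IP spray: many distinct accounts from one IP inside a time window.

    Returns {ip: {max_distinct_users_in_window, failures, compromised}} for
    every IP that reached min_users distinct accounts within `window`.
    """
    by_ip = defaultdict(list)
    for ev in parse(log_text):
        by_ip[ev[2]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological; tuples sort on the timestamp first
        start, best = 0, 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({e[1] for e in evs[start:end + 1]}))
        if best >= min_users:
            findings[ip] = {
                "max_distinct_users_in_window": best,
                "failures": sum(1 for e in evs if e[3] == "FAILURE"),
                # accounts the sprayer actually got into: what IR needs first
                "compromised": sorted({e[1] for e in evs if e[3] == "SUCCESS"}),
            }
    return findings


def detect_distributed_spray(log_text, window=timedelta(minutes=30),
                             min_users=5, max_per_ip=2):
    """Tenant-wide spray through a relay botnet: each IP contributes at most
    `max_per_ip` failures, but across all such IPs many distinct accounts fail
    inside `window`. Returns a summary dict, or None if nothing reaches min_users.
    """
    evs = sorted(e for e in parse(log_text) if e[3] == "FAILURE")
    per_ip = defaultdict(int)
    for e in evs:
        per_ip[e[2]] += 1
    # keep only the low-and-slow sources; noisy IPs are detect_spray's job
    evs = [e for e in evs if per_ip[e[2]] <= max_per_ip]

    start, best_users, best_ips = 0, 0, 0
    for end in range(len(evs)):
        while evs[end][0] - evs[start][0] > window:
            start += 1
        win = evs[start:end + 1]
        users = len({e[1] for e in win})
        if users > best_users:
            best_users, best_ips = users, len({e[2] for e in win})
    if best_users >= min_users:
        return {"distinct_users": best_users, "distinct_ips": best_ips}
    return None


if __name__ == "__main__":
    print("single-source:", detect_spray(SAMPLE_LOG))
    print("distributed  :", detect_distributed_spray(DISTRIBUTED_LOG))
```

The thresholds (five accounts in ten minutes per IP, two failures per relay for the distributed view) are assumptions for the constructed data; on real tenant logs they need tuning against the baseline of legitimate failed logins, and the distributed check should also exclude the organisation's own egress ranges so that one NAT gateway with many typo-prone users does not trigger it.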
BianLian Ransomware Group: 2024 Activity Analysis
The intelligence report delves into the evolving tactics and operations of the BianLian ransomware group, which has emerged as one of the top three most active ransomware groups. It details the group's shift from encryption tactics to a steal-and-extort model after a decryptor was released. The ana…
Downloadable IOCs 8
Analysis of Suspected APT Attack Activities by “Silver Fox”
This document examines the recent activities of the Silver Fox cybercrime group, which has traditionally targeted financial and tax entities but has now shifted its focus towards impersonating national institutions and security companies. The analysis involves a phishing website, Winos remote contr…
Downloadable IOCs 7
How do cryptocurrency drainer phishing scams work?
Cryptodrainer phishing scams have emerged as a significant threat, targeting unsuspecting individuals through deceptive tactics to steal their digital assets. These scams lure victims with promises of profits while covertly siphoning their cryptocurrency. Attackers employ social engineering techniq…
Downloadable IOCs 14
ONNX Store: Phishing-as-a-Service Platform Targeting Financial Institution
This intelligence report analyzes the ONNX Store, a phishing-as-a-service platform targeting financial institutions through embedded QR codes in PDF attachments redirecting victims to phishing sites. The report details the platform's features, including two-factor authentication bypass, realistic M…
Downloadable IOCs 25
The Digital Legacy of Botnet 911 S5
The report provides an in-depth analysis of the notorious Botnet 911 S5, revealing its origins, operations, and digital remnants. It traces the botnet's evolution, from its inception in 2014 to its eventual demise in 2024, after a joint law enforcement operation. The botnet leveraged free VPN softw…
Downloadable IOCs 35
Cybercriminals attack banking customers in EU with V3B phishing kit
An analysis reveals that a cybercriminal group is distributing sophisticated phishing kits to target banking customers in the European Union. These kits, designed to steal sensitive information like credentials and OTP codes, utilize social engineering tactics to deceive victims into revealing pers…
Downloadable IOCs 44
Crimeware report: Acrid, ScarletStealer and Sys01 stealers
This analysis delves into three distinct stealers: Acrid, ScarletStealer, and Sys01. Acrid is a new stealer found in December, employing the 'Heaven's Gate' technique to bypass security controls. ScarletStealer downloads additional executables and Chrome extensions to facilitate data theft. Sys01, …
Downloadable IOCs 5
Deserialization of VIEWSTATE: how an “unpatched” vulnerability plays into the hands of pro-government groups
At the end of 2023, the Solar 4RAYS team was investigating an attack on a Russian telecom company by an Asian advanced persistent threat (APT) group named Obstinate Mogwai (translated as "Stubborn Demon" in English). This group was persistent, repeatedly infiltrating the network until all entry poi…
Downloadable IOCs 9
From Document to Script: Insides of Campaign
This report examines a recent malicious campaign initiated via phishing emails, seemingly from 'QuickBooks,' prompting users to install Java. Clicking the embedded link leads to downloading a malicious JAR file. The JAR contains commands to fetch additional payloads, including an obfuscated AutoIt …
Downloadable IOCs 11
Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID
LATRODECTUS is a malware loader gaining popularity among cybercriminals, with strong connections to the ICEDID malware family. It offers standard capabilities for deploying payloads and conducting post-exploitation activities. Initially discovered by Walmart researchers in 2023, it continues evolvi…
Downloadable IOCs 7
ViperSoftX Uses Deep Learning-based Tesseract to Exfiltrate Information
This analysis focuses on the recent activities of the ViperSoftX malware strain, which controls infected systems and steals user information. The malware is known to install additional malware payloads, including Quasar RAT and a new infostealer called TesseractStealer. TesseractStealer utilizes th…
Downloadable IOCs 8
Profiling Trafficers: Cerberus
This analysis delves into the activities of a group of malware operators known as Cerberus (formerly Amnesia) Team, who specialize in spreading infostealers, particularly in the Commonwealth of Independent States (CIS) region. It provides insights into their operations, tactics, and the evolution o…
Downloadable IOCs 24