Tag: data exfiltration

44 Attack Reports | 0 Vulnerabilities

Attack reports

FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE

An investigation of nine malware samples revealed FOG ransomware being distributed by cybercriminals impersonating the Department of Government Efficiency (DOGE). The ransomware, spread via email and phishing attacks, is concealed in a ZIP file named 'Pay Adjustment.zip'. The infection chain involv…
phishing
ransomware
foggyweb
privilege escalation
data exfiltration
sandbox evasion
multi-stage
2025-04-21
doge
Published: April 21, 2025
Downloadable IOCs: 6

Newly Registered Domains Distributing SpyNote Malware

Cybercriminals are employing deceptive websites on newly registered domains to distribute AndroidOS SpyNote malware. These sites imitate the Google Chrome install page on the Google Play Store, tricking users into downloading SpyNote, a powerful Android remote access trojan. SpyNote is used for sur…
rat
phishing
android
spynote
remote access
keylogging
data exfiltration
spymax
google play store
2025-04-10
apk dropper
androidos
2025-04-15
Published: April 15, 2025
Downloadable IOCs: 0

APT Targets South Korea with Deceptive PDF Lures

The Kimsuky APT group, also known as Black Banshee, has been actively targeting South Korean government entities using evolving tactics. Two distinct campaigns were uncovered, both utilizing government-themed PDF documents as lures. The infection chain begins with a phishing email containing a mali…
obfuscation
apt
phishing
south korea
keylogging
lnk file
data exfiltration
cryptocurrency theft
snakekeylogger
2025-04-04
vba script
Published: April 4, 2025
Downloadable IOCs: 0

Analysis of New Mobile Banking Malware

Salvador Stealer is a newly discovered Android malware that poses as a banking application to steal sensitive user information. It employs a multi-stage attack chain, utilizing a dropper APK to install the main payload. The malware incorporates a phishing website within the app to collect personal …
phishing
android
persistence
banking
data exfiltration
credential stealing
sms interception
otp theft
2025-04-01
salvador stealer
Published: April 1, 2025
Downloadable IOCs: 0

Analysis of Konni RAT: Stealth, Persistence, and Anti-Analysis Techniques

Konni RAT, a sophisticated remote access Trojan targeting Windows systems, employs a multi-stage attack process using batch files, PowerShell scripts, and VBScript. It exploits Windows Explorer limitations, obfuscates file paths, dynamically generates URLs, and uses temporary files to erase activit…
windows
persistence
anti-analysis
data exfiltration
multi-stage attack
stealth techniques
remote access trojan
2025-04-01
konni rat
Published: April 1, 2025
Downloadable IOCs: 0

SVC New Stealer on the Horizon

SvcStealer 2025 is a newly discovered information stealer malware distributed through spear phishing emails. It targets sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates speci…
cryptocurrency
data exfiltration
information stealer
c2 communication
evasion techniques
spear phishing
2025-03-21
svcstealer
Published: March 21, 2025
Downloadable IOCs: 0

New Ransomware Operator Exploits Fortinet Vulnerability Duo

A new ransomware operator, dubbed Mora_001, has been exploiting Fortinet firewall vulnerabilities CVE-2024-55591 and CVE-2025-24472 to gain unauthorized access and deploy a modified version of LockBit ransomware. The threat actor creates persistent admin accounts, exfiltrates firewall configuration…
ransomware
lockbit
lateral movement
data exfiltration
fortinet
firewall
CVE-2024-55591
CVE-2025-24472
2025-03-14
superblack
wipeblack
Published: March 14, 2025
Downloadable IOCs: 23

Malicious Packages Identified in the Wild: Insights and Trends from November 2024 Onward

FortiGuard Labs has analyzed malicious software packages detected from November 2024 to March 2025, revealing various attack techniques used to exploit system vulnerabilities. Key findings include 1,082 packages with low file counts, 1,052 packages with suspicious install scripts, and 1,043 package…
obfuscation
python
typosquatting
node.js
backdoors
data exfiltration
vulnerability exploitation
2025-03-10
install scripts
software packages
Published: March 10, 2025
Downloadable IOCs: 11

Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency

A new malware called Zhong Stealer has been identified targeting the cryptocurrency and fintech sectors through a phishing campaign. The attackers exploited chat support platforms, posing as customers to trick agents into downloading the malware. Zhong Stealer's execution flow involves multiple sta…
phishing
cryptocurrency
persistence
credential theft
data exfiltration
fintech
2025-02-18
zhong stealer
Published: February 18, 2025
Downloadable IOCs: 5

CL0P Ransomware: Latest Attacks

The Cl0p ransomware group has recently targeted 43 organizations across various industries, with a focus on Manufacturing, Retail, and Transportation sectors. The majority of victims are located in the US, Canada, and Europe. The attackers likely exploited the Cleo vulnerability (CVE-2024-50623) fo…
ransomware
data exfiltration
transportation
CVE-2024-50623
manufacturing
retail
2025-02-12
ta505
cl0p
cleo vulnerability
evil corp
Published: February 12, 2025
Linked vulnerabilities : CVE-2024-50623 (CVSS 8.8)
Downloadable IOCs: 6

Blast from the Past

A large-scale campaign targeting Russian organizations across various industries has been detected. The attackers are using NOVA stealer, a commercial fork of SnakeLogger, distributed via phishing emails disguised as contract archives. NOVA, marketed as Malware-as-a-Service, is capable of stealing …
phishing
stealer
persistence
credential theft
data exfiltration
russian
maas
nova
snakelogger
2025-02-05
organizations
Published: February 5, 2025
Downloadable IOCs: 1

Stealers on the Rise: A Closer Look at a Growing macOS Threat

This analysis examines the increasing prevalence of macOS infostealers, focusing on three prominent threats: Atomic Stealer, Poseidon Stealer, and Cthulhu Stealer. These malware variants target sensitive information, including financial details, credentials, and intellectual property. The article d…
infostealer
macos
credential theft
data exfiltration
atomic stealer
cthulhu stealer
applescript
2025-02-04
poseidon stealer
Published: February 4, 2025
Downloadable IOCs: 26

Analysis of Astral Stealer

Astral Stealer v1.8 is a powerful malware tool coded in Python, C#, and JavaScript, designed for data theft and crypto wallet exploitation. It targets gaming accounts, browser credentials, and cryptocurrency wallets while employing anti-debugging and VM bypass techniques. The stealer offers advance…
cryptocurrency
stealer
data exfiltration
information theft
2025-01-31
browser injection
discord injection
astral stealer
Published: January 31, 2025
Downloadable IOCs: 3

Operation Phantom Circuit: North Korea's Global Data Exfiltration Campaign

In December 2024, the Lazarus Group, a North Korean threat actor, launched a sophisticated global campaign targeting cryptocurrency and technology developers. The operation, code-named 'Phantom Circuit,' involved embedding malware into trusted development tools, compromising hundreds of victims wor…
north korea
cryptocurrency
data exfiltration
software supply chain
command-and-control
2025-01-30
phantom circuit
Published: January 30, 2025
Downloadable IOCs: 13

Analysis of Interlock Ransomware Attack on Healthcare Facilities

The Interlock ransomware group has been actively targeting healthcare facilities in the United States, causing significant disruptions and exposing sensitive patient data. The attacks involve drive-by compromise techniques, using fake software updaters to deploy malware. The group employs double-ex…
ransomware
credential theft
healthcare
lateral movement
data exfiltration
double-extortion
interlock
2025-01-28
drive-by compromise
Published: January 28, 2025
Downloadable IOCs: 0

Investigating A Web Shell Intrusion With Managed XDR

This analysis details a web shell intrusion incident where attackers exploited an IIS worker to exfiltrate data. The attacker uploaded a web shell, created a new account for persistence, modified an existing user's password, and used encoded PowerShell commands to establish a reverse TCP shell for …
powershell
anydesk
privilege escalation
data exfiltration
web shell
command-and-control
2025-01-15
reverse tcp shell
iis worker
Published: January 15, 2025
Downloadable IOCs: 0

Cyberhaven’s preliminary analysis of the recent malicious Chrome extension

A phishing attack on December 24th, 2024 compromised a Cyberhaven employee's access to the Google Chrome Web Store, leading to the publication of a malicious version of their Chrome extension. This was part of a larger campaign targeting Chrome Extension developers, primarily aiming at Facebook Ads…
phishing
data exfiltration
chrome extension
command and control
2025-01-02
facebook ads
oauth
Published: January 2, 2025
Downloadable IOCs: 5

NotLockBit: A Deep Dive Into the New Ransomware Threat

NotLockBit is an emerging ransomware family that mimics LockBit's behavior while targeting both macOS and Windows systems. Distributed as an x86_64 golang binary, it showcases advanced capabilities including targeted file encryption, data exfiltration, and self-deletion mechanisms. The malware gath…
ransomware
encryption
golang
cross-platform
data-exfiltration
2024-12-19
notlockbit
aws-abuse
self-deletion
Published: December 19, 2024
Downloadable IOCs: 5

Python-Based NodeStealer Version Targets Facebook Ads Manager

The latest variant of NodeStealer has evolved from JavaScript to Python, expanding its data theft capabilities. Trend Micro's MXDR team uncovered this advanced version in a campaign targeting a Malaysian educational institution, linked to a Vietnamese threat group. The malware now targets Facebook …
python
infostealer
dll sideloading
data exfiltration
telegram
spear-phishing
2024-12-19
nodestealer
facebook ads manager
Published: December 19, 2024
Downloadable IOCs: 5

Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks

Earth Koshchei, an APT group suspected to be sponsored by the Russian SVR, executed a large-scale rogue RDP campaign targeting high-profile sectors. The attack methodology involved spear-phishing emails, red team tools, and sophisticated anonymization techniques. The campaign used an RDP relay, rog…
data exfiltration
spear-phishing
apt29
midnight blizzard
2024-12-17
python remote desktop protocol mitm tool (pyrdp)
roguerdp
tor exit nodes
Published: December 17, 2024
Downloadable IOCs: 421

End-of-Year PTO: Days Off and Data Exfiltration with Formbook

A phishing campaign disguised as an end-of-year leave approval notice has been intercepted by the Cofense Phishing Defense Center. The malicious email, masquerading as HR communication, tricks recipients into clicking a link that leads to the deployment of FormBook malware. The email contains red f…
phishing
autoit
credential harvesting
formbook
keylogging
data exfiltration
process injection
2024-12-06
holiday-themed
Published: December 6, 2024
Downloadable IOCs: 0

Credit Card Skimmer Malware Targeting Magento Checkout Pages

A sophisticated credit card skimmer malware has been discovered targeting Magento-powered eCommerce websites, specifically their checkout processes. The malware dynamically creates a fake credit card form or extracts payment fields, activating only on checkout pages. It uses advanced obfuscation te…
obfuscation
encryption
data exfiltration
credit card skimmer
magento
2024-11-27
ecommerce
javascript injection
checkout pages
Published: November 27, 2024
Downloadable IOCs: 0

Threat Campaign Targeting Palo Alto Networks Firewall Devices Observed

Arctic Wolf has identified multiple intrusions across various industries involving Palo Alto Network firewall devices. The attacks likely exploit recently disclosed PAN-OS vulnerabilities CVE-2024-0012 and CVE-2024-9474 for initial access. Affected devices downloaded payloads including the Sliver C…
xmrig
data exfiltration
vulnerability exploitation
webshells
CVE-2024-0012
CVE-2024-9474
2024-11-25
sliver c2
palo alto networks
Published: November 25, 2024
Downloadable IOCs: 14

Threat Assessment: Distributors of BlackSuit Ransomware

Ignoble Scorpius, previously known as Royal ransomware, has rebranded as BlackSuit ransomware and increased its activity since March 2024. The group has targeted at least 93 victims globally, with a focus on the construction and manufacturing industries. Their initial ransom demands average 1.6% of…
ransomware
extortion
cobalt strike
credential theft
gootloader
lateral movement
mimikatz
data exfiltration
blacksuit
systembc
supply chain attack
2024-11-20
nanodump
Published: November 20, 2024
Downloadable IOCs: 2

Helldown Ransomware: an overview of this emerging threat

Helldown is a new and highly active ransomware group that has claimed 31 victims in three months. It employs custom ransomware for Windows and Linux systems, engages in double extortion, and exploits vulnerabilities in Zyxel firewalls for initial access. The group exfiltrates large volumes of data,…
linux
ransomware
windows
data exfiltration
CVE-2024-42057
double extortion
2024-11-20
helldown
emerging threat
zyxel vulnerability
vmware esx
Published: November 20, 2024
Downloadable IOCs: 0

The State of Cloud Ransomware in 2024

Cloud ransomware attacks are evolving, primarily targeting storage services like Amazon S3 and Azure Blob Storage. Attackers exploit misconfigurations or use stolen credentials to access and encrypt data. Cloud service providers have implemented security measures, such as AWS's 7-day key deletion w…
lockbit
bianlian
cloud security
data exfiltration
rhysida
2024-11-14
CVE-2023-34362
cspm
cloud ransomware
pandora
s3 buckets
ransomes
web application attacks
identity management
kms
Published: November 14, 2024
Downloadable IOCs: 0

Increased Fog and Akira Ransomware Activity Linked to SonicWall SSL VPN

Since early August, there has been a significant increase in Fog and Akira ransomware intrusions targeting SonicWall SSL VPN users across various industries. The attacks appear opportunistic rather than targeting specific sectors. All affected devices lacked patches for CVE-2024-40766. Initial acce…
ransomware
vpn
data exfiltration
akira
CVE-2024-40766
2024-10-24
sonicwall
initial access
fog
Published: October 24, 2024
Linked vulnerabilities : CVE-2024-40766 (CVSS 9.8)
Downloadable IOCs: 16

Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA

Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
powershell
cryptocurrency
lumma stealer
information-stealing
data exfiltration
fileless
maas
process hollowing
fake captcha
2024-10-21
Published: October 21, 2024
Downloadable IOCs: 23

Stealers on the rise: Kral, AMOS, Vidar and ACR

This intelligence report analyzes the increasing prevalence of information stealers, focusing on Kral, AMOS, Vidar, and ACR. Kral, delivered by its downloader, targets cryptocurrency wallets and browser data. AMOS, a macOS stealer, spreads through malvertising impersonating Homebrew. Vidar distribu…
cryptocurrency
macos
credential theft
vidar
data exfiltration
amos
aurora
2024-10-21
dll hijacking
information stealers
kral
penguish
acr
Published: October 21, 2024
Downloadable IOCs: 0

Fake LockBit Real Damage Ransomware Samples Abuse AWS S3 to Steal Data

This report discusses malicious Golang ransomware samples that exploit Amazon S3's Transfer Acceleration feature to exfiltrate victims' data and upload it to attacker-controlled S3 buckets. The samples contained hard-coded AWS credentials linked to compromised accounts, allowing the researchers to …
ransomware
golang
aws
data-exfiltration
2024-10-17
lockbit-imitation
Published: October 17, 2024
Downloadable IOCs: 39

From Perfctl to InfoStealer

A new stealthy Linux malware called perfctl has been analyzed. The malware runs two processes: perfctl and a disguised process mimicking known Linux processes. It uses Tor for external communications and local sockets for inter-process communication. After 30 minutes, the attacker drops scripts to …
malware
linux
rootkit
cryptominer
data exfiltration
stealth
perfctl
2024-10-09
trufflehog
Published: October 9, 2024
Downloadable IOCs: 3

Dark Angels Exposed

The Dark Angels ransomware group, active since April 2022, operates with sophisticated strategies targeting large companies for substantial ransom demands. They focus on stealthy attacks, avoiding outsourcing to third-party brokers. The group uses various ransomware payloads, including Babuk and Re…
ransomware
data exfiltration
babuk
raas
2024-10-08
ragnarlocker
CVE-2023-22069
Published: October 8, 2024
Downloadable IOCs: 0

No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection

This article analyzes four previously undisclosed DNS tunneling campaigns identified through a new campaign monitoring system. The system detects tunneling domains based on common techniques and attributes used in malicious campaigns. Four new campaigns were uncovered: FinHealthXDS (targeting finan…
cobalt strike
icedid
dns tunneling
data exfiltration
redline stealer
2024-10-05
russiansite
nsfinder
8ns
covert communications
hiloti
finhealthxds
Published: October 5, 2024
Downloadable IOCs: 0

Separating the bee from the panda: CeranaKeeper making a beeline for Thailand

This intelligence report details a sophisticated malware campaign targeting multiple industries across various countries. The threat actor employs advanced tactics, techniques, and procedures (TTPs) to infiltrate networks, maintain persistence, and exfiltrate sensitive data. The malware used in thi…
social engineering
data exfiltration
advanced persistent threat
2024-10-03
custom malware
multi-industry targeting
persistence techniques
network infiltration
Published: October 3, 2024
Downloadable IOCs: 16

New Android Spyware Campaign Targets South Koreans via AWS

A sophisticated Android spyware campaign targeting South Koreans has been uncovered by Cyble Research and Intelligence Labs. Active since June 2024, the malware exploits an Amazon AWS S3 bucket as its Command and Control server to exfiltrate sensitive personal data including SMS messages, contacts,…
android
spyware
south korea
cloud security
data exfiltration
aws
mobile malware
2024-10-01
stealth techniques
Published: October 1, 2024
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2017-11882, CVE-2024-21893
Downloadable IOCs: 7

Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware

A BlackCat ransomware intrusion began with a Nitrogen malware campaign impersonating Advanced IP Scanner. The attackers used Sliver and Cobalt Strike beacons for post-exploitation, leveraging Python scripts for memory loading. They performed network enumeration using various tools and moved lateral…
ransomware
blackcat
alphv
cobalt strike
sliver
credential harvesting
lateral movement
noberus
data exfiltration
2024-10-01
nitrogen
Published: October 1, 2024
Downloadable IOCs: 45

Storm-0501: Ransomware attacks expanding to hybrid cloud environments

Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
backdoor
ransomware
credential-theft
cobalt strike
rclone
impacket
data-exfiltration
lateral-movement
2024-09-30
CVE-2022-47966
CVE-2023-4966
hybrid-cloud
embargo
aadinternals
CVE-2023-38203
CVE-2023-29300
Published: September 30, 2024
Linked vulnerabilities : CVE-2023-4966, CVE-2023-38203, CVE-2023-29300, CVE-2022-47966
Downloadable IOCs: 14

BLX STEALER

Identified as a sophisticated dropper binary designed to deploy an information stealer dubbed BLX Stealer or XLABB Stealer, this malware has been actively promoted on Telegram and Discord platforms. It targets credentials, browser data, cryptocurrency wallets, and other sensitive personal informati…
cryptocurrency
stealer
persistence
credential
data exfiltration
2024-09-11
xlabb stealer
blx stealer
Published: September 11, 2024
Downloadable IOCs: 5

StopRansomware: RansomHub Ransomware

RansomHub is a ransomware-as-a-service variant that has targeted over 210 victims across various critical infrastructure sectors since February 2024. It employs a double-extortion model, encrypting systems and exfiltrating data. The ransom note provides victims with a client ID and instructions to …
privilege-escalation
cobalt strike
encryption
CVE-2020-1472
ransomware-as-a-service
ransomhub
mimikatz
CVE-2023-3519
2024-08-30
metasploit
CVE-2023-22515
CVE-2023-46604
CVE-2017-0144
CVE-2023-48788
double-extortion
CVE-2023-27997
data-exfiltration
CVE-2023-46747
critical-infrastructure
CVE-2020-0787
lateral-movement
Published: August 30, 2024
Linked vulnerabilities : CVE-2020-1472, CVE-2023-46604, CVE-2023-22515, CVE-2020-0787, CVE-2017-0144, CVE-2023-3519, CVE-2023-27997, CVE-2023-48788, CVE-2023-46747
Downloadable IOCs: 14

Likely compromise of Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

A government-affiliated Taiwanese research institute specializing in computing technologies experienced a cyber intrusion likely carried out by the Chinese hacking group APT41. The attackers employed ShadowPad malware, Cobalt Strike, and custom tools, exploiting vulnerabilities like CVE-2018-0824 f…
apt
cobalt strike
credential theft
cobaltstrike
shadowpad
data exfiltration
2024-08-02
poisonplug.shadow
CVE-2018-0824
unmarshalpwn
Published: August 2, 2024
Linked vulnerabilities : CVE-2018-0824
Downloadable IOCs: 13

Mint Stealer: A Comprehensive Study of a Python-Based Information Stealer

At Cyfirma, this report offers a comprehensive analysis of Mint Stealer, an information-stealing malware operating within a malware-as-a-service (MaaS) framework. Mint Stealer targets sensitive data and uses sophisticated techniques to evade detection. This in-depth study explores Mint Stealer's ev…
malware-as-a-service
data exfiltration
2024-07-31
information stealer
mint stealer
evasion tactics
Published: July 31, 2024
Downloadable IOCs: 10

Kematian-Stealer: A Deep Dive into a New Information Stealer

This report provides an in-depth analysis of a newly discovered information stealer named Kematian-Stealer, actively developed on GitHub and distributed as open-source software. The malware employs various techniques to collect sensitive data from compromised systems, evade detection, and maintain …
malware
stealer
persistence
data exfiltration
github
2024-07-10
kematian-stealer
Published: July 10, 2024
Downloadable IOCs: 4

BlackSuit Ransomware: Insights and Defense Strategies

This report provides an in-depth analysis of the BlackSuit ransomware, a threat that has been actively targeting various sectors since May 2023. It presents statistics from incident response engagements, explores the ransomware's behavior and technical analysis, and offers insights into the potenti…
ransomware
encryption
data exfiltration
2024-07-08
blacksuit
cybersecurity
threat analysis
Published: July 8, 2024
Downloadable IOCs: 8

Phishing Incident Report: Facts and Timeline

On June 18, 2024, an employee's account at ANY.RUN was compromised and used to carry out a phishing attack against the company's entire contact list. The initial compromise occurred on May 27 through an AiTM phishing campaign targeting the employee. Over the following weeks, the attacker maintained…
phishing
2024-06-25
data exfiltration
incident response
mfa bypass
email compromise
Published: June 25, 2024
Downloadable IOCs: 9
Click here to see more Attack Reports