Tag: data exfiltration

103 Attack Reports | 0 Vulnerabilities

Attack reports

4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign

A threat actor named ShadyPanda has been identified as responsible for a seven-year browser extension campaign that has infected 4.3 million Chrome and Edge users. The campaign includes two active operations: a 300,000-user RCE backdoor and a 4-million-user spyware operation. ShadyPanda's extension…
spyware
data exfiltration
malware campaign
chrome
edge
browser extension
trust exploitation
2025-12-03
infinity v+
clean master
wetab
rce backdoor
Published: December 3, 2025
Downloadable IOCs: 0

Striking Panda Attacks: APT31 Today

APT31, a Chinese cyber espionage group, has been actively targeting the Russian IT sector from 2024 to 2025, particularly companies working as contractors for government agencies. The group uses sophisticated tactics to remain undetected, including leveraging cloud services as command and control i…
malware
cyber espionage
chinese
data exfiltration
cloudsorcerer
grewapacha
cloud services
2025-11-27
localplugx
coffproxy
vtchatter
it sector
onedrivedoor
cloudyloader
auftime
government contractors
yaleak
Published: November 27, 2025
Downloadable IOCs: 11

Kimsuky's Ongoing Evolution of KimJongRAT and Expanding Threats

This analysis examines the latest attack flow of the KimJongRAT variant, attributed to the North Korean threat actor Kimsuky. The malware has evolved to include both PE-based and PowerShell-based attack chains, which have been merged into a single workflow. The attackers use phishing emails for ini…
phishing
north korea
babyshark
powershell
credential theft
keylogging
data exfiltration
spear-phishing
browser credentials
kimjongrat
2025-11-24
pe executable
Published: November 24, 2025
Downloadable IOCs: 13

ShadowRay 2.0: Active Global Campaign Hijacks Ray AI Infrastructure Into Self-Propagating Botnet

A global hacking campaign dubbed ShadowRay 2.0 has been discovered, exploiting a vulnerability in the Ray AI framework to seize control of computing clusters and create a self-replicating botnet. The attackers use GitLab and GitHub for payload delivery, leveraging AI-generated code to adapt their m…
xmrig
ddos
botnet
cryptojacking
data exfiltration
self-propagation
devops
2025-11-19
CVE-2023-48022
ai infrastructure
sockstress
ray framework
Published: November 19, 2025
Downloadable IOCs: 0

Cat's Got Your Files: Lynx Ransomware

A threat actor gained initial access to a network via RDP using compromised credentials, likely obtained through an infostealer, data breach, or initial access broker. They quickly moved laterally to a domain controller, created multiple impersonation accounts with high privileges, and installed An…
ransomware
lateral movement
rdp
backup deletion
data exfiltration
lynx ransomware
credential abuse
2025-11-17
network reconnaissance
Published: November 17, 2025
Downloadable IOCs: 7

Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics

Trend Research observed a resurgence in Lumma Stealer activity since October 20, 2025, accompanied by new behaviors and C&C techniques. The malware now employs browser fingerprinting as part of its command-and-control tactics, collecting and exfiltrating system, network, hardware, and browser data …
infostealer
lumma stealer
data exfiltration
process injection
evasion techniques
command-and-control
ghostsocks
browser fingerprinting
2025-11-14
cybercriminal activity
Published: November 14, 2025
Downloadable IOCs: 3

LeakyInjector and LeakyStealer Duo Hunts For Crypto and Browser History

A new two-stage malware named LeakyInjector and LeakyStealer has been identified, targeting cryptocurrency wallets and browser history. LeakyInjector uses low-level APIs for injection to avoid detection and injects LeakyStealer into explorer.exe. LeakyStealer implements a polymorphic engine to modi…
cryptocurrency
persistence
injection
polymorphic
data-exfiltration
2025-11-07
two-stage
leakystealer
browser-history
leakyinjector
Published: November 7, 2025
Downloadable IOCs: 5

Velociraptor leveraged in ransomware attacks

A ransomware attack involving the use of Velociraptor, an open-source digital forensics tool, has been linked to the threat actor Storm-2603. The attackers deployed Warlock, LockBit, and Babuk ransomware to encrypt virtual machines and servers. They exploited a vulnerability in an outdated version …
ransomware
windows
privilege-escalation
lockbit
data-exfiltration
babuk
vmware
warlock
2025-10-09
CVE-2025-6264
velociraptor
open-source-tools
Published: October 9, 2025
Linked vulnerabilities : CVE-2025-6264
Downloadable IOCs: 5

Shuyal Stealer: Advanced Infostealer Targeting 19 Browsers

Shuyal Stealer is a sophisticated infostealer malware targeting 19 different browsers. It conducts deep system reconnaissance, collecting detailed hardware information and user data. The malware disables Windows Task Manager, ensures persistence through startup folder insertion, and exfiltrates sto…
evasion
powershell
infostealer
persistence
data exfiltration
system reconnaissance
telegram bot
browser targeting
2025-10-08
shuyal stealer
Published: October 8, 2025
Downloadable IOCs: 1

New spyware campaigns target privacy-conscious Android users in the UAE

Two Android spyware campaigns, ProSpy and ToSpy, have been discovered targeting users in the United Arab Emirates. These campaigns impersonate secure messaging apps like Signal and ToTok, distributing malware through deceptive websites and social engineering tactics. Once installed, the spyware exf…
phishing
android
persistence
spyware
data exfiltration
uae
signal
2025-10-02
android/spy.tospy
totok
app impersonation
android/spy.prospy
Published: October 2, 2025
Downloadable IOCs: 30

Cybercrime Observations from the Frontlines: UNC6040 Proactive Hardening Recommendations

This analysis focuses on UNC6040, a financially motivated threat group specializing in voice phishing campaigns targeting Salesforce instances. The group employs social engineering tactics to trick employees into granting access or sharing credentials, facilitating large-scale data theft and extort…
social engineering
voice phishing
data exfiltration
multi-factor authentication
detection
salesforce
2025-10-01
access control
logging
identity verification
data loader
connected apps
Published: October 1, 2025
Linked vulnerabilities : CVE-2025-53690
Downloadable IOCs: 2

From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

A user executed a malicious JavaScript file linked to Lunar Spider, initiating a two-month intrusion. The file downloaded a Brute Ratel DLL, which then injected Latrodectus malware. The threat actor used various tools including Cobalt Strike, BackConnect, and a custom .NET backdoor for persistence …
cobalt strike
javascript
latrodectus
data-exfiltration
lateral-movement
brute ratel c4
backconnect
credential-harvesting
cobalt-strike
2025-09-29
Published: September 29, 2025
Downloadable IOCs: 0

Kimsuky Attack Disguised as Sex Offender Notification Information

In late July 2025, an organized APT attack using shortcut files was discovered, attributed to the North Korean Kimsuky group. The attackers distribute decoy zip files containing password-protected documents and a disguised shortcut file. When executed, it connects to a C2 server, downloads encrypte…
apt
north korea
data exfiltration
cryptocurrency theft
spear-phishing
anti-vm
2025-09-24
browser hijacking
Published: September 24, 2025
Downloadable IOCs: 7

Unmasking Akira: The ransomware tactics you can't afford to ignore

The Akira ransomware group has been targeting UK businesses since 2023, primarily affecting retail, finance, manufacturing, and medical sectors. Their tactics include exploiting SSL VPNs, using double extortion, and focusing on financial gain. Key observations from 2023-2025 include initial access …
ransomware
encryption
credential theft
data exfiltration
akira
CVE-2023-27532
CVE-2024-40766
CVE-2024-40711
double extortion
CVE-2023-20269
2025-09-22
backup destruction
Published: September 22, 2025
Downloadable IOCs: 0

DeerStealer Malware Campaign: Stealth, Persistence, and Rootkit-Like Capabilities

DeerStealer is a sophisticated information-stealing malware that targets a wide range of user and system data. It employs deception techniques, persistence mechanisms, and rootkit-like capabilities to evade detection and maintain stealth on compromised systems. The malware uses signed executables, …
rootkit
persistence
information-stealing
deerstealer
data-exfiltration
stealth
uac-bypass
2025-09-20
multi-stage-execution
xfiles spyware
Published: September 20, 2025
Downloadable IOCs: 0

Malicious PyPI Packages Deliver SilentSync RAT

Two malicious Python packages, sisaws and secmeasure, were discovered in the Python Package Index (PyPI) repository. These packages, created by the same author, deliver a Remote Access Trojan (RAT) called SilentSync. The RAT is capable of remote command execution, file exfiltration, screen capturin…
rat
python
typosquatting
supply chain
data theft
remote access
pypi
data-exfiltration
supply-chain-attack
browser-data-theft
2025-09-18
silentsync
2025-09-19
python packages
Published: September 19, 2025
Downloadable IOCs: 0

AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks

AdaptixC2, an open-source post-exploitation and adversarial emulation framework, has been observed being used in real-world attacks. This versatile tool allows threat actors to execute commands, transfer files, and perform data exfiltration on compromised systems. Its open-source nature enables eas…
social engineering
foggyweb
data exfiltration
open-source
post-exploitation
c2 framework
tunneling
adaptixc2
2025-09-10
ai-generated scripts
adversarial emulation
Published: September 10, 2025
Downloadable IOCs: 0

Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed

The Gentlemen ransomware group has emerged as a sophisticated threat actor targeting multiple industries across 17 countries, with a focus on the Asia-Pacific region. Their campaign demonstrates advanced capabilities, including the use of custom tools to bypass enterprise endpoint protections, expl…
ransomware
lateral movement
data exfiltration
defense evasion
custom tools
driver abuse
2025-09-09
the gentlemen ransomware
group policy manipulation
enterprise targeting
Published: September 9, 2025
Downloadable IOCs: 0

Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs

This intelligence report details a sophisticated cyber intrusion with links to three major ransomware groups: Play, RansomHub, and DragonForce. The attack began with a malicious file impersonating DeskSoft's EarthTime application, which deployed SectopRAT malware. The threat actors used various too…
ransomware
lateral movement
data exfiltration
sectoprat
systembc
grixba
2025-09-08
multi-group affiliation
betruger
multi-group operation
Published: September 8, 2025
Downloadable IOCs: 0

Windows Targeted with Rust Backdoor and Python Loader

APT37, a North Korean threat actor, has been observed using new tactics and tools in recent campaigns. They have deployed a Rust-based backdoor named Rustonotto, alongside the existing PowerShell-based Chinotto malware and FadeStealer. The group utilizes Windows shortcut files and help files as ini…
surveillance
data exfiltration
spear phishing
code injection
2025-09-08
chinotto
fadestealer
rust backdoor
rustonotto
Published: September 8, 2025
Downloadable IOCs: 1

An Analysis of the AMOS Stealer Campaign Targeting macOS via 'Cracked' Apps

This analysis examines a campaign distributing Atomic macOS Stealer (AMOS), targeting macOS users through fake 'cracked' applications. Attackers use two main delivery methods: malicious .dmg installers and terminal commands that bypass Gatekeeper protection. AMOS employs rotating domains to evade d…
social engineering
stealer
persistence
macos
data exfiltration
amos
atomic macos stealer
2025-09-04
cracked apps
gatekeeper bypass
Published: September 4, 2025
Downloadable IOCs: 0

Not Safe for Work: Tracking and Investigating Stealerium and Phantom Infostealers

Proofpoint researchers have observed an increase in cybercriminals using Stealerium-based malware, an open-source infostealer available on GitHub. Multiple stealers share code with Stealerium, including Phantom Stealer. Campaigns delivering Stealerium have used various lures and file types, targeti…
infostealer
anti-analysis
cybercrime
data exfiltration
snake keylogger
stealerium
2025-09-04
warp stealer
phantom stealer
Published: September 4, 2025
Downloadable IOCs: 8

Google Salesforce Breach: A Deep dive into the chain and extent of the compromise

In June 2025, Google's Salesforce instance was breached by UNC6040 & UNC6240 using vishing, OAuth app abuse, and anonymity layers. The attackers stole business data of small and medium-sized clients. A parallel attack by UNC6395 compromised Salesloft Drift's Salesforce integration, affecting hundre…
social engineering
vishing
cloud security
data exfiltration
tor
oauth
2025-09-03
salesforce
saas security
Published: September 3, 2025
Downloadable IOCs: 19

UNVEILING A PYTHON STEALER – INF0S3C STEALER

Inf0s3c Stealer is a sophisticated Python-based malware designed to collect system information and user data. It systematically gathers host identifiers, CPU information, network configuration, and captures screenshots. The malware enumerates running processes, generates directory views, and compil…
python
stealer
discord
data exfiltration
pyinstaller
system reconnaissance
upx packing
2025-09-03
windows api
blank grabber
inf0s3c stealer
umbral-stealer
Published: September 3, 2025
Downloadable IOCs: 1

Operation HanKook Phantom: Spear-Phishing Campaign

APT37, a North Korean state-backed cyber espionage group, has launched a sophisticated spear-phishing campaign targeting South Korean government sectors, research institutions, and academics. The attackers use malicious LNK files disguised as legitimate documents to deliver a multi-stage infection …
espionage
north korea
powershell
rokrat
south korea
data exfiltration
fileless
spear-phishing
cloud services
lnk files
2025-08-29
Published: August 29, 2025
Downloadable IOCs: 0

Backdoor in "AppSuite PDF Editor": A Detailed Technical Analysis

A detailed analysis of a malicious PDF editor application called AppSuite PDF Editor reveals it to be a sophisticated backdoor. The software, masquerading as a legitimate productivity tool, is distributed through high-ranking websites. Once installed, it creates scheduled tasks and establishes pers…
backdoor
trojan
data exfiltration
aes encryption
command and control
scheduled tasks
browser manipulation
2025-08-28
appsuite pdf editor
pdf editor
appsuite
Published: August 28, 2025
Downloadable IOCs: 9

From SharePoint Vulnerability Exploit to Enterprise Ransomware

The Warlock ransomware group exploited unpatched Microsoft SharePoint servers to gain initial access and deploy ransomware across enterprise environments. The attack chain involved exploiting vulnerabilities, privilege escalation through Group Policy modification, credential theft using Mimikatz, l…
ransomware
lockbit
vulnerability
credential theft
dll sideloading
lateral movement
data exfiltration
CVE-2023-27532
lockbit 3.0
sharepoint
warlock
2025-08-20
Published: August 20, 2025
Downloadable IOCs: 0

SOC files: an APT41 attack on government IT services in Africa

Kaspersky's MDR team detected a targeted attack by APT41 against government IT services in Africa. The attackers used Impacket tools, Cobalt Strike, and custom agents for lateral movement and data collection. They leveraged DLL sideloading techniques and publicly available tools like Mimikatz and R…
cobalt strike
government
dll sideloading
africa
credential harvesting
lateral movement
mimikatz
data exfiltration
web shell
sharepoint
targeted attack
2025-07-21
checkout
pillager
2025-08-20
Published: August 20, 2025
Downloadable IOCs: 0

Legitimate Chrome VPN Extension Turns to Browser Spyware

A popular Chrome VPN extension, FreeVPN.One, with over 100,000 installs has transformed into spyware. Initially legitimate, the extension began capturing screenshots of users' online activities and collecting sensitive information after an update in April 2025. The spyware operates covertly, automa…
spyware
vpn
data exfiltration
chrome extension
browser security
google web store
2025-08-19
screenshot capture
freevpn.one
user privacy
Published: August 19, 2025
Downloadable IOCs: 3

This 'SAP Ariba Quote' Isn't What It Seems—It's Ransomware

A sophisticated ransomware campaign has been uncovered, masquerading as a new SAP Ariba tool. The attack uses email lures, sender spoofing, and impersonation of legitimate software vendors to deliver LeeMe Ransomware. The malware employs SAP branding, a fake GUI, and a Portuguese ransom note. It ta…
phishing
social engineering
ransomware
encryption
bitcoin
keylogger
data exfiltration
2025-08-15
sap ariba
leeme ransomware
Published: August 15, 2025
Downloadable IOCs: 0

Atomic macOS Stealer includes a backdoor for persistent access

The Atomic macOS Stealer (AMOS) has received a major update, now including an embedded backdoor for persistent access to compromised Mac devices. This upgrade allows attackers to maintain access, run remote tasks, and gain extended control over infected machines. The Russia-affiliated AMOS threat g…
backdoor
cryptocurrency
macos
data exfiltration
amos
atomic macos stealer
spear-phishing
spear phishing
command-and-control
persistent access
russia-affiliated
2025-07-10
2025-08-08
Published: August 8, 2025
Downloadable IOCs: 6

New Arsenal: LAMEHUG, the First AI-Powered Malware

APT28, a Russian threat group, has developed LAMEHUG, a Python-based malware that utilizes AI to generate and execute system commands. This malware, targeting Ukraine's security and defense sector, begins with a phishing email containing a malicious attachment. LAMEHUG employs the Qwen 2.5-Coder-32…
phishing
python
ukraine
reconnaissance
data exfiltration
2025-08-07
ai-powered malware
hugging face api
lamehug
Published: August 7, 2025
Downloadable IOCs: 0

From Reconnaissance to Control: The Operational Blueprint of Kimsuky APT for Cyber Espionage

This report details a cyber-espionage campaign attributed to Kimsuky, a North Korean APT group, targeting South Korean entities. The attack uses malicious Windows shortcut files as initial access, followed by obfuscated scripts and a sophisticated malware framework. The malware performs extensive s…
obfuscation
apt43
powershell
keylogging
data exfiltration
2025-08-07
Published: August 7, 2025
Downloadable IOCs: 0

From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira

A sophisticated cyber attack campaign leveraged SEO poisoning to compromise organizations through trojanized IT management tool installers. The attack began when users searching for ManageEngine OpManager were directed to a malicious website, downloading a compromised MSI file that installed Bumble…
ransomware
seo poisoning
credential theft
lateral movement
data exfiltration
akira
bumblebee
2025-08-07
rustdesk
it management tools
adaptixc2
Published: August 7, 2025
Downloadable IOCs: 0

Bumblebee Malware SEO Poisoning Campaign Leads to Akira Ransomware Deployment

A coordinated threat campaign has been identified leveraging SEO poisoning to distribute Bumblebee malware via trojanized installers of IT management tools. The campaign targets users searching for legitimate software like ManageEngine OpManager. Upon execution, Bumblebee establishes initial access…
seo poisoning
lateral movement
data exfiltration
akira
credential dumping
bumblebee
initial access
akira ransomware
trojanized installers
2025-08-05
Published: August 5, 2025
Downloadable IOCs: 19

RAVEN STEALER UNMASKED: Telegram-Based Data Exfiltration

Raven Stealer is a modern information-stealing malware developed in Delphi and C++, designed to extract sensitive data from victim machines. It targets Chromium-based browsers, extracting passwords, cookies, payment details, and autofill information. The malware uses a modular architecture and a bu…
infostealer
credential theft
information-stealing
data exfiltration
github
telegram
c++
browser data
delphi
octalyn stealer
2025-07-26
raven stealer
upx packing
2025-08-01
Published: August 1, 2025
Downloadable IOCs: 0

MaaS Appeal: An Infostealer Rises From The Ashes

NOVABLIGHT is a NodeJS-based Malware-as-a-Service (MaaS) information stealer developed by a French-speaking threat group. It's sold as an educational tool but used for credential theft and cryptowallet compromise. The malware features heavy obfuscation, multiple anti-analysis techniques, and variou…
obfuscation
infostealer
anti-analysis
electron
credential theft
data exfiltration
maas
nodejs
2025-07-31
nova sentinel
malicord
novablight
Published: July 31, 2025
Downloadable IOCs: 8

Getting to the Crux (Ransomware) of the Matter

A new ransomware variant named Crux has been identified, claiming association with the BlackByte group. Observed in three separate incidents, Crux encrypts files with a .crux extension and leaves ransom notes. Initial access appears to involve Remote Desktop Protocol (RDP) using valid credentials. …
ransomware
rclone
rdp
svchost
data exfiltration
process injection
2025-07-21
bcdedit
crux
Published: July 21, 2025
Downloadable IOCs: 3

Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor

A financially-motivated threat actor, UNC6148, is targeting fully patched end-of-life SonicWall SMA 100 series appliances. They are using stolen credentials and OTP seeds from previous intrusions to regain access. The actor has deployed a new persistent backdoor/user-mode rootkit called OVERSTEP, w…
backdoor
rootkit
credential theft
vpn
data exfiltration
sonicwall
CVE-2025-32819
2025-07-18
overstep
CVE-2021-20038
CVE-2024-38475
CVE-2021-20039
CVE-2021-20035
sma
Published: July 18, 2025
Linked vulnerabilities : CVE-2025-32819 (CVSS 8.8), CVE-2021-20039, CVE-2023-44221, CVE-2021-20035, CVE-2024-38475, CVE-2021-20038
Downloadable IOCs: 4

Powerful MaaS On the Prowl for Credentials and Crypto Assets

Katz Stealer is a sophisticated infostealer marketed as Malware-as-a-Service (MaaS), launched in early 2025. It features robust credential and data theft capabilities, along with modern evasion and anti-analysis techniques. The stealer targets a wide range of personal and sensitive information, inc…
infostealer
cryptocurrency
credential theft
data exfiltration
maas
evasion techniques
browser injection
katz stealer
2025-07-17
Published: July 17, 2025
Downloadable IOCs: 31

A Hybrid Approach with Data Exfiltration and Encryption

The BlackSuit ransomware group, believed to be a rebrand of Royal ransomware, has emerged as a significant threat to organizations. This sophisticated attack combines data exfiltration and encryption, utilizing tools like Cobalt Strike for command and control, rclone for data exfiltration, and Blac…
ransomware
cobalt strike
rclone
encryption
data exfiltration
blacksuit
2025-07-12
Published: July 12, 2025
Downloadable IOCs: 0

Spyware Targets Employees via Weaponized Word Documents Delivering Malware Payloads

An unidentified spyware called Batavia has been targeting Russian industrial organizations since July 2024 through a sophisticated phishing operation. The campaign uses bait emails disguised as contract agreements to trick employees into downloading malicious scripts, initiating a multi-stage infec…
phishing
spyware
data exfiltration
evasion tactics
multi-stage attack
batavia
2025-07-09
c++ malware
persistence mechanisms
russian targets
vbs scripts
delphi executable
Published: July 9, 2025
Downloadable IOCs: 2

Hide Your RDP: Password Spray Leads to RansomHub Deployment

This report details a cyberattack where threat actors gained initial access through a password spray attack on an exposed RDP server. They used Mimikatz and Nirsoft for credential harvesting, and employed living-off-the-land techniques along with tools like Advanced IP Scanner for network discovery…
ransomware
credential theft
lateral movement
rdp
ransomhub
mimikatz
data exfiltration
password spray
living-off-the-land
2025-06-30
Published: June 30, 2025
Downloadable IOCs: 9

Strategic Pivot: From Browser Stealer to Data Exfiltration Platform During Critical Ukraine Negotiations

The cyber-espionage group UAC-0226 has significantly evolved its GIFTEDCROOK malware from a basic browser data stealer to a robust intelligence-gathering tool. Three versions were identified between April-June 2025, with the latest iterations capable of exfiltrating a wide range of sensitive docume…
ukraine
data exfiltration
telegram
geopolitical
spear-phishing
cyber-espionage
2025-06-27
giftedcrook
Published: June 27, 2025
Linked vulnerabilities : CVE-2025-5777 (CVSS 9.3)
Downloadable IOCs: 11

Caught in the Act: Uncovering SpyNote in Unexpected Places

Multiple samples of SpyNote, a sophisticated Android spyware, were discovered in open directories, disguised as legitimate apps like Google Translate, Temp Mail, and Deutsche Postbank. The malware exploits accessibility services and device administrator privileges to steal sensitive information fro…
android
spyware
spynote
data exfiltration
c2 infrastructure
open directories
accessibility services
2025-06-20
device administrator
malicious apps
Published: June 20, 2025
Downloadable IOCs: 2

Masslogger Fileless Variant – Spreads via .VBE, Hides in Registry

A sophisticated variant of the Masslogger credential stealer malware has been identified spreading through .VBE files. This multi-stage fileless malware heavily relies on Windows Registry to store and execute its malicious payload. The infection begins with a .VBE file, likely distributed via spam …
obfuscation
persistence
windows registry
vbscript
data exfiltration
process hollowing
credential stealer
fileless malware
2025-06-18
masslogger
Published: June 18, 2025
Downloadable IOCs: 1

Clone, Compile, Compromise: Open-Source Malware Trap on GitHub

A newly identified threat actor, Water Curse, is exploiting GitHub to deliver weaponized repositories containing multistage malware. The group has been linked to at least 76 GitHub accounts, targeting cybersecurity professionals, game developers, and DevOps teams. Their malware enables data exfiltr…
supply chain
persistence
privilege escalation
data exfiltration
open-source
github
anti-debugging
2025-06-16
backdoor.js.dullrat
multistage malware
Published: June 16, 2025
Downloadable IOCs: 0

Understanding CyberEYE RAT Builder: Capabilities and Implications

CyberEye is a modular, .NET-based Remote Access Trojan that utilizes Telegram for Command and Control, eliminating the need for attackers to maintain their own infrastructure. It offers a wide array of surveillance and data theft capabilities, including keylogging, file grabbing, and clipboard hija…
rat
persistence
anti-analysis
credential theft
data exfiltration
telegram
2025-06-13
cybereye
windows defender evasion
telegramrat
Published: June 13, 2025
Downloadable IOCs: 0

Operation Sindoor – Anatomy of a Digital Siege

Operation Sindoor, a coordinated cyber campaign targeting critical Indian sectors, involved state-sponsored APT activity and hacktivist operations. The campaign utilized spear phishing, malicious scripts, website defacements, and data leaks. APT36, a Pakistan-aligned threat group, deployed advanced…
apt
crimson rat
ares rat
ddos
cyber espionage
hacktivism
data exfiltration
spear phishing
operation sindoor
2025-06-04
hybrid warfare
website defacement
Published: June 4, 2025
Downloadable IOCs: 0

PyPI Supply Chain Attack Uncovered: Colorama and Colorizr Name Confusion

A malicious package campaign targeting Python and NPM users on Windows and Linux has been discovered. The attack uses typo-squatting and name-confusion tactics against the popular colorama Python package and the similar colorizr JavaScript package. Multiple packages with risky payloads were uploade…
typosquatting
remote-access
npm
pypi
data-exfiltration
supply-chain-attack
2025-06-02
colorama
colorizr
Published: June 2, 2025
Downloadable IOCs: 2

Chasing Eddies: New Rust-based InfoStealer used in CAPTCHA campaigns

A novel Rust-based infostealer called EDDIESTEALER has been discovered, distributed through fake CAPTCHA campaigns. The malware uses deceptive verification pages to trick users into executing a malicious PowerShell script, which deploys the infostealer. EDDIESTEALER targets sensitive data including…
powershell
infostealer
cryptocurrency
rust
data exfiltration
captcha
2025-05-29
eddiestealer
Published: May 29, 2025
Downloadable IOCs: 27

Russian Unit 26165 Targets Western Logistics and Technology Companies

Chihuahua Infostealer is a sophisticated .NET-based malware discovered in April 2025, targeting browser credentials and cryptocurrency wallet data. It employs multi-stage delivery through obfuscated PowerShell scripts, often using trusted platforms like Google Drive for initial distribution. The ma…
obfuscation
powershell
infostealer
persistence
data-exfiltration
2025-05-27
crypto-wallet-theft
chihuahua infostealer
browser-data-theft
.net-malware
Published: May 27, 2025
Downloadable IOCs: 10

China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) Vulnerability

A critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM) is being actively exploited by a China-nexus threat actor, UNC5221. The exploitation targets internet-facing EPMM deployments across various sectors including healthcare, telecommunications, and government. The attackers utilize unau…
ivanti
sliver
data exfiltration
china-nexus
auto-color
2025-05-21
krustyloader
frp
unauthenticated rce
epmm
CVE-2025-4427
CVE-2025-4428
Published: May 21, 2025
Linked vulnerabilities : CVE-2025-22457 (CVSS 9.0), CVE-2025-31324 (CVSS 10.0), CVE-2025-4428, CVE-2025-4427
Downloadable IOCs: 12

New Nitrogen Ransomware Targets Financial Firms in the US, UK and Canada

Nitrogen, a new ransomware strain identified in September 2024, has become a significant threat to organizations worldwide, particularly in the financial sector. It encrypts critical data and demands substantial payments for decryption, targeting industries such as finance, construction, manufactur…
ransomware
malvertising
cobalt strike
meterpreter
data exfiltration
nitrogen
2025-05-20
vulnerable driver
Published: May 20, 2025
Downloadable IOCs: 2

Operation RoundPress targeting high-value webmail servers

ESET researchers have uncovered a Russia-aligned espionage operation named RoundPress, targeting high-value webmail servers through XSS vulnerabilities. The campaign, attributed to the Sednit group, aims to steal confidential data from specific email accounts. Initially focused on Roundcube in 2023…
espionage
spearphishing
russia
zero-day
credential theft
xss
data exfiltration
CVE-2024-27443
CVE-2024-11182
2025-05-15
2025-05-18
webmail
eastern europe
spypress.roundcube
spypress.mdaemon
CVE-2023-43770
spypress.zimbra
spypress.horde
Published: May 18, 2025
Linked vulnerabilities : CVE-2024-27443, CVE-2024-11182 (CVSS 6.1), CVE-2020-35730, CVE-2023-23397, CVE-2023-43770
Downloadable IOCs: 16

Marbled Dust leverages zero-day in Output Messenger for regional espionage

A Türkiye-affiliated espionage threat actor, Marbled Dust, has been exploiting a zero-day vulnerability in Output Messenger since April 2024. The attacks target Kurdish military entities in Iraq, allowing the actor to deliver malicious files and exfiltrate data. The exploit involves a directory tra…
backdoor
espionage
zero-day
golang
data exfiltration
iraq
dns hijacking
CVE-2025-27920
CVE-2025-27921
2025-05-12
omserverservice.exe
omserverservice.vbs
omclientservice.exe
kurdistan
output messenger
2025-05-13
directory traversal
om.vbs
Published: May 13, 2025
Linked vulnerabilities : CVE-2025-27920 (CVSS 9.8), CVE-2025-27921 (CVSS 6.1)
Downloadable IOCs: 3

Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors

An APT group named Earth Kurma is actively targeting government and telecommunications organizations in Southeast Asia, particularly in the Philippines, Vietnam, Thailand, and Malaysia. The campaign, which dates back to November 2020, employs advanced custom malware, rootkits, and cloud storage ser…
apt
rootkit
data exfiltration
2025-05-01
tesdat
simpoboxspy
moriya
krnrat
Published: May 1, 2025
Downloadable IOCs: 58

HANNIBAL Stealer: A Rebranded Threat Born from Sharp and TX Lineage

The Hannibal Stealer is a sophisticated information stealer targeting Chromium and Gecko-based browsers, developed in C# and operating on the .NET Framework. It bypasses Chrome Cookie V20 protection and steals data from cryptocurrency wallets, FTP clients, VPNs, and messaging apps. The malware perf…
cryptocurrency
sharp stealer
data exfiltration
information stealer
browser data theft
geofencing
2025-04-26
hannibal stealer
tx stealer
vpn credentials
c2 panel
telegram channels
2025-04-30
rebranded malware
vpn credential theft
Published: April 30, 2025
Downloadable IOCs: 4

Gremlin Stealer: New Stealer on Sale in Underground Forum

A new information-stealing malware called Gremlin Stealer, written in C#, has been identified by researchers. Advertised on Telegram since March 2025, it targets a wide range of data including browser information, crypto wallets, FTP and VPN credentials. The malware exfiltrates stolen data to a web…
infostealer
cryptocurrency
vpn
data exfiltration
telegram
browser
2025-04-29
c#
ftp
gremlin stealer
Published: April 29, 2025
Downloadable IOCs: 2

FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE

An investigation of nine malware samples revealed FOG ransomware being distributed by cybercriminals impersonating the Department of Government Efficiency (DOGE). The ransomware, spread via email and phishing attacks, is concealed in a ZIP file named 'Pay Adjustment.zip'. The infection chain involv…
phishing
ransomware
foggyweb
privilege escalation
data exfiltration
sandbox evasion
multi-stage
2025-04-21
doge
Published: April 21, 2025
Downloadable IOCs: 6

Newly Registered Domains Distributing SpyNote Malware

Cybercriminals are employing deceptive websites on newly registered domains to distribute AndroidOS SpyNote malware. These sites imitate the Google Chrome install page on the Google Play Store, tricking users into downloading SpyNote, a powerful Android remote access trojan. SpyNote is used for sur…
rat
phishing
android
spynote
remote access
keylogging
data exfiltration
spymax
google play store
2025-04-10
apk dropper
androidos
2025-04-15
Published: April 15, 2025
Downloadable IOCs: 0

APT Targets South Korea with Deceptive PDF Lures

The Kimsuky APT group, also known as Black Banshee, has been actively targeting South Korean government entities using evolving tactics. Two distinct campaigns were uncovered, both utilizing government-themed PDF documents as lures. The infection chain begins with a phishing email containing a mali…
obfuscation
apt
phishing
south korea
keylogging
lnk file
data exfiltration
cryptocurrency theft
snakekeylogger
2025-04-04
vba script
Published: April 4, 2025
Downloadable IOCs: 0

Analysis of New Mobile Banking Malware

Salvador Stealer is a newly discovered Android malware that poses as a banking application to steal sensitive user information. It employs a multi-stage attack chain, utilizing a dropper APK to install the main payload. The malware incorporates a phishing website within the app to collect personal …
phishing
android
persistence
banking
data exfiltration
credential stealing
sms interception
otp theft
2025-04-01
salvador stealer
Published: April 1, 2025
Downloadable IOCs: 0

Analysis of Konni RAT: Stealth, Persistence, and Anti-Analysis Techniques

Konni RAT, a sophisticated remote access Trojan targeting Windows systems, employs a multi-stage attack process using batch files, PowerShell scripts, and VBScript. It exploits Windows Explorer limitations, obfuscates file paths, dynamically generates URLs, and uses temporary files to erase activit…
windows
persistence
anti-analysis
data exfiltration
multi-stage attack
stealth techniques
remote access trojan
2025-04-01
konni rat
Published: April 1, 2025
Downloadable IOCs: 0

SVC New Stealer on the Horizon

SvcStealer 2025 is a newly discovered information stealer malware distributed through spear phishing emails. It targets sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates speci…
cryptocurrency
data exfiltration
information stealer
c2 communication
evasion techniques
spear phishing
2025-03-21
svcstealer
Published: March 21, 2025
Downloadable IOCs: 0

New Ransomware Operator Exploits Fortinet Vulnerability Duo

A new ransomware operator, dubbed Mora_001, has been exploiting Fortinet firewall vulnerabilities CVE-2024-55591 and CVE-2025-24472 to gain unauthorized access and deploy a modified version of LockBit ransomware. The threat actor creates persistent admin accounts, exfiltrates firewall configuration…
ransomware
lockbit
lateral movement
data exfiltration
fortinet
firewall
CVE-2024-55591
CVE-2025-24472
2025-03-14
superblack
wipeblack
Published: March 14, 2025
Downloadable IOCs: 23

Malicious Packages Identified in the Wild: Insights and Trends from November 2024 Onward

FortiGuard Labs has analyzed malicious software packages detected from November 2024 to March 2025, revealing various attack techniques used to exploit system vulnerabilities. Key findings include 1,082 packages with low file counts, 1,052 packages with suspicious install scripts, and 1,043 package…
obfuscation
python
typosquatting
node.js
backdoors
data exfiltration
vulnerability exploitation
2025-03-10
install scripts
software packages
Published: March 10, 2025
Downloadable IOCs: 11

Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency

A new malware called Zhong Stealer has been identified targeting the cryptocurrency and fintech sectors through a phishing campaign. The attackers exploited chat support platforms, posing as customers to trick agents into downloading the malware. Zhong Stealer's execution flow involves multiple sta…
phishing
cryptocurrency
persistence
credential theft
data exfiltration
fintech
2025-02-18
zhong stealer
Published: February 18, 2025
Downloadable IOCs: 5

CL0P Ransomware: Latest Attacks

The Cl0p ransomware group has recently targeted 43 organizations across various industries, with a focus on Manufacturing, Retail, and Transportation sectors. The majority of victims are located in the US, Canada, and Europe. The attackers likely exploited the Cleo vulnerability (CVE-2024-50623) fo…
ransomware
data exfiltration
transportation
CVE-2024-50623
manufacturing
retail
2025-02-12
ta505
cl0p
cleo vulnerability
evil corp
Published: February 12, 2025
Linked vulnerabilities : CVE-2024-50623 (CVSS 8.8)
Downloadable IOCs: 6

Blast from the Past

A large-scale campaign targeting Russian organizations across various industries has been detected. The attackers are using NOVA stealer, a commercial fork of SnakeLogger, distributed via phishing emails disguised as contract archives. NOVA, marketed as Malware-as-a-Service, is capable of stealing …
phishing
stealer
persistence
credential theft
data exfiltration
russian
maas
nova
snakelogger
2025-02-05
organizations
Published: February 5, 2025
Downloadable IOCs: 1

Stealers on the Rise: A Closer Look at a Growing macOS Threat

This analysis examines the increasing prevalence of macOS infostealers, focusing on three prominent threats: Atomic Stealer, Poseidon Stealer, and Cthulhu Stealer. These malware variants target sensitive information, including financial details, credentials, and intellectual property. The article d…
infostealer
macos
credential theft
data exfiltration
atomic stealer
cthulhu stealer
applescript
2025-02-04
poseidon stealer
Published: February 4, 2025
Downloadable IOCs: 26

Analysis of Astral Stealer

Astral Stealer v1.8 is a powerful malware tool coded in Python, C#, and JavaScript, designed for data theft and crypto wallet exploitation. It targets gaming accounts, browser credentials, and cryptocurrency wallets while employing anti-debugging and VM bypass techniques. The stealer offers advance…
cryptocurrency
stealer
data exfiltration
information theft
2025-01-31
browser injection
discord injection
astral stealer
Published: January 31, 2025
Downloadable IOCs: 3

Operation Phantom Circuit: North Korea's Global Data Exfiltration Campaign

In December 2024, the Lazarus Group, a North Korean threat actor, launched a sophisticated global campaign targeting cryptocurrency and technology developers. The operation, code-named 'Phantom Circuit,' involved embedding malware into trusted development tools, compromising hundreds of victims wor…
north korea
cryptocurrency
data exfiltration
software supply chain
command-and-control
2025-01-30
phantom circuit
Published: January 30, 2025
Downloadable IOCs: 13

Analysis of Interlock Ransomware Attack on Healthcare Facilities

The Interlock ransomware group has been actively targeting healthcare facilities in the United States, causing significant disruptions and exposing sensitive patient data. The attacks involve drive-by compromise techniques, using fake software updaters to deploy malware. The group employs double-ex…
ransomware
credential theft
healthcare
lateral movement
data exfiltration
double-extortion
interlock
2025-01-28
drive-by compromise
Published: January 28, 2025
Downloadable IOCs: 0

Investigating A Web Shell Intrusion With Managed XDR

This analysis details a web shell intrusion incident where attackers exploited an IIS worker to exfiltrate data. The attacker uploaded a web shell, created a new account for persistence, modified an existing user's password, and used encoded PowerShell commands to establish a reverse TCP shell for …
powershell
anydesk
privilege escalation
data exfiltration
web shell
command-and-control
2025-01-15
reverse tcp shell
iis worker
Published: January 15, 2025
Downloadable IOCs: 0

Cyberhaven’s preliminary analysis of the recent malicious Chrome extension

A phishing attack on December 24th, 2024 compromised a Cyberhaven employee's access to the Google Chrome Web Store, leading to the publication of a malicious version of their Chrome extension. This was part of a larger campaign targeting Chrome Extension developers, primarily aiming at Facebook Ads…
phishing
data exfiltration
chrome extension
command and control
2025-01-02
facebook ads
oauth
Published: January 2, 2025
Downloadable IOCs: 5

NotLockBit: A Deep Dive Into the New Ransomware Threat

NotLockBit is an emerging ransomware family that mimics LockBit's behavior while targeting both macOS and Windows systems. Distributed as an x86_64 golang binary, it showcases advanced capabilities including targeted file encryption, data exfiltration, and self-deletion mechanisms. The malware gath…
ransomware
encryption
golang
cross-platform
data-exfiltration
2024-12-19
notlockbit
aws-abuse
self-deletion
Published: December 19, 2024
Downloadable IOCs: 5

Python-Based NodeStealer Version Targets Facebook Ads Manager

The latest variant of NodeStealer has evolved from JavaScript to Python, expanding its data theft capabilities. Trend Micro's MXDR team uncovered this advanced version in a campaign targeting a Malaysian educational institution, linked to a Vietnamese threat group. The malware now targets Facebook …
python
infostealer
dll sideloading
data exfiltration
telegram
spear-phishing
2024-12-19
nodestealer
facebook ads manager
Published: December 19, 2024
Downloadable IOCs: 5

Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks

Earth Koshchei, an APT group suspected to be sponsored by the Russian SVR, executed a large-scale rogue RDP campaign targeting high-profile sectors. The attack methodology involved spear-phishing emails, red team tools, and sophisticated anonymization techniques. The campaign used an RDP relay, rog…
data exfiltration
spear-phishing
apt29
midnight blizzard
2024-12-17
python remote desktop protocol mitm tool (pyrdp)
roguerdp
tor exit nodes
Published: December 17, 2024
Downloadable IOCs: 421

End-of-Year PTO: Days Off and Data Exfiltration with Formbook

A phishing campaign disguised as an end-of-year leave approval notice has been intercepted by the Cofense Phishing Defense Center. The malicious email, masquerading as HR communication, tricks recipients into clicking a link that leads to the deployment of FormBook malware. The email contains red f…
phishing
autoit
credential harvesting
formbook
keylogging
data exfiltration
process injection
2024-12-06
holiday-themed
Published: December 6, 2024
Downloadable IOCs: 0

Credit Card Skimmer Malware Targeting Magento Checkout Pages

A sophisticated credit card skimmer malware has been discovered targeting Magento-powered eCommerce websites, specifically their checkout processes. The malware dynamically creates a fake credit card form or extracts payment fields, activating only on checkout pages. It uses advanced obfuscation te…
obfuscation
encryption
data exfiltration
credit card skimmer
magento
2024-11-27
ecommerce
javascript injection
checkout pages
Published: November 27, 2024
Downloadable IOCs: 0

Threat Campaign Targeting Palo Alto Networks Firewall Devices Observed

Arctic Wolf has identified multiple intrusions across various industries involving Palo Alto Network firewall devices. The attacks likely exploit recently disclosed PAN-OS vulnerabilities CVE-2024-0012 and CVE-2024-9474 for initial access. Affected devices downloaded payloads including the Sliver C…
xmrig
data exfiltration
vulnerability exploitation
webshells
CVE-2024-0012
CVE-2024-9474
2024-11-25
sliver c2
palo alto networks
Published: November 25, 2024
Downloadable IOCs: 14

Threat Assessment: Distributors of BlackSuit Ransomware

Ignoble Scorpius, previously known as Royal ransomware, has rebranded as BlackSuit ransomware and increased its activity since March 2024. The group has targeted at least 93 victims globally, with a focus on the construction and manufacturing industries. Their initial ransom demands average 1.6% of…
ransomware
extortion
cobalt strike
credential theft
gootloader
lateral movement
mimikatz
data exfiltration
blacksuit
systembc
supply chain attack
2024-11-20
nanodump
Published: November 20, 2024
Downloadable IOCs: 2

Helldown Ransomware: an overview of this emerging threat

Helldown is a new and highly active ransomware group that has claimed 31 victims in three months. It employs custom ransomware for Windows and Linux systems, engages in double extortion, and exploits vulnerabilities in Zyxel firewalls for initial access. The group exfiltrates large volumes of data,…
linux
ransomware
windows
data exfiltration
CVE-2024-42057
double extortion
2024-11-20
helldown
emerging threat
zyxel vulnerability
vmware esx
Published: November 20, 2024
Downloadable IOCs: 0

The State of Cloud Ransomware in 2024

Cloud ransomware attacks are evolving, primarily targeting storage services like Amazon S3 and Azure Blob Storage. Attackers exploit misconfigurations or use stolen credentials to access and encrypt data. Cloud service providers have implemented security measures, such as AWS's 7-day key deletion w…
lockbit
bianlian
cloud security
data exfiltration
rhysida
2024-11-14
CVE-2023-34362
cspm
cloud ransomware
pandora
s3 buckets
ransomes
web application attacks
identity management
kms
Published: November 14, 2024
Downloadable IOCs: 0

Increased Fog and Akira Ransomware Activity Linked to SonicWall SSL VPN

Since early August, there has been a significant increase in Fog and Akira ransomware intrusions targeting SonicWall SSL VPN users across various industries. The attacks appear opportunistic rather than targeting specific sectors. All affected devices lacked patches for CVE-2024-40766. Initial acce…
ransomware
vpn
data exfiltration
akira
CVE-2024-40766
2024-10-24
sonicwall
initial access
fog
Published: October 24, 2024
Linked vulnerabilities : CVE-2024-40766 (CVSS 9.8)
Downloadable IOCs: 16

Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA

Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
powershell
cryptocurrency
lumma stealer
information-stealing
data exfiltration
fileless
maas
process hollowing
fake captcha
2024-10-21
Published: October 21, 2024
Downloadable IOCs: 23

Stealers on the rise: Kral, AMOS, Vidar and ACR

This intelligence report analyzes the increasing prevalence of information stealers, focusing on Kral, AMOS, Vidar, and ACR. Kral, delivered by its downloader, targets cryptocurrency wallets and browser data. AMOS, a macOS stealer, spreads through malvertising impersonating Homebrew. Vidar distribu…
cryptocurrency
macos
credential theft
vidar
data exfiltration
amos
aurora
2024-10-21
dll hijacking
information stealers
kral
penguish
acr
Published: October 21, 2024
Downloadable IOCs: 0

Fake LockBit Real Damage Ransomware Samples Abuse AWS S3 to Steal Data

This report discusses malicious Golang ransomware samples that exploit Amazon S3's Transfer Acceleration feature to exfiltrate victims' data and upload it to attacker-controlled S3 buckets. The samples contained hard-coded AWS credentials linked to compromised accounts, allowing the researchers to …
ransomware
golang
aws
data-exfiltration
2024-10-17
lockbit-imitation
Published: October 17, 2024
Downloadable IOCs: 39

From Perfctl to InfoStealer

A new stealthy Linux malware called perfctl has been analyzed. The malware runs two processes: perfctl and a disguised process mimicking known Linux processes. It uses Tor for external communications and local sockets for inter-process communication. After 30 minutes, the attacker drops scripts to …
malware
linux
rootkit
cryptominer
data exfiltration
stealth
perfctl
2024-10-09
trufflehog
Published: October 9, 2024
Downloadable IOCs: 3

Dark Angels Exposed

The Dark Angels ransomware group, active since April 2022, operates with sophisticated strategies targeting large companies for substantial ransom demands. They focus on stealthy attacks, avoiding outsourcing to third-party brokers. The group uses various ransomware payloads, including Babuk and Re…
ransomware
data exfiltration
babuk
raas
2024-10-08
ragnarlocker
CVE-2023-22069
Published: October 8, 2024
Downloadable IOCs: 0

No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection

This article analyzes four previously undisclosed DNS tunneling campaigns identified through a new campaign monitoring system. The system detects tunneling domains based on common techniques and attributes used in malicious campaigns. Four new campaigns were uncovered: FinHealthXDS (targeting finan…
cobalt strike
icedid
dns tunneling
data exfiltration
redline stealer
2024-10-05
russiansite
nsfinder
8ns
covert communications
hiloti
finhealthxds
Published: October 5, 2024
Downloadable IOCs: 0

Separating the bee from the panda: CeranaKeeper making a beeline for Thailand

This intelligence report details a sophisticated malware campaign targeting multiple industries across various countries. The threat actor employs advanced tactics, techniques, and procedures (TTPs) to infiltrate networks, maintain persistence, and exfiltrate sensitive data. The malware used in thi…
social engineering
data exfiltration
advanced persistent threat
2024-10-03
custom malware
multi-industry targeting
persistence techniques
network infiltration
Published: October 3, 2024
Downloadable IOCs: 16

New Android Spyware Campaign Targets South Koreans via AWS

A sophisticated Android spyware campaign targeting South Koreans has been uncovered by Cyble Research and Intelligence Labs. Active since June 2024, the malware exploits an Amazon AWS S3 bucket as its Command and Control server to exfiltrate sensitive personal data including SMS messages, contacts,…
android
spyware
south korea
cloud security
data exfiltration
aws
mobile malware
2024-10-01
stealth techniques
Published: October 1, 2024
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2017-11882, CVE-2024-21893
Downloadable IOCs: 7

Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware

A BlackCat ransomware intrusion began with a Nitrogen malware campaign impersonating Advanced IP Scanner. The attackers used Sliver and Cobalt Strike beacons for post-exploitation, leveraging Python scripts for memory loading. They performed network enumeration using various tools and moved lateral…
ransomware
blackcat
alphv
cobalt strike
sliver
credential harvesting
lateral movement
noberus
data exfiltration
2024-10-01
nitrogen
Published: October 1, 2024
Downloadable IOCs: 45

Storm-0501: Ransomware attacks expanding to hybrid cloud environments

Microsoft has observed Storm-0501, a financially motivated cybercriminal group, conducting multi-staged attacks targeting hybrid cloud environments. The group compromises on-premises networks, performs lateral movement to cloud environments, exfiltrates data, steals credentials, creates persistent …
backdoor
ransomware
credential-theft
cobalt strike
rclone
impacket
data-exfiltration
lateral-movement
2024-09-30
CVE-2022-47966
CVE-2023-4966
hybrid-cloud
embargo
aadinternals
CVE-2023-38203
CVE-2023-29300
Published: September 30, 2024
Linked vulnerabilities : CVE-2023-4966, CVE-2023-38203, CVE-2023-29300, CVE-2022-47966
Downloadable IOCs: 14

BLX STEALER

Identified as a sophisticated dropper binary designed to deploy an information stealer dubbed BLX Stealer or XLABB Stealer, this malware has been actively promoted on Telegram and Discord platforms. It targets credentials, browser data, cryptocurrency wallets, and other sensitive personal informati…
cryptocurrency
stealer
persistence
credential
data exfiltration
2024-09-11
xlabb stealer
blx stealer
Published: September 11, 2024
Downloadable IOCs: 5

StopRansomware: RansomHub Ransomware

RansomHub is a ransomware-as-a-service variant that has targeted over 210 victims across various critical infrastructure sectors since February 2024. It employs a double-extortion model, encrypting systems and exfiltrating data. The ransom note provides victims with a client ID and instructions to …
privilege-escalation
cobalt strike
encryption
CVE-2020-1472
ransomware-as-a-service
ransomhub
mimikatz
CVE-2023-3519
2024-08-30
metasploit
CVE-2023-22515
CVE-2023-46604
CVE-2017-0144
CVE-2023-48788
double-extortion
CVE-2023-27997
data-exfiltration
CVE-2023-46747
critical-infrastructure
CVE-2020-0787
lateral-movement
Published: August 30, 2024
Linked vulnerabilities : CVE-2020-1472, CVE-2023-46604, CVE-2023-22515, CVE-2020-0787, CVE-2017-0144, CVE-2023-3519, CVE-2023-27997, CVE-2023-48788, CVE-2023-46747
Downloadable IOCs: 14

Likely compromise of Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

A government-affiliated Taiwanese research institute specializing in computing technologies experienced a cyber intrusion likely carried out by the Chinese hacking group APT41. The attackers employed ShadowPad malware, Cobalt Strike, and custom tools, exploiting vulnerabilities like CVE-2018-0824 f…
apt
cobalt strike
credential theft
cobaltstrike
shadowpad
data exfiltration
2024-08-02
poisonplug.shadow
CVE-2018-0824
unmarshalpwn
Published: August 2, 2024
Linked vulnerabilities : CVE-2018-0824
Downloadable IOCs: 13

Mint Stealer: A Comprehensive Study of a Python-Based Information Stealer

At Cyfirma, this report offers a comprehensive analysis of Mint Stealer, an information-stealing malware operating within a malware-as-a-service (MaaS) framework. Mint Stealer targets sensitive data and uses sophisticated techniques to evade detection. This in-depth study explores Mint Stealer's ev…
malware-as-a-service
data exfiltration
2024-07-31
information stealer
mint stealer
evasion tactics
Published: July 31, 2024
Downloadable IOCs: 10

Kematian-Stealer: A Deep Dive into a New Information Stealer

This report provides an in-depth analysis of a newly discovered information stealer named Kematian-Stealer, actively developed on GitHub and distributed as open-source software. The malware employs various techniques to collect sensitive data from compromised systems, evade detection, and maintain …
malware
stealer
persistence
data exfiltration
github
2024-07-10
kematian-stealer
Published: July 10, 2024
Downloadable IOCs: 4

BlackSuit Ransomware: Insights and Defense Strategies

This report provides an in-depth analysis of the BlackSuit ransomware, a threat that has been actively targeting various sectors since May 2023. It presents statistics from incident response engagements, explores the ransomware's behavior and technical analysis, and offers insights into the potenti…
ransomware
encryption
data exfiltration
2024-07-08
blacksuit
cybersecurity
threat analysis
Published: July 8, 2024
Downloadable IOCs: 8

Phishing Incident Report: Facts and Timeline

On June 18, 2024, an employee's account at ANY.RUN was compromised and used to carry out a phishing attack against the company's entire contact list. The initial compromise occurred on May 27 through an AiTM phishing campaign targeting the employee. Over the following weeks, the attacker maintained…
phishing
2024-06-25
data exfiltration
incident response
mfa bypass
email compromise
Published: June 25, 2024
Downloadable IOCs: 9
Click here to see more Attack Reports