Tag: dcrat

11 Attack Reports | 0 Vulnerabilities

Attack reports

Unmasking the Infrastructure of a Spear‑phishing Campaign

Censys researchers uncovered a spear‑phishing campaign where threat actors leveraged a cluster of 16 open directories hosting heavily obfuscated Visual Basic Script (VBS) files. The study analyzes how attackers set up these public-accessible directories to store malicious scripts, the obfuscation t…
spearphishing
remcos
asyncrat
dcrat
2025-06-11
limerat
opendir
Published: June 11, 2025
Downloadable IOCs: 54

Threat Analysis: DCRat presence growing in Latin America

Hive0131 is conducting email campaigns targeting users in Colombia with fake electronic notifications of criminal proceedings, purportedly from The Judiciary of Colombia. The campaigns deliver DCRat, a banking trojan operated as Malware-as-a-Service, through embedded links or PDF lures. DCRat's pre…
phishing
dcrat
banking trojan
maas
process hollowing
colombia
2025-06-06
vmdetectloader
Published: June 6, 2025
Downloadable IOCs: 3

New Steganographic Campaign Distributing Multiple Malware Variants

A sophisticated steganographic campaign has been observed distributing multiple stealer malware variants, including Remcos, DcRAT, AgentTesla, and VIPKeyLogger. The infection chain begins with a phishing email containing an Excel file that exploits CVE-2017-0199. This leads to the download of an HT…
obfuscation
phishing
remcos
steganography
asyncrat
dcrat
CVE-2017-0199
process hollowing
remote access trojan
agenttesla
vipkeylogger
2025-03-17
Published: March 17, 2025
Linked vulnerabilities : CVE-2017-0199
Downloadable IOCs: 13

SilentCryptoMiner distributed as a bypass tool

A mass malware campaign is infecting users with a cryptocurrency miner disguised as a tool for bypassing internet restrictions. The campaign has affected over 2,000 victims in Russia, utilizing YouTube channels to spread malicious links. Attackers are blackmailing content creators to post videos wi…
xworm
xmrig
njrat
dcrat
stealth techniques
cryptocurrency mining
silentcryptominer
2025-03-05
phemedrone
blackmail
restriction bypass
python loader
Published: March 5, 2025
Downloadable IOCs: 0

2024 Malicious Infrastructure Insights: Key Trends and Threats

The report highlights significant trends in malicious infrastructure for 2024, including the rise of malware-as-a-service infostealers, continued dominance of Cobalt Strike among offensive security tools, and increased use of legitimate services by threat actors. Key findings include LummaC2's domi…
lummac2
plugx
cobalt strike
asyncrat
cybercrime
infostealers
dcrat
latrodectus
botnets
mobile malware
malicious infrastructure
quasarrat
hook
gobrat
brute ratel c4
remote access trojans
2025-02-28
traffic distribution systems
mozi botnet
state-sponsored groups
command-and-control servers
solarmarker rat
offensive security tools
Published: February 28, 2025
Downloadable IOCs: 0

UAC-0173 against the Notary Office of Ukraine

A criminal group, UAC-0173, has resumed cyberattacks targeting notaries in Ukraine to gain unauthorized access to state registers. The attackers use phishing emails with malicious executable files to infect computers with DARKCRYSTALRAT malware. They then install additional tools like RDPWRAPPER an…
xworm
dcrat
peaklight
2025-02-26
rdpwrapper
darkcrystalrat
state registers
Published: February 26, 2025
Downloadable IOCs: 36

Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns

EclecticIQ analysts have identified a cyber espionage campaign by Sandworm (APT44) targeting Ukrainian Windows users. The group is leveraging pirated Microsoft Key Management Service (KMS) activators and fake Windows updates to deliver a new version of the BACKORDER loader, which ultimately deploys…
ukraine
cyber espionage
dcrat
apt44
2025-02-12
backorder
kalambur
gru
dark crystal rat
kms activators
backorder loader
software piracy
Published: February 12, 2025
Downloadable IOCs: 35

The RAT race: What happens when RATs go undetected

This analysis explores a sophisticated cyberattack attempt involving multiple Remote Access Tools (RATs) and a stealer. The attack chain begins with an email containing an exploit for CVE-2024-38213, bypassing Windows' Mark of the Web security feature. The malware uses WebDav directories and Cloudf…
xworm
rat
dcrat
CVE-2024-38213
2024-11-30
purelog stealer
Published: November 30, 2024
Downloadable IOCs: 0

Gophish Framework Used in Phishing Campaigns to Deploy Remote Access Trojans

A new phishing campaign targeting Russian-speaking users employs the open-source Gophish framework to deliver DarkCrystal RAT and a novel remote access trojan called PowerRAT. The attack utilizes modular infection chains, either through malicious Microsoft Word documents or HTML files with embedded…
phishing
dcrat
html smuggling
darkcrystal rat
russian-speaking
remote access trojan
2024-10-22
powerrat
gophish
Published: October 22, 2024
Downloadable IOCs: 2

WebDAV-as-a-Service: Uncovering the infrastructure behind Emmenhtal loader distribution - Sekoia.io Blog

The Emmenhtal loader, also known as PeakLight, operates in a memory-only manner, making it difficult to detect and analyse. It is primarily used to distribute other malicious payloads, including well-known infostealers that target sensitive information.
darkgate
dcrat
webdav
2024-09-19
marko polo
zgrat
google cloud
clearfake
emmenhtal
peaklight
selfau3
Published: September 19, 2024
Downloadable IOCs: 120

PDF “Flawed Design” Exploitation

Check Point Research identified an unusual pattern involving PDF exploitation, mainly targeting users of Foxit Reader. This exploit triggers security warnings that could deceive users into executing harmful commands. The exploitation occurs through a flawed design in Foxit Reader, showing 'OK' as t…
malware
xworm
campaigns
remcos
asyncrat
2024-05-09
2024-05-14
njrat
dcrat
pdf
venomrat
exploitation
nanocore rat
pony
bladabindi
foxit
agent-tesla
njw0rm
lv
2024-05-10
Published: May 14, 2024
Downloadable IOCs: 40
Click here to see more Attack Reports