Tag: drive-by-download

8 Attack Reports | 0 Vulnerabilities

Attack reports

Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC

A financially motivated threat group dubbed Greedy Sponge has been targeting Mexican organizations since 2021 with a modified version of AllaKore RAT and SystemBC malware. The group uses spear-phishing and drive-by downloads to deliver custom packaged installers containing the RAT. Recent updates i…
allakore rat
financial fraud
credential theft
drive-by download
systembc
spear-phishing
geofencing
2025-08-21
mexico
Published: August 21, 2025
Downloadable IOCs: 0

FAKE TELEGRAM PREMIUM SITE DISTRIBUTES NEW LUMMA STEALER VARIANT

A malicious campaign using the domain 'telegrampremium[.]app' is distributing a new variant of Lumma Stealer malware. The fake site mimics the official Telegram Premium platform and automatically downloads an executable file 'start.exe' upon access. This sophisticated information-stealing trojan ca…
windows
infostealer
lumma stealer
credential theft
drive-by download
brand impersonation
2025-08-03
telegram premium
Published: August 3, 2025
Downloadable IOCs: 0

Threat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware

A new Epsilon Red ransomware campaign has been discovered targeting users globally through fake ClickFix verification pages. Active since July 2025, the threat actors employ social engineering tactics and impersonate popular platforms like Discord, Twitch, and OnlyFans to trick users into executing…
phishing
social engineering
impersonation
ransomware
quasar rat
drive-by download
clickfix
activex
2025-07-25
hta files
epsilon red
Published: July 25, 2025
Downloadable IOCs: 5

MintsLoader Malware Analysis: Multi-Stage Loader Used in Cyber Attacks

MintsLoader, a malicious loader first observed in 2024, is employed in phishing and drive-by download campaigns to deploy payloads like GhostWeaver, StealC, and modified BOINC clients. It uses obfuscated JavaScript and PowerShell scripts in a multi-stage infection chain, featuring sandbox evasion t…
phishing
socgholish
asyncrat
stealc
drive-by download
boinc
mintsloader
tag-124
ghostweaver
2025-04-29
multi-stage loader
Published: April 29, 2025
Downloadable IOCs: 0

New Evasive Campaign Delivers LegionLoader via Fake CAPTCHA & CloudFlare Turnstile

A new malicious campaign has been discovered targeting users searching for PDF documents online. The attack uses fake CAPTCHAs and CloudFlare Turnstile to deliver LegionLoader malware, which then installs a malicious browser extension. The infection chain involves a drive-by download, execution of …
phishing
drive-by download
captcha
process hollowing
legionloader
2025-04-05
browser extension
cloudflare turnstile
Published: April 5, 2025
Downloadable IOCs: 5

LegionLoader exposed!

LegionLoader, also known as Satacom, CurlyGate, and RobotDropper, is an active downloader malware that has gained significant traction recently, amassing over 2,000 samples in weeks. The campaign appears to have started on December 19, 2024, with Brazil being the most affected country. The malware …
brazil
downloader
drive-by download
anti-sandbox
msi
multi-stage
legionloader
robotdropper
2025-02-10
satacom
dll injection
curlygate
Published: February 10, 2025
Downloadable IOCs: 108

Exposing FakeBat loader: distribution methods and adversary infrastructure

During the first semester of 2024, FakeBat (aka EugenLoader, PaykLoader) was one of the most widespread loaders using the drive-by download technique. Researchers uncovered multiple FakeBat distribution campaigns leveraging malvertising, software impersonation, fake web browser updates, and social …
loader
social engineering
malvertising
fakebat
2024-07-02
drive-by download
paykloader
eugenloader
eugenfest
payk_34
Published: July 2, 2024
Downloadable IOCs: 237

SolarMarker Impersonates Job Employment Website

On April 2024, Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.
backdoor
phishing
solarmarker
solarphantom
2024-06-18
stellarinjector
drive-by-download
Published: June 18, 2024
Downloadable IOCs: 6
Click here to see more Attack Reports