Tag: evasion

73 Attack Reports | 0 Vulnerabilities

Attack reports

From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect

A newly discovered loader called SILENTCONNECT is being used in active campaigns to silently install ScreenConnect, a remote monitoring and management tool, on victim machines. The infection chain begins with users being redirected to a Cloudflare Turnstile CAPTCHA page disguised as a digital invit…
loader
screenconnect
phishing
evasion
rmm
uac bypass
2026-03-19
peb masquerading
silentconnect
Published: March 19, 2026
Downloadable IOCs: 10

Technical Analysis of SnappyClient

Zscaler ThreatLabz identified a new command-and-control framework implant called SnappyClient, delivered via HijackLoader. SnappyClient is a C++-based implant with data theft and remote access capabilities. It employs evasion techniques like AMSI bypass, Heaven's Gate, direct system calls, and tran…
evasion
cryptocurrency
data theft
remote access
hijackloader
command and control
2026-03-18
snappyclient
Published: March 18, 2026
Downloadable IOCs: 5

Endgame Harvesting: Inside ACRStealer's Modern Infrastructure

ACRStealer, a sophisticated Malware as a Service, has evolved with enhanced evasion techniques and C2 communication strategies. It employs low-level syscalls and AFD for stealthy operations, bypassing user-mode hooks. The malware uses layered communication, establishing raw TCP connections followed…
evasion
data-theft
hijackloader
maas
lummastealer
acrstealer
c2-communication
syscalls
2026-03-17
browser-exploitation
gaming-malware
Published: March 17, 2026
Downloadable IOCs: 3

Unveiling the Weaponized Web Shell EncystPHP

A sophisticated web shell named EncystPHP has been discovered, targeting FreePBX systems through the CVE-2025-64328 vulnerability. Associated with the hacker group INJ3CTOR3, this malware exhibits advanced capabilities including remote command execution, persistence mechanisms, and web shell deploy…
evasion
command injection
persistence
web shell
CVE-2025-64328
2026-01-28
encystphp
freepbx
telephony
Published: January 28, 2026
Linked vulnerabilities : CVE-2025-64328 (CVSS 8.6), CVE-2019-19006, CVE-2021-45461
Downloadable IOCs: 5

VoidLink threat analysis: C2-compiled kernel rootkits discovered

The Sysdig Threat Research Team analyzed VoidLink, a sophisticated Linux malware framework targeting cloud environments. Key findings include the first documented Serverside Rootkit Compilation, Chinese development with AI assistance, adaptive detection evasion, and use of the Zig programming langu…
linux
rootkit
evasion
cloud
c2
containers
stealth
kernel
voidlink
2026-01-19
ebpf
zig
Published: January 19, 2026
Downloadable IOCs: 9

CastleLoader Malware Analysis: Full Execution Breakdown

CastleLoader is a sophisticated malware loader designed to deliver and install malicious components, primarily targeting government entities and critical infrastructure. It employs a multi-stage execution chain involving Inno Setup, AutoIt, and process hollowing to evade detection. The loader deliv…
loader
evasion
credential theft
process hollowing
multi-stage
castleloader
2026-01-15
memory-only
Published: January 15, 2026
Downloadable IOCs: 6

Command & Evade: Turla's Kazuar v3 Loader

Turla's Kazuar v3 loader employs sophisticated techniques to evade detection. It uses a VBScript to drop files and execute a native loader, which bypasses security measures and leverages COM for stealth. The loader utilizes control flow redirection, patchless ETW and AMSI bypasses, and COM integrat…
loader
evasion
in-memory execution
stealth
amsi bypass
kazuar
2026-01-15
etw bypass
Published: January 15, 2026
Downloadable IOCs: 15

MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware

MacSync Stealer malware has evolved from using drag-to-terminal and ClickFix techniques to a more sophisticated approach. The new variant is delivered as a code-signed and notarized Swift application within a disk image, eliminating the need for direct terminal interaction. The malware retrieves an…
evasion
infostealer
macos
dropper
notarized
2025-12-23
code-signed
macsync stealer
odyssey infostealer
swift
Published: December 23, 2025
Downloadable IOCs: 11

Inside Shanya, a packer-as-a-service fueling modern attacks

The Shanya crypter is a new packer-as-a-service offering gaining popularity among ransomware groups. It features advanced capabilities like non-standard module loading, unique stubs for each customer, AMSI bypass, anti-VM measures, and runtime protection. Early samples contained revealing artifacts…
ransomware
evasion
dll sideloading
medusa
stealc
akira
qilin
lumma
crypter
bumblebee
edr killer
packer-as-a-service
crytox
castlerat
2025-12-07
chuchuka
wht downloader
Published: December 7, 2025
Linked vulnerabilities : CVE-2022-26134, CVE-2023-3519, CVE-2022-3236, CVE-2022-30190, CVE-2020-15069, CVE-2018-0798, CVE-2023-40044
Downloadable IOCs: 5

Evasion and Persistence via Hidden Hyper-V Virtual Machines

This investigation uncovered new tools and techniques used by the Curly COMrades threat actor to establish covert, long-term access to victim networks. The attackers exploited Hyper-V virtualization on compromised Windows 10 machines to create hidden remote operating environments. They deployed a m…
evasion
powershell
persistence
lateral movement
proxy
reverse shell
virtualization
2025-11-05
hyper-v
kerberos
alpine linux
curlcat
curlyshell
Published: November 5, 2025
Downloadable IOCs: 4

Smoking Gun Uncovered: RPX Relay at PolarEdge's Core Exposed

A new component of PolarEdge's infrastructure, RPX_Client, has been discovered, revealing insights into the threat actor's relay operations. The investigation uncovered 140 VPS nodes acting as RPX Servers and over 25,000 infected devices serving as RPX Clients. The system uses a multi-hop design to…
evasion
iot
botnet
proxy
infrastructure
orb
command execution
polaredge
CVE-2023-20118
vps
2025-10-29
rpx_server
rpx_client
Published: October 29, 2025
Downloadable IOCs: 7

Shuyal Stealer: Advanced Infostealer Targeting 19 Browsers

Shuyal Stealer is a sophisticated infostealer malware targeting 19 different browsers. It conducts deep system reconnaissance, collecting detailed hardware information and user data. The malware disables Windows Task Manager, ensures persistence through startup folder insertion, and exfiltrates sto…
evasion
powershell
infostealer
persistence
data exfiltration
system reconnaissance
telegram bot
browser targeting
2025-10-08
shuyal stealer
Published: October 8, 2025
Downloadable IOCs: 1

Rhadamanthys 0.9.x - walk through the updates

Rhadamanthys, a complex multi-modular stealer, has released version 0.9.2 with significant updates. The malware now uses PNG files to deliver payloads, implements new evasion techniques, and introduces changes to its custom executable formats. Key modifications include a new message box mimicking L…
evasion
rhadamanthys
stealer
encryption
2025-10-01
configurability
png payload
custom formats
Published: October 1, 2025
Downloadable IOCs: 51

Technical Analysis of Zloader Updates

Recent versions of Zloader, a Zeus-based modular trojan, have introduced significant enhancements to its functionality. These updates include improved obfuscation techniques, anti-analysis strategies, and network communication methods. The malware now supports WebSockets and has modified its DNS tu…
obfuscation
ransomware
evasion
anti-analysis
zloader
zeus
trojan
banking
websockets
2025-09-22
dns-tunneling
zeus-based
ldap
Published: September 22, 2025
Downloadable IOCs: 0

Unmasked: Salat Stealer – A Deep Dive into Its Advanced Persistence Mechanisms and C2 Infrastructure

Salat Stealer, also known as WEB_RAT, is a sophisticated Go-based infostealer targeting Windows systems. It exfiltrates browser credentials, cryptocurrency wallet data, and session information while employing advanced evasion techniques. The malware uses UPX packing, process masquerading, registry …
evasion
windows
infostealer
cryptocurrency
persistence
malware-as-a-service
maas
russian-speaking
browser credentials
2025-09-06
salat stealer
web_rat
go-based
2025-09-10
Published: September 10, 2025
Downloadable IOCs: 14

The Resurgence of IoT Malware: Inside the Mirai-Based "Gayfemboy" Botnet Campaign

FortiGuard Labs has been tracking a stealthy malware strain called "Gayfemboy" that exploits vulnerabilities in DrayTek, TP-Link, Raisecom, and Cisco products. The malware, based on Mirai, has evolved in form and behavior, targeting multiple countries and sectors. Gayfemboy employs obfuscation tech…
obfuscation
evasion
ddos
iot
botnet
mirai
2025-08-25
Published: August 25, 2025
Downloadable IOCs: 0

New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises

A new ransomware family called Charon has been identified, targeting the Middle East's public sector and aviation industry. The attack employs sophisticated APT-style techniques, including DLL sideloading, process injection, and anti-EDR capabilities. Charon uses a multistage payload extraction tec…
apt
ransomware
evasion
encryption
dll sideloading
aviation
middle east
network propagation
2025-08-12
charon
Published: August 12, 2025
Downloadable IOCs: 0

Tracking Updates to Raspberry Robin

Raspberry Robin, an advanced malware downloader active since 2021, has undergone significant updates. The malware now employs improved obfuscation methods, including multiple initialization loops and obfuscated stack pointers, making analysis more challenging. It has switched from AES-CTR to ChaCha…
obfuscation
evasion
privilege-escalation
encryption
downloader
CVE-2024-38196
tor
raspberry robin
roshtyak
2025-08-07
usb-spread
Published: August 7, 2025
Linked vulnerabilities : CVE-2024-38196 (CVSS 7.8)
Downloadable IOCs: 121

Unmasking LockBit: A Deep Dive into DLL Sideloading and Masquerading Tactics

This analysis explores the sophisticated tactics employed by LockBit ransomware attackers, focusing on DLL sideloading and masquerading techniques. These methods allow attackers to evade detection and maximize impact. DLL sideloading involves tricking legitimate applications into loading malicious …
ransomware
evasion
lockbit
persistence
encryption
dll sideloading
2025-08-01
masquerading
Published: August 1, 2025
Downloadable IOCs: 11

Sealed Chain of Deception: Actors leveraging Node.JS to Launch JSCeal

A sophisticated malware campaign called JSCEAL is targeting cryptocurrency users through fake apps impersonating popular trading platforms. The attackers use malicious ads to lure victims into downloading installers that deploy a multi-stage infection chain. This includes PowerShell scripts for pro…
evasion
malvertising
powershell
cryptocurrency
stealer
node.js
multi-stage
fake apps
2025-07-31
jsceal
jsc
Published: July 31, 2025
Downloadable IOCs: 268

XWorm V6: Advanced Evasion and AMSI Bypass Capabilities Revealed

A new version of XWorm malware (version 6.0) has been discovered, showcasing advanced features for persistence and evasion. The infection chain begins with a VBScript that downloads and executes a PowerShell script. This script implements an AMSI bypass by modifying CLR.DLL in memory, then download…
malware
xworm
evasion
persistence
anti-analysis
in-memory execution
2025-07-30
amsi bypass
Published: July 30, 2025
Downloadable IOCs: 4

GhostContainer backdoor for Exchange servers

A sophisticated backdoor targeting Exchange servers of high-value organizations in Asia has been discovered. The malware, named GhostContainer, is a multi-functional backdoor that can be dynamically extended with additional modules. It leverages several open-source projects and employs various evas…
backdoor
apt
evasion
proxy
open-source
asia
2025-07-17
exchange
ghostcontainer
Published: July 17, 2025
Downloadable IOCs: 1

RondoDox Unveiled: Breaking Down a New Botnet Threat

A new botnet called RondoDox has been discovered, exploiting two high-risk vulnerabilities: CVE-2024-3721 and CVE-2024-12856. It targets Linux-based systems on various architectures, including ARM and MIPS. RondoDox uses sophisticated evasion techniques, such as XOR-encoded configuration data, cust…
linux
evasion
persistence
ddos
botnet
vulnerabilities
CVE-2024-12856
CVE-2024-3721
2025-07-16
traffic mimicry
rondodox
Published: July 16, 2025
Downloadable IOCs: 35

From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery

Check Point Research uncovered a malware campaign exploiting expired Discord invite links to redirect users to malicious servers. The attackers use a combination of techniques including ClickFix phishing, multi-stage loaders, and time-based evasions to deliver AsyncRAT and a customized Skuld Steale…
phishing
evasion
asyncrat
discord
crypto wallets
2025-06-13
chromekatz
skuld stealer
Published: June 13, 2025
Downloadable IOCs: 0

Beware of AI Pickpockets: Pickai Backdoor Spreading Through ComfyUI Vulnerability

A new backdoor named Pickai is exploiting ComfyUI vulnerabilities to spread and steal sensitive AI data. Developed in C++, Pickai offers remote command execution and reverse shell capabilities with strong persistence and evasion techniques. It uses multiple C2 servers for redundancy and has infecte…
backdoor
evasion
vulnerability
persistence
c2
supply chain attack
2025-06-13
pickai
comfyui
ai data theft
Published: June 13, 2025
Downloadable IOCs: 9

Excel(ent) Obfuscation: Regex Gone Rogue

A new Excel-based attack technique leverages recently introduced regex functions for advanced code obfuscation. The proof-of-concept demonstrates how malicious actors can use REGEXEXTRACT to hide PowerShell commands within large text blocks, significantly reducing antivirus detection rates. This me…
obfuscation
vba
evasion
powershell
excel
2025-05-15
macro
regex
regexextract
Published: May 15, 2025
Downloadable IOCs: 3

Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal

The Agenda ransomware group has expanded its capabilities by incorporating SmokeLoader malware and a new loader called NETXLOADER. NETXLOADER is a highly obfuscated .NET-based loader that utilizes advanced techniques to evade detection and complicate analysis. The group has been targeting healthcar…
ransomware
evasion
rust
smokeloader
.net
2025-05-07
netxloader
Published: May 7, 2025
Downloadable IOCs: 8

Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims

Arctic Wolf Labs discovered a new campaign by Venom Spider targeting corporate HR departments with fake resumes containing the More_eggs backdoor. The financially motivated threat group uses spear-phishing emails and abuses legitimate job platforms to apply for real jobs. The backdoor can steal cre…
backdoor
evasion
javascript
spear-phishing
more_eggs
lnk files
2025-05-03
polymorphism
Published: May 3, 2025
Downloadable IOCs: 3

Outlaw cybergang attacking targets worldwide

A recent incident response case in Brazil revealed a Perl-based crypto mining botnet called Outlaw, also known as Dota, targeting Linux environments. The threat actor exploits weak SSH credentials, downloads malicious scripts, and deploys an XMRig miner for Monero cryptocurrency. The botnet include…
linux
backdoor
evasion
xmrig
persistence
botnet
irc
ssh
crypto mining
outlaw
2025-04-29
dota
Published: April 29, 2025
Downloadable IOCs: 0

New HijackLoader Evasion Tactics

HijackLoader, a malware loader discovered in 2023, has evolved with new modules and evasion tactics. Recent updates include call stack spoofing to mask function call origins, virtual machine detection to identify analysis environments, and persistence establishment via scheduled tasks. The loader n…
evasion
persistence
modular
hijackloader
anti-vm
2025-03-31
virtual machine detection
call stack spoofing
Published: March 31, 2025
Downloadable IOCs: 0

GorillaBot: Technical Analysis and Code Similarities with Mirai

GorillaBot is a newly discovered Mirai-based botnet that has launched over 300,000 attacks across more than 100 countries, targeting various industries including telecommunications, finance, and education. It reuses Mirai's core logic while adding custom encryption and evasion techniques. The malwa…
evasion
encryption
botnet
mirai
c2 communication
anti-debugging
2025-03-25
xtea
sha-256
gorillabot
Published: March 25, 2025
Downloadable IOCs: 3

Weaver Ant, the Web Shell Whisperer: Tracking a China-Nexus Cyber Operation

Sygnia uncovered a sophisticated China-nexus threat actor, Weaver Ant, targeting a major Asian telecom company. The group employed web shells and tunneling techniques for persistence and lateral movement, maintaining access for over four years. They utilized encrypted China Chopper and custom 'INMe…
espionage
evasion
persistence
lateral movement
china chopper
china-nexus
telecom
2025-03-25
web shells
tunneling
inmemory web shell
Published: March 25, 2025
Downloadable IOCs: 1

Stopping Sobolan Malware with Aqua Runtime Protection

A new attack campaign targeting interactive computing environments like Jupyter Notebooks has been discovered. The attack involves downloading a compressed file from a remote server, which, when executed, deploys multiple malicious tools to exploit the server and establish persistence. The campaign…
evasion
persistence
cryptomining
cloud-native
2025-03-12
runtime protection
sobolan
jupyter notebooks
Published: March 12, 2025
Downloadable IOCs: 9

Auto-Color: An Emerging and Evasive Linux Backdoor

Auto-color is a newly discovered Linux malware that employs sophisticated evasion techniques. It renames itself to benign-looking filenames, hides remote C2 connections using advanced methods similar to Symbiote malware, and uses proprietary encryption for communication. The malware installs a mali…
linux
backdoor
evasion
encryption
government
c2
proxy
universities
reverse shell
2025-02-25
auto-color
library implant
symbiote
Published: February 25, 2025
Downloadable IOCs: 10

XWorm Cocktail: A Mix of PE data with PowerShell Code

A malicious file discovered on VirusTotal triggered a PowerShell rule, leading to the investigation of two closely related files identified as 'data files' but named as executables. The files contain a mix of PowerShell code, binary data, and obfuscated text. Analysis revealed characteristics of XW…
obfuscation
xworm
evasion
powershell
persistence
keylogging
virustotal
deobfuscation
2025-02-19
Published: February 19, 2025
Downloadable IOCs: 3

Vgod RANSOMWARE

A new ransomware strain called Vgod has been observed targeting Windows systems. It encrypts files, appending the '.Vgod' extension, and leaves a ransom note titled 'Decryption Instructions.txt'. The ransomware changes the desktop wallpaper and employs a double extortion model, threatening data exp…
ransomware
evasion
windows
persistence
encryption
double extortion
2025-02-18
file extension
vgod
Published: February 18, 2025
Downloadable IOCs: 1

New TorNet backdoor seen in widespread campaign

A financially motivated threat actor has been conducting a malicious campaign since July 2024, primarily targeting users in Poland and Germany. The campaign uses phishing emails impersonating financial institutions and companies to deliver various payloads, including a new backdoor called TorNet. T…
backdoor
phishing
evasion
poland
purecrypter
agent tesla
snake keylogger
2025-01-28
tornet
tor network
Published: January 28, 2025
Downloadable IOCs: 0

Malware Analysis: A Kernel Land Rootkit Loader for FK_Undead

This analysis delves into a Windows rootkit loader for the FK_Undead malware family, known for intercepting user network traffic through proxy manipulation. The loader, signed with a valid Microsoft certificate, installs itself as a system service and employs various evasion techniques. It download…
rootkit
evasion
windows
proxy
kernel
2024-12-11
vmprotect
driver
deaddrop
fk_undead
Published: December 11, 2024
Downloadable IOCs: 20

Iranian Dream Job campaign

An Iranian campaign targeting the aerospace industry has been uncovered, distributing SnailResin malware through a 'dream job' scheme. Attributed to TA455, a subgroup of Charming Kitten, the campaign uses social engineering tactics on LinkedIn, impersonating recruiters to lure victims. The attack e…
evasion
iran
aerospace
dll side-loading
2024-11-12
linkedin
slugresin
dream job
charming kitten
snailresin
apt35
Published: November 12, 2024
Downloadable IOCs: 26

WINELOADER Analysis

APT29, also known as Cozy Bear, has targeted European diplomats using a sophisticated multi-stage attack chain involving a new modular backdoor called WINELOADER. The attack begins with a fake PDF invitation to a wine-tasting event, which leads to the download of a malicious HTA file. This file the…
backdoor
wineloader
evasion
modular
diplomats
dll side-loading
apt29
cozy bear
2024-11-07
dll hollowing
Published: November 7, 2024
Downloadable IOCs: 0

Threat actors use copyright infringement phishing lure to deploy infostealers

An unknown threat actor is conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. The campaign uses emails impersonating legal departments, claiming copyright infringement to lure victims into downloading malware. The attackers abuse Google's Appspot dom…
obfuscation
phishing
evasion
lummac2
rhadamanthys
infostealer
taiwan
2024-10-31
facebook
copyright
Published: October 31, 2024
Downloadable IOCs: 0

ValleyRAT Insights: Tactics, Techniques, and Detection Methods

ValleyRAT is a remote access Trojan targeting Chinese-speaking users through phishing campaigns. It employs multi-stage, multi-component tactics to evade detection and maintain persistence. The malware uses various techniques including process injection, registry manipulation, and UAC bypass. It at…
phishing
evasion
persistence
valleyrat
remote access trojan
2024-10-25
uac bypass
chinese-speaking targets
Published: October 25, 2024
Downloadable IOCs: 3

DarkComet RAT: Technical Analysis of Attack Chain

This analysis examines the Remote Access Trojan (RAT) DarkComet, detailing its capabilities, distribution methods, and technical operations. The malware alters file attributes, establishes communication with malicious domains, modifies process privileges, and gathers system information. It employs …
rat
evasion
persistence
keylogging
privilege escalation
command and control
remote access trojan
2024-10-23
darkcomet
Published: October 23, 2024
Downloadable IOCs: 1

New wave of Bumblebee malware attacks warned

Security researchers have detected new attacks involving the Bumblebee malware loader, just four months after Europol disrupted its operations in Operation Endgame. The malware has resurfaced with updated tactics, using MSI files disguised as legitimate software installers to deliver its payload di…
malware
loader
phishing
ransomware
evasion
in-memory
msi
bumblebee
2024-10-22
Published: October 22, 2024
Downloadable IOCs: 9

Attackers Target Exposed Docker Remote API Servers With perfctl Malware

An unknown threat actor is exploiting exposed Docker Remote API servers to deploy the perfctl malware. The attack sequence involves probing the server, creating a Docker container with specific settings, and executing a Base64 encoded payload. The payload escapes the container, creates a bash scrip…
evasion
persistence
docker
privilege escalation
perfctl
2024-10-21
remote api
linux malware
container exploitation
Published: October 21, 2024
Downloadable IOCs: 6

The New Malware Distribution Service

This analysis uncovers a novel malware distribution mechanism utilizing VBE scripts stored in archive files to spread various malware families, including AgentTesla, Remcos, Snake, and NjRat. It details the infection chain, which involves downloading encoded files from a command-and-control server,…
malware
evasion
remcos
injection
njrat
bladabindi
njw0rm
lv
keylogger
2024-10-16
agenttesla
ekans
snakehose
distribution
Published: October 16, 2024
Downloadable IOCs: 7

CoreWarrior Spreader Malware Surge

This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
backdoor
evasion
anti-analysis
trojan
2024-10-15
propagation
corewarrior
Published: October 15, 2024
Downloadable IOCs: 3

perfctl: A Stealthy Malware Targeting Millions of Linux Servers

A sophisticated Linux malware named 'perfctl' has been actively targeting millions of servers worldwide for the past 3-4 years. It exploits over 20,000 types of misconfigurations to compromise Linux systems. The malware employs advanced evasion techniques, including rootkits, process masquerading, …
linux
rootkit
evasion
privilege-escalation
persistence
cryptomining
CVE-2023-33246
2024-10-04
tor
CVE-2021-4043
proxy-jacking
perfctl
Published: October 4, 2024
Linked vulnerabilities : CVE-2023-33246, CVE-2021-4034, CVE-2021-4043
Downloadable IOCs: 9

The Dark Knight Returns: Joker malware analysis

The report details sophisticated command and control (C2) techniques employed by the APT41 threat group. APT41 uses custom malware and legitimate tools to maintain persistent access to compromised networks while evading detection. Key techniques include DNS tunneling, domain fronting, and steganogr…
evasion
steganography
dns tunneling
social media
2024-10-03
command and control
apt41
cloud services
domain fronting
Published: October 3, 2024
Downloadable IOCs: 8

Gomorrah Stealer: An In-Depth Analysis of a .NET-Based Malware

This comprehensive report analyzes Gomorrah Stealer, a sophisticated malware designed to exfiltrate sensitive information from compromised systems. It operates within a malware-as-a-service framework and targets data from web browsers, cryptocurrency wallets, VPNs, and configuration files. The stea…
evasion
stealer
exfiltration
persistence
malware-as-a-service
2024-09-16
gomorrah stealer
Published: September 16, 2024
Downloadable IOCs: 6

A glimpse into the next moves and associated botnets

The report provides insights into the evolving tactics and infrastructure of a threat group referred to as the 'Quad7 botnet operators.' It details the discovery of new staging servers, implants, and botnet clusters associated with this group. The operators appear to be compromising various router …
evasion
backdoors
xlogin
botnets
routers
2024-09-10
hammertoss
axlogin
fsynet
hammerduke
stealth
alogin
updtae
zylogin
netduke
rlogin
Published: September 10, 2024
Downloadable IOCs: 11

A glimpse into the Quad7 operators’ next moves and associated botnets

The report provides insights into the evolving tactics and infrastructure of a threat group referred to as the 'Quad7 botnet operators.' It details the discovery of new staging servers, implants, and botnet clusters associated with this group. The operators appear to be compromising various router …
evasion
backdoors
xlogin
botnets
routers
2024-09-10
hammertoss
axlogin
fsynet
hammerduke
stealth
alogin
updtae
zylogin
netduke
rlogin
Published: September 10, 2024
Downloadable IOCs: 0

Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool

Cybercriminals are employing a sophisticated two-stage malware campaign masquerading as the Palo Alto GlobalProtect tool to infiltrate systems in the Middle East region. The malware leverages a complex command-and-control infrastructure, involving newly registered domains designed to resemble legit…
malware
phishing
evasion
globalprotect
2024-08-30
cnc
globalprotect.exe
Published: August 30, 2024
Linked vulnerabilities : CVE-2023-22527
Downloadable IOCs: 5

Sophisticated Malware Campaign Targets Czech Officials Using NATO-Themed Decoys

Seqrite Labs APT-Team discovered a sophisticated malware campaign targeting government and military officials in the Czech Republic. The campaign leveraged NATO-themed decoy documents to lure victims and employed a multistage attack chain involving a malicious batch script, a Rust-based loader, and…
evasion
persistence
injection
rust
2024-08-28
havoc
nato
czech republic
decoy
freeze
Published: August 28, 2024
Downloadable IOCs: 13

Unveiling sedexp: A Stealthy Linux Malware Exploiting udev Rules

Stroz Friedberg discovered sedexp, a stealthy Linux malware that utilizes udev rules to achieve persistence and evade detection. It provides reverse shell capabilities and advanced concealment tactics. Employed by a financially motivated threat actor, sedexp hides credit card scraping code, indicat…
linux
evasion
persistence
2024-08-23
reverse shell
sedexp
concealment
Published: August 23, 2024
Downloadable IOCs: 3

Campaign uses infostealers and clippers for financial gain

Kaspersky has uncovered a complex malware campaign orchestrated by Russian-speaking cybercriminals. The threat actors create sub-campaigns mimicking legitimate projects, using social media to enhance credibility. They host initial downloaders on Dropbox to deliver infostealers like Danabot and Stea…
phishing
evasion
infostealer
cryptocurrency
injection
danabot
stealc
russian
2024-08-16
clipper
Published: August 16, 2024
Downloadable IOCs: 68

Threat Actors’ Toolkit: Leveraging Sliver, PoshC2 & Batch Scripts

An investigation by The DFIR report revealed a collection of batch scripts designed for defense evasion and executing command-and-control payloads. These scripts performed various actions, including disabling antivirus processes, stopping services related to SQL, Hyper-V, security tools, and Exchan…
evasion
sliver
2024-08-12
batch
poshc2
scripts
Published: August 12, 2024
Downloadable IOCs: 32

RHADAMANTHYS: In-Depth Analysis of a Sophisticated Stealer Targeting Israeli Users

This comprehensive technical analysis delves into the intricate workings of an advanced and localized malware campaign employing the RHADAMANTHYS stealer. Dissecting the infection chain, anti-analysis techniques, data theft capabilities, and Command & Control infrastructure, this detailed report sh…
phishing
evasion
rhadamanthys
stealer
persistence
2024-08-05
israeli
Published: August 5, 2024
Downloadable IOCs: 5

Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT

This analysis examines a recent malware campaign involving a dropper dubbed Gh0stGambit, which is employed to retrieve and execute encrypted payloads, specifically a variant of the notorious Gh0st Remote Access Trojan (RAT). The report details the multi-stage infection process, including the use of…
malware
rat
evasion
encryption
dropper
gh0st rat
moudoor
mydoor
2024-07-31
Published: July 31, 2024
Linked vulnerabilities : CVE-2024-5806 (CVSS 7.4)
Downloadable IOCs: 6

Exploiting CVE-2024-21412: A Stealer Campaign Unleashed

This report details a malicious campaign exploiting the CVE-2024-21412 vulnerability in Microsoft Windows SmartScreen to bypass security warnings and deliver malware. Attackers employ crafted links, LNK files, and HTA scripts to download decoy PDFs and shell code injectors, ultimately injecting ste…
malware
evasion
windows
stealer
CVE-2024-21412
injection
pdf
meduza stealer
2024-07-24
acr stealer
Published: July 24, 2024
Linked vulnerabilities : CVE-2024-21412
Downloadable IOCs: 27

MoonWalk

This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
backdoor
evasion
windows
moonwalk
nationstate
dodgebox
2024-07-12
googledrive
Published: July 12, 2024
Downloadable IOCs: 3

DodgeBox: A deep dive into the updated arsenal of APT41

This blog post provides an in-depth technical analysis of a newly discovered malware loader called DodgeBox, which is attributed to the China-based advanced persistent threat (APT) actor APT41. DodgeBox incorporates various evasion techniques such as call stack spoofing, DLL sideloading, DLL hollow…
loader
evasion
china
2024-07-11
stealthvector
moonwalk
nationstate
dodgebox
Published: July 11, 2024
Downloadable IOCs: 1

Turla: A Master of Deception

This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
backdoor
evasion
powershell
2024-07-08
snake
msbuild
fileless
uroburos
Published: July 8, 2024
Downloadable IOCs: 10

Dissecting GootLoader With Node.js

This article demonstrates how to circumvent anti-analysis techniques employed by GootLoader malware while utilizing Node.js debugging in Visual Studio Code. GootLoader JavaScript files employ an evasion technique that can pose a formidable challenge for sandboxes attempting to analyze the malware. …
evasion
anti-analysis
javascript
gootloader
2024-07-04
deobfuscation
Published: July 4, 2024
Downloadable IOCs: 2

Attackers Exploiting Public Cobalt Strike Profiles

This report discusses recent findings of malicious Cobalt Strike infrastructure and malicious Cobalt Strike samples that leverage publicly available Malleable C2 profiles for evasion. Despite its defensive cybersecurity use, threat actors continue exploiting Cobalt Strike's malleable and evasive na…
evasion
cobalt strike
malicious
2024-06-26
profiles
samples
Published: June 26, 2024
Linked vulnerabilities : CVE-2024-3400
Downloadable IOCs: 6

Malware Targets Message Queuing Services Applications

The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…
evasion
cryptocurrency
vulnerability
persistence
apache
2024-06-06
irc
rocketmq
lateral
muhstik
CVE-2023-33246
Published: June 6, 2024
Linked vulnerabilities : CVE-2023-33246
Downloadable IOCs: 21

Excel File Deploys Cobalt Strike at Ukraine

A sophisticated multi-stage cyberattack was identified, utilizing an Excel file embedded with a VBA macro designed to deploy a DLL file. The attacker employed various evasion techniques and a multi-stage malware strategy to deliver the notorious 'Cobalt Strike' payload, establishing communication w…
malware
evasion
ukraine
2024-06-04
excel
Published: June 4, 2024
Downloadable IOCs: 10

Distribution of Malware Under the Guise of MS Office Cracked Versions (XMRig, OrcusRAT, etc.)

The report analyzes a campaign where threat actors distribute various malware strains like RATs, coinminers, and loaders disguised as cracked versions of popular software. South Korean systems are heavily targeted, with malware persisting via scheduled tasks and evading security products. Detailed …
loader
evasion
xmrig
purecrypter
cryptominer
3proxy
antiav
orcusrat
2024-05-30
Published: May 30, 2024
Downloadable IOCs: 11

Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear

This comprehensive analysis delves into the continuous evolution and refinement of sophisticated malware entities employed by a persistent cyberespionage group targeting organizations in the Asia-Pacific region. The malware, known as Waterbear and its latest iteration, Deuterbear, have undergone si…
malware
evasion
anti-analysis
encryption
2024-05-21
cyberespionage
deuterbear
waterbear
Published: May 21, 2024
Downloadable IOCs: 29

Distribution of DanaBot Malware via Word Files Detected

This analysis examines the infection process of the DanaBot malware, distributed through sophisticated spam emails containing malicious Word documents. The documents leverage external links to download and execute macro files, which subsequently fetch and run the DanaBot payload. The infection chai…
malware
evasion
data theft
spam
2024-05-09
macros
danabot
2024-05-14
2024-05-10
Published: May 14, 2024
Downloadable IOCs: 0

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Four

This comprehensive analysis provides a thorough examination of the REMCOS Remote Access Trojan (RAT), a prominent malware threat that gained significant prevalence in 2024. The analysis delves into the malware's configuration structure, command and control capabilities, persistence mechanisms, and …
rat
evasion
persistence
remcos
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
credential theft
remote access
2024-05-09
Published: May 9, 2024
Downloadable IOCs: 34

HijackLoader Updates

HijackLoader, also known as IDAT Loader, is a modular malware loader capable of executing multiple payloads. It utilizes a variety of modules for code injection, execution, and evasion techniques. This report analyzes the updated version of HijackLoader, which includes new modules for bypassing Win…
rat
evasion
rhadamanthys
stealer
remcos
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
amadey
lumma stealer
injection
modular
racoon stealer v2
malware loader
meta stealer
Published: May 7, 2024
Downloadable IOCs: 11

macOS Adload Pivots Just Days After Apple’s XProtect Clampdown

The report analyzes a new variant of the Adload adware that evades Apple's recent XProtect malware signature updates. Despite Apple adding 74 new rules targeting Adload in XProtect version 2192, the adware authors have rapidly modified their code to bypass these detections. The report examines a sp…
evasion
macos
dropper
adware
apple
adload
Published: May 1, 2024
Downloadable IOCs: 11
Click here to see more Attack Reports