Tag: evasion techniques

40 Attack Reports | 0 Vulnerabilities

Attack reports

The HoneyMyte APT now protects malware with a kernel-mode rootkit

In mid-2025, a malicious driver file was discovered on Asian computer systems, signed with a compromised digital certificate. This driver injects a backdoor Trojan and protects malicious files, processes, and registry keys. The final payload is a new variant of the ToneShell backdoor, associated wi…
apt
rootkit
plugx
toneshell
evasion techniques
2025-12-29
tonedisk
Published: December 29, 2025
Downloadable IOCs: 0

Technical Analysis of the BlackForce Phishing Kit

The BlackForce phishing kit, first observed in August 2025, has evolved through multiple versions and is capable of stealing credentials and performing Man-in-the-Browser attacks to bypass multi-factor authentication. It impersonates various brands and uses sophisticated evasion techniques, includi…
phishing
credential theft
mfa bypass
telegram
evasion techniques
2025-12-12
blackforce
mitb
Published: December 12, 2025
Downloadable IOCs: 0

Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets

Albiriox is a newly identified Android malware offered as Malware-as-a-Service, likely managed by Russian-speaking threat actors. It employs a two-stage deployment chain using dropper applications and packing techniques to evade detection. The malware exhibits advanced On-Device Fraud capabilities,…
rat
android
cryptocurrency
banking trojan
maas
evasion techniques
overlay attacks
on-device fraud
2025-12-03
vnc
albiriox
Published: December 3, 2025
Downloadable IOCs: 4

EVALUSION Campaign Delivers Amatera Stealer and NetSupport...

The eSentire Threat Response Unit identified a malware campaign using ClickFix as an initial access vector to deploy Amatera Stealer and NetSupport RAT. Amatera Stealer is a rebranded version of ACR Stealer, with advanced evasion techniques like WoW64 SysCalls to bypass security solutions. It targe…
powershell
information theft
clickfix
acr stealer
netsupport rat
c2 communication
evasion techniques
crypto-wallets
amatera stealer
2025-11-18
Published: November 18, 2025
Downloadable IOCs: 1

Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics

Trend Research observed a resurgence in Lumma Stealer activity since October 20, 2025, accompanied by new behaviors and C&C techniques. The malware now employs browser fingerprinting as part of its command-and-control tactics, collecting and exfiltrating system, network, hardware, and browser data …
infostealer
lumma stealer
data exfiltration
process injection
evasion techniques
command-and-control
ghostsocks
browser fingerprinting
2025-11-14
cybercriminal activity
Published: November 14, 2025
Downloadable IOCs: 3

Eye of the Storm: Analyzing DarkCloud's Latest Capabilities

eSentire's Threat Response Unit detected a spear-phishing campaign targeting a manufacturing customer, attempting to deliver the DarkCloud information-stealing malware. The malware, distributed through a malicious zip archive, has undergone significant updates including a VB6 rewrite and enhanced e…
exfiltration
information stealer
evasion techniques
spear-phishing
darkcloud
2025-09-29
crypto-wallet targeting
vb6
Published: September 29, 2025
Downloadable IOCs: 0

Olymp Loader: A new Malware-as-a-Service written in Assembly

Olymp Loader is a recently emerged Malware-as-a-Service offering advertised on underground forums since June 2025. Developed by a team called OLYMPO, it's written in assembly language and marketed as fully undetectable. The loader executes other malware on victim systems and provides built-in steal…
loader
lummac2
stealer
amadey
malware-as-a-service
telegram
evasion techniques
crypter
raccoon
underground forums
2025-09-29
qasarrat
webrat
olymp loader
assembly
Published: September 29, 2025
Downloadable IOCs: 19

Beyond Signatures: Detecting Lumma Stealer with an ML-Powered Sandbox

This analysis focuses on a new variant of Lumma Stealer, a malware that reemerged after a brief hiatus following a law enforcement operation. The article details the malware's code obfuscation, evasion techniques, and persistence mechanisms. It describes Netskope's machine learning-based detection …
persistence
anti-analysis
lumma stealer
autoit
nsis
evasion techniques
machine learning
sandbox
2025-09-25
Published: September 25, 2025
Downloadable IOCs: 1

CountLoader: New Malware Loader Being Served in 3 Different Versions

A new malware loader named CountLoader has been identified, strongly associated with Russian ransomware gangs. It comes in three versions: .NET, PowerShell, and JScript. The threat is believed to be part of an Initial Access Broker's toolset or used by a ransomware affiliate linked to LockBit, Blac…
phishing
ransomware
powershell
ukraine
lumma stealer
malware loader
.net
cobaltstrike
jscript
purehvnc
evasion techniques
initial access broker
adaptixc2
2025-09-19
countloader
Published: September 19, 2025
Downloadable IOCs: 27

Technical Analysis of SmokeLoader Version 2025

SmokeLoader, a modular malware loader active since 2011, has resurfaced with new versions in 2025 after Operation Endgame suppressed its activity. The latest variants, 2025 alpha and 2025, include bug fixes and improvements to evade detection. Key changes include a new mutex check in the stager, mo…
persistence
anti-analysis
malware loader
smokeloader
evasion techniques
dofoil
2025-09-16
smoke
version 2025
network protocol
bug fixes
Published: September 16, 2025
Downloadable IOCs: 24

Malware Campaign Leverages SVGs, Email Attachments, and CDNs to Drop XWorm and Remcos via BAT Scripts

A sophisticated malware campaign has been uncovered that utilizes various techniques to deliver Remote Access Trojans (RATs) such as XWorm and Remcos. The attack chain begins with a ZIP archive, often hosted on trusted platforms like ImgKit, containing obfuscated BAT scripts. These scripts execute …
obfuscation
xworm
rat
phishing
powershell
remcos
evasion techniques
bat scripts
svg
fileless execution
2025-09-11
Published: September 11, 2025
Downloadable IOCs: 2

MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access

A sophisticated phishing campaign targeting Japanese users employs MostereRAT, a Remote Access Trojan that utilizes advanced evasion techniques. The attack chain involves multiple stages, including an Easy Programming Language (EPL) payload, security tool disabling, and mTLS-secured C2 communicatio…
phishing
anydesk
remote access
evasion techniques
2025-09-09
tightvnc
mostererat
epl
mtls
Published: September 9, 2025
Downloadable IOCs: 12

Android Document Readers and Deception: Tracking the Latest Updates to Anatsa

Anatsa, an Android banking malware first discovered in 2020, has evolved with new capabilities and targets. The latest variant now affects over 831 financial institutions worldwide, including new countries and cryptocurrency platforms. Anatsa has streamlined its payload delivery, implemented DES ru…
android
cryptocurrency
credential theft
banking trojan
anatsa
teabot
evasion techniques
coper
joker
google play store
financial institutions
2025-08-22
harly
facestealer
Published: August 22, 2025
Downloadable IOCs: 0

Unmasking AsyncRAT: Navigating the labyrinth of forks

AsyncRAT, an open-source remote access trojan, has evolved into a sprawling network of forks and variants since its 2019 release. The article explores its origins, tracing influence from Quasar RAT, and maps out the relationships among various forks. DcRat and VenomRAT emerge as the most widely dep…
asyncrat
dcrat
venomrat
quasar rat
evasion techniques
remote access trojan
2025-07-16
2025-08-12
santarat
boratrat
xiebrorat
noneuclid rat
jasonrat
malware forks
Published: August 12, 2025
Downloadable IOCs: 22

Powerful MaaS On the Prowl for Credentials and Crypto Assets

Katz Stealer is a sophisticated infostealer marketed as Malware-as-a-Service (MaaS), launched in early 2025. It features robust credential and data theft capabilities, along with modern evasion and anti-analysis techniques. The stealer targets a wide range of personal and sensitive information, inc…
infostealer
cryptocurrency
credential theft
data exfiltration
maas
evasion techniques
browser injection
katz stealer
2025-07-17
Published: July 17, 2025
Downloadable IOCs: 31

Pay2Key's Resurgence: Iranian Cyber Warfare Targets the West

Pay2Key, an Iranian-backed ransomware-as-a-service operation, has re-emerged as Pay2Key.I2P, targeting Western organizations. Linked to the Fox Kitten APT group and collaborating with Mimic ransomware, the campaign has collected over $4 million in ransom payments in four months. The group offers an…
ransomware
raas
evasion techniques
2025-07-10
mimic
cyber warfare
pay2key
fox kitten
Published: July 10, 2025
Downloadable IOCs: 25

Fake Spam Plugin Uses Victim's Domain Name to Evade Detection

A sophisticated SEO spam infection was discovered utilizing a cleverly crafted plugin that mimics the infected domain's name to avoid detection. The malware injects spam content into websites, targeting search engine rankings, and only activates under specific conditions like when a crawler is dete…
obfuscation
wordpress
evasion techniques
search engine manipulation
code injection
remote control
2025-07-06
stealth malware
seo spam
plugin disguise
Published: July 6, 2025
Downloadable IOCs: 1

Eggs in a Cloudy Basket: Skeleton Spider's Trusted Cloud Malware Delivery

Skeleton Spider, also known as FIN6, is a financially motivated cybercrime group that has evolved from POS breaches to broader enterprise threats. They employ social engineering tactics, posing as job seekers on platforms like LinkedIn to deliver phishing messages. Their preferred payload is more_e…
backdoor
phishing
social engineering
aws
evasion techniques
more_eggs
2025-06-11
cloud infrastructure
resume lures
skeleton spider
Published: June 11, 2025
Downloadable IOCs: 24

Katz Stealer Threat Analysis

Katz Stealer is a sophisticated credential-stealing malware-as-a-service that targets multiple browsers, cryptocurrency wallets, and communication platforms. It employs advanced evasion techniques like geofencing, VM detection, and process hollowing. The infection chain involves obfuscated JavaScri…
cryptocurrency
process-hollowing
credential-stealer
2025-05-26
katz stealer
uac-bypass
browser-targeting
discord-hijacking
evasion-techniques
Published: May 26, 2025
Downloadable IOCs: 34

Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT

A new PowerShell-based shellcode loader has been discovered, designed to execute a variant of Remcos RAT. The attack chain begins with malicious LNK files in ZIP archives, using mshta.exe for initial execution. The loader employs fileless techniques, executing code directly in memory to evade tradi…
powershell
keylogger
process hollowing
remcos rat
evasion techniques
uac bypass
shellcode loader
2025-05-15
tls communication
fileless execution
Published: May 15, 2025
Downloadable IOCs: 5

New Stealer on the Horizon

SvcStealer 2025 is a novel information stealer delivered through spear phishing email attachments. It harvests sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates specific proce…
cryptocurrency
information stealer
c2 communication
evasion techniques
spear phishing
data harvesting
svcstealer
2025-04-23
Published: April 23, 2025
Downloadable IOCs: 4

Detecting Multi-Stage Infection Chains Madness

This analysis examines a complex multi-stage attack exploiting a resilient network infrastructure known as 'Cloudflare tunnel infrastructure to deliver multiple RATs' since February 2024. The infection chain involves multiple steps, including phishing emails with malicious attachments, execution of…
phishing
asyncrat
infection chain
multi-stage attack
evasion techniques
2025-04-22
cloudflare tunnel
cyber threat intelligence
detection rules
Published: April 22, 2025
Downloadable IOCs: 15

BRICKSTORM Backdoor Analysis: A Persistent Espionage Threat to European Industries

This analysis examines BRICKSTORM, an espionage backdoor linked to China-nexus cluster UNC5221. It details newly identified Windows variants, expanding on previous Linux presence. The backdoor, used in long-term espionage campaigns, targets European industries of strategic interest to China. BRICKS…
backdoor
espionage
brickstorm
evasion techniques
china-nexus
file management
2025-04-16
network tunneling
european industries
Published: April 16, 2025
Downloadable IOCs: 4

ViperSoftX Malware Distributed by Arabic-Speaking Threat Actor

An Arabic-speaking threat actor has been distributing ViperSoftX malware to Korean victims since April 1, 2025. The malware, typically spread through cracked software or torrents, operates as a PowerShell script and communicates with C&C servers. The campaign involves downloading additional malware…
powershell
purecrypter
quasar rat
vipersoftx
evasion techniques
vbs
2025-04-10
c&c communication
arabic-speaking
Published: April 10, 2025
Downloadable IOCs: 0

Silent Credit Card Thief Uncovered

A sophisticated credit card skimming campaign dubbed 'RolandSkimmer' has been discovered, targeting users in Bulgaria. The attack utilizes malicious browser extensions across Chrome, Edge, and Firefox, initiated through a deceptive LNK file. The malware employs obfuscated scripts to establish persi…
persistence
lnk file
evasion techniques
browser extensions
obfuscated scripts
2025-04-04
credit card skimming
financial data theft
rolandskimmer
bulgaria
Published: April 4, 2025
Downloadable IOCs: 0

Delivering Trojans Via ClickFix Captcha

A new social engineering technique exploiting ClickFix Captcha has emerged as an effective method for delivering various types of malware, including Quakbot. This technique deceives users and bypasses security measures by utilizing a seemingly harmless captcha. The process involves redirecting user…
obfuscation
social engineering
powershell
qbot
banking trojan
evasion techniques
2025-04-01
clickfix captcha
php dropper
quakbot
Published: April 1, 2025
Downloadable IOCs: 0

VanHelsing: New RaaS in Town

VanHelsing RaaS, a new ransomware-as-a-service program launched on March 7, 2025, has quickly gained traction in the cybercrime world. With a low $5,000 deposit for affiliates, it offers an 80% cut of ransom payments. The service provides a user-friendly control panel and targets multiple platforms…
encryption
cybercrime
ransomware-as-a-service
evasion techniques
multi-platform
2025-03-23
vanhelsing
affiliate program
Published: March 23, 2025
Downloadable IOCs: 0

SVC New Stealer on the Horizon

SvcStealer 2025 is a newly discovered information stealer malware distributed through spear phishing emails. It targets sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates speci…
cryptocurrency
data exfiltration
information stealer
c2 communication
evasion techniques
spear phishing
2025-03-21
svcstealer
Published: March 21, 2025
Downloadable IOCs: 0

Python Bot Delivered Through DLL Side-Loading

A sophisticated malware campaign employs DLL side-loading to deliver a Python bot. The attack begins with a ZIP archive containing a legitimate PDF reader executable and a hidden malicious DLL. When executed, the malicious DLL is loaded instead of the intended Microsoft one, altering the PDF reader…
persistence
dll side-loading
evasion techniques
bitbucket
2025-03-18
code obfuscation
pdf reader
python bot
Published: March 18, 2025
Downloadable IOCs: 0

Deep Dive Into Allegedly AI-Generated FunkSec Ransomware

A new Rust-based ransomware called FunkSec has emerged, claiming to use artificial intelligence in its development. First appearing in 2024, it demonstrates a mix of sophisticated capabilities and developmental inconsistencies. FunkSec implements advanced features like XChaCha20 encryption and comp…
ransomware
persistence
evasion techniques
anti-vm
funksec
2025-03-04
ai-generated
Published: March 4, 2025
Downloadable IOCs: 1

Scalable Vector Graphics files pose a novel phishing threat

Cybercriminals are exploiting the SVG file format to conduct phishing attacks that bypass existing anti-spam and anti-phishing protection. These attacks involve email messages with .svg file attachments, which open in the default browser on Windows computers. The SVG files contain anchor tags and s…
phishing
social engineering
credential theft
evasion techniques
2025-02-05
nymeria
file format abuse
svg
browser-based attacks
troj/autoit-dhb
email attachments
Published: February 5, 2025
Downloadable IOCs: 0

AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again

A new AsyncRAT malware campaign has been identified, utilizing malicious payloads delivered through TryCloudflare quick tunnels and Python packages. The attack chain begins with a phishing email containing a Dropbox URL, leading to a ZIP file with an internet shortcut. This triggers a series of dow…
xworm
phishing
python
dropbox
asyncrat
venomrat
process injection
evasion techniques
trycloudflare
remote access trojan
2025-02-01
Published: February 1, 2025
Downloadable IOCs: 0

Stealthy Cyber Attacks: LNK Files & SSH Commands Playbook

This analysis explores a rising trend in cyber attacks where threat actors leverage LNK files and SSH commands as initial infection vectors. The attackers use meticulously crafted shortcut files, often disguised as legitimate documents, to execute commands using Living-off-the-Land Binaries (LOLBin…
powershell
evasion techniques
lnk files
rundll32
2024-12-19
hackbrowserdata
scp
living-off-the-land binaries
cyber attacks
ssh commands
Published: December 19, 2024
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2017-11882, CVE-2024-21893
Downloadable IOCs: 6

NodeLoader Exposed: The Node.js Malware Evading Detection

Zscaler ThreatLabz discovered a malware campaign using Node.js applications for Windows to distribute cryptocurrency miners and information stealers. Named NodeLoader, this malware family employs Node.js compiled executables to deliver second-stage payloads like XMRig, Lumma, and Phemedrone Stealer…
social engineering
node.js
lumma stealer
evasion techniques
information stealers
2024-12-13
game streaming
cryptocurrency miners
nodeloader
Published: December 13, 2024
Downloadable IOCs: 0

BabbleLoader

BabbleLoader is a highly evasive malware loader designed to bypass antivirus and sandbox environments to deliver stealers into memory. It employs sophisticated techniques such as junk code insertion, metamorphic transformations, dynamic API resolution, and anti-sandboxing measures. The loader's fea…
loader
stealer
evasion techniques
2024-11-19
babbleloader
dynamic api resolution
anti-sandboxing
whitesnake
meduza
metamorphism
Published: November 19, 2024
Downloadable IOCs: 43

Grandoreiro banking trojan: overview of recent versions and new tricks

Grandoreiro is a Brazilian banking trojan that has evolved into a global financial threat, targeting over 1,700 banks and 276 crypto wallets in 45 countries. Despite law enforcement efforts, the malware remains active, with new versions featuring enhanced evasion techniques like multiple Domain Gen…
credential theft
remote access
grandoreiro
banking trojan
brazil
evasion techniques
2024-10-22
financial malware
global threat
Published: October 22, 2024
Downloadable IOCs: 0

Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions

EDRSilencer, a red team tool designed to interfere with endpoint detection and response (EDR) solutions, has been discovered being abused by threat actors. It leverages the Windows Filtering Platform to block EDR traffic, concealing malicious activity. The tool dynamically identifies running EDR pr…
evasion techniques
2024-10-15
edrsilencer
windows filtering platform
red team tool
endpoint security
Published: October 15, 2024
Downloadable IOCs: 0

Mamba 2FA: A new contender in the AiTM phishing ecosystem

Mamba 2FA is a newly discovered adversary-in-the-middle (AiTM) phishing kit being sold as phishing-as-a-service (PhaaS). It features capabilities similar to other popular AiTM phishing services, including handling two-step verifications for non-phishing-resistant MFA methods, supporting various aut…
phishing
aitm
phaas
microsoft 365
evasion techniques
2024-10-07
socket.io
multi-factor authentication
mamba 2fa
Published: October 7, 2024
Downloadable IOCs: 0

XWorm: Analysis of Latest Version and Execution Flow

XWorm, a versatile tool discovered in 2022, enables attackers to access sensitive information, gain remote access, and deploy additional malware. The latest version's infection chain begins with a Windows Script File downloading a PowerShell script from paste.ee. This script creates multiple files,…
xworm
infection chain
remote access
process injection
2024-10-03
evasion techniques
reflective loading
telegram notification
Published: October 3, 2024
Downloadable IOCs: 8

A Measure of Motive: How Attackers Weaponize Digital Analytics Tools

Threat actors are repurposing digital analytics and advertising tools to evade detection and enhance their malicious campaigns. The report explores how link shorteners, IP geolocation utilities, CAPTCHA systems, and advertising intelligence platforms are being weaponized. It provides insights into …
phishing
malvertising
captcha
2024-09-30
azorult
sockrat
adwind
jsocket
jrat
jfrutas
jbifrost
alienspy
trojan.maljava
frutas
unrecom
geolocation
evasion techniques
kraken ransomware
turkeydrop
friendspeak
dancefloor
link shorteners
digital analytics
advertising tools
mixlabel
Published: September 30, 2024
Downloadable IOCs: 10
Click here to see more Attack Reports