Tag: in-memory execution

10 Attack Reports | 0 Vulnerabilities

Attack reports

Stories from the SOC: Mystery of the postponed proxyware install

A suspicious PowerShell alert led to the discovery of an attack chain aimed at installing proxyware on a compromised system. The infection originated from a disk-cleaning utility installed three days prior, which included malicious scripts and established a connection to a C2 server. The attack uti…
powershell
node.js
c2 server
in-memory execution
proxyware
2025-11-24
download cradle
unauthorized software
disk-cleaning utility
Published: November 24, 2025
Downloadable IOCs: 11

Brazilian Campaign: Spreading the Malware via WhatsApp

A massive phishing campaign targeting Brazil is spreading malware through WhatsApp Web using an open-source automation script and loading a banking trojan into memory. The attack begins with a phishing email containing a malicious VBS script that downloads and executes an MSI file and another VBS f…
phishing
whatsapp
autoit
banking trojan
brazil
in-memory execution
selenium
sorvepotel
2025-11-24
water-saci
Published: November 24, 2025
Downloadable IOCs: 5

Sophisticated Tuoni C2 Attack on U.S. Real Estate Firm Thwarted

In October 2025, a major U.S. real estate company was targeted by a highly advanced cyberattack using the emerging Tuoni C2 framework. The attack, which showed signs of AI assistance in code generation, was neutralized by Morphisec's Automated Moving Target Defense (AMTD) technology. The campaign l…
powershell
steganography
in-memory execution
ai-assisted
real estate
2025-11-19
tuoni c2
prevention
amtd
tuoni
Published: November 19, 2025
Downloadable IOCs: 4

PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats

A sophisticated cyber espionage campaign attributed to the PRC-nexus threat actor UNC6384 targeted diplomats in Southeast Asia and other global entities. The attack chain involved hijacking web traffic through a captive portal redirect to deliver malware disguised as software updates. The multi-sta…
espionage
social engineering
in-memory execution
2025-08-26
prc-nexus
canonstager
sogu.sec
digital signatures
staticplugin
captive portal
Published: August 26, 2025
Downloadable IOCs: 9

Malvertising campaign leads to PS1Bot, a multi-stage malware framework

A malware campaign utilizing malvertising has been distributing PS1Bot, a sophisticated multi-stage framework implemented in PowerShell and C#. PS1Bot features modular design, enabling information theft, keylogging, reconnaissance, and persistent system access. The malware minimizes artifacts and u…
malvertising
powershell
cryptocurrency
modular
in-memory execution
information stealer
multi-stage
c#
2025-08-12
ahk bot
ps1bot
skitnet
Published: August 12, 2025
Downloadable IOCs: 0

XWorm V6: Advanced Evasion and AMSI Bypass Capabilities Revealed

A new version of XWorm malware (version 6.0) has been discovered, showcasing advanced features for persistence and evasion. The infection chain begins with a VBScript that downloads and executes a PowerShell script. This script implements an AMSI bypass by modifying CLR.DLL in memory, then download…
malware
xworm
evasion
persistence
anti-analysis
in-memory execution
2025-07-30
amsi bypass
Published: July 30, 2025
Downloadable IOCs: 4

Exploitation of Leaked Machine Keys by Initial Access Broker

An initial access broker exploited leaked Machine Keys on ASP.NET sites to gain unauthorized access to organizations. The group, tracked as TGR-CRI-0045, targeted industries in Europe and the U.S. including finance, manufacturing, and technology. They used ASP.NET View State deserialization to exec…
in-memory execution
privilege escalation
post-exploitation
iis
initial access broker
asp.net
machine keys
2025-07-09
txportmap
updf
view state deserialization
Published: July 9, 2025
Downloadable IOCs: 21

Fileless AsyncRAT Distributed Via Clickfix Technique Targeting German Speaking Users

A fileless AsyncRAT campaign is targeting German-speaking users through Clickfix-themed websites. The attack uses a fake 'I'm not a robot' prompt to execute malicious PowerShell code, which downloads and runs obfuscated C# code in memory. This technique enables full remote access, credential theft,…
obfuscation
powershell
asyncrat
c2
in-memory execution
fileless
clickfix
2025-06-16
german-speaking
Published: June 16, 2025
Downloadable IOCs: 0

New Bumblebee Loader Infection Chain Signals Possible Resurgence

A new infection chain for the Bumblebee loader malware has been discovered, potentially indicating its resurgence after Operation Endgame. The sophisticated downloader, first identified in March 2022, is used by cybercriminals to access corporate networks and deliver payloads like Cobalt Strike bea…
loader
pikabot
phishing
cobalt strike
icedid
lnk
darkgate
latrodectus
stealth
2024-10-21
msi
bumblebee
infection-chain
in-memory-execution
Published: October 21, 2024
Downloadable IOCs: 11

DarkGate switches up its tactics with new payload, email templates

This analysis delves into a recent surge of malicious email campaigns by the DarkGate threat actor, employing novel tactics to distribute malware. These campaigns leverage a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code…
autohotkey
darkgate
malspam
2024-06-06
template injection
email campaigns
in-memory execution
Published: June 6, 2024
Downloadable IOCs: 12
Click here to see more Attack Reports