Tag: initial access

8 Attack Reports | 0 Vulnerabilities

Attack reports

Certified OysterLoader: Tracking Rhysida ransomware gang activity via code-signing certificates

The Rhysida ransomware gang, formerly known as Vice Society, is conducting an ongoing malicious ad campaign to deliver OysterLoader malware. This initial access tool establishes a foothold on devices for dropping a persistent backdoor. The campaign uses Bing search engine advertisements to direct u…
ransomware
malvertising
latrodectus
initial access
code-signing
2025-11-03
microsoft trusted signing
oysterloader
Published: November 3, 2025
Downloadable IOCs: 271

Email-Delivered RMM: Abusing PDFs for Silent Initial Access

A targeted campaign has been observed since November 2024, primarily affecting organizations in France and Luxembourg. The attackers use socially engineered emails to deliver PDF documents containing embedded links to Remote Monitoring and Management (RMM) tool installers. This method bypasses many…
phishing
social engineering
rmm
pdf
initial access
france
2025-08-07
luxembourg
Published: August 7, 2025
Downloadable IOCs: 51

Bumblebee Malware SEO Poisoning Campaign Leads to Akira Ransomware Deployment

A coordinated threat campaign has been identified leveraging SEO poisoning to distribute Bumblebee malware via trojanized installers of IT management tools. The campaign targets users searching for legitimate software like ManageEngine OpManager. Upon execution, Bumblebee establishes initial access…
seo poisoning
lateral movement
data exfiltration
akira
credential dumping
bumblebee
initial access
akira ransomware
trojanized installers
2025-08-05
Published: August 5, 2025
Downloadable IOCs: 19

Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker's First Choice

Threat actors are increasingly using legitimate remote monitoring and management (RMM) tools as initial payloads in email campaigns. This trend aligns with a decrease in the use of traditional loaders and botnets by initial access brokers. RMMs can be exploited for data collection, financial theft,…
screenconnect
rmm
remcos
lumma stealer
asyncrat
remote access
cybercrime
grandoreiro
email campaigns
netsupport
astaroth
initial access
2025-03-12
guildma
atera
mispadu
bluetrait
fleetdeck
Published: March 12, 2025
Downloadable IOCs: 15

The BadPilot campaign: Multiyear global access operation

A Russian state actor subgroup within Seashell Blizzard has conducted a global access operation called the BadPilot campaign since 2021. The group exploits vulnerabilities in Internet-facing infrastructure to gain persistent access to high-value targets across various sectors worldwide. Their tacti…
persistence
credential theft
CVE-2024-1709
CVE-2021-34473
vulnerability exploitation
CVE-2023-42793
CVE-2023-48788
initial access
2025-02-12
CVE-2023-23397
CVE-2023-32315
badpilot
russian state actor
global operation
localolive
CVE-2022-41352
remote management
shadowlink
Published: February 12, 2025
Downloadable IOCs: 0

Technical Analysis of Zloader 2.9.0.4

The latest version of Zloader (2.9.4.0) introduces significant enhancements to its capabilities. Key features include a custom DNS tunnel protocol for C2 communications, an interactive shell supporting various commands, and updated anti-analysis techniques. The malware's distribution has become mor…
zloader
zeus
dns tunneling
banking trojan
initial access
2024-12-11
ghostsocks
Published: December 11, 2024
Downloadable IOCs: 18

Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign

A new Gootloader variant has been discovered using search engine optimization (SEO) poisoning to target Australian Bengal cat enthusiasts. The campaign uses Google search results for 'Are Bengal Cats legal in Australia?' to deliver malicious payloads. When users click on compromised links, a zip fi…
powershell
seo poisoning
javascript
gootloader
scheduled task
initial access
2024-11-06
gootkit
Published: November 6, 2024
Downloadable IOCs: 14

Increased Fog and Akira Ransomware Activity Linked to SonicWall SSL VPN

Since early August, there has been a significant increase in Fog and Akira ransomware intrusions targeting SonicWall SSL VPN users across various industries. The attacks appear opportunistic rather than targeting specific sectors. All affected devices lacked patches for CVE-2024-40766. Initial acce…
ransomware
vpn
data exfiltration
akira
CVE-2024-40766
2024-10-24
sonicwall
initial access
fog
Published: October 24, 2024
Linked vulnerabilities : CVE-2024-40766 (CVSS 9.8)
Downloadable IOCs: 16
Click here to see more Attack Reports