Tag: initial access broker

8 Attack Reports | 0 Vulnerabilities

Attack reports

Threat Spotlight: Storm-0249 Moves from Mass Phishing to Precision EDR Exploitation

Storm-0249, a seasoned initial access broker, has evolved from mass phishing to sophisticated post-exploitation tactics. The group now abuses legitimate Endpoint Detection and Response processes, particularly SentinelOne's SentinelAgentWorker.exe, through DLL sideloading. This allows them to concea…
ransomware
dll sideloading
domain spoofing
initial access broker
fileless execution
stealth tactics
2025-12-10
edr exploitation
Published: December 10, 2025
Downloadable IOCs: 3

CountLoader: New Malware Loader Being Served in 3 Different Versions

A new malware loader named CountLoader has been identified, strongly associated with Russian ransomware gangs. It comes in three versions: .NET, PowerShell, and JScript. The threat is believed to be part of an Initial Access Broker's toolset or used by a ransomware affiliate linked to LockBit, Blac…
phishing
ransomware
powershell
ukraine
lumma stealer
malware loader
.net
cobaltstrike
jscript
purehvnc
evasion techniques
initial access broker
adaptixc2
2025-09-19
countloader
Published: September 19, 2025
Downloadable IOCs: 27

Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator

SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, employing deceptive 'fake browser update' lures to compromise systems. It leverages Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter and redirect victims. TA569 acts as an Initial Access Broker, enablin…
ransomware
lockbit
socgholish
malware-as-a-service
initial access broker
raspberry robin
mintsloader
fake updates
2025-08-08
dridex
wastedlocker
netsupportrat
traffic distribution system
domain shadowing
hades
Published: August 8, 2025
Downloadable IOCs: 33

Exploitation of Leaked Machine Keys by Initial Access Broker

An initial access broker exploited leaked Machine Keys on ASP.NET sites to gain unauthorized access to organizations. The group, tracked as TGR-CRI-0045, targeted industries in Europe and the U.S. including finance, manufacturing, and technology. They used ASP.NET View State deserialization to exec…
in-memory execution
privilege escalation
post-exploitation
iis
initial access broker
asp.net
machine keys
2025-07-09
txportmap
updf
view state deserialization
Published: July 9, 2025
Downloadable IOCs: 21

Spam campaign targeting Brazil abuses Remote Monitoring and Management tools

A spam campaign targeting Brazilian users, particularly C-level executives and financial/HR accounts, has been identified since January 2025. The campaign exploits commercial remote monitoring and management (RMM) tools, specifically PDQ Connect and N-able remote access tools. Attackers use Brazili…
dropbox
rmm
spam
initial access broker
2025-05-08
nf-e
n-able
screen connect
pdq connect
Published: May 8, 2025
Downloadable IOCs: 26

Lessons from Ted Lasso for cybersecurity success

This article draws parallels between the popular TV show Ted Lasso and the cybersecurity industry, emphasizing the importance of intellectual curiosity in the field. The author, William Largent, discusses his approach to interviewing candidates for Talos, focusing on their innate curiosity rather t…
xorddos
initial access broker
cybersecurity news
lagtoy
2025-04-24
intellectual curiosity
lagtoy backdoor
cactus ransomware
ted lasso
cisco talos
hiring process
Published: April 24, 2025
Downloadable IOCs: 4

Introducing ToyMaker

The initial access broker (IAB), whom Talos calls “ToyMaker” and assesses with medium confidence is a financially motivated threat actor, exploits vulnerable systems exposed to the internet. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. …
ransomware
powershell
anydesk
persistence
winscp
impacket
bugsleep
ssh
metasploit
initial access broker
file transfer
cactus
2025-04-23
lagtoy
toymaker
magnet ram
capture
holerun
Published: April 23, 2025
Downloadable IOCs: 20

Play Ransomware Engagement

Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group, as a key player in a recent ransomware incident. The group appears to be collaborating with the Play ransomware group, marking a shift in their tactics. This is the first observed instance of Jumpy Pisces using existi…
north korea
sliver
mimikatz
dtrack
2024-10-30
play
reconnaissance general bureau
initial access broker
korean people's army
fiddling scorpius
play ransomware
Published: October 30, 2024
Downloadable IOCs: 0
Click here to see more Attack Reports