Tag: malspam

10 Attack Reports | 0 Vulnerabilities

Attack reports

Inside DesckVB Rat Analysis: From Malspam to In-Memory RAT

DesckVB RAT emerged in February 2026 through a sophisticated malspam campaign utilizing a dynamic delivery kit that personalizes lures on-the-fly by extracting victim email addresses and pulling company logos in real-time. The attack chain routes through Google's DoubleClick domain to evade email g…
malspam
venomrat
in-memory execution
amsi bypass
2026-06-03
desckvb rat
jscript loader
Published: June 3, 2026
Downloadable IOCs: 8

Thousands of Fake Hotel Domains Used in Massive Phishing Campaign

A Russian-speaking threat actor has orchestrated a large-scale phishing campaign targeting travelers by registering over 4,300 domain names since early 2025. The sophisticated operation impersonates major travel brands like Airbnb and Booking.com to steal payment card data. The phishing sites use c…
phishing
malspam
domain registration
2025-11-11
Published: November 11, 2025
Downloadable IOCs: 4135

Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources

This article discusses a new obfuscation technique used by threat actors to conceal malware within bitmap resources embedded in seemingly benign 32-bit .NET applications. The malware employs a multi-stage process to extract, deobfuscate, load, and execute secondary payloads, ultimately leading to t…
obfuscation
steganography
malspam
.net
agent tesla
remcos rat
multi-stage
xloader
2025-05-09
bitmap
Published: May 9, 2025
Downloadable IOCs: 0

CVE-2025-24054, NTLM Exploit in the Wild

A critical vulnerability, CVE-2025-24054, related to NTLM hash disclosure via spoofing, has been actively exploited since March 19, 2025. The flaw allows attackers to leak NTLM hashes or user passwords using a maliciously crafted .library-ms file, potentially compromising systems. A campaign target…
malspam
spoofing
ntlm
CVE-2025-24054
2025-04-16
Published: April 16, 2025
Downloadable IOCs: 1

PhaaS actor uses DoH and DNS MX to dynamically distribute phishing

Infoblox discovered a phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored, login pages, spoofing over 100 brands.
phishing
cloud
malspam
2025-03-31
morphing meerkat
Published: March 31, 2025
Downloadable IOCs: 21

Lumma Stealer Malware Thrives as Unique Patterns Uncovered in the Infostealer's Domain Clusters

Recent research reveals Lumma Stealer command and control domain clusters share specific technical characteristics, enabling mapping of entire infrastructure clusters. The infostealer's logs are being shared for free on Leaky[.]pro, a new hacking forum, offering billions of stolen credential record…
malvertising
infostealer
lumma stealer
credential theft
youtube
malspam
sectoprat
c2 infrastructure
2025-02-22
domain clusters
Published: February 22, 2025
Downloadable IOCs: 0

Malware Distributed Using Falcon Sensor Update Phishing Lure

CrowdStrike Intelligence uncovered a phishing campaign impersonating CrowdStrike and distributing malicious files containing a Microsoft Installer (MSI) loader. The loader executes the commodity stealer 'Lumma Stealer' packed with 'CypherIt'. This campaign is likely linked to a previous 'Lumma Stea…
phishing
stealer
lumma stealer
malspam
lumma
2024-07-29
Published: July 29, 2024
Downloadable IOCs: 32

DarkGate switches up its tactics with new payload, email templates

This analysis delves into a recent surge of malicious email campaigns by the DarkGate threat actor, employing novel tactics to distribute malware. These campaigns leverage a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code…
autohotkey
darkgate
malspam
2024-06-06
template injection
email campaigns
in-memory execution
Published: June 6, 2024
Downloadable IOCs: 12

Files with TXZ extension used as malspam attachments

A recent report describes a malspam campaign distributing malware payloads in attachments with TXZ file extensions. The attachments were RAR archives with renamed extensions, likely attempting to exploit native TXZ support in Windows 11. Two campaigns distributed the payloads, one with GuLoader mal…
malspam
2024-05-28
formbook
guloader
Published: May 28, 2024
Downloadable IOCs: 2

Security Brief: Millions of Messages Distribute LockBit Black Ransomware

In late April 2024, Proofpoint observed high-volume email campaigns facilitated by the Phorpiex botnet, distributing millions of messages with attachments leading to LockBit Black ransomware infections. The messages appeared to originate from 'Jenny Green' and contained ZIP attachments with executa…
ransomware
lockbit
botnet
2024-05-08
malspam
phorpiex
lockbit black
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Downloadable IOCs: 16
Click here to see more Attack Reports