Tag: malware

86 Attack Reports | 0 Vulnerabilities

Attack reports

Steganography Analysis With pngdump.py

This article discusses the analysis of a PNG file containing hidden malicious content using the pngdump.py tool. The image, 31744 pixels wide and 1 pixel high, was found to have a PE file embedded in its pixel data. The author demonstrates how to extract the hidden file using various Python tools a…
malware
python
steganography
2025-04-26
pe file
data extraction
file analysis
png
pngdump
Published: April 26, 2025
Downloadable IOCs: 0

Threat actors leverage tax season to deploy tax-themed phishing campaigns

Microsoft has observed several phishing campaigns using tax-related themes to steal credentials and deploy malware as Tax Day approaches in the United States. These campaigns use redirection methods like URL shorteners and QR codes in malicious attachments, and abuse legitimate services to avoid de…
malware
phishing
social engineering
remcos
credential theft
latrodectus
guloader
redirection
qr codes
remote access trojans
2025-04-03
tax season
ahkbot
bruteratel c4
Published: April 3, 2025
Downloadable IOCs: 0

Money Laundering 101, and why there is concern

This newsletter discusses the process of money laundering in the context of cybercrime, particularly ransomware attacks. It explains the three basic steps of money laundering: placement, layering, and integration. The author expresses concern about regulatory changes that might facilitate easier mo…
malware
ransomware
cryptocurrency
spam
cybercrime
email security
w32.file.malparent
coinminer:mbt.26mw.in14.talos
2025-03-28
trojan.generickd.33515991
money laundering
simple_custom_detection
regulatory changes
Published: March 28, 2025
Downloadable IOCs: 0

Melting Pot of macOS Malware Adds Go to Crystal, Nim and Rust Variants

ReaderUpdate, a macOS malware loader platform active since 2020, has evolved to include variants written in Crystal, Nim, Rust, and now Go programming languages. Originally a compiled Python binary, the malware has been largely dormant until late 2024. The loader is capable of executing remote comm…
malware
loader
persistence
macos
adware
rust
go
2025-03-26
nim
genieo
crystal
silver toucan
dolittle
wizardupdate
updateagent
readerupdate
Published: March 26, 2025
Downloadable IOCs: 12

Negative Exposure: Edimax Network Cameras Used to Spread Mirai

The Akamai Security Intelligence and Response Team (SIRT) has identified a critical command injection vulnerability, CVE-2025-1316, in Edimax IC-7100 IP cameras. This flaw allows attackers to execute arbitrary commands remotely, leading to the integration of these devices into Mirai-based botnets. …
malware
exploit
botnet
mirai
sha256
2025-03-17
sha256 hash
Published: March 17, 2025
Downloadable IOCs: 28

SPYLEND: The Android App Available on Google Play Store: Enabling Financial Cyber Crime & Extortion

A sophisticated Android malware called SpyLend, disguised as a 'Finance Simplified' app, is targeting Indian users through the Google Play Store. The app leverages location-based targeting to display unauthorized loan applications, enabling predatory lending, blackmail, and extortion. It has rapidl…
malware
android
data theft
extortion
india
financial
2025-02-22
google play store
spylend
loan apps
Published: February 22, 2025
Downloadable IOCs: 0

LightSpy Malware Now Targets Facebook & Instagram Data

LightSpy, a modular surveillance framework, has expanded its capabilities to target Facebook and Instagram data. The malware, initially focused on mobile devices, now compromises Windows, macOS, Linux, and routers. Recent analysis reveals a significant expansion in its command list, with over 100 c…
malware
surveillance
lightspy
plugins
infrastructure
command and control
facebook
2025-02-21
instagram
Published: February 21, 2025
Downloadable IOCs: 27

Inside the Scam: North Korea's IT Worker Threat

North Korea has exploited remote work opportunities to infiltrate international companies with fraudulent IT workers, generating revenue and posing cybersecurity risks. The group PurpleBravo targets cryptocurrency firms using malware like BeaverTail and InvisibleFerret. At least seven suspected Nor…
malware
espionage
north korea
cryptocurrency
beavertail
invisibleferret
remote work
2025-02-13
ottercookie
front companies
it workers
Published: February 13, 2025
Downloadable IOCs: 43

Hackers Hijack JFK File Release: Malware & Phishing Surge

A potentially growing cyber threat campaign has been uncovered surrounding the release of declassified JFK, RFK, and MLK files. Attackers are exploiting public interest in these historical documents to launch malware campaigns, phishing schemes, and exploit attempts. Within days of the announcement…
malware
phishing
social engineering
ransomware
spyware
domain spoofing
2025-02-03
cyber threat
trojans
declassified files
historical documents
jfk files
Published: February 3, 2025
Downloadable IOCs: 4

Unpacking the Diicot Malware Targeting Linux Environments

A new malware campaign attributed to the Romanian-speaking Diicot threat group has been discovered targeting Linux systems. The campaign shows significant advancements compared to previous iterations, including modified UPX headers with corrupted checksums, advanced payload staging, and environment…
malware
linux
openssh
xmrig
persistence
cryptomining
brute-force
2024-12-17
reverse-shell
upx
Published: December 17, 2024
Downloadable IOCs: 36

BADBOX Botnet Is Back

The BADBOX botnet, previously thought to be contained, has resurfaced with increased scope and sophistication. Recent findings reveal over 192,000 infected devices, including high-end Yandex 4K QLED Smart TVs and Hisense smartphones, expanding beyond the initially targeted off-brand Android devices…
malware
android
supply chain
botnet
proxy
ad fraud
triada
2024-12-17
badbox
firmware
smart tv
Published: December 17, 2024
Downloadable IOCs: 22

First UEFI bootkit malware for Linux discovered

A groundbreaking discovery has been made in the realm of cybersecurity: the first UEFI bootkit specifically targeting Linux systems. Named 'Bootkitty,' this proof-of-concept malware marks a significant evolution in stealthy and hard-to-remove bootkit threats. Although currently limited to certain U…
malware
linux
cybersecurity
kernel
2024-11-27
uefi
bootkit
bcdropper
ubuntu
proof-of-concept
bootkitty
bcobserver
Published: November 27, 2024
Downloadable IOCs: 0

Glove Stealer bypasses Chrome's App-Bound Encryption to steal cookies

Researchers have discovered a new .NET-based information stealer called Glove Stealer that targets browser extensions and local software to steal sensitive data like cookies, passwords, and cryptocurrency wallets. It uses a novel technique to bypass Chrome's App-Bound encryption by exploiting the I…
malware
phishing
information stealer
2024-11-16
chrome
encryption bypass
glove stealer
Published: November 16, 2024
Downloadable IOCs: 0

Russian Hackers Attacking Ukraine Military With Malware Via Telegram

Russian hackers, identified as UNC5812, are targeting the Ukrainian military through a sophisticated cyber operation. The attackers use a deceptive Telegram channel and website posing as a civil defense service to distribute malware for both Windows and Android devices. The Windows attack deploys P…
malware
social engineering
android
windows
russia
ukraine
information theft
telegram
cyber-espionage
pronsis loader
sunspinner
craxsrat
purestealer
2024-10-31
Published: October 31, 2024
Downloadable IOCs: 7

New wave of Bumblebee malware attacks warned

Security researchers have detected new attacks involving the Bumblebee malware loader, just four months after Europol disrupted its operations in Operation Endgame. The malware has resurfaced with updated tactics, using MSI files disguised as legitimate software installers to deliver its payload di…
malware
loader
phishing
ransomware
evasion
in-memory
msi
bumblebee
2024-10-22
Published: October 22, 2024
Downloadable IOCs: 9

New Linux Malware Targeting ATMs for Financial Fraud

A recent analysis reveals a new variant of the FASTCash malware, designed to compromise financial networks by manipulating payment transactions. Developed by threat actors potentially linked to North Korean hacking groups, this Linux version specifically targets Ubuntu 20.04 systems in ATMs. It int…
malware
linux
fraud
fastcash
2024-10-17
financial
transaction
atm
Published: October 17, 2024
Downloadable IOCs: 12

Hive0147 serving juicy Picanha with a side of Mekotio

IBM X-Force observed Hive0147, a highly active threat group in Latin America, distributing a new Golang-based downloader named Picanha to deploy the Mekotio banking trojan. Picanha is a two-stage malware that uses advanced techniques like direct syscalls and supports multiple download URLs, reliabl…
malware
trojan
banking
downloader
mekotio
2024-10-17
banker.fn
picanha
Published: October 17, 2024
Downloadable IOCs: 20

A Website Attacked

This report investigates a watering hole attack on a U.S. apartment website that delivered malware by spoofing a fake browser update. The investigation uncovered dozens of other compromised websites from various industries like healthcare, retail, and consumer sites. The compromised sites loaded ma…
malware
netsupport
spoofing
watering hole
2024-10-16
browser updates
compromised websites
Published: October 16, 2024
Downloadable IOCs: 72

The New Malware Distribution Service

This analysis uncovers a novel malware distribution mechanism utilizing VBE scripts stored in archive files to spread various malware families, including AgentTesla, Remcos, Snake, and NjRat. It details the infection chain, which involves downloading encoded files from a command-and-control server,…
malware
evasion
remcos
injection
njrat
bladabindi
njw0rm
lv
keylogger
2024-10-16
agenttesla
ekans
snakehose
distribution
Published: October 16, 2024
Downloadable IOCs: 7

FASTCash for Linux

A newly identified variant of FASTCash "payment switch" malware specifically targets the Linux operating system, as well as Microsoft Windows, according to CISA and the Department of Homeland Security (DHS).
malware
linux
windows
code
cisa
2024-10-15
bluenoroff
fastcash
linux variant
ubuntu linux
atms
lira
linux sample
atmpos
triton
format
aix
Published: October 15, 2024
Downloadable IOCs: 12

Hidden in Plain Sight: ErrorFather’s Deadly Deployment of Cerberus

This report examines a campaign called 'ErrorFather' that utilizes an undetected variant of the Cerberus Android Banking Trojan. The campaign employed a sophisticated multi-stage dropper technique to deploy the malicious payload, which incorporated features like keylogging, overlay attacks, VNC, an…
malware
android
dropper
banking
overlay
2024-10-15
cerberus
Published: October 15, 2024
Downloadable IOCs: 20

Technical Analysis of a Novel IMEEX Framework

The IMEEX framework is a newly discovered, custom-built malware targeting Windows systems. Delivered as a 64-bit DLL, it offers extensive control over compromised machines, featuring execution of additional modules, file manipulation, process management, registry modification, and remote command ex…
malware
windows
persistence
infrastructure
stealth
2024-10-14
imeex
Published: October 14, 2024
Downloadable IOCs: 9

From Perfctl to InfoStealer

A new stealthy Linux malware called perfctl has been analyzed. The malware runs two processes: perfctl and a disguised process mimicking known Linux processes. It uses Tor for external communications and local sockets for inter-process communication. After 30 minutes, the attacker drops scripts to …
malware
linux
rootkit
cryptominer
data exfiltration
stealth
perfctl
2024-10-09
trufflehog
Published: October 9, 2024
Downloadable IOCs: 3

Cuckoo Threat Actor Arsenal

This report delves into the technical aspects of the NOOPDOOR and NOOPLDR malwares employed by the APT10 threat actor in the Cuckoo Spear campaign. The analysis reveals how these tools operate and the potential risks they pose, helping cybersecurity professionals better understand and defend agains…
malware
loader
persistence
injection
shellcode
noopdoor
2024-10-07
apt10
noopldr
cuckoo spear
Published: October 7, 2024
Downloadable IOCs: 9

North Korea Still Attacking Developers via npm

Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloa…
malware
obfuscation
python
cryptocurrency
exfiltration
persistence
javascript
moonstone sleet
npm
2024-09-30
contagious interview
multi-stage attack
Published: September 30, 2024
Downloadable IOCs: 12

Observes Targeted Attacks Amid FBI Warnings

The report details targeted attacks observed by Jamf Threat Labs that align with FBI warnings about the Democratic People's Republic of Korea (DPRK) targeting individuals in the crypto industry through social engineering tactics for malware delivery. It outlines attack scenarios involving malicious…
malware
backdoor
infostealer
northkorea
2024-09-17
socialengineering
rustdoor
thiefbucket
cryptoindustry
Published: September 17, 2024
Downloadable IOCs: 8

A SOC Team’s Guide to Detecting macOS Atomic Stealers

This article provides an analysis of the Atomic Infostealer malware family, which has been targeting macOS users throughout 2024. It discusses the various evolving variants, such as Amos, Banshee, Cthulu, Poseidon, and RodrigoStealer, developed and distributed by competing threat actor groups. The …
malware
obfuscation
infostealer
macos
crimeware
poseidon
2024-09-13
rodrigostealer
cthulu
amos atomic
banshee
Published: September 13, 2024
Downloadable IOCs: 3

There's Something About CryptBot: Yet Another Silly Stealer

This report provides an in-depth technical analysis of a new variant of the CryptBot infostealer, dubbed Yet Another Silly Stealer (YASS). It details the delivery chain, involving the MustardSandwich downloader, and dissects the YASS payload's functionalities, including its data gathering, encrypti…
malware
infostealer
cryptbot
stealer
exfiltration
netsupport
downloader
2024-09-11
yass
mustardsandwich
Published: September 11, 2024
Downloadable IOCs: 13

Earth Preta Evolves its Attacks with New Malware and Strategies

Trend Micros discusses analysis of Earth Preta’s enhancements in their attacks by introducing new tools, malware variants and strategies to their worm-based attacks and their time-sensitive spear-phishing campaign.
malware
plugx
persistence
execution
find
2024-09-10
winrar
earth preta
pubload
trojanspy
indonesia
hiupan
pullbait
fdmtp c
plugx c
pubload c
preta
fdmtp
Published: September 10, 2024
Downloadable IOCs: 41

Threat Assessment: North Korean Threat Groups

This assessment evaluates several North Korean threat groups operating under the Reconnaissance General Bureau. It describes their organizational structure, objectives, and the diverse malware families employed in their recent campaigns targeting various industries worldwide. The analysis covers 10…
malware
espionage
cybercrime
northkorea
rats
comebacker
rustbucket
kandykorn
2024-09-10
collectionrat
fullhouse
poolrat
odicloader
objcshellz
pondrat
smoothoperator
Published: September 10, 2024
Downloadable IOCs: 58

LummaC2 Malware and Malicious Chrome Extension Delivered

In August 2024, eSentire's Threat Response Unit observed a sophisticated attack involving LummaC2 stealer malware and a malicious Google Chrome browser extension. The attack leveraged DLL side-loading to execute a loader delivering the malware and a PowerShell script that installed the extension. T…
malware
lummac2
stealer
credentials
browser
2024-09-09
crypto
remote
extension
control
Published: September 9, 2024
Downloadable IOCs: 7

Ailurophile Stealer

This analysis examines a newly identified threat dubbed 'Ailurophile Stealer,' a malware designed to compromise victims' systems by extracting sensitive browser data including stored credentials, cookies, and browsing history. The stealer utilizes various techniques like placing malicious files in …
malware
stealer
exfiltration
credential
browser
ailurophile stealer
2024-09-09
Published: September 9, 2024
Downloadable IOCs: 3

Loki: a new private agent for the popular Mythic framework

Kaspersky researchers discovered a previously unknown Loki backdoor, utilized in a series of targeted attacks. Analysis revealed that Loki is a private version of an agent compatible with the open-source Mythic framework. The malware employs techniques like memory encryption, indirect system API ca…
malware
backdoor
loader
2024-09-09
mythic
agent
hellokitty
Published: September 9, 2024
Downloadable IOCs: 7

Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool

Cybercriminals are employing a sophisticated two-stage malware campaign masquerading as the Palo Alto GlobalProtect tool to infiltrate systems in the Middle East region. The malware leverages a complex command-and-control infrastructure, involving newly registered domains designed to resemble legit…
malware
phishing
evasion
globalprotect
2024-08-30
cnc
globalprotect.exe
Published: August 30, 2024
Linked vulnerabilities : CVE-2023-22527
Downloadable IOCs: 5

Analyzing the Mekotio Trojan

The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…
malware
obfuscation
powershell
persistence
trojan
2024-08-30
mekotio trojan
Published: August 30, 2024
Downloadable IOCs: 2

Latrodectus Rapid Evolution Continues With Latest New Payload Features

This report discusses the latest updates to the Latrodectus malware, including a different string deobfuscation approach, a new C2 endpoint, and two new backdoor commands. It provides an in-depth analysis of the new version 1.4, focusing on the new features added or updated in this variant. The rep…
malware
icedid
analysis
payload
latrodectus
2024-08-30
evolution
Published: August 30, 2024
Downloadable IOCs: 10

Decoding the Stealthy Memory-Only Malware

This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
malware
obfuscation
powershell
infostealer
cryptbot
javascript
2024-08-23
lummac.v2
shadowladder
Published: August 23, 2024
Downloadable IOCs: 23

Report on Ukraine government attack campaign

Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
malware
powershell
data theft
ukraine
exfiltration
government
spectr
2024-08-23
firmachagent
Published: August 23, 2024
Downloadable IOCs: 33

NGate Android malware relays NFC traffic to steal cash

ESET researchers uncovered a crimeware campaign targeting bank customers in Czechia. The NGate Android malware can relay NFC data from victims' payment cards to attackers' devices, enabling unauthorized ATM withdrawals. It's the first time this capability has been observed in the wild. The campaign…
malware
phishing
android
banking
2024-08-22
czechia
ngate
relay
nfc
Published: August 22, 2024
Downloadable IOCs: 12

GreenCharlie Infrastructure Linked to US Political Campaign Targeting

An analysis by Insikt Group revealed a significant surge in cyber threat activities from GreenCharlie, an Iran-linked group associated with Mint Sandstorm, Charming Kitten, and APT42. The group persistently targets US political and governmental entities through sophisticated phishing operations inv…
malware
apt
espionage
phishing
iran
2024-08-21
powerstar
gorble
Published: August 21, 2024
Downloadable IOCs: 111

Double Trouble: Latrodectus And ACR Stealer Observed Spreading Via Google Authenticator Phishing Site

The Cyble Research and Intelligence Lab (CRIL) discovered a sophisticated phishing website mimicking Google Safety Centre, designed to trick users into downloading malware. The malware, compromising security and stealing sensitive information, drops two threats: Latrodectus, which maintains persist…
malware
phishing
stealer
latrodectus
downloader
cybersecurity
acr stealer
2024-08-20
Published: August 20, 2024
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2017-11882, CVE-2024-21412, CVE-2024-21893
Downloadable IOCs: 15

Exploring the D3F@ck Malware-as-a-Service Loader

This report analyzes the D3F@ck Loader, a malware-as-a-service (MaaS) offering orchestrated by an individual going by the alias Sergei Panteleevich. The loader utilizes various evasion techniques, including the use of Extended Validation certificates, Inno Setup installers with custom Pascal script…
malware
loader
obfuscation
stealer
danabot
metastealer
sectoprat
2024-08-19
raccoon stealer
certificates
d3f@ck loader
Published: August 19, 2024
Linked vulnerabilities : CVE-2024-7593 (CVSS 9.8)
Downloadable IOCs: 4

Ande Loader Leads to 0bj3ctivity Stealer Infection

In July 2024, eSentire's Threat Response Unit observed a phishing attack leading to a 0bj3ctivity Stealer malware infection. The attack involved a malicious JavaScript file that retrieved and executed Ande Loader and the 0bj3ctivity Stealer. Ande Loader created persistence, downloaded additional pa…
malware
loader
obfuscation
phishing
stealer
infection
2024-08-12
ande loader
0bj3ctivity stealer
Published: August 12, 2024
Downloadable IOCs: 2

StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms

Volexity detected and responded to multiple incidents involving systems infected with malware linked to StormBamboo, a threat actor known for compromising internet service providers (ISPs) and leveraging DNS poisoning to redirect software update traffic to attacker-controlled servers hosting malici…
malware
dazzlespy
macma
2024-08-05
reloadext
dns poisoning
osx.cdds
pocostick
insecure updates
Published: August 5, 2024
Linked vulnerabilities : CVE-2024-3400
Downloadable IOCs: 2

Fighting Ursa Luring Targets With Car for Sale

This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure expl…
malware
backdoor
espionage
phishing
russia
headlace
2024-08-05
diplomats
Published: August 5, 2024
Linked vulnerabilities : CVE-2024-3400
Downloadable IOCs: 6

MirrorFace Attack against Japanese Organisations

The report provides in-depth details about the malware used by the threat actor MirrorFace in targeted attacks against Japanese organizations. It describes the NOOPDOOR malware's execution flow, obfuscation techniques, functionality, and the tactics, techniques, and procedures employed by the attac…
malware
apt
2024-08-02
lodeinfo
noopdoor
ttp
Published: August 2, 2024
Linked vulnerabilities : CVE-2022-1388
Downloadable IOCs: 27

Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT

This analysis examines a recent malware campaign involving a dropper dubbed Gh0stGambit, which is employed to retrieve and execute encrypted payloads, specifically a variant of the notorious Gh0st Remote Access Trojan (RAT). The report details the multi-stage infection process, including the use of…
malware
rat
evasion
encryption
dropper
gh0st rat
moudoor
mydoor
2024-07-31
Published: July 31, 2024
Linked vulnerabilities : CVE-2024-5806 (CVSS 7.4)
Downloadable IOCs: 6

Analysis of Golang Payload and Information Theft Campaign

The report details a recent cyber attack campaign attributed to the APT-C-09 (Mozambique) threat group, which has historically targeted Pakistan and surrounding nations. The campaign employed a novel Golang malware payload and Quasar RAT to gather sensitive information. The analysis covers the tech…
malware
apt
espionage
pakistan
exfiltration
golang
2024-07-30
quasar
client.exe
winver.exe
Published: July 30, 2024
Downloadable IOCs: 8

Secret Message: Steganography Tricks of TA558 Group in Cyber Attacks on Enterprises in Russia and Belarus

F.A.C.C.T.'s Threat Intelligence analysts have investigated numerous cyberattacks by the TA558 group targeting enterprises, government institutions, and banks in Russia and Belarus. The attacks aimed to steal data and gain access to the organization's internal systems. TA558 used multi-stage phishi…
malware
phishing
social engineering
russia
belarus
remcos
steganography
CVE-2017-11882
agent tesla
2024-07-30
Published: July 30, 2024
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 74

New Mandrake Android spyware version discovered on Google Play

n April 2024, Securelist discovered a suspicious sample that appeared to be a new version of Mandrake. Ensuing analysis revealed as many as five Mandrake applications, which had been available on Google Play from 2022 to 2024 with more than 32,000 installs in total, while staying undetected by any …
malware
android
spyware
google play
2024-07-29
mobile malware
mandrake
response opcode
apk file
airfs
Published: July 29, 2024
Downloadable IOCs: 9

Fake update puts visitors at risk

This intelligence report discusses SocGholish, a JavaScript downloader used by threat actors to deliver malware payloads disguised as fake browser updates. It analyzes the recent tactics, techniques, and procedures employed by threat groups like Evil Corp in compromising WordPress websites, fingerp…
malware
cobalt strike
zloader
lumma stealer
socgholish
wordpress
downloader
redline stealer
2024-07-24
netsupport rat
egregor
ryuk
fake update
badspace
Published: July 24, 2024
Downloadable IOCs: 10

Exploiting CVE-2024-21412: A Stealer Campaign Unleashed

This report details a malicious campaign exploiting the CVE-2024-21412 vulnerability in Microsoft Windows SmartScreen to bypass security warnings and deliver malware. Attackers employ crafted links, LNK files, and HTA scripts to download decoy PDFs and shell code injectors, ultimately injecting ste…
malware
evasion
windows
stealer
CVE-2024-21412
injection
pdf
meduza stealer
2024-07-24
acr stealer
Published: July 24, 2024
Linked vulnerabilities : CVE-2024-21412
Downloadable IOCs: 27

Cursed tapes: Exploiting the EvilVideo vulnerability on Telegram for Android

ESET researchers discovered a vulnerability named EvilVideo that allows attackers to share malicious Android payloads disguised as video files through Telegram for Android. The exploit makes the malicious files appear as multimedia content, tricking users into installing malware. The vulnerability …
malware
exploit
android
vulnerability
telegram
2024-07-23
android/spy.spymax.t
Published: July 23, 2024
Downloadable IOCs: 1

Warning Against the Distribution of Malware Disguised as Software Cracks

This advisory cautions about the distribution of malware masquerading as crack programs for software. The malicious actors aim to prevent the installation of V3 Lite, an anti-malware solution, by terminating its installation process. This tactic allows them to maintain persistence and continue upda…
malware
xmrig
coinminer
persistence
installer
2024-07-19
update
Published: July 19, 2024
Downloadable IOCs: 1

Analysis of Suspected APT Attack Activities by “Silver Fox”

This document examines the recent activities of the Silver Fox cybercrime group, which has traditionally targeted financial and tax entities but has now shifted its focus towards impersonating national institutions and security companies. The analysis involves a phishing website, Winos remote contr…
malware
obfuscation
apt
phishing
cybercrime
winos
2024-07-10
updatedll
Published: July 10, 2024
Downloadable IOCs: 7

Kematian-Stealer: A Deep Dive into a New Information Stealer

This report provides an in-depth analysis of a newly discovered information stealer named Kematian-Stealer, actively developed on GitHub and distributed as open-source software. The malware employs various techniques to collect sensitive data from compromised systems, evade detection, and maintain …
malware
stealer
persistence
data exfiltration
github
2024-07-10
kematian-stealer
Published: July 10, 2024
Downloadable IOCs: 4

Persistent npm Campaign Shipping Trojanized jQuery

The report describes a persistent supply chain attack involving the distribution of a trojanized version of jQuery through various platforms like npm and GitHub. The malicious jQuery variant, containing a modified 'end' function, exfiltrates website form data by sending it to remote URLs controlled…
malware
supply chain
exfiltration
npm
github
2024-07-10
Published: July 10, 2024
Downloadable IOCs: 67

Exposing Attack Operations Utilizing PyPI Against Windows, Linux and macOS Platforms

The report details the APT-C-26 (Lazarus) group's recent attack campaign utilizing malicious Python packages hosted on the PyPI repository to deliver payloads targeting multiple platforms including Windows, Linux, and macOS. It analyzes the attack flow, delivery methods, and malware components invo…
malware
apt
supply chain
lazarus
2024-07-08
pypi
comebacker
cross-platform
Published: July 8, 2024
Downloadable IOCs: 28

Kimsuky Deploys TRANSLATEXT Chrome Extension

In March 2024, the cybersecurity firm Zscaler observed a new activity from Kimsuky, a North Korean state-sponsored hacker group. They employed a malicious Google Chrome extension named 'TRANSLATEXT' specifically crafted to steal email addresses, usernames, passwords, cookies, and capture browser sc…
malware
north korea
cyber espionage
credential theft
2024-06-28
chrome extension
Published: June 28, 2024
Downloadable IOCs: 10

Malvertising Campaign Leads to Execution of Oyster Backdoor

Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
malware
powershell
persistence
execution
malicious
python script
2024-06-24
lnk file
schtasks
json
microsoft teams
temp directory
http post
oyster main
Published: June 24, 2024
Downloadable IOCs: 13

Behind the Great Wall Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 CC Framework

Trend Micro recently discovered a threat actor group dubbed Void Arachne targeting Chinese-speaking users with malicious Windows Installer (MSI) files containing legitimate software bundled with malicious Winos payloads. The campaign promotes compromised MSI files embedded with nudifiers, deepfake …
malware
backdoor
social-engineering
2024-06-19
winos
chinese
seo-poisoning
Published: June 19, 2024
Linked vulnerabilities : CVE-2024-21412
Downloadable IOCs: 46

FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy

This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
malware
apt
powershell
2024-06-19
poison ivy
poisonivy
geocities
encodedpayload
breut
darkmoon
Published: June 19, 2024
Downloadable IOCs: 5

From Clipboard to Compromise: A PowerShell Self-Pwn

This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
malware
social engineering
powershell
xmrig
darkgate
lumma stealer
matanbuchus
2024-06-17
netsupport
malicious script
jaskago
compromise
amadey loader
vidar stealer
Published: June 17, 2024
Downloadable IOCs: 14

Dipping into Danger: The WARMCOOKIE backdoor

Elastic Security Labs identified a new wave of email campaigns targeting environments by deploying a novel backdoor dubbed WARMCOOKIE, which communicates via HTTP cookie parameters. The malware is an initial tool used to scout victim networks and deploy additional payloads, with hard-coded command …
malware
backdoor
obfuscation
phishing
campaigns
2024-06-12
warmcookie
Published: June 12, 2024
Downloadable IOCs: 6

New Agent Tesla Campaign Targeting Spanish-Speaking People

This report analyzes a phishing campaign spreading a new Agent Tesla variant designed to infiltrate victims' computers and steal sensitive information like credentials, email contacts, and system details. It leverages techniques like exploiting Microsoft Office vulnerabilities, executing JavaScript…
malware
obfuscation
phishing
infostealer
2024-06-10
CVE-2017-0199
CVE-2017-11882
agent tesla
spain
Published: June 10, 2024
Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199
Downloadable IOCs: 6

Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers

This report details a cryptojacking campaign exploiting exposed Docker remote API servers. Threat actors employ the cmd.cat/chattr Docker image for initial access, utilizing techniques like chroot and volume binding to break out of the container and access host systems. They deploy cryptocurrency m…
malware
cryptocurrency
cloud
2024-06-07
cryptojacking
docker
containers
ziggystartux
Published: June 7, 2024
Downloadable IOCs: 7

Operation ControlPlug: Targeted attack campaign using MSC files

An investigation revealed that the threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files, generally unfamiliar, leveraged the Console Taskpad feature to exec…
malware
stealthy
apt
plugx
campaign
2024-06-06
korplug
kaba
tvt
destroyrat
thoper
sogu
Published: June 6, 2024
Downloadable IOCs: 14

Operation Crimson Palace: A Technical Deep Dive

Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast As…
malware
cobalt strike
cyberespionage
lateral movement
intrusion
2024-06-06
impersoni-fake-ator
powheartbeat
credential access
pocoproxy
rudebird
phantomnet
ccoredoor
eagerbee
nupakage
Published: June 6, 2024
Downloadable IOCs: 138

Malware botnet installing NiceRAT

This report discusses a botnet that has been active since 2019, distributing various malware such as NiceRAT, Nitol, and NanoCore. The botnet is spread through disguised cracked programs, shared on domestic file-sharing sites and blogs, posing as genuine software activators or game server tools. On…
malware
botnet
2024-06-06
nitol
nanocore
nicerat
Published: June 6, 2024
Downloadable IOCs: 24

Excel File Deploys Cobalt Strike at Ukraine

A sophisticated multi-stage cyberattack was identified, utilizing an Excel file embedded with a VBA macro designed to deploy a DLL file. The attacker employed various evasion techniques and a multi-stage malware strategy to deliver the notorious 'Cobalt Strike' payload, establishing communication w…
malware
evasion
ukraine
2024-06-04
excel
Published: June 4, 2024
Downloadable IOCs: 10

Vidar Stealer: An In-depth Analysis of an Information-Stealing Malware

Vidar Stealer is a potent malware written in C++, capable of stealing a wide range of data from the compromised system. Vidar Stealer targets user’s personal data, web-browser data, cryptocurrency wallets, financial data, sensitive files within user directories, communication applications, process …
malware
persistence
2024-06-04
c2
Published: June 4, 2024
Downloadable IOCs: 6

Disrupting FlyingYeti's campaign targeting Ukraine

This report details Cloudforce One's real-time effort to detect, deny, degrade, disrupt, and delay a phishing campaign by the Russia-aligned threat actor FlyingYeti targeting Ukraine. The campaign aimed to capitalize on anxiety over potential loss of housing and utilities by enticing targets to ope…
malware
phishing
russia
ukraine
2024-05-31
CVE-2023-38831
cookbox
Published: May 31, 2024
Linked vulnerabilities : CVE-2023-38831
Downloadable IOCs: 8

Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea

An investigation by Bitdefender Labs uncovered a previously unidentified cyber threat actor called Unfading Sea Haze. This group has systematically targeted high-level organizations across countries in the South China Sea region. The extensive analysis spanned several years, revealing their evolvin…
malware
apt
espionage
2024-05-23
.net
dustyexfiltool
2024-05-24
unfading sea haze
silentgh0st
translucentgh0st
sharpjshandler
Published: May 24, 2024
Downloadable IOCs: 47

Crimeware report: Acrid, ScarletStealer and Sys01 stealers

This analysis delves into three distinct stealers: Acrid, ScarletStealer, and Sys01. Acrid is a new stealer found in December, employing the 'Heaven's Gate' technique to bypass security controls. ScarletStealer downloads additional executables and Chrome extensions to facilitate data theft. Sys01, …
malware
stealer
data-theft
cybercrime
2024-05-22
acrid
scarletstealer
crimeware
sys01
newb
Published: May 22, 2024
Downloadable IOCs: 5

Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear

This comprehensive analysis delves into the continuous evolution and refinement of sophisticated malware entities employed by a persistent cyberespionage group targeting organizations in the Asia-Pacific region. The malware, known as Waterbear and its latest iteration, Deuterbear, have undergone si…
malware
evasion
anti-analysis
encryption
2024-05-21
cyberespionage
deuterbear
waterbear
Published: May 21, 2024
Downloadable IOCs: 29

Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID

LATRODECTUS is a malware loader gaining popularity among cybercriminals, with strong connections to the ICEDID malware family. It offers standard capabilities for deploying payloads and conducting post-exploitation activities. Initially discovered by Walmart researchers in 2023, it continues evolvi…
malware
loader
icedid
cybercrime
2024-05-17
latrodectus
financially-motivated
Published: May 17, 2024
Downloadable IOCs: 7

ViperSoftX Uses Deep Learning-based Tesseract to Exfiltrate Information

This analysis focuses on the recent activities of the ViperSoftX malware strain, which controls infected systems and steals user information. The malware is known to install additional malware payloads, including Quasar RAT and a new infostealer called TesseractStealer. TesseractStealer utilizes th…
malware
cybercrime
infostealers
2024-05-17
quasar rat
tesseractstealer
malware-distribution
vipersoftx
crypto-targeting
Published: May 17, 2024
Downloadable IOCs: 8

Payload Trends in Malicious OneNote Samples

This analysis examines the types of malicious payloads that attackers embed within Microsoft OneNote files to deceive users into executing malicious code. By analyzing approximately 6,000 malicious OneNote samples, it reveals that attackers frequently employ images resembling buttons to lure victim…
malware
phishing
shellcode
2024-05-16
onenote
malicious
payload
Published: May 16, 2024
Downloadable IOCs: 550

Springtail: New Linux Backdoor Added to Toolkit

Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-…
malware
linux
backdoor
2024-05-16
troll stealer
gobear
southkorea
northkorea
linux.gomir
Published: May 16, 2024
Downloadable IOCs: 20

Threat actors misusing Quick Assist in social engineering attacks leading to ransomware

The report describes a recent campaign by the threat actor Storm-1811, a financially motivated cybercriminal group known for deploying Black Basta ransomware. The campaign begins with social engineering tactics like voice phishing (vishing) and email bombing to trick users into granting remote acce…
malware
ransomware
qakbot
qbot
quackbot
pinkslipbot
2024-05-16
2024-05-11
black basta
remote-access
vishing
social-engineering
Published: May 16, 2024
Downloadable IOCs: 12

The Overlapping Cyber Strategies Of Transparent Tribe And SideCopy Against India

CRIL's analysis revealed SideCopy APT group's sophisticated malware campaign, employing malicious LNK files and a complex infection chain involving HTAs and loader DLLs to deploy malware like ReverseRAT and Action RAT. SideCopy targets Indian universities and government entities, suggesting potenti…
malware
apt
rat
action rat
india
infection chain
2024-05-15
2024-05-10
reverserat
Published: May 15, 2024
Downloadable IOCs: 21

Ongoing Malvertising Campaign leads to Ransomware

Rapid7 detected an ongoing malware distribution campaign involving trojanized installers of WinSCP and PuTTY, delivered via malicious search engine ads. The infection chain employs DLL side-loading, credential access, and deploys Sliver beacons followed by Cobalt Strike. In one case, the threat act…
malware
ransomware
python
cobalt strike
2024-05-15
2024-05-10
msi package
winscp
sliver
putty
service
execution
localappdata
dropped
c2 address
sliver beacon
dnstwist
Published: May 15, 2024
Downloadable IOCs: 78

PDF “Flawed Design” Exploitation

Check Point Research identified an unusual pattern involving PDF exploitation, mainly targeting users of Foxit Reader. This exploit triggers security warnings that could deceive users into executing harmful commands. The exploitation occurs through a flawed design in Foxit Reader, showing 'OK' as t…
malware
xworm
campaigns
remcos
asyncrat
2024-05-09
2024-05-14
njrat
dcrat
pdf
venomrat
exploitation
nanocore rat
pony
bladabindi
foxit
agent-tesla
njw0rm
lv
2024-05-10
Published: May 14, 2024
Downloadable IOCs: 40

Distribution of DanaBot Malware via Word Files Detected

This analysis examines the infection process of the DanaBot malware, distributed through sophisticated spam emails containing malicious Word documents. The documents leverage external links to download and execute macro files, which subsequently fetch and run the DanaBot payload. The infection chai…
malware
evasion
data theft
spam
2024-05-09
macros
danabot
2024-05-14
2024-05-10
Published: May 14, 2024
Downloadable IOCs: 0

Profiling Trafficers: Cerberus

This analysis delves into the activities of a group of malware operators known as Cerberus (formerly Amnesia) Team, who specialize in spreading infostealers, particularly in the Commonwealth of Independent States (CIS) region. It provides insights into their operations, tactics, and the evolution o…
malware
infostealer
russia
2024-05-05
2024-05-06
2024-05-07
lumma stealer
2024-05-08
aurora stealer
redline
hacking
cybercrime
rhadamanthys stealer
casbaneiro
metamorfo
dracula stealer (samurai)
2024-05-09
2024-05-10
Published: May 10, 2024
Downloadable IOCs: 24

New Pakistan-based Cyber Espionage Group’s Year-Long Campaign Targeting Indian Defense Forces with Android Malware

CYFIRMA researchers identified an Android malware campaign, active for over a year, targeting Indian defense personnel by an unidentified Pakistan-based cyber espionage group. The threat actor utilized Spynote or a modified version called Craxs Rat, obfuscating the app with high complexity. Through…
malware
espionage
android
pakistan
2024-05-03
2024-05-04
2024-05-05
2024-05-06
india
spynote
defense
craxs rat
Published: May 6, 2024
Downloadable IOCs: 3
Click here to see more Attack Reports