Tag: malware-as-a-service

27 Attack Reports | 0 Vulnerabilities

Attack reports

CastleLoader Activity Clusters Target Multiple Industries

Insikt Group has identified four distinct activity clusters associated with GrayBravo's CastleLoader malware, each with unique tactics and victim profiles. This supports the assessment that GrayBravo operates a malware-as-a-service model. One cluster, TAG-160, impersonates logistics firms and uses …
phishing
matanbuchus
malware-as-a-service
warmcookie
clickfix
netsupport rat
sectoprat
booking.com
logistics
castleloader
castlebot
castlerat
2025-12-09
Published: December 9, 2025
Downloadable IOCs: 87

New Android Malware Mimics Human Behavior to Evade Detection

A new Android malware called Herodotus has been discovered, designed to perform device takeover while mimicking human behavior to bypass biometric detection. Active campaigns have been observed in Italy and Brazil. Herodotus is being offered as Malware-as-a-Service and shows links to the previously…
android
credential theft
malware-as-a-service
banking trojan
device takeover
hook
mqtt
remote control
2025-10-28
octo
behavior mimicry
herodotus
brokewell
Published: October 28, 2025
Downloadable IOCs: 1

WARMCOOKIE One Year Later: New Features and Fresh Insights

The WARMCOOKIE backdoor continues to evolve, with ongoing updates and new infections observed. Recent developments include new handlers for executing various file types, a string bank for defense evasion, and code optimizations. A campaign ID field has been added, providing context for operators. I…
backdoor
malware-as-a-service
warmcookie
castlebot
2025-10-06
Published: October 6, 2025
Downloadable IOCs: 0

Olymp Loader: A new Malware-as-a-Service written in Assembly

Olymp Loader is a recently emerged Malware-as-a-Service offering advertised on underground forums since June 2025. Developed by a team called OLYMPO, it's written in assembly language and marketed as fully undetectable. The loader executes other malware on victim systems and provides built-in steal…
loader
lummac2
stealer
amadey
malware-as-a-service
telegram
evasion techniques
crypter
raccoon
underground forums
2025-09-29
qasarrat
webrat
olymp loader
assembly
Published: September 29, 2025
Downloadable IOCs: 19

Unmasked: Salat Stealer – A Deep Dive into Its Advanced Persistence Mechanisms and C2 Infrastructure

Salat Stealer, also known as WEB_RAT, is a sophisticated Go-based infostealer targeting Windows systems. It exfiltrates browser credentials, cryptocurrency wallet data, and session information while employing advanced evasion techniques. The malware uses UPX packing, process masquerading, registry …
evasion
windows
infostealer
cryptocurrency
persistence
malware-as-a-service
maas
russian-speaking
browser credentials
2025-09-06
salat stealer
web_rat
go-based
2025-09-10
Published: September 10, 2025
Downloadable IOCs: 14

ERMAC V3.0 Banking Trojan: Full Source Code Leak and Infrastructure Analysis

The complete source code for ERMAC V3.0, an advanced banking trojan, was discovered and analyzed, providing rare insight into this active Malware-as-a-Service platform. ERMAC has evolved to target over 700 financial and cryptocurrency apps, employing sophisticated form injection techniques and encr…
malware-as-a-service
banking trojan
infrastructure analysis
hook
ermac
android malware
cerberus
2025-08-15
exfiltration server
c2 backend
source code leak
encrypted communications
form injection
Published: August 15, 2025
Downloadable IOCs: 0

PhantomCard: New NFC-driven Android malware emerging in Brazil

A new Android Trojan called PhantomCard is targeting banking customers in Brazil, with potential for global expansion. The malware relays NFC data from victims' banking cards to fraudsters' devices, enabling unauthorized transactions. Distributed through fake 'Google Play' pages as a 'card protecti…
malware-as-a-service
brazil
banking fraud
2025-08-14
btmob
phantomcard
ghostspy
card protection
android trojan
nfc relay
Published: August 14, 2025
Downloadable IOCs: 2

Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator

SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, employing deceptive 'fake browser update' lures to compromise systems. It leverages Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter and redirect victims. TA569 acts as an Initial Access Broker, enablin…
ransomware
lockbit
socgholish
malware-as-a-service
initial access broker
raspberry robin
mintsloader
fake updates
2025-08-08
dridex
wastedlocker
netsupportrat
traffic distribution system
domain shadowing
hades
Published: August 8, 2025
Downloadable IOCs: 33

Back to Business: Lumma Stealer Returns with Stealthier Methods

Lumma Stealer, an information-stealing malware, has resurfaced shortly after its takedown in May 2025. The cybercriminals behind it are now employing more covert tactics and expanding their reach. The malware is being distributed through discreet channels and uses stealthier evasion techniques. Lum…
social engineering
lumma stealer
malware-as-a-service
infrastructure
information stealer
evasion tactics
cracked software
2025-07-23
github abuse
Published: July 23, 2025
Downloadable IOCs: 52

Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations

The S2 Group’s intelligence team has identified through adversary tracking a new phishing campaign by Snake Keylogger, a Russian origin stealer programmed in .NET, targeting various types of victims, such as companies, governments or individuals. The campaign has been identified as using spearphish…
phishing
spearphishing
infostealer
russia
malware-as-a-service
keylogger
maas
snake keylogger
credential stealer
2025-06-30
Published: June 30, 2025
Downloadable IOCs: 34

Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication

Proofpoint has identified Amatera Stealer, a rebranded version of ACR Stealer with enhanced capabilities and evasion techniques. Distributed via ClearFake website injects, it utilizes sophisticated attack chains and web injects. Amatera Stealer employs NTSockets for stealthy C2 communication, WoW64…
rhadamanthys
lumma stealer
malware-as-a-service
clickfix
acr stealer
information stealer
clearfake
2025-06-18
web injects
amatera stealer
ntsockets
wow64 syscalls
Published: June 18, 2025
Downloadable IOCs: 12

DanaBot C2 Server Memory Leak Bug

A critical vulnerability named DanaBleed was discovered in DanaBot's C2 server, causing memory leaks from June 2022 to early 2025. This bug, introduced in version 2380, exposed sensitive information including threat actor details, server data, and victim credentials. The leak resulted from uninitia…
vulnerability
cybercrime
danabot
malware-as-a-service
c2 server
smokeloader
operation endgame
information theft
2025-06-10
danableed
banking fraud
memory leak
Published: June 10, 2025
Downloadable IOCs: 2

Global operation disrupts Lumma Stealer

ESET collaborated with Microsoft and other partners in a global operation to disrupt Lumma Stealer, a prominent malware-as-a-service infostealer. ESET's contribution involved analyzing tens of thousands of malware samples to extract key data like C&C servers and affiliate identifiers. The operation…
infostealer
lumma stealer
credential theft
malware-as-a-service
disruption
2025-05-26
c&c infrastructure
Published: May 26, 2025
Downloadable IOCs: 113

Danabot: Analyzing a fallen empire

ESET Research shares insights into Danabot, an infostealer recently disrupted by law enforcement. The malware, tracked since 2018, evolved from a banking trojan to a versatile tool for data theft and malware distribution. Operated as a malware-as-a-service, Danabot offered features like data steali…
infostealer
lockbit
data theft
darkgate
zloader
botnet
lumma stealer
matanbuchus
cybercrime
danabot
latrodectus
malware-as-a-service
smokeloader
banking trojan
systembc
buran
rescoms
recordbreaker
ursnif
2025-05-23
2025-05-25
nonransomware
proxy servers
crisis
c&c infrastructure
malware-as-service
Published: May 25, 2025
Downloadable IOCs: 1

Inside DanaBot's Infrastructure: In Support of Operation Endgame II

DanaBot, a versatile and persistent threat since 2018, has evolved from a banking trojan to a multi-purpose malware platform. It maintained an average of 150 active C2 servers daily, with 1,000 daily victims across 40+ countries. The malware's stealth and multi-tiered architecture contributed to it…
infostealer
danabot
malware-as-a-service
banking trojan
c2 infrastructure
2025-05-23
stealth tactics
Published: May 23, 2025
Downloadable IOCs: 65

Operation Endgame 2.0

International law enforcement agencies have taken additional actions in Operation Endgame, targeting cybercriminal organizations, particularly those behind DanaBot. DanaBot is a powerful modular malware family written in Delphi, capable of keylogging, capturing screenshots, recording desktop videos…
espionage
darkgate
ddos
danabot
malware-as-a-service
smokeloader
hijackloader
operation endgame
keylogger
targeted attacks
lumma
globeimposter
cactus
2025-05-23
Published: May 23, 2025
Downloadable IOCs: 9

Lumma Stealer is Out... of business!

A coordinated action led by Microsoft's Digital Crimes Unit, with participation from Bitsight and other partners, has successfully dismantled the operational capabilities of Lumma Stealer (LummaC2), a prominent information stealer operating since late 2022. The operation involved seizing over 1,000…
lummac2
data theft
redline
malware-as-a-service
information stealer
2025-05-21
lummac
infrastructure takedown
multi-tiered c2
Published: May 21, 2025
Downloadable IOCs: 1091

TerraStealerV2 and TerraLogger: Golden Chickens' New Malware Families Discovered

Insikt Group has discovered two new malware families, TerraStealerV2 and TerraLogger, linked to the financially motivated threat actor Golden Chickens. TerraStealerV2 is designed to steal browser credentials, cryptocurrency wallet data, and browser extension information, while TerraLogger functions…
stealer
credential theft
malware-as-a-service
keylogger
revc2
venomlnk
2025-05-01
terraloader
terrastealerv2
terralogger
browser data
Published: May 1, 2025
Downloadable IOCs: 39

DNS Early Detection - Fast Propagating Fake Captcha distributes LummaStealer

Between October 2024 and February 2025, LummaStealer malware was distributed via fake CAPTCHA pages, targeting users who store sensitive information in browsers and cryptocurrency wallets. The malware, available as a Malware-as-a-Service, collects data for fraud and unauthorized access. Threat acto…
lummac2
malware-as-a-service
information stealer
early detection
fake captcha
lummastealer
malicious domains
2025-02-27
dns traffic analysis
adtech
2025-02-28
dns monitoring
Published: February 28, 2025
Downloadable IOCs: 11

GhostSocks - Partner In Proxy

GhostSocks is a Golang-based SOCKS5 backconnect proxy malware first identified in October 2023. It is primarily deployed alongside the LummaC2 information stealer and offered as Malware-as-a-Service. GhostSocks uses a relay-based C2 implementation with HTTP API, allowing attackers to route traffic …
lummac2
malware-as-a-service
golang
c2 infrastructure
socks5
ghostsocks
2025-02-25
credential abuse
anti-fraud bypass
backconnect proxy
vdsina
Published: February 25, 2025
Downloadable IOCs: 17

Life on a crooked RedLine: Analyzing the infamous infostealer's backend

This article provides an in-depth analysis of RedLine Stealer, a notorious information-stealing malware. The research focuses on previously undocumented backend modules and the control panel used by affiliates. Key findings include the identification of over 1,000 unique IP addresses hosting RedLin…
infostealer
data theft
meta stealer
cybercrime
malware-as-a-service
redline stealer
2024-11-17
control panel
windows communication framework
backend analysis
Published: November 17, 2024
Downloadable IOCs: 0

Over 10 Million Personal And Corporate Devices Infected By Information Stealers

A significant increase in data-stealing malware infections has been observed, with nearly 10 million devices compromised in 2023, marking a 643% rise over three years. Cybercriminals are using sophisticated distribution methods, including malvertising and YouTube comment spam. On average, 50.9 logi…
data theft
credential theft
redline
cybercrime
vidar
malware-as-a-service
lumma
amos
information stealers
2024-10-22
raccoon
vidar/acr
kral stealer
Published: October 22, 2024
Downloadable IOCs: 0

MDR in Action: Preventing The More_eggs Backdoor From Hatching

A sophisticated spear-phishing attack led to a more_eggs backdoor infection at a company. The attack began with an email to a senior executive, followed by a recruitment officer downloading a fake resume. The malicious file, disguised as a resume, contained obfuscated commands that executed when op…
backdoor
malware-as-a-service
2024-10-01
spear-phishing
skid
more_eggs
vision one
spicyomelette
terra loader
recruitment
golden chickens
mdr
Published: October 1, 2024
Downloadable IOCs: 10

Gomorrah Stealer: An In-Depth Analysis of a .NET-Based Malware

This comprehensive report analyzes Gomorrah Stealer, a sophisticated malware designed to exfiltrate sensitive information from compromised systems. It operates within a malware-as-a-service framework and targets data from web browsers, cryptocurrency wallets, VPNs, and configuration files. The stea…
evasion
stealer
exfiltration
persistence
malware-as-a-service
2024-09-16
gomorrah stealer
Published: September 16, 2024
Downloadable IOCs: 6

The Abuse of ITarian RMM by Dolphin Loader

This report explores how the Dolphin Loader, a malware-as-a-service loader, abuses the legitimate ITarian Remote Monitoring and Management (RMM) software to distribute various malware payloads. The loader leverages the built-in functionality of RMM tools, such as remote command execution and system…
stealthy
python
lummac2
rhadamanthys
rmm
darkgate
redline
autoit
malware-as-a-service
sectoprat
2024-08-19
itarian
evade
dolphin loader
Published: August 19, 2024
Downloadable IOCs: 24

Mint Stealer: A Comprehensive Study of a Python-Based Information Stealer

At Cyfirma, this report offers a comprehensive analysis of Mint Stealer, an information-stealing malware operating within a malware-as-a-service (MaaS) framework. Mint Stealer targets sensitive data and uses sophisticated techniques to evade detection. This in-depth study explores Mint Stealer's ev…
malware-as-a-service
data exfiltration
2024-07-31
information stealer
mint stealer
evasion tactics
Published: July 31, 2024
Downloadable IOCs: 10

Banking trojan unleashed: Observing emerging global campaigns

IBM's X-Force has been tracking large-scale phishing campaigns distributing the Grandoreiro banking trojan, likely operated as a Malware-as-a-Service. The malware targets over 1500 global banks, enabling banking fraud in over 60 countries. The latest variant features major updates, including string…
phishing
trojan
2024-05-20
banking
malware-as-a-service
grandoreiro
Published: May 20, 2024
Downloadable IOCs: 18
Click here to see more Attack Reports