Tag: multi-stage attack

20 Attack Reports | 0 Vulnerabilities

Attack reports

Silver Fox Targeting India Using Tax Themed Phishing Lures

A sophisticated campaign by the Chinese APT group Silver Fox is targeting Indian entities with authentic-looking Income Tax phishing lures. The attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence. The campaign uses a multi-stage infection p…
apt
phishing
india
c2 communication
multi-stage attack
dll hijacking
chinese threat actor
2025-12-24
tax-themed
valley rat
Published: December 24, 2025
Downloadable IOCs: 8

Operation MoneyMount, ISO Deploying Phantom Stealer

A Russian phishing campaign targeting finance and accounting sectors uses fake payment confirmation emails to deliver Phantom stealer malware. The attack chain involves a ZIP file containing an ISO, which when mounted reveals an executable that loads the stealer. The malware employs anti-analysis t…
phishing
russia
exfiltration
steganography
credential theft
finance
multi-stage attack
phantom stealer
2025-12-12
iso
Published: December 12, 2025
Downloadable IOCs: 4

macOS Malware Deploys in Fake Job Scams

A sophisticated malware campaign targeting macOS users has been discovered, involving fake job assessments and social engineering tactics. The FlexibleFerret malware, attributed to DPRK-aligned operators, uses multi-stage attacks to deploy on victims' systems. The campaign begins with JavaScript fi…
social engineering
macos
credential theft
multi-stage attack
flexibleferret
2025-11-26
golang backdoor
fake job scams
Published: November 26, 2025
Downloadable IOCs: 21

Analyzing the Link Between Two Evolving Brazilian Banking Trojans

This intelligence report examines the connection between two Brazilian banking trojans, Maverick and Coyote. The malware spreads through WhatsApp, using a multi-stage attack that begins with a malicious LNK file. Both trojans share similarities in their infection methods, targeting Brazilian users …
obfuscation
whatsapp
powershell
.net
banking trojan
brazil
multi-stage attack
coyote
2025-11-12
maverick
Published: November 12, 2025
Downloadable IOCs: 9

XWorm RAT Delivered via Shellcode: Multi-Stage Attack Analysis

This analysis details a sophisticated multi-stage attack delivering the XWorm RAT. The campaign begins with a phishing email containing a malicious .xlam file. The file harbors embedded shellcode that, when executed, retrieves a secondary payload. This payload is a .NET binary that reflectively loa…
obfuscation
xworm
rat
phishing
steganography
shellcode
.net
multi-stage attack
reflective dll injection
2025-09-29
Published: September 29, 2025
Downloadable IOCs: 8

LNK Trojan delivers REMCOS

This report details a multi-stage malware campaign delivering the REMCOS backdoor via a malicious Windows LNK shortcut file. The attack begins with social engineering, leveraging PowerShell for initial execution and deploys a persistent backdoor capable of full system compromise. The infection chai…
backdoor
powershell
remcos
keylogger
lnk file
c2 communication
pif file
multi-stage attack
base64 encoding
2025-07-30
Published: July 30, 2025
Downloadable IOCs: 8

Illusory Wishes: China-nexus APT Targets the Tibetan Community

Two cyberattack campaigns, Operation GhostChat and Operation PhantomPrayers, targeted the Tibetan community in June 2025, coinciding with the Dalai Lama's 90th birthday. These attacks involved strategic web compromises, DLL sideloading, and multi-stage infection chains to deploy Ghost RAT and Phant…
social engineering
dll sideloading
phantomnet
multi-stage attack
2025-07-23
ghost rat
web compromise
tibetan community
Published: July 23, 2025
Downloadable IOCs: 26

Analysis of APT-C-55 (Kimsuky) Organization's HappyDoor Backdoor Attack Based on VMP Strong Shell

The APT-C-55 (Kimsuky) group, a North Korean threat actor, has launched a new attack campaign targeting South Korea. They used a disguised Bandizip installation package to deliver malicious code and a VMP-protected HappyDoor trojan for espionage activities. The attack involves remote script loading…
backdoor
apt
happydoor
information theft
multi-stage attack
2025-07-10
vmp
Published: July 10, 2025
Downloadable IOCs: 6

Spyware Targets Employees via Weaponized Word Documents Delivering Malware Payloads

An unidentified spyware called Batavia has been targeting Russian industrial organizations since July 2024 through a sophisticated phishing operation. The campaign uses bait emails disguised as contract agreements to trick employees into downloading malicious scripts, initiating a multi-stage infec…
phishing
spyware
data exfiltration
evasion tactics
multi-stage attack
batavia
2025-07-09
c++ malware
persistence mechanisms
russian targets
vbs scripts
delphi executable
Published: July 9, 2025
Downloadable IOCs: 2

Discord Invite Hijacking: How Fake Links Are Delivering Infostealers

Cybercriminals are exploiting Discord's invite system and content delivery features to distribute malware and steal sensitive data. They use fake invite links, expired codes, and vanity URLs to redirect users to malicious servers. The attack chain involves a sophisticated combination of social engi…
phishing
social engineering
cryptocurrency
asyncrat
discord
multi-stage attack
wallet injection
chromekatz
skuld stealer
2025-06-20
invite hijacking
Published: June 20, 2025
Downloadable IOCs: 0

From ClickFix deception to information stealer deployment

The article describes a surge in ClickFix campaigns using GHOSTPULSE to deploy Remote Access Trojans and data-stealing malware. It analyzes a multi-stage attack that begins with ClickFix social engineering, deploys GHOSTPULSE loader, and ultimately delivers ARECHCLIENT2, a potent remote access troj…
social engineering
infostealer
lumma
clickfix
multi-stage attack
remote access trojan
ghostpulse
arechclient2
eddiestealer
2025-06-18
Published: June 18, 2025
Downloadable IOCs: 47

Targeting Taiwan & Japan with DLL Implants

A newly discovered APT campaign dubbed Swan Vector is targeting educational institutes and mechanical engineering industries in Taiwan and Japan. The attack uses a sophisticated multi-stage infection chain involving malicious LNK files, DLL implants (Pterois and Isurus), and Cobalt Strike payloads.…
apt
cobalt strike
dll sideloading
taiwan
multi-stage attack
japan
2025-05-12
google drive
isurus
pterois
dll implants
Published: May 12, 2025
Downloadable IOCs: 16

Fake GIF Leveraged in Multi-Stage Reverse-Proxy Card Skimming Attack

A sophisticated multi-stage carding attack on a Magento eCommerce website has been uncovered. The malware used a fake gif image file, local browser sessionStorage data, and a malicious reverse-proxy server to steal credit card data, login details, cookies, and other sensitive information. The attac…
magento
multi-stage attack
ecommerce
javascript injection
2025-04-26
reverse-proxy
sessionstorage
card skimming
Published: April 26, 2025
Downloadable IOCs: 0

Detecting Multi-Stage Infection Chains Madness

This analysis examines a complex multi-stage attack exploiting a resilient network infrastructure known as 'Cloudflare tunnel infrastructure to deliver multiple RATs' since February 2024. The infection chain involves multiple steps, including phishing emails with malicious attachments, execution of…
phishing
asyncrat
infection chain
multi-stage attack
evasion techniques
2025-04-22
cloudflare tunnel
cyber threat intelligence
detection rules
Published: April 22, 2025
Downloadable IOCs: 15

Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

The Lotus Blossom espionage group has been conducting cyber espionage campaigns targeting government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan. The group employs various versions of the Sagerunex backdoor, including new variants that us…
backdoor
apt
espionage
persistence
multi-stage attack
cloud services
vmprotect
2025-02-27
sagerunex
evora
2025-04-04
lotus blossom
Published: April 4, 2025
Downloadable IOCs: 0

Analysis of Konni RAT: Stealth, Persistence, and Anti-Analysis Techniques

Konni RAT, a sophisticated remote access Trojan targeting Windows systems, employs a multi-stage attack process using batch files, PowerShell scripts, and VBScript. It exploits Windows Explorer limitations, obfuscates file paths, dynamically generates URLs, and uses temporary files to erase activit…
windows
persistence
anti-analysis
data exfiltration
multi-stage attack
stealth techniques
remote access trojan
2025-04-01
konni rat
Published: April 1, 2025
Downloadable IOCs: 0

Malvertising campaign leads to info stealers hosted on GitHub

A large-scale malvertising campaign impacting nearly one million devices globally was detected in December 2024. The attack originated from illegal streaming websites with embedded malvertising redirectors, leading users through multiple redirections to malware hosted on GitHub and other platforms.…
malvertising
lumma stealer
github
lumma
netsupport rat
information stealer
multi-stage attack
doenerium
2025-03-06
living-off-the-land
Published: March 6, 2025
Downloadable IOCs: 3

Unauthorized RDP Connections For Cyberespionage Operations

Cyble Research and Intelligence Labs uncovered an ongoing cyberattack campaign utilizing malicious LNK files to gain unauthorized Remote Desktop access on compromised systems. The sophisticated multi-stage attack chain employs PowerShell and BAT scripts to evade detection, create administrative acc…
powershell
persistence
credential theft
cyberespionage
rdp
multi-stage attack
uac bypass
2024-10-26
bat scripts
chromepass
Published: October 26, 2024
Downloadable IOCs: 0

DarkVision RAT

DarkVision RAT is a customizable remote access trojan that first appeared in 2020, offered on Hack Forums for $60. Written in C/C++ and assembly, it offers features like keylogging, screenshots, file manipulation, process injection, remote code execution, and password theft. The analysis reveals a …
purecrypter
c2 communication
multi-stage attack
2024-10-10
remote access trojan
darkvision rat
Published: October 10, 2024
Downloadable IOCs: 0

North Korea Still Attacking Developers via npm

Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloa…
malware
obfuscation
python
cryptocurrency
exfiltration
persistence
javascript
moonstone sleet
npm
2024-09-30
contagious interview
multi-stage attack
Published: September 30, 2024
Downloadable IOCs: 12
Click here to see more Attack Reports