Tag: powershell

162 Attack Reports | 0 Vulnerabilities

Attack reports

Unraveling Water Saci's New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp

The Water Saci campaign in Brazil is using advanced techniques to deliver banking trojans through WhatsApp. The attack chain involves various file formats and scripting languages, designed to bypass detection and increase analysis complexity. Attackers have transitioned from PowerShell to Python fo…
backdoor
python
whatsapp
powershell
casbaneiro
metamorfo
banking trojan
brazil
anti-sandbox
2025-12-02
ai-enhanced
multi-format attacks
Published: December 2, 2025
Downloadable IOCs: 0

The 'Bear' attacks: what we learned about the phishing campaign targeting Russian organizations

A hacking group named NetMedved has been conducting phishing attacks against Russian organizations since October 2025. The campaign uses malicious LNK files disguised as business documents to deliver NetSupport RAT malware. The attackers employ various techniques including PowerShell scripts, finge…
phishing
social engineering
powershell
lumma stealer
netsupport rat
lnk files
russian targets
2025-11-26
infrastructure reuse
finger protocol
Published: November 26, 2025
Downloadable IOCs: 50

Water APT Multi-Stage Attack Uncovered

A sophisticated multi-stage attack attributed to the Water Gamayun APT group has been analyzed. The attack begins with a compromised legitimate website redirecting to a lookalike domain, delivering a double-extension RAR payload disguised as a PDF. This payload exploits the MSC EvilTwin vulnerabili…
supply-chain
obfuscation
apt
powershell
rhadamanthys
zero-day
CVE-2025-26633
msc eviltwin
encrypthub
darkwisp
silentprism
russia-aligned
2025-11-26
Published: November 26, 2025
Linked vulnerabilities : CVE-2025-26633 (CVSS 7.0)
Downloadable IOCs: 5

Stories from the SOC: Mystery of the postponed proxyware install

A suspicious PowerShell alert led to the discovery of an attack chain aimed at installing proxyware on a compromised system. The infection originated from a disk-cleaning utility installed three days prior, which included malicious scripts and established a connection to a C2 server. The attack uti…
powershell
node.js
c2 server
in-memory execution
proxyware
2025-11-24
download cradle
unauthorized software
disk-cleaning utility
Published: November 24, 2025
Downloadable IOCs: 11

Kimsuky's Ongoing Evolution of KimJongRAT and Expanding Threats

This analysis examines the latest attack flow of the KimJongRAT variant, attributed to the North Korean threat actor Kimsuky. The malware has evolved to include both PE-based and PowerShell-based attack chains, which have been merged into a single workflow. The attackers use phishing emails for ini…
phishing
north korea
babyshark
powershell
credential theft
keylogging
data exfiltration
spear-phishing
browser credentials
kimjongrat
2025-11-24
pe executable
Published: November 24, 2025
Downloadable IOCs: 13

New Tools and Techniques of ToddyCat APT

The ToddyCat APT group has evolved its methods to gain covert access to corporate email. The report details their use of PowerShell-based TomBerBil for extracting browser data, TCSectorCopy for copying Outlook OST files, and attempts to steal OAuth tokens from Microsoft 365 processes. These tools a…
apt
tomberbil
powershell
data theft
browser
oauth
outlook
2025-11-21
email
xstreader
tcsectorcopy
sharptokenfinder
Published: November 21, 2025
Downloadable IOCs: 0

The Tsundere botnet uses the Ethereum blockchain to infect its targets

The Tsundere botnet, discovered in mid-2025, is an active threat targeting Windows users. It utilizes the Ethereum blockchain to retrieve C2 addresses and employs Node.js for its operations. The botnet spreads through MSI installers and PowerShell scripts, often disguised as popular games. It uses …
powershell
javascript
node.js
botnet
msi
ethereum
websocket
2025-11-20
123 stealer
aes-256
tsundere bot
koneko
tsundere
Published: November 20, 2025
Downloadable IOCs: 21

Sophisticated Tuoni C2 Attack on U.S. Real Estate Firm Thwarted

In October 2025, a major U.S. real estate company was targeted by a highly advanced cyberattack using the emerging Tuoni C2 framework. The attack, which showed signs of AI assistance in code generation, was neutralized by Morphisec's Automated Moving Target Defense (AMTD) technology. The campaign l…
powershell
steganography
in-memory execution
ai-assisted
real estate
2025-11-19
tuoni c2
prevention
amtd
tuoni
Published: November 19, 2025
Downloadable IOCs: 4

EVALUSION Campaign Delivers Amatera Stealer and NetSupport...

The eSentire Threat Response Unit identified a malware campaign using ClickFix as an initial access vector to deploy Amatera Stealer and NetSupport RAT. Amatera Stealer is a rebranded version of ACR Stealer, with advanced evasion techniques like WoW64 SysCalls to bypass security solutions. It targe…
powershell
information theft
clickfix
acr stealer
netsupport rat
c2 communication
evasion techniques
crypto-wallets
amatera stealer
2025-11-18
Published: November 18, 2025
Downloadable IOCs: 1

A Closer Look at Outlook Macros and More

The analysis examines NotDoor, a backdoor utilizing Outlook macros for persistence and lateral movement. It stages files in C:\ProgramData, employing DLL sideloading with OneDrive.exe. The malware creates directories, executes encoded PowerShell commands, and modifies registry entries to enable mac…
backdoor
powershell
persistence
dll sideloading
c2
notdoor
2025-11-15
registry modification
outlook macros
Published: November 15, 2025
Downloadable IOCs: 0

Analyzing the Link Between Two Evolving Brazilian Banking Trojans

This intelligence report examines the connection between two Brazilian banking trojans, Maverick and Coyote. The malware spreads through WhatsApp, using a multi-stage attack that begins with a malicious LNK file. Both trojans share similarities in their infection methods, targeting Brazilian users …
obfuscation
whatsapp
powershell
.net
banking trojan
brazil
multi-stage attack
coyote
2025-11-12
maverick
Published: November 12, 2025
Downloadable IOCs: 9

Operation Peek-a-Baku: Silent Lynx APT Targets Dushanbe with Espionage Campaign

The Silent Lynx APT group has been conducting espionage campaigns targeting Central Asian nations, Russia, China, and Azerbaijan. Two main campaigns were identified: one focusing on Russia-Azerbaijan relations and another on China-Central Asia relations. The group uses various malware including Pow…
apt
espionage
powershell
russia
china
.net
reverse shell
central asia
azerbaijan
silent loader
laplas
silentsweeper
ligolo-ng
2025-11-05
Published: November 5, 2025
Downloadable IOCs: 0

Evasion and Persistence via Hidden Hyper-V Virtual Machines

This investigation uncovered new tools and techniques used by the Curly COMrades threat actor to establish covert, long-term access to victim networks. The attackers exploited Hyper-V virtualization on compromised Windows 10 machines to create hidden remote operating environments. They deployed a m…
evasion
powershell
persistence
lateral movement
proxy
reverse shell
virtualization
2025-11-05
hyper-v
kerberos
alpine linux
curlcat
curlyshell
Published: November 5, 2025
Downloadable IOCs: 4

Operation Peek-a-Baku: APT Targets Dushanbe with Espionage Campaign

The Silent Lynx APT group has been conducting espionage campaigns targeting diplomatic entities and critical infrastructure in Central Asia, Russia, and China. Two major campaigns were identified: one focused on Russia-Azerbaijan relations and another on China-Central Asia relations. The group used…
apt
espionage
powershell
russia
china
github
reverse shell
central asia
tajikistan
2025-11-03
azerbaijan
silent loader
laplas
silentsweeper
ligolo-ng
Published: November 3, 2025
Downloadable IOCs: 33

Operation SkyCloak: Tor Campaign targets Military of Russia & Belarus

A sophisticated campaign targeting Russian and Belarusian military personnel has been identified, using multi-stage infection chains and decoy documents. The attackers deploy OpenSSH and Tor bridges to establish covert remote access and lateral movement capabilities. The infection process involves …
obfuscation
espionage
powershell
russia
belarus
ssh
tor
military
2025-10-31
Published: October 31, 2025
Downloadable IOCs: 12

Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation

A coordinated spearphishing campaign targeted NGOs and Ukrainian government administrations involved in war relief efforts. The attack used emails impersonating the Ukrainian President's Office with weaponized PDFs, employing a fake Cloudflare captcha page to execute malware. The final payload was …
spearphishing
android
powershell
ukraine
captcha
ngos
2025-10-22
coldriver
websocket rat
Published: October 22, 2025
Downloadable IOCs: 24

PhantomCaptcha: Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation

A coordinated spearphishing campaign targeted NGOs and Ukrainian government administrations involved in war relief efforts. The attack used emails impersonating the Ukrainian President's Office with weaponized PDFs, employing a fake Cloudflare captcha page to execute malware. The final payload was …
spearphishing
android
powershell
ukraine
captcha
ngos
2025-10-22
coldriver
websocket rat
Published: October 22, 2025
Downloadable IOCs: 0

APT Meets GPT: Targeted Operations with Untamed LLMs

Over the course of three months, Volexity observed UTA0388 using various themes and fictional identities across dozens of spear phishing campaigns. As time passed, Volexity observed UTA0388 broaden their targeting and send emails in a variety of different languages, including English, Chinese, Japa…
phishing
powershell
persistence
zip
websocket
rar
2025-10-08
uta0388
govershell
llms
randomdir8char
govershell c2
archive file
Published: October 8, 2025
Downloadable IOCs: 41

Shuyal Stealer: Advanced Infostealer Targeting 19 Browsers

Shuyal Stealer is a sophisticated infostealer malware targeting 19 different browsers. It conducts deep system reconnaissance, collecting detailed hardware information and user data. The malware disables Windows Task Manager, ensures persistence through startup folder insertion, and exfiltrates sto…
evasion
powershell
infostealer
persistence
data exfiltration
system reconnaissance
telegram bot
browser targeting
2025-10-08
shuyal stealer
Published: October 8, 2025
Downloadable IOCs: 1

XWorm V6: Exploring Pivotal Plugins

Since the release of XWorm V6.0 on June 4, 2025, we have noted a surge in samples identified as XWorm V6.0 on VirusTotal, reflecting its rapid adoption by threat actors. One prominent campaign illustrates its delivery: a malicious JavaScript (JS) file initiates a PowerShell (PS1) script, which depl…
xworm
rat
phishing
powershell
javascript
remote desktop
amsi bypass
2025-10-06
file manager
Published: October 6, 2025
Downloadable IOCs: 22

Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users | Trend Micro (US)

SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments. Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more…
malware
loader
phishing
whatsapp
powershell
persistence
brazil
c server
lnk file
telegram
format
2025-10-06
whatsapp web
water saci
bradesco
brazilian
turn
watsonclient
sorvepotel
Published: October 6, 2025
Downloadable IOCs: 23

Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users

SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments. Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more…
malware
loader
phishing
whatsapp
powershell
persistence
brazil
c server
lnk file
telegram
format
2025-10-06
whatsapp web
water saci
bradesco
brazilian
turn
watsonclient
sorvepotel
Published: October 6, 2025
Downloadable IOCs: 0

Analysis: AI-powered Ransomware from APT Group

FunkLocker, a ransomware strain developed by the FunkSec APT group, showcases the growing trend of AI-assisted malware creation. The ransomware exhibits inconsistent quality across multiple builds, with some versions incorporating advanced features like anti-VM checks. It aggressively disrupts syst…
ransomware
powershell
encryption
ai-assisted
2025-10-02
funklocker
process-disruption
system-abuse
Published: October 2, 2025
Downloadable IOCs: 1

Updates Arsenal with BAITSWITCH and SIMPLEFIX

A new multi-stage ClickFix campaign, attributed to the Russia-linked APT group COLDRIVER, has been discovered targeting Russian civil society members. The campaign employs social engineering techniques to trick users into executing malicious commands, leading to the deployment of two new malware fa…
backdoor
apt
social engineering
powershell
russia
clickfix
2025-09-24
baitswitch
simplefix
Published: September 24, 2025
Downloadable IOCs: 0

NodeJS backdoors delivering proxyware and monetization schemes

This report details a campaign involving NodeJS backdoors used to distribute proxyware and monetization schemes. The attackers employ Inno setup installers to drop PowerShell scripts that download and execute NodeJS packages with malicious JavaScript. The backdoors collect system information, commu…
backdoor
powershell
proxyware
browser extension
nodejs
honeygain
infatica
2025-09-24
packetlab
monetization
Published: September 24, 2025
Downloadable IOCs: 0

CountLoader: New Malware Loader Being Served in 3 Different Versions

A new malware loader named CountLoader has been identified, strongly associated with Russian ransomware gangs. It comes in three versions: .NET, PowerShell, and JScript. The threat is believed to be part of an Initial Access Broker's toolset or used by a ransomware affiliate linked to LockBit, Blac…
phishing
ransomware
powershell
ukraine
lumma stealer
malware loader
.net
cobaltstrike
jscript
purehvnc
evasion techniques
initial access broker
adaptixc2
2025-09-19
countloader
Published: September 19, 2025
Downloadable IOCs: 27

AppSuite, OneStart & ManualFinder: The Nexus of Deception

This analysis reveals connections between three seemingly distinct malicious programs: AppSuite, OneStart, and ManualFinder. The investigation uncovers shared server infrastructure and similar installation patterns, indicating that these programs are likely created by the same threat actor. OneStar…
powershell
node.js
infrastructure
appsuite
manualfinder
2025-09-16
browser-extension
cloudfront
onestart
desktopbar
browserassistant
Published: September 16, 2025
Downloadable IOCs: 0

August 2025 APT Attack Trends Report

In August 2025, APT attacks in South Korea primarily utilized spear phishing techniques, with LNK files being the most prevalent method. Two main types of attacks were observed: Type A, which used compressed CAB files containing malicious scripts for information exfiltration and additional malware …
apt
rat
powershell
rokrat
south korea
xenorat
lnk files
spear phishing
cab files
2025-09-16
Published: September 16, 2025
Downloadable IOCs: 5

Deconstructing a Cyber Deception: An Analysis of the Clickfix HijackLoader Phishing Campaign

This analysis delves into the HijackLoader malware campaign, which has gained prominence since 2023 for its sophisticated payload delivery and evasion techniques. The campaign initiates with a CAPTCHA-based phishing attack, progressing through multiple stages of obfuscated PowerShell scripts. It em…
obfuscation
phishing
powershell
infostealer
hijackloader
lumma
deerstealer
anti-vm
multi-stage
castleloader
2025-09-12
castlebot
nekostealer
Published: September 12, 2025
Downloadable IOCs: 14

Malware Campaign Leverages SVGs, Email Attachments, and CDNs to Drop XWorm and Remcos via BAT Scripts

A sophisticated malware campaign has been uncovered that utilizes various techniques to deliver Remote Access Trojans (RATs) such as XWorm and Remcos. The attack chain begins with a ZIP archive, often hosted on trusted platforms like ImgKit, containing obfuscated BAT scripts. These scripts execute …
obfuscation
xworm
rat
phishing
powershell
remcos
evasion techniques
bat scripts
svg
fileless execution
2025-09-11
Published: September 11, 2025
Downloadable IOCs: 2

Operation BarrelFire: Targeting Kazakhstan Oil & Gas

A threat group dubbed NoisyBear has been targeting Kazakhstan's oil and gas sector since April 2025. The campaign focuses on KazMunaiGas employees, using spear-phishing emails with malicious attachments. The infection chain involves a ZIP file containing a malicious LNK file and decoy document, whi…
powershell
infrastructure
spear-phishing
kazakhstan
central asia
russian threat actor
dll injection
amsi bypass
oil and gas
2025-09-04
2025-09-05
downshell
Published: September 5, 2025
Downloadable IOCs: 14

Analysis of APT-C-53 (Gamaredon) Attack on Ukrainian Government Agencies

APT-C-53, also known as Gamaredon, is a Russian state-sponsored threat group active since 2013, targeting Ukrainian government and military entities. The group has upgraded its attack techniques, focusing on dynamic cloud-based C2 infrastructure and targeted delivery of cloud storage tools. In 2025…
apt
dropbox
powershell
russia
ukraine
cyberespionage
vbscript
2025-09-01
cloudflareworkers
devtunnels
Published: September 1, 2025
Downloadable IOCs: 11

Operation HanKook Phantom: Spear-Phishing Campaign

APT37, a North Korean state-backed cyber espionage group, has launched a sophisticated spear-phishing campaign targeting South Korean government sectors, research institutions, and academics. The attackers use malicious LNK files disguised as legitimate documents to deliver a multi-stage infection …
espionage
north korea
powershell
rokrat
south korea
data exfiltration
fileless
spear-phishing
cloud services
lnk files
2025-08-29
Published: August 29, 2025
Downloadable IOCs: 0

Threat Actor Profile: Interlock Ransomware

Interlock, a relatively new ransomware group first observed in September 2024, has gained prominence in 2025 as an opportunistic ransomware operator. Unlike traditional Ransomware-as-a-Service models, Interlock operates without affiliates or public advertisements. The group conducts double extortio…
social engineering
ransomware
powershell
cobalt strike
clickfix
systembc
double extortion
trycloudflare
remote access trojan
compromised websites
interlock rat
2025-08-15
nodesnake rat
Published: August 15, 2025
Downloadable IOCs: 24

What happened in Vegas (that you actually want to know about)

This article recaps key highlights from Black Hat USA, including Joe Marshall's live incident-response exercise using the Backdoors & Breaches card game, Amy Chang's research on bypassing AI guardrails through 'decomposition', and Philippe Laulheret's ReVault presentation on vulnerabilities in embe…
malvertising
powershell
c#
CVE-2025-6543
ps1bot
2025-08-14
embedded security
ai guardrails
incident-response
black hat usa
Published: August 14, 2025
Linked vulnerabilities : CVE-2025-6543 (CVSS 9.2)
Downloadable IOCs: 3

When Hackers Call: Social Engineering, Abusing Brave Support, and EncryptHub's Expanding Arsenal

EncryptHub, an emerging threat group, has launched a campaign combining social engineering with exploitation of CVE-2025-26633 to deliver malicious payloads. The attackers impersonate IT support staff, use remote desktop sessions, and execute PowerShell commands to deploy malware. The campaign abus…
social engineering
powershell
golang
fickle stealer
CVE-2025-26633
socks5 proxy
2025-08-14
silentcrystal
rivatalk
brave support
Published: August 14, 2025
Linked vulnerabilities : CVE-2025-26633 (CVSS 7.0)
Downloadable IOCs: 16

Silent Watcher: Dissecting Cmimai Stealer's VBS Payload

A VBS-based infostealer called Cmimai Stealer has emerged, targeting Windows systems since June 2025. It collects system information, browser metadata, and screenshots, exfiltrating data via Discord webhooks. The malware uses PowerShell scripts for browser data collection and screen capture, runnin…
powershell
windows
infostealer
exfiltration
discord
vbs
browser-data
2025-08-13
wmi
screenshot
cmimai stealer
Published: August 13, 2025
Downloadable IOCs: 0

CastleLoader Analysis

CastleLoader, a versatile malware loader, has infected 469 devices since May 2025 using Cloudflare-themed ClickFix phishing and fake GitHub repositories. It delivers information stealers and RATs, with a 28.7% infection rate. The malware employs sophisticated techniques, including PowerShell and Au…
phishing
powershell
malware loader
redline
autoit
hijackloader
c2
rats
stealc
github
netsupport rat
deerstealer
sectoprat
information stealers
2025-08-13
payload delivery
castleloader
u.s. government
Published: August 13, 2025
Downloadable IOCs: 0

Malvertising campaign leads to PS1Bot, a multi-stage malware framework

A malware campaign utilizing malvertising has been distributing PS1Bot, a sophisticated multi-stage framework implemented in PowerShell and C#. PS1Bot features modular design, enabling information theft, keylogging, reconnaissance, and persistent system access. The malware minimizes artifacts and u…
malvertising
powershell
cryptocurrency
modular
in-memory execution
information stealer
multi-stage
c#
2025-08-12
ahk bot
ps1bot
skitnet
Published: August 12, 2025
Downloadable IOCs: 0

From ClickFix to Command: A Full PowerShell Attack Chain

A targeted intrusion campaign impacting Israeli organizations has been identified, leveraging compromised internal email infrastructure to distribute phishing messages. The attack uses a multi-stage, PowerShell-based infection chain, culminating in the delivery of a remote access trojan (RAT). Key …
obfuscation
rat
phishing
social engineering
powershell
lateral movement
c2 communication
2025-08-11
israeli targets
powershell rat
Published: August 11, 2025
Downloadable IOCs: 0

CoinMiner Attacks Exploiting GeoServer Vulnerability

A critical remote code execution vulnerability (CVE-2024-36401) in GeoServer has been actively exploited by threat actors to install CoinMiner malware. The attacks target both Windows and Linux environments with unpatched GeoServer installations. In South Korea, attackers exploited the vulnerabilit…
powershell
xmrig
coinminer
bash
mirai
netcat
remote code execution
condi
geoserver
monero
CVE-2024-36401
goreverse
2025-08-08
sidewalk
Published: August 8, 2025
Downloadable IOCs: 4

Unveiling a New Variant of the DarkCloud Campaign

A new DarkCloud campaign was observed in July 2025, targeting Windows users with a sophisticated infection chain. The attack begins with a phishing email containing a RAR archive, which leads to the execution of obfuscated JavaScript and PowerShell code. This code downloads and deploys a fileless .…
powershell
credential-theft
anti-analysis
process-hollowing
fileless
information-stealer
2025-08-08
darkcloud
Published: August 8, 2025
Downloadable IOCs: 2

From Reconnaissance to Control: The Operational Blueprint of Kimsuky APT for Cyber Espionage

This report details a cyber-espionage campaign attributed to Kimsuky, a North Korean APT group, targeting South Korean entities. The attack uses malicious Windows shortcut files as initial access, followed by obfuscated scripts and a sophisticated malware framework. The malware performs extensive s…
obfuscation
apt43
powershell
keylogging
data exfiltration
2025-08-07
Published: August 7, 2025
Downloadable IOCs: 0

Sealed Chain of Deception: Actors leveraging Node.JS to Launch JSCeal

A sophisticated malware campaign called JSCEAL is targeting cryptocurrency users through fake apps impersonating popular trading platforms. The attackers use malicious ads to lure victims into downloading installers that deploy a multi-stage infection chain. This includes PowerShell scripts for pro…
evasion
malvertising
powershell
cryptocurrency
stealer
node.js
multi-stage
fake apps
2025-07-31
jsceal
jsc
Published: July 31, 2025
Downloadable IOCs: 268

LNK Trojan delivers REMCOS

This report details a multi-stage malware campaign delivering the REMCOS backdoor via a malicious Windows LNK shortcut file. The attack begins with social engineering, leveraging PowerShell for initial execution and deploys a persistent backdoor capable of full system compromise. The infection chai…
backdoor
powershell
remcos
keylogger
lnk file
c2 communication
pif file
multi-stage attack
base64 encoding
2025-07-30
Published: July 30, 2025
Downloadable IOCs: 8

Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode

The Arctic Wolf Labs team has uncovered a new cyber-espionage campaign by the Dropping Elephant APT group targeting Turkish defense contractors. The attack leverages a five-stage execution chain delivered via malicious LNK files disguised as conference invitations. It uses legitimate binaries like …
apt
powershell
shellcode
dll side-loading
cyber-espionage
turkey
defense industry
2025-07-23
vlc player
dropping elephant rat
Published: July 23, 2025
Linked vulnerabilities : CVE-2025-5777 (CVSS 9.3), CVE-2025-20337 (CVSS 10.0), CVE-2025-53770 (CVSS 9.8)
Downloadable IOCs: 10

Fix the Click: Preventing the ClickFix Attack Vector

This article discusses the rising threat of ClickFix, a social engineering technique used by threat actors to trick victims into executing malicious commands under the guise of quick fixes for computer issues. The technique has been observed in campaigns distributing various malware, including NetS…
rat
social engineering
typosquatting
powershell
infostealer
lumma stealer
latrodectus
autoit
clickfix
netsupport rat
clipboard hijacking
2025-07-10
Published: July 10, 2025
Downloadable IOCs: 65

Digging Gold with a Spoon – Resurgence of Monero-mining Malware

A resurgence of malware deploying XMRig cryptominer was discovered in mid-April 2025, coinciding with a rally in Monero cryptocurrency value. The malware uses a multi-staged approach and LOLBAS techniques, leveraging Windows tools like PowerShell for payload delivery, detection evasion, and persist…
powershell
xmrig
persistence
cryptomining
monero
lolbas
windows defender evasion
2025-07-07
Published: July 7, 2025
Downloadable IOCs: 4

BERT Ransomware Group Targets Asia and Europe on Multiple Platforms

A newly emerged ransomware group called BERT has been targeting organizations across Asia and Europe since April. The group employs simple code with effective execution, impacting sectors such as healthcare, technology, and event services. BERT's ransomware operates on both Windows and Linux platfo…
linux
ransomware
powershell
windows
encryption
esxi
europe
asia
2025-07-07
bert
Published: July 7, 2025
Downloadable IOCs: 9

Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset

Throughout 2024, Gamaredon focused exclusively on targeting Ukrainian governmental institutions with spearphishing campaigns and weaponized USB drives. The group developed six new tools and significantly updated existing ones, improving stealth and evasion capabilities. Gamaredon increased the scal…
apt
spearphishing
powershell
cloudflare tunnels
2025-07-04
Published: July 4, 2025
Downloadable IOCs: 53

Analysis of the threat case of kimsuky group using 'ClickFix' tactic

The Kimsuky group has adopted a deceptive tactic called 'ClickFix' to trick users into unknowingly participating in attack chains. This method involves disguising malicious instructions as troubleshooting guides or security document verification procedures. The campaign is believed to be an extensi…
social engineering
powershell
clickfix
quasarrat
spear-phishing
2025-07-02
Published: July 2, 2025
Downloadable IOCs: 40

BERT RANSOMWARE - THE RAVEN FILE

BERT Ransomware, active since March 2025, has expanded its operations to target both Windows and Linux environments. The group uses phishing for initial access and communicates via the dark web and Sessions for negotiations. Victims span multiple countries, primarily affecting service and manufactu…
linux
phishing
ransomware
powershell
windows
encryption
revil
sodinokibi
dark web
2025-06-20
bert ransomware
Published: June 20, 2025
Downloadable IOCs: 11

Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation

This article analyzes two new variants of the KimJongRAT stealer: a Portable Executable (PE) variant and a PowerShell implementation. Both variants use a multi-stage infection process, starting with a Windows shortcut (LNK) file that downloads a dropper from a content delivery network. The PE varia…
powershell
cryptocurrency
stealer
multi-stage infection
browser extensions
2025-06-17
kimjongrat
content delivery network
Published: June 17, 2025
Downloadable IOCs: 0

Fileless AsyncRAT Distributed Via Clickfix Technique Targeting German Speaking Users

A fileless AsyncRAT campaign is targeting German-speaking users through Clickfix-themed websites. The attack uses a fake 'I'm not a robot' prompt to execute malicious PowerShell code, which downloads and runs obfuscated C# code in memory. This technique enables full remote access, credential theft,…
obfuscation
powershell
asyncrat
c2
in-memory execution
fileless
clickfix
2025-06-16
german-speaking
Published: June 16, 2025
Downloadable IOCs: 0

More Steganography!

A malicious Excel file using steganography was analyzed, revealing embedded XLS sheets and a complex infection chain. The file downloads an HTA file that creates a BAT file, which in turn generates and executes a VBS file. The VBS file fetches a VBA script that creates and runs a PowerShell script.…
powershell
steganography
excel
base64
dll
vbs
katz stealer
hta
2025-06-14
Published: June 14, 2025
Downloadable IOCs: 0

Analysis of the Triple Combo Threat of the Kimsuky Group

The Genians Security Center (GSC) detected an APT (Advanced Persistent Threat) campaign targeting users of Facebook, email, and Telegram in Korea between March and April 2025. The threat actor explored reconnaissance and selected attack targets through two Facebook accounts.
apt
kimsuky
babyshark
powershell
shell
dll file
execution
appleseed
telegram
facebook
linkedin
vmprotect
2025-06-11
username
kimsuky group
flowerpower
golddragon
Published: June 11, 2025
Downloadable IOCs: 14

Operation Phantom Enigma

A malicious campaign targeting primarily Brazilian residents has been discovered, with attacks detected since early 2025. The attackers employed phishing emails, some sent from compromised company servers, to distribute malware. Two attack chains were identified: one using a malicious browser exten…
phishing
powershell
stealer
banking
browser extension
2025-06-05
mesh agent
pdq connect agent
Published: June 5, 2025
Downloadable IOCs: 0

Cybercriminals camouflaging threats as AI tool installers

Cybercriminals are exploiting the popularity of AI by distributing malware disguised as AI solution installers. Three threats have been identified: CyberLock ransomware, Lucky_Gh0$t ransomware, and a newly discovered destructive malware called Numero. CyberLock, developed using PowerShell, encrypts…
ransomware
powershell
seo poisoning
ai
yashma
chaos
seo manipulation
2025-05-29
cyberlock
technology sector
b2b sales
ai tools
lucky_gh0$t
marketing sector
fake installers
numero
2025-06-05
Published: June 5, 2025
Downloadable IOCs: 20

Chasing Eddies: New Rust-based InfoStealer used in CAPTCHA campaigns

A novel Rust-based infostealer called EDDIESTEALER has been discovered, distributed through fake CAPTCHA campaigns. The malware uses deceptive verification pages to trick users into executing a malicious PowerShell script, which deploys the infostealer. EDDIESTEALER targets sensitive data including…
powershell
infostealer
cryptocurrency
rust
data exfiltration
captcha
2025-05-29
eddiestealer
Published: May 29, 2025
Downloadable IOCs: 27

Russian Unit 26165 Targets Western Logistics and Technology Companies

Chihuahua Infostealer is a sophisticated .NET-based malware discovered in April 2025, targeting browser credentials and cryptocurrency wallet data. It employs multi-stage delivery through obfuscated PowerShell scripts, often using trusted platforms like Google Drive for initial distribution. The ma…
obfuscation
powershell
infostealer
persistence
data-exfiltration
2025-05-27
crypto-wallet-theft
chihuahua infostealer
browser-data-theft
.net-malware
Published: May 27, 2025
Downloadable IOCs: 10

Caught in the CAPTCHA: How ClickFix is Weaponizing Verification Fatigue to Deliver RATs & Infostealers

Threat actors are exploiting user fatigue with anti-spam mechanisms through a technique called ClickFix. This method involves compromising websites and embedding fraudulent CAPTCHA images, which, when solved by unsuspecting users, lead to the execution of malicious code. The attack chain typically …
rat
social engineering
powershell
infostealer
lumma
netsupport rat
sectoprat
captcha
clipboard injection
2025-05-22
Published: May 22, 2025
Downloadable IOCs: 10

Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT

A new PowerShell-based shellcode loader has been discovered, designed to execute a variant of Remcos RAT. The attack chain begins with malicious LNK files in ZIP archives, using mshta.exe for initial execution. The loader employs fileless techniques, executing code directly in memory to evade tradi…
powershell
keylogger
process hollowing
remcos rat
evasion techniques
uac bypass
shellcode loader
2025-05-15
tls communication
fileless execution
Published: May 15, 2025
Downloadable IOCs: 5

Excel(ent) Obfuscation: Regex Gone Rogue

A new Excel-based attack technique leverages recently introduced regex functions for advanced code obfuscation. The proof-of-concept demonstrates how malicious actors can use REGEXEXTRACT to hide PowerShell commands within large text blocks, significantly reducing antivirus detection rates. This me…
obfuscation
vba
evasion
powershell
excel
2025-05-15
macro
regex
regexextract
Published: May 15, 2025
Downloadable IOCs: 3

New 'Chihuahua Stealer' Targets Browser Data and Crypto Wallets

A novel infostealer named Chihuahua Stealer has been detected, blending standard malware techniques with advanced features. This .NET-based malware employs a multi-stage PowerShell script infection process, utilizing Base64 encoding, hex-string obfuscation, and scheduled tasks for persistence. It t…
powershell
infostealer
.net
multi-stage infection
crypto wallets
browser data
2025-05-14
chihuahua stealer
aes-gcm
Published: May 14, 2025
Downloadable IOCs: 2

TA406 Pivots to the Front

In February 2025, TA406, a North Korean state-sponsored actor, began targeting Ukrainian government entities with phishing campaigns aimed at gathering intelligence on the Russian invasion. The group utilized freemail senders impersonating think tank members to deliver both credential harvesting at…
phishing
north korea
powershell
ukraine
credential harvesting
reconnaissance
2025-05-13
government targeting
chm files
Published: May 13, 2025
Downloadable IOCs: 11

A New Breed of Infostealer

A newly discovered .NET-based infostealer, Chihuahua Stealer, combines common malware techniques with advanced features. The infection begins with an obfuscated PowerShell script shared via Google Drive, initiating a multi-stage payload chain. Persistence is achieved through scheduled tasks, and th…
powershell
infostealer
exfiltration
persistence
encryption
.net
multi-stage
2025-05-13
browser-data
chihuahua stealer
crypto-wallets
Published: May 13, 2025
Downloadable IOCs: 8

Russian COLDRIVER Hackers Deploy LOSTKEYS Malware to Steal Sensitive Information

The Google Threat Intelligence Group has identified a sophisticated malware called LOSTKEYS, attributed to the Russian government-backed threat actor COLDRIVER. Active since December 2023, LOSTKEYS represents an evolution in COLDRIVER's toolkit, targeting high-value entities such as NATO government…
powershell
ukraine
captcha
nato
multi-stage infection
ngo
lostkeys
2025-05-10
intelligence collection
russian hackers
western governments
Published: May 10, 2025
Downloadable IOCs: 0

COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs

Russian government-backed threat group COLDRIVER has developed a new malware called LOSTKEYS, capable of stealing files and system information. The group targets high-profile individuals, NGOs, and former intelligence officers through credential phishing and malware delivery. LOSTKEYS is delivered …
phishing
powershell
credential theft
clickfix
2025-05-07
spica
document theft
lostkeys
ngos
Published: May 7, 2025
Downloadable IOCs: 0

Lampion Is Back With ClickFix Lures

A highly focused malicious campaign targeting Portuguese organizations, particularly in government, finance, and transportation sectors, has been uncovered. The campaign is linked to Lampion malware, an infostealer focusing on banking information. The threat actors have incorporated ClickFix lures,…
obfuscation
social engineering
powershell
infostealer
vbscript
clickfix
2025-05-06
lampion
Published: May 6, 2025
Downloadable IOCs: 10

Threat Actors are Targeting US Tax-Session with new Tactics of Stealerium-infostealer

Cybercriminals are exploiting the US tax season to deploy Stealerium malware, targeting citizens through sophisticated phishing campaigns. The attack utilizes deceptive email attachments with malicious LNK files, leading to the execution of PowerShell scripts and the download of a PyInstaller-packa…
powershell
anti-analysis
information stealing
process injection
2025-04-30
tax-season phishing
stealerium
Published: April 30, 2025
Downloadable IOCs: 0

Introducing ToyMaker

The initial access broker (IAB), whom Talos calls “ToyMaker” and assesses with medium confidence is a financially motivated threat actor, exploits vulnerable systems exposed to the internet. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. …
ransomware
powershell
anydesk
persistence
winscp
impacket
bugsleep
ssh
metasploit
initial access broker
file transfer
cactus
2025-04-23
lagtoy
toymaker
magnet ram
capture
holerun
Published: April 23, 2025
Downloadable IOCs: 20

DOGE Binary Loader Indicators of Compromise

This intelligence document provides a list of Indicators of Compromise (IoCs) associated with the DOGE Binary Loader. It includes several malicious URLs hosted on the domain 'hilarious-trifle-d9182e.netlify.app' along with their corresponding SHA-256 hashes. The listed files include PowerShell scri…
powershell
ioc
sha-256
2025-04-22
url
doge binary loader
netlify
Published: April 22, 2025
Downloadable IOCs: 0

How Lumma Stealer sneaks into organizations

Lumma Stealer, a sophisticated information-stealing malware, has gained prominence in cybercriminal circles since 2022. It employs various distribution methods, with fake CAPTCHA pages being a notable vector. These pages mimic legitimate services and trick users into executing malicious commands. T…
obfuscation
powershell
anti-analysis
lumma stealer
autoit
information stealer
cryptocurrency theft
fake captcha
2025-04-21
Published: April 21, 2025
Downloadable IOCs: 15

Two sides of the same coin

This intelligence report analyzes the similarities between two previously separate APT groups, Team46 and TaxOff, concluding they are likely the same entity. The analysis covers their shared tactics, techniques, and procedures, including similar PowerShell commands, loader functionality, and infras…
backdoor
loader
obfuscation
apt
powershell
cobalt strike
zero-day
encryption
CVE-2024-6473
CVE-2025-2783
2025-04-18
dante
trinper
Published: April 18, 2025
Downloadable IOCs: 0

Shuckworm Targets Foreign Military Mission Based in Ukraine

Russian-linked cyber-espionage group Shuckworm appears to be targeting a Western military mission based in Ukraine, according to research by Symantec and its partner, the UK-based security firm.
powershell
infostealer
ukraine
c server
gamaredon
shuckworm
2025-04-10
gammasteel
desktop folder
armageddon
Published: April 10, 2025
Downloadable IOCs: 56

ViperSoftX Malware Distributed by Arabic-Speaking Threat Actor

An Arabic-speaking threat actor has been distributing ViperSoftX malware to Korean victims since April 1, 2025. The malware, typically spread through cracked software or torrents, operates as a PowerShell script and communicates with C&C servers. The campaign involves downloading additional malware…
powershell
purecrypter
quasar rat
vipersoftx
evasion techniques
vbs
2025-04-10
c&c communication
arabic-speaking
Published: April 10, 2025
Downloadable IOCs: 0

March 2025 APT Group Trends (South Korea)

This intelligence report analyzes Advanced Persistent Threat (APT) attacks in South Korea during March 2025. The majority of attacks were classified as spear phishing, with LNK file distribution being the most prevalent method. Two types of LNK-based attacks were identified: Type A, which uses a CA…
obfuscation
apt
python
powershell
south korea
pebbledash
lnk files
spear phishing
2025-04-10
nukesped
task scheduler
cab files
Published: April 10, 2025
Downloadable IOCs: 0

A miner and the ClipBanker Trojan being distributed via SourceForge

A unique malware distribution scheme exploiting SourceForge has been discovered. The attackers create a seemingly legitimate project on sourceforge.net, which automatically generates a sourceforge.io subdomain. This subdomain is then used to host a malicious page that tricks users into downloading …
powershell
cryptocurrency
persistence
autoit
clipbanker
2025-04-08
miner
sourceforge
Published: April 8, 2025
Downloadable IOCs: 0

Russian-Speaking Threat Actor Abuses Cloudflare & Telegram in Phishing Campaign

A Russian-speaking threat actor has launched a new phishing campaign using Cloudflare-branded pages themed around DMCA takedown notices. The attack abuses the ms-search protocol to deliver malicious LNK files disguised as PDFs. Once executed, the malware communicates with a Telegram bot to report t…
phishing
python
powershell
lnk
cloudflare
telegram
pyramid
pyramid c2
open directory
2025-04-04
dmca
ms-search
Published: April 4, 2025
Downloadable IOCs: 0

Proactive ClickFix Threat Hunting with Hunt.io

ClickFix is a browser-based delivery technique that uses deceptive prompts and clipboard hijacking to trick users into executing malicious commands. Cybercriminals and advanced actors employ this method to deploy malware, primarily information stealers. The technique involves luring users with fake…
powershell
cryptbot
lumma stealer
credential theft
clickfix
captcha
information stealers
malware delivery
threat hunting
browser-based attacks
2025-04-04
clipboard hijacking
Published: April 4, 2025
Downloadable IOCs: 0

Gootloader Returns: Malware Hidden in Google Ads for Legal Documents

The Gootloader malware campaign has evolved its tactics, now using Google Ads to target victims seeking legal templates. The threat actor advertises legal documents, primarily agreements, through compromised ad accounts. Users searching for templates are directed to a malicious website where they a…
social engineering
powershell
javascript
google ads
gootloader
scheduled tasks
2025-04-03
email phishing
wordpress blogs
legal templates
Published: April 3, 2025
Downloadable IOCs: 0

Cyber Espionage using PowerShell stealer WRECKSTEEL

Ukrainian government's CERT-UA has identified a series of cyberattacks against government agencies and critical infrastructure facilities in Ukraine during March 2025. The attacks, aimed at information theft, utilize compromised accounts to distribute emails with links to public file services. Thes…
powershell
ukraine
cyber espionage
government
vbscript
critical infrastructure
2025-04-03
file stealing
wrecksteel
Published: April 3, 2025
Downloadable IOCs: 71

Thunderstruck! Malicious ads for RVTools lead to ThunderShell payload

A security incident involving malicious sponsored ads distributing backdoored administrative tools was detected. Users searching for RVTools were served a tampered version containing ThunderShell, a PowerShell-based remote access tool. The malicious ads, appearing in Google search results, led to a…
malvertising
powershell
icedid
google ads
c2
remote access tool
2025-04-03
thundershell
rvtools
trojanized software
Published: April 3, 2025
Downloadable IOCs: 0

Delivering Trojans Via ClickFix Captcha

A new social engineering technique exploiting ClickFix Captcha has emerged as an effective method for delivering various types of malware, including Quakbot. This technique deceives users and bypasses security measures by utilizing a seemingly harmless captcha. The process involves redirecting user…
obfuscation
social engineering
powershell
qbot
banking trojan
evasion techniques
2025-04-01
clickfix captcha
php dropper
quakbot
Published: April 1, 2025
Downloadable IOCs: 0

Analysis: SmokeLoader malware distribution

A malicious campaign targeting First Ukrainian International Bank has been observed using the Emmenhtal loader to distribute SmokeLoader malware. The infection chain begins with a deceptive email containing a 7z archive, which extracts to reveal a bait PDF and a shortcut file. The shortcut download…
obfuscation
powershell
cryptbot
infostealers
banking
smokeloader
lumma
emmenhtal
lolbas
2025-03-31
mshta
Published: March 31, 2025
Downloadable IOCs: 0

A Deep Dive into Water Arsenal and Infrastructure

Water Gamayun, a suspected Russian threat actor, exploits the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) to compromise systems and exfiltrate data. The group uses custom payloads like EncryptHub Stealer variants, SilentPrism and DarkWisp backdoors, as well as known malware like Stealc and…
backdoor
powershell
rhadamanthys
zero-day
stealer
stealc
c&c
CVE-2025-26633
msc eviltwin
2025-03-29
lolbins
darkwisp
encrypthub stealer
silentprism
Published: March 29, 2025
Downloadable IOCs: 0

Gamaredon campaign abuses LNK files to distribute Remcos backdoor

A campaign targeting users in Ukraine with malicious LNK files has been observed since November 2024. The files, using Russian words related to troop movements as lures, run a PowerShell downloader contacting geo-fenced servers in Russia and Germany. The second stage payload uses DLL side loading t…
phishing
powershell
ukraine
remcos
dll sideloading
lnk files
2025-03-28
gthost
hyperhosting
Published: March 28, 2025
Downloadable IOCs: 0

YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware Attacks

Cybercriminals are targeting YouTube creators with a sophisticated malware campaign using the Clickflix technique. Attackers impersonate popular brands and offer fake collaboration opportunities to lure victims. The campaign employs spearphishing emails with malicious attachments and links to fake …
social engineering
spearphishing
powershell
cryptocurrency
lumma stealer
credential theft
youtube
2025-03-25
clickflix
Published: March 25, 2025
Downloadable IOCs: 5

The rising threat of social engineering through fake fixes

ClickFix is an emerging social engineering tactic that manipulates users into executing malicious actions under the guise of troubleshooting or system maintenance. Attackers present fake error messages, CAPTCHA verifications, or system prompts to convince users to take actions that compromise their…
phishing
social engineering
powershell
asyncrat
clickfix
captcha
2025-03-21
command line
fake fixes
Published: March 21, 2025
Downloadable IOCs: 4

Fake Cloudflare Verification Results in LummaStealer Trojan Infections

A malicious campaign targeting Windows users through WordPress websites is deploying the LummaStealer trojan. Attackers use fake Cloudflare verification prompts to trick users into running malicious PowerShell commands. The infection is spread through compromised plugins or injected JavaScript in l…
powershell
lummac2
infostealer
trojan
wordpress
cloudflare
lummastealer
javascript injection
2025-03-20
Published: March 20, 2025
Downloadable IOCs: 4

VHDs Used to Distribute VenomRAT and Other Malware

A phishing campaign is utilizing virtual hard disk (VHD) image files to deliver VenomRAT malware. The attack begins with a purchase order-themed email containing a ZIP archive with a VHD file. When opened, the VHD mounts as a drive and executes a heavily obfuscated batch script. This script employs…
obfuscation
phishing
powershell
persistence
venomrat
keylogger
aes encryption
2025-03-14
vhd
Published: March 14, 2025
Downloadable IOCs: 0

APT37 - RokRat

APT37, a North Korean state-sponsored hacking group, has expanded its operations to target users on Windows and Android platforms through phishing campaigns. The group's attack vector involves malicious LNK files distributed via group chat platforms. The infection process begins with phishing email…
phishing
north korea
powershell
rokrat
cloud services
lnk files
remote access trojan
2025-03-12
Published: March 12, 2025
Downloadable IOCs: 9

Desert Dexter.Attacks on Middle Eastern Countries

A malicious campaign targeting residents of Middle East and North Africa has been discovered, active since September 2024. The attackers create fake news groups on social media and publish posts with links to file-sharing services or Telegram channels containing modified AsyncRAT malware. The malwa…
powershell
asyncrat
2025-03-11
crypto wallets
Published: March 11, 2025
Downloadable IOCs: 2

Unmasking the new persistent attacks on Japan

An unknown attacker has been targeting organizations in Japan since January 2025, exploiting CVE-2024-4577, a remote code execution vulnerability in PHP-CGI on Windows. The attacker uses the Cobalt Strike kit 'TaoWu' for post-exploitation activities, including reconnaissance, privilege escalation, …
powershell
cobalt strike
persistence
credential theft
CVE-2024-4577
japan
2025-03-06
php-cgi
taowu
Published: March 6, 2025
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8)
Downloadable IOCs: 3

Stealers and backdoors are spreading under the guise of a DeepSeek client

Cybercriminals are exploiting the popularity of DeepSeek, a powerful reasoning large language model, by creating fake websites that mimic the official DeepSeek chatbot site and distribute malicious code disguised as a client. Three main schemes were identified: a Python stealer targeting user data …
backdoor
social engineering
typosquatting
powershell
stealer
dll sideloading
farfli
deepseek
2025-03-06
Published: March 6, 2025
Downloadable IOCs: 9

Remcos RAT Targets Europe: New AMSI and ETW Evasion Tactics Uncovered

This week, the SonicWall threat research team discovered a new update in the Remcos infection chain aimed at enhancing its stealth by patching AMSI scanning and ETW logging to evade detection. This loader was seen distributing Async RAT in the past but now it has extended its functionality to Remco…
rat
phishing
powershell
remcos
2025-03-05
zip
vb script
Published: March 5, 2025
Downloadable IOCs: 7

Booking a Threat: Inside LummaStealer's Fake reCAPTCHA

A new malicious campaign targeting booking websites has been discovered, utilizing LummaStealer, an info-stealer operating under a Malware-as-a-Service model. The attack employs fake CAPTCHAs to trick users into executing malicious PowerShell commands. Initially targeting the Philippines, the campa…
obfuscation
social engineering
malvertising
powershell
clickfix
fake captcha
lummastealer
2025-03-04
emotet
info-stealer
binary padding
booking websites
indirect control flow
Published: March 4, 2025
Downloadable IOCs: 12

XWorm Cocktail: A Mix of PE data with PowerShell Code

A malicious file discovered on VirusTotal triggered a PowerShell rule, leading to the investigation of two closely related files identified as 'data files' but named as executables. The files contain a mix of PowerShell code, binary data, and obfuscated text. Analysis revealed characteristics of XW…
obfuscation
xworm
evasion
powershell
persistence
keylogging
virustotal
deobfuscation
2025-02-19
Published: February 19, 2025
Downloadable IOCs: 3

Don't Ghost the SocGholish: GhostWeaver Backdoor

The article details a sophisticated malware infection chain involving SocGholish, MintsLoader, and the GhostWeaver backdoor. The attack begins with a fake browser update, progressing through multiple stages to deploy a PowerShell backdoor and various plugins. These components work together to steal…
backdoor
powershell
cryptocurrency
socgholish
credential theft
boinc
fakeupdates
netsupport rat
mintsloader
2025-02-17
web injection
ghostweaver
juniper stealer
Published: February 17, 2025
Downloadable IOCs: 14

You've Got Malware: FINALDRAFT Hides in Your Drafts

While investigating REF7707, Elastic Security Labs discovered a new family of previously unknown malware that leverages Outlook as a communication channel via the Microsoft Graph API. This post-exploitation kit includes a loader, a backdoor, and multiple submodules that enable advanced post-exploit…
linux
powershell
shell
lsass
mimikatz
finaldraft
ref7707
pathloader
2025-02-14
elf
microsoft graph
outlook
elf variant
ntlm hash
pe
updatetask
Published: February 14, 2025
Downloadable IOCs: 9

From South America to Southeast Asia: The Fragile Web of REF7707

While the REF7707 campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign owners exhibited poor campaign management and inconsistent evasion practices.
linux
powershell
windows
persistence
siestagraph
certutil
scheduled task
2025-02-12
lolbas
southeast asia
finaldraft
ref7707
guidloader
pathloader
typo squatting
lolbin
remote admin
Published: February 12, 2025
Downloadable IOCs: 40

GetSmoked: UAC-0006 Returns With SmokeLoader Targeting Ukraine's Largest State-Owned Bank

UAC-0006, a financially motivated cyber threat group, has resurfaced with a sophisticated phishing campaign targeting customers of Ukraine’s largest state-owned bank, PrivatBank.
powershell
ukraine
javascript
black basta
vbscript
smokeloader
uac-0006
carbanak
anunak
defense evasion
sha256
2025-02-10
fin7
uac0006
privatbank
bank
model
demo
Published: February 10, 2025
Downloadable IOCs: 62

Analysis of malicious HWP cases of 'APT37' group distributed through K messenger

The report details a sophisticated APT attack targeting South Korea, utilizing spear-phishing techniques and malicious HWP files distributed through a popular Korean messenger service. The APT37 group exploited trust-based tactics, using compromised accounts to spread malware through group chats. T…
powershell
rokrat
spear-phishing
2025-02-05
pcloud
ole
file-less
hwp
k messenger
Published: February 5, 2025
Downloadable IOCs: 0

From Credit Card Skimming to Exploiting Zero-Days

XE Group, a cybercriminal organization active since 2013, has evolved from credit card skimming to exploiting zero-day vulnerabilities. The group initially focused on web vulnerabilities and supply chain attacks but has now shifted to targeted information theft in manufacturing and distribution sec…
powershell
zero-day
meterpreter
aspxspy
webshell
supply-chain-attack
2025-02-03
CVE-2024-57968
CVE-2025-25181
information-theft
remote-access-trojan
sql-injection
persistent-access
Published: February 3, 2025
Linked vulnerabilities : CVE-2024-57968 (CVSS 9.9), CVE-2025-25181 (CVSS 5.8), CVE-2019-18935, CVE-2017-9248
Downloadable IOCs: 17

Protecting Against the Exploited CVEs in the Cleo Data Theft Attacks

The Clop ransomware group has exploited critical vulnerabilities in Cleo's managed file transfer software, specifically CVE-2024-50623 and CVE-2024-55956. These vulnerabilities allow unrestricted file upload/download and execution of arbitrary commands. Imperva has observed over 1 million exploitat…
ransomware
powershell
data theft
extortion
persistence
CVE-2024-50623
CVE-2024-55956
2025-01-22
clop
file transfer
Published: January 22, 2025
Downloadable IOCs: 2

Proxyware Being Distributed Through Ad Pages

Security researchers have confirmed the unauthorized installation of proxyware on systems through advertisement pages from freeware software sites. The proxyware, identified as DigitalPulse, allows threat actors to share a portion of the system's Internet bandwidth for financial gain without user c…
powershell
lummac2
javascript
adware
downloader
2025-01-21
digitalpulse
proxyware
autoclicker
Published: January 21, 2025
Downloadable IOCs: 3

Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighboring Nations

A new threat group dubbed Silent Lynx has been uncovered targeting entities in Kyrgyzstan and neighboring nations. The group, believed to be Kazakhstan-based, employs sophisticated multi-stage attack strategies using ISO files, C++ loaders, PowerShell scripts, and Golang implants. Their campaigns f…
apt
espionage
powershell
government
golang
telegram
central asia
2025-01-21
yorotrooper
gservice.exe
xerox_scan17510875802718752175.exe
kyrgyzstan
resocks
Published: January 21, 2025
Downloadable IOCs: 12

Investigating A Web Shell Intrusion With Managed XDR

This analysis details a web shell intrusion incident where attackers exploited an IIS worker to exfiltrate data. The attacker uploaded a web shell, created a new account for persistence, modified an existing user's password, and used encoded PowerShell commands to establish a reverse TCP shell for …
powershell
anydesk
privilege escalation
data exfiltration
web shell
command-and-control
2025-01-15
reverse tcp shell
iis worker
Published: January 15, 2025
Downloadable IOCs: 0

Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page

A new distribution method for the LummaC2 infostealer malware has been identified, using a fake CAPTCHA verification page. The process begins with a deceptive authentication screen that copies a malicious command to the clipboard when users click 'I'm not a robot'. This command executes an obfuscat…
obfuscation
phishing
powershell
lummac2
infostealer
cryptocurrency
captcha
2025-01-13
clipbanker
Published: January 13, 2025
Downloadable IOCs: 4

Information Stealer Masquerades as LDAPNightmare (CVE-2024-49113) PoC Exploit

A fake proof-of-concept exploit for the LDAPNightmare vulnerability (CVE-2024-49113) is being used to distribute information-stealing malware. The malicious repository, disguised as a fork from the original creator, contains an executable file that, when run, drops and executes a PowerShell script.…
powershell
github
information stealer
CVE-2024-49112
CVE-2024-49113
2025-01-10
ldapnightmare
poc exploit
ftp exfiltration
Published: January 10, 2025
Downloadable IOCs: 0

EAGERBEE, with updated and novel components, targets the Middle East

The EAGERBEE backdoor, deployed at ISPs and governmental entities in the Middle East, has been analyzed to reveal new components and capabilities. The malware uses a novel service injector to inject the backdoor into running services, and employs several plugins for various malicious activities. Th…
powershell
2025-01-06
proxylogon
dllloader1x64.dll
ssl
coughingdown
Published: January 6, 2025
Downloadable IOCs: 8

Espionage cluster Paper Werewolf engages in destructive behavior

The Paper Werewolf cluster, also known as GOFFEE, has increased its activity, targeting Russian organizations in government, energy, finance, and media sectors. Their primary method involves phishing emails with malicious Microsoft Word attachments containing macros. The group has evolved from cybe…
phishing
powershell
powerrat
2024-12-25
qwakmyagent
goffee
powertaskel
freyja
owowa
Published: December 25, 2024
Downloadable IOCs: 0

Stealthy Cyber Attacks: LNK Files & SSH Commands Playbook

This analysis explores a rising trend in cyber attacks where threat actors leverage LNK files and SSH commands as initial infection vectors. The attackers use meticulously crafted shortcut files, often disguised as legitimate documents, to execute commands using Living-off-the-Land Binaries (LOLBin…
powershell
evasion techniques
lnk files
rundll32
2024-12-19
hackbrowserdata
scp
living-off-the-land binaries
cyber attacks
ssh commands
Published: December 19, 2024
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2017-11882, CVE-2024-21893
Downloadable IOCs: 6

"Breach Report" from UAC-0099 (CERT-UA#12463)

The Ukrainian CERT-UA investigated cyberattacks by UAC-0099 against government organizations during November-December 2024. The attacks involved emails with malicious attachments, including exploits for CVE-2023-38831. The LONEPAGE program, used for command execution, has evolved to use encrypted f…
powershell
CVE-2023-38831
cloudflare
winrar
lnk files
2024-12-18
lonepage program
Published: December 18, 2024
Downloadable IOCs: 25

Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising

A large-scale fake captcha campaign has been distributing Lumma info-stealer malware through malvertising techniques. The campaign, relying on a single ad network, delivers over 1 million daily ad impressions, causing thousands of daily victims to lose their accounts and money. The malicious activi…
malvertising
powershell
lumma stealer
fake captcha
2024-12-18
Published: December 18, 2024
Downloadable IOCs: 50

Threat Actor Targets Manufacturing Industry With Malware

A sophisticated cyberattack campaign targeting the manufacturing industry has been identified, utilizing a deceptive LNK file disguised as a PDF document. The attack leverages multiple Living-off-the-Land Binaries and Google Accelerated Mobile Pages to evade detection. The threat actor employs vari…
powershell
lumma stealer
dll sideloading
lnk file
process injection
manufacturing
code injection
2024-12-05
amadey bot
amp url
Published: December 5, 2024
Downloadable IOCs: 0

XWorm: Analyzing New Infection Tactics With Old Payload

A recent malware campaign utilizes a multi-stage infection chain starting with a LNK file that lures victims into opening an invoice in a web browser. The attack involves PowerShell commands, batch files, and Python scripts to download and execute the XWorm payload. The infection process includes d…
xworm
python
powershell
keylogging
lnk file
shellcode injection
multi-stage infection
2024-12-04
Published: December 4, 2024
Downloadable IOCs: 0

Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape

Proofpoint researchers have identified a surge in the ClickFix social engineering technique across the threat landscape. This technique uses dialogue boxes with fake error messages to trick users into copying, pasting, and running malicious content on their computers. Multiple threat actors are emp…
xworm
phishing
social engineering
powershell
darkgate
lumma stealer
asyncrat
danabot
latrodectus
netsupport
cybersecurity
clickfix
threat actors
brute ratel c4
2024-11-18
malware delivery
lucky volunteer
recaptcha phish
threat landscape
Published: November 18, 2024
Downloadable IOCs: 0

Attack On Maritime & Defense Manufacturing

The DONOT APT group has launched a campaign targeting Pakistan's manufacturing industry supporting maritime and defense sectors. The attack uses a malicious LNK file disguised as an RTF, which executes PowerShell commands to deliver a lure document and stager malware. The malware establishes persis…
apt
powershell
pakistan
persistence
encryption
defense
lnk file
maritime
2024-11-15
stager
manufacturing
Published: November 15, 2024
Downloadable IOCs: 0

Dissecting A Multi-Stage PowerShell Campaign Using Chisel

A sophisticated multi-stage PowerShell campaign has been identified, utilizing an LNK file to initiate a sequence of obfuscated scripts. The attack maintains persistence and stealth by connecting with a command-and-control server. It employs Chisel, a fast TCP/UDP tunneling tool, and a Netskope pro…
powershell
persistence
lateral movement
lnk file
multi-stage
command-and-control
2024-11-12
chisel
Published: November 12, 2024
Downloadable IOCs: 17

New Ymir ransomware discovered used together with RustyStealer | Securelist

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The r…
ransomware
powershell
encryption
incident response
chacha20
systembc
2024-11-11
rustystealer
ymir
Published: November 11, 2024
Downloadable IOCs: 12

New Ymir ransomware discovered used together with RustyStealer

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The r…
ransomware
powershell
encryption
incident response
chacha20
systembc
2024-11-11
rustystealer
ymir
Published: November 11, 2024
Downloadable IOCs: 0

Hello again, FakeBat: popular loader returns after months-long hiatus

FakeBat, a loader previously known as Eugenloader and PaykLoader, has resurfaced after a three-month absence. The malware was distributed through a malicious Google ad impersonating the productivity application Notion. The attack chain involves a tracking template, cloaking domain, and a decoy site…
loader
obfuscation
malvertising
powershell
lummac2
stealer
fakebat
google ads
brand impersonation
2024-11-11
Published: November 11, 2024
Downloadable IOCs: 19

New Campaign Uses Remcos RAT to Exploit Victims

A phishing campaign utilizing Remcos RAT has been detected. The attack begins with an email containing a malicious Excel document that exploits CVE-2017-0199. When opened, it downloads and executes an HTA file, which in turn downloads and runs a malicious EXE. This EXE uses PowerShell to load and e…
rat
phishing
powershell
remcos
CVE-2017-0199
process hollowing
2024-11-08
Published: November 8, 2024
Downloadable IOCs: 2

Analysis of AsyncRAT's Infection Tactics via Open Directories

This analysis explores two distinct methods used to infect systems with AsyncRAT through open directories. The first technique involves a multi-stage process using various obfuscated scripts (VBS, BAT, PowerShell) and disguised files to download and execute the AsyncRAT payload. The second method e…
obfuscation
powershell
asyncrat
remote access trojan
multi-stage infection
2024-11-07
vbs
scheduled tasks
bat
open directories
Published: November 7, 2024
Downloadable IOCs: 15

Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign

A new Gootloader variant has been discovered using search engine optimization (SEO) poisoning to target Australian Bengal cat enthusiasts. The campaign uses Google search results for 'Are Bengal Cats legal in Australia?' to deliver malicious payloads. When users click on compromised links, a zip fi…
powershell
seo poisoning
javascript
gootloader
scheduled task
initial access
2024-11-06
gootkit
Published: November 6, 2024
Downloadable IOCs: 14

InfoStealer Malware Attacking Meta Business Page To Steal Logins

A sophisticated malvertising campaign is distributing the SYS01 infostealer malware through Meta's advertising platform. The attackers impersonate trusted brands and popular software, targeting primarily senior male demographics. The malware, designed to steal personal data and credentials, is dist…
malvertising
powershell
infostealer
persistence
electron
credential theft
sys01
meta
social media
2024-11-04
Published: November 4, 2024
Downloadable IOCs: 26

Strela Stealer Targets Europe Stealthily Via WebDav

Strela Stealer, first identified by DCSO in late 2022, is a type of information-stealing malware primarily designed to exfiltrate email account credentials from widely used email clients, including Microsoft Outlook and Mozilla Thunderbird. This malware initially targeted Spanish-speaking users thr…
phishing
powershell
infostealer
dll file
webdav
2024-10-30
javascript code
zip file
webdav server
strela
Published: October 30, 2024
Downloadable IOCs: 103

Unauthorized RDP Connections For Cyberespionage Operations

Cyble Research and Intelligence Labs uncovered an ongoing cyberattack campaign utilizing malicious LNK files to gain unauthorized Remote Desktop access on compromised systems. The sophisticated multi-stage attack chain employs PowerShell and BAT scripts to evade detection, create administrative acc…
powershell
persistence
credential theft
cyberespionage
rdp
multi-stage attack
uac bypass
2024-10-26
bat scripts
chromepass
Published: October 26, 2024
Downloadable IOCs: 0

Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA

Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
powershell
cryptocurrency
lumma stealer
information-stealing
data exfiltration
fileless
maas
process hollowing
fake captcha
2024-10-21
Published: October 21, 2024
Downloadable IOCs: 23

Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign

Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…
social engineering
powershell
windows
rhadamanthys
stealer
macos
infostealers
stealc
clickfix
2024-10-18
google meet
atomic
Published: October 18, 2024
Downloadable IOCs: 0

Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA

A zero-day vulnerability exploited by an advanced adversary to gain access to a victim’s network, according to research by FortiGuard Labs and the Centre for Strategic Intelligence (CISA).
rootkit
powershell
lockbit
attack
service
malicious
web shell
2024-10-15
threat actor
zero-day vulnerability
csa appliance
cve20248190
zero
life
Published: October 15, 2024
Downloadable IOCs: 17

HijackLoader evolution: abusing genuine signing certificates

A report by HarfangLab EDR and MITRE ATT&CK on the threat posed by the Lumma Stealer malware, published on 11 October, 2024, outlines the tactics used to deploy the malware.
loader
powershell
lumma stealer
infection chain
dll sideloading
hijackloader
installer
path
samples
lumma
2024-10-15
zip archive
sha256
fake captcha
harfanglab edr
hider
gate
Published: October 15, 2024
Downloadable IOCs: 69

Malware by the (Bit)Bucket: Uncovering AsyncRAT

A sophisticated attack campaign using Bitbucket as a legitimate platform to deliver AsyncRAT has been uncovered. The multi-stage approach involves a VBScript obfuscation layer, followed by a PowerShell payload delivery mechanism, and culminates in the execution of AsyncRAT. The attackers exploit Bi…
obfuscation
rat
powershell
asyncrat
vbscript
.net
2024-10-10
bitbucket
Published: October 10, 2024
Downloadable IOCs: 0

Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines

Over the past year, the delivery of Lua malware appears to have undergone simplification, possibly to reduce exposure to detection mechanisms. The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily.
ransomware
powershell
redline
lua script
compiler
redline stealer
2024-10-09
morphisec
lua malware
lua loader
c2 lua
windows servers
linux server
prometheus
crypter
Published: October 9, 2024
Downloadable IOCs: 18

Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware

A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
obfuscation
xworm
phishing
python
powershell
asyncrat
webdav
2024-10-04
shellcode injection
trycloudflare
Published: October 4, 2024
Downloadable IOCs: 15

PowerShell Keylogger

A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It im…
powershell
proxy
keylogger
2024-09-04
screen capture
Published: September 4, 2024
Downloadable IOCs: 3

Exploring AsyncRAT and Infostealer Plugin Delivery Through…

This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
phishing
powershell
infostealer
asyncrat
vbscript
2024-09-02
process hollowing
cryptocurrency wallets
browser data theft
Published: September 2, 2024
Linked vulnerabilities : CVE-2024-7593 (CVSS 9.8), CVE-2024-28986
Downloadable IOCs: 8

Analyzing the Mekotio Trojan

The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…
malware
obfuscation
powershell
persistence
trojan
2024-08-30
mekotio trojan
Published: August 30, 2024
Downloadable IOCs: 2

Decoding the Stealthy Memory-Only Malware

This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
malware
obfuscation
powershell
infostealer
cryptbot
javascript
2024-08-23
lummac.v2
shadowladder
Published: August 23, 2024
Downloadable IOCs: 23

Report on Ukraine government attack campaign

Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
malware
powershell
data theft
ukraine
exfiltration
government
spectr
2024-08-23
firmachagent
Published: August 23, 2024
Downloadable IOCs: 33

Multiple Malware Dropped Through MSI Package

An analysis reveals the distribution of malware through an MSI package, specifically SectopRat and Redline stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…
powershell
stealer
persistence
dropper
redline
c2
2024-08-14
sectoprat
Published: August 14, 2024
Downloadable IOCs: 11

Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell

The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…
phishing
ransomware
powershell
fileless
2024-08-07
cronus
Published: August 7, 2024
Downloadable IOCs: 8

Detecting evolving threats: NetSupport RAT campaign

This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
obfuscation
rat
malvertising
powershell
persistence
netsupport rat
2024-08-02
Published: August 2, 2024
Downloadable IOCs: 3

Distribution of AsyncRAT Disguised as Ebook

This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …
obfuscation
powershell
persistence
trojan
asyncrat
2024-07-10
Published: July 10, 2024
Downloadable IOCs: 5

Kimsuky Group’s New Backdoor (HappyDoor)

This report provides a detailed analysis of the HappyDoor malware, a new backdoor utilized by the Kimsuky threat group known for targeting organizations with spear-phishing attacks. The malware employs sophisticated techniques like self-duplication, hidden execution paths, and encrypted communicati…
powershell
keylogger
happydoor
2024-07-08
pebbledash
alphaseed
infostealing
regsvr32
Published: July 8, 2024
Downloadable IOCs: 7

Turla: A Master of Deception

This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
backdoor
evasion
powershell
2024-07-08
snake
msbuild
fileless
uroburos
Published: July 8, 2024
Downloadable IOCs: 10

ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America

This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
python
powershell
CVE-2021-34473
2024-07-05
proxyshell
CVE-2021-31207
CVE-2021-34523
microsoft exchange
Published: July 5, 2024
Downloadable IOCs: 4

Malvertising Campaign Leads to Execution of Oyster Backdoor

Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
malware
powershell
persistence
execution
malicious
python script
2024-06-24
lnk file
schtasks
json
microsoft teams
temp directory
http post
oyster main
Published: June 24, 2024
Downloadable IOCs: 13

AdsExhaust, a Newly Discovered Adware MasqueradingOculus…

In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
phishing
powershell
c2 server
download
2024-06-24
urls
adsexhaust
Published: June 24, 2024
Downloadable IOCs: 17

FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy

This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
malware
apt
powershell
2024-06-19
poison ivy
poisonivy
geocities
encodedpayload
breut
darkmoon
Published: June 19, 2024
Downloadable IOCs: 5

From Clipboard to Compromise: A PowerShell Self-Pwn

This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
malware
social engineering
powershell
xmrig
darkgate
lumma stealer
matanbuchus
2024-06-17
netsupport
malicious script
jaskago
compromise
amadey loader
vidar stealer
Published: June 17, 2024
Downloadable IOCs: 14

APT Attacks Using Cloud Storage

The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
apt
dropbox
powershell
cloud
2024-06-11
xenorat
Published: June 11, 2024
Downloadable IOCs: 1

Warning Against Phishing Emails Prompting Execution of Commands via Paste

This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
phishing
powershell
darkgate
malicious
2024-06-06
emails
commands
Published: June 6, 2024
Downloadable IOCs: 15

Decoding Water Sigbin's Latest Obfuscation Tricks

The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…
powershell
2024-05-30
exploits
CVE-2023-21839
cryptocoin miner
CVE-2017-3506
Published: May 30, 2024
Linked vulnerabilities : CVE-2023-21839, CVE-2017-3506
Downloadable IOCs: 9

Gootloader walkthrough

The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
social engineering
powershell
seo poisoning
javascript
2024-05-24
gootloader
Published: May 24, 2024
Downloadable IOCs: 12

Spring Exacerbation: UAC-0006 increased cyberattacks

This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
powershell
ukraine
2024-05-22
smokeloader
uac-0006
taleshot
Published: May 22, 2024
Downloadable IOCs: 31

Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware

Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
phishing
powershell
cloud
2024-05-22
vbscript
cloud#reverser
Published: May 22, 2024
Downloadable IOCs: 16

Exploring the Metamorfo Banking Trojan

This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
powershell
html
casbaneiro
metamorfo
2024-05-17
autoit
appdata
script file
deobfuscating
script
Published: May 17, 2024
Downloadable IOCs: 39

Mallox ranomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns

A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to that of the PureCrypter ransomware.
powershell
plugx
ransom
mallox
purecrypter
2024-05-09
2024-05-14
bitcoin
trigona
mssql
mssql server
maestro
as208091
mallox raas
unsafe
shutdown
clr sqlshell
sqlshell
xollam
link http
2024-05-10
Published: May 14, 2024
Downloadable IOCs: 10

Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself

Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
powershell
cobalt strike
icedid
sharefinder
lsass
javascript file
amazon
usps
dns query
dll file
Published: April 29, 2024
Downloadable IOCs: 34

From IcedID to Dagon Locker Ransomware in 29 Days

This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
powershell
cobalt strike
anydesk
icedid
adfind
rclone
shell
encrypted
discovery
domain account
access token
manipulation
utility
modify system
aws collector
prometheustds
seatbelt
sharefinder
Published: April 29, 2024
Downloadable IOCs: 33
Click here to see more Attack Reports