SecuriTricks - powershell

Unraveling Water Saci's New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp

The Water Saci campaign in Brazil is using advanced techniques to deliver banking trojans through WhatsApp. The attack chain involves various file formats and scripting languages, designed to bypass detection and increase analysis complexity. Attackers have transitioned from PowerShell to Python fo…

backdoor

python

Published: December 2, 2025

Downloadable IOCs: 18

The 'Bear' attacks: what we learned about the phishing campaign targeting Russian organizations

A hacking group named NetMedved has been conducting phishing attacks against Russian organizations since October 2025. The campaign uses malicious LNK files disguised as business documents to deliver NetSupport RAT malware. The attackers employ various techniques including PowerShell scripts, finge…

Published: November 26, 2025

Downloadable IOCs: 38

Water APT Multi-Stage Attack Uncovered

A sophisticated multi-stage attack attributed to the Water Gamayun APT group has been analyzed. The attack begins with a compromised legitimate website redirecting to a lookalike domain, delivering a double-extension RAR payload disguised as a PDF. This payload exploits the MSC EvilTwin vulnerabili…

Published: November 26, 2025

Linked vulnerabilities : CVE-2025-26633 (CVSS 7.0)

Downloadable IOCs: 4

Stories from the SOC: Mystery of the postponed proxyware install

A suspicious PowerShell alert led to the discovery of an attack chain aimed at installing proxyware on a compromised system. The infection originated from a disk-cleaning utility installed three days prior, which included malicious scripts and established a connection to a C2 server. The attack uti…

unauthorized software

disk-cleaning utility

Published: November 24, 2025

Downloadable IOCs: 5

Kimsuky's Ongoing Evolution of KimJongRAT and Expanding Threats

This analysis examines the latest attack flow of the KimJongRAT variant, attributed to the North Korean threat actor Kimsuky. The malware has evolved to include both PE-based and PowerShell-based attack chains, which have been merged into a single workflow. The attackers use phishing emails for ini…

Published: November 24, 2025

Downloadable IOCs: 9

New Tools and Techniques of ToddyCat APT

The ToddyCat APT group has evolved its methods to gain covert access to corporate email. The report details their use of PowerShell-based TomBerBil for extracting browser data, TCSectorCopy for copying Outlook OST files, and attempts to steal OAuth tokens from Microsoft 365 processes. These tools a…

Published: November 21, 2025

Downloadable IOCs: 0

The Tsundere botnet uses the Ethereum blockchain to infect its targets

The Tsundere botnet, discovered in mid-2025, is an active threat targeting Windows users. It utilizes the Ethereum blockchain to retrieve C2 addresses and employs Node.js for its operations. The botnet spreads through MSI installers and PowerShell scripts, often disguised as popular games. It uses …

Published: November 20, 2025

Downloadable IOCs: 21

Sophisticated Tuoni C2 Attack on U.S. Real Estate Firm Thwarted

In October 2025, a major U.S. real estate company was targeted by a highly advanced cyberattack using the emerging Tuoni C2 framework. The attack, which showed signs of AI assistance in code generation, was neutralized by Morphisec's Automated Moving Target Defense (AMTD) technology. The campaign l…

Published: November 19, 2025

Downloadable IOCs: 4

EVALUSION Campaign Delivers Amatera Stealer and NetSupport...

The eSentire Threat Response Unit identified a malware campaign using ClickFix as an initial access vector to deploy Amatera Stealer and NetSupport RAT. Amatera Stealer is a rebranded version of ACR Stealer, with advanced evasion techniques like WoW64 SysCalls to bypass security solutions. It targe…

Published: November 18, 2025

Downloadable IOCs: 1

A Closer Look at Outlook Macros and More

The analysis examines NotDoor, a backdoor utilizing Outlook macros for persistence and lateral movement. It stages files in C:\ProgramData, employing DLL sideloading with OneDrive.exe. The malware creates directories, executes encoded PowerShell commands, and modifies registry entries to enable mac…

registry modification

outlook macros

Published: November 15, 2025

Downloadable IOCs: 0

Analyzing the Link Between Two Evolving Brazilian Banking Trojans

This intelligence report examines the connection between two Brazilian banking trojans, Maverick and Coyote. The malware spreads through WhatsApp, using a multi-stage attack that begins with a malicious LNK file. Both trojans share similarities in their infection methods, targeting Brazilian users …

Published: November 12, 2025

Downloadable IOCs: 9

Operation Peek-a-Baku: Silent Lynx APT Targets Dushanbe with Espionage Campaign

The Silent Lynx APT group has been conducting espionage campaigns targeting Central Asian nations, Russia, China, and Azerbaijan. Two main campaigns were identified: one focusing on Russia-Azerbaijan relations and another on China-Central Asia relations. The group uses various malware including Pow…

Published: November 5, 2025

Downloadable IOCs: 0

Evasion and Persistence via Hidden Hyper-V Virtual Machines

This investigation uncovered new tools and techniques used by the Curly COMrades threat actor to establish covert, long-term access to victim networks. The attackers exploited Hyper-V virtualization on compromised Windows 10 machines to create hidden remote operating environments. They deployed a m…

Published: November 5, 2025

Downloadable IOCs: 4

Operation Peek-a-Baku: APT Targets Dushanbe with Espionage Campaign

The Silent Lynx APT group has been conducting espionage campaigns targeting diplomatic entities and critical infrastructure in Central Asia, Russia, and China. Two major campaigns were identified: one focused on Russia-Azerbaijan relations and another on China-Central Asia relations. The group used…

Published: November 3, 2025

Downloadable IOCs: 33

Operation SkyCloak: Tor Campaign targets Military of Russia & Belarus

A sophisticated campaign targeting Russian and Belarusian military personnel has been identified, using multi-stage infection chains and decoy documents. The attackers deploy OpenSSH and Tor bridges to establish covert remote access and lateral movement capabilities. The infection process involves …

Published: October 31, 2025

Downloadable IOCs: 12

Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation

A coordinated spearphishing campaign targeted NGOs and Ukrainian government administrations involved in war relief efforts. The attack used emails impersonating the Ukrainian President's Office with weaponized PDFs, employing a fake Cloudflare captcha page to execute malware. The final payload was …

Published: October 22, 2025

Downloadable IOCs: 24

PhantomCaptcha: Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation

A coordinated spearphishing campaign targeted NGOs and Ukrainian government administrations involved in war relief efforts. The attack used emails impersonating the Ukrainian President's Office with weaponized PDFs, employing a fake Cloudflare captcha page to execute malware. The final payload was …

Published: October 22, 2025

Downloadable IOCs: 0

APT Meets GPT: Targeted Operations with Untamed LLMs

Over the course of three months, Volexity observed UTA0388 using various themes and fictional identities across dozens of spear phishing campaigns. As time passed, Volexity observed UTA0388 broaden their targeting and send emails in a variety of different languages, including English, Chinese, Japa…

Published: October 8, 2025

Downloadable IOCs: 41

Shuyal Stealer: Advanced Infostealer Targeting 19 Browsers

Shuyal Stealer is a sophisticated infostealer malware targeting 19 different browsers. It conducts deep system reconnaissance, collecting detailed hardware information and user data. The malware disables Windows Task Manager, ensures persistence through startup folder insertion, and exfiltrates sto…

system reconnaissance

Published: October 8, 2025

Downloadable IOCs: 1

XWorm V6: Exploring Pivotal Plugins

Since the release of XWorm V6.0 on June 4, 2025, we have noted a surge in samples identified as XWorm V6.0 on VirusTotal, reflecting its rapid adoption by threat actors. One prominent campaign illustrates its delivery: a malicious JavaScript (JS) file initiates a PowerShell (PS1) script, which depl…

Published: October 6, 2025

Downloadable IOCs: 22

Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users | Trend Micro (US)

SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments. Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more…

Published: October 6, 2025

Downloadable IOCs: 23

Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users

SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments. Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more…

Published: October 6, 2025

Downloadable IOCs: 0

Analysis: AI-powered Ransomware from APT Group

FunkLocker, a ransomware strain developed by the FunkSec APT group, showcases the growing trend of AI-assisted malware creation. The ransomware exhibits inconsistent quality across multiple builds, with some versions incorporating advanced features like anti-VM checks. It aggressively disrupts syst…

Published: October 2, 2025

Downloadable IOCs: 1

Updates Arsenal with BAITSWITCH and SIMPLEFIX

A new multi-stage ClickFix campaign, attributed to the Russia-linked APT group COLDRIVER, has been discovered targeting Russian civil society members. The campaign employs social engineering techniques to trick users into executing malicious commands, leading to the deployment of two new malware fa…

Published: September 24, 2025

Downloadable IOCs: 0

NodeJS backdoors delivering proxyware and monetization schemes

This report details a campaign involving NodeJS backdoors used to distribute proxyware and monetization schemes. The attackers employ Inno setup installers to drop PowerShell scripts that download and execute NodeJS packages with malicious JavaScript. The backdoors collect system information, commu…

Published: September 24, 2025

Downloadable IOCs: 0

CountLoader: New Malware Loader Being Served in 3 Different Versions

A new malware loader named CountLoader has been identified, strongly associated with Russian ransomware gangs. It comes in three versions: .NET, PowerShell, and JScript. The threat is believed to be part of an Initial Access Broker's toolset or used by a ransomware affiliate linked to LockBit, Blac…

initial access broker

adaptixc2

2025-09-19

countloader

Published: September 19, 2025

Downloadable IOCs: 27

AppSuite, OneStart & ManualFinder: The Nexus of Deception

This analysis reveals connections between three seemingly distinct malicious programs: AppSuite, OneStart, and ManualFinder. The investigation uncovers shared server infrastructure and similar installation patterns, indicating that these programs are likely created by the same threat actor. OneStar…

Published: September 16, 2025

Downloadable IOCs: 0

August 2025 APT Attack Trends Report

In August 2025, APT attacks in South Korea primarily utilized spear phishing techniques, with LNK files being the most prevalent method. Two main types of attacks were observed: Type A, which used compressed CAB files containing malicious scripts for information exfiltration and additional malware …

Published: September 16, 2025

Downloadable IOCs: 5

Deconstructing a Cyber Deception: An Analysis of the Clickfix HijackLoader Phishing Campaign

This analysis delves into the HijackLoader malware campaign, which has gained prominence since 2023 for its sophisticated payload delivery and evasion techniques. The campaign initiates with a CAPTCHA-based phishing attack, progressing through multiple stages of obfuscated PowerShell scripts. It em…

Published: September 12, 2025

Downloadable IOCs: 14

Malware Campaign Leverages SVGs, Email Attachments, and CDNs to Drop XWorm and Remcos via BAT Scripts

A sophisticated malware campaign has been uncovered that utilizes various techniques to deliver Remote Access Trojans (RATs) such as XWorm and Remcos. The attack chain begins with a ZIP archive, often hosted on trusted platforms like ImgKit, containing obfuscated BAT scripts. These scripts execute …

Published: September 11, 2025

Downloadable IOCs: 2

Operation BarrelFire: Targeting Kazakhstan Oil & Gas

A threat group dubbed NoisyBear has been targeting Kazakhstan's oil and gas sector since April 2025. The campaign focuses on KazMunaiGas employees, using spear-phishing emails with malicious attachments. The infection chain involves a ZIP file containing a malicious LNK file and decoy document, whi…

Published: September 5, 2025

Downloadable IOCs: 14

Analysis of APT-C-53 (Gamaredon) Attack on Ukrainian Government Agencies

APT-C-53, also known as Gamaredon, is a Russian state-sponsored threat group active since 2013, targeting Ukrainian government and military entities. The group has upgraded its attack techniques, focusing on dynamic cloud-based C2 infrastructure and targeted delivery of cloud storage tools. In 2025…

Published: September 1, 2025

Downloadable IOCs: 11

Operation HanKook Phantom: Spear-Phishing Campaign

APT37, a North Korean state-backed cyber espionage group, has launched a sophisticated spear-phishing campaign targeting South Korean government sectors, research institutions, and academics. The attackers use malicious LNK files disguised as legitimate documents to deliver a multi-stage infection …

Published: August 29, 2025

Downloadable IOCs: 0

Threat Actor Profile: Interlock Ransomware

Interlock, a relatively new ransomware group first observed in September 2024, has gained prominence in 2025 as an opportunistic ransomware operator. Unlike traditional Ransomware-as-a-Service models, Interlock operates without affiliates or public advertisements. The group conducts double extortio…

Published: August 15, 2025

Downloadable IOCs: 24

What happened in Vegas (that you actually want to know about)

This article recaps key highlights from Black Hat USA, including Joe Marshall's live incident-response exercise using the Backdoors & Breaches card game, Amy Chang's research on bypassing AI guardrails through 'decomposition', and Philippe Laulheret's ReVault presentation on vulnerabilities in embe…

Published: August 14, 2025

Linked vulnerabilities : CVE-2025-6543 (CVSS 9.2)

Downloadable IOCs: 3

When Hackers Call: Social Engineering, Abusing Brave Support, and EncryptHub's Expanding Arsenal

EncryptHub, an emerging threat group, has launched a campaign combining social engineering with exploitation of CVE-2025-26633 to deliver malicious payloads. The attackers impersonate IT support staff, use remote desktop sessions, and execute PowerShell commands to deploy malware. The campaign abus…

Published: August 14, 2025

Linked vulnerabilities : CVE-2025-26633 (CVSS 7.0)

Downloadable IOCs: 16

Silent Watcher: Dissecting Cmimai Stealer's VBS Payload

A VBS-based infostealer called Cmimai Stealer has emerged, targeting Windows systems since June 2025. It collects system information, browser metadata, and screenshots, exfiltrating data via Discord webhooks. The malware uses PowerShell scripts for browser data collection and screen capture, runnin…

Published: August 13, 2025

Downloadable IOCs: 0

CastleLoader Analysis

CastleLoader, a versatile malware loader, has infected 469 devices since May 2025 using Cloudflare-themed ClickFix phishing and fake GitHub repositories. It delivers information stealers and RATs, with a 28.7% infection rate. The malware employs sophisticated techniques, including PowerShell and Au…

Published: August 13, 2025

Downloadable IOCs: 0

Malvertising campaign leads to PS1Bot, a multi-stage malware framework

A malware campaign utilizing malvertising has been distributing PS1Bot, a sophisticated multi-stage framework implemented in PowerShell and C#. PS1Bot features modular design, enabling information theft, keylogging, reconnaissance, and persistent system access. The malware minimizes artifacts and u…

Published: August 12, 2025

Downloadable IOCs: 0

From ClickFix to Command: A Full PowerShell Attack Chain

A targeted intrusion campaign impacting Israeli organizations has been identified, leveraging compromised internal email infrastructure to distribute phishing messages. The attack uses a multi-stage, PowerShell-based infection chain, culminating in the delivery of a remote access trojan (RAT). Key …

Published: August 11, 2025

Downloadable IOCs: 0

CoinMiner Attacks Exploiting GeoServer Vulnerability

A critical remote code execution vulnerability (CVE-2024-36401) in GeoServer has been actively exploited by threat actors to install CoinMiner malware. The attacks target both Windows and Linux environments with unpatched GeoServer installations. In South Korea, attackers exploited the vulnerabilit…

remote code execution

Published: August 8, 2025

Downloadable IOCs: 4

Unveiling a New Variant of the DarkCloud Campaign

A new DarkCloud campaign was observed in July 2025, targeting Windows users with a sophisticated infection chain. The attack begins with a phishing email containing a RAR archive, which leads to the execution of obfuscated JavaScript and PowerShell code. This code downloads and deploys a fileless .…

Published: August 8, 2025

Downloadable IOCs: 2

From Reconnaissance to Control: The Operational Blueprint of Kimsuky APT for Cyber Espionage

This report details a cyber-espionage campaign attributed to Kimsuky, a North Korean APT group, targeting South Korean entities. The attack uses malicious Windows shortcut files as initial access, followed by obfuscated scripts and a sophisticated malware framework. The malware performs extensive s…

Published: August 7, 2025

Downloadable IOCs: 0

Sealed Chain of Deception: Actors leveraging Node.JS to Launch JSCeal

A sophisticated malware campaign called JSCEAL is targeting cryptocurrency users through fake apps impersonating popular trading platforms. The attackers use malicious ads to lure victims into downloading installers that deploy a multi-stage infection chain. This includes PowerShell scripts for pro…

Published: July 31, 2025

Downloadable IOCs: 268

LNK Trojan delivers REMCOS

This report details a multi-stage malware campaign delivering the REMCOS backdoor via a malicious Windows LNK shortcut file. The attack begins with social engineering, leveraging PowerShell for initial execution and deploys a persistent backdoor capable of full system compromise. The infection chai…

Published: July 30, 2025

Downloadable IOCs: 8

Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode

The Arctic Wolf Labs team has uncovered a new cyber-espionage campaign by the Dropping Elephant APT group targeting Turkish defense contractors. The attack leverages a five-stage execution chain delivered via malicious LNK files disguised as conference invitations. It uses legitimate binaries like …

dropping elephant rat

Published: July 23, 2025

Linked vulnerabilities : CVE-2025-5777 (CVSS 9.3), CVE-2025-20337 (CVSS 10.0), CVE-2025-53770 (CVSS 9.8)

Downloadable IOCs: 10

Fix the Click: Preventing the ClickFix Attack Vector

This article discusses the rising threat of ClickFix, a social engineering technique used by threat actors to trick victims into executing malicious commands under the guise of quick fixes for computer issues. The technique has been observed in campaigns distributing various malware, including NetS…

Published: July 10, 2025

Downloadable IOCs: 65

Digging Gold with a Spoon – Resurgence of Monero-mining Malware

A resurgence of malware deploying XMRig cryptominer was discovered in mid-April 2025, coinciding with a rally in Monero cryptocurrency value. The malware uses a multi-staged approach and LOLBAS techniques, leveraging Windows tools like PowerShell for payload delivery, detection evasion, and persist…

windows defender evasion

2025-07-07

Published: July 7, 2025

Downloadable IOCs: 4

BERT Ransomware Group Targets Asia and Europe on Multiple Platforms

A newly emerged ransomware group called BERT has been targeting organizations across Asia and Europe since April. The group employs simple code with effective execution, impacting sectors such as healthcare, technology, and event services. BERT's ransomware operates on both Windows and Linux platfo…

Published: July 7, 2025

Downloadable IOCs: 9

Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset

Throughout 2024, Gamaredon focused exclusively on targeting Ukrainian governmental institutions with spearphishing campaigns and weaponized USB drives. The group developed six new tools and significantly updated existing ones, improving stealth and evasion capabilities. Gamaredon increased the scal…

Published: July 4, 2025

Downloadable IOCs: 53

Analysis of the threat case of kimsuky group using 'ClickFix' tactic

The Kimsuky group has adopted a deceptive tactic called 'ClickFix' to trick users into unknowingly participating in attack chains. This method involves disguising malicious instructions as troubleshooting guides or security document verification procedures. The campaign is believed to be an extensi…

Published: July 2, 2025

Downloadable IOCs: 40

BERT RANSOMWARE - THE RAVEN FILE

BERT Ransomware, active since March 2025, has expanded its operations to target both Windows and Linux environments. The group uses phishing for initial access and communicates via the dark web and Sessions for negotiations. Victims span multiple countries, primarily affecting service and manufactu…

Published: June 20, 2025

Downloadable IOCs: 11

Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation

This article analyzes two new variants of the KimJongRAT stealer: a Portable Executable (PE) variant and a PowerShell implementation. Both variants use a multi-stage infection process, starting with a Windows shortcut (LNK) file that downloads a dropper from a content delivery network. The PE varia…

powershell

cryptocurrency

stealer

multi-stage infection

browser extensions

2025-06-17

kimjongrat

content delivery network

Published: June 17, 2025

Downloadable IOCs: 0

Fileless AsyncRAT Distributed Via Clickfix Technique Targeting German Speaking Users

A fileless AsyncRAT campaign is targeting German-speaking users through Clickfix-themed websites. The attack uses a fake 'I'm not a robot' prompt to execute malicious PowerShell code, which downloads and runs obfuscated C# code in memory. This technique enables full remote access, credential theft,…

Published: June 16, 2025

Downloadable IOCs: 0

More Steganography!

A malicious Excel file using steganography was analyzed, revealing embedded XLS sheets and a complex infection chain. The file downloads an HTA file that creates a BAT file, which in turn generates and executes a VBS file. The VBS file fetches a VBA script that creates and runs a PowerShell script.…

Published: June 14, 2025

Downloadable IOCs: 0

Analysis of the Triple Combo Threat of the Kimsuky Group

The Genians Security Center (GSC) detected an APT (Advanced Persistent Threat) campaign targeting users of Facebook, email, and Telegram in Korea between March and April 2025. The threat actor explored reconnaissance and selected attack targets through two Facebook accounts.

Published: June 11, 2025

Downloadable IOCs: 14

Operation Phantom Enigma

A malicious campaign targeting primarily Brazilian residents has been discovered, with attacks detected since early 2025. The attackers employed phishing emails, some sent from compromised company servers, to distribute malware. Two attack chains were identified: one using a malicious browser exten…

Published: June 5, 2025

Downloadable IOCs: 0

Cybercriminals camouflaging threats as AI tool installers

Cybercriminals are exploiting the popularity of AI by distributing malware disguised as AI solution installers. Three threats have been identified: CyberLock ransomware, Lucky_Gh0$t ransomware, and a newly discovered destructive malware called Numero. CyberLock, developed using PowerShell, encrypts…

Published: June 5, 2025

Downloadable IOCs: 20

Chasing Eddies: New Rust-based InfoStealer used in CAPTCHA campaigns

A novel Rust-based infostealer called EDDIESTEALER has been discovered, distributed through fake CAPTCHA campaigns. The malware uses deceptive verification pages to trick users into executing a malicious PowerShell script, which deploys the infostealer. EDDIESTEALER targets sensitive data including…

Published: May 29, 2025

Downloadable IOCs: 27

Russian Unit 26165 Targets Western Logistics and Technology Companies

Chihuahua Infostealer is a sophisticated .NET-based malware discovered in April 2025, targeting browser credentials and cryptocurrency wallet data. It employs multi-stage delivery through obfuscated PowerShell scripts, often using trusted platforms like Google Drive for initial distribution. The ma…

chihuahua infostealer

browser-data-theft

.net-malware

Published: May 27, 2025

Downloadable IOCs: 10

Caught in the CAPTCHA: How ClickFix is Weaponizing Verification Fatigue to Deliver RATs & Infostealers

Threat actors are exploiting user fatigue with anti-spam mechanisms through a technique called ClickFix. This method involves compromising websites and embedding fraudulent CAPTCHA images, which, when solved by unsuspecting users, lead to the execution of malicious code. The attack chain typically …

Published: May 22, 2025

Downloadable IOCs: 10

Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT

A new PowerShell-based shellcode loader has been discovered, designed to execute a variant of Remcos RAT. The attack chain begins with malicious LNK files in ZIP archives, using mshta.exe for initial execution. The loader employs fileless techniques, executing code directly in memory to evade tradi…

Published: May 15, 2025

Downloadable IOCs: 5

Excel(ent) Obfuscation: Regex Gone Rogue

A new Excel-based attack technique leverages recently introduced regex functions for advanced code obfuscation. The proof-of-concept demonstrates how malicious actors can use REGEXEXTRACT to hide PowerShell commands within large text blocks, significantly reducing antivirus detection rates. This me…

Published: May 15, 2025

Downloadable IOCs: 3

New 'Chihuahua Stealer' Targets Browser Data and Crypto Wallets

A novel infostealer named Chihuahua Stealer has been detected, blending standard malware techniques with advanced features. This .NET-based malware employs a multi-stage PowerShell script infection process, utilizing Base64 encoding, hex-string obfuscation, and scheduled tasks for persistence. It t…

powershell

infostealer

.net

multi-stage infection

Published: May 14, 2025

Downloadable IOCs: 2

TA406 Pivots to the Front

In February 2025, TA406, a North Korean state-sponsored actor, began targeting Ukrainian government entities with phishing campaigns aimed at gathering intelligence on the Russian invasion. The group utilized freemail senders impersonating think tank members to deliver both credential harvesting at…

credential harvesting

Published: May 13, 2025

Downloadable IOCs: 11

A New Breed of Infostealer

A newly discovered .NET-based infostealer, Chihuahua Stealer, combines common malware techniques with advanced features. The infection begins with an obfuscated PowerShell script shared via Google Drive, initiating a multi-stage payload chain. Persistence is achieved through scheduled tasks, and th…

Published: May 13, 2025

Downloadable IOCs: 8

Russian COLDRIVER Hackers Deploy LOSTKEYS Malware to Steal Sensitive Information

The Google Threat Intelligence Group has identified a sophisticated malware called LOSTKEYS, attributed to the Russian government-backed threat actor COLDRIVER. Active since December 2023, LOSTKEYS represents an evolution in COLDRIVER's toolkit, targeting high-value entities such as NATO government…

multi-stage infection

ngo

lostkeys

2025-05-10

intelligence collection

russian hackers

western governments

Published: May 10, 2025

Downloadable IOCs: 0

COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs

Russian government-backed threat group COLDRIVER has developed a new malware called LOSTKEYS, capable of stealing files and system information. The group targets high-profile individuals, NGOs, and former intelligence officers through credential phishing and malware delivery. LOSTKEYS is delivered …

Published: May 7, 2025

Downloadable IOCs: 0

Lampion Is Back With ClickFix Lures

A highly focused malicious campaign targeting Portuguese organizations, particularly in government, finance, and transportation sectors, has been uncovered. The campaign is linked to Lampion malware, an infostealer focusing on banking information. The threat actors have incorporated ClickFix lures,…

Published: May 6, 2025

Downloadable IOCs: 10

Threat Actors are Targeting US Tax-Session with new Tactics of Stealerium-infostealer

Cybercriminals are exploiting the US tax season to deploy Stealerium malware, targeting citizens through sophisticated phishing campaigns. The attack utilizes deceptive email attachments with malicious LNK files, leading to the execution of PowerShell scripts and the download of a PyInstaller-packa…

Published: April 30, 2025

Downloadable IOCs: 0

Introducing ToyMaker

The initial access broker (IAB), whom Talos calls “ToyMaker” and assesses with medium confidence is a financially motivated threat actor, exploits vulnerable systems exposed to the internet. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. …

initial access broker

Published: April 23, 2025

Downloadable IOCs: 20

DOGE Binary Loader Indicators of Compromise

This intelligence document provides a list of Indicators of Compromise (IoCs) associated with the DOGE Binary Loader. It includes several malicious URLs hosted on the domain 'hilarious-trifle-d9182e.netlify.app' along with their corresponding SHA-256 hashes. The listed files include PowerShell scri…

Published: April 22, 2025

Downloadable IOCs: 0

How Lumma Stealer sneaks into organizations

Lumma Stealer, a sophisticated information-stealing malware, has gained prominence in cybercriminal circles since 2022. It employs various distribution methods, with fake CAPTCHA pages being a notable vector. These pages mimic legitimate services and trick users into executing malicious commands. T…

Published: April 21, 2025

Downloadable IOCs: 15

Two sides of the same coin

This intelligence report analyzes the similarities between two previously separate APT groups, Team46 and TaxOff, concluding they are likely the same entity. The analysis covers their shared tactics, techniques, and procedures, including similar PowerShell commands, loader functionality, and infras…

Published: April 18, 2025

Downloadable IOCs: 0

Shuckworm Targets Foreign Military Mission Based in Ukraine

Russian-linked cyber-espionage group Shuckworm appears to be targeting a Western military mission based in Ukraine, according to research by Symantec and its partner, the UK-based security firm.

Published: April 10, 2025

Downloadable IOCs: 56

ViperSoftX Malware Distributed by Arabic-Speaking Threat Actor

An Arabic-speaking threat actor has been distributing ViperSoftX malware to Korean victims since April 1, 2025. The malware, typically spread through cracked software or torrents, operates as a PowerShell script and communicates with C&C servers. The campaign involves downloading additional malware…

Published: April 10, 2025

Downloadable IOCs: 0

March 2025 APT Group Trends (South Korea)

This intelligence report analyzes Advanced Persistent Threat (APT) attacks in South Korea during March 2025. The majority of attacks were classified as spear phishing, with LNK file distribution being the most prevalent method. Two types of LNK-based attacks were identified: Type A, which uses a CA…

Published: April 10, 2025

Downloadable IOCs: 0

A miner and the ClipBanker Trojan being distributed via SourceForge

A unique malware distribution scheme exploiting SourceForge has been discovered. The attackers create a seemingly legitimate project on sourceforge.net, which automatically generates a sourceforge.io subdomain. This subdomain is then used to host a malicious page that tricks users into downloading …

Published: April 8, 2025

Downloadable IOCs: 0

Russian-Speaking Threat Actor Abuses Cloudflare & Telegram in Phishing Campaign

A Russian-speaking threat actor has launched a new phishing campaign using Cloudflare-branded pages themed around DMCA takedown notices. The attack abuses the ms-search protocol to deliver malicious LNK files disguised as PDFs. Once executed, the malware communicates with a Telegram bot to report t…

Published: April 4, 2025

Downloadable IOCs: 0

Proactive ClickFix Threat Hunting with Hunt.io

ClickFix is a browser-based delivery technique that uses deceptive prompts and clipboard hijacking to trick users into executing malicious commands. Cybercriminals and advanced actors employ this method to deploy malware, primarily information stealers. The technique involves luring users with fake…

browser-based attacks

2025-04-04

clipboard hijacking

Published: April 4, 2025

Downloadable IOCs: 0

Gootloader Returns: Malware Hidden in Google Ads for Legal Documents

The Gootloader malware campaign has evolved its tactics, now using Google Ads to target victims seeking legal templates. The threat actor advertises legal documents, primarily agreements, through compromised ad accounts. Users searching for templates are directed to a malicious website where they a…

Published: April 3, 2025

Downloadable IOCs: 0

Cyber Espionage using PowerShell stealer WRECKSTEEL

Ukrainian government's CERT-UA has identified a series of cyberattacks against government agencies and critical infrastructure facilities in Ukraine during March 2025. The attacks, aimed at information theft, utilize compromised accounts to distribute emails with links to public file services. Thes…

critical infrastructure

2025-04-03

file stealing

wrecksteel

Published: April 3, 2025

Downloadable IOCs: 71

Thunderstruck! Malicious ads for RVTools lead to ThunderShell payload

A security incident involving malicious sponsored ads distributing backdoored administrative tools was detected. Users searching for RVTools were served a tampered version containing ThunderShell, a PowerShell-based remote access tool. The malicious ads, appearing in Google search results, led to a…

Published: April 3, 2025

Downloadable IOCs: 0

Delivering Trojans Via ClickFix Captcha

A new social engineering technique exploiting ClickFix Captcha has emerged as an effective method for delivering various types of malware, including Quakbot. This technique deceives users and bypasses security measures by utilizing a seemingly harmless captcha. The process involves redirecting user…

Published: April 1, 2025

Downloadable IOCs: 0

Analysis: SmokeLoader malware distribution

A malicious campaign targeting First Ukrainian International Bank has been observed using the Emmenhtal loader to distribute SmokeLoader malware. The infection chain begins with a deceptive email containing a 7z archive, which extracts to reveal a bait PDF and a shortcut file. The shortcut download…

Published: March 31, 2025

Downloadable IOCs: 0

A Deep Dive into Water Arsenal and Infrastructure

Water Gamayun, a suspected Russian threat actor, exploits the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) to compromise systems and exfiltrate data. The group uses custom payloads like EncryptHub Stealer variants, SilentPrism and DarkWisp backdoors, as well as known malware like Stealc and…

Published: March 29, 2025

Downloadable IOCs: 0

Gamaredon campaign abuses LNK files to distribute Remcos backdoor

A campaign targeting users in Ukraine with malicious LNK files has been observed since November 2024. The files, using Russian words related to troop movements as lures, run a PowerShell downloader contacting geo-fenced servers in Russia and Germany. The second stage payload uses DLL side loading t…

Published: March 28, 2025

Downloadable IOCs: 0

YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware Attacks

Cybercriminals are targeting YouTube creators with a sophisticated malware campaign using the Clickflix technique. Attackers impersonate popular brands and offer fake collaboration opportunities to lure victims. The campaign employs spearphishing emails with malicious attachments and links to fake …

Published: March 25, 2025

Downloadable IOCs: 5

The rising threat of social engineering through fake fixes

ClickFix is an emerging social engineering tactic that manipulates users into executing malicious actions under the guise of troubleshooting or system maintenance. Attackers present fake error messages, CAPTCHA verifications, or system prompts to convince users to take actions that compromise their…

Published: March 21, 2025

Downloadable IOCs: 4

Fake Cloudflare Verification Results in LummaStealer Trojan Infections

A malicious campaign targeting Windows users through WordPress websites is deploying the LummaStealer trojan. Attackers use fake Cloudflare verification prompts to trick users into running malicious PowerShell commands. The infection is spread through compromised plugins or injected JavaScript in l…

Published: March 20, 2025

Downloadable IOCs: 4

VHDs Used to Distribute VenomRAT and Other Malware

A phishing campaign is utilizing virtual hard disk (VHD) image files to deliver VenomRAT malware. The attack begins with a purchase order-themed email containing a ZIP archive with a VHD file. When opened, the VHD mounts as a drive and executes a heavily obfuscated batch script. This script employs…

Published: March 14, 2025

Downloadable IOCs: 0

APT37 - RokRat

APT37, a North Korean state-sponsored hacking group, has expanded its operations to target users on Windows and Android platforms through phishing campaigns. The group's attack vector involves malicious LNK files distributed via group chat platforms. The infection process begins with phishing email…

Published: March 12, 2025

Downloadable IOCs: 9

Desert Dexter.Attacks on Middle Eastern Countries

A malicious campaign targeting residents of Middle East and North Africa has been discovered, active since September 2024. The attackers create fake news groups on social media and publish posts with links to file-sharing services or Telegram channels containing modified AsyncRAT malware. The malwa…

Published: March 11, 2025

Downloadable IOCs: 2

Unmasking the new persistent attacks on Japan

An unknown attacker has been targeting organizations in Japan since January 2025, exploiting CVE-2024-4577, a remote code execution vulnerability in PHP-CGI on Windows. The attacker uses the Cobalt Strike kit 'TaoWu' for post-exploitation activities, including reconnaissance, privilege escalation, …

Published: March 6, 2025

Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8)

Downloadable IOCs: 3

Stealers and backdoors are spreading under the guise of a DeepSeek client

Cybercriminals are exploiting the popularity of DeepSeek, a powerful reasoning large language model, by creating fake websites that mimic the official DeepSeek chatbot site and distribute malicious code disguised as a client. Three main schemes were identified: a Python stealer targeting user data …

Published: March 6, 2025

Downloadable IOCs: 9

Remcos RAT Targets Europe: New AMSI and ETW Evasion Tactics Uncovered

This week, the SonicWall threat research team discovered a new update in the Remcos infection chain aimed at enhancing its stealth by patching AMSI scanning and ETW logging to evade detection. This loader was seen distributing Async RAT in the past but now it has extended its functionality to Remco…

Published: March 5, 2025

Downloadable IOCs: 7

Booking a Threat: Inside LummaStealer's Fake reCAPTCHA

A new malicious campaign targeting booking websites has been discovered, utilizing LummaStealer, an info-stealer operating under a Malware-as-a-Service model. The attack employs fake CAPTCHAs to trick users into executing malicious PowerShell commands. Initially targeting the Philippines, the campa…

indirect control flow

Published: March 4, 2025

Downloadable IOCs: 12

XWorm Cocktail: A Mix of PE data with PowerShell Code

A malicious file discovered on VirusTotal triggered a PowerShell rule, leading to the investigation of two closely related files identified as 'data files' but named as executables. The files contain a mix of PowerShell code, binary data, and obfuscated text. Analysis revealed characteristics of XW…

Published: February 19, 2025

Downloadable IOCs: 3

Don't Ghost the SocGholish: GhostWeaver Backdoor

The article details a sophisticated malware infection chain involving SocGholish, MintsLoader, and the GhostWeaver backdoor. The attack begins with a fake browser update, progressing through multiple stages to deploy a PowerShell backdoor and various plugins. These components work together to steal…

Published: February 17, 2025

Downloadable IOCs: 14

You've Got Malware: FINALDRAFT Hides in Your Drafts

While investigating REF7707, Elastic Security Labs discovered a new family of previously unknown malware that leverages Outlook as a communication channel via the Microsoft Graph API. This post-exploitation kit includes a loader, a backdoor, and multiple submodules that enable advanced post-exploit…

Published: February 14, 2025

Downloadable IOCs: 9

From South America to Southeast Asia: The Fragile Web of REF7707

While the REF7707 campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign owners exhibited poor campaign management and inconsistent evasion practices.

Published: February 12, 2025

Downloadable IOCs: 40

GetSmoked: UAC-0006 Returns With SmokeLoader Targeting Ukraine's Largest State-Owned Bank

UAC-0006, a financially motivated cyber threat group, has resurfaced with a sophisticated phishing campaign targeting customers of Ukraine’s largest state-owned bank, PrivatBank.

Published: February 10, 2025

Downloadable IOCs: 62

Analysis of malicious HWP cases of 'APT37' group distributed through K messenger

The report details a sophisticated APT attack targeting South Korea, utilizing spear-phishing techniques and malicious HWP files distributed through a popular Korean messenger service. The APT37 group exploited trust-based tactics, using compromised accounts to spread malware through group chats. T…

Published: February 5, 2025

Downloadable IOCs: 0

From Credit Card Skimming to Exploiting Zero-Days

XE Group, a cybercriminal organization active since 2013, has evolved from credit card skimming to exploiting zero-day vulnerabilities. The group initially focused on web vulnerabilities and supply chain attacks but has now shifted to targeted information theft in manufacturing and distribution sec…

Published: February 3, 2025

Linked vulnerabilities : CVE-2024-57968 (CVSS 9.9), CVE-2025-25181 (CVSS 5.8), CVE-2019-18935, CVE-2017-9248

Downloadable IOCs: 17

Protecting Against the Exploited CVEs in the Cleo Data Theft Attacks

The Clop ransomware group has exploited critical vulnerabilities in Cleo's managed file transfer software, specifically CVE-2024-50623 and CVE-2024-55956. These vulnerabilities allow unrestricted file upload/download and execution of arbitrary commands. Imperva has observed over 1 million exploitat…

Published: January 22, 2025

Downloadable IOCs: 2

Proxyware Being Distributed Through Ad Pages

Security researchers have confirmed the unauthorized installation of proxyware on systems through advertisement pages from freeware software sites. The proxyware, identified as DigitalPulse, allows threat actors to share a portion of the system's Internet bandwidth for financial gain without user c…

Published: January 21, 2025

Downloadable IOCs: 3

Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighboring Nations

A new threat group dubbed Silent Lynx has been uncovered targeting entities in Kyrgyzstan and neighboring nations. The group, believed to be Kazakhstan-based, employs sophisticated multi-stage attack strategies using ISO files, C++ loaders, PowerShell scripts, and Golang implants. Their campaigns f…

xerox_scan17510875802718752175.exe

kyrgyzstan

resocks

Published: January 21, 2025

Downloadable IOCs: 12

Investigating A Web Shell Intrusion With Managed XDR

This analysis details a web shell intrusion incident where attackers exploited an IIS worker to exfiltrate data. The attacker uploaded a web shell, created a new account for persistence, modified an existing user's password, and used encoded PowerShell commands to establish a reverse TCP shell for …

Published: January 15, 2025

Downloadable IOCs: 0

Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page

A new distribution method for the LummaC2 infostealer malware has been identified, using a fake CAPTCHA verification page. The process begins with a deceptive authentication screen that copies a malicious command to the clipboard when users click 'I'm not a robot'. This command executes an obfuscat…

Published: January 13, 2025

Downloadable IOCs: 4

Information Stealer Masquerades as LDAPNightmare (CVE-2024-49113) PoC Exploit

A fake proof-of-concept exploit for the LDAPNightmare vulnerability (CVE-2024-49113) is being used to distribute information-stealing malware. The malicious repository, disguised as a fork from the original creator, contains an executable file that, when run, drops and executes a PowerShell script.…

Published: January 10, 2025

Downloadable IOCs: 0

EAGERBEE, with updated and novel components, targets the Middle East

The EAGERBEE backdoor, deployed at ISPs and governmental entities in the Middle East, has been analyzed to reveal new components and capabilities. The malware uses a novel service injector to inject the backdoor into running services, and employs several plugins for various malicious activities. Th…

Published: January 6, 2025

Downloadable IOCs: 8

Espionage cluster Paper Werewolf engages in destructive behavior

The Paper Werewolf cluster, also known as GOFFEE, has increased its activity, targeting Russian organizations in government, energy, finance, and media sectors. Their primary method involves phishing emails with malicious Microsoft Word attachments containing macros. The group has evolved from cybe…

Published: December 25, 2024

Downloadable IOCs: 0

Stealthy Cyber Attacks: LNK Files & SSH Commands Playbook

This analysis explores a rising trend in cyber attacks where threat actors leverage LNK files and SSH commands as initial infection vectors. The attackers use meticulously crafted shortcut files, often disguised as legitimate documents, to execute commands using Living-off-the-Land Binaries (LOLBin…

living-off-the-land binaries

cyber attacks

ssh commands

Published: December 19, 2024

Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2017-11882, CVE-2024-21893

Downloadable IOCs: 6

"Breach Report" from UAC-0099 (CERT-UA#12463)

The Ukrainian CERT-UA investigated cyberattacks by UAC-0099 against government organizations during November-December 2024. The attacks involved emails with malicious attachments, including exploits for CVE-2023-38831. The LONEPAGE program, used for command execution, has evolved to use encrypted f…

Published: December 18, 2024

Downloadable IOCs: 25

Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising

A large-scale fake captcha campaign has been distributing Lumma info-stealer malware through malvertising techniques. The campaign, relying on a single ad network, delivers over 1 million daily ad impressions, causing thousands of daily victims to lose their accounts and money. The malicious activi…

Published: December 18, 2024

Downloadable IOCs: 50

Threat Actor Targets Manufacturing Industry With Malware

A sophisticated cyberattack campaign targeting the manufacturing industry has been identified, utilizing a deceptive LNK file disguised as a PDF document. The attack leverages multiple Living-off-the-Land Binaries and Google Accelerated Mobile Pages to evade detection. The threat actor employs vari…

Published: December 5, 2024

Downloadable IOCs: 0

XWorm: Analyzing New Infection Tactics With Old Payload

A recent malware campaign utilizes a multi-stage infection chain starting with a LNK file that lures victims into opening an invoice in a web browser. The attack involves PowerShell commands, batch files, and Python scripts to download and execute the XWorm payload. The infection process includes d…

multi-stage infection

2024-12-04

Published: December 4, 2024

Downloadable IOCs: 0

Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape

Proofpoint researchers have identified a surge in the ClickFix social engineering technique across the threat landscape. This technique uses dialogue boxes with fake error messages to trick users into copying, pasting, and running malicious content on their computers. Multiple threat actors are emp…

Published: November 18, 2024

Downloadable IOCs: 0

Attack On Maritime & Defense Manufacturing

The DONOT APT group has launched a campaign targeting Pakistan's manufacturing industry supporting maritime and defense sectors. The attack uses a malicious LNK file disguised as an RTF, which executes PowerShell commands to deliver a lure document and stager malware. The malware establishes persis…

Published: November 15, 2024

Downloadable IOCs: 0

Dissecting A Multi-Stage PowerShell Campaign Using Chisel

A sophisticated multi-stage PowerShell campaign has been identified, utilizing an LNK file to initiate a sequence of obfuscated scripts. The attack maintains persistence and stealth by connecting with a command-and-control server. It employs Chisel, a fast TCP/UDP tunneling tool, and a Netskope pro…

Published: November 12, 2024

Downloadable IOCs: 17

New Ymir ransomware discovered used together with RustyStealer | Securelist

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The r…

Published: November 11, 2024

Downloadable IOCs: 12

New Ymir ransomware discovered used together with RustyStealer

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The r…

Published: November 11, 2024

Downloadable IOCs: 0

Hello again, FakeBat: popular loader returns after months-long hiatus

FakeBat, a loader previously known as Eugenloader and PaykLoader, has resurfaced after a three-month absence. The malware was distributed through a malicious Google ad impersonating the productivity application Notion. The attack chain involves a tracking template, cloaking domain, and a decoy site…

Published: November 11, 2024

Downloadable IOCs: 19

New Campaign Uses Remcos RAT to Exploit Victims

A phishing campaign utilizing Remcos RAT has been detected. The attack begins with an email containing a malicious Excel document that exploits CVE-2017-0199. When opened, it downloads and executes an HTA file, which in turn downloads and runs a malicious EXE. This EXE uses PowerShell to load and e…

Published: November 8, 2024

Downloadable IOCs: 2

Analysis of AsyncRAT's Infection Tactics via Open Directories

This analysis explores two distinct methods used to infect systems with AsyncRAT through open directories. The first technique involves a multi-stage process using various obfuscated scripts (VBS, BAT, PowerShell) and disguised files to download and execute the AsyncRAT payload. The second method e…

multi-stage infection

Published: November 7, 2024

Downloadable IOCs: 15

Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign

A new Gootloader variant has been discovered using search engine optimization (SEO) poisoning to target Australian Bengal cat enthusiasts. The campaign uses Google search results for 'Are Bengal Cats legal in Australia?' to deliver malicious payloads. When users click on compromised links, a zip fi…

Published: November 6, 2024

Downloadable IOCs: 14

InfoStealer Malware Attacking Meta Business Page To Steal Logins

A sophisticated malvertising campaign is distributing the SYS01 infostealer malware through Meta's advertising platform. The attackers impersonate trusted brands and popular software, targeting primarily senior male demographics. The malware, designed to steal personal data and credentials, is dist…

Strela Stealer Targets Europe Stealthily Via WebDav

Strela Stealer, first identified by DCSO in late 2022, is a type of information-stealing malware primarily designed to exfiltrate email account credentials from widely used email clients, including Microsoft Outlook and Mozilla Thunderbird. This malware initially targeted Spanish-speaking users thr…

Published: October 30, 2024

Downloadable IOCs: 103

Unauthorized RDP Connections For Cyberespionage Operations

Cyble Research and Intelligence Labs uncovered an ongoing cyberattack campaign utilizing malicious LNK files to gain unauthorized Remote Desktop access on compromised systems. The sophisticated multi-stage attack chain employs PowerShell and BAT scripts to evade detection, create administrative acc…

Published: October 26, 2024

Downloadable IOCs: 0

Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA

Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…

Published: October 21, 2024

Downloadable IOCs: 23

Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign

Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…

Published: October 18, 2024

Downloadable IOCs: 0

Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA

A zero-day vulnerability exploited by an advanced adversary to gain access to a victim’s network, according to research by FortiGuard Labs and the Centre for Strategic Intelligence (CISA).

zero-day vulnerability

Published: October 15, 2024

Downloadable IOCs: 17

HijackLoader evolution: abusing genuine signing certificates

A report by HarfangLab EDR and MITRE ATT&CK on the threat posed by the Lumma Stealer malware, published on 11 October, 2024, outlines the tactics used to deploy the malware.

Published: October 15, 2024

Downloadable IOCs: 69

Malware by the (Bit)Bucket: Uncovering AsyncRAT

A sophisticated attack campaign using Bitbucket as a legitimate platform to deliver AsyncRAT has been uncovered. The multi-stage approach involves a VBScript obfuscation layer, followed by a PowerShell payload delivery mechanism, and culminates in the execution of AsyncRAT. The attackers exploit Bi…

Published: October 10, 2024

Downloadable IOCs: 0

Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines

Over the past year, the delivery of Lua malware appears to have undergone simplification, possibly to reduce exposure to detection mechanisms. The malware is frequently delivered using obfuscated Lua scripts instead of compiled Lua bytecode, as the latter can trigger suspicion more easily.

Published: October 9, 2024

Downloadable IOCs: 18

Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware

A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…

Published: October 4, 2024

Downloadable IOCs: 15

PowerShell Keylogger

A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It im…

Published: September 4, 2024

Downloadable IOCs: 3

Exploring AsyncRAT and Infostealer Plugin Delivery Through…

This analysis details an AsyncRAT infection observed in August 2024, delivered via email. The attack chain involves a Windows Script File that downloads and executes various scripts, ultimately leading to the installation of AsyncRAT with an infostealer plugin. The malware targets multiple browsers…

cryptocurrency wallets

browser data theft

Published: September 2, 2024

Linked vulnerabilities : CVE-2024-7593 (CVSS 9.8), CVE-2024-28986

Downloadable IOCs: 8

Analyzing the Mekotio Trojan

The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…

Published: August 30, 2024

Downloadable IOCs: 2

Decoding the Stealthy Memory-Only Malware

This intelligence report provides an in-depth analysis of a complex, multi-stage malware campaign called PEAKLIGHT. It details the infection chain, starting with movie lure ZIP files containing malicious LNK files that initiate a JavaScript dropper. This dropper then executes a PowerShell downloade…

Published: August 23, 2024

Downloadable IOCs: 23

Report on Ukraine government attack campaign

Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…

Published: August 23, 2024

Downloadable IOCs: 33

Multiple Malware Dropped Through MSI Package

An analysis reveals the distribution of malware through an MSI package, specifically SectopRat and Redline stealer. The malware employs techniques like executing malicious scripts, disabling security measures, and establishing persistence through scheduled tasks. It communicates with command-and-co…

Published: August 14, 2024

Downloadable IOCs: 11

Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell

The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This load…

Published: August 7, 2024

Downloadable IOCs: 8

Detecting evolving threats: NetSupport RAT campaign

This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…

Published: August 2, 2024

Downloadable IOCs: 3

Distribution of AsyncRAT Disguised as Ebook

This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …

Published: July 10, 2024

Downloadable IOCs: 5

Kimsuky Group’s New Backdoor (HappyDoor)

This report provides a detailed analysis of the HappyDoor malware, a new backdoor utilized by the Kimsuky threat group known for targeting organizations with spear-phishing attacks. The malware employs sophisticated techniques like self-duplication, hidden execution paths, and encrypted communicati…

Published: July 8, 2024

Downloadable IOCs: 7

Turla: A Master of Deception

This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features…

Published: July 8, 2024

Downloadable IOCs: 10

ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America

This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…

Published: July 5, 2024

Downloadable IOCs: 4

Malvertising Campaign Leads to Execution of Oyster Backdoor

Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.

Published: June 24, 2024

Downloadable IOCs: 13

AdsExhaust, a Newly Discovered Adware MasqueradingOculus…

In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.

Published: June 24, 2024

Downloadable IOCs: 17

FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy

This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (…

Published: June 19, 2024

Downloadable IOCs: 5

From Clipboard to Compromise: A PowerShell Self-Pwn

This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…

Published: June 17, 2024

Downloadable IOCs: 14

APT Attacks Using Cloud Storage

The report describes a malicious campaign where threat actors utilize cloud services like Google Drive, OneDrive, and Dropbox to distribute malware and collect user information. The attack process starts with a malicious shortcut file (LNK) that executes PowerShell scripts to download decoy documen…

Published: June 11, 2024

Downloadable IOCs: 1

Warning Against Phishing Emails Prompting Execution of Commands via Paste

This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exerci…

Published: June 6, 2024

Downloadable IOCs: 15

Decoding Water Sigbin's Latest Obfuscation Tricks

The China-based threat group Water Sigbin, known for deploying cryptocurrency-mining malware, exhibited new techniques to evade detection. It exploited CVE-2017-3506 and CVE-2023-21839 to deploy a PowerShell script executing a miner. The script utilized complex encoding, environment variables to hi…

Published: May 30, 2024

Linked vulnerabilities : CVE-2023-21839, CVE-2017-3506

Downloadable IOCs: 9

Gootloader walkthrough

The analysis delves into the intricate workings of the Gootloader malware campaign. Through a meticulously crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resour…

Published: May 24, 2024

Downloadable IOCs: 12

Spring Exacerbation: UAC-0006 increased cyberattacks

This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …

Published: May 22, 2024

Downloadable IOCs: 31

Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware

Securonix Threat Research has uncovered a sophisticated malware campaign, dubbed CLOUD#REVERSER, that leverages popular cloud storage services like Google Drive and Dropbox for malware delivery, command execution, and data exfiltration. The infection chain starts with a phishing email containing a …

Published: May 22, 2024

Downloadable IOCs: 16

Exploring the Metamorfo Banking Trojan

This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…

Published: May 17, 2024

Downloadable IOCs: 39

Mallox ranomware affiliate leverages PureCrypter in MS-SQL exploitation campaigns

A team from security firm Sekoia has observed a series of attacks targeting vulnerable assets, including MS-SQL, and Mallox ransomware, using techniques similar to that of the PureCrypter ransomware.

Published: May 14, 2024

Downloadable IOCs: 10

Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself

Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…

Published: April 29, 2024

Downloadable IOCs: 34

From IcedID to Dagon Locker Ransomware in 29 Days

This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.

Published: April 29, 2024

Downloadable IOCs: 33

Tag: powershell

Attack reports

A new campaign by the ForumTroll APT group

BlindEagle Targets Colombian Government Agency with Caminho and DCRAT

Operation FrostBeacon: Multi-Cluster Cobalt Strike Campaign Targets Russia

Unraveling Water Saci's New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp

The 'Bear' attacks: what we learned about the phishing campaign targeting Russian organizations

Water APT Multi-Stage Attack Uncovered

Stories from the SOC: Mystery of the postponed proxyware install

Kimsuky's Ongoing Evolution of KimJongRAT and Expanding Threats

New Tools and Techniques of ToddyCat APT

The Tsundere botnet uses the Ethereum blockchain to infect its targets

Sophisticated Tuoni C2 Attack on U.S. Real Estate Firm Thwarted

EVALUSION Campaign Delivers Amatera Stealer and NetSupport...

A Closer Look at Outlook Macros and More

Analyzing the Link Between Two Evolving Brazilian Banking Trojans

Operation Peek-a-Baku: Silent Lynx APT Targets Dushanbe with Espionage Campaign

Evasion and Persistence via Hidden Hyper-V Virtual Machines

Operation Peek-a-Baku: APT Targets Dushanbe with Espionage Campaign

Operation SkyCloak: Tor Campaign targets Military of Russia & Belarus

Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation

PhantomCaptcha: Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation

APT Meets GPT: Targeted Operations with Untamed LLMs

Shuyal Stealer: Advanced Infostealer Targeting 19 Browsers

XWorm V6: Exploring Pivotal Plugins

Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users | Trend Micro (US)

Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users

Analysis: AI-powered Ransomware from APT Group

Updates Arsenal with BAITSWITCH and SIMPLEFIX

NodeJS backdoors delivering proxyware and monetization schemes

CountLoader: New Malware Loader Being Served in 3 Different Versions

AppSuite, OneStart & ManualFinder: The Nexus of Deception

August 2025 APT Attack Trends Report

Deconstructing a Cyber Deception: An Analysis of the Clickfix HijackLoader Phishing Campaign

Malware Campaign Leverages SVGs, Email Attachments, and CDNs to Drop XWorm and Remcos via BAT Scripts

Operation BarrelFire: Targeting Kazakhstan Oil & Gas

Analysis of APT-C-53 (Gamaredon) Attack on Ukrainian Government Agencies

Operation HanKook Phantom: Spear-Phishing Campaign

Threat Actor Profile: Interlock Ransomware

What happened in Vegas (that you actually want to know about)

When Hackers Call: Social Engineering, Abusing Brave Support, and EncryptHub's Expanding Arsenal

Silent Watcher: Dissecting Cmimai Stealer's VBS Payload

CastleLoader Analysis

Malvertising campaign leads to PS1Bot, a multi-stage malware framework

From ClickFix to Command: A Full PowerShell Attack Chain

CoinMiner Attacks Exploiting GeoServer Vulnerability

Unveiling a New Variant of the DarkCloud Campaign

From Reconnaissance to Control: The Operational Blueprint of Kimsuky APT for Cyber Espionage

Sealed Chain of Deception: Actors leveraging Node.JS to Launch JSCeal

LNK Trojan delivers REMCOS

Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode

Fix the Click: Preventing the ClickFix Attack Vector

Digging Gold with a Spoon – Resurgence of Monero-mining Malware

BERT Ransomware Group Targets Asia and Europe on Multiple Platforms

Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset

Analysis of the threat case of kimsuky group using 'ClickFix' tactic

BERT RANSOMWARE - THE RAVEN FILE

Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation

Fileless AsyncRAT Distributed Via Clickfix Technique Targeting German Speaking Users

More Steganography!

Analysis of the Triple Combo Threat of the Kimsuky Group

Operation Phantom Enigma

Cybercriminals camouflaging threats as AI tool installers

Chasing Eddies: New Rust-based InfoStealer used in CAPTCHA campaigns

Russian Unit 26165 Targets Western Logistics and Technology Companies

Caught in the CAPTCHA: How ClickFix is Weaponizing Verification Fatigue to Deliver RATs & Infostealers

Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT

Excel(ent) Obfuscation: Regex Gone Rogue

New 'Chihuahua Stealer' Targets Browser Data and Crypto Wallets

TA406 Pivots to the Front

A New Breed of Infostealer

Russian COLDRIVER Hackers Deploy LOSTKEYS Malware to Steal Sensitive Information

COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs

Lampion Is Back With ClickFix Lures

Threat Actors are Targeting US Tax-Session with new Tactics of Stealerium-infostealer

Introducing ToyMaker

DOGE Binary Loader Indicators of Compromise

How Lumma Stealer sneaks into organizations

Two sides of the same coin

Shuckworm Targets Foreign Military Mission Based in Ukraine