Tag: process injection

14 Attack Reports | 0 Vulnerabilities

Attack reports

Operation DupeHike: Targeting Russian employees with DUPERUNNER and AdaptixC2

A campaign targeting Russian corporate entities, particularly HR, payroll, and administrative departments, has been uncovered. The attack uses realistic decoy documents themed around employee bonuses and financial policies. The malware ecosystem involves a malicious LNK file leading to an implant d…
process injection
c2 communication
spear-phishing
adaptixc2
2025-12-03
employee bonus lure
duperunner
russian corporate
Published: December 3, 2025
Downloadable IOCs: 12

Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics

Trend Research observed a resurgence in Lumma Stealer activity since October 20, 2025, accompanied by new behaviors and C&C techniques. The malware now employs browser fingerprinting as part of its command-and-control tactics, collecting and exfiltrating system, network, hardware, and browser data …
infostealer
lumma stealer
data exfiltration
process injection
evasion techniques
command-and-control
ghostsocks
browser fingerprinting
2025-11-14
cybercriminal activity
Published: November 14, 2025
Downloadable IOCs: 3

Getting to the Crux (Ransomware) of the Matter

A new ransomware variant named Crux has been identified, claiming association with the BlackByte group. Observed in three separate incidents, Crux encrypts files with a .crux extension and leaves ransom notes. Initial access appears to involve Remote Desktop Protocol (RDP) using valid credentials. …
ransomware
rclone
rdp
svchost
data exfiltration
process injection
2025-07-21
bcdedit
crux
Published: July 21, 2025
Downloadable IOCs: 3

macOS NimDoor | North Korean Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware

DPRK threat actors are targeting Web3 and crypto-related businesses using Nim-compiled binaries and multiple attack chains. The malware, dubbed NimDoor, employs unusual techniques for macOS, including process injection and encrypted WebSocket communications. It uses a novel persistence mechanism le…
cryptocurrency
macos
process injection
web3
applescript
websocket
2025-07-04
nimdoor
Published: July 4, 2025
Downloadable IOCs: 9

Malware Analysis Report: UMBRELLA STAND - Malware targeting Fortinet devices

UMBRELLA STAND is a sophisticated malware targeting FortiGate 100D series firewalls produced by Fortinet. It contains remote shell execution functionality, configurable beacon frequency, and AES-encrypted C2 communications. The malware uses fake TLS on port 443 to beacon to its C2 server and has th…
persistence
c2
process injection
aes encryption
defense evasion
fortinet
firewall
2025-06-23
shoe rack
remote shell
umbrella stand
Published: June 23, 2025
Downloadable IOCs: 11

Inside the BlueNoroff Web3 macOS Intrusion Analysis

A detailed analysis of a sophisticated intrusion targeting a cryptocurrency foundation employee is presented. The attack, attributed to the North Korean APT group BlueNoroff, began with a social engineering lure via Telegram, leading to the installation of malicious software disguised as a Zoom ext…
apt
social engineering
cryptocurrency
stealer
macos
dprk
process injection
web3
2025-06-19
root troy v4
injectwithdyld
xscreen
cryptobot
telegram 2
Published: June 19, 2025
Downloadable IOCs: 18

Threat Actors are Targeting US Tax-Session with new Tactics of Stealerium-infostealer

Cybercriminals are exploiting the US tax season to deploy Stealerium malware, targeting citizens through sophisticated phishing campaigns. The attack utilizes deceptive email attachments with malicious LNK files, leading to the execution of PowerShell scripts and the download of a PyInstaller-packa…
powershell
anti-analysis
information stealing
process injection
2025-04-30
tax-season phishing
stealerium
Published: April 30, 2025
Downloadable IOCs: 0

Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers

Mandiant discovered China-nexus espionage group UNC3886 deploying custom backdoors on Juniper Networks' Junos OS routers in mid-2024. The actor used TINYSHELL-based backdoors with various capabilities, including active and passive functions and log disabling. UNC3886 demonstrated advanced system kn…
espionage
china
persistence
medusa
backdoors
routers
process injection
gobrat
china-nexus
2025-03-12
CVE-2025-21590
reptile
tinyshell
pithook
network infrastructure
juniper
seaelf
busybox
ghosttown
2025-04-11
Published: April 11, 2025
Linked vulnerabilities : CVE-2025-21590 (CVSS 4.4), CVE-2022-41328, CVE-2025-22457 (CVSS 9.0)
Downloadable IOCs: 14

AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again

A new AsyncRAT malware campaign has been identified, utilizing malicious payloads delivered through TryCloudflare quick tunnels and Python packages. The attack chain begins with a phishing email containing a Dropbox URL, leading to a ZIP file with an internet shortcut. This triggers a series of dow…
xworm
phishing
python
dropbox
asyncrat
venomrat
process injection
evasion techniques
trycloudflare
remote access trojan
2025-02-01
Published: February 1, 2025
Downloadable IOCs: 0

Technical Analysis of Xloader Versions 6 and 7

This analysis examines the latest versions of Xloader malware, focusing on its advanced obfuscation techniques. Xloader, successor to Formbook, is an information stealer targeting browsers, email clients, and FTP applications. The malware employs complex encryption layers to protect critical code a…
obfuscation
encryption
formbook
information stealer
process injection
xloader
2025-01-28
api resolution
ntdll hook evasion
Published: January 28, 2025
Downloadable IOCs: 261

End-of-Year PTO: Days Off and Data Exfiltration with Formbook

A phishing campaign disguised as an end-of-year leave approval notice has been intercepted by the Cofense Phishing Defense Center. The malicious email, masquerading as HR communication, tricks recipients into clicking a link that leads to the deployment of FormBook malware. The email contains red f…
phishing
autoit
credential harvesting
formbook
keylogging
data exfiltration
process injection
2024-12-06
holiday-themed
Published: December 6, 2024
Downloadable IOCs: 0

Threat Actor Targets Manufacturing Industry With Malware

A sophisticated cyberattack campaign targeting the manufacturing industry has been identified, utilizing a deceptive LNK file disguised as a PDF document. The attack leverages multiple Living-off-the-Land Binaries and Google Accelerated Mobile Pages to evade detection. The threat actor employs vari…
powershell
lumma stealer
dll sideloading
lnk file
process injection
manufacturing
code injection
2024-12-05
amadey bot
amp url
Published: December 5, 2024
Downloadable IOCs: 0

XWorm: Analysis of Latest Version and Execution Flow

XWorm, a versatile tool discovered in 2022, enables attackers to access sensitive information, gain remote access, and deploy additional malware. The latest version's infection chain begins with a Windows Script File downloading a PowerShell script from paste.ee. This script creates multiple files,…
xworm
infection chain
remote access
process injection
2024-10-03
evasion techniques
reflective loading
telegram notification
Published: October 3, 2024
Downloadable IOCs: 8

Deep Analysis of Snake Keylogger’s New Variant

FortiGuard Labs recently caught a phishing campaign delivering a new variant of Snake Keylogger, a keylogger malware that can steal sensitive data like saved credentials, keystrokes, and screenshots. The analysis examines the phishing email, malicious Excel document, and techniques used by the malw…
phishing
persistence
credential theft
CVE-2017-0199
keylogger
2024-08-30
process injection
snake keylogger
Published: August 30, 2024
Linked vulnerabilities : CVE-2017-0199
Downloadable IOCs: 8
Click here to see more Attack Reports