Tag: process injection

19 Attack Reports | 0 Vulnerabilities

Attack reports

Reloaded in a modern Remcos RAT Infection

Analysts discovered a new Remcos RAT infection chain starting with a batch file executing encoded commands that creates hidden directories and retrieves encrypted payloads. Unlike earlier campaigns relying on PowerShell-hosted .NET loaders, this variant incorporates DonutLoader shellcode and AutoIt…
phishing
shellcode
autoit
in-memory execution
process injection
remcos rat
lolbins
donutloader
2026-05-30
Published: May 30, 2026
Downloadable IOCs: 4

Using KATA and KEDR to detect the AdaptixC2 agent

AdaptixC2 is an emerging open-source post-exploitation framework rapidly adopted by threat actors in APT attacks and ransomware campaigns. Written in Go and C++, it supports Windows, macOS, and Linux with extensive modularity through Beacon Object Files (BOFs). The framework enables diverse command…
credential harvesting
lateral movement
edr
coolclient
mgbot
process injection
toneshell
command-and-control
vbcloud
vbshower
adaptixc2
powershower
cloudatlas
2026-04-17
network detection
post-exploitation framework
Published: April 17, 2026
Downloadable IOCs: 0

From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere

Multiple campaigns are distributing NWHStealer through diverse delivery methods including fake VPN downloads, hardware utilities, and gaming modifications. The malware collects browser data, saved passwords, and cryptocurrency wallet information. Distribution occurs via fake websites impersonating …
infostealer
cryptocurrency theft
process injection
browser data theft
dll hijacking
uac bypass
fake websites
2026-04-15
nwhstealer
2026-04-17
cryptocurrency wallet theft
fake vpn
Published: April 17, 2026
Downloadable IOCs: 3

How ClickFix Opens the Door to Stealthy StealC Information Stealer

This analysis examines a sophisticated attack chain targeting Windows systems through social engineering. It uses fake CAPTCHA verification pages to trick users into executing malicious PowerShell commands. The multi-stage infection process ultimately deploys the StealC information stealer, a commo…
social engineering
credential theft
stealc
clickfix
information stealer
process injection
multi-stage infection
fileless execution
2026-02-17
Published: February 17, 2026
Downloadable IOCs: 9

The game is over: when “free” comes at too high a price. What we know about RenEngine

A widespread campaign is distributing the RenEngine loader malware disguised as pirated games and software. The loader uses a modified Ren'Py game engine to deliver payloads like Lumma and ACR stealers. It employs sophisticated techniques including sandbox evasion, process injection, and modular de…
loader
stealer
vidar
hijackloader
lumma
acr stealer
process injection
2026-02-11
pirated games
ren'py
renengine
Published: February 11, 2026
Downloadable IOCs: 0

Operation DupeHike: Targeting Russian employees with DUPERUNNER and AdaptixC2

A campaign targeting Russian corporate entities, particularly HR, payroll, and administrative departments, has been uncovered. The attack uses realistic decoy documents themed around employee bonuses and financial policies. The malware ecosystem involves a malicious LNK file leading to an implant d…
process injection
c2 communication
spear-phishing
adaptixc2
2025-12-03
employee bonus lure
duperunner
russian corporate
Published: December 3, 2025
Downloadable IOCs: 12

Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics

Trend Research observed a resurgence in Lumma Stealer activity since October 20, 2025, accompanied by new behaviors and C&C techniques. The malware now employs browser fingerprinting as part of its command-and-control tactics, collecting and exfiltrating system, network, hardware, and browser data …
infostealer
lumma stealer
data exfiltration
process injection
evasion techniques
command-and-control
ghostsocks
browser fingerprinting
2025-11-14
cybercriminal activity
Published: November 14, 2025
Downloadable IOCs: 3

Getting to the Crux (Ransomware) of the Matter

A new ransomware variant named Crux has been identified, claiming association with the BlackByte group. Observed in three separate incidents, Crux encrypts files with a .crux extension and leaves ransom notes. Initial access appears to involve Remote Desktop Protocol (RDP) using valid credentials. …
ransomware
rclone
rdp
svchost
data exfiltration
process injection
2025-07-21
bcdedit
crux
Published: July 21, 2025
Downloadable IOCs: 3

macOS NimDoor | North Korean Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware

DPRK threat actors are targeting Web3 and crypto-related businesses using Nim-compiled binaries and multiple attack chains. The malware, dubbed NimDoor, employs unusual techniques for macOS, including process injection and encrypted WebSocket communications. It uses a novel persistence mechanism le…
cryptocurrency
macos
process injection
web3
applescript
websocket
2025-07-04
nimdoor
Published: July 4, 2025
Downloadable IOCs: 9

Malware Analysis Report: UMBRELLA STAND - Malware targeting Fortinet devices

UMBRELLA STAND is a sophisticated malware targeting FortiGate 100D series firewalls produced by Fortinet. It contains remote shell execution functionality, configurable beacon frequency, and AES-encrypted C2 communications. The malware uses fake TLS on port 443 to beacon to its C2 server and has th…
persistence
c2
process injection
aes encryption
defense evasion
fortinet
firewall
2025-06-23
shoe rack
remote shell
umbrella stand
Published: June 23, 2025
Downloadable IOCs: 11

Inside the BlueNoroff Web3 macOS Intrusion Analysis

A detailed analysis of a sophisticated intrusion targeting a cryptocurrency foundation employee is presented. The attack, attributed to the North Korean APT group BlueNoroff, began with a social engineering lure via Telegram, leading to the installation of malicious software disguised as a Zoom ext…
apt
social engineering
cryptocurrency
stealer
macos
dprk
process injection
web3
2025-06-19
root troy v4
injectwithdyld
xscreen
cryptobot
telegram 2
Published: June 19, 2025
Downloadable IOCs: 18

Threat Actors are Targeting US Tax-Session with new Tactics of Stealerium-infostealer

Cybercriminals are exploiting the US tax season to deploy Stealerium malware, targeting citizens through sophisticated phishing campaigns. The attack utilizes deceptive email attachments with malicious LNK files, leading to the execution of PowerShell scripts and the download of a PyInstaller-packa…
powershell
anti-analysis
information stealing
process injection
2025-04-30
tax-season phishing
stealerium
Published: April 30, 2025
Downloadable IOCs: 0

Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers

Mandiant discovered China-nexus espionage group UNC3886 deploying custom backdoors on Juniper Networks' Junos OS routers in mid-2024. The actor used TINYSHELL-based backdoors with various capabilities, including active and passive functions and log disabling. UNC3886 demonstrated advanced system kn…
espionage
china
persistence
medusa
backdoors
routers
process injection
gobrat
china-nexus
2025-03-12
CVE-2025-21590
reptile
tinyshell
pithook
network infrastructure
juniper
seaelf
busybox
ghosttown
2025-04-11
Published: April 11, 2025
Linked vulnerabilities : CVE-2025-21590 (CVSS 4.4), CVE-2022-41328, CVE-2025-22457 (CVSS 9.0)
Downloadable IOCs: 14

AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again

A new AsyncRAT malware campaign has been identified, utilizing malicious payloads delivered through TryCloudflare quick tunnels and Python packages. The attack chain begins with a phishing email containing a Dropbox URL, leading to a ZIP file with an internet shortcut. This triggers a series of dow…
xworm
phishing
python
dropbox
asyncrat
venomrat
process injection
evasion techniques
trycloudflare
remote access trojan
2025-02-01
Published: February 1, 2025
Downloadable IOCs: 0

Technical Analysis of Xloader Versions 6 and 7

This analysis examines the latest versions of Xloader malware, focusing on its advanced obfuscation techniques. Xloader, successor to Formbook, is an information stealer targeting browsers, email clients, and FTP applications. The malware employs complex encryption layers to protect critical code a…
obfuscation
encryption
formbook
information stealer
process injection
xloader
2025-01-28
api resolution
ntdll hook evasion
Published: January 28, 2025
Downloadable IOCs: 261

End-of-Year PTO: Days Off and Data Exfiltration with Formbook

A phishing campaign disguised as an end-of-year leave approval notice has been intercepted by the Cofense Phishing Defense Center. The malicious email, masquerading as HR communication, tricks recipients into clicking a link that leads to the deployment of FormBook malware. The email contains red f…
phishing
autoit
credential harvesting
formbook
keylogging
data exfiltration
process injection
2024-12-06
holiday-themed
Published: December 6, 2024
Downloadable IOCs: 0

Threat Actor Targets Manufacturing Industry With Malware

A sophisticated cyberattack campaign targeting the manufacturing industry has been identified, utilizing a deceptive LNK file disguised as a PDF document. The attack leverages multiple Living-off-the-Land Binaries and Google Accelerated Mobile Pages to evade detection. The threat actor employs vari…
powershell
lumma stealer
dll sideloading
lnk file
process injection
manufacturing
code injection
2024-12-05
amadey bot
amp url
Published: December 5, 2024
Downloadable IOCs: 0

XWorm: Analysis of Latest Version and Execution Flow

XWorm, a versatile tool discovered in 2022, enables attackers to access sensitive information, gain remote access, and deploy additional malware. The latest version's infection chain begins with a Windows Script File downloading a PowerShell script from paste.ee. This script creates multiple files,…
xworm
infection chain
remote access
process injection
2024-10-03
evasion techniques
reflective loading
telegram notification
Published: October 3, 2024
Downloadable IOCs: 8

Deep Analysis of Snake Keylogger’s New Variant

FortiGuard Labs recently caught a phishing campaign delivering a new variant of Snake Keylogger, a keylogger malware that can steal sensitive data like saved credentials, keystrokes, and screenshots. The analysis examines the phishing email, malicious Excel document, and techniques used by the malw…
phishing
persistence
credential theft
CVE-2017-0199
keylogger
2024-08-30
process injection
snake keylogger
Published: August 30, 2024
Linked vulnerabilities : CVE-2017-0199
Downloadable IOCs: 8
Click here to see more Attack Reports