Tag: process injection

7 Attack Reports | 0 Vulnerabilities

Attack reports

Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers

Mandiant discovered China-nexus espionage group UNC3886 deploying custom backdoors on Juniper Networks' Junos OS routers in mid-2024. The actor used TINYSHELL-based backdoors with various capabilities, including active and passive functions and log disabling. UNC3886 demonstrated advanced system kn…
espionage
china
persistence
medusa
backdoors
routers
process injection
gobrat
china-nexus
2025-03-12
CVE-2025-21590
reptile
tinyshell
pithook
network infrastructure
juniper
seaelf
busybox
ghosttown
2025-04-11
Published: April 11, 2025
Linked vulnerabilities : CVE-2025-21590 (CVSS 4.4), CVE-2022-41328, CVE-2025-22457 (CVSS 9.0)
Downloadable IOCs: 14

AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again

A new AsyncRAT malware campaign has been identified, utilizing malicious payloads delivered through TryCloudflare quick tunnels and Python packages. The attack chain begins with a phishing email containing a Dropbox URL, leading to a ZIP file with an internet shortcut. This triggers a series of dow…
xworm
phishing
python
dropbox
asyncrat
venomrat
process injection
evasion techniques
trycloudflare
remote access trojan
2025-02-01
Published: February 1, 2025
Downloadable IOCs: 0

Technical Analysis of Xloader Versions 6 and 7

This analysis examines the latest versions of Xloader malware, focusing on its advanced obfuscation techniques. Xloader, successor to Formbook, is an information stealer targeting browsers, email clients, and FTP applications. The malware employs complex encryption layers to protect critical code a…
obfuscation
encryption
formbook
information stealer
process injection
xloader
2025-01-28
api resolution
ntdll hook evasion
Published: January 28, 2025
Downloadable IOCs: 261

End-of-Year PTO: Days Off and Data Exfiltration with Formbook

A phishing campaign disguised as an end-of-year leave approval notice has been intercepted by the Cofense Phishing Defense Center. The malicious email, masquerading as HR communication, tricks recipients into clicking a link that leads to the deployment of FormBook malware. The email contains red f…
phishing
autoit
credential harvesting
formbook
keylogging
data exfiltration
process injection
2024-12-06
holiday-themed
Published: December 6, 2024
Downloadable IOCs: 0

Threat Actor Targets Manufacturing Industry With Malware

A sophisticated cyberattack campaign targeting the manufacturing industry has been identified, utilizing a deceptive LNK file disguised as a PDF document. The attack leverages multiple Living-off-the-Land Binaries and Google Accelerated Mobile Pages to evade detection. The threat actor employs vari…
powershell
lumma stealer
dll sideloading
lnk file
process injection
manufacturing
code injection
2024-12-05
amadey bot
amp url
Published: December 5, 2024
Downloadable IOCs: 0

XWorm: Analysis of Latest Version and Execution Flow

XWorm, a versatile tool discovered in 2022, enables attackers to access sensitive information, gain remote access, and deploy additional malware. The latest version's infection chain begins with a Windows Script File downloading a PowerShell script from paste.ee. This script creates multiple files,…
xworm
infection chain
remote access
process injection
2024-10-03
evasion techniques
reflective loading
telegram notification
Published: October 3, 2024
Downloadable IOCs: 8

Deep Analysis of Snake Keylogger’s New Variant

FortiGuard Labs recently caught a phishing campaign delivering a new variant of Snake Keylogger, a keylogger malware that can steal sensitive data like saved credentials, keystrokes, and screenshots. The analysis examines the phishing email, malicious Excel document, and techniques used by the malw…
phishing
persistence
credential theft
CVE-2017-0199
keylogger
2024-08-30
process injection
snake keylogger
Published: August 30, 2024
Linked vulnerabilities : CVE-2017-0199
Downloadable IOCs: 8
Click here to see more Attack Reports