Tag: python
13 attack reports | 0 vulnerabilities
Attack reports
Beware of phishing emails impersonating major domestic entertainment agencies
ASEC (AhnLab Security Intelligence Center) has recently confirmed that phishing emails impersonating large domestic entertainment agencies are being distributed domestically.
Downloadable IOCs 0
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
Unraveling the Sophisticated Attack Leveraging VS Code for Unauthorized Access
A sophisticated attack has been uncovered that exploits Visual Studio Code's remote tunnel capabilities for unauthorized access. The attack begins with a .LNK file, disguised as a legitimate setup, which downloads a Python package and executes a malicious script. This script establishes persistence…
Downloadable IOCs 7
North Korea Still Attacking Developers via npm
Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloa…
Downloadable IOCs 12
Predator Spyware Infrastructure Returns Following Exposure and Sanctions
Predator spyware's infrastructure has resurfaced with modifications to evade detection and anonymize users, despite previous exposure and sanctions. The spyware continues to pose significant risks, especially to high-profile individuals in countries like the Democratic Republic of the Congo and Ang…
Downloadable IOCs 16
The Abuse of ITarian RMM by Dolphin Loader
This report explores how the Dolphin Loader, a malware-as-a-service loader, abuses the legitimate ITarian Remote Monitoring and Management (RMM) software to distribute various malware payloads. The loader leverages the built-in functionality of RMM tools, such as remote command execution and system…
Downloadable IOCs 24
MINT STEALER: Running by a BulletProof Hoster
This article provides an analysis of the Mint Stealer, a Python-based information stealer capable of harvesting sensitive data from infected machines. It delves into the stealer's functionality, history, and the infrastructure behind its operations, including its link to a bulletproof hosting servi…
Downloadable IOCs 20
Who You Gonna Call? AndroxGh0st Busters!
This report discusses the AndroxGh0st malware, a Python-scripted threat targeting Laravel web applications to steal sensitive data like credentials and abuse other functionality. It exploits vulnerabilities like CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773. The malware scans for exposed .env f…
Downloadable IOCs 7
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence
Downloadable IOCs 5
Ongoing Malvertising Campaign leads to Ransomware
Rapid7 detected an ongoing malware distribution campaign involving trojanized installers of WinSCP and PuTTY, delivered via malicious search engine ads. The infection chain employs DLL side-loading, credential access, and deploys Sliver beacons followed by Cobalt Strike. In one case, the threat act…
Downloadable IOCs 78
Zloader Learns Old Tricks
Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular trojan based on leaked ZeuS source code. Zloader has continued to evolve since its resurrection around September 2023 after an almost two-year hiatus. The latest version, 2.4.1.0, introduces a feature to prevent execution on machines t…
Downloadable IOCs 8
Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors
This report delves into an ongoing social engineering attack campaign, codenamed DEV#POPPER, likely orchestrated by North Korean threat actors, targeting software developers through fake job interviews. The attackers trick the developers into downloading and executing malicious Python-based RAT dis…
Downloadable IOCs 7
Beware of phishing emails impersonating major domestic entertainment agencies
ASEC (AhnLab Security Intelligence Center) has recently confirmed that phishing emails impersonating large domestic entertainment agencies are being distributed domestically.
Downloadable IOCs 0
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
Unraveling the Sophisticated Attack Leveraging VS Code for Unauthorized Access
A sophisticated attack has been uncovered that exploits Visual Studio Code's remote tunnel capabilities for unauthorized access. The attack begins with a .LNK file, disguised as a legitimate setup, which downloads a Python package and executes a malicious script. This script establishes persistence…
Downloadable IOCs 7
North Korea Still Attacking Developers via npm
Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloa…
Downloadable IOCs 12
Predator Spyware Infrastructure Returns Following Exposure and Sanctions
Predator spyware's infrastructure has resurfaced with modifications to evade detection and anonymize users, despite previous exposure and sanctions. The spyware continues to pose significant risks, especially to high-profile individuals in countries like the Democratic Republic of the Congo and Ang…
Downloadable IOCs 16
The Abuse of ITarian RMM by Dolphin Loader
This report explores how the Dolphin Loader, a malware-as-a-service loader, abuses the legitimate ITarian Remote Monitoring and Management (RMM) software to distribute various malware payloads. The loader leverages the built-in functionality of RMM tools, such as remote command execution and system…
Downloadable IOCs 24
MINT STEALER: Running by a BulletProof Hoster
This article provides an analysis of the Mint Stealer, a Python-based information stealer capable of harvesting sensitive data from infected machines. It delves into the stealer's functionality, history, and the infrastructure behind its operations, including its link to a bulletproof hosting servi…
Downloadable IOCs 20
Who You Gonna Call? AndroxGh0st Busters!
This report discusses the AndroxGh0st malware, a Python-scripted threat targeting Laravel web applications to steal sensitive data like credentials and abuse other functionality. It exploits vulnerabilities like CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773. The malware scans for exposed .env f…
Downloadable IOCs 7
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence
Downloadable IOCs 5
Ongoing Malvertising Campaign leads to Ransomware
Rapid7 detected an ongoing malware distribution campaign involving trojanized installers of WinSCP and PuTTY, delivered via malicious search engine ads. The infection chain employs DLL side-loading, credential access, and deploys Sliver beacons followed by Cobalt Strike. In one case, the threat act…
Downloadable IOCs 78
Zloader Learns Old Tricks
Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular trojan based on leaked ZeuS source code. Zloader has continued to evolve since its resurrection around September 2023 after an almost two-year hiatus. The latest version, 2.4.1.0, introduces a feature to prevent execution on machines t…
Downloadable IOCs 8
Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors
This report delves into an ongoing social engineering attack campaign, codenamed DEV#POPPER, likely orchestrated by North Korean threat actors, targeting software developers through fake job interviews. The attackers trick the developers into downloading and executing malicious Python-based RAT dis…
Downloadable IOCs 7
Beware of phishing emails impersonating major domestic entertainment agencies
ASEC (AhnLab Security Intelligence Center) has recently confirmed that phishing emails impersonating large domestic entertainment agencies are being distributed domestically.
Downloadable IOCs 0
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
Unraveling the Sophisticated Attack Leveraging VS Code for Unauthorized Access
A sophisticated attack has been uncovered that exploits Visual Studio Code's remote tunnel capabilities for unauthorized access. The attack begins with a .LNK file, disguised as a legitimate setup, which downloads a Python package and executes a malicious script. This script establishes persistence…
Downloadable IOCs 7
North Korea Still Attacking Developers via npm
Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloa…
Downloadable IOCs 12
Predator Spyware Infrastructure Returns Following Exposure and Sanctions
Predator spyware's infrastructure has resurfaced with modifications to evade detection and anonymize users, despite previous exposure and sanctions. The spyware continues to pose significant risks, especially to high-profile individuals in countries like the Democratic Republic of the Congo and Ang…
Downloadable IOCs 16
The Abuse of ITarian RMM by Dolphin Loader
This report explores how the Dolphin Loader, a malware-as-a-service loader, abuses the legitimate ITarian Remote Monitoring and Management (RMM) software to distribute various malware payloads. The loader leverages the built-in functionality of RMM tools, such as remote command execution and system…
Downloadable IOCs 24
MINT STEALER: Running by a BulletProof Hoster
This article provides an analysis of the Mint Stealer, a Python-based information stealer capable of harvesting sensitive data from infected machines. It delves into the stealer's functionality, history, and the infrastructure behind its operations, including its link to a bulletproof hosting servi…
Downloadable IOCs 20
Who You Gonna Call? AndroxGh0st Busters!
This report discusses the AndroxGh0st malware, a Python-scripted threat targeting Laravel web applications to steal sensitive data like credentials and abuse other functionality. It exploits vulnerabilities like CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773. The malware scans for exposed .env f…
Downloadable IOCs 7
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence
Downloadable IOCs 5
Ongoing Malvertising Campaign leads to Ransomware
Rapid7 detected an ongoing malware distribution campaign involving trojanized installers of WinSCP and PuTTY, delivered via malicious search engine ads. The infection chain employs DLL side-loading, credential access, and deploys Sliver beacons followed by Cobalt Strike. In one case, the threat act…
Downloadable IOCs 78
Zloader Learns Old Tricks
Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular trojan based on leaked ZeuS source code. Zloader has continued to evolve since its resurrection around September 2023 after an almost two-year hiatus. The latest version, 2.4.1.0, introduces a feature to prevent execution on machines t…
Downloadable IOCs 8
Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors
This report delves into an ongoing social engineering attack campaign, codenamed DEV#POPPER, likely orchestrated by North Korean threat actors, targeting software developers through fake job interviews. The attackers trick the developers into downloading and executing malicious Python-based RAT dis…
Downloadable IOCs 7
Beware of phishing emails impersonating major domestic entertainment agencies
ASEC (AhnLab Security Intelligence Center) has recently confirmed that phishing emails impersonating large domestic entertainment agencies are being distributed domestically.
Downloadable IOCs 0
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
Unraveling the Sophisticated Attack Leveraging VS Code for Unauthorized Access
A sophisticated attack has been uncovered that exploits Visual Studio Code's remote tunnel capabilities for unauthorized access. The attack begins with a .LNK file, disguised as a legitimate setup, which downloads a Python package and executes a malicious script. This script establishes persistence…
Downloadable IOCs 7
North Korea Still Attacking Developers via npm
Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloa…
Downloadable IOCs 12
Predator Spyware Infrastructure Returns Following Exposure and Sanctions
Predator spyware's infrastructure has resurfaced with modifications to evade detection and anonymize users, despite previous exposure and sanctions. The spyware continues to pose significant risks, especially to high-profile individuals in countries like the Democratic Republic of the Congo and Ang…
Downloadable IOCs 16
The Abuse of ITarian RMM by Dolphin Loader
This report explores how the Dolphin Loader, a malware-as-a-service loader, abuses the legitimate ITarian Remote Monitoring and Management (RMM) software to distribute various malware payloads. The loader leverages the built-in functionality of RMM tools, such as remote command execution and system…
Downloadable IOCs 24
MINT STEALER: Running by a BulletProof Hoster
This article provides an analysis of the Mint Stealer, a Python-based information stealer capable of harvesting sensitive data from infected machines. It delves into the stealer's functionality, history, and the infrastructure behind its operations, including its link to a bulletproof hosting servi…
Downloadable IOCs 20
Who You Gonna Call? AndroxGh0st Busters!
This report discusses the AndroxGh0st malware, a Python-scripted threat targeting Laravel web applications to steal sensitive data like credentials and abuse other functionality. It exploits vulnerabilities like CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773. The malware scans for exposed .env f…
Downloadable IOCs 7
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence
Downloadable IOCs 5
Ongoing Malvertising Campaign leads to Ransomware
Rapid7 detected an ongoing malware distribution campaign involving trojanized installers of WinSCP and PuTTY, delivered via malicious search engine ads. The infection chain employs DLL side-loading, credential access, and deploys Sliver beacons followed by Cobalt Strike. In one case, the threat act…
Downloadable IOCs 78
Zloader Learns Old Tricks
Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular trojan based on leaked ZeuS source code. Zloader has continued to evolve since its resurrection around September 2023 after an almost two-year hiatus. The latest version, 2.4.1.0, introduces a feature to prevent execution on machines t…
Downloadable IOCs 8
Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors
This report delves into an ongoing social engineering attack campaign, codenamed DEV#POPPER, likely orchestrated by North Korean threat actors, targeting software developers through fake job interviews. The attackers trick the developers into downloading and executing malicious Python-based RAT dis…
Downloadable IOCs 7
Beware of phishing emails impersonating major domestic entertainment agencies
ASEC (AhnLab Security Intelligence Center) has recently confirmed that phishing emails impersonating large domestic entertainment agencies are being distributed domestically.
Downloadable IOCs 0
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
Unraveling the Sophisticated Attack Leveraging VS Code for Unauthorized Access
A sophisticated attack has been uncovered that exploits Visual Studio Code's remote tunnel capabilities for unauthorized access. The attack begins with a .LNK file, disguised as a legitimate setup, which downloads a Python package and executes a malicious script. This script establishes persistence…
Downloadable IOCs 7
North Korea Still Attacking Developers via npm
Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloa…
Downloadable IOCs 12
Predator Spyware Infrastructure Returns Following Exposure and Sanctions
Predator spyware's infrastructure has resurfaced with modifications to evade detection and anonymize users, despite previous exposure and sanctions. The spyware continues to pose significant risks, especially to high-profile individuals in countries like the Democratic Republic of the Congo and Ang…
Downloadable IOCs 16
The Abuse of ITarian RMM by Dolphin Loader
This report explores how the Dolphin Loader, a malware-as-a-service loader, abuses the legitimate ITarian Remote Monitoring and Management (RMM) software to distribute various malware payloads. The loader leverages the built-in functionality of RMM tools, such as remote command execution and system…
Downloadable IOCs 24
MINT STEALER: Running by a BulletProof Hoster
This article provides an analysis of the Mint Stealer, a Python-based information stealer capable of harvesting sensitive data from infected machines. It delves into the stealer's functionality, history, and the infrastructure behind its operations, including its link to a bulletproof hosting servi…
Downloadable IOCs 20
Who You Gonna Call? AndroxGh0st Busters!
This report discusses the AndroxGh0st malware, a Python-scripted threat targeting Laravel web applications to steal sensitive data like credentials and abuse other functionality. It exploits vulnerabilities like CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773. The malware scans for exposed .env f…
Downloadable IOCs 7
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence
Downloadable IOCs 5
Ongoing Malvertising Campaign leads to Ransomware
Rapid7 detected an ongoing malware distribution campaign involving trojanized installers of WinSCP and PuTTY, delivered via malicious search engine ads. The infection chain employs DLL side-loading, credential access, and deploys Sliver beacons followed by Cobalt Strike. In one case, the threat act…
Downloadable IOCs 78
Zloader Learns Old Tricks
Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular trojan based on leaked ZeuS source code. Zloader has continued to evolve since its resurrection around September 2023 after an almost two-year hiatus. The latest version, 2.4.1.0, introduces a feature to prevent execution on machines t…
Downloadable IOCs 8
Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors
This report delves into an ongoing social engineering attack campaign, codenamed DEV#POPPER, likely orchestrated by North Korean threat actors, targeting software developers through fake job interviews. The attackers trick the developers into downloading and executing malicious Python-based RAT dis…
Downloadable IOCs 7
Beware of phishing emails impersonating major domestic entertainment agencies
ASEC (AhnLab Security Intelligence Center) has recently confirmed that phishing emails impersonating large domestic entertainment agencies are being distributed domestically.
Downloadable IOCs 0
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
Unraveling the Sophisticated Attack Leveraging VS Code for Unauthorized Access
A sophisticated attack has been uncovered that exploits Visual Studio Code's remote tunnel capabilities for unauthorized access. The attack begins with a .LNK file, disguised as a legitimate setup, which downloads a Python package and executes a malicious script. This script establishes persistence…
Downloadable IOCs 7
North Korea Still Attacking Developers via npm
Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloa…
Downloadable IOCs 12
Predator Spyware Infrastructure Returns Following Exposure and Sanctions
Predator spyware's infrastructure has resurfaced with modifications to evade detection and anonymize users, despite previous exposure and sanctions. The spyware continues to pose significant risks, especially to high-profile individuals in countries like the Democratic Republic of the Congo and Ang…
Downloadable IOCs 16
The Abuse of ITarian RMM by Dolphin Loader
This report explores how the Dolphin Loader, a malware-as-a-service loader, abuses the legitimate ITarian Remote Monitoring and Management (RMM) software to distribute various malware payloads. The loader leverages the built-in functionality of RMM tools, such as remote command execution and system…
Downloadable IOCs 24
MINT STEALER: Running by a BulletProof Hoster
This article provides an analysis of the Mint Stealer, a Python-based information stealer capable of harvesting sensitive data from infected machines. It delves into the stealer's functionality, history, and the infrastructure behind its operations, including its link to a bulletproof hosting servi…
Downloadable IOCs 20
Who You Gonna Call? AndroxGh0st Busters!
This report discusses the AndroxGh0st malware, a Python-scripted threat targeting Laravel web applications to steal sensitive data like credentials and abuse other functionality. It exploits vulnerabilities like CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773. The malware scans for exposed .env f…
Downloadable IOCs 7
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence
Downloadable IOCs 5
Ongoing Malvertising Campaign leads to Ransomware
Rapid7 detected an ongoing malware distribution campaign involving trojanized installers of WinSCP and PuTTY, delivered via malicious search engine ads. The infection chain employs DLL side-loading, credential access, and deploys Sliver beacons followed by Cobalt Strike. In one case, the threat act…
Downloadable IOCs 78
Zloader Learns Old Tricks
Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular trojan based on leaked ZeuS source code. Zloader has continued to evolve since its resurrection around September 2023 after an almost two-year hiatus. The latest version, 2.4.1.0, introduces a feature to prevent execution on machines t…
Downloadable IOCs 8
Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors
This report delves into an ongoing social engineering attack campaign, codenamed DEV#POPPER, likely orchestrated by North Korean threat actors, targeting software developers through fake job interviews. The attackers trick the developers into downloading and executing malicious Python-based RAT dis…
Downloadable IOCs 7
Beware of phishing emails impersonating major domestic entertainment agencies
ASEC (AhnLab Security Intelligence Center) has recently confirmed that phishing emails impersonating large domestic entertainment agencies are being distributed domestically.
Downloadable IOCs 0
Tweaking AsyncRAT: Using Python and TryCloudflare to Deploy Malware
A new AsyncRAT malware campaign utilizes TryCloudflare quick tunnels and Python packages to deliver malicious payloads. The attack chain involves HTML attachments with 'search-ms' URI protocol handlers, leading to LNK files that download BAT files. These BAT files then retrieve and execute Python s…
Downloadable IOCs 15
Unraveling the Sophisticated Attack Leveraging VS Code for Unauthorized Access
A sophisticated attack has been uncovered that exploits Visual Studio Code's remote tunnel capabilities for unauthorized access. The attack begins with a .LNK file, disguised as a legitimate setup, which downloads a Python package and executes a malicious script. This script establishes persistence…
Downloadable IOCs 7
North Korea Still Attacking Developers via npm
Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloa…
Downloadable IOCs 12
Predator Spyware Infrastructure Returns Following Exposure and Sanctions
Predator spyware's infrastructure has resurfaced with modifications to evade detection and anonymize users, despite previous exposure and sanctions. The spyware continues to pose significant risks, especially to high-profile individuals in countries like the Democratic Republic of the Congo and Ang…
Downloadable IOCs 16
The Abuse of ITarian RMM by Dolphin Loader
This report explores how the Dolphin Loader, a malware-as-a-service loader, abuses the legitimate ITarian Remote Monitoring and Management (RMM) software to distribute various malware payloads. The loader leverages the built-in functionality of RMM tools, such as remote command execution and system…
Downloadable IOCs 24
MINT STEALER: Running by a BulletProof Hoster
This article provides an analysis of the Mint Stealer, a Python-based information stealer capable of harvesting sensitive data from infected machines. It delves into the stealer's functionality, history, and the infrastructure behind its operations, including its link to a bulletproof hosting servi…
Downloadable IOCs 20
Who You Gonna Call? AndroxGh0st Busters!
This report discusses the AndroxGh0st malware, a Python-scripted threat targeting Laravel web applications to steal sensitive data like credentials and abuse other functionality. It exploits vulnerabilities like CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773. The malware scans for exposed .env f…
Downloadable IOCs 7
ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
This analysis describes the identification of a server likely exploiting ProxyLogon and ProxyShell vulnerabilities to gain unauthorized access to government email servers across Asia, Europe, and South America. The threat actor leveraged open-source exploit code to infiltrate systems and steal sens…
Downloadable IOCs 4
China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence
Downloadable IOCs 5
Ongoing Malvertising Campaign leads to Ransomware
Rapid7 detected an ongoing malware distribution campaign involving trojanized installers of WinSCP and PuTTY, delivered via malicious search engine ads. The infection chain employs DLL side-loading, credential access, and deploys Sliver beacons followed by Cobalt Strike. In one case, the threat act…
Downloadable IOCs 78
Zloader Learns Old Tricks
Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular trojan based on leaked ZeuS source code. Zloader has continued to evolve since its resurrection around September 2023 after an almost two-year hiatus. The latest version, 2.4.1.0, introduces a feature to prevent execution on machines t…
Downloadable IOCs 8
Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors
This report delves into an ongoing social engineering attack campaign, codenamed DEV#POPPER, likely orchestrated by North Korean threat actors, targeting software developers through fake job interviews. The attackers trick the developers into downloading and executing malicious Python-based RAT dis…
Downloadable IOCs 7