Tag: supply-chain

20 Attack Reports | 0 Vulnerabilities

Attack reports

Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware

A highly targeted email-based campaign was identified, focusing on aviation and satellite communications organizations in the United Arab Emirates. The campaign utilized a compromised entity to send customized malicious messages, leading to the discovery of a new backdoor named Sosano. This malware…
backdoor
supply-chain
apt
targeted
2025-03-04
satellite
sosano
Published: March 4, 2025
Downloadable IOCs: 0

Targeted activity UAC-0212 against developers and suppliers of automation and process control solutions

In 2024-2025, UAC-0212, a subcluster of UAC-0002 (Sandworm), launched targeted cyberattacks against Ukrainian critical infrastructure and related industries. The actor employed new tactics, exploiting CVE-2024-38213 to deliver malware through PDF documents. Tools like SECONDBEST, EMPIREPAST, SPARK,…
sandworm
supply chain
CVE-2024-38213
2025-02-26
crookbag
Published: February 26, 2025
Downloadable IOCs: 112

Unpacking the BADBOX Botnet

The BADBOX botnet, a newly discovered threat, targets Android devices, including high-end models like Yandex 4K QLED TVs. Over 190,000 infected devices have been observed, with malware often pre-installed from the factory or further down the supply chain. Using Censys, a suspicious SSL/TLS certific…
android
supply chain
iot
botnet
badbox
firmware
2025-02-05
censys
ssh host key
ssl/tls certificate
Published: February 5, 2025
Downloadable IOCs: 19

Targeted supply chain attack against Chrome browser extensions

In December 2024, a threat actor successfully compromised around a dozen legitimate Chrome browser extensions by exploiting extension developers' permissions gained through phishing attacks. The malicious code injected into the compromised extensions aimed to harvest sensitive user data like API ke…
phishing
supply chain
credentials
browser extensions
2025-01-22
data harvesting
Published: January 22, 2025
Downloadable IOCs: 80

Supply chain of Korean VPN service compromised

ESET researchers have uncovered a supply-chain attack against a South Korean VPN provider by a previously unknown China-aligned APT group named PlushDaemon. The attackers replaced the legitimate VPN installer with a malicious version that deployed their SlowStepper backdoor, a feature-rich implant …
backdoor
supply-chain
apt
espionage
china
south korea
vpn
2025-01-22
slowstepper
Published: January 22, 2025
Downloadable IOCs: 0

North Korean group targets nuclear-related organization with new malware

The Lazarus group has evolved its infection chain by targeting employees of a nuclear-related organization with a combination of new and old malware. The attack involved delivering malicious archive files containing trojanized VNC utilities and various malware strains including Ranid Downloader, MI…
supply chain
modular malware
2024-12-19
lpeclient
wordpress c2
cookietime
deathnote campaign
rollmid
servicechanger
ranid downloader
charamel loader
nuclear
trojanized vnc
mistpen
cookieplus
Published: December 19, 2024
Downloadable IOCs: 1

BADBOX Botnet Is Back

The BADBOX botnet, previously thought to be contained, has resurfaced with increased scope and sophistication. Recent findings reveal over 192,000 infected devices, including high-end Yandex 4K QLED Smart TVs and Hisense smartphones, expanding beyond the initially targeted off-brand Android devices…
malware
android
supply chain
botnet
proxy
ad fraud
triada
2024-12-17
badbox
firmware
smart tv
Published: December 17, 2024
Downloadable IOCs: 22

An NPM and PyPI Malicious Campaign Targeting Windows Users

Datadog Security Research has uncovered an ongoing supply chain attack targeting both npm and PyPi package repositories, tracked as MUT-8694. This campaign uses malicious packages to deliver infostealer malware to Windows users, leveraging legitimate services like GitHub and repl.it for payload hos…
supply-chain
typosquatting
infostealer
npm
pypi
2024-11-26
roblox
Published: November 26, 2024
Downloadable IOCs: 11

Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack

Unit 42 researchers identified a North Korean IT worker activity cluster, CL-STA-0237, involved in phishing attacks using malware-infected video conference apps. The cluster likely operates from Laos and exploited a U.S.-based SMB IT services company to apply for other jobs, securing a position at …
phishing
north korea
supply chain
beavertail
contagious interview
invisibleferret
wagemole
2024-11-15
insider threat
fake it workers
Published: November 15, 2024
Downloadable IOCs: 6

Supply Chain Attack Using Ethereum Smart Contracts to Distribute Multi-Platform Malware

A sophisticated supply chain attack has been discovered targeting the NPM ecosystem. The malicious package 'jest-fet-mock' impersonates popular testing utilities and uses Ethereum smart contracts for command-and-control operations. This cross-platform malware affects Windows, Linux, and macOS, exec…
supply-chain
typosquatting
c2
npm
multi-platform
2024-11-05
blockchain
development-tools
smart-contract
ethereum
jest-fet-mock
Published: November 5, 2024
Downloadable IOCs: 4

Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack

A sophisticated malware campaign targeting cryptocurrency enthusiasts has been uncovered, utilizing multiple attack vectors including a malicious Python package on PyPI and deceptive GitHub repositories. The multi-stage malware, disguised as cryptocurrency trading tools, aims to steal sensitive dat…
supply-chain
cryptocurrency
data-theft
social-engineering
pypi
github
2024-11-04
multi-stage
gui
cryptoaitools
Published: November 4, 2024
Downloadable IOCs: 2

BORN Group Supply Chain Breach: In-Depth Analysis of Jenkins Exploitation

This analysis examines a substantial supply chain assault on the IT service provider BORN Group. The cybercriminal Intelbroker leveraged a vulnerability (CVE-2024-23897) to breach BORN Group's infrastructure, leading to the exfiltration of sensitive information from various clients. Furthermore, In…
supply chain
github
2024-08-23
Published: August 23, 2024
Downloadable IOCs: 5

Persistent npm Campaign Shipping Trojanized jQuery

The report describes a persistent supply chain attack involving the distribution of a trojanized version of jQuery through various platforms like npm and GitHub. The malicious jQuery variant, containing a modified 'end' function, exfiltrates website form data by sending it to remote URLs controlled…
malware
supply chain
exfiltration
npm
github
2024-07-10
Published: July 10, 2024
Downloadable IOCs: 67

Exposing Attack Operations Utilizing PyPI Against Windows, Linux and macOS Platforms

The report details the APT-C-26 (Lazarus) group's recent attack campaign utilizing malicious Python packages hosted on the PyPI repository to deliver payloads targeting multiple platforms including Windows, Linux, and macOS. It analyzes the attack flow, delivery methods, and malware components invo…
malware
apt
supply chain
lazarus
2024-07-08
pypi
comebacker
cross-platform
Published: July 8, 2024
Downloadable IOCs: 28

Supply Chain Compromise Leads to Trojanized Installers

Rapid7 discovered that installers for Notezilla, RecentX, and Copywhiz hosted on conceptworld[.]com were trojanized to execute information-stealing malware. The malware can steal browser credentials, crypto wallet info, clipboard data, and keystrokes, as well as download additional payloads. Rapid7…
supply-chain
2024-07-01
notezilla
copywhiz
recentx
Published: July 1, 2024
Downloadable IOCs: 27

Polyfill supply chain attack hits 100K+ sites

A malicious Chinese entity acquired control over the popular Polyfill JS open-source project and has been injecting malware into over 100,000 websites that embed the polyfill.io content delivery network. The malware redirects mobile users to a fraudulent sports betting site hosted on a domain imper…
malvertising
supply chain
2024-06-27
polyfill.js
redirection
Published: June 27, 2024
Downloadable IOCs: 7

Malicious npm package targets AWS users

ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
backdoor
supply-chain
2024-06-27
npm
aws
Published: June 27, 2024
Downloadable IOCs: 3

Uncovering Espionage Operations

This comprehensive analysis delves into the intricate tactics employed by a suspected China-nexus cyber espionage actor, UNC3886. The report unveils the group's sophisticated exploitation of zero-day vulnerabilities and their deployment of rootkits like REPTILE and MEDUSA for persistent system acce…
espionage
rootkit
supply chain
zero-day
2024-06-24
CVE-2022-42475
CVE-2023-20867
CVE-2023-34048
CVE-2022-41328
CVE-2022-22948
virtualsphere
Published: June 24, 2024
Downloadable IOCs: 39

Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor

Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
backdoor
supply-chain
typosquatting
2024-06-06
cobaltstrike
malicious-installer
Published: June 6, 2024
Downloadable IOCs: 11

CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack

Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
backdoor
supply chain
CVE-2024-4978
2024-05-24
credential harvesting
installer
stealc infostealer
software
gatedoor/rustdoor
Published: May 24, 2024
Downloadable IOCs: 10
Click here to see more Attack Reports