Tag: systembc

20 Attack Reports | 0 Vulnerabilities

Attack reports

Malicious Infrastructure Finds Stability with aurologic GmbH

German hosting provider aurologic GmbH has become a central hub for high-risk hosting networks, providing upstream transit to multiple threat activity enablers. These include sanctioned entities like Aeza Group and other providers associated with cybercrime and disinformation campaigns. aurologic's…
cobalt strike
amadey
asyncrat
cybercrime
rhadamanthys stealer
vidar
phorpiex
dcrat
sliver
latrodectus
disinformation
bianlian
stealc
redline stealer
lumma
meduza stealer
infrastructure
quasarrat
systembc
remcos rat
risepro stealer
darkcomet
dark crystal rat
svcstealer
hosting
castleloader
2025-11-06
moobot
neutrality
transit
sanctions
thc hydra
upstream
tinyloader
abuse
aurologic
destiny stealer
aurotun
castlerat
Published: November 6, 2025
Downloadable IOCs: 23

Cloud Abuse at Scale

A large-scale attack infrastructure dubbed TruffleNet has been identified, built around the open-source tool TruffleHog. This infrastructure is used to systematically test compromised credentials and perform reconnaissance across AWS environments. The campaign involves over 800 unique hosts across …
xmrig
aws
bec
coroxy
systembc
trufflehog
credential abuse
cloud infrastructure
2025-11-01
identity compromise
portainer
trufflenet
ses
Published: November 1, 2025
Downloadable IOCs: 0

Uncovering Qilin attack methods exposed through multiple cases

The ransomware group Qilin has been highly active in 2025, publishing over 40 victim cases per month on its leak site. Manufacturing, professional services, and wholesale trade are the most affected sectors. Attackers likely originate from Eastern Europe or Russian-speaking regions. They use tools …
ransomware
cobalt strike
qilin
systembc
manufacturing
2025-10-27
Published: October 27, 2025
Downloadable IOCs: 17

SystemBC – Bringing the Noise

The SystemBC botnet, composed of over 80 C2s and 1,500 daily victims, primarily targets VPS systems from commercial providers. It creates proxies enabling high volumes of malicious traffic for various criminal threat groups. The network is used by multiple proxy services, including REM Proxy, which…
ransomware
icedid
botnet
cybercrime
proxy
infrastructure
ngioweb
systembc
morpheus
trickbot
transferloader
vps
2025-09-25
avoslocker
rem proxy
malicious traffic
Published: September 25, 2025
Downloadable IOCs: 158

Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs

This intelligence report details a sophisticated cyber intrusion with links to three major ransomware groups: Play, RansomHub, and DragonForce. The attack began with a malicious file impersonating DeskSoft's EarthTime application, which deployed SectopRAT malware. The threat actors used various too…
ransomware
lateral movement
data exfiltration
sectoprat
systembc
grixba
2025-09-08
multi-group affiliation
betruger
multi-group operation
Published: September 8, 2025
Downloadable IOCs: 0

Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC

A financially motivated threat group dubbed Greedy Sponge has been targeting Mexican organizations since 2021 with a modified version of AllaKore RAT and SystemBC malware. The group uses spear-phishing and drive-by downloads to deliver custom packaged installers containing the RAT. Recent updates i…
allakore rat
financial fraud
credential theft
drive-by download
systembc
spear-phishing
geofencing
2025-08-21
mexico
Published: August 21, 2025
Downloadable IOCs: 0

Threat Actor Profile: Interlock Ransomware

Interlock, a relatively new ransomware group first observed in September 2024, has gained prominence in 2025 as an opportunistic ransomware operator. Unlike traditional Ransomware-as-a-Service models, Interlock operates without affiliates or public advertisements. The group conducts double extortio…
social engineering
ransomware
powershell
cobalt strike
clickfix
systembc
double extortion
trycloudflare
remote access trojan
compromised websites
interlock rat
2025-08-15
nodesnake rat
Published: August 15, 2025
Downloadable IOCs: 24

CrossC2 Expanding Cobalt Strike Beacon to Cross-Platform Attacks

From September to December 2024, incidents involving CrossC2, an extension tool for Cobalt Strike Beacon on Linux, were confirmed. The attacker used CrossC2 along with other tools like PsExec, Plink, and Cobalt Strike to penetrate AD. A custom malware called ReadNimeLoader was used as a loader for …
linux
cobalt strike
macos
systembc
psexec
2025-08-15
readnimeloader
crossc2
ad
odinldr
Published: August 15, 2025
Downloadable IOCs: 0

StopRansomware: Play Ransomware

The Play ransomware group has been actively targeting businesses and critical infrastructure across North America, South America, and Europe since June 2022. They gain initial access through exploiting vulnerabilities, using stolen credentials, and leveraging remote access services. The group emplo…
ransomware
systembc
grixba
play
CVE-2024-57727
2025-06-05
CVE-2022-41040
CVE-2022-41082
CVE-2018-13379
CVE-2020-12812
Published: June 5, 2025
Linked vulnerabilities : CVE-2024-57727 (CVSS 7.5), CVE-2022-41082, CVE-2022-41040, CVE-2020-12812, CVE-2018-13379
Downloadable IOCs: 8

Danabot: Analyzing a fallen empire

ESET Research shares insights into Danabot, an infostealer recently disrupted by law enforcement. The malware, tracked since 2018, evolved from a banking trojan to a versatile tool for data theft and malware distribution. Operated as a malware-as-a-service, Danabot offered features like data steali…
infostealer
lockbit
data theft
darkgate
zloader
botnet
lumma stealer
matanbuchus
cybercrime
danabot
latrodectus
malware-as-a-service
smokeloader
banking trojan
systembc
buran
rescoms
recordbreaker
ursnif
2025-05-23
2025-05-25
nonransomware
proxy servers
crisis
c&c infrastructure
malware-as-service
Published: May 25, 2025
Downloadable IOCs: 1

Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure

This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics including web shells, custom malware, and legitimate tools to maintain persistent access across multi…
apt
credential harvesting
lateral movement
systembc
havoc
custom malware
critical infrastructure
web shells
2025-05-06
credinterceptor
CVE-2023-38950
remoteinjector
hxlibrary
CVE-2023-38951
hanifnet
CVE-2023-38952
proxy chaining
neoexpressrat
Published: May 6, 2025
Downloadable IOCs: 35

DragonForce Ransomware Gang | From Hacktivists to High Street Extortionists

The DragonForce ransomware group, initially a pro-Palestine hacktivist operation, has evolved into a profit-driven extortion enterprise targeting UK retailers and various global entities. Emerging in August 2023, the group now employs a multi-extortion model, threatening data leaks and reputational…
ransomware
extortion
cobalt strike
CVE-2024-21412
CVE-2021-44228
CVE-2024-21887
CVE-2023-46805
systembc
2025-05-03
CVE-2024-21893
multi-extortion
dragonforce ransomware
white-label
Published: May 3, 2025
Downloadable IOCs: 0

Shifting the sands of RansomHub's EDRKillShifter

ESET researchers analyze the ransomware ecosystem in 2024, focusing on the newly emerged RansomHub gang. They uncover connections between RansomHub affiliates and rival gangs Play, Medusa, and BianLian through the use of EDRKillShifter, a custom EDR killer developed by RansomHub. The researchers le…
ransomware
bianlian
medusa
edrkillshifter
systembc
grixba
byovd
play
2025-03-27
scransom
Published: March 27, 2025
Downloadable IOCs: 0

Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal

The Black Basta and Cactus ransomware groups have incorporated BackConnect malware into their attack strategies to maintain persistent control over compromised systems. The attackers use social engineering tactics, including email flooding and impersonation of IT support, to gain initial access. Th…
social engineering
ransomware
darkgate
black basta
lateral movement
privilege escalation
systembc
2025-03-03
cactus
backconnect
cloud storage abuse
onedrive exploitation
Published: March 3, 2025
Downloadable IOCs: 0

Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware

This report details an intrusion that began with the execution of a Cobalt Strike beacon masquerading as a Windows Media Configuration Utility. The threat actor used various tools for persistence, lateral movement, and data exfiltration, including SystemBC and GhostSOCKS proxies, Rclone, and PsExec…
ransomware
lockbit
cobalt strike
rclone
exfiltration
lateral movement
systembc
ghostsocks
2025-01-27
Published: January 27, 2025
Downloadable IOCs: 21

Threat Assessment: Distributors of BlackSuit Ransomware

Ignoble Scorpius, previously known as Royal ransomware, has rebranded as BlackSuit ransomware and increased its activity since March 2024. The group has targeted at least 93 victims globally, with a focus on the construction and manufacturing industries. Their initial ransom demands average 1.6% of…
ransomware
extortion
cobalt strike
credential theft
gootloader
lateral movement
mimikatz
data exfiltration
blacksuit
systembc
supply chain attack
2024-11-20
nanodump
Published: November 20, 2024
Downloadable IOCs: 2

New Ymir ransomware discovered used together with RustyStealer | Securelist

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The r…
ransomware
powershell
encryption
incident response
chacha20
systembc
2024-11-11
rustystealer
ymir
Published: November 11, 2024
Downloadable IOCs: 12

New Ymir ransomware discovered used together with RustyStealer

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The r…
ransomware
powershell
encryption
incident response
chacha20
systembc
2024-11-11
rustystealer
ymir
Published: November 11, 2024
Downloadable IOCs: 0

BlackSuit Ransomware

The report meticulously chronicles a sophisticated intrusion which began in December 2023 and culminated in the deployment of BlackSuit ransomware approximately 15 days later. The threat actor demonstrated an array of tactics, leveraging tools like Cobalt Strike, Sharphound, and SystemBC, alongside…
ransomware
cobalt strike
discovery
lateral movement
credential access
cobaltstrike
blacksuit
systembc
2024-08-27
sharphound
get-datainfo.ps1
rubeus
Published: August 27, 2024
Downloadable IOCs: 16

How Managed Detection and Response Pressed Pause on a Play Ransomware Attack

This report details how Trend Micro's Managed Detection and Response (MDR) service successfully thwarted a sophisticated ransomware attack orchestrated by the notorious Play ransomware group. Through continuous monitoring and expert analysis, the MDR team swiftly identified and contained the intrus…
ransomware
incident response
cybersecurity
threat analysis
2024-08-23
systembc
grixba
malware campaign
Published: August 23, 2024
Downloadable IOCs: 1
Click here to see more Attack Reports