Tag: windows

40 Attack Reports | 0 Vulnerabilities

Attack reports

Windows Shortcut (LNK) Malware Strategies

This article provides an in-depth analysis of Windows shortcut (LNK) file malware, based on the examination of 30,000 recent samples. The research reveals four main categories of LNK malware: exploit execution, file on disk execution, in-argument scripts execution, and overlay execution. Each techn…
exploit
windows
lnk files
shortcut
2025-07-02
execution techniques
Published: July 2, 2025
Linked vulnerabilities : CVE-2023-36884, CVE-2010-2568
Downloadable IOCs: 12

Decrement by one to rule them all: AsIO3.sys driver exploitation

The article details the discovery and exploitation of two critical vulnerabilities in the AsIO3.sys driver, used by ASUS Armory Crate and AI Suite applications. The vulnerabilities, a stack-based buffer overflow and an authorization bypass, were found in the IRP_MJ_CREATE handler. The author demons…
windows
vulnerability
privilege escalation
asus
driver exploitation
CVE-2025-1533
CVE-2025-3464
2025-06-26
kernel exploitation
asio3.sys
Published: June 26, 2025
Linked vulnerabilities : CVE-2025-1533 (CVSS 8.2), CVE-2025-3464 (CVSS 8.4)
Downloadable IOCs: 0

BERT RANSOMWARE - THE RAVEN FILE

BERT Ransomware, active since March 2025, has expanded its operations to target both Windows and Linux environments. The group uses phishing for initial access and communicates via the dark web and Sessions for negotiations. Victims span multiple countries, primarily affecting service and manufactu…
linux
phishing
ransomware
powershell
windows
encryption
revil
sodinokibi
dark web
2025-06-20
bert ransomware
Published: June 20, 2025
Downloadable IOCs: 11

Sarcoma Ransomware Unveiled: Anatomy of a Double Extortion Gang

Sarcoma Ransomware, first detected in October 2024, has rapidly become a major cybersecurity threat, targeting high-value companies across industries. It uses advanced tactics like zero-day exploits and RMM tools for network discovery and credential theft. The group has impacted organizations in va…
linux
windows
encryption
chacha20
2025-05-20
hypervisor
sarcoma ransomware
rsa
network propagation
Published: May 20, 2025
Downloadable IOCs: 2

Additional Features of OtterCookie Malware Used by WaterPlum

The article discusses updates to the OtterCookie malware utilized by the North Korea-linked attack group WaterPlum. The malware has evolved through four versions, with v3 and v4 being the focus. OtterCookie v3 introduced Windows support and enhanced file collection capabilities. Version 4 added new…
north korea
windows
cryptocurrency
stealer
macos
credential theft
beavertail
invisibleferret
ottercookie
2025-05-11
financial institutions
Published: May 11, 2025
Downloadable IOCs: 0

Latest Mustang Panda Arsenal: Toneshell, StarProxy, PAKLOG, CorKLOG, and SplatCloak

Mustang Panda, a threat actor group, has developed new tools including two keyloggers (PAKLOG and CorKLOG) and an EDR evasion driver (SplatCloak). PAKLOG monitors keystrokes and clipboard data, using a custom encoding scheme. CorKLOG captures keystrokes, encrypts data with RC4, and establishes pers…
windows
toneshell
2025-04-16
splatcloak
corklog
starproxy
paklog
Published: April 16, 2025
Downloadable IOCs: 23

Exploitation of CLFS zero-day leads to ransomware activity

A zero-day elevation of privilege vulnerability in Windows Common Log File System (CLFS) has been exploited against targets in IT, real estate, finance, software, and retail sectors across multiple countries. The exploit, deployed by PipeMagic malware and attributed to Storm-2460, enables privilege…
ransomware
windows
zero-day
privilege escalation
ransomexx
CVE-2025-24983
CVE-2025-29824
2025-04-09
clfs
pipemagic
Published: April 9, 2025
Linked vulnerabilities : CVE-2025-24983 (CVSS 7.0), CVE-2025-29814 (CVSS 9.3), CVE-2025-29824 (CVSS 7.8)
Downloadable IOCs: 0

Analysis of Konni RAT: Stealth, Persistence, and Anti-Analysis Techniques

Konni RAT, a sophisticated remote access Trojan targeting Windows systems, employs a multi-stage attack process using batch files, PowerShell scripts, and VBScript. It exploits Windows Explorer limitations, obfuscates file paths, dynamically generates URLs, and uses temporary files to erase activit…
windows
persistence
anti-analysis
data exfiltration
multi-stage attack
stealth techniques
remote access trojan
2025-04-01
konni rat
Published: April 1, 2025
Downloadable IOCs: 0

TURNING AID INTO ATTACK: EXPLOITATION OF PAKISTAN’S YOUTH LAPTOP SCHEME TO TARGET INDIA

A Pakistan-based APT group, assessed with medium confidence as APT36, who created a fake IndiaPost website to target and infect both Windows and Android users.
python
android
windows
crimson rat
pakistan
india
defense
rust
discord
clickfix
apt36
2025-03-27
html code
india post
bootreceiver
mywire
Published: March 27, 2025
Downloadable IOCs: 5

CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin

Trend Research uncovered a campaign by the Russian threat actor Water Gamayun that exploits a zero-day vulnerability in the Microsoft Management Console framework to execute malicious code, named MSC EvilTwin (CVE-2025-26633).
backdoor
windows
infostealer
zero-day
github
trojanspy
sha256
detection
CVE-2025-26633
2025-03-25
disease vector
msc eviltwin
filename
water gamayun
files
related
domain
description
encrypthub
Published: March 25, 2025
Linked vulnerabilities : CVE-2025-26633 (CVSS 7.0)
Downloadable IOCs: 58

Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns

A Windows .lnk file vulnerability, ZDI-CAN-25373, has been extensively exploited by state-sponsored and cybercriminal groups. The vulnerability allows hidden command execution through crafted shortcut files, exposing organizations to data theft and cyber espionage risks. Nearly 1,000 malicious .lnk…
apt
espionage
windows
vulnerability
data theft
zero-day
lnk
raspberry robin
command execution
2025-03-18
shortcut
Published: March 18, 2025
Downloadable IOCs: 851

Analysis of Lazarus Group's Attack Targeting Windows Web Servers

The Lazarus group has been targeting Windows web servers, particularly in South Korea, installing webshells and C2 scripts to use compromised servers as proxies. The attacks involve multiple stages, including the use of LazarLoader malware and privilege escalation tools. The C2 scripts act as proxi…
windows
privilege escalation
webshell
iis
uac bypass
web servers
2025-03-11
c2 proxy
lazarloader
Published: March 11, 2025
Downloadable IOCs: 0

The Evolution of Dark Caracal Tools: Campaign Analysis Using the Poco RAT

Attacks using the Poco RAT are a continuation of the Dark Caracal group's campaign. This campaign was launched in 2022 and is aimed at Spanish-speaking countries in Latin America.
rat
phishing
windows
2025-03-05
vmware
bandook
poco rat
ultimate packer
executables
virtualbox
dark caracal
poco c++
Published: March 5, 2025
Downloadable IOCs: 41

Vgod RANSOMWARE

A new ransomware strain called Vgod has been observed targeting Windows systems. It encrypts files, appending the '.Vgod' extension, and leaves a ransom note titled 'Decryption Instructions.txt'. The ransomware changes the desktop wallpaper and employs a double extortion model, threatening data exp…
ransomware
evasion
windows
persistence
encryption
double extortion
2025-02-18
file extension
vgod
Published: February 18, 2025
Downloadable IOCs: 1

Ransomware Roundup – Lynx

The Lynx ransomware, first detected in July 2024, is a Windows-targeting malware that encrypts files and demands ransom for decryption. It shares similarities with the INC ransomware but offers more granular control. Lynx encrypts files with a .LYNX extension, changes desktop backgrounds, and print…
ransomware
windows
encryption
construction
data leak
manufacturing
2025-02-17
brave prince
lynx
Published: February 17, 2025
Downloadable IOCs: 9

From South America to Southeast Asia: The Fragile Web of REF7707

While the REF7707 campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign owners exhibited poor campaign management and inconsistent evasion practices.
linux
powershell
windows
persistence
siestagraph
certutil
scheduled task
2025-02-12
lolbas
southeast asia
finaldraft
ref7707
guidloader
pathloader
typo squatting
lolbin
remote admin
Published: February 12, 2025
Downloadable IOCs: 40

Malware Analysis: A Kernel Land Rootkit Loader for FK_Undead

This analysis delves into a Windows rootkit loader for the FK_Undead malware family, known for intercepting user network traffic through proxy manipulation. The loader, signed with a valid Microsoft certificate, installs itself as a system service and employs various evasion techniques. It download…
rootkit
evasion
windows
proxy
kernel
2024-12-11
vmprotect
driver
deaddrop
fk_undead
Published: December 11, 2024
Downloadable IOCs: 20

Meeten Malware: A Cross-Platform Threat to Crypto Wallets on macOS and Windows

A sophisticated scam targeting Web3 professionals has been identified, involving the Realst crypto stealer malware with variants for both macOS and Windows. The threat actors have created fake companies using AI-generated content to appear legitimate, cycling through various names like Meetio, Clus…
windows
macos
social-engineering
information theft
cross-platform
ai-generated content
web3
2024-12-07
meeten
electron application
crypto-stealer
realst
Published: December 7, 2024
Downloadable IOCs: 0

Helldown Ransomware: an overview of this emerging threat

Helldown is a new and highly active ransomware group that has claimed 31 victims in three months. It employs custom ransomware for Windows and Linux systems, engages in double extortion, and exploits vulnerabilities in Zyxel firewalls for initial access. The group exfiltrates large volumes of data,…
linux
ransomware
windows
data exfiltration
CVE-2024-42057
double extortion
2024-11-20
helldown
emerging threat
zyxel vulnerability
vmware esx
Published: November 20, 2024
Downloadable IOCs: 0

Fake AI video generators infect Windows, macOS with infostealers

Threat actors are using fake AI image and video generators to distribute Lumma Stealer and AMOS information-stealing malware on Windows and macOS. These malicious programs masquerade as an AI application called EditProAI, targeting users through search results and social media advertisements. The m…
social engineering
windows
infostealer
macos
lumma stealer
credential theft
ai
2024-11-16
deepfake
Published: November 16, 2024
Downloadable IOCs: 0

Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails

A newly discovered vulnerability in Windows NT LAN Manager (NTLM) has been exploited by suspected Russian hackers in cyber attacks against Ukraine. The flaw, identified as CVE-2024-43451, allows attackers to steal NTLMv2 hashes through minimal user interaction with malicious files. The exploit chai…
rat
phishing
windows
russia
ukraine
zero-day
CVE-2024-43451
2024-11-14
ntlm
spark rat
pass-the-hash
hash stealing
Published: November 14, 2024
Downloadable IOCs: 24

SmokeBuster Tool

ThreatLabz has developed SmokeBuster, a tool to detect, analyze, and remove SmokeLoader malware from infected systems. Despite Operation Endgame's disruption in May 2024, SmokeLoader continues to be used by threat groups. SmokeBuster supports various SmokeLoader versions and Windows systems, offeri…
windows
smokeloader
operation endgame
malware analysis
2024-10-31
thread manipulation
system performance
memory injection
dofoil
smokebuster
Published: October 31, 2024
Downloadable IOCs: 0

Russian Hackers Attacking Ukraine Military With Malware Via Telegram

Russian hackers, identified as UNC5812, are targeting the Ukrainian military through a sophisticated cyber operation. The attackers use a deceptive Telegram channel and website posing as a civil defense service to distribute malware for both Windows and Android devices. The Windows attack deploys P…
malware
social engineering
android
windows
russia
ukraine
information theft
telegram
cyber-espionage
pronsis loader
sunspinner
craxsrat
purestealer
2024-10-31
Published: October 31, 2024
Downloadable IOCs: 7

Akira ransomware continues to evolve

Akira ransomware has established itself as a prominent threat, constantly evolving its tactics. Initially employing double-extortion, it shifted focus to data exfiltration in early 2024. The group developed a Rust variant of their ESXi encryptor, moving away from C++. Recently, Akira has returned t…
linux
ransomware
windows
rust
CVE-2024-37085
vulnerability exploitation
akira
CVE-2023-27532
esxi
CVE-2024-40766
CVE-2023-48788
double-extortion
CVE-2024-40711
CVE-2023-20269
2024-10-22
CVE-2020-3259
CVE-2023-20263
chacha8
megazord
Published: October 22, 2024
Linked vulnerabilities : CVE-2024-37085 (CVSS 6.8), CVE-2024-40766 (CVSS 9.8), CVE-2024-40711 (CVSS 9.8), CVE-2023-27532, CVE-2023-20269, CVE-2020-3259, CVE-2023-48788, CVE-2023-20263
Downloadable IOCs: 37

Fog Ransomware – Technical Analysis

A new ransomware called Fog has been identified, affecting education and recreation centers in the United States. The threat actors gain access through compromised VPN credentials, disable Windows Defender, and deploy the ransomware. Fog is a 32-bit EXE file compiled using Microsoft Visual C/C++. I…
ransomware
windows
encryption
vpn
cryptography
2024-10-21
fog ransomware
file-encryption
multi-threading
process-termination
service-stopping
Published: October 21, 2024
Downloadable IOCs: 1

THREAT ANALYSIS: Beast Ransomware

The Beast Ransomware group, active since 2022, offers a Ransomware-as-a-Service (RaaS) platform with constant updates. It supports Windows, Linux, and ESXi systems, providing affiliates with customizable binary options. Beast employs advanced encryption methods, including Elliptic-curve and ChaCha2…
linux
windows
encryption
esxi
raas
2024-10-19
geofencing
file-targeting
multithreading
beast ransomware
self-propagation
monster
Published: October 19, 2024
Downloadable IOCs: 0

Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign

Threat actors are using fake Google Meet web pages as part of the ClickFix campaign to deliver infostealers targeting Windows and macOS systems. The attackers display fake error messages in web browsers, tricking users into executing malicious PowerShell code. The campaign has expanded to impersona…
social engineering
powershell
windows
rhadamanthys
stealer
macos
infostealers
stealc
clickfix
2024-10-18
google meet
atomic
Published: October 18, 2024
Downloadable IOCs: 0

Kernel shellcode persistence technique in APT attacks and CTF challenge

A security flaw in Windows 7 and Server 2008 R2 allows kernel shellcode to be hidden in the registry and executed during boot, despite patches. This vulnerability was exploited in a 2018 targeted attack. The SAS CTF challenge involved analyzing this technique, which uses buffer overflows in DirectX…
windows
persistence
shellcode
2024-10-17
drivers
ctf
buffer overflow
CVE-2010-4398
directx
kernel
registry
Published: October 17, 2024
Downloadable IOCs: 0

Unmasking CVE-2024-38178: The Silent Threat of Windows Scripting Engine

CVE-2024-38178 is a type confusion vulnerability in JScript9.dll, patched by Microsoft in August 2024. It allows bypassing the CVE-2022-41128 patch through incorrect JIT engine optimizations. APT37, a North Korean threat group, exploited this vulnerability in June 2024 against South Korean targets.…
windows
vulnerability
zero-day
rokrat
remote code execution
CVE-2024-38178
2024-10-17
apt37
CVE-2022-41128
type confusion
jscript9.dll
Published: October 17, 2024
Downloadable IOCs: 0

FASTCash for Linux

A newly identified variant of FASTCash "payment switch" malware specifically targets the Linux operating system, as well as Microsoft Windows, according to CISA and the Department of Homeland Security (DHS).
malware
linux
windows
code
cisa
2024-10-15
bluenoroff
fastcash
linux variant
ubuntu linux
atms
lira
linux sample
atmpos
triton
format
aix
Published: October 15, 2024
Downloadable IOCs: 12

Technical Analysis of a Novel IMEEX Framework

The IMEEX framework is a newly discovered, custom-built malware targeting Windows systems. Delivered as a 64-bit DLL, it offers extensive control over compromised machines, featuring execution of additional modules, file manipulation, process management, registry modification, and remote command ex…
malware
windows
persistence
infrastructure
stealth
2024-10-14
imeex
Published: October 14, 2024
Downloadable IOCs: 9

Lynx Ransomware: A Rebranding of INC Ransomware

Lynx ransomware, discovered in July 2024, is a successor to INC ransomware targeting organizations in retail, real estate, architecture, and financial services in the U.S. and UK. It shares significant source code with INC and operates as a ransomware-as-a-service model. Lynx employs double extorti…
linux
ransomware
windows
encryption
data leak
raas
double extortion
2024-10-14
lynx ransomware
inc ransomware
Published: October 14, 2024
Downloadable IOCs: 44

Ransomware Roundup - Underground

The Underground ransomware, first observed in July 2023, targets Windows machines by encrypting files and demanding ransom. Attributed to the Russia-based RomCom group, it exploits CVE-2023-36884 and other common infection vectors. The ransomware deletes shadow copies, modifies RemoteDesktop settin…
windows
encryption
2024-09-02
romcom
data leak
CVE-2023-36884
storm-0978
underground
Published: September 2, 2024
Linked vulnerabilities : CVE-2023-36884
Downloadable IOCs: 4

Analysis of two arbitrary code execution vulnerabilities affecting WPS Office

ESET researchers discovered two code execution vulnerabilities in WPS Office for Windows. CVE-2024-7262 was exploited by APT-C-60, a South Korea-aligned cyberespionage group, to target East Asian countries. The vulnerability allowed arbitrary code execution via a malicious hyperlink in a spreadshee…
windows
vulnerability
plugin
CVE-2024-7262
CVE-2024-7263
2024-08-30
wps office
taskcontroler.dll
hyperlink
spyglace
spreadsheet
code execution
Published: August 30, 2024
Linked vulnerabilities : CVE-2024-7262, CVE-2024-7263, CVE-2024-7672 (CVSS 7.8), CVE-2924-7263, CVE-2022-24934
Downloadable IOCs: 5

AppDomainManager Injection Technique Used to Execute Malware on Windows

Cybersecurity specialists have observed an escalation in attacks employing the AppDomainManager Injection technique, which exploits the .NET Framework's version redirection feature to manipulate legitimate EXE files and load malicious DLLs. These attacks commonly begin with a ZIP file containing a …
windows
javascript
2024-08-26
msc
remote execution
appdomainmanager
Published: August 26, 2024
Downloadable IOCs: 9

Exploiting CVE-2024-21412: A Stealer Campaign Unleashed

This report details a malicious campaign exploiting the CVE-2024-21412 vulnerability in Microsoft Windows SmartScreen to bypass security warnings and deliver malware. Attackers employ crafted links, LNK files, and HTA scripts to download decoy PDFs and shell code injectors, ultimately injecting ste…
malware
evasion
windows
stealer
CVE-2024-21412
injection
pdf
meduza stealer
2024-07-24
acr stealer
Published: July 24, 2024
Linked vulnerabilities : CVE-2024-21412
Downloadable IOCs: 27

MoonWalk

This blog post examines MoonWalk, a new backdoor employed by APT41, a China-based threat actor known for campaigns in Southeast Asia. MoonWalk utilizes numerous evasion techniques, including DLL hollowing, call stack spoofing, and the abuse of Windows Fibers to evade security solutions. It also lev…
backdoor
evasion
windows
moonwalk
nationstate
dodgebox
2024-07-12
googledrive
Published: July 12, 2024
Downloadable IOCs: 3

Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112)

Check Point Research discovered threat actors leveraging novel techniques to execute malicious code on Windows systems by exploiting Internet Explorer's vulnerabilities. The attackers utilized specially crafted .url files that, when opened, would launch IE and visit attacker-controlled URLs. Additi…
social engineering
windows
zero-day
CVE-2023-36025
exploitation
CVE-2021-40444
CVE-2024-38112
2024-07-10
internet explorer
malicious files
Published: July 10, 2024
Linked vulnerabilities : CVE-2024-38112 (CVSS 7.5), CVE-2021-40444, CVE-2023-36025
Downloadable IOCs: 7

Guntior - the story of an advanced bootkit that doesn't rely on Windows disk drivers

Amid the rise of bootkits at the time, a dropper was captured in-the-wild and posted on a malware tracker. The malware was called "Guntior", named after the device object its authors had chosen for it (\Device\Guntior). The name also appears in AV detections.
rootkit
windows
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
explorer
dll path
ntfs
payload dll
ime file
ioctl
ata bus
tdl4
rovnix
mebroot
tidserv
findwindow
mbr
guntior
Published: May 8, 2024
Downloadable IOCs: 6

Ransomware Roundup (April 29, 2024)

This concise report provides insights into the evolving ransomware landscape, covering the KageNoHitobito and DoNex variants. It analyzes their infection vectors, victimology, attack methods, and associated indicators of compromise (IoCs). The report also highlights Fortinet's protections against t…
ransomware
windows
data theft
ransom
darkrace
donex
encryption
kagenohitobito
Published: April 29, 2024
Downloadable IOCs: 7
Click here to see more Attack Reports