30.6.24

Unfurling Hemlock: New threat group uses cluster bomb campaign to distribute malware

GROUP

GROUP

30.6.24

Service Outages on Multiple Websites of the KADOKAWA Gro

GROUP

GROUP

28.6.24

The threat actor known as Unfurling Hemlock has been identified employing a method called "malware cluster bomb" to infect target systems with multiple malwares simultaneously.

ALERTS

VIRUS

28.6.24

Latrodectus is a popular loader utilized by threat actors to download payloads and execute arbitrary commands. Phishing emails are the most common attack vector for distributing the Latrodectus malware.

ALERTS

PHISHING

28.6.24

According to a recently published report, a suspected China-backed APT group named ChamelGang (aka CamoFei) has been disguising its cyberespionage operations by also incorporating ransomware.

ALERTS

RANSOM

28.6.24

Threat Actor group UAC-0184 has targeted Ukraine using a malware campaign to deliver a RAT known as XWorm. Using evasive techniques and through the use of Python-related files the XWorm malware compromises systems.

ALERTS

VIRUS

28.6.24

0bj3ctivity is an infostealer variant first observed last year in campaigns targeting Italy. A new campaign delivering this malware yet again to Italian users has been reported by CERT-AGID.

ALERTS

VIRUS

28.6.24

A new P2Pinfect variant has been reported to spread both ransomware and Monero coinminer payloads in recent campaigns. P2Pinfect is a Rust-based botnet leveraging peer-to-peer (P2P) communication as C&C mechanism.

ALERTS

VIRUS

28.6.24

CVE-2024-4358 and CVE-2024-1800 are two recently disclosed vulnerabilities affecting the Telerik Report Server.

ALERTS

VULNEREBILITY

28.6.24

Threat actor Boolka has been carrying out opportunistic SQL inection attacks against websites. When unsuspecting visitors land on the infected site(s) the JS inserted into the site(s) collects and exfiltrates the users inputs and interactions (such as credentials and other personal information).

ALERTS

VIRUS

28.6.24

Medusa malware for Android, also known as Tanglebot, has re-emerged in a new distribution campaign. The activity has been reported to target various countries across the world including he United States, Canada, France, Italy, Spain, the United Kingdom, and Turkey.

ALERTS

VIRUS

26.6.24

Medusa malware for Android, also known as Tanglebot, has re-emerged in a new distribution campaign. The activity has been reported to target various countries across the world including he United States, Canada, France, Italy, Spain, the United Kingdom, and Turkey.

ALERTS

VIRUS

26.6.24

As recently reported by researchers from Fortinet, Unstable and Condi botnets have been abusing various cloud services for storage and distribution of malware binaries as well as C2 communication purposes

ALERTS

VIRUS

26.6.24

CVE-2024-23692 is a recently disclosed critical template injection vulnerability affecting Rejetto HTTP File Server (HFS) version 2.3m. Rejetto HFS is a web-based file sharing solution allowing sending and receiving files over HTTP.

ALERTS

VULNEREBILITY

26.6.24

There is a growing cybersecurity trend where users are deceived into copying and pasting malicious PowerShell scripts into an administrative PowerShell terminal window, leading to malware installation.

ALERTS

VIRUS

26.6.24

A phishing email campaign utilizing a URL shortener in a Microsoft Word file attachment, exploiting the CVE-2017-0199 vulnerability, has been reported in the wild. The URL redirect enticed users to download a variant of Equation Editor malware in RTF format.

ALERTS

VIRUS

26.6.24

SpiceRAT is a new malware variant identified by Cisco Talos. The malware has been attributed to a threat actor known as SneakyChef that has been conducting malicious campaigns against governmental entities in EMEA.

ALERTS

VIRUS

26.6.24

A new variant of the Android malware SpyMax has been observed in recent campaigns targeting Telegram users. The malicious .apk binaries are spread via a website masqueraded as a legitimate Telegram app download portal.

ALERTS

VIRUS

26.6.24

A cyber espionage campaign targeting Russian organizations by the ExCobalt threat actor has been observed. This campaign specifically targets government entities and IT firms.

ALERTS

CAMPAIGN

26.6.24

CVE-2024-29824 is a critical SQL Injection vulnerability in Core server of Ivanti Endpoint Manager, which is an enterprise endpoint management solution that allows for centralized management of devices within an organization.

ALERTS

VULNEREBILITY

26.6.24

PHANTOM#SPIKE is a recent malicious campaign identified in the wild. The attackers leverage phishing lures with password protected .rar and .zip archives.

ALERTS

CAMPAIGN

26.6.24

Red Mongoose Daemon is a new banking malware variant identified by researchers from Scitum. The malware has been observed in campaigns targeting banking users and organizations in Brazil.

ALERTS

VIRUS

26.6.24

CVE-2021-41773 is a critical (CVSS score 7.5) path traversal and file disclosure vulnerability affecting Apache HTTP Server. If successfully exploited, this vulnerability enables unauthorized access of sensitive information.

ALERTS

VULNEREBILITY

26.6.24

Web shell attacks are a common technique used by attackers to maintain persistence and remotely access web servers during cyberattacks.

ALERTS

CRYPTOCURRENCY

26.6.24

Rafel RAT is an open-source mobile malware observed in some recent campaigns targeting Android users. As reported by Checkpoint, the malware is a versatile tool that allows the attackers both data exfiltration as well as remote control over the infected device.

ALERTS

VIRUS

26.6.24

Satanstealer is a new open source infostealing malware shared on GitHub.

ALERTS

VIRUS

26.6.24

A new phishing campaign involving embedded QR codes in PDF attachments has been reported. ONNX Store, a known Phishing-as-a-Service (PhaaS) platform, has been used to orchestrate this campaign targeting financial institutions.

ALERTS

EXPLOIT

26.6.24

A new loader malware dubbed SquidLoader has been reported as being active distributed via phishing campaigns targeting Chinese-speaking users. The malware employs various evasion and decoy techniques in order to stay under the radar and avoid detection.

ALERTS

VIRUS

26.6.24

Threat actors continue masquerading as members of Human resources (HR) department in efforts to spread a new wave of phish emails.

ALERTS

PHISHING

26.6.24

In a newly released report, Symantec’s Threat Hunter Team provide an analysis of activity observed impacting telecommunications operators in a specific Asian country.

ALERTS

CAMPAIGN

26.6.24

TA571 has recently been observed utilizing malicious HTML files in malspam campaigns. These files, once opened, copy a malicious PowerShell script to the user's clipboard while displaying an image that states the attached document is broken,

ALERTS

GROUP

26.6.24

Fickle Stealer is a recently observed malware written in Rust. Attackers leverage multiple delivery methods in a multi-stage attack chain to distribute the payload.

ALERTS

VIRUS

27.6.24

ChamelGang & Friends | Cyberespionage Groups Attacking Critical Infrastructure with Ransomware

Group

Gang

26.6.24

Inside the DEA Tool Hackers Allegedly Used to Extort Targets

GROUP

APT

26.6.24

ExCobalt: GoRed, the hidden-tunnel technique

GROUP

Cyber Gang

20.6.24

Sustained Campaign Using Chinese Espionage Tools Targets Telcos

CAMPAIGN

CAMPAIGN

19.6.24

The Travels of “markopolo”: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications

CRYPTOCURRENCY

Scam

19.6.24

AzzaSec is another run-of-the-mill ransomware variant found being distributed in the wild. The malware encrypts user files and appends .AzzaSec extension to them. The attackers behind this variant leave a ransom note demanding payment in Bitcoin for the file decryption.  

ALERTS

RANSOM

19.6.24

A new variant of an open-source LKM (Loadable Kernel Module) rootkit dubbed Diamorphine has been found in the wild.

ALERTS

VIRUS

19.6.24

A malvertising campaign has been observed, enticing users to download masqueraded installers disguised as popular software such as Google Chrome and Microsoft Teams.

ALERTS

VIRUS

19.6.24

Malware campaigns affecting users in Latin America and the Asia Pacific regions have recently been reported. These campaigns target users of popular commercial software such as the Cisco Webex Meetings App, enticing them to download password-protected archive files containing trojanized software copies.

ALERTS

VIRUS

19.6.24

The cybercriminal group known as Rogue Raticate (aka RATicate) has been active for a few years now and is well-known for targeting enterprises using malicious emails and remote access trojans. This week another one of their campaigns was observed.

ALERTS

VIRUS

19.6.24

Cloaked and Covert: Uncovering UNC3886 Espionage Operations

GROUP

CAMPAIGN

19.6.24

Behind the Great Wall: Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 C&C Framework

CAMPAIGN

Malware

19.6.24

The Travels of “markopolo”: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications

CRYPTOCURRENCY

Scam

18.6.24

Proofpoint researchers identified an increasingly popular technique leveraging unique social engineering to run PowerShell and install malware.

HACKING

PowerShell

18.6.24

A recent malware campaign targeting macOS vulnerabilities to distribute infostealers has surfaced. The threat actor, identified as markopolo, is actively aiming at cryptocurrency users.

ALERTS

VIRUS

18.6.24

A new cryptojacking campaign targeting publicly exposed Docker Engine hosts has been observed. It is presumed to be associated with the threat actors behind the previously seen malware campaign dubbed Spinning YARN. The attack vector starts by scanning for open port 2375 and deploying an Alpine Linux container.

ALERTS

CRYPTOCURRENCY

18.6.24

Rapax is a ransomware whose binaries have recently been submitted to a public malware analysis and detection platform. The ransom note found on compromised machines (instruction.txt) reveals that the author focuses solely on encrypting files rather than employing exfiltration and double-extortion tactics, demanding a ransom of 5,000 US dollars in Bitcoin for decryption.

ALERTS

RANSOM

18.6.24

Info Stealing Campaign Uses DLL Sideloading Through Legitimate Cisco Webex’s Binaries for Initial Execution and Defense Evasion

MALWARE

Loader

18.6.24

Spinning YARN - A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence

CAMPAIGN

Malware

18.6.24

Multiple VMware vCenter Server Flaws Allow Remote Code Execution

VULNEREBILITY

CVE

17.6.24

Ministry of Defence of the Netherlands uncovers COATHANGER,a stealthy Chinese FortiGate RAT

MALWARE

RAT

17.6.24

Limpopo is new ransomware variant targeting the vulnerable ESXi servers, as reported by Fortinet.

ALERTS

RANSOM

17.6.24

CVE-2024-28995 is a recently disclosed Directory Traversal vulnerability affecting Serv-U managed file transfer (MFT) server solution.

ALERTS

VULNEREBILITY

17.6.24

Deep Dive into the Unfading Sea Haze A technical look at a threat actor’s ever-evolving tools and tactics

REPORT

REPORT

17.6.24

The vulnerable edge of enterprise security

PAPERS

PAPERS

17.6.24

China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence

OPERATION

OPERATION

17.6.24

Unfading Sea Haze: New Espionage Campaign in the South China Sea

OPERATION

OPERATION

17.6.24

Certain models of ASUS routers have buffer overflow vulnerabilities, allowing remote attackers with administrative privileges to execute arbitrary commands on the device.

VULNEREBILITY

CVE

17.6.24

Certain ASUS router models have authentication bypass vulnerability, allowing unauthenticated remote attackers to log in the device.

VULNEREBILITY

CVE

17.6.24

TIKTAG: Breaking ARM’s Memory Tagging Extension with Speculative Executi

PAPERS

PAPERS

17.6.24

TIKTAG: Breaking ARM’s Memory Tagging Extension with Speculative Executi

ATTACK

ARM CPU

17.6.24

Backdoor BadSpace delivered by high-ranking infected websites

MALWARE

Backdoor

17.6.24

Botnet Installing NiceRAT Malware

MALWARE

RAT

16.6.24

PHP

Exploit

WebApps

16.6.24

Multiple

Exploit

WebApps

16.6.24

PHP

Exploit

WebApps

16.6.24

Hardware

Exploit

Remote

16.6.24

PHP

Exploit

WebApps

16.6.24

PHP

Exploit

WebApps

16.6.24

PHP

Exploit

WebApps

16.6.24

PHP

Exploit

WebApps

16.6.24

PHP

Exploit

WebApps

16.6.24

PHP

Exploit

WebApps

16.6.24

PHP

Exploit

WebApps

15.6.24

Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.

MALWARE TRAFFIC

MALWARE TRAFFIC

15.6.24

Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.

MALWARE TRAFFIC

MALWARE TRAFFIC

15.6.24

Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.

MALWARE TRAFFIC

MALWARE TRAFFIC

15.6.24

Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.

MALWARE TRAFFIC

MALWARE TRAFFIC

15.6.24

Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.

MALWARE TRAFFIC

MALWARE TRAFFIC

15.6.24

DISGOMOJI Malware Used to Target Indian Government

MALWARE

Linux

15.6.24

Smishing Triad Is Targeting Pakistan To Defraud Banking Customers At Scale

MALWARE

Banking

14.6.24

(CVSS score: 4.6) - An SQL injection flaw when displaying a QR code into the device's camera by passing a specially crafted request containing a quotation mark, thereby allowing an attacker to authenticate as any user in the database

VULNEREBILITY

CVE

14.6.24

(CVSS score: 10.0) - A set of command injection flaws that allows for execution of arbitrary OS commands with root privileges

VULNEREBILITY

CVE

14.6.24

(CVSS score: 7.5) - A set of arbitrary file read flaws that allows an attacker to bypass security checks and access any file on the system, including sensitive user data and system settings

VULNEREBILITY

CVE

14.6.24

(CVSS score: 10.0) - A set of arbitrary file write flaws that allows an attacker to write any file on the system with root privileges, including altering the user database to add rogue users

VULNEREBILITY

CVE

14.6.24

(CVSS score: 7.5) - A set of SQL injection flaws that allows an attacker to inject malicious SQL code and perform unauthorized database operations and siphon sensitive data

VULNEREBILITY

CVE

14.6.24

(CVSS score: 10.0) - A set of stack-based buffer overflow flaws that allows an attacker to execute arbitrary code

VULNEREBILITY

CVE

14.6.24

Insights on Cyber Threats Targeting Users and Enterprises in Brazil

GROUP

GROUP

14.6.24

Exploiting ML models with pickle file attacks: Part 2

HACKING

ML

14.6.24

Exploiting ML models with pickle file attacks: Part 1

HACKING

ML

14.6.24

Arid Viper poisons Android apps with AridSpy

APT

APT

14.6.24

Arid Viper | APT’s Nest of SpyC23 Malware Continues to Target Android Devices

APT

APT

14.6.24

Operation Celestial Force employs mobile and desktop malware to target Indian entities

OPERATION

OPERATION

14.6.24

In Bad Company: JScript RAT and CobaltStrike

MALWARE

RAT

14.6.24

Dissecting SSLoad Malware: A Comprehensive Technical Analysis

MALWARE

Loader

14.6.24

there is a possible way to bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Vulnerebility

CVE

14.6.24

OPIX is a newly discovered ransomware variant typically spread through social engineering tactics such as phishing emails and drive-by downloads. The malware modifies user files by encrypting them with a random character string and appending a ".OPIX" extension. For example, a file called "test.txt" becomes something like "B532D3Q9.OPIX".

ALERTS

RANSOM 

14.6.24

In a recent malspam campaign attackers appear to have altered their tactics in order to avoid detection. Instead of the typical approach of sending direct emails with malicious links, in this case they began with benign emails discussing a random scenario.

ALERTS

Virus

14.6.24

El Dorado is a double-extortion ransomware actor who has recently claimed multiple victims on their website. Once they gain access to a company, they search for machines with valuable data to exfiltrate and encrypt, appending .00000001 to encrypted files.

ALERTS

RANSOM 

14.6.24

A new malicious campaign dubbed 'Operation Celestial Force' has been reported by the researchers from Cisco Talos. The campaign has been active since at least 2018 and targeting Indian organizations from the defense, government and technology sectors.

ALERTS

OPERATION

14.6.24

As part of June's patch Tuesday, Microsoft has patched a critical (CVSS score 9.8) Message Queuing (MSMQ) vulnerability CVE-2024-30080. By sending specially crafted malicious MSMQ packets to the vulnerable servers and thus exploiting the vulnerability, the attackers might achieve remote code execution and take over the unpatched server.

ALERTS

VULNEREBILITY 

14.6.24

CVE-2024-4701 is a recently disclosed critical (CVSS score 9.9) path traversal vulnerability affecting Netflix' Genie job orchestration engine for big data applications. If successfully exploited the vulnerability might allow remote attackers arbitrary code execution within the vulnerable applications as well as sensitive information exposure. The vulnerability has been already patched in Genie OSS version 4.3.18.

ALERTS

VULNEREBILITY 

14.6.24

CVE-2024-2194 is a recently disclosed stored cross-site scripting vulnerability affecting WP Statistics plugin for WordPress in versions up to 14.5. If successfully exploited the vulnerability might allow unauthenticated attackers to inject arbitrary web scripts in pages.

ALERTS

VULNEREBILITY 

13.6.24

Noodle RAT: Reviewing the Backdoor Used by Chinese-Speaking Groups

MALWARE

RAT

13.6.24

Pause off my cluster: DERO cryptojacking takes a new shape

CRYPTOCURRENCY

CRYPTOCURRENCY

13.6.24

Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day

RANSOMWARE

RANSOMWARE

13.6.24

Windows Error Reporting Service Elevation of Privilege Vulnerability

Vulnerebility

CVE

13.6.24

Dipping into Danger: The WARMCOOKIE backdoor

MALWARE

Backdoor

13.6.24

Noodle RAT is a malware variant recently identified by researchers from Trend Micro. This RAT has been reported as being used in targeted campaigns in the Asia-Pacific region. Noodle RAT is a modular malware with relatively straightforward capabilities and displays several code overlaps with Gh0st RAT and Rekoobe malware families.

ALERTS

Virus

13.6.24

Adwind malware (also known as jRAT or njRAT) has been observed in recent campaigns targeting users in Italy. The attack chain includes malspam emails containing .zip attachments. Upon extraction the user is served with .HTML files such as INVOICE.html or DOCUMENT.html that lead to malicious .jar files.

ALERTS

Virus

13.6.24

WarmCookie is a new backdoor variant distributed in phishing campaigns advertising fake job offers. The attack chain leverages malicious JS scripts executing PowerShell commands that in turn lead to the download of WarmCookie DLL payloads. The attackers abuse the Background Intelligent Transfer Service (BITS) to download the malicious payloads.

ALERTS

Virus

13.6.24

In a newly released report, Symantec’s Threat Hunter Team reviewed evidence that suggests that attackers linked to Black Basta ransomware compiled CVE-2024-26169 exploit prior to patching. The vulnerability CVE-2024-26169 is a Windows Error Reporting Service exploit that can permit an attacker to elevate their privileges.

ALERTS

Virus

13.6.24

A malware campaign has been observed delivering a newer version of ValleyRAT as the final payload. The attack vector involves a downloader with an injected shellcode that dynamically resolves APIs and establishes a connection with the C2 server to download the next stage malware.

ALERTS

Virus

12.6.24

A recent phishing campaign spreading Remcos RAT employs themed documents related to shipping or quotations. The attack commences with a UUE-encoded VBS script, leading to the another obfuscated VBS script upon decoding. This script facilitates the saving and execution of a PowerShell script, which in turn connects to a link to download an additional obfuscated PowerShell script. The purpose of this obfuscation chain is to evade detection.

ALERTS

Virus

12.6.24

Over the past few months, more and more phishing actors via malicious HTML have been following in the footsteps of Infostealers and RATs, and are now also abusing the Telegram Bot API to harvest users' credentials and other sensitive information such as credit cards details.

ALERTS

PHISHING 

12.6.24

CVE-2024-4577 - is a high-severity (CVSS: 9.8) argument injection vulnerability in PHP, which is a popular scripting tool. This vulnerability affects PHP when it runs in CGI mode. A successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary code on the vulnerable PHP server, leading to complete system compromise and deliver malware including ransomware.

ALERTS

VULNEREBILITY 

12.6.24

A new ransomware variant dubbed Fog has been recently distributed in the wild. The attackers behind this malware have been leveraging compromised VPN credentials to attack vulnerable networks of US organizations from the education and recreation sector.

ALERTS

RANSOM 

12.6.24

AZStealer is a recently discovered Python-based infostealer variant. It has the functionality to steal a wide variety of information from the compromised endpoints including: data stored in browsers (cookies, history, bookmarks, passwords, saved credit card info and autofill data), Discord tokens, login sessions from miscellaneous applications including Steam, Uplay, Tiktok, Telegram, Twitch, Spotify, Reddit or Roblox.

ALERTS

Virus

12.6.24

A malware campaign conducted by the Fireant (also known as Mustang Panda) APT group using Windows shortcut (LNK) files has been reported. The threat actor targets Vietnamese entities with lures related to the education sector and tax compliance. The attack vector involves phishing emails with archive (zip, rar) attachments containing malicious LNK files. The final payload is believed to be the PlugX RAT, which helps the attackers to remotely execute various commands on the compromised system.

ALERTS

APT 

12.6.24

Numerous malicious Python packages have been observed on the Python Package Index (PyPI) repository, aimed at exploiting typosquatting to target users of legitimate packages. For instance one such package, 'crytic-compilers', masquerades as the legitimate library 'crytic-compile' and is designed to distribute the Lumma stealer. Similarly, another malicious PyPI package, 'pytoileur', is capable of downloading and installing trojanized Windows binaries for purposes such as surveillance, persistence, and crypto theft.

ALERTS

Virus

12.6.24

Dero, a cryptocurrency, offers better privacy, anonymity and faster rewards than Monero, and is often used in cryptojacking according to a March 2023 report. A recent report from a threat researcher discussed the cryptojacking campaign's evolution, where the attack vector involves exploiting an externally accessible Kubernetes API server with anonymous authentication enabled.

CRYPTOCURRENCY 

12.6.24

Win32k Elevation of Privilege Vulnerability

Vulnerebility

CVE

12.6.24

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Vulnerebility

CVE

12.6.24

Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability

Vulnerebility

CVE

12.6.24

Windows Wi-Fi Driver Remote Code Execution Vulnerability

Vulnerebility

CVE

12.6.24

Microsoft Outlook Remote Code Execution Vulnerability

Vulnerebility

CVE

12.6.24

Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability New

Vulnerebility

CVE

12.6.24

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue.

Vulnerebility

CVE

12.6.24

WHAT A SHOW! AN AMPLIFIED INTERNET SCALE DNS PROBING OPERATION

OPERATION

OPERATION

12.6.24

Technical Analysis of the Latest Variant of ValleyRAT

MALWARE

RAT

11.6.24

More_eggs Activity Persists Via Fake Job Applicant Lures

MALWARE

Backdoor

11.6.24

UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion

GROUP

GROUP

11.6.24

Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.This issue affects Bifrost GPU Kernel Driver: from r34p0 through r40p0; Valhall GPU Kernel Driver: from r34p0 through r40p0.

Vulnerebility

CVE

11.6.24

SSLoader malware uses PhantomLoader (an effective tool for deploying malware) to enhance its elusive and stealthy behavior. This malware infiltrates via phishing mail campaigns, performs reconnaissance while evading detection, and exfiltrates data back to threat actors while delivering payloads through various techniques. 

ALERTS

Virus

11.6.24

It is generally known that JScript-based RATs are often spread via phishing campaigns, and a recent attack was spotted using the same technique as former runs where an initial loader script connects to a C&C server triggering the transmission of a new malicious script, known as the second stage loader. This loader then fetches a JScript RAT component from the server, enabling persistent operation and execution of commands received from the server.

ALERTS

Virus

11.6.24

A malicious backdoor malware, masquerading as an Advanced IP Scanner, has been observed in the wild. Advanced IP Scanner is a free network scanner for Windows, primarily used by IT administrators to analyze local area networks (LANs) and gather information about connected devices.

ALERTS

Virus

11.6.24

A new campaign involving the Grandoreiro banking trojan has been observed in the wild. The threat actors are leveraging spear-phishing emails masquerading as correspondence from government entities to lure recipients into downloading ZIP files infected with malware.

ALERTS

Virus

11.6.24

Agent Tesla, an infostealing .Net based RAT, has recently been observed sending Spanish language malspam with attached XLA files. These files are crafted to take advantage of multiple old vulnerabilities in Office documents (CVE-2017-11882 and CVE-2017-0199) which causes Excel to automatically download and open remotely stored malicious RTF and JS files, which eventually leads to an Agent Tesla infection.

ALERTS

Virus

10.6.24

Researchers recently identified another drive-by download campaign, wherein users are deceived into downloading a malware-laden application named 'KMSPico activator tool.' This tool, is marketed as a "universal activator" for Windows, but no longer maintained.

ALERTS

GROUP 

10.6.24

Howling at the Inbox: Sticky Werewolf's Latest Malicious Aviation Attacks

GROUP

GROUP

9.6.24

CVE-2024-4577: Proof of Concept Available for PHP-CGI Argument Injection Vulnerability

Vulnerebility

CVE

8.6.24

Sticky Werewolf is a threat group initially discovered over a year ago. The attackers have been known to target various organizations, most recently the pharmaceutical and aviation sectors. In their attacks the threat actors leverage malicious .lnk files disguised as .docx documents, decoy .pdf files, malicious Batch and AutoIT scripts, among others.

ALERTS

APT 

8.6.24

Seidr is another recent infostealer variant found in the wild and sold via illicit marketplaces. The malware is C++ based with modular architecture. Functionality-wise Seidr steals various information from the compromised endpoints including, OS-related information, data collected from system browsers via keylogging, cryptocurrency wallets etc.

ALERTS

Virus

8.6.24

DORRA is a recently found ransomware variant from the Makop malware family. The malware encrypts user files, appending the ".DORRA" extension, a unique ID and the developer's email address to them. The ransomware drops a ransom note as a text file called "README-WARNING.txt" where the victims are asked to contact the attackers via provided email for further instructions regarding the data decryption.

ALERTS

RANSOM 

8.6.24

A recent campaign targeting Apache RocketMQ platforms, exploiting a known vulnerability (CVE-2023-33246) for remote code execution, has been observed. As part of the campaign, threat actors are deploying the Muhstik botnet, known for denial-of-service (DDoS) attacks. Muhstik provides persistence, evades detection, performs lateral movement, and communicates through an IRC command-and-control server. The malware can be used for cryptocurrency mining and launching distributed denial-of-service attacks.

ALERTS

BOTNET 

8.6.24

An updated version of the Vidar Stealer has been observed in the wild. This customizable malware is being sold on the dark web and Telegram channels as malware-as-a-service, leveraging social media platforms as part of its command-and-control infrastructure, and collaborating with other malware strains such as STOP/Djvu ransomware and SmokeLoader backdoor.

ALERTS

Virus

8.6.24

CashRansomware (aka CashCrypt) is a newly identified Ransomware‑as‑a‑Service (RaaS) variant. As reported by researchers from Tehtris, the malware appears to be still in active development. CashRansomware is C#-based malware that leverages time‑stomping techniques to detect its execution within a sandbox or a virtualized environment.

ALERTS

RANSOM 

8.6.24

The UNC1151 APT group has been observed conducting a malware campaign utilizing a malicious Excel document. This group is known for targeting Eastern European countries. In the recent campaign, UNC1151 has been observed targeting the Ukrainian Ministry of Defence, utilizing a malicious Excel document as a lure.

ALERTS

APT 

7.6.24

PHP

Exploit

WebApps

7.6.24

PHP

Exploit

WebApps

7.6.24

PHP

Exploit

WebApps

7.6.24

PHP

Exploit

WebApps

7.6.24

PHP

Exploit

WebApps

7.6.24

PHP

Exploit

WebApps

7.6.24

Multiple

Exploit

WebApps

7.6.24

Veeam’s goal is to relentlessly advance data and cyber resilience to keep your business running.

REPORT

REPORT

7.6.24

Renewed Info Stealer Campaign Targets Ukrainian Military

CAMPAIGN

CAMPAIGN

7.6.24

SPECTR Malware Targets Ukraine Defense Forces in SickSync Campaign

MALWARE

Stealer

7.6.24

Ghostwriter is referred as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself.

GROUP

GROUP

7.6.24

Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers

GROUP

Cryptojacking

7.6.24

Muhstik Malware Targets Message Queuing Services Applications

MALWARE

Trojan

6.6.24

BoxedApp products are general packers built on top of its SDK, which provides the ability to create Virtual Storage (Virtual File System, Virtual Registry), Virtual Processes, and a universal instrumentation system (WIN/NT API hooking).

MALWARE

App

6.6.24

Russia-linked 'Lumma' crypto stealer now targets Python devs

MALWARE

Stealer

6.6.24

CVE-2024-32113 is a recently disclosed path traversal vulnerability affecting Apache OFBiz, which is an open source enterprise resource planning (ERP) system. If successfully exploited the vulnerability might lead to remote code execution in the context of the affected service account. The vulnerability has been patched in Apache OFBiz product version 18.12.13 or above.

ALERTS

VULNEREBILITY 

6.6.24

An increasing trend of abusing Packer apps as a technique to deploy malware payloads has been observed in the wild. Numerous known malware families, primarily related to RATs and stealers, have been exploiting commercial Packer apps, targeting financial institutions and government organizations. BoxedApp packer is one such utility that offers features like virtual storage, virtual processes, and a virtual registry, making it harder for endpoint protection systems to detect or analyze malware.

ALERTS

Virus

6.6.24

Threat actors are constantly seeking out new tactics and platforms to evade detection and carry out their espionage activities. Most recently, an increasing trend in targeting the Linux platform has been observed, resulting in a surge of Linux malware. Threat actors are leveraging the Kiteshield packer to evade detection on Linux platforms.

ALERTS

Virus

6.6.24

Reports have described what seems to be an accidental cyber threat activity where a CoinMiner's proxy server was exposed to the Internet and became the target of a ransomware threat actor's RDP scan attack. This kind of practice, if it becomes more common, may complicate threat analysis as it blurs the lines between different attack groups and their intentions.

ALERTS

RANSOM 

6.6.24

SenSayQ is an emerging ransomware actor who has recently been observed in the threat landscape. At this time, their modus operandi remains shrouded, but they employ double-extortion tactics, exfiltrating data from companies' environments and encrypting their files. This group uses a Lockbit variant to conduct encryption and it drops ransom notes in most folders ([randomID].README.txt) whose content starts with "---Welcome! Your are locked by SenSayQ!---". Similar to other ransomware actors, victims are pressured to make contact within 72 hours or else their stolen data will be published on the attacker’s website.

ALERTS

RANSOM 

6.6.24

A new Linux variant belonging to the TargetRansomware (aka Mallox) malware family has been found in the wild. As called out in the recent report published by Trend Micro, the threat group leveraging this latest Linux variant is actively conducting attacks against ESXi environments. The attackers are also using a custom shell script for the purpose of payload delivery and victim's information exfiltration. The malware encrypts user data and appends .locked extension to the encrypted files. Upon completed encryption a ransom note in form of a text file called "HOW TO DECRYPT.txt" is dropped onto the victim's machine.

ALERTS

RANSOM 

6.6.24

Cuckoo is an infostealing macOS malware initially discovered earlier this year. A new variant of it has just recently been observed in the wild. This variant has been distributed via a fake Homebrew macOS package manager website. The malware has the usual infostealing features allowing it to steal confidential information, credentials, browser cookies, cryptocurrency wallets and exfiltrate the collected data to C2 servers controlled by the attackers. The new Cuckoo variant has also added some VM environment detection capabilities.

ALERTS

Virus

6.6.24

In a newly released report, Symantec’s Threat Hunter Team provide an analysis of the highly active RansomHub ransomware and its similarity to the now defunct Knight ransomware. Analysis indicates that the developers of RansomHub are different from those that developed Knight, but based on a significant overlap of code, it's assumed the RansomHub developers likely purchased Knight source code which was offered for sale in early 2024. As with others, RansomHub attacks involve vulnerability exploitation and dual-use tools to aid in distribution.

ALERTS

RANSOM 

6.6.24

The messaging application 'Signal' is famous among the military and is currently being exploited to deliver DarkCrystal RAT malware to government officials, military personnel, and representatives of defense enterprises in Ukraine. The infection chain begins when the victim receives a message with an archive, password, and instructions to open it. Inside the archive is an executable file (".pif" or ".exe"), which is a RARSFX archive containing a VBE file, a BAT file, and an EXE file. Running these files infects the computer with DarkCrystal RAT malware, granting attackers unauthorized access.

ALERTS

Virus

6.6.24

A new campaign targeting Ukraine with Cobalt Strike payloads has been observed by researchers from Fortinet. The attackers leverage a multi-staged approach while delivering Excel files containing malicious VBA macros, as well as DLL downloaders and injectors in later attack stages. The Cobalt Strike payloads allow the attackers to establish communication with command and control (C2) servers and execute arbitrary commands.

ALERTS

CAMPAIGN 

6.6.24

Nubank, a leading digital bank in Latin America known for its no-fee credit card and mobile banking services, has been one of the latest financial companies to have its brand abused in social engineering schemes aimed at luring mobile users in Brazil. An actor has fabricated malicious Android applications (Nubank.apk) to appear related to Nubank. These applications are likely being distributed via malicious SMS or other social platforms. If a user is successfully lured and installs the fake Nubank app on their mobile device, they will end up with a well-known remote access trojan known as SpyNote.

ALERTS

Virus

6.6.24

CVE-2024-24919 is an information disclosure vulnerability in Check Point Security Gateway. Check Point Security Gateway is an integrated software solution that connects corporate networks, branch offices, and business partners via a secure channel. Successful exploitation of this vulnerability may allow an attacker to access certain information on internet-connected Gateways, which have been configured with IPSec VPN, remote access VPN, or mobile access software blade. Symantec's network protection technology, Intrusion Prevention System (IPS), blocks these vulnerability exploitation attempts to prevent further infection/damage to the system.

ALERTS

VULNEREBILITY 

6.6.24

Recently, a critical remote code execution (RCE) vulnerability has been discovered in Apache HugeGraph-Server, identified as CVE-2024-27348 (CVSS: 9.8). Apache HugeGraph-Server is an open-source graph database that provides a scalable and high-performance solution for managing and analyzing large-scale graph data. It is commonly used in Java8 and Java11 environments. The vulnerability affects versions 1.0.0 to 1.3.0 in Java8 and Java11. This vulnerability allows an attacker to execute arbitrary commands on the server.  If successfully exploited, the impact of this vulnerability can be severe, as it can allow unauthorized access to attackers to gain full control over the server, data manipulation, and potential compromise of the entire system. Symantec's network protection technology, Intrusion Prevention System (IPS) blocks these vulnerability exploitation attempts to prevent further infection/damage to the system.

ALERTS

VULNEREBILITY 

6.6.24

Over the past year the Ransomware actor known as "Underground" has been less active than other groups, yet they remain in the threat landscape and continue to target industries of various size. They are known to generate a lengthy ransom note (!!READ_ME!!.txt) with detailed information that has been exfiltrated. Victims are provided with an ID and a password that allow them to connect with the ransomware group through a website on the TOR network. 

ALERTS

RANSOM 

6.6.24

A botnet malware campaign has been reported distributing the NiceRAT malware, disguising itself as Windows or Office genuine authentication tools or free game servers, through domestic file-sharing sites or blogs. NiceRAT is a Python-based open-source program with anti-debugging and anti-virtual machine capabilities. It collects system information, browser information, and cryptocurrency data from compromised systems and exfiltrates the collected data to threat actors' Discord channel, used as a Command and Control (C&C) server.

ALERTS

Virus

6.6.24

ClearFake, a JavaScript framework, utilizes both drive-by-downloads and social engineering tactics, often in fake "browser update" campaigns. Recently, researchers uncovered a new strategy by ClearFake, where users are deceived into manually executing malicious code in PowerShell. This differs from previous tactics where users were typically lured into unwittingly downloading a malicious payload. The change aims to evade security measures and eventually install LummaC2 infostealer malware.

ALERTS

Virus

6.6.24

A recent campaign has seen Brazilian users being targeted by a banking Trojan dubbed CarnavalHeist. The infection chain begins with a financial themed mail through which the recipient is lured into downloading an invoice (named as "Nota Fiscal" which is Portuguese for invoice). The actual download is a malicious LNK file which leads to further downloads and executions of script components which are responsible for delivering the final malicious payload. Details regarding the campaign and suspected attacker information were made available in a newly published report by Cisco Talos.

ALERTS

Virus

6.6.24

RedTail cryptocurrency mining malware has added PAN-OS vulnerability to its exploit arsenal. PAN-OS CVE-2024-3400 is a now patched vulnerability that allows an attacker to execute an arbitrary code file with root user privileges. Exploiting this PAN-OS vulnerability and executing the commands successfully can lead to the downloading of the RedTail payload. This malware employs advanced evasion and persistence techniques. RedTail has also used other propagation mechanisms involving other vulnerability exploits (such as CVE-2023-46805 and CVE-2024-21887).

ALERTS

CRYPTOCURRENCY 

5.6.24

OPERATION

OPERATION

5.6.24

HACKING

HACKING

5.6.24

RANSOMWARE

RANSOMWARE

5.6.24

Vulnerebility

CVE

5.6.24

Vulnerebility

CVE

5.6.24

Vulnerebility

CVE

5.6.24

Vulnerebility

CVE

5.6.24

Vulnerebility

CVE

5.6.24

OPERATION

RAT

5.6.24

OPERATION

RAT

5.6.24

Vulnerebility

CVE

5.6.24

Malware

RAT

5.6.24

Vulnerebility

CVE

5.6.24

Malware

RAT

3.6.24

ANALÝZA

Malware

3.6.24

Malware

3.6.24

ANALÝZA

Malware

3.6.24

Hacking Millions of Modems (and Investigating Who Hacked My Modem)

HACKING

Hardware

3.6.24

Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group)

GROUP

APT

3.6.24

Fake Browser Updates delivering BitRAT and Lumma Stealer

Malware

Stealer

3.6.24

Fake Browser Updates delivering BitRAT and Lumma Stealer

Malware

RAT

1.6.24

PHP

Exploit

WebApps

1.6.24

Hardware

Exploit

Remote

1.6.24

Windows

Exploit

Remote

1.6.24

PHP

Exploit

WebApps

1.6.24

PHP

Exploit

WebApps

1.6.24

Hardware

Exploit

WebApps

1.6.24

Hardware

Exploit

WebApps

1.6.24

Multiple

Exploit

WebApps

1.6.24

PHP

Exploit

WebApps

1.6.24

PHP

Exploit

WebApps

1.6.24

PHP

Exploit

WebApps

1.6.24

Lumen Technologies’ Black Lotus Labs identified a destructive event, as over 600,000 small office/home office (SOHO) routers were taken offline belonging to a single internet service provider (ISP).

HACKING

Hardware