ALERTS 2024  2026  2025  2024


HOME  AI  APT  BOTNET  CAMPAIGN  CRIME  CRYPTOCURRENCY  EXPLOIT  HACKING  GROUP  OPERATION  PHISHING  RANSOM  SPAM  VIRUS  VULNEREBILITY

2024 March(16) April(92) May(99) June(94) July(88) August(112) SEPTEMBER(67) October(13) November(80) December(6) 


DATE

NAME

INFO

CATEGORY

SUBCATE

31.12.24

SpyMax Targets Uzbek Mobile Users Through Fake Uzum Apps In 2024, a malicious actor exploited Uzum's brand in a series of campaigns targeting mobile users in Uzbekistan. These campaigns utilized SpyMax, a well-known remote access trojan disguised as a fake Uzum Bank Android application, to compromise victims’ devices and steal sensitive data. ALERTS VIRUS

30.12.24

Ficora and Capsaicin botnets leverage old vulnerabilities for distribution According to the researchers from Fortinet, two Linux botnet variants Ficora and Capsaicin have been distributed in recently observed campaigns. The botnets leverage several old D-Link vulnerabilities affecting the HNAP (Home Network Administration Protocol) interface including CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112. ALERTS BOTNET

28.12.24

Skuld Infostealer malware continues to target developers via npm registry A malware campaign deploying the Skuld infostealer via the npm registry has been reported, targeting developers with ambiguous packages. ALERTS VIRUS

28.12.24

Gosar - a new Golang-based variant of Quasar backdoor Gosar is a recently identified Golang-based variant of the Quasar backdoor. The malware is spread in campaigns leveraging .MSI installer files disguised as legitimate software packages (such as Telegram or Opera). ALERTS VIRUS

28.12.24

Latest XWorm distribution campaign targets the hospitality sector A new campaign distributing the XWorm commodity malware has been reported in the wild. The attack targets the hospitality sector in the UK. ALERTS VIRUS

28.12.24

Recent I2PRAT malware variant leverages anonymous peer-to-peer network communication The latest I2PRAT malware variant has been observed to leverage I2P anonymous peer-to-peer network for the purpose of C2 communication. ALERTS VIRUS

27.11.24

Multiple vulnerabilities affecting Palo Alto Networks Expedition Multiple vulnerabilities affecting Palo Alto Networks Expedition have been disclosed this month. The reported flaws (CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, CVE-2024-9467) have been rated between CVSS 7.0 and CVSS 9.9 and include a mix of command injection, cross-site scripting (XSS), cleartext storage of sensitive information, missing authentication, and SQL injection vulnerabilities. ALERTS VULNEREBILITY

27.11.24

CVE-2024-47575 - Fortinet FortiManager Missing Authentication vulnerability CVE-2024-47575 is a Zero-day vulnerability affecting Fortinet FortiManager, that has been disclosed just this month. The vulnerability has been rated with a critical CVSS score of 9.8. If successfully exploited, it could allow remote unauthenticated attackers to execute arbitrary code via specially crafted requests. ALERTS VULNEREBILITY

27.11.24

Parano Stealer Parano Stealer is another "run-of-the-mill" infostealer variant recently observed in the wild. This Python-based malware has functionality to collect and exfiltrate various information from the compromised endpoints, including: credentials, cookies, miscellaneous data stored in web browsers, cryptocurrency wallets, system information or data from various 3rd party applications like Steam, Telegram or Discord. ALERTS VIRUS

27.11.24

Liberium RAT malware Liberium RAT (also known as ShadowRoot) is a malware variant recently advertised for sale on hacking forums. The malware has the capabilities allowing the attackers remote access to the vulnerable endpoints, file management operations, registry manipulation as well as theft of system related information and other confidential data. ALERTS VIRUS

27.11.24

CVE-2024-38094 - Microsoft SharePoint Deserialization vulnerability exploited in the wild CVE-2024-38094 is a deserialization vulnerability affecting Microsoft SharePoint, which was initially disclosed and patched back in July 2024. The flaw rated with a CVSS score of 7.2 arises from the product deserializing data without enough verification that the resulting data output will be valid. ALERTS VULNEREBILITY

27.11.24

Prometei botnet activity New Prometei botnet activity has been reported in the wild. The botnet has been historically used mostly for Monero cryptomining operations but with time the attackers behind it updated the botnet capabilities to conduct even more complex attacks, allowing for a full control over the infected machines a well as additional arbitrary payload deployments. ALERTS BOTNET

27.11.24

DarkComet Backdoor DarkComet is a powerful Remote Access Trojan (RAT) that remains a significant threat because of its stealthy operations and comprehensive functionality. It enables attackers to remotely control infected devices, exfiltrate sensitive data, and deploy further malware. ALERTS VIRUS

27.11.24

Threat actors distribute WarmCookie malware via various campaigns WarmCookie is malware that has been observed being distributed through various campaigns, including malicious emails. This malware provides initial access to a compromised victim and is used to establish persistence. ALERTS VIRUS

27.11.24

Crystal Rans0m: Rust-Based Hybrid Ransomware Crystal Rans0m is a Rust-based hybrid ransomware that combines file encryption with data-stealing capabilities that has been observed targeting Italy and Russia. The malware can steal browser data, Discord tokens, Steam files, Riot Games data and utilizes Discord webhooks for data exfiltration. ALERTS RANSOM

27.11.24

CVE-2024-9680 - Mozilla Firefox Remote Code Execution vulnerability CVE-2024-9680 is a recently disclosed Remote Code Execution (RCE) vulnerability affecting Mozilla Firefox and Thunderbird software. The vulnerability has been assigned a critical CVSS score of 9.8 and arises from a "use-after-free" flaw in the animation timeline component of the browser. ALERTS VULNEREBILITY

27.11.24

Phemedrone Stealer Phemedrone is an open-source infostealer variant observed being distributed in the wild this year. The malware is written in C# and has the functionality to collect and exfiltrate various sensitive information such as login credentials, data stored in browsers, cookies, credit card information, cryptocurrency wallets, files stored in "My Documents" folders or data from other 3rd party apps such as Steam, Discord or Telegram. ALERTS VIRUS

27.11.24

Phemedrone Stealer Earlier this year, Akira developed a new version of its ransomware encryptor and has since been observed using another novel iteration of the encryptor that targets both Windows and Linux systems. Akira typically employs a double-extortion tactic, exfiltrating critical data before encrypting the victim's systems. ALERTS VIRUS

27.11.24

Akira Ransomware Evolution: A move towards cross-platform adaptability Earlier this year, Akira developed a new version of its ransomware encryptor and has since been observed using another novel iteration of the encryptor that targets both Windows and Linux systems. Akira typically employs a double-extortion tactic, exfiltrating critical data before encrypting the victim's systems. ALERTS RANSOM

27.11.24

Ghostpulse Malware: Shifting tactics from PNGs to Pixel values According to recent reports, Ghostpulse malware has evolved its tactics by shifting from hiding its encrypted configuration and payload in the IDAT chunk of PNG files, to embedding it directly within the pixel values themselves to evade detection. ALERTS VIRUS

27.11.24

CVE-2024-28987 - SolarWinds Web Help Desk Hardcoded Credential vulnerability CVE-2024-28987 is a recently disclosed hardcoded credential vulnerability affecting the SolarWinds Web Help Desk (WHD) software. The flaw is rated as critical (CVSS score 9.1 and if successfully exploited could allow remote unauthenticated attackers to access internal software functionality and modify data. ALERTS VULNEREBILITY

27.11.24

Threat actors abusing open-source phishing framework to deliver RATS A recent report by (CTA) member Cisco Talos has recently disclosed a new phishing campaign abusing the open-source phishing readiness assessment framework named 'Gophish' to deploy one of two attack chains. ALERTS VIRUS

27.11.24

IcePeony: China-linked APT group targeting Southeast Asian governments A recently identified APT group linked to China dubbed IcePeony has been detected conducting malware campaigns targeting government agencies and institutions in countries such as India, Mauritius, and Vietnam. ALERTS APT

27.11.24

Lumma Stealer delivered via Fake CAPTCHA Researchers are monitoring an ongoing phishing campaign where attackers appear to have upped their tactics from traditional phishing to incorporating the use of fake CAPTCHA pages and exploiting legitimate software. The intention being to eventually lure users into executing a payload called Lumma Stealer. This infostealing malware is a MaaS (Malware-as-a-Service) variant that steals sensitive data such as passwords and cryptocurrency information. ALERTS VIRUS

27.11.24

Phishing Campaign Delivering Wiper Malware A recent campaign was observed by researchers where threat actors were seen targeting Israeli organizations, by impersonating a certain antivirus vendor and sending out phishing emails warning of state-backed threats. The emails include a link to a fake program that downloads a malware called Wiper, designed to erase data. ALERTS PHISHING

27.11.24

Phishing attack aims at Meta Ads Professionals with Quasar RAT A malware campaign targeting job seekers and digital marketing professionals has been reported. The campaign specifically focuses on Meta Ads professionals and is believed to be driven by a Vietnamese Threat Actor. ALERTS PHISHING

27.11.24

ClickFix Tactic: New malware campaigns preying on Google Meet users Various malware campaigns utilizing the emerging ClickFix tactic have been reported since June 2024.  One such campaign distributing infostealers through fake Google Meet pages, a popular video communication service has been reported in the wild. Users are lured by emails that appear to be legitimate Google Meet invitations for work meetings, conferences, or other significant events. ALERTS CAMPAIGN

27.11.24

Recent malicious activities attributed to the UAT-5647 threat group According to the report published by Cisco Talos, UAT-5647 threat group has been targeting entities in Ukraine and Poland in their most recent campaigns. The threat actors have been distributing two distinct downloader variants called RustyClaw and MeltingClaw, a new RomCom malware variant dubbed SingleCamper, as well as DustyHammock and ShadyHammock backdoors. ALERTS GROUP

27.11.24

Emerging Stealer Variants: Divulge, DedSec, and Duck Stealers Multiple stealers have been observed being advertised on hacker forums, GitHub, and Telegram, all developed and promoted by the same entity. Notable variants include Divulge Stealer (a copy of Umbral), DedSec Stealer (based on Doenerium), and Duck Stealer (a derivative of AZStealer). ALERTS VIRUS

27.11.24

TrickMo targeting Android users with fake lock-screen Security researchers have recently disclosed a new variant of TrickMo, a mobile banking trojan that targets Android and iOS users. This new variant comes with some new functionality in addition to the existing capabilities, such as screen recording, remote control, and permissions granting. ALERTS VIRUS

27.11.24

Lockbit ransomware pretender targets macOS and Windows environments for data theft A new campaign leveraging a malware variant disguised as Lockbit ransomware has been reported in the wild. The GO-based malware targets both macOS and Windows users in attempts to encrypt and exfiltrate confidential data. ALERTS RANSOM

27.11.24

Microsoft Windows Kernel TOCTOU Race Condition Vulnerability (CVE-2024-30088) CVE-2024-30088 is a Time-Of-Check Time-Of-Use (TOCTOU) race condition vulnerability in the Microsoft Windows Kernel. It arises when the state of a resource is modified between its validation (check) and actual use, allowing attackers to exploit the gap for privilege escalation. ALERTS VULNEREBILITY

27.11.24

Leafperforator APT group expands operations into the Middle East and Africa Researchers recently published a warning about the Telegram account '@reserveplusbot', linked to a specific application and serving as a contact for technical support. The suspicious messages urged users to install a ZIP file that contains malware. The executable file inside is a variant of Meduza Stealer, which steals files and evades detection by modifying Microsoft Defender settings. ALERTS APT

27.11.24

Meduza Stealer Researchers recently published a warning about the Telegram account '@reserveplusbot', linked to a specific application and serving as a contact for technical support. The suspicious messages urged users to install a ZIP file that contains malware. ALERTS VIRUS

27.11.24

New Linux variant of FASTCash malware discovered A new Linux variant of the FASTCash malware (a tool which CISA has attributed to North Korea) has been discovered. FASTCash is malware that is implanted within compromised networks and leveraged to perform unauthorized banking transactions. ALERTS VIRUS

27.11.24

CVE-2024-44849 - Qualitor Remote Code Execution (RCE) vulnerability CVE-2024-44849 is a critical (CVSS: 9.8) Remote Code Execution (RCE) vulnerability in Qualitor, which is a platform for managing customer service processes and centralizing services. This exploit allows remote code execution (RCE) through an arbitrary file upload in Qualitor version before 8.24. ALERTS VULNEREBILITY

27.11.24

ThunderKitty malware ThunderKitty is a GO-based open-source infostealer variant seen in the wild. The malware has the functionality to collect miscellaneous information from infected machines including banking details, Discord session tokens, cookies, browser history and other data stored in the browsers, etc. ALERTS VIRUS

27.11.24

CVE-2024-45519 - Remote Command Execution vulnerability in Zimbra Collaboration Suite CVE-2024-45519 is a recently disclosed Remote Code Execution (RCE) vulnerability in Zimbra Collaboration Suite (ZCS) affecting versions before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1. ALERTS VULNEREBILITY

27.11.24

INTERLOCK Ransomware A new ransomware actor, going by the name INTERLOCK, has recently emerged in the threat landscape. This group appears to employ a double-extortion tactic. On successful compromise, encrypted files are appended with the ".interlock" extension. ALERTS RANSOM

27.11.24

Attackers still using SHTML files to target recipients with phishing Symantec has recently observed a new phishing campaign using attached SHTML files disguised as import and or payment forms. The messages attempt to entice users to open the attached files to resolve import or billing issues. ALERTS PHISHING

27.11.24

MiyaRat: The latest tool from the Bitter APT group The Bitter APT group, recognized for its sophisticated cyber espionage activities targeting East and South Asia, has been observed deploying a new malware known as MiyaRat. This malware is capable of collecting system information, capturing screenshots, performing file uploads and downloads, and exfiltrating data to its command-and-control (C2) server, where it waits for further instructions. ALERTS VIRUS

27.11.24

CVE-2024-43363 - Cacti RCE vulnerability CVE-2024-43363 is a remote code execution (RCE) vulnerability in Cacti, a network monitoring and fault management framework. Successful flaw exploitation happens via log poisoning on the vulnerable instances. This exploitation could ultimately allow the attackers for arbitrary command execution. The vulnerability has been fixed in product version 1.2.28 or higher. ALERTS VULNEREBILITY

27.11.24

Abuse of Code-Signing Certificates in Lumma Stealer deployment via HijackLoader A malware campaign has been observed deploying Lumma Stealer using HijackLoader. The attack vector employs a "fake CAPTCHA" to lure users into executing a PowerShell payload that downloads a ZIP archive containing either a DLL or a signed HijackLoader binary. ALERTS VIRUS

27.11.24

CoreWarrior Malware Researchers investigated a malware named CoreWarrior and found that this variant aggressively spreads by creating numerous copies, connecting to various IP addresses, opening multiple backdoor access points, and intercepting Windows UI elements for surveillance purposes. ALERTS VIRUS

27.11.24

Core Werewolf utilizes AutoIt loader and Telegram for Cyber attacks The Core Werewolf threat actor group, which primarily targets Russia's defense industry and critical infrastructure, has been observed using new tools including an AutoIt loader and delivering malicious files via Telegram in addition to email. ALERTS VIRUS

27.11.24

ErrorFather Android Trojan Cerberus Android banking trojan came to light in 2019, and this variant utilizes a multi-stage dropper to deploy its payload and can execute financial fraud through remote attacks, keylogging, and overlay tactics. ALERTS VIRUS

27.11.24

Demodex targeting American telecommunications APT group 'Squash' has been reported to be utilizing Demodex to target American telecommunications providers.  Demodex, a rootkit, is used to establish persistence and then files with fake file headers (PNG, JPEG and WAV have been observed) are used to help evade detection and utilized to establish C2 communications. ALERTS VIRUS

27.11.24

CVE-2024-43573 - Microsoft Windows MSHTML Platform spoofing vulnerability CVE-2024-43573 is a spoofing vulnerability that has been recently disclosed as part of the October 2024 Patch Tuesday. The vulnerability is affecting Microsoft Windows MSHTML Platform. . ALERTS VULNEREBILITY

27.11.24

New Pronsis Loader malware leveraged for Lumma Stealer and Latrodectus delivery Pronsis Loader is a new malware variant leveraged recently in campaigns delivering Lumma Stealer and Latrodectus payloads. The malware utilizes executables compiled in JPHP programming language, which is a Java implementation of PHP. ALERTS VIRUS

27.11.24

LemonDuck: The evolving Multi-Platform cryptomining malware LemonDuck, a well-known cryptomining malware, has evolved into a multi-platform threat and has been observed exploiting SMB vulnerabilities, particularly EternalBlue, as part of its attack vector to gain network access. ALERTS VIRUS

27.11.24

CVE-2024-7954 - Remote Code Execution vulnerability in SPIP Porte Plume Plugin CVE-2024-7954 is a critical (CVSS score 9.8) Remote Code Execution (RCE) vulnerability in porte_plume plugin used by SPIP versions prior to 4.30-alpha2, 4.2.13, and 4.1.16. SPIP is free software content management system (CMS) for publishing websites. ALERTS VULNEREBILITY

27.11.24

Lynx ransomware - a formidable cyber-extortion threat A new research published by Palo Alto Networks Unit 42 indicates that the ransomware variant known as Lynx shares a significant portion of its source code with the INC ransomware. The threat operators of Lynx have actively targeted organizations in various sectors (architecture, real estate, retail, and financial/environmental services) in the U.S. and UK. ALERTS RANSOM

27.11.24

CVE-2024-43572 - Microsoft Windows Management Console RCE vulnerability CVE-2024-43572 is a Microsoft Windows Management Console remote code execution (RCE) vulnerability recently disclosed and patched as part of the October 2024 Patch Tuesday. The vulnerability is exploited through execution of specially crafted malicious Microsoft Saved Console (MSC) files. ALERTS VULNEREBILITY

27.11.24

Perfctl malware campaign exploiting RocketMQ vulnerability hits Linux Servers worldwide A Perfctl malware campaign targeting millions of Linux servers worldwide has been observed. The campaign exploits the CVE-2023-33246 RocketMQ vulnerability. The malware employs rootkits for stealth and process masquerading along with TOR for command and control (C2) communication. ALERTS VULNEREBILITY

27.11.24

Kransom ransomware targets gamers by imitating Honkai: Star Rail installer Reports indicate that Honkai: Star Rail, a popular role-playing game, is being exploited by a new ransomware dubbed Kransom. This ransomware spreads through drive-by-download campaigns, enticing victims by masquerading the malicious binary as a legitimate StarRail game installer and employing valid digital certificates. ALERTS RANSOM

27.11.24

Havoc Framework Researchers have found that cybercriminals are increasingly leveraging pen testing tools like the Havoc framework to evade security systems. This tool is less recognized than others, such as Cobalt Strike or Metasploit, which makes it harder to spot. ALERTS VIRUS

27.11.24

CleanUpLoader Leveraged By Rhysida A recent report shed light on a loader/backdoor known as "CleanUpLoader," used by the double-extortion ransomware actor "Rhysida" as an initial vector of infection. It is typically disguised as software installers like Microsoft Teams or Google Chrome. ALERTS VIRUS

27.11.24

New Ivanti CSA vulnerabilities exploited in the wild Ivanti has published a new security advisory regarding three recently disclosed Ivanti CSA (Cloud Services Application) vulnerabilities. The reported vulnerabilities are as follows. ALERTS VULNEREBILITY

27.11.24

Lua-based malware variants target the educational sector There has been a recent surge in Lua-based malware targeting students, specifically targeted attacks capitalizing on popular games within the student gamer community who are searching for gaming cheats. ALERTS VIRUS

27.11.24

Horus Protector A new malware distribution service has been uncovered called Horus Protector that claims to be a Fully Undetectable (FUD) crypter and distributes various malware families, including AgentTesla, Remcos, Snake, and NjRat. The service distributes malware using a .zip file that contains a VBE script and gathers information from users' machines to transmit to its server. ALERTS VIRUS

27.11.24

Threat actors associated with North Korea target tech job seekers with malware The Contagious Interview campaign started in 2023 and is perpetuated by threat actors associated with North Korea. Recent activity has been observed that can be tied to this campaign with threat actors posing as job recruiters and luring victims into supposed interviews. ALERTS APT

27.11.24

A Recent PhantomLoader Campaign PhantomLoader is a malware that disguises itself as a legitimate 32-bit DLL for a certain antivirus software and was recently found posing as “PatchUp.exe,” a genuine component of the software. The malicious loader was observed using binary patching and self-modifying techniques to load rust-based malware dubbed SSLoad into memory. ALERTS VIRUS

27.11.24

Malvertising campaign leads to malicious Windows and Mac payloads A recently published report identified a campaign whereby advertisers are pushing ads for utility software, such as Slack or Notion, which lead to downloads of malicious payloads. The advertisers registered under existing businesses and distributed ads that target both Windows and Mac users. ALERTS VIRUS

27.11.24

Yunit Stealer - an infostealing malware with geofencing capabilities Yunit Stealer is a malware variant recently distributed in the wild. Yunit has extensive infostealing capabilities including theft and exfiltration of credentials, credit card data, cryptocurrency wallets, cookies, auto-fill data and others. The collected information is exfiltrated via Discord or Telegram webhooks back to the attackers. ALERTS VIRUS

27.11.24

Vilsa Stealer Vilsa Stealer is a new infostealer malware variant identified in the wild. The malware has the functionality to exfiltrate miscellaneous confidential data from the infected machine including: browser data, credentials, autofill data, cookies, banking information, cryptocurrency wallets, Discord tokens and Telegram data, among others. ALERTS VIRUS

27.11.24

Falcon Keylogger Falcon is a keylogger variant recently active in the wild. Older samples of this malware date back even to 2019 while the latest observed are from just last month. Falcon has the functionality to record keystrokes on the infected machine, collect system information, screenshots, etc. ALERTS VIRUS

27.11.24

Nunu Stealer malware Nunu Stealer is a recently discovered Python-based infostealing malware variant which is based off an older Akira Stealer strain. ALERTS VIRUS

27.11.24

VeilShell: A new threat from North Korea's Vedalia APT group According to reports, threat actors linked to North Korea have been deploying a previously undocumented backdoor and remote access trojan (RAT) called VeilShell in a campaign targeting Southeast Asian countries. This activity is attributed to the Vedalia APT group (aka APT37, ScarCruft, Reaper) ALERTS APT

27.11.24

SmartLoader Delivering Lumma Stealer SmartLoader has been traced back to July 2024, involving a private GitHub account called "user-attachments." It starts with a zip archive containing four files: compiler.exe, conf.txt, Launcher.bat, and lua51.dll. ALERTS VIRUS

27.11.24

Key Group: Targeting Russian users with evolving ransomware The Key Group is a financially motivated ransomware group that primarily targets Russian users and is known for negotiating with victims via Telegram. Like other groups that leverage leaked ransomware builders, Key Group predominantly utilizes the Chaos ransomware builder, among others, and operates a GitHub repository for its command and control (C2) infrastructure. ALERTS RANSOM

27.11.24

BabyLockerKZ - MedusaLocker Ransomware variant BabyLockerKZ ransomware is a variant of MedusaLocker which has been active since 2023. This variant uses many of the same TTPs as seen in previous MedusaLocker attacks (publicly available tools, custom tools, lolbins, chat and leak sites). ALERTS RANSOM

27.11.24

Silver Oryx Blade - a new banking malware targeting Brazil Silver Oryx Blade is a new banking trojan discovered by the researchers from Scitum. The malware prevalently targets victims from Brazil and attempts to steal banking information from the compromised machines. The infection chain is initiated via phishing emails leveraging financial or tax related lures. ALERTS VIRUS

27.11.24

Gorilla Botnet: A new global threat based on Mirai code Reports indicate a surge in activity from a new botnet family called Gorilla Botnet, which is targeting telecommunications, universities, and the gaming industry worldwide. ALERTS BOTNET

27.11.24

CeranaKeeper APT Campaign A recent CeranaKeeper APT campaign was observed by researchers. This China-linked threat actor targets government entities in Thailand, Myanmar, the Philippines, Japan, and Taiwan. ALERTS APT

27.11.24

Fake Update Campaign Delivering WarmCookie Malware A new campaign in France is using compromised websites to distribute the WarmCookie backdoor through fake update prompts for popular applications like Google Chrome and Java. ALERTS CAMPAIGN

27.11.24

Defi Ransomware Defi is the newest malware variant from the Makop ransomware family. The malware encrypts user files and appends .defi1328 to them, alongside of a developers' email address and a victim's unique ID. The ransom note is dropped in form of text file called "README-WARNING.txt" within various on the disk. ALERTS RANSOM

27.11.24

Stonefly threat group continues to launch extortion attacks against US targets Symantec’s Threat Hunter Team has found evidence that the North Korean Stonefly group (aka Andariel, APT45, Silent Chollima, Onyx Sleet) is continuing to mount financially motivated attacks against organizations in the U.S., despite being the subject of an indictment and a multi-million dollar reward.  ALERTS GROUP

27.11.24

K4Spreader and Hadooken Latest Attacks Recent research identified an infection chain targeting Windows and Linux systems through Oracle WebLogic vulnerabilities (CVE-2017-10271 and CVE-2020-14883). The attacker used Python and Bash scripts to deploy K4Spreader malware, which delivered the Tsunami backdoor and a cryptominer. ALERTS VULNEREBILITY

27.11.24

New Rast ransomware threat targets Chinese government entities A new ransomware threat called Rast has been identified, specifically targeting Chinese government entities. The attack vector includes RDP brute-forcing and exploiting N-day vulnerabilities to gain access to border servers, followed by the manual deployment of ransomware components. ALERTS RANSOM

27.11.24

Active malware campaign targeting Russian energy companies and Electronics suppliers A new malware campaign targeting Russian energy companies and electronic component suppliers has been observed. The malware spreads through email attachments or Yandex Disk links, using RAR archives that contain LNK files to download and execute malicious HTA files. ALERTS CAMPAIGN

27.11.24

CVE-2024-43461 - Windows MSHTML Platform Spoofing vulnerability exploited in the wild CVE-2024-43461 is a Windows MSHTML spoofing vulnerability recently disclosed as part of the September 2024 Patch Tuesday. ALERTS VULNEREBILITY

27.11.24

North Korean hackers target Cryptocurrency users on LinkedIn with RustDoor malware In early September, the FBI warned of North Korean threat actors targeting the crypto industry. ALERTS CRYPTOCURRENCY

27.11.24

CVE-2024-6670 - Progress WhatsUp Gold SQL Injection vulnerability CVE-2024-6670 is a recently disclosed SQL Injection vulnerability affecting Progress WhatsUp Gold, which is a well known network monitoring software. Successful exploitation of this flaw could allow an unauthenticated attacker to retrieve the user's encrypted passwords. ALERTS VULNEREBILITY

27.11.24

Vulnerabilities in the Common UNIX Printing System (CUPS) Symantec is aware of multiple vulnerabilities in the Common UNIX Printing System (CUPS) on UNIX-based systems, where an attacker could exploit certain configurations to gain unauthorized access and perform remote code execution (RCE), particularly by leveraging the cups-browsed service.  ALERTS VULNEREBILITY

27.11.24

Advanced Rhadamanthys Infostealer: AI-Driven threats to Cryptocurrency security A new version of Rhadamanthys Infostealer with advanced features including the use of artificial intelligence (AI) for optical character recognition (OCR) has been reported. ALERTS VIRUS

27.11.24

DCRat (aka Dark Crystal RAT) Trojan Malware DCRat (aka Dark Crystal RAT) is a modular remote access Trojan available as malware-as-a-service since 2018. It can execute commands, log keystrokes, and exfiltrate data. Recently, it was delivered using HTML smuggling, which embeds and obfuscates the payload within HTML to evade security measures. ALERTS VIRUS

1.10.24

New variant of FakeCall Android malware A new variant of the Android malware called FakeCall has been observed in the wild. The attackers behind this malware employ voice phishing (vishing) techniques in order to trick victims into disclosing sensitive information such as credentials or banking information. ALERTS VIRUS

1.10.24

Sauron - a new ransomware variant in the wild Sauron is a new ransomware variant recently found in the wild. The malware appends ".sauron" extension to the encrypted files. The ransom note is dropped in form of a text file called "#HowToRecover.txt" on the affected machines. ALERTS RANSOM

1.10.24

UNC5812 campaigns against Ukraine with Android and Windows malware A recent report highlighted activity attributed to a suspected Russian threat actor identified as UNC5812. The activity involved distributions of Android and Windows malware targeting Ukranian military recruits. The intent of the campaign was not only to engage in espionage but also attempt to negatively influence support for pro-Ukranian forces. ALERTS GROUP

1.10.24

A possible Bumblebee Loader resurgence A new campaign delivering the Bumblebee loader has been reported this month. Bumblebee is a highly sophisticated downloader variant discovered initially back in 2022. The malware has been spread across a multitude of malicious campaigns and used for the delivery and execution of miscellaneous payloads such as Cobalt Strike, ransomware, etc. ALERTS VIRUS

1.10.24

CVE-2024-40711 - Veeam Backup and Replication deserialization vulnerability exploited by ransomware actors CVE-2024-40711 is a recently disclosed critical (CVSS score 9.8) deserialization vulnerability affecting the Veeam Backup and Replication software in version 12.1.2.172 or older. If successfully exploited the flaw might provide unauthenticated attackers with remote code execution (RCE) on the vulnerable systems. ALERTS VULNEREBILITY

1.10.24

Malicious "Lounge Pass" app targets air travelers in India A campaign involving a malicious Android app called "Lounge Pass" targeting air travelers at Indian airports has been observed. Distributed through fake domains, the app intercepts and forwards SMS messages from victims' devices to cybercriminals, leading to significant financial losses. ALERTS VIRUS

1.10.24

Adware Campaign uses Fake CAPTCHA to deliver Lumma and Amadey malware Threat actors are increasingly using fake CAPTCHA as an initial attack vector. A recent adware campaign is targeting online users by presenting them with fake CAPTCHA or update prompts. Attackers are leveraging ad networks to redirect victims to compromised sites that host these social engineering lures. ALERTS VIRUS

1.10.24

TeamTNT targets cloud-native environments in new Cryptojacking campaign A new campaign by the cryptojacking group TeamTNT has been reported targeting cloud-native environments for cryptocurrency mining and reselling compromised servers. ALERTS CRYPTOCURRENCY

1.10.24

Rekoobe malware found potentially targeting TradingView users An open directory has been discovered hosting Rekoobe malware, potentially aimed at targeting TradingView users along with other cyber espionage campaigns. Rekoobe is a versatile backdoor previously deployed by APT31 and other adversaries engaged in cyber espionage and data theft. ALERTS VIRUS

1.10.24

Daggerfly targets Taiwanese entities with new CloudScout Toolset China-linked threat actor Daggerfly (also known as Evasive Panda) has been reported targeting a government entity and a religious organization in Taiwan with a previously undocumented post-compromise toolset called CloudScout. ALERTS APT

1.10.24

Daggerfly targets Taiwanese entities with new CloudScout Toolset Researchers have recently uncovered a malicious campaign spreading the XWorm RAT trojan via fake emails posing as official communications from Namirial, a software and service company. The emails prompt users to open a password-protected PDF, and if it fails, directs them to a Dropbox link that downloads a ZIP file containing a URL that would connect to the attacker's servers and download additional malicious scripts, enabling control over the victim's machine. ALERTS VIRUS

1.10.24

Phishing Campaign Distributing XWorm RAT Researchers have recently uncovered a malicious campaign spreading the XWorm RAT trojan via fake emails posing as official communications from Namirial, a software and service company. The emails prompt users to open a password-protected PDF, and if it fails, directs them to a Dropbox link that downloads a ZIP file containing a URL that would connect to the attacker's servers and download additional malicious scripts, enabling control over the victim's machine. ALERTS PHISHING

1.10.24

HeptaX Cyberattack Operations A researcher recently identified a multi-stage cyberattack targeting the healthcare industry, initiated through a ZIP file containing a malicious shortcut (.lnk) file, likely spread via phishing emails. When executed, the LNK file runs a PowerShell command that downloads additional payloads including scripts and BAT files from a remote server. ALERTS OPERATION
28.09.24 CVE-2024-8190 - Ivanti Cloud Service Appliance Command Injection vulnerability CVE-2024-8190 is a high severity (CVSS score 7.2) OS Command Injection vulnerability affecting Ivanti Cloud Services Appliance (CSA) versions 4.6 Patch 518 or older. ALERTS VULNEREBILITY
28.09.24 Vidar malware spreads via PEC Mail and Telegram profiles CERT-AGID has identified a new campaign distributing Vidar through PEC mailboxes. ALERTS VIRUS
28.09.24 Louse APT Group launches malware campaign targeting Chinese entities The Louse APT group (also known as Patchwork and Dropping Elephant) has reportedly launched a malware campaign targeting Chinese entities. ALERTS APT
27.09.24 Malspam campaign targeting transportation industry Researchers have recently disclosed a malspam campaign targeting organizations in the transportation industry. ALERTS CAMPAIGN
27.09.24 SloppyLemming: Phishing campaigns targeting South and East Asia organizations Reports indicate that a threat actor known as SloppyLemming has been actively targeting organizations in South and East Asia, particularly in Pakistan and Bangladesh.
This actor employs open-source adversary emulation frameworks such as Cobalt Strike and Havoc. 
ALERTS CAMPAIGN
27.09.24 New DragonForce ransomware variant targets Global Industries with LockBit and Conti modifications New variants of DragonForce ransomware, featuring modified versions of LockBit and Conti, have been observed targeting the manufacturing, real estate,
 and transportation industries worldwide.
ALERTS RANSOM
27.09.24 Twelve attack group aims to destroy Established in 2023 in response to the Russian-Ukrainian conflict, the attack group known as Twelve has been observed targeting Russian government organizations. ALERTS HACKING
27.09.24 New KLogExe and FPSpy New keylogger malware KLogExe and backdoor variant FPSpy have been used by Sparkling Pisces (aka Kimsuky, THALLIUM, Velvet Chollima) threat group. ALERTS VIRUS
25.09.24 Foxtrot Ransomware - a new MedusaLocker variant Foxtrot is a latest ransomware variant from the MedusaLocker family. The malware encrypts user files and appends .foxtrot70 to them. ALERTS RANSOM
25.09.24 PDiddySploit Trojan Malware A recent research study has revealed that the scandal surrounding Sean 'Diddy' Combs, also known as P. Diddy, has been exploited. ALERTS VIRUS
25.09.24 Turkey and Bulgaria Targeted in Remcos RAT Attacks  Symantec has recently observed two ongoing Remcos RAT campaigns from the same actor, targeting companies in Bulgaria and Turkey. ALERTS VIRUS
25.09.24 Nanocore RAT Spreads Through Fake XLS Invoice Nanocore RAT was highly prevalent many years ago and since has drastically dwindled but some groups and individuals continue to leverage this remote access trojan
 in their campaigns.
ALERTS VIRUS
25.09.24 SnipBot - a new variant of the RomCom malware  Researchers from Palo Alto reported on a new variant of the RomCom malware dubbed SnipBot. ALERTS VIRUS
25.09.24 New Octo2 mobile malware variant observed in the wild New variant of the Octo Android malware dubbed Octo2 has been identified in the wild. ALERTS VIRUS
24.09.24 SectopRAT malware masqueraded as Notion installer in a recent distribution campaign A new campaign spreading SectopRAT malware has been identified in the wild. ALERTS VIRUS
24.09.24 Android Malware: Necro Trojan The latest version of the Necro Trojan has infected various popular applications, including game mods available on Google Play, affecting over 11 million Android devices. ALERTS VIRUS
24.09.24 Earth Baxia: Targeting Asia-Pacific region by exploiting GeoServer vulnerability According to a recent report from Trend Micro, the threat actor known as Earth Baxia has been targeting government, telecommunications, and energy organizations in the Asia-Pacific region through spear-phishing emails and the exploitation of the GeoServer vulnerability CVE-2024-36401. ALERTS CAMPAIGN
24.09.24 SambaSpy malware targeting Italian users SambaSpy RAT has been distributed in a new malicious campaign targeting users from Italy. The campaign has several stages within it's infection chain and
is leveraging either malware downloaders or droppers depending on the observed run.
ALERTS VIRUS
24.09.24 Go Injector Campaign Deploys Lumma Stealer Researchers have identified a campaign using Go Injector to deploy Lumma Stealer, a malware designed to steal sensitive information. ALERTS VIRUS
20.09.24 North Korean APT group Appleworm delivers PondRAT via poisoned Python packages An ongoing campaign involving poisoned Python packages delivering backdoors for Linux and macOS, dubbed PondRAT, has been reported. ALERTS APT
20.09.24 New campaign targets GitHub users with Lumma Stealer malware via phishing emails CERT-AGID has reported a new campaign delivering Lumma Stealer malware. ALERTS CAMPAIGN
18.09.24 New variant of the Gomorrah Stealer identified in the wild A new variant of the infostealing malware known as Gomorrah Stealer has been identified in the wild. ALERTS VIRUS
17.09.24 Fireant (APT31) unveils new tools in recent campaign against Asia-Pacific government entities The China-linked threat actor known as Fireant (also referred to as Mustang Panda or APT31) has recently been observed using new tools, including PUBLOAD, FDMTP, and PTSOCKET, in espionage attacks targeting government entities in the Asia-Pacific region.  ALERTS APT
17.09.24 Ajina mobile banking trojan Ajina is a recently identified mobile banking trojan variant heavily targeting the Central Asia region. ALERTS VIRUS
17.09.24 Stealthy malware targets US-Taiwan Defense Industry conference attendees A malware campaign targeting entities linked to the upcoming US-Taiwan Defense Industry Conference has been reported. ALERTS VIRUS
13.09.24 Mekotio and Mispadu malware distributed during Gecko Assault campaign A new malicious campaign dubbed Gecko Assault has been reported by the researchers from SCILabs. ALERTS VIRUS
13.09.24 AutoIt-based credential flusher leveraged alongside StealC infostealer A new campaign delivering the StealC infostealer malware has been observed in the wild. ALERTS VIRUS
13.09.24 Hadooken - Linux malware targeting Weblogic servers  Hadooken is a new Linux malware variant targeting Oracle Weblogic servers. ALERTS VIRUS
13.09.24 ShrinkLocker Ransomware: Leveraging BitLocker for encryption and system disruption ShrinkLocker is a recently discovered ransomware that exploits BitLocker, a legitimate Windows feature, to encrypt data and lock users out of their systems. ALERTS RANSOM
13.09.24 New Phishing Campaign Exploiting CapCut CapCut, a popular video editor, is being exploited in phishing attacks. The latest campaign involves a malicious package that includes a legitimate CapCut app, JamPlus build utility, and a harmful ".lua" script.. ALERTS PHISHING
13.09.24 Veaty and Spearal: Emerging malware in recent campaign against Iraqi Government A new malware family, Veaty and Spearal, has been reported by Check Point, a CTA member, as being used in a campaign targeting Iraqi government infrastructure. ALERTS VIRUS
13.09.24 Yet Another Silly Stealer (YASS) Infostealer A new infostealer, being referred to as 'Yet Another Silly Stealer' (YASS), has been observed. While it shares some features with CryptBot, YASS also has distinct characteristics. ALERTS VIRUS
13.09.24 BLX (aka XLABB) Stealer activity BLX Stealer known also as XLABB Stealer is a malware variant initially discovered back last year. New activity attributed to this infostealer has been observed in the wild. ALERTS VIRUS
13.09.24 SEO manipulation leveraged for PlugX and BadIIS malware delivery A new malicious campaign attributed to the DragonRank threat group has been discovered by researchers from Cisco Talos. ALERTS VIRUS
13.09.24 Ransomware activity surge observed in second quarter of 2024 Ransomware activity increased markedly in the second quarter of 2024 as attackers seemingly recovered their momentum following the disruption experienced in late 2023 and early 2024. ALERTS RANSOM
13.09.24 Linux SSH servers targeted by new SuperShell malware variant SuperShell malware variant has been observed in a recent campaign targeted at vulnerable or otherwise misconfigured Linux SSH servers. ALERTS VIRUS
13.09.24 ScRansom Ransomware Researchers have found that the CosmicBeetle group is now using a new ransomware dubbed ScRansom, replacing their old Scarab ransomware. ALERTS RANSOM
13.09.24 VSCode abused by Chinese APT group Stately Taurus, a Chinese APT group that carries out cyber-espionage attacks, has abused Visual Studio Code software in espionage operations targeting government entities in Southeast Asia. ALERTS APT
13.09.24 New variant of Cicada3301 ransomware found in the wild According to a recent report from Palo Alto, Repellent Scorpius is a new ransomware-as-a-service (RaaS) group responsible for the delivery of a ransomware variant dubbed Cicada3301. The threat actors have been observed to leverage a variety of Living-Off-the-Land (LOTL) tools in their attacks. ALERTS RANSOM
13.09.24 Mekotio and BBTok malware remain active among the banking trojans targeting LATAM Mekotio and BBTok malware variants remain active among the banking trojan families distributed lately across the Latin America region. ALERTS VIRUS
13.09.24 Threat actors spoof An Post Ireland services to steal credentials Symantec has identified a new wave of phishing attacks that impersonate An Post Ireland services to steal credentials. ALERTS CRIME
13.09.24 SpyAgent: Mobile malware stealing cryptocurrency wallets through image scanning A new mobile malware called SpyAgent has been identified targeting mnemonic keys by scanning for images on your device that might contain them. ALERTS VIRUS
13.09.24 Emerging Loki Backdoor variant employs Mythic Framework and Havoc Techniques A new version of the Loki backdoor has been discovered targeting Russian organizations. ALERTS VIRUS
11.09.24 Latrodectus campaign impersonates Antivirus software to deploy remote payloads A campaign deploying Latrodectus malware, disguised as a legitimate antivirus vendor, has been reported. ALERTS CAMPAIGN
11.09.24 CVE-2024-45195: Remote Code Execution (RCE) vulnerability in Apache OFBiz CVE-2024-45195 is a high-severity (CVSS: 7.5) Remote Code Execution (RCE) vulnerability in Apache OFBiz, a comprehensive suite of business applications. ALERTS VULNEREBILITY
11.09.24 Ongoing exploitation of CVE-2024-36401 in OSGeo GeoServer GeoTools Multiple campaigns are exploiting a recently disclosed security flaw in OSGeo GeoServer GeoTools. The vulnerability, identified as CVE-2024-36401 (with a CVSS score of 9.8), is a critical remote code execution bug that allows malicious actors to take control of affected instances. ALERTS VULNEREBILITY
11.09.24 TIDRONE activities in Taiwan In recent news, the TIDRONE group has been targeting Taiwan's military and satellite industries, focusing on drone manufacturers. ALERTS GROUP
11.09.24 Babylon open-source RAT targets Malaysia Babylon RAT is an open-source malware variant recently distributed to users in Malaysia. ALERTS VIRUS
11.09.24 ToneShell Backdoor Targets IISS Summit A cyber espionage campaign involving the ToneShell backdoor, attributed to Mustang Panda, has been reported targeting attendees of the 2024 IISS Defense Summit in Prague. ALERTS VIRUS
11.09.24 BlindEagle strikes Colombia's Insurance sector with Quasar RAT variant BlindEagle, an advanced persistent threat actor, has been observed targeting Colombia’s insurance sector with the BlotchyQuasar Remote Access Trojan (RAT). ALERTS VIRUS
06.09.24 Tropic Trooper unleashes new China Chopper variant and Crowdoor loader Tropic Trooper, a Chinese-speaking APT group, has been reported targeting Middle Eastern government entities in a cyber espionage campaign. ALERTS APT
06.09.24 Spammers abusing uncommon TLDs Symantec has recently observed a new phishing campaign being delivered from recently created domains designed to steal credentials and/or banking information. ALERTS SPAM
06.09.24 Formbook Targets Global Sectors with Fake RFQ from Chemical-Oil Joint Venture Symantec has recently observed a Formbook actor impersonating a major joint venture between a global chemical company based in Germany and a national oil and gas company from Malaysia. In this malicious email campaign, they're targeting companies across multiple countries and various industry sectors, including: ALERTS VIRUS
06.09.24 Acab Infostealer Acab is a Python-based infostealing malware variant recently observed in the wild. The malware shows some code similarities to another variant known as 1312 Stealer. ALERTS VIRUS
06.09.24 CVE-2024-5932 - GiveWP WordPress Plugin vulnerability CVE-2024-5932 is a recently disclosed vulnerability affecting GiveWP plugin, which is a Donation and Fundraising Platform plugin for WordPress. ALERTS VULNEREBILITY
06.09.24 MacroPack generated payloads distributed in latest campaigns A payload generation framework called MacroPack has been leveraged to create miscellaneous payloads in a series of malicious activities recently observed by the researchers from Cisco Talos. ALERTS CAMPAIGN
06.09.24 KTLVdoor backdoor leveraged by the Funnelweb APT A new Golang-based backdoor dubbed KTLVdoor has been discovered by researchers from Trend Micro. ALERTS VIRUS
06.09.24 SLOW#TEMPEST campaign targets Chinese entities A recently identified malware campaign named SLOW#TEMPEST was uncovered targeting Chinese entities. ALERTS CAMPAIGN
06.09.24 Latrodectus 1.4: New version unveiled with advanced capabilities A newer version of the Latrodectus downloader has been observed, featuring enhancements like a new string deobfuscation method, a revised C2 endpoint, and two additional backdoor commands. ALERTS VIRUS
05.09.24 Emansrepo infostealer Researchers from Fortinet reported on a new Python-based infostealer variant dubbed Emansrepo. ALERTS VIRUS
05.09.24 Zharkbot malware Zharkbot is a C++based malware loader variant being dropped by Amadey trojan in some recently observed campaigns. ALERTS VIRUS
05.09.24 CVE-2024-24809 & CVE-2024-31214 vulnerabilities affecting Traccar 5 CVE-2024-24809 and CVE-2024-31214 are recently disclosed vulnerabilities affecting Traccar 5 which is an open-source GPS tracking system. ALERTS VULNEREBILITY
05.09.24 CVE-2024-22319 - JNDI Injection Vulnerability in IBM Operational Decision Manager CVE-2024-22319 is a critical (CVSS: 9.8) JNDI injection vulnerability in IBM Operational Decision Manager. ALERTS VULNEREBILITY
05.09.24 Stone Wolf campaign targets Russian firms with Meduza Stealer malware A malicious campaign by the Stone Wolf threat actor targeting Russian firms has been reported. ALERTS CAMPAIGN
05.09.24 WailingCrab: A WikiLoader variant exploiting VPN Spoofs A recent report from Palo Alto reveals that WailingCrab, a variant of WikiLoader, is being distributed through SEO poisoning and spoofed GlobalProtect VPN software. ALERTS VIRUS
05.09.24 Luxy Infostealer Luxy is a recently discovered malware variant with both infostealing and ransomware capabilities. ALERTS VIRUS
05.09.24 Cybercriminals Target Malaysia’s Digital Lifestyle with SpyNote Around the world, E-commerce (shopping), service-oriented (food delivery, ride-hailing, and on-demand services), digital payment and deal aggregator android applications are highly popular. ALERTS VIRUS
05.09.24 CVE-2024-7593 - Ivanti Virtual Traffic Manager (vTM) Authentication Bypass vulnerability CVE-2024-7593 is a critical (CVSS score 9.8) XML authentication bypass vulnerability affecting Ivanti Virtual Traffic Manager (vTM). ALERTS VULNEREBILITY
05.09.24 RAZR Ransomware RAZR is a recently identified ransomware variant that abuses web hosting service called PythonAnywhere for hosting the malicious binaries. ALERTS RANSOM

31.8.24

Corona Mirai variant distributed via vulnerability exploitation Mirai malware variant dubbed Corona has been recently distributed via exploitation of a command injection vulnerability (CVE-2024-7029) in AVTECH IP camera devices. The botnet also attempts to exploit some older vulnerabilities including CVE-2017-17215 in Huawei Routers and CVE-2014-8361 affecting Realtek. ALERTS BOTNET

31.8.24

LummaC2 Stealer variant spread via PowerShell execution LummaC2 infostealer has been reported as being distributed in a recent campaign leveraging obfuscated PowerShell commands. LummaC2 is a C-based infostealing malware often sold under the Malware-as-a-Service (MaaS) model. This malware primary functionality is to steal confidential data from the infected endpoints and exfiltrate it to the C2 servers controlled by the attackers. ALERTS VIRUS

31.8.24

Middle East targeted by malware using fake Palo Alto VPN A malware campaign targeting organizations in the Middle East has been reported, where attackers use a fake Palo Alto GlobalProtect VPN client to deceive users. This malware employs advanced techniques, including a cleverly disguised command-and-control (C2) infrastructure and tools like Interactsh to communicate with specific hostnames and monitor infection progress. ALERTS VIRUS

31.8.24

X-FILES is a stealer malware written in C that is actively advertised on underground forums, with ongoing enhancements. Like many other infostealers, it aims to steal and exfiltrate sensitive information from infected systems including browser data, cookies, passwords, autofill data, credit card information, and cryptocurrency wallet details. ALERTS VIRUS

31.8.24

CVE-2024-38653 - XXE vulnerability in Ivanti Avalanche CVE-2024-38653 is a high severity (CVSS score 7.5) XML External Entity (XXE) vulnerability affecting SmartDeviceServer in Ivanti Avalanche, which is an enterprise endpoint management solution allowing for centralized device management within an organization. ALERTS VULNEREBILITY

31.8.24

Iranian threat actor Elfin deploys 'Tickler' backdoor Iranian threat actor Elfin (aka APT33, Peach Sandstorm) has been observed deploying a new custom multi-stage backdoor dubbed Tickler. This malware has targeted government, defense, satellite, and oil and gas sectors in the U.S. and the United Arab Emirates (UAE). ALERTS VIRUS

31.8.24

Phishing campaign targets Japan Labor Union Workers A phishing campaign targeting Japanese workers affiliated with labor unions has been observed. The e-crime actor is impersonating 労働金庫 (Rōdō Kinko), commonly known as Rokin, and the 全国労働金庫協会 (National Association of Labour Banks or Zenkoku Rōdō Kinko Kyōkai), which are part of Japan's unique financial system designed to serve the financial needs of workers. ALERTS PHISHING

29.8.24

A new Snake Keylogger variant A new Snake Keylogger malware variant has been reported by the researchers from Fortinet. The malware is spread via phishing in form of malicious .xls attachments. The distributed Excel files contain an exploit for an old WordPad RTF vulnerability CVE-2017-0199. ALERTS VIRUS

29.8.24

Advanced dropper distributes 'Angry Stealer' infostealer via Telegram An advanced dropper binary has been identified, designed to deploy an information stealer known as 'Angry Stealer,' which is actively promoted on Telegram and other online platforms. Angry Stealer targets sensitive data such as browser information, cryptocurrency wallets, VPN credentials, and system details, exfiltrating this data via Telegram. ALERTS VIRUS

29.8.24

Godzilla webshell deployment campaign A new Godzilla webshell deployment campaign has been reported in the wild. The attackers are targeting organizations running ASP.NET instances with vulnerable environment settings and leverage ViewState function to distribute malicious webshells into the victim's environment. Godzilla webshell is delivered in form of a .jar file and is used to execute remote commands or shellcode and to download additional payloads. ALERTS CAMPAIGN

29.8.24

Czech Republic officials hit by malware campaign using NATO-themed lures A malware campaign targeting government and military officials in the Czech Republic has been reported. The threat actor behind this operation is believed to have Russian origins and heavily relied on open-source offensive tools. ALERTS VIRUS

29.8.24

Critical vulnerability CVE-2023-22527 exploited for cryptomining activities According to reports, the critical vulnerability CVE-2023-22527 is actively being exploited in the wild. This vulnerability is a severe OGNL injection flaw in Atlassian Confluence Data Center and Server. Threat actors are exploiting it for cryptojacking, transforming compromised systems into cryptomining networks. ALERTS VULNEREBILITY

29.8.24

US voters targeted in phishing campaign With the US Presidential Election just a few months away and the press reporting allegations of cyber intrusions affecting the campaigns, we reviewed new domains registered between 1 May and 12 August 2024 containing strings "harris", "walz", or "trump" in the domain. ALERTS PHISHING

29.8.24

Rocinante mobile malware Rocinante is a malware variant observed prevalently in campaigns targeted at mobile users in Brazil. Functionality-wise Rocinante has the ability to steal information via keylogging, initiate remote access sessions, simulate swipe movements or touche events on the infected device. ALERTS

VIRUS

29.8.24

Emerging loader Emmental spreads malware via disguised binaries A loader called Emmental has been detected in use, being distributed in disguised Windows binaries since February 2024. This loader employs HTA files and utilizes traditional email phishing tactics, including fake videos, to target organizations worldwide. ALERTS VIRUS

29.8.24

New macOS variant of the HZ RAT backdoor emerges A new macOS variant of the HZ RAT backdoor has been discovered in the wild. According to recent reports, the malware is targeting users of the enterprise messenger DingTalk and the messaging platform WeChat. The malware has some basic functionality to collect information about the infected machines, user information from WeChat and DingTalk applications as well as user data stored in the Google Password Manager, among others. ALERTS VIRUS

27.8.24

Phishing campaign targeting users in Asia Pacific regions Symantec has recently observed a phishing campaign targeting users in Asia Pacific regions. This campaign utilizes HTML files that post the ill-gotten credentials to 3rd party hosting services, in this case nocodeform[.]io. The messages are delivered from either a 'postmaster' or 'MAILER-DAEMON' address in an effort to obscure themselves. ALERTS CAMPAIGN

27.8.24

SVG-Based Phishing Campaign Hits LATAM Industries Email Credentials In early August, Symantec observed an actor targeting multiple companies in Latin America across the retail, legal, dairy, finance, energy, and automobile manufacturing sectors. The goal was to collect email credentials, which are likely to fuel the initial access broker markets and lead to further compromises with varying impacts, including financial theft, cyber espionage, and ransomware attacks. ALERTS CAMPAIGN

27.8.24

Phishing campaign targets VPN users with Cheana Infostealer malware A phishing campaign targeting users downloading VPN software has been reported. As part of the campaign, a phishing site masquerading as a WarpVPN provider is hosted to distribute stealer malware for different operating system platforms. ALERTS CAMPAIGN

27.8.24

Dolphin Loader: The new malware-as-a-service threat exploiting RMM tools Dolphin Loader is a new Malware-as-a-Service (MaaS) loader that was first observed in July 2024 being sold on Telegram. It is used to distribute various malware payloads, such as  SectopRAT, LummaC2, and Redline, primarily through drive-by downloads. ALERTS VIRUS

27.8.24

Attackers Spreading Malware via Infected Websites Researchers have discovered malware that spreads by disguising itself as a browser update on infected websites. When users visit these sites, they are prompted to download a malicious file posing as a browser update for Chrome or Firefox. These files can be in various formats like EXE, ZIP, APPX, or VHD. The VHD file contains a hidden shortcut (LNK) that executes PowerShell commands and connects to the attacker's C2 server. ALERTS VIRUS

27.8.24

SpyNote Variant Lurks In South Africa Impersonating Two Major Banks Symantec has recently identified a variant of the SpyNote Android Remote Access Trojan in South Africa's mobile threat landscape. A threat actor is impersonating two major financial institutions, Nedbank and Absa, in an attempt to lure users into installing the malware on their devices, leading to financial losses due to unauthorized transactions, identity theft, and the compromise of sensitive personal information. ALERTS VIRUS

27.8.24

Cthulhu Stealer Researchers have recently observed another malware-as-a-service (MaaS) that targets Mac users dubbed Cthulhu. This malware gets delivered as a disk image (DMG) with platform-specific binaries and developed in GoLang. It masquerades as legitimate software to trick users into opening the DMG, then uses macOS's 'osascript' tool to prompt for their password and gain unauthorized access. ALERTS VIRUS

24.8.24

Peaklight downloader malware activity reported Peaklight is a new PowerShell-based downloader variant identified by researchers from Mandiant. The malware has been used in recent campaigns distributing various payloads including Lumma infostealer, ShadowLadder and CryptBot. The attackers leverage malicious .lnk files disguised as video files as well as JavaScript droppers within the multi-staged attack chain. ALERTS VIRUS

24.8.24

CVE-2024-4885 - Progress Software WhatsUp Gold RCE vulnerability CVE-2024-4885 is a recently disclosed critical (CVSS score 9.8) unauthenticated remote code vulnerability affecting Progress Software WhatsUp Gold, which is a network monitoring software. The exploitation of the bug might allow unauthenticated attackers to execute arbitrary commands with iisapppool/nmconsole privileges. ALERTS VULNEREBILITY

24.8.24

Sedexp Linux malware uses udev rules for persistence Sedexp is a recently identified threat affecting Linux environments. Sedexp malware has been reported to leverage udev rules for the purpose of establishing persistence on the infected machine. Udev is a device manager system on Linux that allows for management of device nodes in the /dev directory. ALERTS VIRUS

24.8.24

PG_MEM - malware targeting PostgreSQL servers for cryptomining PG_MEM is a new malware variant observed recently in the wild. The campaign distributing this malware leverages brute force attacks against vulnerable PostgreSQL database servers. Once the attackers obtain access to the server, an attempt is made to establish persistence by creating a new privileged account. Later on, the threat actors initiate system discovery and deliver the PG_MEM dropper payload that ultimately delivers a XMRig cryptominer to the infected machine. ALERTS VIRUS

23.8.24

CMoon: A .NET-based malware worm in Russian gas sector CMoon, a .NET-based malware worm, was discovered on the website of a compromised Russian gasification and gas supply company. This malware disguises itself as legitimate regulatory documents and replaces various website links with links to malicious executables. ALERTS VIRUS

23.8.24

Casbaneiro in the UAE: Impersonating Sharjah Ports Authority In cybersecurity, ports and related authorities are high-value targets for threat actors due to their integral roles in global supply chains and connections to industries such as transportation, logistics, energy, and government sectors. Crooks often disguise themselves as port authorities to lure other industries into phishing scams or social engineering attacks. ALERTS GROUP

23.8.24

NGate - a novel Android malware able to relay NFC data to the attackers A new campaign leveraging Android malware dubbed NGate has been targeting users of Czech banks. NGate uses a novel technique to relay NFC (near field communication) data from the victims' payment cards via the compromised Android phones and over to the attackers' devices. ALERTS VIRUS

23.8.24

North Korean group puNK exploits Windows shortcuts to deploy Lilith RAT A previously unidentified North Korean threat actor group dubbed puNK has been detected using Windows shortcut (LNK) files to distribute malware. When executed, these LNK files download AutoIt scripts from the attacker’s server, which subsequently fetch the final payload, the Lilith RAT. The Lilith RAT, written in C++, is an open-source remote control software that facilitates additional remote operations. ALERTS VIRUS

23.8.24

Insom ransomware Insom malware is the latest variant from the Makop ransomware family. The malware encrypts user files and appends .Insom extension to the renamed file names. A unique victim ID and a malware developers' email address is also appended to the file name. The malware has the functionality to remove volume shadow copies from the infected endpoint. ALERTS RANSOM

23.8.24

Toll Road Smishing Scams Increasingly Target U.S. Drivers The U.S. has an extensive network of toll roads, bridges, and tunnels, and toll services are used to fund the maintenance and development of infrastructure without relying solely on state and federal taxes. ALERTS PHISHING

23.8.24

TodoSwift: New macOS threat masquerading as a PDF A new macOS malware dubbed TodoSwift has been identified as disguising itself as a PDF download. The threat actor, likely from North Korea, employs a dropper application developed using Swift/SwiftUI. The dropper deceives users by presenting a seemingly legitimate PDF related to Bitcoin pricing. ALERTS VIRUS

23.8.24

North Korean-based threat actor develops MoonPeak RAT MoonPeak is a somewhat recently discovered remote access Trojan (RAT) which has been attributed to North Korean-based threat actors. This RAT is a variant of the open-source XenoRAT malware and has seen multiple evolutions. Cisco Talos researchers have published an analysis of MoonPeak along with related threat actor infrastructure. ALERTS VIRUS

21.8.24

Quasar RAT (aka BlotchyQuasar) Malspam Targeting Italian Banks Threat researchers have recently observed an email spam campaign spreading Quasar RAT malware which is primarily targeting Italy. The campaign uses deceptive emails that mimic official communications from the Ministry of the Interior, complete with their logos. While the malware and C2 servers remain the same, the URLs for downloading the malicious files have been updated. The malware specifically targets users of certain Italian banks. ALERTS VIRUS

21.8.24

Cybercriminals' Relentless Use of Fake CVs to Breach Corporate Defenses There is a long list of social engineering tactics in the cybersecurity world, and while it is always fluctuating, some methods are well-established such as sending fake CVs. This tactic involves emailing a fake Curriculum Vitae (CV) and motivation letter, often targeting HR departments or managers. ALERTS CRIME

21.8.24

QWERTY Stealer: New infostealer variant QWERTY is a newly discovered infostealer variant observed being hosted on a Linux-based virtual private server located in Germany with limited service exposure. The malware is capable of performing various checks for the presence of debugging or virtualized environments before execution and has the capability to download additional payloads. ALERTS VIRUS

21.8.24

Styx Stealer malware Styx Stealer is a new infostealing malware variant discovered by the researchers from Checkpoint. The malware has the functionality to exfiltrate various data from Chromium-based browsers including cookies, credentials, banking details, cryptocurrency wallets, files with pre-defined extensions, Telegram and Discord sessions, among others. ALERTS VIRUS

21.8.24

New Msupedge backdoor employs communication via DNS traffic A previously unseen backdoor (Backdoor.Msupedge) utilizing an infrequently seen technique was deployed in an attack against a university in Taiwan. The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic. While the technique is known and has been used by multiple threat actors, it is nevertheless something that is not often seen. ALERTS VIRUS

21.8.24

A new and emerging malware dubbed UULoader Recent research has observed a malware campaign with an increase in the use of malicious .msi files, which, while not common, are known as a method of malware distribution. The new malware strain identified is 'UULoader,' used to deliver next-stage payloads such as Gh0st RAT and Mimikatz. It is distributed through malicious installers disguised as legitimate applications, primarily targeting Korean and Chinese-speaking users. ALERTS VIRUS

20.8.24

RedLine Stealer Impersonates Oil and Gas Company, Targets Key Sectors in Vietnam Symantec has recently observed a RedLine Stealer malspam campaign in which an actor is impersonating a leading oil and gas company in Vietnam specializing in exploration and production activities. Both local and international companies in Vietnam across various sectors - including oil and gas, industrial, electrical and HVAC manufacturers, paint, chemical, and hotel industries - are being targeted. ALERTS VIRUS

20.8.24

Ailurophile Infostealer Ailurophile is a new PHP-based infostealer variant recently identified in the wild. The malware is advertised online and sold via a subscription model. Ailurophiles' capabilities include theft of data stored in browsers including auto-fill information, cookies, credentials, banking details, browsing history and cryptocurrency wallets. The infostealer can also exfiltrate data files from the compromised machines according to a predefined search criteria such as keywords in filenames or specific extensions. ALERTS VIRUS

20.8.24

Fake Apps target Indian government's PM Kisan Yojana beneficiaries The PM Kisan Yojana is a historic initiative by the Indian government that is currently benefiting around eight crore farmers across India. Every year, eligible farmers receive a total of INR 6,000, which is distributed in three equal installments of INR 2,000 each. ALERTS VIRUS

20.8.24

Hawk Eye Ransomware A ransomware actor that goes by the name "Hawk Eye" has been observed in the wild. Files that have been successfully encrypted are appended with a random 4-character extension. The ransom note (read_it.txt) is dropped in various folders, and the desktop wallpaper is changed to a white hawk on a black background. ALERTS RANSOM

20.8.24

Crypto Investment Scams Posing as Tesla A recent report reveals that attackers are exploiting Tesla's name to promote cryptocurrency scams. These scammers have registered domains containing 'Tesla' to deceive users into visiting malicious links. The links lead to the download of a harmful Android application, which is promoted on social platforms such as YouTube and Telegram. ALERTS CRYPTOCURRENCY

20.8.24

Threat actor Damselfly conducts campaigns against the U.S. and Israel Damselfy (aka APT42, Charming Kitten) is a well established Iranian-based threat actor. The group has routinely attacked high value targets in both the U.S. and Israel. The main goal of these attacks is to steal credentials from entities such as NGOs and academic, government, and defense/military organizations to further Iran's own military and political ideals. ALERTS APT

20.8.24

BANSHEE Infostealer Just this month, a new macOS malware called "BANSHEE Stealer" was discovered, created by Russian threat actors. It affects both x86_64 and ARM64 macOS systems and poses a significant threat by targeting crucial system information, browser data, and cryptocurrency wallets. ALERTS VIRUS

20.8.24

New Gafgyt botnet variant observed in the wild A new Gafgyt botnet variant has been observed in the wild. The malware is spread in a distribution campaign targeting endpoints with weak SSH credentials that deploys two distinct ELF binaries. One of the files is a Go-based Gafgyt binary with various capabilities including system discovery, command execution, scan for exposed SSH/Telnet access and brute force attack execution against the targeted systems. The second binary is a XMRig cryptominer used to mine the Monero cryptocurrency. ALERTS BOTNET

20.8.24

New ValleyRAT malware distribution campaign A new ValleyRAT malware distribution campaign targeted at Chinese speakers has been reported by researchers from Fortinet. The attackers behind this campaign rely on various components including shellcode being executed for reflective DLL loading and a beaconing module used for fetching of additional components. ALERTS VIRUS

20.8.24

Cyclops Go-based malware Cyclops is a recently identified Go-based malware implant and a likely successor to the BellaCiao malware family. The known malware binary masquerades as "Microsoft SqlServer.exe" executable in an attempt to impersonate SQL server update file and to possibly be deployed on otherwise vulnerable server instances. ALERTS VIRUS

16.8.24

Pupy RAT distributed in recent UTG-Q-010 APT campaign Pupy RAT malware has been reported to be distributed in a new campaign attributed to the UTG-Q-010 threat group. The attackers leverage phishing messages containing cryptocurrency lures or emails masqueraded as job resumes. The attack chain involves the use of malicious .lnk files with an embedded DLL loader, ending up in Pupy RAT payload deployment. ALERTS VIRUS

16.8.24

Discovery of tools and batch scripts targeting Windows and Linux systems According to a recent DFIR report, a range of threat actor tools has been found that can bypass security defenses like Windows Defender and Malwarebytes, delete backups, and disable systems. Among the discovered tools were Ngrok for proxy services and SystemBC, along with two well-known command-and-control frameworks: Sliver and PoshC2. The most recent activity was detected in August 2024. ALERTS HACKING

16.8.24

Malspam attacks target AnyDesk and Microsoft Teams Researchers recently found another campaign which starts with an email bomb and then involves a phone call via Microsoft Teams. The attacker persuades victims to download AnyDesk, a remote access tool, which allows them to take control of the victim's computer. Once they have control, the attacker runs malicious payloads and steals data from the system. ALERTS VIRUS

16.8.24

New macOS malware uses SwiftUI and OpenDirectory API for credential theft
A new multi-stage macOS stealer malware has been recently reported. The malware exhibits many traits such as the following:
ALERTS VIRUS

16.8.24

.shop gTLD becomes a new favorite to spread waves of cryptocurrency spam emails Lately, .shop gTLD has been heavily abused by threat actors to spread cryptocurrency spam emails. Shop gTLD (generic top-level domain) was launched in 2016 and is specially designed for online shopping or e-commerce platforms and can be used by retailers and e-commerce stores, among others. Symantec has observed persistent spam waves that entice email users to click on shortened URLs which in turn redirect to fake .shop gTLD domains hosting cryptocurrency related content. ALERTS SPAM

16.8.24

Datablack ransomware Datablack is a new ransomware variant observed in the wild. The malware exhibits similarities to ransomware strains from the Proton malware family. Datablack encrypts user files and appends .Datablack extension to the renamed file name. ALERTS RANSOM

16.8.24

Gigabud mobile malware shows links to the Golddigger trojan A new variant of the Gigabud Android malware has been observed in the wild. While the initial strain of this malware has been known since at least 2023, the distribution of the new variant has expanded and now it targets various countries across the world. ALERTS VIRUS

16.8.24

CVE-2024-38856 - Apache OFBiz Pre-Authentication RCE vulnerability CVE-2024-38856 is a recently disclosed critical (CVSS score 9.8) pre-authentication remote code execution vulnerability affecting Apache OFBiz versions up to 18.12.14. The vulnerability originates from a flaw in the override view functionality. Once exploited it allows unauthenticated attackers with remote code execution via crafted requests. ALERTS VULNEREBILITY

16.8.24

Allarich Ransomware A new ransomware dubbed Allarich has emerged recently in the ransomware landscape. It encrypts files, appending the ".allarich" extension to them, and changes the desktop wallpaper. After completing the encryption process, the ransomware generates a ransom note titled "README.txt." ALERTS RANSOM

16.8.24

Phishing campaign impersonates Google Safety Centre A phishing campaign reportedly impersonating the Google Safety Centre is deceiving users into downloading a malicious file disguised as Google Authenticator. This file installs two types of malware: Latrodectus, a downloader that executes commands from a C&C server, and ACR Stealer, which employs Dead Drop Resolver to obscure its C&C server details. The campaign showcases advanced evasion techniques amid ongoing efforts to refine the malware. ALERTS CAMPAIGN

16.8.24

Actor240524's spear-phishing campaign targets Azerbaijan and Israel with ABCloader A spear-phishing campaign by a new threat actor, Actor240524, targeting Azerbaijan and Israel has been observed. Users are lured with disguised government official documents containing embedded VBA macros that deliver the ABCloader payload upon execution. ABCloader decrypts and loads an ABCsync DLL, which then communicates with the C2 server for remote commands. The malware employs anti-sandbox and anti-debug techniques to evade detection. ALERTS GROUP

16.8.24

Phishing Attack Delivers 0bj3ctivity Stealer via Discord CDN A phishing attack has been reported involving the 0bj3ctivity Stealer, facilitated by the Ande Loader. The attack uses a Discord CDN link containing a malicious JavaScript file with an embedded PowerShell script to deploy additional payloads. The Ande Loader is used for both initial infection and persistence. The stealer exfiltrates sensitive data from browsers to either Telegram or a C2 server and includes anti-debug and anti-VM capabilities. ALERTS PHISHING

16.8.24

Grayfly evolves its attack vectors with new loaders and tactics Grayfly(also known as Earth Baku) has been observed expanding its reach from the Indo-Pacific region to a global scale, targeting sectors such as healthcare, media, government, education, and more. In a recent campaign, the threat actor leveraged public-facing applications like IIS servers for initial access and deployed the Godzilla webshell for control. ALERTS VIRUS

16.8.24

DeathGrip: Emergence of a new Ransomware-as-a-Service A new Ransomware-as-a-Service (RaaS) called DeathGrip ransomware has emerged in the expanding ransomware threat landscape. Promoted through Telegram and other underground forums, DeathGrip RaaS offers aspiring threat actors on the dark web sophisticated ransomware tools, including LockBit 3.0 and Chaos builders. ALERTS RANSOM

16.8.24

Spoofed Australian Taxation Office (ATO) email notifications appear in phish runs The Australian Taxation Office (ATO) is Government of Australia's revenue collection authority. Recently, Symantec has observed phishing attempts mimicking ATO, enticing users to open fake notification emails. The email mentions that a notice of assessment requires user's immediate attention due to an ongoing scheduled maintenance. ALERTS SPAM

16.8.24

CVE-2024-40628/CVE-2024-40629 - JumpServer File Read and Upload vulnerabilities CVE-2024-40628  and CVE-2024-40629 are recently disclosed file reading and uploading vulnerabilities affecting the JumpServer Ansible module. Successful exploitation of the flaw might allow low-privilege accounts with access to read/write files in the Celery container, posing both risk of sensitive information disclosure as well as potential arbitrary code execution within the context of the affected application. ALERTS VULNEREBILITY

16.8.24

Phishers targeting users in South Korea with tax receipts Symantec has observed a phishing campaign targeting users in South Korea. The attack attempts to impersonate major account firms sending tax receipts/invoices in order to lure recipients into opening the attachment. The attachment, likely in a bid to fool intended victims, also shares a name with the Nation Tax Service in South Korea, 'NTS_eTaxInvoice.html' ALERTS PHISHING

9.8.24

English-Spanish Speaking Ransomware Actor Targets Linux Machines Symantec has recently observed a Linux Ransomware variant binary that appears to be connected to a English and Spanish-speaking Double-extortion Ransomware actor. At this time, their modus-operandi remains unclear, but the ransomware exhibits the following behavior.  ALERTS RANSOM

9.8.24

Cryptocurrency-themed lure sites used for phishing attacks Threat actors are creating thousands of cryptocurrency-themed lure sites used for phishing attacks that target users of cryptocurrency wallet brands like MetaMask, WalletConnect, Coinbase, Trezor, Ledger, Bitget, Exodus, Phantom, and others. ALERTS CRYPTOCURRENCY

9.8.24

New malspam campaigns delivering multiple Trojans A number of malspam campaigns were seen which delivered various Trojans by attempting to exploit an old Microsoft Office vulnerability. CVE-2017-0199 is still targeted to allow for execution of remote code from within an XLS file. The campaigns delivered a malicious XLS file with a link from which a remote HTA or RTF file would be executed to download the final payload. We observed GuLoader, Remcos RAT, and Sankeloader infostealer as payloads. ALERTS SPAM

9.8.24

Sora AI-themed branding used to distribute malware Threat Actors have created various phishing sites that impersonate official Sora platforms to lure victims into downloading files disguised as legitimate Sora software in order to distribute harmful payloads, including data stealers and cryptocurrency miners. When users attempt to install what is believed to be authentic application(s), the files trigger malicious processes that compromise the victim’s system. ALERTS AI 

9.8.24

Phish emails impersonate UK's Health and Safety Executive (HSE) to lure email users Health and Safety Executive (HSE) is a British public provider of health and safety solutions to various professionals and organizations. Lately, Symantec has observed phish runs that impersonate Health and Safety Executive (HSE) guidelines, especially the strategy outlined for 2022-2032, to steal credentials. ALERTS PHISHING

9.8.24

New file-less ransomware variant Cronus discovered A new file-less ransomware variant dubbed Cronus has been reported as part of a malware campaign. Users are lured with documents masquerading as PayPal receipts. These documents contain malicious embedded VBA macros that, when executed, download a PowerShell loader. The loader then uses reflective DLL loading to deploy the ransomware DLL, aiming to evade detection. ALERTS RANSOM

9.8.24

RHADAMANTHYS Stealer Targeting Users in Israel RHADAMANTHYS stealer, active since 2013 and offered as Malware-as-a-Service, recently began targeting Israeli users with Hebrew phishing emails containing a malicious RAR attachment. The RAR file, posing as a notification from "Calcalist" or "Mako," (two prominent businesses in Israel) extracts three components - a malicious executable, a DLL file, and a support file. ALERTS VIRUS

8.8.24

SbaProxy leveraged to hijack legitimate antivirus software A recent report detailed how threat actors are leveraging a tool dubbed 'SbaProxy' disguised as a legitimate anti-virus software component to be able to create a proxy connection through a C2 server. The tool is distributed with malicious intent and in multiple formats such as DLLs, EXEs, and PowerShell scripts, which makes it challenging to detect due to its authentic look and advanced functionality.  ALERTS EXPLOIT

8.8.24

Lynx Ransomware Lynx is another double-extortion ransomware actor that has been fairly active in recent weeks and has claimed multiple companies as victims on their website. They claim to have a strict policy against targeting governmental organizations, hospitals, non-profits, and other sectors vital to society. ALERTS RANSOM

8.8.24

Malware campaign exploits secureserver.net domain to deploy banking trojan A new banking trojan malware campaign is exploiting the secureserver.net domain to target Spanish and Portuguese-speaking regions. The multistage attack begins with malicious URLs leading to an archive containing an obfuscated .hta file. ALERTS CAMPAIGN

8.8.24

Chameleon trojan targets hospitality Industry A new Chameleon mobile banking Trojan campaign has been reported targeting the hospitality industry. Employees of a Canadian restaurant chain with international operations were lured by a deceptive app masquerading as a legitimate CRM application. ALERTS VIRUS

8.8.24

Zola - a new Proton ransomware variant Zola is a recently discovered variant from the Proton ransomware family. The ransomware is written in C++ and employs a multi-threaded encryption process. Upon encryption the malware appends .zola extension to the encrypted files. Zola will also attempt to encrypt files on any network devices if present. ALERTS RANSOM

8.8.24

How Malicious Actors Are Leveraging Cloud Services The number of threat actors leveraging legitimate cloud services in their attacks has grown this year as attackers have begun to realize their potential to provide low-key and low-cost infrastructure. Traffic to and from well known, trusted services such as Microsoft OneDrive or Google Drive may be less likely to raise red flags than communications with attacker-controlled infrastructure. ALERTS GROUP

8.8.24

Italian campaign targeting certified email users delivers Vidar infostealer The Vidar infostealer has been observed as the payload of a recent malspam campaign targeting users in Italy. The campaign was distributed to users of certified email mailboxes and delivered a JavaScript downloader via a link in the email. The JavaScript was responsible for downloading and executing a PowerShell script which in turn leads to the final payload. ALERTS CAMPAIGN

8.8.24

Mispadu (aka URSA) Trojan Malware Mispadu Stealer (aka Ursa) was recently observed in another malspam campaign targeting systems configured with Spanish or Portuguese as their language settings. Similar to their previous campaigns, a spam email themed as an overdue invoice serves as the initial vector, it then lures users to download a malicious ZIP file. ALERTS VIRUS

7.8.24

XDSpy phishing campaign targets organizations in Russia and Moldova A phishing malware campaign by a threat actor dubbed XDSpy has been reported targeting organizations in Russia and Moldova. The attack chains typically use spear-phishing emails with archive attachments containing agreement-related lures to deploy a primary malware module called XDDown. ALERTS PHISHING

7.8.24

Spike in activity delivering Magniber ransomware A spike in activity leading up to the infection with the Magniber ransomware has been observed in the wild. Attackers spreading this malware variant are known to leverage various delivery methods including malvertisements, delivery via cracked software installers or exploitation of known vulnerabilities, etc. ALERTS RANSOM

7.8.24

OSX and Windows malware spread under the disguise of meeting or productivity software Ongoing campaigns spreading malware under the disguise of meeting or productivity applications have been reported in the wild. Some recent examples include attacks masquerading under the productivity app called Wasper or the Clusee meeting application. ALERTS VIRUS

7.8.24

HeadLace backdoor distributed by the Swallowtail APT The latest research from Palo Alto reports on recent HeadLace backdoor distribution campaign being attributed to the Swallowtail APT (aka Fighting Ursa, APT28). The attackers have been leveraging car-for-sale phishing lures in efforts to distribute the malicious payloads. ALERTS VIRUS

7.8.24

Persistent IRATA attacks in Italy Their modus operandi hasn't changed much over that period; they mainly leverage malicious SMS (smishing) messages containing URL redirections to their malicious apps as the vector of infection. They constantly rotate their social engineering tactics, with Symantec having observed multiple Italian financial services being abused for masquerading purposes. ALERTS SPAM

7.8.24

Are faxes still relevant? This credential harvesting campaign thinks so Symantec has recently observed a phishing campaign impersonating fax notifications. These notifications include subjects similar to 'Incoming Fax Delivered for user**@****.com' and instructs users to open the attached HTML and enter their credentials in order to view the fax. ALERTS CAMPAIGN

7.8.24

Lumma Stealer via Social Media and AI-Related Lure There's been reports of a malvertising scam in which cybercriminals hijacked social media pages to promote fake AI photo editors, ultimately tricking users into downloading a prevalent but run-of-the-mill stealer known as Lumma. ALERTS VIRUS

7.8.24

Trust (Crypto) Wallet users targeted with a new phishing wave Trust Wallet is a crypto wallet that provides its users services such as buying, selling, storing, swapping and managing their cryptocurrencies. Lately, Symantec has observed phish runs that impersonate Trust Wallet services and entice users to open fake notification emails. ALERTS CRYPTOCURRENCY

7.8.24

BITSLOTH Backdoor BITSLOTH is a Windows backdoor that researcher have uncovered in Latin America that exploits the Background Intelligent Transfer Service (BITS) for command-and-control operations. According to the report, it has been developed over several years, can log keystrokes, capture screens, and gather extensive data. ALERTS VIRUS

3.8.24

BlankBot Mobile banking trojan targeting Turkish users BlankBot is a new mobile banking Trojan variant that has emerged on the threat landscape, primarily targeting Turkish users. BlankBot abuses Android Accessibility services to gain full control over and collect information from the infected device. ALERTS VIRUS

3.8.24

NetSupport RAT Campaign NetSupport Manager has been weaponized by threat actors to perform malicious activities and executes as a Remote Access Trojan (RAT). Over time various campaigns have been identified each instance building on the previous in attempts to evolve evasion techniques through multiple obfuscation updates.  ALERTS VIRUS

3.8.24

AutoIT scripts leveraged by the latest Konni RAT malware Konni RAT malware observed in a recent distribution campaign has been leveraging AutoIT scripts for detection evasion. The attack chain includes the use of .LNK files contained within .zip archives. The .lnk shortcut files are often disguised as documents and have double extensions present, for example ".hwp.lnk". ALERTS VIRUS

3.8.24

Spike of activity observed for the Neshuta malware During the last month Symantec observed a spike of activity attributed to the Neshuta (aka Neshta) malware family. Neshuta is an older file infector variant that's been observed in the threat landscape space as early as 2005. It's main function is to prepend virus code to executable files and collect basic system information. ALERTS VIRUS

3.8.24

Grayfly (aka APT41) threat group deploying ShadowPad and Cobalt Strike in a recent attacks As reported by researchers from Cisco Talos, Grayfly threat group (also known as APT41) has been deploying ShadowPad malware and Cobalt Strike beacons in a recent distribution campaign observed in Taiwan. The attackers have been reported to exploit an old and vulnerable version of Microsoft Office IME file (imecmnt.exe) for the purpose of second-stage loader and payload execution. ALERTS APT

3.8.24

Bloody Wolf delivers STRRAT malware A malware campaign by the APT group dubbed Bloody Wolf targeting organizations in Kazakhstan has been reported. The attackers are sending phishing emails that impersonate the Ministry of Finance of the Republic of Kazakhstan and other agencies. ALERTS VIRUS

3.8.24

Mandrake mobile spyware A new variant of the Mandrake mobile spyware has been distributed via several apps hosted on the Google Play store. The oldest of the apps called AirFS was first uploaded to the store back in 2022 and remained available for download up until March this year. ALERTS VIRUS

3.8.24

TgRAT malware returns with a Linux variant TgRAT is a malware variant discovered back in 2022 and initially targeting the Windows systems. Earlier this month a Linux version of this RAT has been observed as being distributed in the wild. Upon infection of the targeted machine the malware is used to execute arbitrary commands/scripts, collect screenshots or extract user files from the compromised host. TgRAT is controlled by the attackers via a Telegram bot ALERTS VIRUS

2.8.24

SARA Android Ransomware Targets Vietnamese Mobile Users in Fake App Scheme Android lockers and ransomware were prevalent a couple of years ago, especially during the RansomLock craze. Today, while they remain in the mobile threat landscape, their prevalence has dwindled. These threats typically lock users out of their devices and display a ransom message, demanding payment to regain access with an unlock code. ALERTS RANSOM

2.8.24

DeerStealer malware spread via fake Google Authenticator websites A new malicious campaign distributing infostealer variant dubbed DeerStealer has been identified in the wild. The malware is spread under the disguise of fake Google Authenticator app and the malicious binary is hosted on the Github repository. ALERTS VIRUS

2.8.24

SMS Stealer - extensive Android malware distribution campaign An ongoing large-scale operation distributing a Android malware variant called SMS Stealer has been reported to infect mobile devices across the world. The campaign has been active since at least 2022 and targeting victims in 113 countries. ALERTS VIRUS

2.8.24

ModiLoader malware campaign targeting Small and Medium-Sized Business (SMB) in Poland Modiloader (aka DBatLoader) malware has been deployed in a recent campaigns targeting Small and Medium-Sized Business (SMB) in Poland, Italy and Romania. Modiloader has been spread via malicious email attachments in various file formats such as .img, .tar, .rar or .iso. Modiloader is a Delphi-based malware used to download and execute final payloads delivered to the compromised machines. The payload usually varies and the reported campaigns have been executing malware from Agent Tesla, Remcos or Formbook families. ALERTS VIRUS

2.8.24

DoNot APT Targeting Pakistani Android Mobile Users APT-C-35 (aka DoNot APT Group) has been active in conducting cyberattacks since at least 2013. Recently, they have targeted Pakistani Android mobile users. Their attacks typically start with phishing campaigns, leading to the deployment of Android malware known as StealJob. ALERTS APT

2.8.24

Protection Highlight: Ransomware-as-a-Service Evolution, Impact, Mitigation Malware evolution in the threat landscape is the singular reason cybersecurity professionals can’t rest, and Ransomware-as-a-Service (RaaS) is no different. From its first known form in 2012 as Reveton to the most recent inception of Eldorado ransomware, with early incidents reportedly raking in amounts of $400K USD a month to modern-day data breaches costing over $1M and sometimes far in excess of that figure. ALERTS RANSOM

2.8.24

Leafperforator campaign exploits Pakistan’s Maritime Affairs documents to spread JavaScript malware A new malware campaign by the Leafperforator (also known as SideWinder) threat actor, utilizing enhanced tactics and techniques has been reported. This threat actor relies on spear-phishing emails and targets Asian countries. In the latest campaign, users are tricked with documents related to employee termination or salary cuts, leading them to open a disguised file. ALERTS CAMPAIGN

2.8.24

Phishing Campaign: Malicious HTML attachment mimics OneDrive to deploy malware Scripts A new phishing campaign using image files that mimic a Microsoft OneDrive page has been reported. Users are targeted through phishing emails with HTML attachments. When these attachments are opened, they display an image resembling a OneDrive page and show an error indicating a connection issue with the OneDrive cloud service. ALERTS PHISHING

2.8.24

Recent activities attributed to the UNC4393 threat group The threat actor dubbed UNC4393 has been active in the threat landscape since at least 2022. The group has been known to leverage a wide variety of malware variants and custom tools in their attacks including Basta ransomware, KnotWrap dropper, KnotRock tool, DawnCry dropper or the PortYard tunneler. ALERTS GROUP

2.8.24

Exela Stealer continues to be distributed in the wild Exela Stealer is a Python-based malware initially discovered in the threat landscape just last year. New campaigns distributing this infostealer continue to be observed in the wild in recent weeks. ALERTS VIRUS

2.8.24

Flame Stealer malware Flame Stealer is a new C/C++based infostealing malware variant advertised for sale on Discord and Telegram. The malware has the functionality to collect and exfiltrate various information about the infected machine, Discord tokens, clipboard data, credentials, banking information and browser cookies, among others. ALERTS VIRUS

29.7.24

Hive0137 threat group leverages LLM in recent attacks The threat actor known as Hive0137 has been leveraging Large Language Models (LLM) in their recent attacks. LLM is a form of generative AI designed to understand and generate human-like text. The Hive0137 group is known for their malware distribution attacks that often lead to ransomware infections. ALERTS AI

29.7.24

CVE-2024-40348 - Bazaar Directory Traversal vulnerability CVE-2024-40348 is a recently disclosed directory traversal vulnerability affecting Bazaar (version 1.4.3) which is an open source version control software. Successful exploitation of the flaw might allow unauthenticated attackers to perform directory traversal on the vulnerable system, leading to unauthorized access to system directories and sensitive files. ALERTS VULNEREBILITY

29.7.24

Scammers exploit Hamster Kombat’s popularity with malicious farm bot tools With the rise in popularity of the Telegram clicker game Hamster Kombat, scamsters are increasingly targeting players. Enthusiasts are attracted by the promise of significant rewards linked to the introduction of a new cryptocoin by the game's creators. ALERTS SPAM

29.7.24

OceanSpy Ransomware A ransomware actor calling themselves OceanCorp has been observed in the wild targeting single machines. At this time, according to their ransom note (OceanCorp.txt), this actor does not perform double-extortion tactics, meaning they do not threaten to leak or sell data. ALERTS RANSOM

29.7.24

Vietnam campaign: Android Spyware Masquerades as Techcombank Groups and individuals around the world have been using SpyNote, a popular Android remote access trojan, for the past few years, and its prevalence shows no signs of decreasing. E-crime and targeted campaigns against both enterprises and consumers are observed on a daily basis. ALERTS CAMPAIGN

27.7.24

Threat Actor uses MSHTML flaw to distribute Atlantida InfoStealer A malware campaign conducted by the threat actor known as Void Banshee, which distributes the Atlantida InfoStealer, has been reported. The attack exploits CVE-2024-38112, an MSHTML vulnerability, by abusing .URL files to execute through disabled Internet Explorer. ALERTS VIRUS

27.7.24

SeleniumGreed cryptomining operation SeleniumGreed is a recently disclosed cryptomining operation observed in the wild. The campaign targets exposed versions of Selenium Grid which is a component in Selenium open-source automation framework used for testing web applications. ALERTS CRYPTOCURRENCY

27.7.24

Zilla Ransomware - a recent Crysis variant Zilla is the latest Crysis/Dharma ransomware observed in the threat landscape. The malware encrypts user data and appends .ZILLA extension to the encrypted files. Alongside this custom extension, also a unique ID and the email address of the threat actors is added. ALERTS RANSOM

27.7.24

Phishing campaign targeted at users in India attributed to the Smishing Triad group Fortinet researchers reported on a recent phishing operation targeting mobile users in India. The attack has been attributed to a threat group known as the Smishing Triad, known previously to be targeting various countries across the world with similar smishing runs. ALERTS PHISHING

27.7.24

Continuous espionage activities attributed to the Stonefly APT Symantec Security Response is aware of the recent joint alert from CISA, FBI and several other partners concerning a number of recent targeted activities attributed to the Stonefly APT group (also known as Andariel or DarkSeoul). ALERTS APT

27.7.24

Malware campaign exploits SEO poisoning to target W2 Form seekers A malware campaign has been reported targeting users searching for W2 forms through SEO poisoning techniques. Victims are redirected to spoofed IRS websites, where they are lured into downloading a masqueraded JS file disguised as a W2 form. ALERTS EXPLOIT

27.7.24

Russian-linked malware campaign targeting Indian political entities A malware campaign believed to be orchestrated by a Russian-linked threat actor is reportedly targeting entities interested in Indian political affairs. Victims are lured with .LNK files disguised as genuine office documents. ALERTS VIRUS

26.7.24

RADAR Ransomware Another ransomware group that employs double-extortion tactics has been making the rounds in the already crowded ransomware threat landscape. Calling themselves RADAR, the group compromises machines, encrypts the files, and appends them with a .[random8characters] extension. ALERTS RANSOM

26.7.24

Smishing in Japan – Utilities, financial services and shipping top lures Smishing, or SMS phishing, is increasingly becoming a favored tactic for cybercriminals due to the widespread use of mobile devices and generally high open rates of SMS messages compared to emails. Campaigns continue to proliferate around the world, and in some countries such as Japan, they are increasing exponentially with actors using utilities, financial services, and shipping as top lures. ALERTS SPAM

26.7.24

Atlantida Stealer among the malware variants spread by Stargazer Goblin threat group Atlantida Stealer has been determined as one of several malware payloads spread recently in a malware distribution campaign attributed to the threat actor known as Stargazer Goblin. Other payloads spread via this malware delivery service dubbed as Stargazers Ghost Network included RedLine, Lumma Stealer, Rhadamanthys and RisePro. As reported by researchers from Checkpoint, the attackers responsible for this operation have been leveraging compromised Github repositories and Wordpress sites to distribute archives containing the malicious binaries. ALERTS VIRUS

26.7.24

The increasing incidence of threats utilizing AI There has been a rise in cyber attacks using Large Language Models (LLMs) to generate malicious code. Symantec's Team has observed phishing campaigns where LLM-generated scripts download harmful payloads like Rhadamanthys, NetSupport, CleanUpLoader (Broomstick, Oyster), ModiLoader (DBatLoader), LokiBot, and Dunihi (H-Worm). This highlights the misuse of LLMs in cybercrime. ALERTS AI

26.7.24

PicassoLoader Malware There was a recent surge in activity from the group called UAC-0057 (aka GhostWriter). In this campaign, attackers are distributing Word documents that are macro-enabled with the intention of launching a malware loader known as PicassoLoader. This malicious loader is capable of deploying a Cobalt Strike Beacon onto the victim's machine. ALERTS VIRUS

25.7.24

New Linux Play ransomware targets ESXi servers As recently reported by researchers from Trend Micro, a new Linux variant of the infamous Play ransomware has been observed to target the ESXi servers. Prior to execution, the malware runs checks to confirm that it is running within an ESXi environment. Play ransomware will also attempt to power off all running ESXi virtual machines before proceeding with the encryption process. .PLAY extension is added to the encrypted files and ransomware note is dropped in the VM's root directories. Some of the network infrastructure used by this Linux Play variant has been previously observed in attacks attributed to the threat actor known as Prolific Puma. ALERTS RANSOM

25.7.24

LummaC2 variant exploiting Steam for dynamic C2 domains A new variant of LummaC2 has been observed exploiting the 'Steam' gaming platform. This variant now obtains dynamic C2 domains on demand, a departure from its previous technique of embedding C2 details within the sample itself. The malware stores a Steam URL, specifically a Steam account profile page, as executable code. Upon accessing this page, it parses a specific <tag> to extract a string, which is then decrypted to reveal the C2 domain. ALERTS VIRUS

25.7.24

New variant of the Jellyfish Loader observed in the wild A new variant of the .NET-based Jellyfish Loader malware has been found in the wild. The malware has been reported as being distributed via a malicious .LNK file execution. ALERTS VIRUS

25.7.24

CVE-2024-4879 - ServiceNow Jelly Template Injection vulnerability CVE-2024-4879 is a recently disclosed critical template injection vulnerability (CVSS score 9.3) affecting ServiceNow, which is a popular platform for digital business transformation. Successful exploitation of the flaw might allow the unauthenticated remote attackers to gain access and execute arbitrary code within the context of the Now Platform. The vulnerability has been already addressed in the patched software versions released by the application vendor. ALERTS VULNEREBILITY

25.7.24

BianLian Ransomware changes strategy BianLian is a ransomware threat actor that has been active since mid-2022, specifically targeting the infrastructure sector in the US and Australia. As part of its attack vector, the threat actor typically exploits RDP credentials acquired through third parties or phishing to gain initial access. They deploy custom malware written in the Go programming language and utilize remote management and access software such as AnyDesk, Atera Agent, TeamViewer, etc., for persistence. ALERTS RANSOM

25.7.24

Threat Actors continue to exploit CVE-2024-21412 Threat actors continue to exploit CVE-2024-21412, a security bypass vulnerability in Microsoft Windows SmartScreen that was reported and patched in February 2024. ALERTS VULNEREBILITY

24.7.24

Malware-laden Word Document Delivering Daolpu Stealer Following the recent outage which affected computers running Microsoft operating systems across the globe, attackers are continuously exploiting the incident to lure users into accessing malicious links or launching malware-laden files. A new attack linked to this incident has been discovered involving a Word document containing macros that execute and download an unidentified stealer dubbed Daolpu. ALERTS VIRUS

24.7.24

Protection Highlight: ScriptNN Phishing is an all-too-common type of social engineering attack that attempts to steal user data by sending fraudulent communications, usually via email or SMS, which appear to come from a legitimate source. Phishing is predominantly employed at the first stage in a malware attack, whether the ultimate objective is reconnaissance or compromise. ALERTS PHISHING

24.7.24

Braodo: A new Python-based Infostealer in the cyber threat landscape A new infostealer, named Braodo, has been observed circulating in the ever-evolving threat landscape. It is distributed through an archive file that includes a BAT file. When executed, this BAT file connects to GitHub to download a secondary BAT file and a ZIP archive containing the final Braodo infostealer payload. ALERTS VIRUS

24.7.24

Daggerfly group updates their toolset The Daggerfly (aka Evasive Panda, Bronze Highland) threat group, which has been active for at least a decade, has made some significant updates to their toolset. Symantec’s Threat Hunter Team has published a report providing details regarding Daggerfly tools such as the modular malware framework MgBot, Macma, a modular macOS backdoor, and a recently observed multi-stage backdoor identified as Suzafk. ALERTS GROUP

24.7.24

FIN7 has a versatile attack arsenal Threat Actor FIN7 (also tracked under the names Carbon Spider, the Carbanak Group, and Sangria Tempest) is known for its proficiency in sophisticated campaigns and engineering attacks to gain initial access to corporate networks. ALERTS GROUP

24.7.24

BlackSuit Ransomware poses as fake Antivirus Installer New variants of BlackSuit ransomware have been observed in the wild, employing deceptive tactics to evade detection. Recently, they masqueraded as fake Qihoo 360 antivirus installers to deceive victims. Once installed, the malware encrypts user files and appends the .blacksuit extension. ALERTS RANSOM

24.7.24

CyberVolk Ransomware A new strain of ransomware dubbed CyberVolk has been reported. This ransomware is written in C/C++ and features a unique encryption algorithm developed entirely by the group behind the malware. ALERTS RANSOM

24.7.24

RA World Ransomware group Researchers at Palo Alto Networks have provided an analysis of the RA World Ransomware group. This group has been active since 2023 and has targeted victims worldwide across multiple industries. ALERTS RANSOM

24.7.24

RA World Ransomware group In recent weeks, mobile users of several major financial institutions in South Korea were targeted by a FakeApp/FakeBank Android campaign. ALERTS RANSOM

24.7.24

FakeApp Campaign: South Korea's Financial Institutions' Mobile Users Targeted In recent weeks, mobile users of several major financial institutions in South Korea were targeted by a FakeApp/FakeBank Android campaign. ALERTS CAMPAIGN

24.7.24

New backdoor spreading in Seedworm malspam campaign Recently the APT group Seedworm has been observed deploying a previously undocumented backdoor named Bugsleep, primarily via a phishing campaign with PDFs containing malicious links targeting organizations in the Middle East. Once deployed this new backdoor allows attackers to execute remote commands and exfiltrate files to the C&C server. ALERTS CAMPAIGN

24.7.24

Tag-100: Emerging threat actor exploiting appliance vulnerabilities A new threat actor, dubbed Tag-100, has been reported targeting government and private sector entities worldwide. This threat actor exploits vulnerabilities in appliances to initiate its attacks and has been observed exploiting known vulnerabilities in appliances such as Citrix NetScaler. ALERTS GROUP

24.7.24

Copybara Android malware Copybara is a banking Trojan affecting Android mobile devices and has been observed targeting users in Italy. Threat actors use previously obtained contact details and portray themselves as bank employees to socially engineer victims into downloading the malicious application by way of SMS phishing and voice phishing, also known as smishing and vishing respectively. ALERTS VIRUS

24.7.24

NullBulge exploiting code repositories in AI and Gaming Sectors n response to the threat actors exploiting security vulnerabilities in AI and gaming-focused entities, a new group dubbed NullBulge has been reported. ALERTS AI

24.7.24

Health Insurance Fund (NEAK) Targeted with Lokibot Malware A recent report has revealed that the National Health Insurance Fund (NEAK) based in Hungary was targeted by attackers who aimed to deploy Lokibot malware. ALERTS VIRUS

24.7.24

Grayfly is targeting and compromising multiple sectors Over the past few weeks, multiple campaigns have been reported, carried out by the China-linked APT group Grayfly also known as APT41. ALERTS APT

19.7.24

New variant of BeaverTail malware targets job seekers A new variant of the BeaverTail malware has been reported, distributed via a macOS DMG file that mimics the legitimate video call service MiroTalk. This campaign is linked to North Korean hackers targeting job seekers. The updated malware is a native Mach-O executable capable of stealing sensitive data from web browsers and cryptocurrency wallets. ALERTS VIRUS

19.7.24

APT17 Campaign: New variants of 9002 RAT targeting Italian government entities A malware campaign by the APT17 group has been reported, distributing newer variants of 9002 RAT. The campaign specifically targets government entities and Italian companies. Users are lured with a link to a masqueraded Italian government domain, purportedly to download a Skype installer. ALERTS APT

19.7.24

UAC-0180 Phishing Campaign Targeting Ukrainian A recent phishing campaign was observed by researchers targeting Ukrainian defense enterprises on the topic of Unmanned Aerial Vehicle (UAV) purchasing. The distributed email includes a ZIP attachment with a PDF file containing a malicious link. ALERTS GROUP

19.7.24

RDPWrapper and Tailscale leveraged in recent malspam campaign Researchers have uncovered a multi-stage cyberattack campaign starting with a malicious zip file containing a .lnk shortcut file that was likely spread via phishing emails. Upon execution, the .lnk file downloads a PowerShell script enabling threat actors access via RDP. ALERTS CAMPAIGN

19.7.24

ShadowRoot Ransomware Threat researchers have identified a new ransomware called ShadowRoot which targets businesses in Turkey. The attack starts with a PDF attachment sent via suspicious emails from the "internet[.]ru" domain. If a user clicks on the embedded links within the PDF, it triggers the download of an executable payload that proceeds to encrypt files. Encrypted files have their extensions changed to ".shadowroot". ALERTS RANSOM

19.7.24

Phishing malware campaign targeting Ukrainian Government entities linked to Russian Threat Actor UNC4814 Symantec has observed a phishing malware campaign targeting government entities in Ukraine. Based on the attack vector and behavior, Symantec believes UNC4814, a suspected Russian threat actor, is responsible for the campaign. The threat actor initiates attacks by sending phishing emails with HTA files attached, masquerading as bills and payment notifications.  ALERTS PHISHING

19.7.24

Zero-Day Exploit: Malicious .url Files Leveraging CVE-2024-38112 on Windows An ongoing campaign targeting Windows users has been observed. Threat actors distribute phishing emails containing Windows Internet Shortcut files with a .url extension. ALERTS EXPLOIT

18.7.24

Killer Ultra Malware A tool used in Qilin ransomware attacks known as "Killer Ultra" was recently uncovered by researchers. It disables endpoint detection and response (EDR) and antivirus (AV) tools, using a Zemana driver to terminate their processes. ALERTS VIRUS

18.7.24

Noxious Stealer A new stealer malware dubbed Noxious Stealer was recently identified by researchers. This Python-based open-source tool, currently hosted on GitHub, possesses several capabilities such as collecting sensitive user data including billing details, emails, phone numbers, tokens, as well as system information such as cookies, browsing history, and WiFi passwords. ALERTS VIRUS

18.7.24

Specially crafted HTML files allow for abuse of Windows search Attackers have been recently observed abusing Windows search in order to redirect users to malware. The attack begins by sending the targets malspam with specially crafted HTML files that are designed to abuse the built-in Windows search functionality, once these files are opened they redirect to an externally hosted site to download malware of the attackers choice. ALERTS SPAM

18.7.24

Jenkings Script Console exploited for cryptocurrency mining Improperly configured Jenkins Script Console instances (such as Jenkins Groovy plugin) have been weaponized by attackers leading to criminal activities such as the deployment of cryptocurrency miners, and backdoors to gather sensitive information. ALERTS CRYPTOCURRENCY

18.7.24

Phishing campaign impersonating Afrihost services Afrihost is a South African Internet Service Provider (ISP) that offers services such as ADSL broadband, wireless, mobile services, and web hosting. Recently, Symantec has observed phishing campaigns impersonating Afrihost services. These campaigns involve fake notification emails that urge recipients to update their payment methods to avoid service interruption. ALERTS CAMPAIGN

18.7.24

CVE-2024-36401: Vulnerability in OSGeo GeoServer GeoTools CVE-2024-36401 (CVSS score: 9.8) is a vulnerability in OSGeo GeoServer GeoTools, with evidence of active exploitation. GeoServer is an open-source software server written in Java that allows users to share and edit geospatial data. ALERTS VULNEREBILITY

18.7.24

Malware disguised as cracked versions of MS Office Threat researchers discovered malware disguised as cracked versions of MS Office. It spreads through downloads and torrents, enabling attackers to control infected systems via updates. The malware adapts installation methods based on the presence of V3 security software. It uses the task scheduler for persistence, ensuring it remains active even if detected. ALERTS VIRUS

18.7.24

BadPack method used in Android malware BadPack is a method observed in malware which targets Android mobile devices. The authors of BadPack manipulate header information of the APK file format which effectively breaks the file and prevents manual analysis. ALERTS VIRUS

16.7.24

Quasar RAT delivered via Home Trading System Threat researchers have identified Quasar RAT malware being distributed via a private Home Trading System (HTS), a tool that allows investors to trade from their own PCs. However, the HTS (aka HPlus) used in these attacks is unsearchable and its provider remains unknown. ALERTS VIRUS

16.7.24

Malicious Word Document Spreading Stealer Malware An ongoing campaign has revealed a stealer malware initially distributed through Word documents. This malware infects computers, retrieves the device’s IP address, and subsequently sends the user’s browser information to a dedicated command-and-control (C2) server operated by the attackers, with the data customized for different countries. ALERTS VIRUS

16.7.24

CVE-2024-36991 - Path Traversal vulnerability in Splunk Enterprise CVE-2024-36991 (CVSS: 7.5 High) is a path traversal vulnerability in Splunk Enterprise, a big data platform that simplifies the task of collecting and managing massive volumes of machine-generated data, helping organizations derive insights from this data. ALERTS VULNEREBILITY

15.7.24

Poco RAT phishing campaign targeting Spanish speakers Since early 2024, an ongoing phishing campaign has been targeting Spanish speakers, distributing a new remote access trojan (RAT) known as Poco RAT. ALERTS VIRUS

15.7.24

CRYSTALRAY's Ongoing Operations Leveraging SSH-Snake Since February 2024, researchers have been tracking the evolving threat actor CRYSTALRAY. The group was observed to leverage the use of a network mapping tool called SSH-Snake, a self-modifying worm malware which exploits compromised SSH credentials to spread through networks. ALERTS GROUP

12.7.24

OilAlpha targets Arabic-speaking humanitarian NGOs in Yemen OilAlpha continues to target Arabic-speaking entities, as well as those interested in humanitarian organizations and NGOs operating in Yemen. According to reports, users are lured to a deceptive web portal that mimics the generic login interfaces of humanitarian organizations such as CARE International and the Norwegian Refugee Council, with the aim of stealing credentials. ALERTS APT

12.7.24

Vultur Campaign: Clothing Retailer Brand Abused in Fake App Scheme Brands of all genres are constantly abused by cybercriminals to target specific demographics, and financial institutions are usually the ones most impersonated. ALERTS CAMPAIGN

12.7.24

DodgeBox Loader Loading MoonWalk Backdoor Threat researchers recently discovered a new loader dubbed DodgeBox. This loader shares significant traits with StealthVector, which is associated with the Chinese APT group APT41 / Earth Baku. ALERTS VIRUS

12.7.24

Tax-Themed Android Malware Targeting Uzbekistan Mobile Users Taxes have been and continue to be prevalently used in social engineering tactics around the world to trick users (both consumers and enterprises) into deploying malware on their machines, entangling themselves in BEC scams, inputting sensitive data into phishing websites, and more. ALERTS VIRUS

11.7.24

Despite group disruptions, ransomware activity not decreasing In a newly released report, Symantec’s Threat Hunter Team shares insight into observed ransomware activity. The data shows that despite disruptions affecting Lockbit and Noberus groups and a downward trend between the last quarter of 2023 and the first quarter of 2024, activity is still on the rise. ALERTS RANSOM

11.7.24

ViperSoftX: Evolving tactics from Torrent software lures to eBook disguises ViperSoftX is an infostealer that continues to evolve and enhance its tactics and techniques. Initially, attackers leveraged pirated versions of popular software to lure users, often distributed through torrent sites. ALERTS VIRUS

11.7.24

GuardZoo: Android spyware targeting middle eastern defense entities An Android spyware dubbed GuardZoo has been observed targeting defense entities in the Middle East. It is believed to be associated with the Houthi rebel faction in Yemen. ALERTS VIRUS

11.7.24

Ghostscript (CVE-2024-29510) Symantec is aware of a remote code execution vulnerability (CVE-2024-29510) in the "Ghostscript" document conversion toolkit used on Linux systems. ALERTS VULNEREBILITY

10.7.24

Water Sigbin exploits vulnerabilities to deliver cryptocurrency miner The threat actor Water Sigbin (aka 8220 Gang) has exploited vulnerabilities in the Oracle WebLogic Server ( CVE-2017-3506 and CVE-2023-21839) to deliver a cryptocurrency miner called XMRing to the compromised systems. ALERTS CRYPTOCURRENCY

10.7.24

Protection Highlight: Recent Sideloading Attacks In this bulletin however we'll talk about sideloading as it relates to the cybersecurity field. MITRE defines sideloading attacks in T1574.002 as a type of (search order) Hijack Execution Flow, which exploits the way Windows applications load DLLs. ALERTS HACKING

9.7.24

Popular sticky-note installers trojanized to push malware A recent report by (CTA) member Rapid7 has recently disclosed that popular sticky-note app 'Notezilla' installers have been trojanized in order to deliver malware. ALERTS VIRUS

9.7.24

Recent Water Hydra APT Activity Exploiting CVE-2024-21412 In early 2024, threat researchers exposed the DarkGate campaign, exploiting CVE-2024-21412 via fake software installers. Afterwards, the APT group Water Hydra used the same vulnerability to target financial traders with the DarkMe RAT, bypassing SmartScreen. ALERTS APT

8.7.24

Zergeca: A new Golang botnet with advanced capabilities A new botnet, dubbed Zergeca and written in Golang, has been observed in the wild. In addition to conducting distributed denial-of-service (DDoS) attacks, the botnet includes several other features such as proxy-based obfuscation. ALERTS BOTNET

8.7.24

Beware of Orcinius trojan's multi-stage attack via Dropbox and Google docs Beware of the Orcinius trojan malware! It's a multi-stage trojan reported to utilize Dropbox and Google Docs as part of its attack vector for downloading secondary payloads. ALERTS VIRUS

8.7.24

Neptune Stealer A new malware strain dubbed Neptune Stealer has been uncovered by researchers. This malware quietly infiltrates systems to extract passwords and financial data, operating discreetly and customizing itself to evade detection. ALERTS VIRUS

5.7.24

Mekotio malware targets banking users in Latin America Mekotio is a banking trojan active in the threat landscape since at least 2015 and targeting predominantly the Latin America region. ALERTS VIRUS

5.7.24

Religion as Bait: AndroRAT Targets Nigerian Mobile Users Nigeria features a vibrant religious landscape with multiple different faiths shaping the country. ALERTS VIRUS

5.7.24

Fake Sex Tapes of Turkish Celebrities Fuel SpyNote Spread Fake sex tapes remain a common social engineering lure used by malware actors due to their ability to evoke strong emotions potentially resulting in impulsive actions. ALERTS VIRUS

5.7.24

CVE-2024-37051 - JetBrains IntelliJ IDEs vulnerability CVE-2024-37051 is a recently disclosed critical vulnerability impacting Jetbrains IntelliJ integrated development environment (IDE) apps. ALERTS VULNEREBILITY

5.7.24

LukaLocker ransomware distributed by Volcano Demon group LukaLocker is a newly seen offering from a ransomware group dubbed Volcano Demon. Recently observed attacks were prefaced by exfiltration of data using harvested credentials. ALERTS RANSOM

4.7.24

Disguised e-book delivering AsyncRAT Former reports detailed how AsyncRAT malware is usually distributed via file extensions such as .chm, .wsf, and .lnk. Attackers disguise malware as 'survey' content in document files and more recently as e-books. ALERTS VIRUS

4.7.24

CosmicSting (CVE-2024-34102) - XXE vulnerability is targeting Adobe Commerce and Magento CVE-2024-34102 is a critical (CVSS: 9.8) XML External Entity Reference (XXE) vulnerability in Adobe commerce and Magento, which are popular E-commerce platforms. ALERTS VULNEREBILITY

4.7.24

CVE-2024-29849 - Veeam Backup Enterprise Manager authentication bypass vulnerability CVE-2024-29849 is a recently disclosed critical authentication bypass vulnerability (CVSS score 9.8) affecting Veeam Backup Enterprise Manager. ALERTS VULNEREBILITY

4.7.24

CVE-2024-36104 - Path Traversal vulnerability in Apache OFBiz CVE-2024-36104 is a Path traversal vulnerability in Apache OFBiz, which is a comprehensive suite of business applications. ALERTS VULNEREBILITY

4.7.24

k4spreader: New malware tool used by '8220' Chinese threat actor group A new malware tool known as k4spreader has been observed being used by the '8220' Chinese threat actor group in recent campaigns. ALERTS GROUP

3.7.24

RegreSSHion (CVE-2024-6387) Symantec is aware of the "regreSSHion" vulnerability (CVE-2024-6387), which is a critical remote code execution (RCE) flaw in OpenSSH. ALERTS VULNEREBILITY

3.7.24

Protection Highlight: CVE-2024-4577 PHP-CGI Argument Injection Vulnerability PHP is a general-purpose server scripting language and a powerful scripting tool for making dynamic and interactive Web pages. CVE-2024-4577 is a high-severity (CVSS: 9.8) argument injection vulnerability affecting PHP when running in CGI mode. ALERTS VULNEREBILITY

3.7.24

Apple IDs Targeted in US Smishing Campaign Phishing actors continue to target Apple IDs due to their widespread use, which offers access to a vast pool of potential victims. ALERTS HACKING

3.7.24

CVE-2024-31982 - XWiki RCE vulnerability CVE-2024-31982 is a recently disclosed remote code execution (RCE) vulnerability affecting XWiki, which is a popular open-source and Java-based wiki platform. ALERTS VULNEREBILITY

2.7.24

Datebug APT continues to spread CapraRAT Android malware Renewed malicious activity associated to the Datebug APT (aka. Transparent Tribe or APT36) has been reported by researchers from Sentinel One. ALERTS APT

2.7.24

Poseidon infostealer targeting macOS Poseidon is a new infostealer variant targeting the macOS platform. The malware is an evolution of the older variant known as RodStealer. ALERTS VIRUS

2.7.24

MerkSpy malware payload delivered through exploitation of CVE-2021-40444 vulnerability Researchers from Fortinet have reported on a new campaign delivering the MerkSpy malware. The threat actors behind this campaign have been leveraging an older Microsoft MSHTML RCE vulnerability - CVE-2021-40444 for payload distribution. ALERTS VIRUS

2.7.24

Kematian Stealer Researchers have reported a new stealer-type malware dubbed Kematian. This PowerShell-based tool is used for covertly accessing and transferring data from Windows systems. ALERTS VIRUS

2.7.24

Fake ZainCash App Steals Mobile User Data ZainCash, a comprehensive mobile wallet service licensed under the Central Bank of Iraq, designed to provide a variety of digital financial services, has become one of the latest Fintech brands abused by cybercriminals. ALERTS VIRUS
28.6.24 Unfurling Hemlock: Deploying malware cluster bomb for multi-malware infections The threat actor known as Unfurling Hemlock has been identified employing a method called "malware cluster bomb" to infect target systems with multiple malwares simultaneously. ALERTS VIRUS
28.6.24 Latrodectus malware campaign: Phishing with Firebase URLs and remote access tactics Latrodectus is a popular loader utilized by threat actors to download payloads and execute arbitrary commands. Phishing emails are the most common attack vector for distributing the Latrodectus malware. ALERTS PHISHING
28.6.24 Ransomware used as cover for suspected China-backed APT group ChamelGang activities According to a recently published report, a suspected China-backed APT group named ChamelGang (aka CamoFei) has been disguising its cyberespionage operations by also incorporating ransomware. ALERTS RANSOM
28.6.24 Threat Actor UAC-0184 using XWorm RAT Threat Actor group UAC-0184 has targeted Ukraine using a malware campaign to deliver a RAT known as XWorm. Using evasive techniques and through the use of Python-related files the XWorm malware compromises systems. ALERTS VIRUS
28.6.24 0bj3ctivity infostealer targeting Italy 0bj3ctivity is an infostealer variant first observed last year in campaigns targeting Italy. A new campaign delivering this malware yet again to Italian users has been reported by CERT-AGID. ALERTS VIRUS
28.6.24 Latest P2Pinfect malware variant spreads ransomware and coinminers A new P2Pinfect variant has been reported to spread both ransomware and Monero coinminer payloads in recent campaigns. P2Pinfect is a Rust-based botnet leveraging peer-to-peer (P2P) communication as C&C mechanism. ALERTS VIRUS
28.6.24 CVE-2024-4358 & CVE-2024-1800 - vulnerabilities in Telerik Report Server CVE-2024-4358 and CVE-2024-1800 are two recently disclosed vulnerabilities affecting the Telerik Report Server. ALERTS VULNEREBILITY
28.6.24 Threat actor Boolka compromising websites with BMANAGER malware Threat actor Boolka has been carrying out opportunistic SQL inection attacks against websites. When unsuspecting visitors land on the infected site(s) the JS inserted into the site(s) collects and exfiltrates the users inputs and interactions (such as credentials and other personal information). ALERTS VIRUS
28.6.24 New Medusa Android malware variant Medusa malware for Android, also known as Tanglebot, has re-emerged in a new distribution campaign. The activity has been reported to target various countries across the world including he United States, Canada, France, Italy, Spain, the United Kingdom, and Turkey. ALERTS VIRUS
26.6.24 New Medusa Android malware variant Medusa malware for Android, also known as Tanglebot, has re-emerged in a new distribution campaign. The activity has been reported to target various countries across the world including he United States, Canada, France, Italy, Spain, the United Kingdom, and Turkey. ALERTS VIRUS
26.6.24 Unstable and Condi botnets abusing cloud services for malicious activities As recently reported by researchers from Fortinet, Unstable and Condi botnets have been abusing various cloud services for storage and distribution of malware binaries as well as C2 communication purposes ALERTS VIRUS
26.6.24 CVE-2024-23692 - Rejetto HTTP File Server Server Side Template Injection vulnerability CVE-2024-23692 is a recently disclosed critical template injection vulnerability affecting Rejetto HTTP File Server (HFS) version 2.3m. Rejetto HFS is a web-based file sharing solution allowing sending and receiving files over HTTP. ALERTS VULNEREBILITY
26.6.24 ClickFix: Exploiting social engineering via PowerShell for malware deployment There is a growing cybersecurity trend where users are deceived into copying and pasting malicious PowerShell scripts into an administrative PowerShell terminal window, leading to malware installation. ALERTS VIRUS
26.6.24 Stego-Campaign exploiting documents to deploy Remcos RAT A phishing email campaign utilizing a URL shortener in a Microsoft Word file attachment, exploiting the CVE-2017-0199 vulnerability, has been reported in the wild. The URL redirect enticed users to download a variant of Equation Editor malware in RTF format. ALERTS VIRUS
26.6.24 SpiceRAT malware SpiceRAT is a new malware variant identified by Cisco Talos. The malware has been attributed to a threat actor known as SneakyChef that has been conducting malicious campaigns against governmental entities in EMEA. ALERTS VIRUS
26.6.24 SpyMax mobile malware targets Telegram users A new variant of the Android malware SpyMax has been observed in recent campaigns targeting Telegram users. The malicious .apk binaries are spread via a website masqueraded as a legitimate Telegram app download portal. ALERTS VIRUS
26.6.24 ExCobalt cyber espionage campaign targets Russian organizations with GoRed backdoor A cyber espionage campaign targeting Russian organizations by the ExCobalt threat actor has been observed. This campaign specifically targets government entities and IT firms. ALERTS CAMPAIGN
26.6.24 CVE-2024-29824 - SQL Injection Vulnerability in Ivanti Endpoint Manager CVE-2024-29824 is a critical SQL Injection vulnerability in Core server of Ivanti Endpoint Manager, which is an enterprise endpoint management solution that allows for centralized management of devices within an organization. ALERTS VULNEREBILITY
26.6.24 PHANTOM#SPIKE campaign makes use of .chm files to deliver custom backdoors PHANTOM#SPIKE is a recent malicious campaign identified in the wild. The attackers leverage phishing lures with password protected .rar and .zip archives. ALERTS CAMPAIGN
26.6.24 Red Mongoose Daemon malware Red Mongoose Daemon is a new banking malware variant identified by researchers from Scitum. The malware has been observed in campaigns targeting banking users and organizations in Brazil. ALERTS VIRUS
26.6.24 Apache HTTP Server CVE-2021-41773 vulnerability under active exploitation CVE-2021-41773 is a critical (CVSS score 7.5) path traversal and file disclosure vulnerability affecting Apache HTTP Server. If successfully exploited, this vulnerability enables unauthorized access of sensitive information. ALERTS VULNEREBILITY
26.6.24 Web Shell attack used for deployment of XMrig coinminer Web shell attacks are a common technique used by attackers to maintain persistence and remotely access web servers during cyberattacks. ALERTS CRYPTOCURRENCY
26.6.24 Rafel RAT mobile malware Rafel RAT is an open-source mobile malware observed in some recent campaigns targeting Android users. As reported by Checkpoint, the malware is a versatile tool that allows the attackers both data exfiltration as well as remote control over the infected device. ALERTS VIRUS
26.6.24 Satanstealer Infostealer Satanstealer is a new open source infostealing malware shared on GitHub. ALERTS VIRUS
26.6.24 QR Code-Embedded PDFs exploit Financial Institutions via ONNX Store A new phishing campaign involving embedded QR codes in PDF attachments has been reported. ONNX Store, a known Phishing-as-a-Service (PhaaS) platform, has been used to orchestrate this campaign targeting financial institutions. ALERTS EXPLOIT
26.6.24 SquidLoader - new loader in the threat landscape A new loader malware dubbed SquidLoader has been reported as being active distributed via phishing campaigns targeting Chinese-speaking users. The malware employs various evasion and decoy techniques in order to stay under the radar and avoid detection. ALERTS VIRUS
26.6.24 Fake Employee evaluation reports from Human Resources (HR) appear in new phish run Threat actors continue masquerading as members of Human resources (HR) department in efforts to spread a new wave of phish emails. ALERTS PHISHING
26.6.24 Telcos in Asian country targeted by Chinese espionage tools In a newly released report, Symantec’s Threat Hunter Team provide an analysis of activity observed impacting telecommunications operators in a specific Asian country. ALERTS CAMPAIGN
26.6.24 TA571 slips malicious scripts on to user's clipboards TA571 has recently been observed utilizing malicious HTML files in malspam campaigns. These files, once opened, copy a malicious PowerShell script to the user's clipboard while displaying an image that states the attached document is broken, ALERTS GROUP
26.6.24 Fickle Stealer Fickle Stealer is a recently observed malware written in Rust. Attackers leverage multiple delivery methods in a multi-stage attack chain to distribute the payload. ALERTS VIRUS
19.6.24 AzzaSec Ransomware AzzaSec is another run-of-the-mill ransomware variant found being distributed in the wild. The malware encrypts user files and appends .AzzaSec extension to them. ALERTS RANSOM
19.6.24 New strain of Diamorphine Linux rootkit A new variant of an open-source LKM (Loadable Kernel Module) rootkit dubbed Diamorphine has been found in the wild. ALERTS VIRUS
19.6.24 Malvertising Campaign Targets Users With Fake Software Installers A malvertising campaign has been observed, enticing users to download masqueraded installers disguised as popular software such as Google Chrome and Microsoft Teams. ALERTS VIRUS
19.6.24 Hijack Loader and Vidar Stealer targeting Cisco Webex users Malware campaigns affecting users in Latin America and the Asia Pacific regions have recently been reported. ALERTS VIRUS
19.6.24 Rogue Raticate Malspam Campaign: Malicious PDFs Lead to NetSupport RAT The cybercriminal group known as Rogue Raticate (aka RATicate) has been active for a few years now and is well-known for targeting enterprises using malicious emails and remote access trojans. ALERTS VIRUS
18.6.24 Vortax: MacOS Malware Campaign Unveiled A recent malware campaign targeting macOS vulnerabilities to distribute infostealers has surfaced. The threat actor, identified as markopolo, is actively aiming at cryptocurrency users. ALERTS VIRUS
18.6.24 Cryptojacking campaign exploiting Docker engine vulnerabilities A new cryptojacking campaign targeting publicly exposed Docker Engine hosts has been observed. It is presumed to be associated with the threat actors behind the previously seen malware campaign dubbed Spinning YARN. ALERTS CRYPTOCURRENCY
18.6.24 Rapax Ransomware Rapax is a ransomware whose binaries have recently been submitted to a public malware analysis and detection platform. ALERTS RANSOM
17.6.24 Limpopo ransomware targets ESXi servers Limpopo is new ransomware variant targeting the vulnerable ESXi servers, as reported by Fortinet. This malware variant is believed to be based on the leaked Babuk ransomware source code and related to other ransomware strains such as Socotra and Formosa. ALERTS RANSOM
17.6.24 CVE-2024-28995 - SolarWinds Serv-U Directory Traversal vulnerability CVE-2024-28995 is a recently disclosed Directory Traversal vulnerability affecting Serv-U managed file transfer (MFT) server solution. If successfully exploited the flaw could allow attackers with read access to sensitive information on the vulnerable host machine. ALERTS VULNEREBILITY
17.6.24 Brain Cipher Ransomware Ransomware actors continue to sprout from left and right, and in this protection bulletin, we'll briefly discuss one which uses a Lockbit variant having recently emerged in the threat landscape. ALERTS RANSOM
17.6.24 Chaos ransomware actors pose as Lockbit to add pressure Symantec has recently observed a Chaos ransomware actor making the rounds - encrypting single machines and claiming to be 'Lockbit' in dropped ransom notes (readme.txt). In this case, they are demanding $180 USD worth of Bitcoin be paid to a specified crypto wallet. ALERTS RANSOM
17.6.24 DISGOMOJI: Discord-based malware campaign targeting government organizations A new innovative malware campaign has emerged, utilizing Discord for Command and Control (C2) operations and employing an emoji-based protocol where the threat actor communicates commands to the malware through emojis in the command channel. ALERTS VIRUS
14.6.24 OPIX Ransomware OPIX is a newly discovered ransomware variant typically spread through social engineering tactics such as phishing emails and drive-by downloads. ALERTS RANSOM
14.6.24 Malspam Campaign Delivering Koi Loader/Koi Stealer In a recent malspam campaign attackers appear to have altered their tactics in order to avoid detection. Instead of the typical approach of sending direct emails with malicious links, in this case they began with benign emails discussing a random scenario. ALERTS VIRUS
14.6.24 El Dorado Ransomware: Increased Attacks El Dorado is a double-extortion ransomware actor who has recently claimed multiple victims on their website. Once they gain access to a company, they search for machines with valuable data to exfiltrate and encrypt, appending .00000001 to encrypted files ALERTS RANSOM
14.6.24 Operation Celestial Force A new malicious campaign dubbed 'Operation Celestial Force' has been reported by the researchers from Cisco Talos. The campaign has been active since at least 2018 and targeting Indian organizations from the defense, government and technology sectors. ALERTS OPERATION
14.6.24 As part of June's patch Tuesday, Microsoft has patched a critical (CVSS score 9.8) Message Queuing (MSMQ) vulnerability CVE-2024-30080. ALERTS VULNEREBILITY
14.6.24 CVE-2024-4701 - Netflix Genie job orchestration engine vulnerability CVE-2024-4701 is a recently disclosed critical (CVSS score 9.9) path traversal vulnerability affecting Netflix' Genie job orchestration engine for big data applications. ALERTS VULNEREBILITY
14.6.24 CVE-2024-2194 - WP Statistics Plugin XSS vulnerability CVE-2024-2194 is a recently disclosed stored cross-site scripting vulnerability affecting WP Statistics plugin for WordPress in versions up to 14.5 ALERTS VULNEREBILITY
13.6.24 Noodle RAT malware supports both Windows and Linux deployments Noodle RAT is a malware variant recently identified by researchers from Trend Micro. This RAT has been reported as being used in targeted campaigns in the Asia-Pacific region.Drop and MicroLoad malwares prior to final payload deployment. Next to the Windows variant of this malware, a Linux strain has also been identified. It features capabilities to download/upload arbitrary files, reverse shell execution as well as SOCKS tunneling. ALERTS VIRUS
13.6.24 Adwind (aka jRAT) distributed in recent campaigns targeting users in Italy Adwind malware (also known as jRAT or njRAT) has been observed in recent campaigns targeting users in Italy. The attack chain includes malspam emails containing .zip attachments. ALERTS VIRUS
13.6.24 WarmCookie backdoor WarmCookie is a new backdoor variant distributed in phishing campaigns advertising fake job offers. The attack chain leverages malicious JS scripts executing PowerShell commands that in turn lead to the download of WarmCookie DLL payloads. ALERTS VIRUS
13.6.24 Black Basta attackers leveraging CVE-2024-26169 vulnerability as a Zero-day In a newly released report, Symantec’s Threat Hunter Team reviewed evidence that suggests that attackers linked to Black Basta ransomware compiled CVE-2024-26169 exploit prior to patching. ALERTS VIRUS
13.6.24 Malware campaign unveils new ValleyRAT variant A malware campaign has been observed delivering a newer version of ValleyRAT as the final payload. The attack vector involves a downloader with an injected shellcode that dynamically resolves APIs and establishes a connection with the C2 server ALERTS VIRUS
12.6.24 Remcos RAT delivered via UUEncoding (UUE) File A recent phishing campaign spreading Remcos RAT employs themed documents related to shipping or quotations. The attack commences with a UUE-encoded VBS script, leading to the another obfuscated VBS script upon decoding. ALERTS VIRUS
12.6.24 Protection Highlight: Phishers Ramp Up Exploitation of Telegram Bot API Over the past few months, more and more phishing actors via malicious HTML have been following in the footsteps of Infostealers and RATs, and are now also abusing the Telegram Bot API to harvest users' credentials and other sensitive information such as credit cards details. ALERTS PHISHING
12.6.24 TellYouThePass ransomware exploiting CVE-2024-4577 Argument Injection Vulnerability in PHP CVE-2024-4577 - is a high-severity (CVSS: 9.8) argument injection vulnerability in PHP, which is a popular scripting tool. This vulnerability affects PHP when it runs in CGI mode. ALERTS VULNEREBILITY
12.6.24 Fog Ransomware A new ransomware variant dubbed Fog has been recently distributed in the wild. The attackers behind this malware have been leveraging compromised VPN credentials to attack vulnerable networks of US organizations from the education and recreation sector. ALERTS RANSOM
12.6.24 AZStealer - a Python-based infostealer AZStealer is a recently discovered Python-based infostealer variant. It has the functionality to steal a wide variety of information from the compromised endpoints including ALERTS VIRUS
12.6.24 Fireant APT targets Vietnamese entities with LNK file malware campaign A malware campaign conducted by the Fireant (also known as Mustang Panda) APT group using Windows shortcut (LNK) files has been reported ALERTS APT
12.6.24 Beware of malicious Python packages on PyPI repository Numerous malicious Python packages have been observed on the Python Package Index (PyPI) repository, aimed at exploiting typosquatting to target users of legitimate packages. ALERTS VIRUS
12.6.24 DERO cryptojacking operation targeting Kubernetes infrastructure Dero, a cryptocurrency, offers better privacy, anonymity and faster rewards than Monero, and is often used in cryptojacking according to a March 2023 report. ALERTS CRYPTOCURRENCY
11.6.24 SSLoader malware using PhantomLoader SSLoader malware uses PhantomLoader (an effective tool for deploying malware) to enhance its elusive and stealthy behavior. ALERTS VIRUS
11.6.24 Yet another JScript RAT spreads via phishing campaign It is generally known that JScript-based RATs are often spread via phishing campaigns, and a recent attack was spotted using the same technique as former runs where an initial loader script connects ALERTS VIRUS
11.6.24 Abusing Google Ads to distribute backdoor malware masquerading as Advanced IP Scanner A malicious backdoor malware, masquerading as an Advanced IP Scanner, has been observed in the wild ALERTS VIRUS
11.6.24 New Grandoreiro banking trojan campaign masquerading as government entities through spear-phishing A new campaign involving the Grandoreiro banking trojan has been observed in the wild. The threat actors are leveraging spear-phishing emails masquerading as correspondence from government entities to lure recipients into downloading ZIP files ALERTS VIRUS
11.6.24 Agent Tesla sending malicious XLA files Agent Tesla, an infostealing .Net based RAT, has recently been observed sending Spanish language malspam with attached XLA files. ALERTS VIRUS
10.6.24 Fake 'KMSPico Activator Tool' Utilized to Deliver Vidar InfoStealer Researchers recently identified another drive-by download campaign, wherein users are deceived into downloading a malware-laden application named 'KMSPico activator tool.' ALERTS GROUP
8.6.24 Sticky Werewolf APT Sticky Werewolf is a threat group initially discovered over a year ago. The attackers have been known to target various organizations, most recently the pharmaceutical and aviation sectors. ALERTS APT
8.6.24 Seidr Stealer Seidr is another recent infostealer variant found in the wild and sold via illicit marketplaces. The malware is C++ based with modular architecture. Functionality-wise Seidr steals various information from the compromised endpoints including, ALERTS VIRUS
8.6.24 DORRA Ransomware DORRA is a recently found ransomware variant from the Makop malware family. The malware encrypts user files, appending the ".DORRA" extension, a unique ID and the developer's email address to them. ALERTS RANSOM
8.6.24 Apache RocketMQ targeted in Muhstik botnet campaign A recent campaign targeting Apache RocketMQ platforms, exploiting a known vulnerability (CVE-2023-33246) for remote code execution, has been observed. ALERTS BOTNET
8.6.24 Enhanced version of Vidar Stealer emerges An updated version of the Vidar Stealer has been observed in the wild. This customizable malware is being sold on the dark web and ALERTS VIRUS
8.6.24 CashRansomware - a new arrival to the threat landscape CashRansomware (aka CashCrypt) is a newly identified Ransomware‑as‑a‑Service (RaaS) variant. As reported by researchers from Tehtris, the malware appears to be still in active development ALERTS RANSOM
8.6.24 UNC1151 APT targets the Ukrainian Ministry of Defence with malicious Excel campaign The UNC1151 APT group has been observed conducting a malware campaign utilizing a malicious Excel document. This group is known for targeting Eastern European countries. ALERTS APT

6.6.24

CVE-2024-32113 - Path Traversal vulnerability in Apache OFBiz CVE-2024-32113 is a recently disclosed path traversal vulnerability affecting Apache OFBiz, which is an open source enterprise resource planning (ERP) system ALERTS VULNEREBILITY

6.6.24

Rising trend of exploiting Packer apps in targeted attacks An increasing trend of abusing Packer apps as a technique to deploy malware payloads has been observed in the wild. Numerous known malware families, primarily related to RATs and stealers, have been exploiting commercial ALERTS VIRUS

6.6.24

The rise of Kiteshield packer in the ever-evolving landscape of Linux malware Threat actors are constantly seeking out new tactics and platforms to evade detection and carry out their espionage activities. ALERTS VIRUS

6.6.24

CoinMiner's Proxy Server Suffers Unlucky Ransomware Attack Reports have described what seems to be an accidental cyber threat activity where a CoinMiner's proxy server was exposed to the Internet and became the target of a ransomware threat actor's RDP scan attack. ALERTS RANSOM

6.6.24

SenSayQ: Emerging Ransomware Group SenSayQ is an emerging ransomware actor who has recently been observed in the threat landscape. ALERTS RANSOM

6.6.24

New Linux variant of the TargetCompany ransomware A new Linux variant belonging to the TargetRansomware (aka Mallox) malware family has been found in the wild. ALERTS RANSOM

6.6.24

Updated Cuckoo malware variant spotted in the wild Cuckoo is an infostealing macOS malware initially discovered earlier this year. A new variant of it has just recently been observed in the wild. ALERTS VIRUS

6.6.24

RansomHub Ransomware In a newly released report, Symantec’s Threat Hunter Team provide an analysis of the highly active RansomHub ransomware and its similarity to the now defunct Knight ransomware. ALERTS RANSOM

6.6.24

DarkCrystal RAT Delivered via Signal Messenger The messaging application 'Signal' is famous among the military and is currently being exploited to deliver DarkCrystal RAT malware to government officials, military personnel, and representatives of defense enterprises in Ukraine. ALERTS VIRUS

6.6.24

Cobalt Strike campaign targets Ukraine using malicious Excel files A new campaign targeting Ukraine with Cobalt Strike payloads has been observed by researchers from Fortinet. ALERTS CAMPAIGN

6.6.24

Android Spyware Targets Brazilian Mobile Users in Nubank Masquerade Nubank, a leading digital bank in Latin America known for its no-fee credit card and mobile banking services, has been one of the latest financial companies to have its brand abused in social engineering schemes aimed at luring mobile users in Brazil ALERTS VIRUS

6.6.24

CVE-2024-24919 - Check Point Security Gateway Information Disclosure Vulnerability CVE-2024-24919 is an information disclosure vulnerability in Check Point Security Gateway. Check Point Security Gateway is an integrated software solution that connects corporate networks, branch offices, and business partners via a secure channel. ALERTS VULNEREBILITY

6.6.24

CVE-2024–27348 - Remote Code Execution vulnerability in Apache HugeGraph Server Recently, a critical remote code execution (RCE) vulnerability has been discovered in Apache HugeGraph-Server, identified as CVE-2024-27348 (CVSS: 9.8). ALERTS VULNEREBILITY

6.6.24

Underground Ransomware Remains Active Over the past year the Ransomware actor known as "Underground" has been less active than other groups, yet they remain in the threat landscape and continue to target industries of various size. ALERTS RANSOM

6.6.24

Botnet malware campaign distributing NiceRAT malware A botnet malware campaign has been reported distributing the NiceRAT malware, disguising itself as Windows or Office genuine authentication tools or free game servers, through domestic file-sharing sites or blogs. ALERTS VIRUS

6.6.24

LummaC2 Infostealer Delivered via a Recent ClearFake Campaign ClearFake, a JavaScript framework, utilizes both drive-by-downloads and social engineering tactics, often in fake "browser update" campaigns. ALERTS VIRUS

6.6.24

Brazilian banking trojan CarnavalHeist A recent campaign has seen Brazilian users being targeted by a banking Trojan dubbed CarnavalHeist. The infection chain begins with a financial themed mail through which the recipient is lured into downloading an invoice (named as "Nota Fiscal" ALERTS VIRUS

6.6.24

RedTail cryptomining malware exploiting PAN-OS vulnerability RedTail cryptocurrency mining malware has added PAN-OS vulnerability to its exploit arsenal. PAN-OS CVE-2024-3400 is a now patched vulnerability that allows an attacker to execute an arbitrary code file with root user privileges. ALERTS CRYPTOCURRENCY

31.5.24

Malicious activity by LilacSquid threat group A recently disclosed infostealing campaign attributed to the threat group known as LilacSquid has been active since at least 2021. ALERTS GROUP

31.5.24

Unveiling cryptocurrency mining tactic of the 8220 Gang The 8220 Gang, a widely recognized threat actor based in China and driven by financial motives, has been active since 2017. ALERTS CRYPTOCURRENCY

31.5.24

SmallTiger malware campaign reported targeting Korean companies A malware campaign distributing SmallTiger malware has been reported targeting Korean companies in the defence, automobile parts, and semiconductor manufacturing sectors. ALERTS CAMPAIGN

30.5.24

BitRAT and Lumma Stealer spread as fake browser updates A new campaign delivering BitRAT and Lumma Stealer malware has been observed in the wild. The malware is spread via fake browser updates. ALERTS VIRUS

30.5.24

Metamorfo Banking Trojan Metamorfo is a banking Trojan malware (aka Casbaneiro) that is spread through malspam campaigns luring users to click on HTML attachments. ALERTS VIRUS

30.5.24

Datebug updating toolkits with Golang to be cross-platform APT group Datebug, in operation since 2013, has been observed updating their toolkit with a new data exfiltration tool written in Golang created with the goal of targeting APAC governments and defense sectors. ALERTS APT

30.5.24

NSIS-based packer usage observed in many common malware families The Nullsoft Scriptable Install System (NSIS) is a commonly seen open source software used by cybercriminals for generating malware. ALERTS VIRUS

30.5.24

CatDDoS: A rising threat across multiple sectors A rise in activity involving a Mirai distributed denial-of-service (DDoS) botnet variant called CatDDoS has been observed. ALERTS BOTNET

30.5.24

Mexican Telecom Continuously Impersonated by SpyNote Actor Since at least October 2023, a SpyNote actor has been abusing the brand of a well-known and prominent telecommunications company in Mexico that operates extensively across Latin America and the Caribbean, serving millions of customers ALERTS VIRUS

30.5.24

AllaSenha - new AllaKore malware variant AllaSenha is a new banking malware variant from the AllaKore RAT family that has recently been used in distribution campaigns targeted at banking users in Brazil. ALERTS VIRUS

30.5.24

Zonix Ransomware Zonix is a recently discovered ransomware variant from the Xorist malware family. The malware encrypts user files and appends the ".ZoN" extensions to them. ALERTS RANSOM

30.5.24

CVE-2024-32640 - SQL Injection vulnerability in Mura/Masa CMS CVE-2024-32640 is a recently disclosed SQL injection vulnerability affecting Mura/Masa CMS, which is an open source enterprise content management system. ALERTS VULNEREBILITY

30.5.24

Emergence of a new North Korean threat actor dubbed Moonstone Sleet A recent emergence in the threat landscape involves a new North Korean actor dubbed Moonstone Sleet. ALERTS APT

30.5.24

Fraudulent PDF Viewer Login Pages Phishing for User Credentials A phishing campaign was recently observed where a malicious HTML attachment masquerading as a PDF Viewer login page prompts users to verify their password to access a document. ALERTS PHISHING

30.5.24

Agent Tesla: The Uninvited Guest at Indonesia's GEMASTIK 2024 Event Symantec has recently observed a peculiar malspam campaign in Indonesia where the actor is running a sophisticated email scheme impersonating the School of Electrical Engineering and Informatics (STEI) at the Institut Teknologi Bandung (ITB) in Indonesia. ALERTS VIRUS

30.5.24

Red Akodon threat group recent activities According to recent report published by SCITUM, Red Akodon is a new threat group conducting its malicious activities prevalently in Colombia since at least April 2024. ALERTS VIRUS

30.5.24

TXZ file extension: Evolution of malware distribution in email campaigns Threat actors usually send malicious emails with attachments carrying a malicious payload, or they send out containers which include files like archives. ALERTS VIRUS

30.5.24

Gipy malware distributed under the disguise of AI voice generator tools A new malicious campaign spreading infostealing malware dubbed Gipy has been observed in the wild. ALERTS VIRUS

28.5.24

Embargo Ransomware Embargo is a new Rust-based ransomware variant identified in the wild. The malware encrypts user files and appends “.564ba1” extension to them. ALERTS RANSOM

28.5.24

Rising popularity of Arc browser overshadowed by malvertising campaign The Arc browser, developed by The Browser Company, has been gaining a lot of popularity in the market, promising to personalize the way users browse the internet. ALERTS CAMPAIGN

28.5.24

Phishing campaign targeting financial institutions impersonates medical center A phishing campaign targeting European and US financial institutions has been reported. The attacks involve sending emails impersonating a medical center, with SCR files disguised as financial documents to trick victims into downloading and executing them. ALERTS PHISHING

28.5.24

Iluria Stealer There have been reports of in-the-wild activity for a run-of-the-mill stealer known as Iluria. Like many other forks and variants of Discord Stealers, it is capable of stealing tokens, browser credentials, and payment information. ALERTS VIRUS

28.5.24

Rise of Fake AV websites hosting advanced malware Recently, there has been an increase in the number of fake antivirus (AV) websites pretending to be legitimate solutions. ALERTS VIRUS

28.5.24

CVE-2024-30268: XSS Vulnerability in Cacti CVE-2024-30268 is a reflected cross-site scripting vulnerability in Cacti, a network monitoring and fault management framework. ALERTS VULNEREBILITY

28.5.24

CVE-2024-21793 and CVE-2024-26026 - two recent vulnerabilities affecting F5 BIG-IP Next Central Manager CVE-2024-21793 and CVE-2024-26026 are two recently identified high severity vulnerabilities affecting the F5 BIG-IP Next Central Manager. ALERTS VULNEREBILITY

28.5.24

CVE-2020-17519: Directory Traversal Vulnerability in Apache Flink The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a three-year-old directory traversal vulnerability (CVE-2020-17519) in Apache Flink to the Known Exploited Vulnerabilities Catalog ALERTS VULNEREBILITY

28.5.24

Android Bankbot impersonates Uzbekistan banks In recent days, mobile users in Uzbekistan have been targeted by an Android BankBot campaign where actors are disguising their malware as fictitious banking apps (Xalq Banki Credit.apk & Bank Ipak.apk) ALERTS VIRUS

25.5.24

Path Traversal Vulnerability in Nexus Repository CVE-2024-4956 CVE-2024-4956 is a path traversal vulnerability in Sonatype Nexus Repository 3. Nexus Repository is a widely used artifact repository manager. ALERTS VULNEREBILITY

25.5.24

Operation Diplomatic Specter: A Chinese APT campaign targeting political entities in multiple regions An ongoing campaign dubbed Operation Diplomatic Specter, targeting political entities in the Middle East, Africa, and Asia, has been reported. A Chinese APT group behind the campaign has been leveraging rare email exfiltration techniques against compromised servers. ALERTS APT

25.5.24

RustDoor malware exploits JAVS Viewer vulnerability in courtroom software A Windows-based malware named RustDoor has been observed being distributed via a compromised audio-visual recording software package used in courtroom environments ALERTS VIRUS

23.5.24

Expanded operations of the Sharp Dragon APT As reported by Checkpoint, Sharp Dragon APT group (also formerly known as Sharp Panda) has been expanding its operations towards targets in Africa and in the Caribbean. ALERTS APT

23.5.24

CVE-2024-29895 - Command Injection Vulnerability in Cacti CVE-2024-29895 is a critical (CVSS score 10) command injection vulnerability affecting Cacti, which is a network monitoring and fault management framework. ALERTS VULNEREBILITY

23.5.24

Waltuhium Grabber Waltuhium is an open-source infostealer that has been observed being shared in dark web forums. It is claimed to have features such as ALERTS HACKING

23.5.24

GuLoader Impersonates an Italian Seafood Distributor GuLoader, an advanced downloader, is showing no signs of stopping, and its prevalence continues to increase with more and more campaigns observed around the world. ALERTS VIRUS

23.5.24

CLOUD#REVERSER campaign leverages cloud storage for malware delivery A new campaign dubbed CLOUD#REVERSER has been reported to abuse various cloud storage repositories such as Dropbox or Google Drive for malware delivery and C&C purposes. ALERTS CAMPAIGN

23.5.24

Acrid infostealer leverages “Heaven’s Gate” technique Acrid is a recently identified C++-based infostealing malware. In its functionality, it is very similar to other infostealer variants present currently in the threat landscape ALERTS VIRUS

23.5.24

CVE-2023-43208 - NextGen Healthcare Mirth Connect RCE vulnerability exploited in the wild CVE-2023-43208 is a Remote Code Execution (RCE) vulnerability disclosed in October last year. The vulnerability affects NextGen Healthcare Mirth Connect prior to version 4.4.1, ALERTS VULNEREBILITY

23.5.24

GhostEngine malware terminates EDR agents and deploys coin miner A multimodule malware dubbed GhostEngine has been observed in the wild. This malware leverages vulnerable drivers to terminate and delete known Endpoint Detection and Response (EDR) agents that would likely interfere with the deployed coin miner. ALERTS VIRUS

22.5.24

Smishing: Fake IRS Scare Tactic to Snatch Cryptowallets' 12-Word Recovery Phrases Symantec has recently observed a malicious SMS campaign in the US targeting mobile users' cryptowallet 12-word recovery phrases. The actors are impersonating the IRS and using a scare tactic related to cryptocurrency holdings declaration.  ALERTS PHISHING 

22.5.24

XWorm v5.6 malware A new v5.6 variant of the XWorm malware has been observed in the wild. The malware is distributed under the disguise of various applications, games or adult content, with the binaries spread through either online sharing repositories or via torrent downloads. ALERTS VIRUS

22.5.24

Malware campaign uses LNK files and MSBuild to likely deliver TinyTurla backdoor A malware campaign utilizing malicious LNK files has been observed. The threat actors behind the campaign are using human rights seminar invitations and public advisories to lure users. Once lured, MSBuild is used to execute and deliver a fileless final payload. ALERTS VIRUS

22.5.24

Keyplug backdoor distributed against organizations in Italy A new campaign attributed to the Grayfly threat group (aka APT41) has been distributing the Keyplug modular malware to various organizations in Italy. As reported by Yoroi, this C++based malware comes in variants supporting both Windows and Linux platforms. ALERTS VIRUS

21.5.24

Deuterbear RAT targets Asia-Pacific in advanced cyber espionage campaign A cyber espionage campaign has been reported targeting the Asia-Pacific region, involving the deployment of a remote access trojan (RAT) called Deuterbear ALERTS VIRUS

21.5.24

SamsStealer malware Reports have emerged of a new infostealer, dubbed SamsStealer, circulating in the threat landscape. ALERTS VIRUS

21.5.24

Bank Mellat Users in Various Countries Targeted by FakeBank Campaign Symantec has observed an Android FakeBank campaign targeting mobile users of a private Iranian bank known as Mellat, by posing as a fictitious banking app (Mellat.apk). ALERTS CAMPAIGN

21.5.24

Vultur Malware Poses as Antivirus Recently, a Vultur campaign has been observed in which the actor is disguising it as a known antivirus mobile application (<company name>_Security.apk). ALERTS VIRUS

21.5.24

HiJackLoader gets new modules to lay low HijackLoader is a multi-stage loader that has recently seen some updates. ALERTS VIRUS

21.5.24

Antidot mobile malware Antidot is a recently discovered banking trojan for Android. The malware is distributed under the disguise of a Google Play update app. ALERTS VIRUS

21.5.24

Chaos Ransomware Lures Gamers with Fake Free Discord Nitro As the Chaos Ransomware builder is widely available to the public, instances are observed on a daily basis around the world with both consumers and enterprises being targeted. ALERTS RANSOM

21.5.24

Synapse Ransomware Synapse is a ransomware written in C that can encrypt local files, files on removable drives, and files stored on network shares, with the capability of propagating to other systems on a network. Encrypted files will have the extension ALERTS RANSOM

21.5.24

Storm-1811 threat actor conducts Vishing attack via Quick Assist tool Threat actor Storm-1811 has been reported carrying out a vishing (voice phishing) attack using the client management tool Quick Assist. ALERTS GROUP

21.5.24

Springtail threat group uses new Linux backdoor in attacks In a newly released report, Symantec’s Threat Hunter Team sheds light on a recently discovered Linux backdoor developed by the North-Korean Springtail espionage group (aka Kimsuky). ALERTS APT

16.5.24

New malware Cuttlefish A new malware dubbed Cuttlefish was reported to infect small office/home office and enterprise grade routers with the intent to monitor passing data traffic and discreetly exfiltrating only authentication related information such as usernames, ALERTS VIRUS

16.5.24

Remcos RAT expands functionality with PrivateLoader module Remcos RAT, a remote access Trojan, enables unauthorized remote control and surveillance of compromised systems. Recently, Remcos RAT was observed leveraging a PrivateLoader module to augment its functionality and persistence on the victim's machine. ALERTS VIRUS

16.5.24

Malicious Minecraft mod harvests data from Windows system Many gamers prefer to enhance their gaming experience with custom mods, such as those offering the Windows Borderless feature. This feature enables multitasking and seamless switching between applications, facilitating tasks like game recording. ALERTS VIRUS

16.5.24

Atomic Stealer (AMOS) among the malware variants spread in the GitCaught operation A recent malicious campaign dubbed GitCaught has been reported to spread multiple infostealing payloads targeted at various platforms including macOS. ALERTS VIRUS

16.5.24

PureCrypter malware used in Mallox ransomware distribution campaign PureCrypter loader has been used in a recent malicious campaign leading up to the delivery of Mallox ransomware payloads ALERTS VIRUS

16.5.24

Malicious Word Document Dropping DanaBot Malware A recent Danabot malspam campaign was observed being delivered via a Word document containing a malicious external link which if clicked will launch a series of events where additional executable files will get downloaded including a command prompt ALERTS VIRUS

15.5.24

Phorpiex botnet distributes LockBit Black Ransomware via email campaign A high-volume email campaign facilitated by the Phorpiex botnet, delivering LockBit Black ransomware, has been reported. ALERTS BOTNET

15.5.24

Dracula (Samurai) Stealer Dracula (also known as Samurai Stealer) is an infostealing malware variant attributed to the threat group known as the Amnesia Team (aka Cerberus). ALERTS VIRUS

15.5.24

WaveStealer: New malware distributed on messaging platforms WaveStealer, a newly emerged sophisticated malware tool, is being distributed on platforms like Telegram and Discord for purchase at a low cost. ALERTS VIRUS

15.5.24

FIN7 malware campaign exploiting Google Ads A malware campaign exploiting Google Ads, attributed to the threat actor FIN7, has been reported in the wild. ALERTS VIRUS

15.5.24

Beast Ransomware and Vidar Infostealer delivered via disguised documents Documents like copyright violation warnings and resumes were leveraged in a recent campaign to deliver ransomware and infostealer. ALERTS RANSOM

15.5.24

GCash Users Targeted in Latest Smishing Scam Mobile wallets have transformed the financial landscape by providing convenience and accessibility, but they also present lucrative targets for cybercriminals as Symantec continues to observe a flurry of smishing around the world.  ALERTS SPAM

15.5.24

Trinity Ransomware According to a recent research published by Cyble, Trinity is a newly identified ransomware variant believed to be an updated version of the “2023Lock” ransomware. ALERTS RANSOM

15.5.24

Malspam campaign delivers ASyncRAT by way of multiple scripts In a recently observed campaign, multiple scripts were used to deliver the ASyncRAT payload. Initiated by an HTML email attachment, victims would be compromised by various non-PE files to deliver and establish persistence of ASyncRAT. ALERTS VIRUS

15.5.24

Black Basta ransomware attacks target the healthcare sector Symantec Security Response is aware of the recent joint alert from CISA, the FBI, Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) regarding a number of targeted activities observed for the Black Basta ransomware ALERTS RANSOM

15.5.24

A Mining Trojan called Hidden Shovel Researchers uncovered a new mining trojan dubbed "Hidden Shovel", discovered through network security monitoring. ALERTS VIRUS

12.5.24

CVE-2024-24506 - LimeSurvey Community Edition XSS vulnerability CVE-2024-24506 is a recently disclosed Cross Site Scripting (XSS) vulnerability affecting LimeSurvey Community Edition version 5.3.32. ALERTS VULNEREBILITY

12.5.24

CVE-2024-1313 - BOLA vulnerability in Grafana CVE-2024-1313 is a recently disclosed Broken Object-Level Authorization (BOLA) vulnerability affecting Grafana, which is a open-source data visualization web application. ALERTS VULNEREBILITY

10.5.24

Exploitation of Ivanti Pulse Secure vulnerabilities for Mirai botnet delivery In January of this year, Ivanti reported two vulnerabilities, CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection), affecting Ivanti Connect Secure and Ivanti Policy Secure Gateways. ALERTS EXPLOIT

10.5.24

Malware campaign targeting Windows and MS Office users via software cracks A malware campaign distributing RATs and coinminers via cracks for popular software, specifically targeting users of Windows and MS Office software, has been observed. ALERTS VIRUS

10.5.24

Coper Actors Abuse LiveChat CDN in Ongoing Fake Chrome Tactic Symantec continues to observe daily instances of Coper malware disguised as a fake Chrome Android application. This tactic is not new having been in use for some time now. ALERTS VIRUS

10.5.24

Malspam campaign: Password protected archive hosted on GitHub leads to AsyncRAT
Over the past two weeks, Symantec has observed an actor leveraging a peculiar attack chain to distribute highly obfuscated payload onto compromised systems. The attacks start with malicious emails containing a malicious PDF, DOCX, or SVG file (REMITIRA A TRAVES DEL SERVICIO POSTAL AUTORIZADO.docx, Radicado juridico 23156484.svg, and 99-DEMANDA .docx).
ALERTS CAMPAIGN

10.5.24

Russian bulletproof hosting services exploited for malicious activities, SocGholish malware campaigns The use of Russian bulletproof hosting services for hosting malicious activities, including command-and-control (C2) servers and phishing pages distributing SocGholish malware, has been reported. ALERTS EXPLOIT

10.5.24

Malicious Minecraft Mods: zEus stealer targets gamers A malware campaign targeting Minecraft players has been reported, where custom packages promising to enhance the game's appearance are actually distributing the zEus stealer. ALERTS VIRUS
9.5.24 Malicious Minecraft Mods: zEus stealer targets gamers A malware campaign targeting Minecraft players has been reported, where custom packages promising to enhance the game's appearance are actually distributing the zEus stealer. ALERTS VIRUS
9.5.24 Continuous Distribution of RokRAT Malware APT37 (ScarCruft) continues to distribute RokRAT malware via LNK files particularly targeting South Korean users. The malware, disguised within a genuine document will execute PowerShell commands after activation. ALERTS VIRUS
9.5.24 Gadfly buzzes inboxes with new phishing campaign Symantec has recently observed an uptick in phishing campaigns being delivered out of Gadfly (aka TA577). ALERTS CAMPAIGN
9.5.24 Hunt Ransomware - another Dharma/Crysis variant Hunt is another Dharma/Crysis ransomware variant discovered recently in the wild. The malware encrypts user files and appends .hunt extension to them alongside of a unique victim ID and the threat actor email address. ALERTS RANSOM
9.5.24 CVE-2024-27956 - WP-Automatic Plugin SQL Injection vulnerability exploited in the wild CVE-2024-27956 is a recently disclosed critical (CVSS score 9.8) SQL injection (SQLi) vulnerability in WP-Automatic plugin prior to version 3.92.1. ALERTS VULNEREBILITY
9.5.24 Shinra Ransomware Shinra, a recently discovered ransomware variant from the Proton malware family, encrypts files and appends the ".SHINRA3" extension while renaming file names to random strings. ALERTS RANSOM 
9.5.24 CVE-2024-2389 - Command Injection vulnerability affecting Progress Flowmon CVE-2024-2389, a recently disclosed critical vulnerability with a CVSS score of 10, affects Progress Flowmon, a widely used network performance monitoring tool. ALERTS VULNEREBILITY
9.5.24 Increase of Lockbit ransomware attacks Earlier in February this year the Lockbit ransomware family was targeted in a coordinated disruption operation called "Operation Cronos" that saw multiple members of this ransomware gang arrested, assets taken and a decryption tool released publicly. ALERTS RANSOM
7.5.24 CVE-2024-4040 - CrushFTP vulnerability exploited in the wild CVE-2024-1852 is a recently disclosed injection vulnerability affecting CrushFTP versions before 10.7.1 and 11.1.0. ALERTS VULNEREBILITY
7.5.24 Counterfeit Revenue Agency page distributing VBlogger malware A malware campaign involving a counterfeit Revenue Agency webpage hosted on an Italian domain has been reported. ALERTS VIRUS
7.5.24 Cuckoo: A new macOS malware targeting music ripping applications A new macOS malware dubbed Cuckoo has been reported. This malware is distributed through websites that offer applications for ripping music from streaming services. ALERTS VIRUS
7.5.24 Android malware used in targeted attack against Indian defense forces A socially engineered delivery through WhatsApp was leveraged to reportedly target Indian defense forces with a new Android malware by presenting itself as a defense-related application. ALERTS VIRUS

3.5.24

NiceCurl and TameCat custom backdoors leveraged by Damselfly APT NiceCurl and TameCat are two custom backdoor variants recently leveraged in malicious campaigns attributed to the Damselfly APT (also known as APT42). ALERTS APT

3.5.24

TesseractStealer malware leverages OCR engine for information extraction TesseractStealer is an infostealer recently distributed by variants of the ViperSoftX malware. This malware leverages Tesseract (an open source OCR engine) in an effort to extract text from user image files. ALERTS VIRUS

3.5.24

A recent Darkgate malspam campaign The infection chain for this campaign initiates from an email file with an HTML attachment. ALERTS CAMPAIGN

3.5.24

Latest macOS Adload variant focuses on detection evasion A recent report by SentinelOne outlines changes observed to a recent macOS malware Adload. The most recent variants of this malware family come with capabilities allowing it to evade the latest Apple XProtect signatures. ALERTS VIRUS

3.5.24

Old dogs teaching new tricks to ZLoader ZLoader, a modular trojan, has implemented anti-analysis capabilities that appear to be lifted from the ZeuS source code. ALERTS VIRUS

3.5.24

Goldoon botnet According to a recent report from FortiGuard Labs, a new botnet variant dubbed Goldoon has been observed in the wild. ALERTS BOTNET

3.5.24

BirdyClient malware leverages Microsoft Graph API for C&C communication An increasing number of threats have begun to leverage the Microsoft Graph API, usually to facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services. ALERTS VIRUS

3.5.24

DarkGate loader continues to be actively distributed DarkGate loader malware has been a very actively distributed within the last year. Numerous email campaigns have leveraged various attack chains to deliver the DarkGate payload. ALERTS VIRUS

3.5.24

Dwphon mobile malware Dwphon is a recently identified malware variant targeting the Android platform.  ALERTS VIRUS

3.5.24

SpyNote using Central Bank of Kazakhstan as a lure No countries or financial institutions are exempt from having their brands abused to lure mobile users into installing Android malware—a trend that continues to grow. ALERTS VIRUS

3.5.24

GuLoader campaign targeting industries in Russian-speaking countries An actor has been observed running two email campaigns with different social engineering tactics that lead to Guloader. Both campaigns target industries in Russian-speaking countries such as Russia, Belarus, Kyrgyzstan, and Kazakhstan. ALERTS CAMPAIGN
30.4.24 New DragonForce Ransomware variant A new variant of ransomware called DragonForce has been observed using a leaked ransomware builder from the LockBit ransomware group. ALERTS RANSOM
30.4.24 Security vendor applications impersonated in recent malware campaign Impersonating legitimate applications is a common tactic observed in attack campaigns. Among the simpler methods of impersonation is to convince a victim to execute content by leveraging a legitimate filename. ALERTS VIRUS
30.4.24 Ziraat Stealer disguised as data recovery tool The Ziraat Stealer, a .NET infostealer, has been discovered masquerading as a Data Recovery tool. This malware is capable of extracting passwords and credentials from browsers, social media platforms, ALERTS VIRUS
30.4.24 Rising trend of FakeBat malware campaigns, exploiting MSIX installers and malvertising Many campaigns involving the FakeBat malware have been reported recently, showing an increasing trend. FakeBat utilizes multiple delivery tactics, with malvertising being the primary strategy. ALERTS VIRUS
27.4.24 Multiple vulnerabilities in OpenMetadata OpenMetadata is an open source metadata platform that can be used for data discovery, cataloging and collaboration. ALERTS VULNEREBILITY
27.4.24 KageNoHitobito ransomware KageNoHitobito ransomware came on the scene in March 2024. This is a no frills ransomware with basic old school functionality; file encryption (only on the local drive), drops ransom notes, and requires interaction with the attack group via Tor. ALERTS RANSOM
27.4.24 Brokewell mobile malware Brokewell is a new mobile malware variant discovered in the wild. According to a recent report, the malware is delivered to Android users via a fake Google Chrome browser update package. ALERTS VIRUS
27.4.24 Amadey malware family remains an active threat in the landscape Amadey is an infostealer variant enriched with additional functionalities allowing it to download and execute malicious payloads such as ransomware. ALERTS VIRUS
25.4.24 SSLoad and Cobalt Strike leveraged in compromised "Contact Form" campaign A new loader has emerged called SSLoad, distinct from SLoad. Reports reveal a campaign where attackers were observed abusing and sending malicious links via contact forms. ALERTS APT
25.4.24 SpyNote campaign using Vietnam's National Public Service as bait SpyNote remote access trojan and its variants are proliferating globally, with groups and individuals employing various social engineering tactics to target mobile users. ALERTS APT
25.4.24 APT43 exploits Dropbox in TutorialRAT distribution campaign The APT43 group has been observed distributing TutorialRAT by actively exploiting Dropbox cloud storage as a base for their attacks to evade threat monitoring. ALERTS APT
25.4.24 CryptBot among the infostealer variants distributed in latest CoralRaider campaign According to a recent report, three distinct infostealers variants Cryptbot, LummaC2 and Rhadamanthys have been distributed in a newly discovered campaign attributed to the threat actor known as CoralRaider. ALERTS VIRUS
25.4.24 Seedworm exploits Atera Agent in a spear-phishing Campaign Seedworm (also known as MuddyWater), is actively exploiting the legitimate remote monitoring and management (RMM) tool Atera Agent in its spear-phishing campaign. ALERTS CAMPAIGN
25.4.24 Fake Job App Steals SMS Messages From Oil Industry Job Seekers Symantec has recently observed a malicious actor targeting mobile users who are looking for jobs in the oil industry. ALERTS GROUP
25.4.24 More Fake MetaMask Android Apps Circulating, Targeting Users' Wallets More fake MetaMask Android applications have been observed targeting mobile users' wallet via phishing tactics, all of which are being hosted on malicious domains mimicking MetaMask and leveraging typosquatting techniques. ALERTS VIRUS
25.4.24 GooseEgg, a post-explotation malware Researchers at Microsoft have reported on ongoing activities of the Russian-based threat actor Forest Blizzard identified by Symantec as Swallowtail (aka STRONTIUM) utilizing a custom tool dubbed GooseEgg. ALERTS VIRUS
23.4.24 Kapeka backdoor Kapeka is a recently identified backdoor variant leveraged in malicious campaigns targeted at various entities from Eastern Europe since at least 2022. ALERTS VIRUS
23.4.24 Sharpil RAT malware - possible precursor to Sharp Stealer Sharpil is a new Remote Access Trojan (RAT) discovered in the threat landscape. This C#-based malware features basic infostealing functionality including system info collection and data gathering from various web browsers. ALERTS VIRUS
22.4.24 Core Werewolf APT group targets Russian defense organizations in espionage campaign Espionage activity of the Core Werewolf APT group targeting Russian defense organizations was observed around mid-April. ALERTS APT
22.4.24 Megazord Ransomware Megazord ransomware is a Rust-based malware that targets healthcare, education, and government entities. ALERTS RANSOM
22.4.24 OfflRouter observed infecting Ukrainian DOC files Threat researchers have recently discovered OfflRouter infections in various DOC files observed in the wild. ALERTS VIRUS
20.4.24 Coreid (aka Fin7) uses backdoor against US Automaker victims A recent report provided details of activity by the Coreid (aka Fin7) threat group in which victims in the US automaker industry were targeted. ALERTS APT
20.4.24 APT Group exploits Web3 gaming hype in campaign for cryptocurrency earnings A campaign centered around imitating web3 gaming projects has been observed, likely operated by a Russian-language APT group aiming for potential cryptocurrency earnings by leveraging the allure of blockchain-based gaming. ALERTS APT
20.4.24 Akira ransomware remains an active threat on the landscape Symantec Security Response is aware of the recent joint alert from CISA, the FBI, Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL) ALERTS RANSOM
20.4.24 XAgent spyware targeting iOS devices An XAgent spyware targeting iOS devices has been identified, linked to the Swallowtail group (APT28). Primarily targeting political and government entities in Western Europe ALERTS VIRUS
19.4.24 Malware campaign distributing MadMxShell backdoor via masquerade websites A new backdoor called MadMxShell has surfaced as part of a malware campaign. The threat actors responsible for the campaign are hosting masquerade websites that impersonate legitimate IP scanner software sites. ALERTS CAMPAIGN
19.4.24 CR4T malware implant distributed in the DuneQuixote campaign Malicious campaign dubbed DuneQuixote has been reported to distribute new variants of the CR4T malware implant. The campaign targets various organizations and entities in the Middle East. ALERTS VIRUS
19.4.24 Mamont Android banking trojan Mamont is a recently identified banking trojan for Android. The malware has been distributed disguised as a Google Chrome installer package. ALERTS VIRUS
18.4.24 Google Firebase and Clearbit abused in Phishing campaigns Phishing actors employ a plethora of tactics to make their phishing attempts more persuasive, ranging from hosting services to social engineering. ALERTS CAMPAIGN
18.4.24 TP-Link Archer AX21 CVE-2023-1389 still being exploited by botnets Last year an unauthenticated command injection vulnerability, CVE-2023-1389, was disclosed for the web management interface of the TP-Link Archer AX21 (AX1800) router. ALERTS VULNEREBILITY
17.4.24 CVE-2024-1852 - WordPress WP-Members Membership Plugin vulnerability CVE-2024-1852 is a high severity cross-site scripting (XSS) vulnerability affecting WordPress WP-Members Membership Plugin. ALERTS VULNEREBILITY
17.4.24 SoumniBot - Android banking malware SoumniBot is a new banking malware variant for Android. ALERTS VIRUS
17.4.24 Rincrypt Ransomware Rincrypt is one more run-of-the-mill ransomware variant recently observed on the threat landscape. When executed, it targets files with the specific extensions according to a pre-defined list. The malware appends the encrypted files with “.rincrypt” extension. ALERTS RANSOM
17.4.24 Tax-Themed phishing campaign deploys XWorm RAT An email phishing campaign has been reported deploying the Remote Access Trojan (RAT) XWorm. ALERTS VIRUS
17.4.24 Risen Ransomware A ransomware actor known as "Risen" has been detected in the wild. According to their ransom note ($Risen_Note.txt and $risen_guide.hta), the threat actors appear to employ double-extortion tactics by threatening to sell or leak stolen information if the ransom payment is not made. ALERTS RANSOM
16.4.24 SteganoAmor campaign attributed to TA558 threat group A new malicious campaign dubbed as SteganoAmor has been attributed to the TA558 threat actor. ALERTS GROUP
16.4.24 L00KUPRU Ransomware L00KUPRU is a new Xorist ransomware variant recently discovered in the wild. The malware encrypts user files and adds the .L00KUPRU extension to them. ALERTS RANSOM
16.4.24 SolarMarker malware campaign adapts with PyInstaller for obfuscation A SolarMarker malware campaign has been observed utilizing PyInstaller to obfuscate first-stage PowerShell scripts instead of Inno Setup and PS2EXE, showcasing the adaptability of threat actors in evading detection mechanisms targeting SolarMarker. ALERTS VIRUS
16.4.24 Hive0051c malware campaign distributing GammaLoad in Ukraine Hive0051c has been observed conducting a malware campaign distributing the GammaLoad malware in Ukraine. ALERTS VIRUS
16.4.24 FatalRAT Distributed Through Fake Cryptocurrency App Website A new malicious campaign has been identified where the attackers attempt to distribute FatalRAT malware via a webpage masqueraded as a legitimate cryptocurrency application download website specifically designed for Chinese users. ALERTS VIRUS
16.4.24 Fake Anti Radar App SpyNote RAT Targets French Drivers Speed cameras are quite prevalent in France, and their numbers have increased significantly over the years as part of road safety measures. ALERTS VIRUS
16.4.24 XploitSPY Android malware An active malicious campaign dubbed "eXotic Visit" has been recently spreading a customized variant of the XploitSPY Android malware. ALERTS VIRUS
13.4.24 Signed backdoor found in screen mirroring software A recent report identified a signed backdoor present in LaiXi Android screen mirroring software. According to the report, attackers abused the Microsoft Windows Hardware Compatibility Program to get the malware signed. ALERTS VIRUS
12.4.24 LightSpy malware implant LightSpy is a modular surveillance tool with variants supporting both Android and iOS platforms. ALERTS VIRUS
12.4.24 Rhadamanthys malware deployments attributed to TA547 A new Rhadamanthys infostealer deployment campaign attributed to the TA547 threat actor has been discovered in the wild. The campaign targets a wide range of industries in Germany. ALERTS VIRUS
11.4.24 Pupy RAT continues to be used in attacks against Linux systems Pupy RAT continues to be leveraged in attacks conducted by miscellaneous threat operators. ALERTS VIRUS
11.4.24 Metasploit Meterpreter observed in attacks targeting vulnerable Redis servers Meterpreter is an advanced Metasploit attack payload leveraged in penetration testing that uses in-memory DLL injection stagers. ALERTS HACKING
11.4.24 Nitrogen malware delivery campaign A new malicious campaign spreading the Nitrogen malware has been observed in the wild. The attack leverages malvertising techniques via Google Ads and the malware binaries are masqueraded as PuTTY or FileZilla software installers. ALERTS CAMPAIGN
9.4.24 SpyNote mobile malware spread under the disguise of INPS Mobile application A recent campaign targeted at mobile users in Italy has been distributing SpyNote malware under the disguise of the INPS Mobile application. ALERTS VIRUS
9.4.24 Nova Stealer among the malware variants distributed via Facebook ads advertising fake AI services A new infostealer distribution campaign has been reported in the wild with attackers leveraging compromised Facebook accounts to advertise fake AI services impersonating well-known brands such as MidJourney, SORA AI, Evoto, ChatGPT-5 and DALL-E 3. ALERTS VIRUS
8.4.24 CVE-2023-7102, New Zero-Day vulnerability in Barracuda's ESG Appliance exploited A Chinese threat actor, UNC4841, has been reported exploiting a new zero-day vulnerability identified as CVE-2023-7102 in Barracuda Email Security Gateway (ESG) appliances. ALERTS VULNEREBILITY
8.4.24 New phishing run spoofs International Card Services (ICS)
Symantec has observed a new wave of phish runs spoofing International Card Services BV to steal credentials. In this run, threat actors have not hyperlinked the phishing URL but included it in plain text along with the email content.
ALERTS PHISHING
8.4.24 TISAK Ransomware TISAK is a new ransomware variant observed in the wild. The malware appears to be a strain of the Proxima/BlackShadow ransomware family. It encrypts user data and appends .Tisak extension to the files. ALERTS RANSOM
8.4.24 Spoofed Adobe Creative Cloud email notifications appear in phish runs Adobe Creative Cloud provides a collection of applications for graphic design, video editing, web development, photography and more. ALERTS PHISHING
8.4.24 CVE-2023-41266 A path traversal vulnerability in Qlik Sense Enterprise under active exploitation CVE-2023-41266 is a path traversal vulnerability affecting Qlik Sense Enterprise. If successfully exploited, this vulnerability allows an unauthenticated remote attacker to generate an anonymous session. ALERTS VULNEREBILITY
8.4.24 Xamalicious Android malware Xamalicious is a backdoor malware targeting the Android platform. The malware is built using Xamarin framework which is an open source platform for creating apps with .NET and C#. ALERTS VIRUS
8.4.24 Binance Turkey Users Lured with MASAK Audit Scare More Binance smishing is being observed around the world, and in a recent example, Symantec has observed an actor targeting Turkish Binance users. ALERTS CRIME
8.4.24 Continuous activities of UAC-0099 threat group against Ukraine "UAC-0099" is a threat group known to be targeting Ukraine since at least mid-2022. In some of the recent campaigns the attackers have been leveraging self extracting RAR .SFX archives ALERTS GROUP
8.4.24 Bandook malware - an older threat remains active in the wild
Bandook is a remote access trojan discovered way back in 2007. While it is quite an old malware family, new variants of Bandook reemerge in the wild with new distribution campaigns to this day.
ALERTS VIRUS
8.4.24 Malicious SMS Targets BDO Unibank users Banco De Oro (BDO) Unibank is the largest bank in the Philippines and among the top 20 banks in Southeast Asia. Over the past few weeks, ALERTS VIRUS
8.4.24 No Christmas Break for Agent Tesla: Riyad Bank Impersonated in a Malspam Campaign Usually over Christmas there is somewhat less malware activity, but that does not mean there isn't any. Attacks from all fronts (e.g., email, drive downloads, vulnerabilities, etc.) keep on going ALERTS VIRUS
8.4.24 Truist Bank users targeted with new phishing emails Truist Bank is one of the top U.S. commercial banks headquartered in Charlotte, North Carolina. Recently, Symantec has observed a new wave of phish runs spoofing Truist Bank services with fake account notifications. ALERTS PHISHING
8.4.24 MetaStealer distributed via malvertising MetaStealer is an infostealer variant discovered back in 2022. It is known to be delivered via malspam campaigns as well as bundled with pirated software. ALERTS VIRUS
8.4.24 New variant of Chameleon Android malware allows for biometric authentication bypass Chameleon is an Android banking malware that first emerged at the beginning of 2023 ALERTS VIRUS
8.4.24 Operation HamsaUpdate Operation HamsaUpdate is a recently identified campaign targeting Israeli customers using F5’s network devices. ALERTS OPERATION
8.4.24 Fictitious OnlyFans premium mobile app revealed as SpyNote OnlyFans' popularity worldwide has grown exponentially over the past few years. Positioned as a social media service, it has become a lucrative means of livelihood for many individuals. ALERTS VIRUS
8.4.24 Old MS Office vulnerability CVE-2017-11882 still leveraged for Agent Tesla delivery CVE-2017-11882 is an older vulnerability affecting the Equation Editor component in Microsoft Office. Successful exploitation of this flaw might allow attackers for remote code execution on the infected machines. ALERTS VULNEREBILITY
8.4.24 Movable Type API CVE-2021-20837 vulnerability under active exploitation CVE-2021-20837 is a critical (CVSS score 9.8) command injection vulnerability affecting Movable Type API. If successfully exploited, this vulnerability enables remote code execution. ALERTS VULNEREBILITY
8.4.24 GuLoader campaign: From Seoul to Brussels GuLoader's prevalence remains unwavering, and Symantec continues to observe actors conducting campaigns worldwide. One particular case has caught our attention, as the actor exhibits behavior reminiscent of a locust colony, traversing from field to field. ALERTS VIRUS
8.4.24 Xray Ransomware Xray is yet another ransomware actor that has been observed in the threat landscape, targeting companies' servers and clients. Capability-wise, it's a generic ransomware that allows the actor to determine which folders to encrypt and which to skip. ALERTS RANSOM
8.4.24 New phishing run spoofs Mexican Postal Service (Correos de Mexico) Symantec has observed a new wave of phish runs spoofing Mexican Postal Service (Correos de Mexico) to steal credentials. The email content is kept specific and mentions an undelivered package. ALERTS PHISHING
8.4.24 TA544 activities involving IDAT Loader A new set of malicious activities attributed to the TA544 (aka Narwal Spider) threat group has been reported in the wild. This threat actor has been known to target various Italian organizations and entities in the past. ALERTS VIRUS
8.4.24 JaskaGO infostealer for Windows and macOS JaskaGO is a new Go-based infostealer developed for both Windows and macOS platforms. The malware collects a wide range of data from the compromised machines including credentials, cookies, browser history, files from local folders, ALERTS VIRUS
8.4.24 Splunk Remote Code Execution (RCE) vulnerability CVE-2023-46214 CVE-2023-46214 is a recently disclosed remote code execution (RCE) vulnerability affecting Splunk Enterprise platform. Due to a flaw in processing of user-supplied extensible stylesheet language transformations (XSLT), ALERTS VULNEREBILITY
8.4.24 Zimbra Collaboration XSS vulnerability CVE-2023-37580 CVE-2023-37580 is a recently disclosed 0-day (CVSS score: 6.1) Cross-Site Scripting vulnerability affecting Zimbra Collaboration suite. ALERTS VULNEREBILITY
8.4.24 Play Ransomware - latest attacks against enterprises Symantec Security Response is aware of the recent CISA, FBI and ASD's ACSC alert regarding a number of recent targeted activities observed for the Play (aka PlayCrypt) ransomware. ALERTS RANSOM
8.4.24 "No One Was Home" themed Evri phishing emails are making the rounds Evri is a parcel delivery company based in United Kingdom. As the holiday season has started, spoofed emails masqueraded as Evri parcel notifications have been observed. ALERTS PHISHING
8.4.24 CVE-2023-49070 Apache OFBiz RCE vulnerability CVE-2023-49070 is a critical (CVSS score 9.8) pre-auth remote code execution vulnerability in Apache OFBiz. ALERTS VULNEREBILITY
8.4.24 African based telecommunications organizations targeted by Iranian Seedworm group The Symantec Threat Hunter Team, part of Broadcom, observed a recent campaign by the Seedworm threat actor group, targeting telecommunications organizations in North and East Africa. This activity, ALERTS APT
8.4.24 Fake NordVPN Installer Delivering SecTopRAT While monitoring for new stealers, Symantec has observed an actor who has set up a Telegram channel for a stealer dubbed Vortex. After following breadcrumbs, it appears that there are ongoing test-related activities. ALERTS VIRUS
5.4.24 New JsOutProx malware variant observed in campaigns targeted at financial sector A new JsOutProx malware variant has been observed in recent campaigns targeted at financial sector in the Africa, the Middle East, South Asia, and Southeast Asia. JsOutProx RAT is attributed to a threat group known as Solar Spider. ALERTS VIRUS
5.4.24 Byakugan malware Byakugan is a modular infostealer variant observed recently in the wild. The malware has been distributed under the disguise of a Adobe Reader installer. ALERTS VIRUS
5.4.24 Phorpiex malware campaign targets finance sector in Europe and North America A malware campaign distributing Phorpiex botnet has been observed targeting entities in the finance sector across Europe and North America. ALERTS VIRUS
5.4.24 Indonesia – Wedding invites used as lure by an SMS thief In mid-2023, an actor have been observed sending SMS messages to mobile users in Indonesia, enticing them to install an application posing as a wedding invitation. ALERTS SPAM
5.4.24 Latrodectus malware Latrodectus loader is a malware variant first discovered in November 2023. The malware has been recently distributed in malicious campaigns attributed to the TA577 and TA578 threat groups. ALERTS VIRUS
5.4.24 Backdoor code found in XZ Utils library On March 29th a security alert was issued warning users about malicious backdoor code embedded in certain versions of XZ Utils, a popular library of data compression tools that is present in nearly every Linux distribution. ALERTS VIRUS
5.4.24 MacOS Users targeted with Infostealers MacOS users continue to be targeted with infostealers via malicious advertisements and fake websites. In a recent campaign, a counterfeit website offering free group meeting scheduling software was observed. ALERTS VIRUS
5.4.24 TA588 continues espionage activities in Latin America The TA558 group, known for targeting various sectors across Latin America, has recently been observed employing spam emails with malicious attachments to distribute Venom RAT, a remote access trojan derived from Quasar RAT. ALERTS GROUP
5.4.24 YouTube Hijacking: Rise in Attack Campaigns Distributing Infostealers An increase in attack campaigns utilizing YouTube has been observed, with threat actors hijacking existing popular YouTube accounts to distribute Vidar and LummaC2 Infostealer malwares. ALERTS HACKING
3.4.24 Napoli Ransomware Napoli, a variant of Chaos ransomware, has recently been discovered in the wild. The malware encrypts user files, adds the .napoli extension and also changes the desktop wallpaper on the infected endpoints. ALERTS RANSOM
3.4.24 Emergence of new Vultur banking trojan variant in mobile threat landscape A newer version of the Vultur banking trojan for Android has been observed in the wild. This version features enhanced evasion techniques and advanced remote control capabilities. ALERTS VIRUS
3.4.24 Indonesian Businesses Targeted in an Agent Tesla Campaign Symantec has recently observed an individual or group running a targeted malspam campaign against Indonesian organizations, although instances have been seen in neighboring countries. ALERTS VIRUS
30.3.24 CVE-2024-20767 - Adobe ColdFusion vulnerability CVE-2024-20767 is a directory traversal vulnerability in Adobe ColdFusion, which is a development platform for building and deploying web and mobile applications. ALERTS VULNEREBILITY
30.3.24 Sync-Scheduler Infostealer A Infostealer dubbed as Sync-Scheduler, written in C++, has been reported as being distributed concealed within Office document files. ALERTS VIRUS
30.3.24 WarzoneRAT malware re-emerges with new samples WarzoneRAT (also known as AveMaria) is a commodity Remote Access Trojan variant used by various threat groups in recent years. ALERTS VIRUS
30.3.24 TheMoon malware targets thousands of insecure routers A new malicious campaign featuring an updated version of TheMoon, a notorious malware family has been reported. This latest variant of TheMoon appears to target insecure outdated home routers, ALERTS VIRUS
30.3.24 Beware of FlightNight A new threat actor has been observed using similar Tactics, Techniques and Procedures (TTPs) to recent Go-Stealer campaigns targeting Indian government entities. ALERTS VIRUS
28.3.24 Dropper disguised as legitimate PuTTy Software A threat actor has been reported purchasing an ad claiming to be the PuTTY homepage. This ad appeared at the top of the Google search results page, although it has since been removed. It appeared just before the official PuTTY website ALERTS VIRUS
28.3.24 Mispadu Stealer extends its reach Mispadu Stealer (known also as Ursa) has shown some increased activity in recent distribution campaigns. ALERTS VIRUS
28.3.24 Qilin ransomware remains an active threat in the landscape Qilin, also known as Agenda, is a Rust-based ransomware variant discovered in 2022. The malware has been spreading actively in the wild in recent months, with ongoing developments evident in new versions. ALERTS RANSOM
28.3.24 SnowLight downloader spread in campaigns exploiting F5 BIG-IP and ScreenConnect vulnerabilities Recent malicious campaigns attributed to the UNC5174 threat group have been reported to exploit F5 BIG-IP (CVE-2023-46747) and Connectwise ScreenConnect (CVE-2024-1709) vulnerabilities for malware delivery. ALERTS VIRUS
27.3.24 Stately Taurus APT Campaign Targeting Asian Countries Researchers observed a recent Stately Taurus (aka Mustang Panda) APT campaign during an ASEAN-Australia Special Summit held just this month targeting Asian countries. ALERTS APT
27.3.24 VCURMS and STRRAT being delivered via links in spam messages A java downloader has been discovered delivering VCURMS and STRRAT remote access trojans. This downloader is deployed via email with links to malicious JAR files. These two RATs will then download a modified Rude Stealer and keylogger for data exfiltration. ALERTS VIRUS
26.3.24 VCURMS and STRAT being delivered via links in spam messages A java downloader has been discovered delivering VCURMS and STRRAT remote access trojans. This downloader is deployed via email with links to malicious JAR files. These two RATs will then download a modified Rude Stealer and keylogger for data exfiltration. ALERTS VIRUS
26.3.24 VCURMS and STRRAT being delivered via links in spam messages A java downloader has been discovered delivering VCURMS and STRRAT remote access trojans. This downloader is deployed via email with links to malicious JAR files. These two RATs will then download a modified Rude Stealer and keylogger for data exfiltration. ALERTS VIRUS
26.3.24 New backdoor WineLoader Phishing attacks impersonating political parties with an invite lure to diplomats for a wine-tasting event has been used to deploy WineLoader malware. ALERTS VIRUS
26.3.24 New remote control backdoor leveraging malicious drivers emerges in China In a recent campaign observed in China, a new remote control backdoor was distributed. ALERTS VIRUS
26.3.24 Emergence of Mirai Nomi in the Threat Landscape A new Mirai botnet variant, named Mirai Nomi, has emerged in the threat landscape. This variant features modified UPX packing, a time-dependent Domain Generation Algorithm (DGA) for command and control, and multiple encryption and hashing algorithms. ALERTS BOTNET