ALERTS CAMPAIGN
HOME APT BOTNET CAMPAIGN CRIME CRYPTOCURRENCY EXPLOIT HACKING GROUP OPERATION PHISHING RANSOM SPAM VIRUS VULNEREBILITY
DATE | NAME | CATEGORY | SUBCATE | INFO |
6.9.24 | MacroPack generated payloads distributed in latest campaigns | CAMPAIGN | A payload generation framework called MacroPack has been leveraged to create miscellaneous payloads in a series of malicious activities recently observed by the researchers from Cisco Talos. The attackers have been using Word, Excel or PowerPoint lures that once opened run malicious MacroPack VBA code that ultimately leads to the final payload delivery and execution. Among the distributed payloads were Brute Ratel and Havoc post-exploitation tools as well as a new variant of the PhantomCore RAT. | |
6.9.24 | SLOW#TEMPEST campaign targets Chinese entities | CAMPAIGN | A recently identified malware campaign named SLOW#TEMPEST was uncovered targeting Chinese entities. The attack chain starts by way of malspam attachments in the form of zip files which are bundled with a shortcut lnk file in addition to dll/exe files. Successful execution of the available content leads to the establishment of a foothold in the targeted environment. Through this position, the attackers can execute further TTPs to accomplish their goals (such as credential harvesting, lateral movement, persistence and privilege escalation). | |
5.9.24 | Stone Wolf campaign targets Russian firms with Meduza Stealer malware | CAMPAIGN | A malicious campaign by the Stone Wolf threat actor targeting Russian firms has been reported. The attackers use phishing emails impersonating a legitimate industrial automation provider to deliver the Meduza Stealer malware. The attack vector involves an archive containing a legitimate document alongside a malicious link to download and execute the Stealer payload. This malware collects and exfiltrates credentials, system information, and application data from compromised systems. | |
29.8.24 | Godzilla webshell deployment campaign | CAMPAIGN | A new Godzilla webshell deployment campaign has been reported in the wild. The attackers are targeting organizations running ASP.NET instances with vulnerable environment settings and leverage ViewState function to distribute malicious webshells into the victim's environment. Godzilla webshell is delivered in form of a .jar file and is used to execute remote commands or shellcode and to download additional payloads. | |
27.8.24 | Phishing campaign targeting users in Asia Pacific regions | CAMPAIGN | Symantec has recently observed a phishing campaign targeting users in Asia Pacific regions. This campaign utilizes HTML files that post the ill-gotten credentials to 3rd party hosting services, in this case nocodeform[.]io. The messages are delivered from either a 'postmaster' or 'MAILER-DAEMON' address in an effort to obscure themselves. | |
27.8.24 | SVG-Based Phishing Campaign Hits LATAM Industries Email Credentials | CAMPAIGN | In early August, Symantec observed an actor targeting multiple companies in Latin America across the retail, legal, dairy, finance, energy, and automobile manufacturing sectors. The goal was to collect email credentials, which are likely to fuel the initial access broker markets and lead to further compromises with varying impacts, including financial theft, cyber espionage, and ransomware attacks. | |
27.8.24 | Phishing campaign targets VPN users with Cheana Infostealer malware | CAMPAIGN | A phishing campaign targeting users downloading VPN software has been reported. As part of the campaign, a phishing site masquerading as a WarpVPN provider is hosted to distribute stealer malware for different operating system platforms. The malware, dubbed Cheana Stealer, collects and exfiltrates various types of information such as in-browser stored data, cookies, passwords, cryptocurrency wallets, and cryptocurrency browser extensions. The Linux and macOS versions have the additional capability of stealing SSH keys and Keychain data. | |
16.8.24 | Phishing campaign impersonates Google Safety Centre | CAMPAIGN | A phishing campaign reportedly impersonating the Google Safety Centre is deceiving users into downloading a malicious file disguised as Google Authenticator. This file installs two types of malware: Latrodectus, a downloader that executes commands from a C&C server, and ACR Stealer, which employs Dead Drop Resolver to obscure its C&C server details. The campaign showcases advanced evasion techniques amid ongoing efforts to refine the malware. | |
8.8.24 | Malware campaign exploits secureserver.net domain to deploy banking trojan | CAMPAIGN | A new banking trojan malware campaign is exploiting the secureserver.net domain to target Spanish and Portuguese-speaking regions. The multistage attack begins with malicious URLs leading to an archive containing an obfuscated .hta file. | |
8.8.24 | Italian campaign targeting certified email users delivers Vidar infostealer | CAMPAIGN | The Vidar infostealer has been observed as the payload of a recent malspam campaign targeting users in Italy. The campaign was distributed to users of certified email mailboxes and delivered a JavaScript downloader via a link in the email. The JavaScript was responsible for downloading and executing a PowerShell script which in turn leads to the final payload. | |
7.8.24 | Are faxes still relevant? This credential harvesting campaign thinks so | CAMPAIGN | Symantec has recently observed a phishing campaign impersonating fax notifications. These notifications include subjects similar to 'Incoming Fax Delivered for user**@****.com' and instructs users to open the attached HTML and enter their credentials in order to view the fax. | |
2.8.24 | Leafperforator campaign exploits Pakistan’s Maritime Affairs documents to spread JavaScript malware | CAMPAIGN | A new malware campaign by the Leafperforator (also known as SideWinder) threat actor, utilizing enhanced tactics and techniques has been reported. This threat actor relies on spear-phishing emails and targets Asian countries. In the latest campaign, users are tricked with documents related to employee termination or salary cuts, leading them to open a disguised file. This file exploits a known security flaw (CVE-2017-0199) to establish contact with a malicious domain masquerading as Pakistan's Directorate General Ports and Shipping. The domain then retrieves an RTF file exploiting CVE-2017-11882, leading to the delivery of JavaScript malware. | |
29.7.24 | Vietnam campaign: Android Spyware Masquerades as Techcombank | ALERTS | CAMPAIGN | Groups and individuals around the world have been using SpyNote, a popular Android remote access trojan, for the past few years, and its prevalence shows no signs of decreasing. E-crime and targeted campaigns against both enterprises and consumers are observed on a daily basis. |
24.7.24 | FakeApp Campaign: South Korea's Financial Institutions' Mobile Users Targeted | ALERTS | CAMPAIGN | In recent weeks, mobile users of several major financial institutions in South Korea were targeted by a FakeApp/FakeBank Android campaign. |
24.7.24 | New backdoor spreading in Seedworm malspam campaign | ALERTS | CAMPAIGN | Recently the APT group Seedworm has been observed deploying a previously undocumented backdoor named Bugsleep, primarily via a phishing campaign with PDFs containing malicious links targeting organizations in the Middle East. Once deployed this new backdoor allows attackers to execute remote commands and exfiltrate files to the C&C server. |
19.7.24 | RDPWrapper and Tailscale leveraged in recent malspam campaign | ALERTS | CAMPAIGN | Researchers have uncovered a multi-stage cyberattack campaign starting with a malicious zip file containing a .lnk shortcut file that was likely spread via phishing emails. Upon execution, the .lnk file downloads a PowerShell script enabling threat actors access via RDP. |
18.7.24 | Phishing campaign impersonating Afrihost services | ALERTS | CAMPAIGN | Afrihost is a South African Internet Service Provider (ISP) that offers services such as ADSL broadband, wireless, mobile services, and web hosting. Recently, Symantec has observed phishing campaigns impersonating Afrihost services. These campaigns involve fake notification emails that urge recipients to update their payment methods to avoid service interruption. |
12.7.24 | Vultur Campaign: Clothing Retailer Brand Abused in Fake App Scheme | ALERTS | CAMPAIGN | Brands of all genres are constantly abused by cybercriminals to target specific demographics, and financial institutions are usually the ones most impersonated. |
| 26.6.24 | ExCobalt cyber espionage campaign targets Russian organizations with GoRed backdoor | ALERTS | CAMPAIGN | A cyber espionage campaign targeting Russian organizations by the ExCobalt threat actor has been observed. This campaign specifically targets government entities and IT firms. As part of their tactics, the threat actors are distributing a new backdoor named GoRed, developed in Golang. They employ advanced tools such as Metasploit and Mimikatz post-exploitation to extract and exfiltrate sensitive information. |
| 26.6.24 | PHANTOM#SPIKE campaign makes use of .chm files to deliver custom backdoors | ALERTS | CAMPAIGN | PHANTOM#SPIKE is a recent malicious campaign identified in the wild. The attackers leverage phishing lures with password protected .rar and .zip archives. Upon extraction the victims are served with a hidden malicious executable and a .chm file which is Microsoft Compiled HTML Help file type. The delivered payload is a custom backdoor that once deployed will first attempt to establish connection with attackers' C2 servers, collect system information from the compromised endpoint and wait for further commands for execution. |
| 26.6.24 | Telcos in Asian country targeted by Chinese espionage tools | ALERTS | CAMPAIGN | In a newly released report, Symantec’s Threat Hunter Team provide an analysis of activity observed impacting telecommunications operators in a specific Asian country. In a sustained campaign which may have started as early as 2020, custom espionage tools associated with Chinese attack groups were identified. Backdoors such as Coolclient, Quickheal, and Rainyday, along with other tools used for credential theft, keylogging and port scanning, were leveraged as part of the attacks. |
6.6.24 | Cobalt Strike campaign targets Ukraine using malicious Excel files | ALERTS | CAMPAIGN | A new campaign targeting Ukraine with Cobalt Strike payloads has been observed by researchers from Fortinet. The attackers leverage a multi-staged approach while delivering Excel files containing malicious VBA macros, as well as DLL downloaders and injectors in later attack stages. The Cobalt Strike payloads allow the attackers to establish communication with command and control (C2) servers and execute arbitrary commands. |
31.5.24 | SmallTiger malware campaign reported targeting Korean companies | ALERTS | CAMPAIGN | A malware campaign distributing SmallTiger malware has been reported targeting Korean companies in the defence, automobile parts, and semiconductor manufacturing sectors. This malware acts as a downloader, connecting to the attackers' C&C server to fetch and execute the final payload in memory. As part of the attack chain, the attackers install Mimikatz and ProcDump on the compromised systems. The ProcDump tool is used to dump the memory of the LSASS process, thereby stealing credentials from the infected systems. Additionally, a command-line tool is utilised to extract and display account information and web browser history. |
28.5.24 | Rising popularity of Arc browser overshadowed by malvertising campaign | ALERTS | CAMPAIGN | The Arc browser, developed by The Browser Company, has been gaining a lot of popularity in the market, promising to personalize the way users browse the internet. With its innovative user interface design that sets it apart from traditional browsers, it started receiving even more attention after becoming available for Windows, whereas previously it was only intended for macOS systems. |
23.5.24 | CLOUD#REVERSER campaign leverages cloud storage for malware delivery | ALERTS | CAMPAIGN | A new campaign dubbed CLOUD#REVERSER has been reported to abuse various cloud storage repositories such as Dropbox or Google Drive for malware delivery and C&C purposes. The attackers leverage phishing emails with malicious attachments in the initial attack stages and several VBScript and PowerShell-based payload executions in later stages. The dropped malware has the functionality to exfiltrate user data, execute arbitrary commands and scripts received from the attackers as well as download additional binaries and execute them on the infected endpoints. |
21.5.24 | Bank Mellat Users in Various Countries Targeted by FakeBank Campaign | ALERTS | CAMPAIGN | Symantec has observed an Android FakeBank campaign targeting mobile users of a private Iranian bank known as Mellat, by posing as a fictitious banking app (Mellat.apk). Bank Mellat, also known as "Bank of the Nation", has a number of offices and branches both domestically within Iran and internationally. |
10.5.24 | Malspam campaign: Password protected archive hosted on GitHub leads to AsyncRAT | ALERTS | CAMPAIGN | Over the past two weeks, Symantec has observed an actor leveraging a peculiar attack chain to distribute highly obfuscated payload onto compromised systems. The attacks start with malicious emails containing a malicious PDF, DOCX, or SVG file (REMITIRA A TRAVES DEL SERVICIO POSTAL AUTORIZADO.docx, Radicado juridico 23156484.svg, and 99-DEMANDA .docx). |
| 9.5.24 | Gadfly buzzes inboxes with new phishing campaign | ALERTS | CAMPAIGN | Symantec has recently observed an uptick in phishing campaigns being delivered out of Gadfly (aka TA577). This campaign entices users to open the attached PDF, named with a Latin word, containing a link utilizing typo squatted subdomains for Microsoft login services, with the end goal being credential theft for later use. |
3.5.24 | A recent Darkgate malspam campaign | ALERTS | CAMPAIGN | The infection chain for this campaign initiates from an email file with an HTML attachment. This HTML file uses a background image that resembles what looks like a blank Microsoft Document file, where instructions on how to fix the offline viewing of the file can be seen. This is an attempt to trick victims into pasting malicious PowerShell code into a Windows Terminal. Once the code is executed, an HTA file will be downloaded and will continue to execute, eventually downloading a follow-up ZIP file. Once extracted, it will launch an open-source automation engine called AutoIt to execute a malicious AutoIt script named script.a3x that will eventually load the Darkgate trojan. |
3.5.24 | GuLoader campaign targeting industries in Russian-speaking countries | ALERTS | CAMPAIGN | An actor has been observed running two email campaigns with different social engineering tactics that lead to Guloader. Both campaigns target industries in Russian-speaking countries such as Russia, Belarus, Kyrgyzstan, and Kazakhstan. |
| 25.4.24 | Seedworm exploits Atera Agent in a spear-phishing Campaign | ALERTS | CAMPAIGN | Seedworm (also known as MuddyWater), is actively exploiting the legitimate remote monitoring and management (RMM) tool Atera Agent in its spear-phishing campaign. The actor leverages Atera's 30-day free trial offers to create agents registered with compromised email accounts, enabling remote access to targeted systems without establishing their own command-and-control (C2) infrastructure. Atera offers extensive remote control capabilities via its web UI, including file upload/download, interactive shell access, and AI-powered command assistance. The threat actor utilizes free file hosting platforms to host their RMM installers, distributing them via spear-phishing emails. |
| 19.4.24 | Malware campaign distributing MadMxShell backdoor via masquerade websites | ALERTS | CAMPAIGN | A new backdoor called MadMxShell has surfaced as part of a malware campaign. The threat actors responsible for the campaign are hosting masquerade websites that impersonate legitimate IP scanner software sites. Employing tactics such as typosquatting and SEO poisoning, they attract users through Google Ads. The backdoor utilizes DNS MX queries for command and control (C2) communication, aiming to evade memory forensics security solutions. The malware provides attackers with unauthorized access to compromised systems, allowing them to execute commands, exfiltrate data, and carry out other malicious activities. |
| 18.4.24 | Google Firebase and Clearbit abused in Phishing campaigns | ALERTS | CAMPAIGN | Phishing actors employ a plethora of tactics to make their phishing attempts more persuasive, ranging from hosting services to social engineering. Among host services, abusing Google Firebase has been prevalent due to its ease of use, free hosting, scalability, and domain customization features. These attributes make it an appealing platform for phishing actors seeking to host and distribute fraudulent content with minimal effort and cost. |
| 11.4.24 | Nitrogen malware delivery campaign | ALERTS | CAMPAIGN | A new malicious campaign spreading the Nitrogen malware has been observed in the wild. The attack leverages malvertising techniques via Google Ads and the malware binaries are masqueraded as PuTTY or FileZilla software installers. Nitrogen uses DLL sideloading to infect the targeted system. Once deployed this malware is generally used to gain initial access allowing network compromise and additional arbitrary payload deployments. |