ALERTS GROUP




DATE | NAME | CATEGORY | SUBCATEGORY | INFO

23.8.24 | Casbaneiro in the UAE: Impersonating Sharjah Ports Authority | ALERTS | GROUP | Ports and related authorities are high-value targets for threat actors because of their integral role in global supply chains and their connections to industries such as transportation, logistics, energy and government. Criminals often impersonate port authorities to lure organisations in other industries into phishing scams or social engineering attacks.

16.8.24 | Actor240524's spear-phishing campaign targets Azerbaijan and Israel with ABCloader | ALERTS | GROUP | A spear-phishing campaign by a new threat actor, Actor240524, targeting Azerbaijan and Israel has been observed. Users are lured with files disguised as official government documents that contain embedded VBA macros; on execution the macros deliver the ABCloader payload. ABCloader decrypts and loads an ABCsync DLL, which then communicates with the C2 server to receive remote commands. The malware employs anti-sandbox and anti-debug techniques to evade detection.

8.8.24 | How Malicious Actors Are Leveraging Cloud Services | ALERTS | GROUP | The number of threat actors leveraging legitimate cloud services in their attacks has grown this year, as attackers have begun to realise the potential of such services to provide low-key and low-cost infrastructure. Traffic to and from well-known, trusted services such as Microsoft OneDrive or Google Drive is less likely to raise red flags than communication with attacker-controlled infrastructure.

2.8.24 | Recent activities attributed to the UNC4393 threat group | ALERTS | GROUP | The threat actor dubbed UNC4393 has been active in the threat landscape since at least 2022. The group is known to leverage a wide variety of malware variants and custom tools in its attacks, including the Basta ransomware, the KnotWrap dropper, the KnotRock tool, the DawnCry dropper and the PortYard tunneler.

24.7.24 | Daggerfly group updates their toolset | ALERTS | GROUP | The Daggerfly threat group (aka Evasive Panda, Bronze Highland), which has been active for at least a decade, has made significant updates to its toolset. Symantec's Threat Hunter Team has published a report detailing Daggerfly tools such as the modular malware framework MgBot, Macma, a modular macOS backdoor, and a recently observed multi-stage backdoor identified as Suzafk.

24.7.24 | FIN7 has a versatile attack arsenal | ALERTS | GROUP | Threat actor FIN7 (also tracked under the names Carbon Spider, the Carbanak Group and Sangria Tempest) is known for its proficiency in sophisticated campaigns and for engineering attacks that gain initial access to corporate networks.

24.7.24 | Tag-100: Emerging threat actor exploiting appliance vulnerabilities | ALERTS | GROUP | A new threat actor, dubbed Tag-100, has been reported targeting government and private sector entities worldwide. The group initiates its attacks by exploiting known vulnerabilities in appliances such as Citrix NetScaler.

19.7.24 | UAC-0180 Phishing Campaign Targeting Ukrainian | ALERTS | GROUP | Researchers observed a recent phishing campaign targeting Ukrainian defense enterprises that uses the purchase of unmanned aerial vehicles (UAVs) as its lure. The distributed emails include a ZIP attachment containing a PDF file with a malicious link.

15.7.24 | CRYSTALRAY's Ongoing Operations Leveraging SSH-Snake | ALERTS | GROUP | Since February 2024, researchers have been tracking the evolving threat actor CRYSTALRAY. The group has been observed using a network mapping tool called SSH-Snake, a self-modifying worm that uses compromised SSH credentials to spread through networks.

4.7.24 | k4spreader: New malware tool used by '8220' Chinese threat actor group | ALERTS | GROUP | A new malware tool known as k4spreader has been observed in recent campaigns by the '8220' Chinese threat actor group. Written in cgo, k4spreader includes features such as system persistence, self-downloading and self-updating capabilities, and the deployment of other malware, such as the Tsunami DDoS botnet and the PwnRig mining program, which it downloads from Command-and-Control (C2) servers. k4spreader appears to still be under development, with three versions observed so far.
26.6.24 | TA571 slips malicious scripts onto users' clipboards | ALERTS | GROUP | TA571 has recently been observed using malicious HTML files in malspam campaigns. Once opened, these files copy a malicious PowerShell script to the user's clipboard while displaying an image stating that the attached document is broken and that the user needs to follow the provided steps. The steps instruct the user to open PowerShell, paste the script and run it, which deploys a second-stage infection.
10.6.24 | Fake 'KMSPico Activator Tool' Utilized to Deliver Vidar InfoStealer | ALERTS | GROUP | Researchers recently identified another drive-by download campaign in which users are deceived into downloading a malware-laden application named 'KMSPico activator tool'. This tool is marketed as a "universal activator" for Windows but is no longer maintained. The attack exploited Java dependencies and a malicious AutoIt script to disable Windows Defender, ultimately decrypting the Vidar payload through shellcode. Vidar's primary function is to steal sensitive user data from browsers and digital wallets, but the infostealer can also serve as a downloader for ransomware.

31.5.24 | Malicious activity by LilacSquid threat group | ALERTS | GROUP | A recently disclosed infostealing campaign attributed to the LilacSquid threat group has been active since at least 2021. As reported by Cisco Talos, the attackers have been targeting vulnerable public-facing servers and leveraging compromised RDP credentials to deploy a wide range of tools and malware. LilacSquid has been observed using the open-source remote management tool MeshAgent, a customized variant of the QuasarRAT malware dubbed PurpleInk, and malware loaders such as InkBox and InkLoader. The deployed PurpleInk payload allows the attackers to collect information from the compromised endpoint, enumerate, read or delete files, execute remote shells and forward data to attacker-controlled C2 servers, among other capabilities.

21.5.24 | Storm-1811 threat actor conducts vishing attack via Quick Assist tool | ALERTS | GROUP | Threat actor Storm-1811 has been reported carrying out a vishing (voice phishing) attack using the client management tool Quick Assist. Quick Assist is an application that lets a user share their system with another person over a remote connection to resolve issues. Once the user grants full control, the threat actor executes scripts that download batch files, with the aim of deploying Black Basta ransomware as the final payload throughout the network.
16.4.24 | SteganoAmor campaign attributed to TA558 threat group | ALERTS | GROUP | A new malicious campaign dubbed SteganoAmor has been attributed to the TA558 threat actor. The attackers have been using steganography, concealing malicious code inside image files. TA558 is a threat group known to target the tourism and hospitality sectors, with an extensive focus on targets located in Latin America. In these attacks the group continues to exploit an old Microsoft Office Equation Editor vulnerability from 2017, CVE-2017-11882. The delivered payloads vary and include malware from the Remcos, Agent Tesla, Formbook, Guloader, Lokibot, Xworm and several other families.
8.4.24 | Continuous activities of UAC-0099 threat group against Ukraine | ALERTS | GROUP | "UAC-0099" is a threat group known to have been targeting Ukraine since at least mid-2022. In some recent campaigns the attackers have leveraged self-extracting RAR (.SFX) archives, .LNK files masquerading as WordPad documents, PowerShell scripts and a VBS malware payload known as LoanPage. UAC-0099 has also been observed exploiting the known WinRAR vulnerability CVE-2023-38831 within the infection chain of its attacks.
5.4.24 | TA558 continues espionage activities in Latin America | ALERTS | GROUP | The TA558 group, known for targeting various sectors across Latin America, has recently been observed using spam emails with malicious attachments to distribute Venom RAT, a remote access trojan derived from Quasar RAT. The malware includes functionality for harvesting sensitive data and gaining remote control over compromised systems.