Malware Blog 2024


22.12.24

Python-Based NodeStealer Version Targets Facebook Ads Manager In this blog entry, Trend Micro’s Managed XDR team discusses its investigation into how the latest variant of NodeStealer is delivered through spear-phishing attacks, potentially leading to malware execution, data theft, and the exfiltration of sensitive information via Telegram. Malware blog

Trend Micro

22.12.24

Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation This article analyzes a new packer-as-a-service (PaaS) called HeartCrypt, which is used to protect malware. It has been in development since July 2023 and began sales in February 2024. We have identified examples of malware samples created by this service based on strings found in several development samples the operators used to test their work. Malware blog

Palo Alto

22.12.24

Strela Stealer Targeting Ukraine Alongside Other European Countries Overview: The SonicWall Capture Labs threat research team has been tracking Strela Stealer for a long time. Our research shows that Strela Stealer remained active throughout 2024. We recently identified... Malware blog

SonicWall

22.12.24

Trojan Disguised as VPN Client Exploits Users with Fake Cisco AnyConnect Installer This week, the SonicWall Capture Labs threat research team analyzed a PDF file with a link to download a copy of a well-known VPN client. This PDF file appears to have been distributed via spam email and has a link to download Cisco AnyConnect. However, no VPN client was installed upon execution – instead, it downloaded a Trojan that constantly connected to various remote servers. Malware blog

SonicWall

22.12.24

Gaming Engines: An Undetected Playground for Malware Loaders Check Point Research discovered a new technique taking advantage of Godot Engine, a popular open-source game engine, to execute crafted GDScript code which triggers malicious commands and delivers malware. The technique remains undetected by almost all antivirus engines in VirusTotal. Malware blog

Checkpoint

22.12.24

Malware Spotlight: A Deep-Dive Analysis of WezRat Check Point Research (CPR) provides a comprehensive analysis of a custom modular infostealer, tracked as WezRat, after the FBI, the US Department of Treasury, and the Israeli National Cybersecurity Directorate (INCD) released a joint Cybersecurity Advisory and attributed the malware to the Iranian cyber group Emennet Pasargad. The group has been held responsible for several recent cyber operations in the US, France, Sweden, and Israel. Malware blog

Checkpoint

22.12.24

CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits Check Point Research is tracking an ongoing, large scale and sophisticated phishing campaign deploying the newest version of the Rhadamanthys stealer (0.7). We dubbed this campaign CopyRh(ight)adamantys. Malware blog

Checkpoint

21.12.24

Your Data Is Under New Lummanagement: The Rise of LummaStealer

In this Threat Analysis report, Cybereason investigates the rising activity of the malware LummaStealer.

Malware blog

Cybereason

21.12.24

Stellar Discovery of a New Cluster of Andromeda/Gamarue C2

In this Threat Analysis report, Cybereason investigates incidents relating to the Andromeda backdoor and a new cluster of C2 servers

Malware blog

Cybereason

21.12.24

Anatomy of Celestial Stealer: Malware-as-a-Service Revealed

During proactive hunting, Trellix Advanced Research Center found samples belonging to Celestial Stealer, a JavaScript-based infostealer which is packaged either as an Electron application or as a NodeJS single application for the Windows 10 and Windows 11 operating systems. It is a Malware-as-a-Service (MaaS) advertised on the Telegram platform. The stealer is marketed as FUD (fully undetectable).

Malware blog

Trellix

21.12.24

When Guardians Become Predators: How Malware Corrupts the Protectors

We often trust our security software to stand as an unbreakable wall against malware and attacks, but what happens when that very wall is weaponized against us?

Malware blog

Trellix

2.11.24

Attackers Target Exposed Docker Remote API Servers With perfctl Malware We observed an unknown threat actor abusing exposed Docker remote API servers to deploy the perfctl malware. Malware blog

Trend Micro

2.11.24

A Look Into Embargo Ransomware, Another Rust-based Ransomware Embargo is a relatively new ransomware group that emerged in 2024. This group is known for using Rust-based malware and operating under a ransomware-as-a-service (RaaS) model. Like many modern ransomware groups, Embargo employs double extortion tactics where they first exfiltrate sensitive data from their victims before encrypting their files. They then threaten to release the stolen data unless a ransom is paid. Malware blog SonicWall

2.11.24

HORUS Protector Part 1: The New Malware Distribution Service Recently, the SonicWall threat research team came across a new malware distribution service called Horus Protector. Horus Protector is claiming to be a Fully Undetectable (FUD) crypter. We have observed a variety of malware families propagated by Horus Protector including AgentTesla, Remcos, Snake, NjRat and many others. Malware blog SonicWall

2.11.24

Threat Spotlight: WarmCookie/BadSpace WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns. Malware blog Cisco Blog

2.11.24

Threat actor abuses Gophish to deliver new PowerRAT and DCRAT Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor. Malware blog Cisco Blog

2.11.24

Ghidra data type archive for Windows driver functions Cisco Talos is releasing a GDT file on GitHub that contains various definitions for functions and data types. Malware blog Cisco Blog

28.9.24

Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors Unit 42 researchers have been tracking the activity of an ongoing poisoned Python packages campaign delivering Linux and macOS backdoors via infected Python software packages. We’ve named these infected software packages PondRAT. We’ve also found Linux variants of POOLRAT, a known macOS remote administration tool (RAT) previously attributed to Gleaming Pisces (aka Citrine Sleet, distributor of AppleJeus). Based on our research into both RAT families, we assess that the new PondRAT is a lighter version of POOLRAT. Malware blog Palo Alto

28.9.24

Inside SnipBot: The Latest RomCom Malware Variant We recently discovered a novel version of the RomCom malware family called SnipBot and, for the first time, show post-infection activity from the attacker on a victim system. This new strain makes use of new tricks and unique code obfuscation methods in addition to those seen in previous versions of RomCom 3.0 and PEAPOD (RomCom 4.0). Malware blog Palo Alto

28.9.24

Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy Unit 42 researchers discovered two malware samples used by the Sparkling Pisces (aka Kimsuky) threat group. This includes an undocumented keylogger, called KLogEXE by its authors, and an undocumented variant of a backdoor dubbed FPSpy. These samples enhance Sparkling Pisces' already extensive arsenal and demonstrate the group’s continuous evolution and increasing capabilities. Malware blog Palo Alto

21.9.24

Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware Authored by Neil Tyagi In cybersecurity, threats constantly evolve, and new ways to exploit unsuspecting users are... Malware blog

McAfee

21.9.24

ESET Research Podcast: EvilVideo ESET researchers discuss how they uncovered a zero-day Telegram for Android exploit that allowed attackers to send malicious files posing as videos Malware blog

Eset

14.9.24

Earth Preta Evolves its Attacks with New Malware and Strategies In this blog entry, we discuss our analysis of Earth Preta’s enhancements in their attacks by introducing new tools, malware variants and strategies to their worm-based attacks and their time-sensitive spear-phishing campaign. Malware blog

Trend Micro

14.9.24

Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date Office versions and can still be vulnerable. Malware blog Cisco Blog

7.9.24

Banking Trojans: Mekotio Looks to Expand Targets, BBTok Abuses Utility Command Notorious Mekotio and BBTok are having a resurgence targeting Latin American users. Mekotio’s latest variant suggests the gang behind it is broadening their target, while BBTok is seen abusing MSBuild.exe to evade detection. Malware blog

Trend Micro

7.9.24

Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion While monitoring Earth Lusca, we discovered the threat group’s use of KTLVdoor, a highly obfuscated multiplatform backdoor, as part of a large-scale attack campaign. Malware blog

Trend Micro

7.9.24

ESET Research Podcast: HotPage ESET researchers discuss HotPage, a recently discovered adware armed with a highest-privilege, yet vulnerable, Microsoft-signed driver Malware blog

Eset

7.9.24

In plain sight: Malicious ads hiding in search results Sometimes there’s more than just an enticing product offer hiding behind an ad Malware blog

Eset

31.8.24

Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence Trend Micro discovered that old Atlassian Confluence versions that were affected by CVE-2023-22527 are being exploited using a new in-memory fileless backdoor. Malware blog

Trend Micro

31.8.24

AutoIT Bot Targets Gmail Accounts First

This week, the SonicWall Capture Labs threat research team observed an AutoIT-compiled executable that attempts to open Gmail login pages via MS Edge, Google Chrome and Mozilla Firefox.

Malware blog

SonicWall

24.8.24

MoonPeak malware from North Korean actors unveils new details on attacker infrastructure Cisco Talos has uncovered a new remote access trojan (RAT) family we are calling “MoonPeak.” This is a XenoRAT-based malware, which is under active development by a North Korean nexus cluster we are calling “UAT-5394.” Malware blog Cisco Blog

17.8.24

Mario movie malware might maliciously mess with your machine There are probably few among us who, never have they ever, downloaded questionable content. Whether it was a hit song in the Napster era or a Blockbuster movie you found on a “special” site online, you can probably think of at least one occasion when you got access to something from a, shall we say, less than reputable source. Malware blog Avast Blog

17.8.24

Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove Check Point Research (CPR) recently uncovered Styx Stealer, a new malware capable of stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency. Even though it only recently appeared, it has already been noticed in attacks, including those targeting our customers. Malware blog

Checkpoint

10.8.24

Cloud Cover: How Malicious Actors Are Leveraging Cloud Services In the past year, there has been a marked increase in the use of legitimate cloud services by attackers, including nation-state actors. Malware blog Symantec

10.8.24

Beware of Fake WinRAR Websites: Malware Hosted on GitHub A fake website seemingly distributing WinRAR, a data compression, encryption, and archiving tool for Windows, has been seen also hosting malware. This fake website closely resembles the official website, uses typosquatting, and capitalizes on internet users who might incorrectly type the URL of this well-known archiving application. Malware blog

SonicWall

3.8.24

Detecting evolving threats: NetSupport RAT campaign In this first Deep Dive with NTDR, we explore how defenders can leverage Snort for the detection of evasive malware threats. Malware blog Cisco Blog

3.8.24

Phishing targeting Polish SMBs continues via ModiLoader ESET researchers detected multiple, widespread phishing campaigns targeting SMBs in Poland during May 2024, distributing various malware families Malware blog

Eset

27.7.24

Handala’s Wiper Targets Israel

This blog will focus on the threat actor’s background and previous actions, the attack chain, and the wiper’s internals and reused code.

Malware blog

Trellix

27.7.24

The tap-estry of threats targeting Hamster Kombat players

ESET researchers have discovered threats abusing the success of the Hamster Kombat clicker game

Malware blog

Eset

20.7.24

Beware of BadPack: One Weird Trick Being Used Against Android Devices This article discusses recent samples of BadPack Android malware and examines how this threat’s tampered headers can obstruct malware analysis. We also review the effectiveness of various freely available tools for analyzing BadPack Android Package Kit (APK) files. Malware blog Palo Alto

20.7.24

NEW BUGSLEEP BACKDOOR DEPLOYED IN RECENT MUDDYWATER CAMPAIGNS MuddyWater, an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS), has significantly increased its activities in Israel since the beginning of the Israel-Hamas war in October 2023. This parallels with activities against targets in Saudi Arabia, Turkey, Azerbaijan, India and Portugal. Malware blog Checkpoint

20.7.24

HotPage: Story of a signed, vulnerable, ad-injecting driver A study of a sophisticated Chinese browser injector that leaves more doors open! Malware blog Eset

13.7.24

The Mechanics of ViperSoftX: Exploiting AutoIt and CLR for Stealthy PowerShell Execution ViperSoftX uses CLR to embed and execute PowerShell commands within AutoIt, seamlessly integrating malicious functions while evading detection with an AMSI bypass. Malware blog Trellix

13.7.24

Disarming DarkGate: A Deep Dive into Thwarting the Latest DarkGate Variant The SonicWall RTDMI™ engine has recently protected users against the distribution of the “6.6” variant of DarkGate malware by a phishing email campaign containing PDF files as an attachment. DarkGate is an advanced Remote Access Trojan that has been widely active since 2018. The RAT has been marketed as Malware-as-a-Service in underground forums, and threat actors are actively updating its code. The malware supports a wide range of features (anti-VM, anti-AV, delayed execution, multi-variant support, process hollowing, etc.), which are controlled by flags in the configuration data. Malware blog SonicWall

13.7.24

DarkGate: Dancing the Samba With Alluring Excel Files This article reviews a DarkGate malware campaign from March-April 2024 that uses Microsoft Excel files to download a malicious software package from public-facing SMB file shares. This was a relatively short-lived campaign that illustrates how threat actors can creatively abuse legitimate tools and services to distribute their malware. Malware blog Palo Alto

13.7.24

Dissecting GootLoader With Node.js This article shows how to circumvent anti-analysis techniques from GootLoader malware while using Node.js debugging in Visual Studio Code. This evasion technique used by GootLoader JavaScript files can present a formidable challenge for sandboxes attempting to analyze the malware. Malware blog Palo Alto

6.7.24

Mekotio Banking Trojan Threatens Financial Systems in Latin America We’ve recently seen a surge in attacks involving the Mekotio banking trojan. In this blog entry, we'll provide an overview of the trojan and what it does. Malware blog Trend Micro

6.7.24

The Hidden Danger of PDF Files with Embedded QR Codes The SonicWall Capture Labs threat research team has been observing PDF files with QR codes being abused by malware authors to deceive users for a long time. Malware blog SonicWall

6.7.24

Hijacked: How hacked YouTube channels spread scams and malware Here’s how cybercriminals go after YouTube channels and use them as conduits for fraud – and what you should watch out for when watching videos on the platform Malware blog Eset

29.6.24

StrelaStealer Resurgence: Tracking a JavaScript-Driven Credential Stealer Targeting Europe The SonicWall Capture Labs threat research team has been tracking StrelaStealer for a long time. Recently, in the third week of June, we observed a huge spike in JavaScript spreading StrelaStealer. StrelaStealer specifically steals Outlook and Thunderbird email credentials. The infection chain looks like previous versions of StrelaStealer except major checks have been added to avoid infecting systems in Russia. We are continuing to observe its target regions limited to Poland, Spain, Italy and Germany. Malware blog SonicWall

29.6.24

New Orcinius Trojan Uses VBA Stomping to Mask Infection This week, the SonicWall Capture Labs threat research team investigated a sample of Orcinius malware. This is a multi-stage trojan that is using Dropbox and Google Docs to download second-stage payloads and stay updated. It contains an obfuscated VBA macro that hooks into Windows to monitor running windows and keystrokes and creates persistence using registry keys. Malware blog SonicWall

29.6.24

Attackers Exploiting Public Cobalt Strike Profiles In this article, Unit 42 researchers detail recent findings of malicious Cobalt Strike infrastructure. We also share examples of malicious Cobalt Strike samples that use Malleable C2 configuration profiles derived from the same profile hosted on a public code repository. Malware blog Palo Alto

29.6.24

RAFEL RAT, ANDROID MALWARE FROM ESPIONAGE TO RANSOMWARE OPERATIONS Android, Google’s most popular mobile operating system, powers billions of smartphones and tablets globally. Known for its open-source nature and flexibility, Android offers users a wide array of features, customization options, and access to a vast ecosystem of applications through the Google Play Store and other sources. Malware blog Checkpoint

29.6.24

SneakyChef espionage group targets government agencies with SugarGh0st and more infection techniques Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware, as early as August 2023. Malware blog Cisco Blog

29.6.24

Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia The new remote access trojan (RAT) dubbed SpiceRAT was used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia. Malware blog Cisco Blog

29.6.24

Exploring malicious Windows drivers (Part 2): the I/O system, IRPs, stack locations, IOCTLs and more As the second entry in our “Exploring malicious Windows drivers” series, we will continue where the first left off: discussing the I/O system and IRPs. Malware blog Cisco Blog

15.6.24

Noodle RAT: Reviewing the Backdoor Used by Chinese-Speaking Groups This blog entry provides an analysis of the Noodle RAT backdoor, which is likely being used by multiple Chinese-speaking groups engaged in espionage and other types of cybercrime. Malware blog Trend Micro

15.6.24

DarkGate again but... Improved? DarkGate is back, if it ever left, with the latest version, the number 6, which includes new distribution methods, anti-analysis techniques and features. Malware blog Trellix

15.6.24

Operation Celestial Force employs mobile and desktop malware to target Indian entities Cisco Talos is disclosing a new malware campaign called “Operation Celestial Force” running since at least 2018. It is still active today, employing the use of GravityRAT, an Android-based malware, along with a Windows-based malware loader we track as “HeavyLift.” Malware blog Cisco Blog

15.6.24

How Arid Viper spies on Android users in the Middle East – Week in security with Tony Anscombe The spyware, called AridSpy by ESET, is distributed through websites that pose as various messaging apps, a job search app, and a Palestinian Civil Registry app Malware blog Eset

1.6.24

STATIC UNPACKING FOR THE WIDESPREAD NSIS-BASED MALICIOUS PACKER FAMILY Packers or crypters are widely used to protect malicious software from detection and static analysis. Malware blog Checkpoint

25.5.24

Introducing Nimfilt: A reverse-engineering tool for Nim-compiled binaries Available as both an IDA plugin and a Python script, Nimfilt helps to reverse engineer binaries compiled with the Nim programming language compiler by demangling package and function names, and applying structs to strings Malware blog Eset

27.5.24

60 Malicious npm Packages Leak Network and Host Data in Active Malware Campaign Socket’s Threat Research Team has uncovered 60 npm packages using post-install scripts to silently exfiltrate hostnames, IP addresses, DNS servers, and user directories to a Discord-controlled endpoint. Malware blog SOCKET DEV

25.5.24

“Anti-Ledger” malware: The battle for Ledger Live seed phrases Hackers are increasingly exploiting the trust that crypto owners place in cold wallets, turning the very tools meant to secure assets into attack surfaces. The recent ByBit heist has shaken the crypto industry and is unlikely to be the last. However, more low-profile heists are already underway. Malware blog Moonlock-lab

25.5.24

A Sting on Bing: Bumblebee delivered through Bing SEO poisoning campaign Bumblebee is a downloader malware which has become known for its sophistication and effectiveness. The malware was first discovered in 2022 and was believed to be a tool for ransomware groups due to the developer’s close ties with Conti. Malware blog Cyjax

25.5.24

Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool Microsoft’s Digital Crimes Unit (DCU) and international partners are disrupting the leading tool used to indiscriminately steal sensitive personal and organizational information to facilitate cybercrime. Malware blog Microsoft blog

25.5.24

Hidden Threats of Dual-Function Malware Found in Chrome Extensions An unknown actor has been continuously creating malicious Chrome Browser extensions since approximately February, 2024. Malware blog dti domain tools

24.5.24

GhostSpy Web-Based Android RAT : Advanced Persistent RAT with Stealthy Remote Control and Uninstall Resistance EXECUTIVE SUMMARY At CYFIRMA, we are committed to delivering timely intelligence on emerging threats and attacker tactics. In this report, we analyze a high-risk Android Malware blog Cyfirma

24.5.24

Enhanced Threat Detection: Bootloaders, Bootkits, and Secure Boot The attack surface Eclypsium set out to defend extends to areas in our systems that many security teams and monitoring tools are either overlooking or trusting someone else has secured for them. This pre-operating system attack surface includes components such as UEFI and bootloaders. Malware blog Eclypsium

24.5.24

A Brief History of DanaBot, Longtime Ecrime Juggernaut Disrupted by Operation Endgame DanaBot is a cybercrime malware-as-a-service that Proofpoint researchers first identified and named in May 2018. At the time, banking trojans were the most popular email-based cybercriminal malware threat, and DanaBot became one of the favored payloads by TA547 before being adopted by other notable cybercrime threat actors. Malware blog PROOFPOINT

24.5.24

Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer Over the past year, Microsoft Threat Intelligence observed the persistent growth and operational sophistication of Lumma Stealer, an info-stealing malware used by multiple financially motivated threat actors to target various industries. Malware blog Microsoft blog

24.5.24

Fake CAPTCHA Attacks Deploy Infostealers and RATs in a Multistage Payload Chain We have detected a new tactic involving fake CAPTCHA pages that trick users into executing harmful commands in Windows. This scheme uses disguised files sent via phishing and other malicious methods. Malware blog Trend Micro

24.5.24

DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt In January 2025, Unit 42 researchers identified a series of attacks distributing DarkCloud Stealer. The latest attack chain incorporated AutoIt to evade detection and used a file-sharing server to host the malware. This article explores the chain of events from these recent campaigns and analyzes the characteristics of these attacks. Malware blog Palo Alto

24.5.24

Threat Group Assessment: Muddled Libra (Updated May 16, 2025) We’ve added an additional section to this article that describes the evolution of Muddled Libra activity since the beginning of 2024. This group is a dynamic one, and as members cycle in and out of the group, its knowledgebase and skill set naturally shift. Its toolbox has now expanded to include: Malware blog Palo Alto

24.5.24

Lampion Is Back With ClickFix Lures Unit 42 researchers recently uncovered a highly focused malicious campaign targeting dozens of Portuguese organizations, particularly in the government, finance and transportation sectors. This campaign was orchestrated by the threat actors behind Lampion malware, an infostealer that focuses on sensitive banking information. This malware family has been active since at least 2019. Malware blog Palo Alto

24.5.24

Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources This article highlights a new obfuscation technique threat actors are using to hide malware through steganography within bitmap resources embedded in otherwise benign 32-bit .NET applications. Upon execution, these files kick off a multi-stage chain of extracting, deobfuscating, loading and executing secondary payloads (dynamic-link libraries), eventually detonating the final payload (executable). Malware blog Palo Alto

24.5.24

Danabot under the microscope ESET Research has been tracking Danabot’s activity since 2018 as part of a global effort that resulted in a major disruption of the malware’s infrastructure Malware blog Eset

24.5.24

Danabot: Analyzing a fallen empire

ESET Research shares its findings on the workings of Danabot, an infostealer recently disrupted in a multinational law enforcement operation

Malware blog Eset

24.5.24

Lumma Stealer: Down for the count The bustling cybercrime enterprise has been dealt a significant blow in a global operation that relied on the expertise of ESET and other technology companies Malware blog Eset

24.5.24

ESET takes part in global operation to disrupt Lumma Stealer Our intense monitoring of tens of thousands of malicious samples helped this global disruption operation Malware blog Eset

24.5.24

Copyright Phishing Lures Leading to Rhadamanthys Stealer Now Targeting Europe Analysis of new Rhadamanthys infostealer campaign in Europe and malware breakdown Malware blog Cybereason

24.5.24

Genesis Market - Malicious Browser Extension In this Threat Alert, Cybereason identifies a malware infection exhibiting similarities to a previous Genesis Market campaign. Malware blog Cybereason

18.5.24

Payload Trends in Malicious OneNote Samples In this post, we look at the types of embedded payloads that attackers leverage to abuse Microsoft OneNote files. Our analysis of roughly 6,000 malicious OneNote samples from WildFire reveals that these samples have a phishing-like theme where attackers use one or more images to lure people into clicking or interacting with OneNote files. Malware blog Palo Alto

10.5.24

PupkinStealer : A .NET-Based Info-Stealer Executive Summary At CYFIRMA, we are committed to delivering timely insights into active cyber threats and the techniques used by malicious actors to target individuals and Malware blog Cyfirma

11.5.24

The hacker’s toolkit: 4 gadgets that could spell security trouble Their innocuous looks and endearing names mask their true power. These gadgets are designed to help identify and prevent security woes, but what if they fall into the wrong hands? Malware blog Eset

10.5.24

Threat Actors are Targeting US Tax-Session with new Tactics of Stealerium-infostealer Introduction A security researcher from Seqrite Labs has uncovered a malicious campaign targeting U.S. citizens as Tax Day approaches on April 15. Seqrite Labs has identified multiple phishing attacks leveraging tax-related themes as a vector for social engineering, aiming... Malware blog Seqrite

10.5.24

NetSupport RAT Malware Spied in Ukraine This week, the SonicWall Capture Labs threat research team analyzed a sample of NetSupport RAT malware. OSINT shows that this malware has been regularly seen in Ukraine and Poland as of mid- to late-2024. Malware blog Palo Alto
4.5.24 It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise Our telemetry indicates a growing number of threat actors are turning to malware-initiated scanning attacks. This article reviews how attackers use infected hosts for malware-based scans of their targets instead of the more traditional approach using direct scans. Malware blog Palo Alto
28.4.24 ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. Malware blog Cisco Blog
28.4.24 Suspected CoralRaider continues to expand victimology using three information stealers Talos also discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload into the victims’ host. Malware blog Cisco Blog
20.4.24 Redline Stealer: A Novel Approach Authored by Mohansundaram M and Neil Tyagi A new packed variant of the Redline Stealer trojan was... Malware blog Mcafee
20.4.24 OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. Malware blog Cisco Blog
13.4.24 Starry Addax targets human rights defenders in North Africa with new malware Cisco Talos is disclosing a new threat actor we deemed “Starry Addax” targeting mostly human rights activists, associated with the Sahrawi Arab Democratic Republic (SADR) cause with a novel mobile malware. Malware blog Cisco Blog
13.4.24 eXotic Visit includes XploitSPY malware – Week in security with Tony Anscombe Almost 400 people in India and Pakistan have fallen victim to an ongoing Android espionage campaign called eXotic Visit Malware blog Eset
6.4.24 AGENT TESLA TARGETING UNITED STATES & AUSTRALIA: REVEALING THE ATTACKERS’ IDENTITIES When considering a notoriously famous topic known for quite a long time, it may feel like there is nothing new to add to this area anymore – all paths traced, all words said, all “i”s dotted. Is it worth an investigation to begin with? As it turns out, there are new discoveries with previously hidden information of valuable significance that can be built into the already-painted picture. Malware blog Checkpoint
6.4.24 MALWARE SPOTLIGHT: LINODAS AKA DINODASRAT FOR LINUX In recent months, Check Point Research (CPR) has been closely monitoring the activity of a Chinese-nexus cyber espionage threat actor who is focusing on Southeast Asia, Africa, and South America. Malware blog Checkpoint
6.4.24 Adversaries are leveraging remote access tools now more than ever — here’s how to stop them While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns. Malware blog Cisco Blog
6.4.24 Malware hiding in pictures? More likely than you think There is more to some images than meets the eye – their seemingly innocent façade can mask a sinister threat. Malware blog Eset
23.3.24 Large-Scale StrelaStealer Campaign in Early 2024 StrelaStealer malware steals email login data from well-known email clients and sends them back to the attacker’s C2 server. Upon a successful attack, the threat actor would gain access to the victim's email login information, which they can then use to perform further attacks. Malware blog Palo Alto
23.3.24 Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention This article reviews the recently discovered FalseFont backdoor, which was used by a suspected Iranian-affiliated threat actor that Unit 42 tracks as Curious Serpens. Curious Serpens (aka Peach Sandstorm) is a known espionage group that has previously targeted the aerospace and energy sectors. Malware blog Palo Alto
23.3.24 Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor This article announces the publication of our first collaborative effort with the State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP). Malware blog Palo Alto
23.3.24 AceCryptor attacks surge in Europe – Week in security with Tony Anscombe The second half of 2023 saw massive growth in AceCryptor-packed malware spreading in the wild, including courtesy of multiple spam campaigns where AceCryptor packed the Rescoms RAT Malware blog Eset
23.3.24 Rescoms rides waves of AceCryptor spam Insight into ESET telemetry statistics about AceCryptor in H2 2023 with a focus on Rescoms campaigns in European countries Malware blog Eset
23.3.24 A prescription for privacy protection: Exercise caution when using a mobile health app Given the unhealthy data-collection habits of some mHealth apps, you’re well advised to tread carefully when choosing with whom you share some of your most sensitive data Malware blog Eset
17.3.24 Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled This article will focus on the newly released BunnyLoader 3.0, as well as historically observed BunnyLoader infrastructure and an overview of its capabilities. BunnyLoader is dynamically developing malware with the capability to steal information, credentials and cryptocurrency, as well as deliver additional malware to its victims. Malware blog Palo Alto
2.3.24 The Art of Domain Deception: Bifrost's New Tactic to Deceive Users First identified in 2004, Bifrost is a remote access Trojan (RAT) that allows an attacker to gather sensitive information, like hostname and IP address. In this article, along with exploring Bifrost, we’ll also showcase a notable spike in Bifrost’s Linux variants during the past few months. Malware blog Palo Alto
2.3.24 TimbreStealer campaign targets Mexican users with financial lures Talos has observed a phishing spam campaign targeting potential victims in Mexico, luring users to download a new obfuscated information stealer we’re calling TimbreStealer, which has been active since at least November 2023. Malware blog Cisco Blog
25.2.24 Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns Since September 2023, we have observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans. Malware blog Cisco Blog
10.2.24 RASPBERRY ROBIN KEEPS RIDING THE WAVE OF ENDLESS 1-DAYS Two new 1-day LPE exploits were used by the Raspberry Robin worm before they were publicly disclosed, which means that Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time. Malware blog Checkpoint
10.2.24 New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.” Malware blog Cisco Blog
4.2.24 Exploring the Latest Mispadu Stealer Variant Unit 42 researchers recently discovered activity attributed to Mispadu Stealer, a stealthy infostealer first reported in 2019. We found this activity as part of the Unit 42 Managed Threat Hunting offering. We discovered this threat activity while hunting for the SmartScreen CVE-2023-36025 vulnerability. Malware blog Palo Alto
4.2.24 Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system. Malware blog Cisco Blog
4.2.24 Grandoreiro banking malware disrupted – Week in security with Tony Anscombe The banking trojan, which targeted mostly Brazil, Mexico and Spain, blocked the victim’s screen, logged keystrokes, simulated mouse and keyboard activity and displayed fake pop-up windows Malware blog Eset
4.2.24 ESET takes part in global operation to disrupt the Grandoreiro banking trojan ESET provided technical analysis, statistical information, known C&C servers and was able to get a glimpse of the victimology Malware blog Eset
20.1.24 Parrot TDS: A Persistent and Evolving Malware Campaign This campaign is unique in its methodology, employing a source spoofing technique to target a broad spectrum of token holders. It specifically focuses on more than 100 highly popular projects, aiming its attacks at token holders. Malware blog Palo Alto
14.1.24 Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer Malware, like many complex software systems, relies on the concept of software configuration. Configurations establish guidelines for malware behavior and they are a common feature among the various malware families we examine. Malware blog Palo Alto
14.1.24 .NET HOOKING – HARMONIZING MANAGED TERRITORY For a malware researcher, analyst, or reverse engineer, the ability to alter the functionality of certain parts of code is a crucial step, often necessary to reach a meaningful result during the analysis process. Malware blog Checkpoint