Malware Blog News(339) - 2024 2023 2022 2021 2020 2019 2018
DATE | NAME | Info | CATEG. | WEB |
14.6.25 | GoResolver: Using Control-flow Graph Similarity to Deobfuscate Golang Binaries, Automatically | In the course of its investigations, Volexity frequently encounters malware samples written in Golang. Binaries written in Golang are often challenging to analyze because of the embedded libraries and the sheer size of the resulting binaries. This issue is amplified when samples are obfuscated using tools such as Garble, an open-source Golang obfuscation tool. | Malware blog | Volexity |
14.6.25 | StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms | In mid-2023, Volexity detected and responded to multiple incidents involving systems becoming infected with malware linked to StormBamboo (aka Evasive Panda, and previously tracked by Volexity under “StormCloud”). | Malware blog | Volexity |
14.6.25 | DISGOMOJI Malware Used to Target Indian Government | In 2024, Volexity identified a cyber-espionage campaign undertaken by a suspected Pakistan-based threat actor that Volexity currently tracks under the alias UTA0137. | Malware blog | Volexity |
14.6.25 | Understanding CyberEYE RAT Builder: Capabilities and Implications | EXECUTIVE SUMMARY CyberEye (also distributed under names like TelegramRAT) is a modular, .NET-based Remote Access Trojan (RAT) that provides a wide array of surveillance and | Malware blog | Cyfirma |
14.6.25 | JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique | We recently discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code. | Malware blog | Palo Alto |
14.6.25 | From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery | Check Point Research uncovered an active malware campaign exploiting expired and released Discord invite links. Attackers hijacked the links through vanity link registration, allowing them to silently redirect users from trusted sources to malicious servers. | Malware blog | Checkpoint |
14.6.25 | Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine | Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper.” | Malware blog | CISCO TALOS |
13.6.25 | First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted | On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalists that consented for the technical analysis of their cases. The key findings from our forensic analysis of their devices are summarized below: | Malware blog | THE CITIZENLAB |
13.6.25 | Vexing and Vicious: The Eerie Relationship between WordPress Hackers and an Adtech Cabal | On November 13, 2024, Qurium researchers exposed that the Swiss-Czech adtech company Los Pollos was part of VexTrio, the largest and oldest known malicious TDS. | Malware blog | Infoblox |
13.6.25 | Attackers Unleash TeamFiltration: Account Takeover Campaign (UNK_SneakyStrike) Leverages Popular Pentesting Tool | Proofpoint threat researchers have recently uncovered an active account takeover (ATO) campaign, tracked as UNK_SneakyStrike, using the TeamFiltration pentesting framework to target Entra ID user accounts. | Malware blog | PROOFPOINT |
7.6.25 | DuplexSpy RAT: Stealthy Windows Malware Enabling Full Remote Control and Surveillance | EXECUTIVE SUMMARY At CYFIRMA, we are committed to delivering timely intelligence on emerging cyber threats and adversarial tactics targeting individuals and organizations. | Malware blog | Cyfirma |
7.6.25 | GuLoader Brings the Noise — and the Obfuscation | This week the SonicWall Capture Labs threat research team analyzed a sample of GuLoader, a dropper and infostealer capable of harvesting credentials, evading AV, and creating persistence through a variety of techniques. It drops a number of files and uses them as timers and canaries to ensure uptime on the victim system. | Malware blog | SonicWall |
7.6.25 | Blitz Malware: A Tale of Game Cheats and Code Repositories | In 2024, we discovered new Windows-based malware called Blitz. This article provides an in-depth analysis of the malware, examines its distribution and reviews Blitz malware's command and control (C2) infrastructure. We found a new version of Blitz in early 2025, which indicates this malware has been in active development. | Malware blog | Palo Alto |
7.6.25 | Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine | Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper.” | Malware blog | CISCO TALOS |
7.6.25 | Demystifying Myth Stealer: A Rust Based InfoStealer | During regular proactive threat hunting, the Trellix Advanced Research Center identified a fully undetected infostealer malware sample written in Rust. | Malware blog | Trellix |
1.6.25 | Infostealer Malware FormBook Spread via Phishing Campaign – Part II | Learn how the FormBook payload operates on a compromised machine, including the complicated anti-analysis techniques employed by this variant. | Malware blog | Fortinet |
1.6.25 | Lumma Infostealer – Down but Not Out? | The takedown achieved a significant disruption to Lumma infostealers’ infrastructure, but likely didn’t permanently affect most of its Russia-hosted infrastructure. | Malware blog | Checkpoint |
1.6.25 | Enhanced Threat Detection: Bootloaders, Bootkits, and Secure Boot | The attack surface Eclypsium set out to defend extends to areas in our systems that many security teams and monitoring tools are either overlooking or trusting someone else has secured for them. | Malware blog | Eclypsium |
27.5.25 | 60 Malicious npm Packages Leak Network and Host Data in Active Malware Campaign | Socket’s Threat Research Team has uncovered 60 npm packages using post-install scripts to silently exfiltrate hostnames, IP addresses, DNS servers, and user directories to a Discord-controlled endpoint. | Malware blog | SOCKET DEV |
25.5.25 | “Anti-Ledger” malware: The battle for Ledger Live seed phrases | Hackers are increasingly exploiting the trust that crypto owners place in cold wallets, turning the very tools meant to secure assets into attack surfaces. The recent ByBit heist has shaken the crypto industry and is unlikely to be the last. However, more low-profile heists are already underway. | Malware blog | Moonlock-lab |
25.5.25 | A Sting on Bing: Bumblebee delivered through Bing SEO poisoning campaign | Bumblebee is a downloader malware which has become known for its sophistication and effectiveness. The malware was first discovered in 2022 and was believed to be a tool for ransomware groups due to the developer’s close ties with Conti. | Malware blog | Cyjax |
25.5.25 | Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool | Microsoft’s Digital Crimes Unit (DCU) and international partners are disrupting the leading tool used to indiscriminately steal sensitive personal and organizational information to facilitate cybercrime. | Malware blog | Microsoft blog |
25.5.25 | Hidden Threats of Dual-Function Malware Found in Chrome Extensions | An unknown actor has been continuously creating malicious Chrome Browser extensions since approximately February 2024. | Malware blog | DomainTools |
24.5.25 | GhostSpy Web-Based Android RAT: Advanced Persistent RAT with Stealthy Remote Control and Uninstall Resistance | EXECUTIVE SUMMARY At CYFIRMA, we are committed to delivering timely intelligence on emerging threats and attacker tactics. In this report, we analyze a high-risk Android | Malware blog | Cyfirma |
24.5.25 | Enhanced Threat Detection: Bootloaders, Bootkits, and Secure Boot | The attack surface Eclypsium set out to defend extends to areas in our systems that many security teams and monitoring tools are either overlooking or trusting someone else has secured for them. This pre-operating system attack surface includes components such as UEFI and bootloaders. | Malware blog | Eclypsium |
24.5.25 | A Brief History of DanaBot, Longtime Ecrime Juggernaut Disrupted by Operation Endgame | DanaBot is a cybercrime malware-as-a-service that Proofpoint researchers first identified and named in May 2018. At the time, banking trojans were the most popular email-based cybercriminal malware threat, and DanaBot became one of the favored payloads by TA547 before being adopted by other notable cybercrime threat actors. | Malware blog | PROOFPOINT |
24.5.25 | Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer | Over the past year, Microsoft Threat Intelligence observed the persistent growth and operational sophistication of Lumma Stealer, an info-stealing malware used by multiple financially motivated threat actors to target various industries. | Malware blog | Microsoft blog |
24.5.25 | Fake CAPTCHA Attacks Deploy Infostealers and RATs in a Multistage Payload Chain | We have detected a new tactic involving fake CAPTCHA pages that trick users into executing harmful commands in Windows. This scheme uses disguised files sent via phishing and other malicious methods. | Malware blog | Trend Micro |
24.5.25 | DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt | In January 2025, Unit 42 researchers identified a series of attacks distributing DarkCloud Stealer. The latest attack chain incorporated AutoIt to evade detection and used a file-sharing server to host the malware. This article explores the chain of events from these recent campaigns and analyzes the characteristics of these attacks. | Malware blog | Palo Alto |
24.5.25 | Threat Group Assessment: Muddled Libra (Updated May 16, 2025) | We’ve added an additional section to this article that describes the evolution of Muddled Libra activity since the beginning of 2024. This group is a dynamic one, and as members cycle in and out of the group, its knowledge base and skill set naturally shift. Its toolbox has now expanded to include: | Malware blog | Palo Alto |
24.5.25 | Lampion Is Back With ClickFix Lures | Unit 42 researchers recently uncovered a highly focused malicious campaign targeting dozens of Portuguese organizations, particularly in the government, finance and transportation sectors. This campaign was orchestrated by the threat actors behind Lampion malware, an infostealer that focuses on sensitive banking information. This malware family has been active since at least 2019. | Malware blog | Palo Alto |
24.5.25 | Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources | This article highlights a new obfuscation technique threat actors are using to hide malware through steganography within bitmap resources embedded in otherwise benign 32-bit .NET applications. Upon execution, these files kick off a multi-stage chain of extracting, deobfuscating, loading and executing secondary payloads (dynamic-link libraries), eventually detonating the final payload (executable). | Malware blog | Palo Alto |
24.5.25 | Danabot under the microscope | ESET Research has been tracking Danabot’s activity since 2018 as part of a global effort that resulted in a major disruption of the malware’s infrastructure. | Malware blog | Eset |
24.5.25 | Danabot: Analyzing a fallen empire | | Malware blog | Eset |
24.5.25 | Lumma Stealer: Down for the count | The bustling cybercrime enterprise has been dealt a significant blow in a global operation that relied on the expertise of ESET and other technology companies. | Malware blog | Eset |
24.5.25 | ESET takes part in global operation to disrupt Lumma Stealer | Our intense monitoring of tens of thousands of malicious samples helped this global disruption operation. | Malware blog | Eset |
24.5.25 | Copyright Phishing Lures Leading to Rhadamanthys Stealer Now Targeting Europe | Analysis of a new Rhadamanthys infostealer campaign in Europe and malware breakdown. | Malware blog | Cybereason |
24.5.25 | Genesis Market - Malicious Browser Extension | In this Threat Alert, Cybereason identifies a malware infection exhibiting similarities to a previous Genesis Market campaign. | Malware blog | Cybereason |
17.5.25 | DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt | In January 2025, Unit 42 researchers identified a series of attacks distributing DarkCloud Stealer. The latest attack chain incorporated AutoIt to evade detection and used a file-sharing server to host the malware. This article explores the chain of events from these recent campaigns and analyzes the characteristics of these attacks. | Malware blog | Palo Alto |
17.5.25 | Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources | This article highlights a new obfuscation technique threat actors are using to hide malware through steganography within bitmap resources embedded in otherwise benign 32-bit .NET applications. Upon execution, these files kick off a multi-stage chain of extracting, deobfuscating, loading and executing secondary payloads (dynamic-link libraries), eventually detonating the final payload (executable). | Malware blog | Palo Alto |
10.5.25 | PupkinStealer: A .NET-Based Info-Stealer | Executive Summary At CYFIRMA, we are committed to delivering timely insights into active cyber threats and the techniques used by malicious actors to target individuals and | Malware blog | Cyfirma |
10.5.25 | Threat Actors are Targeting US Tax Season with New Tactics of Stealerium Infostealer | Introduction A security researcher from Seqrite Labs has uncovered a malicious campaign targeting U.S. citizens as Tax Day approaches on April 15. Seqrite Labs has identified multiple phishing attacks leveraging tax-related themes as a vector for social engineering, aiming... | Malware blog | Seqrite |
10.5.25 | NetSupport RAT Malware Spied in Ukraine | This week, the SonicWall Capture Labs threat research team analyzed a sample of NetSupport RAT malware. OSINT shows that this malware has been regularly seen in Ukraine and Poland as of mid- to late-2024. | Malware blog | SonicWall |
10.5.25 | Lampion Is Back With ClickFix Lures | Unit 42 researchers recently uncovered a highly focused malicious campaign targeting dozens of Portuguese organizations, particularly in the government, finance and transportation sectors. | Malware blog | Palo Alto |
10.5.25 | Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources | This article highlights a new obfuscation technique threat actors are using to hide malware through steganography within bitmap resources embedded in otherwise benign 32-bit .NET applications. | Malware blog | Palo Alto |
25.4.25 | Infostealer Malware FormBook Spread via Phishing Campaign – Part I | FortiGuard Labs observed a phishing campaign in the wild that delivered a malicious Word document as an attachment. Learn more. | Malware blog | Fortinet |
25.4.25 | HANNIBAL Stealer: A Rebranded Threat Born from Sharp and TX Lineage | EXECUTIVE SUMMARY At CYFIRMA, we are committed to delivering timely intelligence on emerging cyber threats and adversarial tactics targeting individuals and organizations. | Malware blog | Cyfirma |
25.4.25 | Technical Malware Analysis Report: Python-based RAT Malware | EXECUTIVE SUMMARY The malware analyzed in this report is a Python-based Remote Access Trojan (RAT) that utilizes Discord as a command-and-control (C2) platform. Disguised as a | Malware blog | Cyfirma |
25.4.25 | Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs | Cisco Talos discovered a sophisticated attack on critical infrastructure by ToyMaker and Cactus, using the LAGTOY backdoor to orchestrate a relentless double extortion scheme. | Malware blog | CISCO TALOS |
25.4.25 | A Deep Dive into the Latest Version of Lumma InfoStealer | The Trellix Advanced Research Center has been closely tracking the latest developments in Lumma Infostealer, particularly the recent introduction of sophisticated code flow obfuscation techniques. This report will delve into the threat actors' recent campaign and examine the evolution of their Tactics, Techniques, and Procedures (TTPs). | Malware blog | Trellix |
19.4.25 | Around the World in 90 Days: State-Sponsored Actors Try ClickFix | While primarily a technique affiliated with cybercriminal actors, Proofpoint researchers discovered state-sponsored actors in multiple campaigns using the ClickFix social engineering technique for the first time. | Malware blog | PROOFPOINT |
19.4.25 | Threat actors misuse Node.js to deliver malware and other malicious payloads | Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration. | Malware blog | Microsoft blog |
19.4.25 | BPFDoor’s Hidden Controller Used Against Asia, Middle East Targets | A controller linked to BPF backdoor can open a reverse shell, enabling deeper infiltration into compromised networks. Recent attacks have been observed targeting the telecommunications, finance, and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia, and Egypt. | Malware blog | Trend Micro |
19.4.25 | Cascading Shadows: An Attack Chain Approach to Avoid Detection and Complicate Analysis | In December 2024, we uncovered an attack chain that employs distinct, multi-layered stages to deliver malware like Agent Tesla variants, Remcos RAT or XLoader. Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution. The phishing campaign we analyzed used deceptive emails posing as an order release request to deliver a malicious attachment. | Malware blog | Palo Alto |
19.4.25 | Unmasking the new XorDDoS controller and infrastructure | Cisco Talos observed the ongoing global spread of the XorDDoS malware, predominantly targeting the United States, with evidence suggesting Chinese-speaking operators are using sophisticated tools to orchestrate widespread attacks. | Malware blog | CISCO TALOS |
19.4.25 | From Shadow to Spotlight: The Evolution of LummaStealer and Its Hidden Secrets | This article is a continuation of the previous research published on the malware LummaStealer: "Your Data Is Under New Lummanagement: The Rise of LummaStealer". | Malware blog | Cybereason |
12.4.25 | TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications | Cyble analyzes TsarBot, a newly identified Android banking Trojan that employs overlay attacks to target over 750 banking, financial, and cryptocurrency applications worldwide. | Malware blog | Cyble |
12.4.25 | Beware! Fake ‘NextGen mParivahan’ Malware Returns with Enhanced Stealth and Data Theft | Cybercriminals continually refine their tactics, making Android malware more insidious and challenging to detect. A new variant of the fake NextGen mParivahan malware has emerged, following its predecessor’s deceptive strategies but introducing significant enhancements. Previously, attackers exploited the government’s. | Malware blog | Seqrite |
12.4.25 | NEPTUNE RAT : An advanced Windows RAT with System Destruction Capabilities and Password Exfiltration from 270+ Applications | At CYFIRMA, we are committed to providing up-to-date insights into current threats and the tactics used by malicious actors targeting both organizations and individuals. In this report, we will take an in-depth look at the latest version of Neptune RAT, which has been shared on GitHub using a technique involving PowerShell commands: | Malware blog | Cyfirma |
29.3.25 | MoDiRAT Malware Uses Horus Protector to Target France | The SonicWall Capture Labs threat research team has identified a new development in the Horus Protector distributed infection chain. Recently, it has been targeting the French region with MoDiRAT, a malware notorious for stealing credit card and other victim information. | Malware blog | SonicWall |
29.3.25 | Gamaredon campaign abuses LNK files to distribute Remcos backdoor | Cisco Talos is actively tracking an ongoing campaign, targeting users in Ukraine with malicious LNK files which run a PowerShell downloader since at least November 2024. | Malware blog | Cisco Blog |
15.3.25 | | Recently, we discovered several new malware samples with unique characteristics that made attribution and function determination challenging. | Malware blog | |
8.3.25 | Malvertising campaign leads to info stealers hosted on GitHub | Microsoft detected a large-scale malvertising campaign in early December 2024 that impacted nearly one million devices globally. The attack originated from illegal streaming websites embedded with malvertising redirectors and ultimately redirected users to GitHub to deliver initial access payloads as the start of a modular and multi-stage attack chain. | Malware blog | Microsoft blog |
8.3.25 | Uncovering .NET Malware Obfuscated by Encryption and Virtualization | We will examine these behaviors in samples we have observed, showing how to extract their configuration parameters through unpacking each stage. Performing this same process through automation would allow a sandbox performing static analysis to extract crucial malware configuration parameters from such samples. | Malware blog | Palo Alto |
1.3.25 | Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations | This article reviews a cluster of malicious activity that we identify as CL-STA-0049. Since at least March 2023, a suspected Chinese threat actor has targeted governments, defense, telecommunication, education and aviation sectors in Southeast Asia and South America. | Malware blog | Palo Alto |
1.3.25 | RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector | Malware targeting macOS systems is increasingly pervasive in our current threat landscape. Most of the associated threats are cybercrime-related, ranging from information stealers to cryptocurrency mining. Over the past year, we have witnessed an increase in cybercrime activity linked to North Korean nation-state APT groups. | Malware blog | Palo Alto |
1.3.25 | Auto-Color: An Emerging and Evasive Linux Backdoor | Between early November and December 2024, Palo Alto Networks researchers discovered new Linux malware called Auto-color. We chose this name based on the file name the initial payload renames itself to after installation. | Malware blog | Palo Alto |
22.2.25 | Updated Shadowpad Malware Leads to Ransomware Deployment | In this blog entry, we discuss how Shadowpad is being used to deploy a new undetected ransomware family. Attackers deploy the malware by exploiting weak passwords and bypassing multi-factor authentication. | Malware blog | Trend Micro |
22.2.25 | Lumma Stealer’s GitHub-Based Delivery Explored via Managed Detection and Response | The Managed XDR team investigated a sophisticated campaign distributing Lumma Stealer through GitHub, where attackers leveraged the platform's release infrastructure to deliver malware such as SectopRAT, Vidar, and Cobeacon. | Malware blog | Trend Micro |
22.2.25 | Remcos RAT Targets Europe: New AMSI and ETW Evasion Tactics Uncovered | This loader was seen distributing Async RAT in the past, but it has now extended its functionality to Remcos RAT and other malware families. From our analysis, it seems to be targeting European institutions. | Malware blog | |
22.2.25 | GCleaner is Packed and Ready to Go | This week, the SonicWall Capture Labs threat research team investigated a sample of GCleaner, a Themida-packed malware variant that downloads and drops additional malware, has C2, heavy anti-analysis/anti-VM, and evasion capabilities. GCleaner will also attempt to infect removable drives by encryption or to spread to other systems. | Malware blog | SonicWall |
22.2.25 | Fake job offers target software developers with infostealers | ESET researchers analyzed a campaign delivering malware bundled with job interview challenges. | Malware blog | Eset |
22.2.25 | Stately Taurus Activity in Southeast Asia Links to Bookworm Malware | While analyzing infrastructure related to Stately Taurus activity targeting organizations in countries affiliated with the Association of Southeast Asian Nations (ASEAN), Unit 42 researchers observed overlaps with infrastructure used by a variant of the Bookworm malware. | Malware blog | Palo Alto |
18.1.25 | GhostRAT Plays Effective Hide and Seek | OverviewThis week, the SonicWall Capture Labs threat research team investigated a sample of GhostRAT malware. This highly infectious file is built to be persistent and thorough, with many anti-analysi... | Malware blog | SonicWall |
11.1.25 | How Cracks and Installers Bring Malware to Your Device | Our research shows how attackers use platforms like YouTube to spread fake installers via trusted hosting services, employing encryption to evade detection and steal sensitive browser data. | Malware blog | Trend Micro |
11.1.25 | Banshee: The Stealer That “Stole Code” From MacOS XProtect | Since September, Check Point Research has been monitoring a new version of the Banshee macOS stealer, a malware linked to Russian-speaking cyber criminals targeting macOS users. | Malware blog | Checkpoint |
22.12.24 | Python-Based NodeStealer Version Targets Facebook Ads Manager | In this blog entry, Trend Micro’s Managed XDR team discusses their investigation into how the latest variant of NodeStealer is delivered through spear-phishing attacks, potentially leading to malware execution, data theft, and the exfiltration of sensitive information via Telegram. | Malware blog | Trend Micro |
22.12.24 | Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation | This article analyzes a new packer-as-a-service (PaaS) called HeartCrypt, which is used to protect malware. It has been in development since July 2023 and began sales in February 2024. We have identified examples of malware samples created by this service based on strings found in several development samples the operators used to test their work. | Malware blog | Palo Alto |
22.12.24 | Strela Stealer Targeting Ukraine Alongside Other European Countries | Overview The SonicWall Capture Labs threat research team has been tracking Strela Stealer for a long time. Our research shows that Strela Stealer remained active throughout 2024. We recently identified... | Malware blog | SonicWall |
22.12.24 | Trojan Disguised as VPN Client Exploits Users with Fake Cisco AnyConnect Installer | This week, the SonicWall Capture Labs threat research team analyzed a PDF file with a link to download a copy of a well-known VPN client. This PDF file appears to have been distributed via spam email and has a link to download Cisco AnyConnect. However, no VPN client was installed upon execution – instead, it downloaded a Trojan that constantly connected to various remote servers. | Malware blog | SonicWall |
22.12.24 | Gaming Engines: An Undetected Playground for Malware Loaders | Check Point Research discovered a new technique taking advantage of Godot Engine, a popular open-source game engine, to execute crafted GDScript code which triggers malicious commands and delivers malware. The technique remains undetected by almost all antivirus engines in VirusTotal. | Malware blog | Checkpoint |
22.12.24 | Malware Spotlight: A Deep-Dive Analysis of WezRat | Check Point Research (CPR) provides a comprehensive analysis of a custom modular infostealer, tracked as WezRat, after the FBI, the US Department of Treasury, and the Israeli National Cybersecurity Directorate (INCD) released a joint Cybersecurity Advisory and attributed the malware to the Iranian cyber group Emennet Pasargad. The group has been held responsible for several recent cyber operations in the US, France, Sweden, and Israel. | Malware blog | Checkpoint |
22.12.24 | CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits | Check Point Research is tracking an ongoing, large scale and sophisticated phishing campaign deploying the newest version of the Rhadamanthys stealer (0.7). We dubbed this campaign CopyRh(ight)adamantys. | Malware blog | Checkpoint |
21.12.24 | Your Data Is Under New Lummanagement: The Rise of LummaStealer | In this Threat Analysis report, Cybereason investigates the rising activity of the malware LummaStealer. | Malware blog | Cybereason |
21.12.24 | | In this Threat Analysis report, Cybereason investigates incidents relating to the Andromeda backdoor and a new cluster of C2 servers. | Malware blog | Cybereason |
21.12.24 | | During proactive hunting, Trellix Advanced Research Center found samples belonging to Celestial Stealer, a JavaScript-based infostealer which is packaged either as an Electron application or as a NodeJS single application for Windows 10 and Windows 11 operating systems. It is a Malware-as-a-Service (MaaS) advertised on the Telegram platform. The stealer is marketed as FUD (fully undetectable). | Malware blog | Trellix |
21.12.24 | When Guardians Become Predators: How Malware Corrupts the Protectors | We often trust our security software to stand as an unbreakable wall against malware and attacks, but what happens when that very wall is weaponized against us? | Malware blog | Trellix |
2.11.24 | Attackers Target Exposed Docker Remote API Servers With perfctl Malware | We observed an unknown threat actor abusing exposed Docker remote API servers to deploy the perfctl malware. | Malware blog | Trend Micro |
2.11.24 | A Look Into Embargo Ransomware, Another Rust-based Ransomware | Embargo is a relatively new ransomware group that emerged in 2024. This group is known for using Rust-based malware and operating under a ransomware-as-a-service (RaaS) model. Like many modern ransomware groups, Embargo employs double extortion tactics where they first exfiltrate sensitive data from their victims before encrypting their files. They then threaten to release the stolen data unless a ransom is paid. | Malware blog | Trend Micro |
2.11.24 | HORUS Protector Part 1: The New Malware Distribution Service | Recently, the SonicWall threat research team came across a new malware distribution service called Horus Protector. Horus Protector is claiming to be a Fully Undetectable (FUD) crypter. We have observed a variety of malware families propagated by Horus Protector including AgentTesla, Remcos, Snake, NjRat and many others. | Malware blog | SonicWall |
2.11.24 | Threat Spotlight: WarmCookie/BadSpace | WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns. | Malware blog | Cisco Blog |
2.11.24 | Threat actor abuses Gophish to deliver new PowerRAT and DCRAT | Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor. | Malware blog | Cisco Blog |
2.11.24 | Ghidra data type archive for Windows driver functions | Cisco Talos is releasing a GDT file on GitHub that contains various definitions for functions and data types. | Malware blog | Cisco Blog |
28.9.24 | Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors | Unit 42 researchers have been tracking the activity of an ongoing poisoned Python packages campaign delivering Linux and macOS backdoors via infected Python software packages. We’ve named these infected software packages PondRAT. We’ve also found Linux variants of POOLRAT, a known macOS remote administration tool (RAT) previously attributed to Gleaming Pisces (aka Citrine Sleet, distributor of AppleJeus). Based on our research into both RAT families, we assess that the new PondRAT is a lighter version of POOLRAT. | Malware blog | Palo Alto |
28.9.24 | Inside SnipBot: The Latest RomCom Malware Variant | We recently discovered a novel version of the RomCom malware family called SnipBot and, for the first time, show post-infection activity from the attacker on a victim system. This new strain makes use of new tricks and unique code obfuscation methods in addition to those seen in previous versions of RomCom 3.0 and PEAPOD (RomCom 4.0). | Malware blog | Palo Alto |
28.9.24 | Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy | Unit 42 researchers discovered two malware samples used by the Sparkling Pisces (aka Kimsuky) threat group. This includes an undocumented keylogger, called KLogEXE by its authors, and an undocumented variant of a backdoor dubbed FPSpy. These samples enhance Sparkling Pisces' already extensive arsenal and demonstrate the group’s continuous evolution and increasing capabilities. | Malware blog | Palo Alto |
21.9.24 | Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware | Authored by Neil Tyagi. In cybersecurity, threats constantly evolve, and new ways to exploit unsuspecting users are... | Malware blog | |
21.9.24 | ESET Research Podcast: EvilVideo | ESET researchers discuss how they uncovered a zero-day Telegram for Android exploit that allowed attackers to send malicious files posing as videos | Malware blog | |
14.9.24 | Earth Preta Evolves its Attacks with New Malware and Strategies | In this blog entry, we discuss our analysis of Earth Preta’s enhancements in their attacks by introducing new tools, malware variants and strategies to their worm-based attacks and their time-sensitive spear-phishing campaign. | Malware blog | |
14.9.24 | Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads | The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date Office versions and can still be vulnerable. | Malware blog | Cisco Blog |
7.9.24 | Banking Trojans: Mekotio Looks to Expand Targets, BBTok Abuses Utility Command | Notorious Mekotio and BBTok are having a resurgence targeting Latin American users. Mekotio’s latest variant suggests the gang behind it is broadening their target, while BBTok is seen abusing MSBuild.exe to evade detection. | Malware blog | |
7.9.24 | Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion | While monitoring Earth Lusca, we discovered the threat group’s use of KTLVdoor, a highly obfuscated multiplatform backdoor, as part of a large-scale attack campaign. | Malware blog | |
7.9.24 | ESET Research Podcast: HotPage | ESET researchers discuss HotPage, a recently discovered adware armed with a highest-privilege, yet vulnerable, Microsoft-signed driver | Malware blog | |
7.9.24 | In plain sight: Malicious ads hiding in search results | Sometimes there’s more than just an enticing product offer hiding behind an ad | Malware blog | |
31.8.24 | Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence | Trend Micro discovered that old Atlassian Confluence versions that were affected by CVE-2023-22527 are being exploited using a new in-memory fileless backdoor. | Malware blog | |
31.8.24 | | This week, the SonicWall Capture Labs threat research team observed an AutoIT-compiled executable that attempts to open Gmail login pages via MS Edge, Google Chrome and Mozilla Firefox. | Malware blog | SonicWall |
24.8.24 | MoonPeak malware from North Korean actors unveils new details on attacker infrastructure | Cisco Talos has uncovered a new remote access trojan (RAT) family we are calling “MoonPeak.” This is a XenoRAT-based malware, which is under active development by a North Korean nexus cluster we are calling “UAT-5394.” | Malware blog | Cisco Blog |
17.8.24 | Mario movie malware might maliciously mess with your machine | There are probably few among us who, never have they ever, downloaded questionable content. Whether it was a hit song in the Napster era or a Blockbuster movie you found on a “special” site online, you can probably think of at least one occasion when you got access to something from a, shall we say, less than reputable source. | Malware blog | Avast Blog |
17.8.24 | Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove | Check Point Research (CPR) recently uncovered Styx Stealer, a new malware capable of stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency. Even though it only recently appeared, it has already been noticed in attacks, including those targeting our customers. | Malware blog | |
10.8.24 | Cloud Cover: How Malicious Actors Are Leveraging Cloud Services | In the past year, there has been a marked increase in the use of legitimate cloud services by attackers, including nation-state actors. | Malware blog | Symantec |
10.8.24 | Beware of Fake WinRar Websites: Malware Hosted on GitHub | A fake website seemingly distributing WinRar, a data compression, encryption, and archiving tool for Windows, has been seen also hosting malware. This fake website closely resembles the official website, uses typosquatting, and capitalizes on internet users who might incorrectly type the URL of this well-known archiving application. | Malware blog | |
3.8.24 | Detecting evolving threats: NetSupport RAT campaign | In this first Deep Dive with NTDR, we explore how defenders can leverage Snort for the detection of evasive malware threats. | Malware blog | Cisco Blog |
3.8.24 | Phishing targeting Polish SMBs continues via ModiLoader | ESET researchers detected multiple, widespread phishing campaigns targeting SMBs in Poland during May 2024, distributing various malware families | Malware blog | |
27.7.24 | | This blog will focus on the threat actor’s background and previous actions, the attack chain, and the wiper’s internals and reused code. | Malware blog | |
27.7.24 | | ESET researchers have discovered threats abusing the success of the Hamster Kombat clicker game | Malware blog | Eset |
20.7.24 | Beware of BadPack: One Weird Trick Being Used Against Android Devices | This article discusses recent samples of BadPack Android malware and examines how this threat’s tampered headers can obstruct malware analysis. We also review the effectiveness of various freely available tools for analyzing BadPack Android Package Kit (APK) files. | Malware blog | Palo Alto |
20.7.24 | NEW BUGSLEEP BACKDOOR DEPLOYED IN RECENT MUDDYWATER CAMPAIGNS | MuddyWater, an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS), has significantly increased its activities in Israel since the beginning of the Israel-Hamas war in October 2023. This parallels with activities against targets in Saudi Arabia, Turkey, Azerbaijan, India and Portugal. | Malware blog | Checkpoint |
20.7.24 | HotPage: Story of a signed, vulnerable, ad-injecting driver | A study of a sophisticated Chinese browser injector that leaves more doors open! | Malware blog | Eset |
13.7.24 | The Mechanics of ViperSoftX: Exploiting AutoIt and CLR for Stealthy PowerShell Execution | ViperSoftX uses CLR to embed and execute PowerShell commands within AutoIt, seamlessly integrating malicious functions while evading detection with an AMSI bypass. | Malware blog | Trellix |
13.7.24 | Disarming DarkGate: A Deep Dive into Thwarting the Latest DarkGate Variant | The SonicWall RTDMI™ engine has recently protected users against the distribution of the “6.6” variant of DarkGate malware by a phishing email campaign containing PDF files as an attachment. DarkGate is an advanced Remote Access Trojan that has been widely active since 2018. The RAT has been marketed as Malware-as-a-Service in underground forums, and threat actors are actively updating its code. The malware supports a wide range of features (anti-VM, anti-AV, delayed execution, multi-variant support, process hollowing, etc.), which are controlled by flags in the configuration data. | Malware blog | SonicWall |
13.7.24 | DarkGate: Dancing the Samba With Alluring Excel Files | This article reviews a DarkGate malware campaign from March-April 2024 that uses Microsoft Excel files to download a malicious software package from public-facing SMB file shares. This was a relatively short-lived campaign that illustrates how threat actors can creatively abuse legitimate tools and services to distribute their malware. | Malware blog | Palo Alto |
13.7.24 | Dissecting GootLoader With Node.js | This article shows how to circumvent anti-analysis techniques from GootLoader malware while using Node.js debugging in Visual Studio Code. This evasion technique used by GootLoader JavaScript files can present a formidable challenge for sandboxes attempting to analyze the malware. | Malware blog | Palo Alto |
6.7.24 | Mekotio Banking Trojan Threatens Financial Systems in Latin America | We’ve recently seen a surge in attacks involving the Mekotio banking trojan. In this blog entry, we'll provide an overview of the trojan and what it does. | Malware blog | Trend Micro |
6.7.24 | The Hidden Danger of PDF Files with Embedded QR Codes | The SonicWall Capture Labs threat research team has been observing PDF files with QR codes being abused by malware authors to deceive users for a long time. | Malware blog | SonicWall |
6.7.24 | Hijacked: How hacked YouTube channels spread scams and malware | Here’s how cybercriminals go after YouTube channels and use them as conduits for fraud – and what you should watch out for when watching videos on the platform | Malware blog | Eset |
29.6.24 | StrelaStealer Resurgence: Tracking a JavaScript-Driven Credential Stealer Targeting Europe | The SonicWall Capture Labs threat research team has been tracking StrelaStealer for a long time. Recently, in the third week of June, we observed a huge spike in JavaScript spreading StrelaStealer. StrelaStealer specifically steals Outlook and Thunderbird email credentials. The infection chain looks like previous versions of StrelaStealer except major checks have been added to avoid infecting systems in Russia. We are continuing to observe its target regions limited to Poland, Spain, Italy and Germany. | Malware blog | SonicWall |
29.6.24 | New Orcinius Trojan Uses VBA Stomping to Mask Infection | This week, the SonicWall Capture Labs threat research team investigated a sample of Orcinius malware. This is a multi-stage trojan that is using Dropbox and Google Docs to download second-stage payloads and stay updated. It contains an obfuscated VBA macro that hooks into Windows to monitor running windows and keystrokes and creates persistence using registry keys. | Malware blog | SonicWall |
29.6.24 | Attackers Exploiting Public Cobalt Strike Profiles | In this article, Unit 42 researchers detail recent findings of malicious Cobalt Strike infrastructure. We also share examples of malicious Cobalt Strike samples that use Malleable C2 configuration profiles derived from the same profile hosted on a public code repository. | Malware blog | Palo Alto |
29.6.24 | RAFEL RAT, ANDROID MALWARE FROM ESPIONAGE TO RANSOMWARE OPERATIONS | Android, Google’s most popular mobile operating system, powers billions of smartphones and tablets globally. Known for its open-source nature and flexibility, Android offers users a wide array of features, customization options, and access to a vast ecosystem of applications through the Google Play Store and other sources. | Malware blog | Checkpoint |
29.6.24 | SneakyChef espionage group targets government agencies with SugarGh0st and more infection techniques | Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware, as early as August 2023. | Malware blog | Cisco Blog |
29.6.24 | Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia | The new remote access trojan (RAT) dubbed SpiceRAT was used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia. | Malware blog | Cisco Blog |
29.6.24 | Exploring malicious Windows drivers (Part 2): the I/O system, IRPs, stack locations, IOCTLs and more | As the second entry in our “Exploring malicious Windows drivers” series, we will continue where the first left off: discussing the I/O system and IRPs. | Malware blog | Cisco Blog |
15.6.24 | Noodle RAT: Reviewing the Backdoor Used by Chinese-Speaking Groups | This blog entry provides an analysis of the Noodle RAT backdoor, which is likely being used by multiple Chinese-speaking groups engaged in espionage and other types of cybercrime. | Malware blog | Trend Micro |
15.6.24 | DarkGate again but... Improved? | DarkGate is back, if it ever left, with the latest version, number 6, which includes new distribution methods, anti-analysis techniques and features. | Malware blog | Trellix |
15.6.24 | Operation Celestial Force employs mobile and desktop malware to target Indian entities | Cisco Talos is disclosing a new malware campaign called “Operation Celestial Force” running since at least 2018. It is still active today, employing the use of GravityRAT, an Android-based malware, along with a Windows-based malware loader we track as “HeavyLift.” | Malware blog | Cisco Blog |
15.6.24 | How Arid Viper spies on Android users in the Middle East – Week in security with Tony Anscombe | The spyware, called AridSpy by ESET, is distributed through websites that pose as various messaging apps, a job search app, and a Palestinian Civil Registry app | Malware blog | Eset |
1.6.24 | STATIC UNPACKING FOR THE WIDESPREAD NSIS-BASED MALICIOUS PACKER FAMILY | Packers or crypters are widely used to protect malicious software from detection and static analysis. | Malware blog | Checkpoint |
25.5.24 | Introducing Nimfilt: A reverse-engineering tool for Nim-compiled binaries | Available as both an IDA plugin and a Python script, Nimfilt helps to reverse engineer binaries compiled with the Nim programming language compiler by demangling package and function names, and applying structs to strings | Malware blog | Eset |
18.5.24 | Payload Trends in Malicious OneNote Samples | In this post, we look at the types of embedded payloads that attackers leverage to abuse Microsoft OneNote files. Our analysis of roughly 6,000 malicious OneNote samples from WildFire reveals that these samples have a phishing-like theme where attackers use one or more images to lure people into clicking or interacting with OneNote files. | Malware blog | Palo Alto |
11.5.24 | The hacker’s toolkit: 4 gadgets that could spell security trouble | Their innocuous looks and endearing names mask their true power. These gadgets are designed to help identify and prevent security woes, but what if they fall into the wrong hands? | Malware blog | Eset |
4.5.24 | It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise | Our telemetry indicates a growing number of threat actors are turning to malware-initiated scanning attacks. This article reviews how attackers use infected hosts for malware-based scans of their targets instead of the more traditional approach using direct scans. | Malware blog | Palo Alto |
28.4.24 | ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices | ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. | Malware blog | Cisco Blog |
28.4.24 | Suspected CoralRaider continues to expand victimology using three information stealers | Talos also discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload into the victims’ host. | Malware blog | Cisco Blog |
20.4.24 | Redline Stealer: A Novel Approach | Authored by Mohansundaram M and Neil Tyagi. A new packed variant of the Redline Stealer trojan was... | Malware blog | McAfee |
20.4.24 | OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal | The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. | Malware blog | Cisco Blog |
13.4.24 | Starry Addax targets human rights defenders in North Africa with new malware | Cisco Talos is disclosing a new threat actor we deemed “Starry Addax” targeting mostly human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause, using a novel mobile malware. | Malware blog | Cisco Blog |
13.4.24 | eXotic Visit includes XploitSPY malware – Week in security with Tony Anscombe | Almost 400 people in India and Pakistan have fallen victim to an ongoing Android espionage campaign called eXotic Visit | Malware blog | Eset |
6.4.24 | AGENT TESLA TARGETING UNITED STATES & AUSTRALIA: REVEALING THE ATTACKERS’ IDENTITIES | When considering a notoriously famous topic known for quite a long time, it may feel like there is nothing new to add to this area anymore – all paths traced, all words said, all “i”s dotted. Is it worth an investigation to begin with? As it turns out, there are new discoveries with previously hidden information of valuable significance that can be built into the already-painted picture. | Malware blog | Checkpoint |
6.4.24 | MALWARE SPOTLIGHT: LINODAS AKA DINODASRAT FOR LINUX | In recent months, Check Point Research (CPR) has been closely monitoring the activity of a Chinese-nexus cyber espionage threat actor who is focusing on Southeast Asia, Africa, and South America. | Malware blog | Checkpoint |
6.4.24 | Adversaries are leveraging remote access tools now more than ever — here’s how to stop them | While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns. | Malware blog | Cisco Blog |
6.4.24 | Malware hiding in pictures? More likely than you think | There is more to some images than meets the eye – their seemingly innocent façade can mask a sinister threat. | Malware blog | Eset |
23.3.24 | Large-Scale StrelaStealer Campaign in Early 2024 | StrelaStealer malware steals email login data from well-known email clients and sends them back to the attacker’s C2 server. Upon a successful attack, the threat actor would gain access to the victim's email login information, which they can then use to perform further attacks. | Malware blog | Palo Alto |
23.3.24 | Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention | This article reviews the recently discovered FalseFont backdoor, which was used by a suspected Iranian-affiliated threat actor that Unit 42 tracks as Curious Serpens. Curious Serpens (aka Peach Sandstorm) is a known espionage group that has previously targeted the aerospace and energy sectors. | Malware blog | Palo Alto |
23.3.24 | Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor | This article announces the publication of our first collaborative effort with the State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP). | Malware blog | Palo Alto |
23.3.24 | AceCryptor attacks surge in Europe – Week in security with Tony Anscombe | The second half of 2023 saw massive growth in AceCryptor-packed malware spreading in the wild, including courtesy of multiple spam campaigns where AceCryptor packed the Rescoms RAT | Malware blog | Eset |
23.3.24 | Rescoms rides waves of AceCryptor spam | Insight into ESET telemetry statistics about AceCryptor in H2 2023 with a focus on Rescoms campaigns in European countries | Malware blog | Eset |
23.3.24 | A prescription for privacy protection: Exercise caution when using a mobile health app | Given the unhealthy data-collection habits of some mHealth apps, you’re well advised to tread carefully when choosing with whom you share some of your most sensitive data | Malware blog | Eset |
17.3.24 | Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled | This article will focus on the newly released BunnyLoader 3.0, as well as historically observed BunnyLoader infrastructure and an overview of its capabilities. BunnyLoader is dynamically developing malware with the capability to steal information, credentials and cryptocurrency, as well as deliver additional malware to its victims. | Malware blog | Palo Alto |
2.3.24 | The Art of Domain Deception: Bifrost's New Tactic to Deceive Users | First identified in 2004, Bifrost is a remote access Trojan (RAT) that allows an attacker to gather sensitive information, like hostname and IP address. In this article, along with exploring Bifrost, we’ll also showcase a notable spike in Bifrost’s Linux variants during the past few months. | Malware blog | Palo Alto |
2.3.24 | TimbreStealer campaign targets Mexican users with financial lures | Talos has observed a phishing spam campaign targeting potential victims in Mexico, luring users to download a new obfuscated information stealer we’re calling TimbreStealer, which has been active since at least November 2023. | Malware blog | Cisco Blog |
25.2.24 | Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns | Since September 2023, we have observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans. | Malware blog | Cisco Blog |
10.2.24 | RASPBERRY ROBIN KEEPS RIDING THE WAVE OF ENDLESS 1-DAYS | Two new 1-day LPE exploits were used by the Raspberry Robin worm before they were publicly disclosed, which means that Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time. | Malware blog | Checkpoint |
10.2.24 | New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization | Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.” | Malware blog | Cisco Blog |
4.2.24 | Exploring the Latest Mispadu Stealer Variant | Unit 42 researchers recently discovered activity attributed to Mispadu Stealer, a stealthy infostealer first reported in 2019. We found this activity as part of the Unit 42 Managed Threat Hunting offering. We discovered this threat activity while hunting for the SmartScreen CVE-2023-36025 vulnerability. | Malware blog | Palo Alto |
4.2.24 | Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers | Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system. | Malware blog | Cisco Blog |
4.2.24 | Grandoreiro banking malware disrupted – Week in security with Tony Anscombe | The banking trojan, which targeted mostly Brazil, Mexico and Spain, blocked the victim’s screen, logged keystrokes, simulated mouse and keyboard activity and displayed fake pop-up windows | Malware blog | Eset |
4.2.24 | ESET takes part in global operation to disrupt the Grandoreiro banking trojan | ESET provided technical analysis, statistical information, known C&C servers and was able to get a glimpse of the victimology | Malware blog | Eset |
20.1.24 | Parrot TDS: A Persistent and Evolving Malware Campaign | This campaign is unique in its methodology, employing a source spoofing technique to target a broad spectrum of token holders. It specifically focuses on more than 100 highly popular projects, aiming its attacks at token holders. | Malware blog | Palo Alto |
14.1.24 | Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer | Malware, like many complex software systems, relies on the concept of software configuration. Configurations establish guidelines for malware behavior and they are a common feature among the various malware families we examine. | Malware blog | Palo Alto |
14.1.24 | .NET HOOKING – HARMONIZING MANAGED TERRITORY | For a malware researcher, analyst, or reverse engineer, the ability to alter the functionality of certain parts of code is a crucial step, often necessary to reach a meaningful result during the analysis process. | Malware blog | Checkpoint |