ALERTS HOME AI APT BOTNET CAMPAIGN CRIME CRYPTOCURRENCY EXPLOIT HACKING GROUP OPERATION PHISHING RANSOM SPAM VIRUS VULNEREBILITY
2024 March(16) April(92) May(99) June(94) July(88) August(112) SEPTEMBER(67) October(13) November(80) December(6) 2025 January(36) February(50) March(77)
DATE |
NAME |
CATEGORY |
SUBCATE |
INFO |
| 2.4.25 | Masslogger Bank-Themed Phishing Primarily Targets Romania, With Broader European Reach | VIRUS | Symantec has observed a Masslogger campaign primarily targeting organizations in Romania, where attackers are impersonating a Romanian bank. In addition to Romanian entities, the campaign has also impacted organizations in several other countries across Europe and beyond. | |
| 2.4.25 | TsarBot Android malware | VIRUS | TsarBot is a new Android banking trojan reported to be targeting over 750 different banking, financial and cryptocurrency-related applications. | |
| 1.4.25 | New SnakeKeylogger multistage Info-stealer campaign | ALERTS | VIRUS | SnakeKeylogger is an info-stealer malware that harvests credentials and other sensitive data. It targets a wide range of applications such as web browsers like Google Chrome, Mozilla Firefox, and email clients such as Microsoft Outlook and Thunderbird. |
| 1.4.25 | Crocodilus Android malware | ALERTS | VIRUS | Crocodilus is a new mobile banking trojan variant identified recently on the threat landscape. The malware has extensive remote control and infostealing functionalities, allowing the attackers for application overlay attacks, remote access to the compromised devices, theft of credentials/data stored on the mobile device, keylogging and execution of commands received from C2 servers, among others. |
| 1.4.25 | New CoffeeLoader malware | VIRUS | CoffeeLoader is a new sophisticated malware loader designed to implement secondary payloads while evading detection. This loader leverages a packer that executes code on a system’s GPU. CoffeeLoader can establish persistence via the Windows Task Schedule and can maintain persistence via a scheduled task with a hard-coded name. | |
| 1.4.25 | MassLogger Targets Businesses Worldwide via Procurement-themed Phishing | ALERTS | PHISHING | MassLogger, an information-stealing malware designed to capture credentials, keystrokes, and clipboard data from victims, has been gaining prevalence in the threat landscape, with campaigns of various sizes and victimology observed worldwide. |
|
28.3.25 |
Remcos backdoor distributed in the latest campaign attributed to Shuckworm APT | ALERTS | CAMPAIGN | A new campaign attributed to the Shuckworm APT (aka Gamaredon) has been reported by researchers from Cisco Talos. According to the released report, the attackers are targeting users from Ukraine with malicious .LNK files and PowerShell downloaders before infecting them with Remcos RAT payload. |
|
28.3.25 |
Argenta Bank users targeted with new phishing emails | ALERTS | PHISHING | Argenta is a bank based in Belgium and also operates in the Netherlands and Luxembourg. Recently, Symantec has detected a new wave of phish runs spoofing Argenta's bank services with fake account notifications. |
|
28.3.25 |
RALord Ransomware | RANSOM | RALord is a new Rust-based ransomware variant identified in the wild. The malware encrypts user data and appends ".RALord" extension to the names of the locked files. | |
|
28.3.25 |
VIPKeyLogger Targets Japan’s Corporate Sector | ALERTS | VIRUS | VIPKeyLogger, a stealthy keylogging malware, has been observed in two phishing campaigns targeting Japanese organizations and international companies with local offices in Japan. |
|
28.3.25 |
PJobRAT Android malware | ALERTS | VIRUS | A new campaign distributing PJobRAT malware for Android has been discovered by the researchers from Sophos. The campaign targets mostly the mobile users from Taiwan and aims at collection and exfiltration of sensitive data including SMS messages, contact lists as well as documents and media file stored on the compromised devices. |
|
28.3.25 |
CVE-2025-24799 - SQL injection vulnerability in GLPI | VULNEREBILITY | CVE-2025-24799 is a recently identified SQL injection vulnerability affecting GLPI, which is a popular and open-source IT Service Management (ITSM) software. | |
|
27.3.25 |
CVE-2025-29891 - Bypass/Injection vulnerability in Apache Camel | ALERTS | VULNEREBILITY | CVE-2025-29891 is a second recently identified bypass/injection vulnerability affecting Apache Camel, which is a popular open source integration framework. If successfully exploited, the flaw might enable the remote attackers to inject arbitrary parameters in the HTTP requests that are sent to the Camel application. |
|
27.3.25 |
New Go-based ReaderUpdate macOS malware variant | ALERTS | VIRUS | A new Go-based strain of the macOS malware dubbed ReaderUpdate has been discovered in the wild. Previous variants of this malware were based on Crystal, Nim and Rust programming languages. |
|
27.3.25 |
Phishing Surge Targets Rakuten Securities Users | ALERTS | PHISHING | In recent weeks, there has been an increase in phishing campaigns targeting users of Rakuten Securities (楽天証券), one of Japan’s largest and most well-established online brokerage firms. The company offers a wide range of investment services, including stocks, ETFs, mutual funds, futures, options, forex trading, and NISA (Japan’s tax-advantaged investment accounts). |
|
27.3.25 |
New Android malware leverages .NET MAUI framework for detection evasion | VIRUS | A new Android malware variant leveraging .NET MAUI framework has been identified in the wild. .NET MAUI is a cross-platform framework used to build native, desktop and mobile apps with C# and XAML. | |
|
27.3.25 |
PlayBoy Locker Ransomware | RANSOM | PlayBoy Locker is a ransomware variant discovered last September and initially distributed in form of a Ransomware-as-a-Service (RaaS) offering. The ransomware platform offered multi-OS support including Windows, NAS and ESXi operating systems. | |
|
26.3.25 |
CVE-2025-24813 - Critical path equivalence RCE vulnerability in Apache Tomcat | ALERTS | VULNEREBILITY | Security researchers have observed active exploitation attempts of CVE-2025-24813, a critical Remote Code Execution (RCE) vulnerability in Apache Tomcat, an open-source servlet container and web server for Java applications. The flaw, caused by a path equivalence issue, allows attackers to bypass security constraints and execute arbitrary code remotely. |
|
26.3.25 |
Dragon RaaS Group: Ransomware targeting the US and European countries | ALERTS | RANSOM | Dragon RaaS, a ransomware group that emerged in July 2024, primarily targets organizations in the US, Israel, UK, France and Germany. The group leverages web application vulnerabilities, brute-force attacks and stolen credentials as its main attack vectors using two ransomware variants: a Windows-focused encryptor, likely a modified version of StormCry and a PHP webshell which provides both backdoor functionality and persistent ransomware capabilities. |
|
26.3.25 |
New JS downloader observed in recent malspam campaign | ALERTS | VIRUS | Symantec has observed a new email campaign delivering a JavaScript downloader as an attachment. The JS arrives under various filenames in an email with variable subjects. |
|
26.3.25 |
Funnelweb attack group targets victims in Operation FishMedley | OPERATION | The China-backed advanced persistent threat group known as Funnelweb (aka Aquatic Panda, Earth Lusca, FishMonger) was responsible for an extensive campaign identified as Operation FishMedley. The campaign targeted entities including governments, NGOs, and think tanks across numerous countries. | |
|
26.3.25 |
CVE-2025–26319 - Flowise Pre-Auth arbitrary file upload vulnerability | VULNEREBILITY | CVE-2025–26319 is a recently disclosed pre-auth arbitrary file upload vulnerability affecting Flowise, which is a popular open source tool for developers to build customized LLM (Large Language Model) orchestration flows and AI agents. | |
|
26.3.25 |
FogDoor backdoor delivery campaign | ALERTS | VIRUS | A new campaign targeting Polish-speaking job-seeking developers has been reported to deliver a new backdoor variant dubbed FogDoor. The attackers lure the victims with a fake recruitment test that leads to a download of a .iso archive containing a malicious .lnk file. The executed .lnk file runs a PowerShell script responsible for installing the malware payload. |
|
25.3.25 |
CVE-2024-56346 & CVE-2024-56347 - recent IBM AIX OS vulnerabilities | VULNEREBILITY | CVE-2024-56346 and CVE-2024-56347 are two recently disclosed critical (CVSS score 10.0 and 9.6 respectively) vulnerabilities affecting IBM AIX operating system. | |
|
25.3.25 |
SVCStealer malware | VIRUS | SVCStealer is a new C++based infostealing malware identified in the wild. The infostealer collects various sensitive information from the infected endpoints such as system information, credentials, cryptocurrency wallets, data stored in browsers, screenshots, data from messaging applications (Discord, Tox, Telegram) or VPN apps, and others. | |
|
22.3.25 |
New variants of the Albabat ransomware implement multi-OS capabilities | RANSOM | A new strain of the Albabat ransomware has been reported to offer multi-OS support, according to latest report from Trend Micro. New Albabat variant is still under active development and it adds Linux and macOS to the list of the targeted platforms. | |
|
22.3.25 |
New phishing campaign targets Pocket Card users | PHISHING | Symantec has detected a phishing campaign targeting Japanese users with fake Pocket Card notification emails. The emails use the subject line: | |
|
22.3.25 |
VanHelsing Ransomware | RANSOM | VanHelsing is a new ransomware variant recently identified in the wild. The malware encrypts user data and appends .vanhelsing or .vanlocker extension to the locked files. VanHelsing drops the ransom note in form of a text file called “README.txt” and it is also able to modify the desktop wallpaper. | |
|
22.3.25 |
Campaign impersonating travel bookings site using “ClickFix" technique | ALERTS | CAMPAIGN | A phishing campaign impersonating Booking.com to deliver credential stealing malware has been observed targeting hospitality organizations in Asia, North America, Oceania, and Europe. The attackers send fake emails impersonating the online travel agency. |
|
22.3.25 |
Recent UAT-5918 APT malicious activities targeting entities in Taiwan | APT | Researchers from Cisco Talos have reported a long-lasting campaign targeting entities in Taiwan and attributed to the UAT-5918 APT. The attackers are known to obtain access to the targeted environments usually via vulnerability exploitation. | |
|
22.3.25 |
DarkCrystal RAT distributed in malicious campaign UAC-0200 | VIRUS | According to a recent alert released by Ukraine's Computer Emergency Response Team (CERT-UA), a new wave of attacks against the defense sector in Ukraine has been detected. The campaign dubbed as UAC-0200 distributes malicious messages via the Signal messenger leading the victims to execution of DarkTortilla loader, which in turn decrypts and runs the DarkCrystal RAT (aka DCRat) payload. | |
|
22.3.25 |
Custom Betruger backdoor deployed by RansomHub affiliate | The Symantec Threat Hunter team has observed activity from a custom backdoor that can be tied to a RansomHub affiliate. RansomHub is a Ransomware-as-a-Service offering and the backdoor has been named Betruger. | ||
|
20.3.25 |
New Steganographic malware campaign exploits JPEG files to distribute Infostealers | ALERTS | VIRUS | A new steganographic malware campaign has been identified, using JPEG image files to distribute various infostealer malwares. The attack starts by luring users into downloading an obfuscated JPEG file, which contains hidden malicious scripts and executables. |
|
20.3.25 |
Fake captchas entice users to run malicious commands for rootkit deployment | VIRUS | Another fake captcha campaign is resulting in rootkits being deployed to unsuspecting victims. The attack is spread via fake captchas that impersonate popular software tools and websites, the captcha copies a malicious powershell command using curl to the users clipboard and provides instructions on how to run it to prove they are human. | |
|
20.3.25 |
CVE-2024-27564 - ChatGPT commit f9f4bbc SSRF vulnerability exploited in the wild | VULNEREBILITY | New reports emerged about threat actors actively exploiting an older Server-Side Request Forgery (SSRF) vulnerability (CVE-2024-27564) affecting OpenAI’s ChatGPT. | |
|
20.3.25 |
NailaoLocker Ransomware | RANSOM | NailaoLocker is a ransomware variant distributed last year in campaigns targeting various European healthcare organizations. The attackers responsible for the attacks have been leveraging previously disclosed Check Point Security Gateway vulnerability CVE-2024-24919 in the initial attack stages. | |
|
20.3.25 |
AnubisBackdoor: New Python-based malware linked to Coreid APT group | ALERTS | VIRUS | A relatively new backdoor malware dubbed AnubisBackdoor has been spotted in the wild. This Python-based backdoor is attributed to the Savage Ladybug group, which is reportedly connected to the notorious Coreid (aka Fin7) APT group. |
|
20.3.25 |
CVE-2025-27636 - Apache Camel Message Header Injection vulnerability | VULNEREBILITY | CVE-2025-27636 is a recently identified bypass/injection vulnerability affecting Apache Camel, which is a popular open source integration framework. | |
|
20.3.25 |
StilachiRAT malware | ALERTS | VIRUS | StilachiRAT is a new remote access trojan variant discovered recently by researchers from Microsoft. The malware possesses extensive remote control as well as infostealing capabilities. |
|
19.3.25 |
Protection Highlight: Thwarting Ransomware with Carbon Black Endpoint Standard | ALERTS | RANSOM | Today's ransomware is innovating at a rapid pace. Going beyond simple file encryption, ransomware increasingly leverages unknown variants and fileless techniques. |
|
19.3.25 |
JPHP downloader uncovered | VIRUS | A new downloader compiled with JPHP was recently observed. JPHP is an interpreter that allows PHP scripts to execute in a Java Virtual Machine. This particular malware was originally delivered in a ZIP file and leveraged Telegram for its C2 communications. Potential downloaded payloads include infostealers such as Danabot. | |
|
19.3.25 |
VenomRat malware campaign uses VHD files for data exfiltration | CAMPAIGN | A VenomRat malware campaign using VHD files has been observed in the wild. The attack begins with a phishing email containing an archive attachment disguised as a purchase order to lure users. Inside the archive there is a .vhd file which mounts itself as a hard disk when opened. | |
|
19.3.25 |
New XCSSET macOS malware variant discovered | According to recent reports, a new variant of XCSSET, the macOS modular malware, has been observed by researchers at Microsoft. First discovered in 2020, XCSSET is a sophisticated modular malware known to target users by infecting Apple Xcode projects. | ||
|
19.3.25 |
A new Sobolan malware campaign | ALERTS | CAMPAIGN | Threat Actors use compromised interactive computing environments like Jupyter Notebooks to spread Sobolan malware in a multi stage attack. |
|
16.3.25 |
OctoV2 mobile malware distributed as fake DeepSeek AI app | ALERTS | AI | A new variant of the OctoV2 Android banking malware has been spread recently under the disguise of a DeepSeek AI mobile app. DeepSeek is a recently released AI-powered chatbot, much similar to the well known ChatGPT. |
| 14.3.25 | SuperBlack - a new Lockbit ransomware variant | RANSOM | SuperBlack is a new ransomware variant based on the leaked Lockbit builder. According to recent reports, a newly observed distribution of this malware has been attributed to the threat actor dubbed as Mora_001 (a possible Lockbit affiliate). | |
| 14.3.25 | LithiumWare Ransomware | RANSOM | LithiumWare is a new ransomware strain observed in the wild. The malware encrypts user data and appends random four-character extensions to the locked files. | |
| 14.3.25 | Vedalia threat group tied to new Android spyware called KoSpy | VIRUS | KoSpy is a recently discovered Android spyware that has been associated with the North Korean APT Vedalia (also known as APT37 ScarCruft). The spyware was observed masquerading as numerous utility applications to entice/trick its victims. | |
| 14.3.25 | Hellcat: Ransomware-as-a-Service group | RANSOM | Since its identification in late 2024, the Hellcat Ransomware Group has emerged as a prominent Ransomware-as-a-Service (RaaS) threat claiming attacks on critical national infrastructure and government organizations. | |
| 14.3.25 | Sosano backdoor targets UAE Aviation and Satellite firms | VIRUS | An email campaign targeting organizations in the UAE associated with aviation and satellite communications has been reported. The attack leveraged a compromised email account from an Indian electronics firm to send malicious emails aimed at luring victims. | |
| 13.3.25 | DocSwap mobile malware | VIRUS | DocSwap is a new mobile malware variant distributed under the disguise of a "document viewing authentication" mobile app. | |
| 13.3.25 | A new campaign distributing scam crypto investment platforms | CRYPTOCURRENCY | A new campaign spreading fraudulent cryptocurrency investment platforms has been reported by researchers from Palo Alto. The attackers leverage websites and Android mobile apps masqueraded as known brands of retail stores, financial institutions or technology companies to lure their victims. | |
| 13.3.25 | CVE-2025-25181 - Advantive VeraCore SQL Injection vulnerability | VULNEREBILITY | CVE-2025-25181 is a SQL Injection vulnerability affecting Advantive VeraCore, which is an order fulfillment and warehouse management software. If successfully exploited, the flaw might allow the remote attackers to execute arbitrary SQL commands via the PmSess1 parameter and gain unauthorized access to sensitive data. | |
| 13.3.25 | Ballista botnet targets TP-Link Archer routers via vulnerability exploitation | BOTNET | A new botnet dubbed Ballista has targeted organizations in Australia, China, Mexico, and the US focusing on healthcare, manufacturing, services, and technology sectors. | |
| 13.3.25 | Credential Theft Campaign Disguised as Construction Quote Requests | PHISHING | An actor has been running a large phishing campaign, targeting businesses with emails disguised as requests for quotations. The emails, sent from multiple Outlook, Live, Hotmail, and MSN addresses, urge recipients to review an attached document, claiming it contains the scope of work for an urgent project. | |
| 13.3.25 | PlayPraetor mobile malware | VIRUS | PlayPraetor is a mobile malware recently distributed via fake Play Store websites. Many of the observed fraudulent domains leverage typo-squatting techniques to lure the unsuspecting victims into downloading the malicious binaries. | |
| 13.3.25 | CVE-2024-32444 and CVE-2024-32555 - WordPress RealHome and Easy Real Estate Plugin vulnerabilities | VULNEREBILITY | CVE-2024-32444 and CVE-2024-32555 are two recently disclosed vulnerabilities affecting WordPress RealHome and WordPress Easy Real Estate Plugin respectively. | |
| 13.3.25 | Blind Eagle malicious .url files variant | APT | Blind Eagle (aka APT-C-36), is a threat actor group that engages in both espionage and cyber-crime. It primarily targets organizations in Colombia and other Latin American countries focusing on government institutions, financial organizations, and critical infrastructure. | |
| 13.3.25 | Malvertising campaign found in pirate streaming sites leading to infostealers | VIRUS | A malvertising campaign has been recently disclosed by Microsoft. The malicious actors start by injecting malvertising redirectors into videos hosted on pirate streaming sites. | |
| 13.3.25 | Phishing Campaign Impersonates Korean Tax Service | PHISHING | A new wave phishing is making rounds in South Korea, disguising itself as an official email from the Korean National Tax Service (NTS). The email claims to contain an electronic tax invoice and includes an HTML attachment named NTS_eTaxInvoice.html. | |
| 13.3.25 | Malicious operations attributed to the EncryptHub threat actor | RANSOM | EncryptHub is a new threat actor engaging in malicious operations distributing ransomware and infostealers (StealC, Rhadamanthys) to the unsuspecting victims. | |
| 13.3.25 | Leafperforator APT conducts attacks on maritime sector | APT | A new malicious campaign targeting the maritime and nuclear energy sector across South and Southeast Asia, the Middle East, and Africa has been attributed to the Leafperforator (also known as SideWinder) APT group. | |
| 11.3.25 | New Poco RAT distribution campaign | VIRUS | A new campaign distributing Poco RAT to Spanish-speaking users in Latin America has been reported in the wild. The campaign has been attributed to the Darkling APT (aka Dark Caracal). The group is known to leverage Bandook-based backdoors in their attacks. | |
| 11.3.25 | CVE-2024-13159 - Ivanti Endpoint Manager (EPM) Absolute Path Traversal vulnerability | VULNEREBILITY | CVE-2024-13159 is a critical (CVSS score 9.8) absolute path traversal vulnerability affecting the Ivanti Endpoint Manager (EPM) software. If successfully exploited, the flaw might allow a remote unauthenticated attacker to leak sensitive information. | |
| 10.3.25 | Strela Stealer targets MS Outlook users credentials | VIRUS | Strela Stealer is a malware infostealer typically distributed through phishing campaigns affecting users in Italy, Germany, Spain, and Ukraine. It is designed to target specific email clients (notably Microsoft Outlook and Mozilla Thunderbird) and exfiltrate email login credentials. | |
| 10.3.25 | Boramae Ransomware | RANSOM | Boramae is a new ransomware discovered just recently in the threat landscape and a suspected variant of the Beast aka BlackLockbit malware family. The malware encrypts user files and appends ".boramae" to them. | |
| 10.3.25 | Phantom-Goblin operation spreading infostealers to victims | OPERATION | Phantom-Goblin is the name of a malicious infostealing campaign recently identified in the wild. The attackers responsible are leveraging social engineering techniques luring victims into execution of malicious .LNK files. | |
| 10.3.25 | Ebyte Ransomware | Desert Dexter is a recently reported malicious operation targeting users based in Middle East and North Africa. The responsible threat actors are distributing malicious binaries hosted on legitimate file-sharing portals or via seemingly harmless Telegram channels. | ||
| 7.3.25 | Desert Dexter malicious campaign | CAMPAIGN | Desert Dexter is a recently reported malicious operation targeting users based in Middle East and North Africa. The responsible threat actors are distributing malicious binaries hosted on legitimate file-sharing portals or via seemingly harmless Telegram channels. | |
| 7.3.25 | Latest Njrat variant uses Microsoft Dev Tunnels for C2 communications | VIRUS | A new variant of the NjRAT malware has been reported in the wild. NjRAT (also known as Bladabindi or Ratenjay) is an older but still widely used Remote Access Trojan (RAT). This malware is often used to extract data from the compromised endpoints, send commands via remote shell, manipulate the registry as well as download additional payloads. | |
| 7.3.25 | Medusa ransomware activity on the rise | RANSOM | Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024. | |
| 7.3.25 | A new campaign targeting ISP infrastructure with infostealers | VIRUS | A new campaign targeting ISP (Internet service providers) infrastructure with infostealers and cryptocurrency miners has been reported in the wild. In the initial attack stages the threat actors are leveraging brute force attacks to access the vulnerable environments. | |
| 5.3.25 | Phishing campaign used to deliver Havoc malware | CAMPAIGN | In a new report, researchers at Fortinet have detailed a phishing campaign that was used to deliver Havoc malware. Havoc is a malicious framework, akin to Cobalt Strike, that is actively leveraged to compromise victims. In this campaign, the attackers leveraged multiple components, starting with an html file which lures the recipient into executing a malicious PowerShell command. | |
| 5.3.25 | Danger & Loches - recent Globeimposter ransomware variants seen in the wild | RANSOM | Dange and Loches are the two most recently identified variants of the Globeimposter ransomware family. The malware will encrypt user data and append .danger or .loches extension to the locked files respectively. | |
| 5.3.25 | GrassCall malware campaign spreads infostealers to job seekers | VIRUS | GrassCall is a recently identified campaign attributed to the threat group known as Crazy Evil. The attack has been targeting job seekers with fake job interviews in efforts to distribute malicious executables used for infostealing. The attackers have been advertising fake job offers on various well know websites such as LinkedIn or CryptoJobsList. The victims were asked to download fake video meeting software called GrassCall. | |
| 5.3.25 | CVE-2024-12356 - BeyondTrust PRA and RS vulnerability | VULNEREBILITY | CVE-2024-12356 is a critical (CVSS score 9.8) command injection vulnerability affecting the BeyondTrust Privileged Remote Access (PRA) and BeyondTrust Remote Support (RS) software. If successfully exploited, the flaw might allow an unauthenticated attacker to inject commands that are run as a site user. This vulnerability has been previously added to the CISA Known Exploited Vulnerabilities (KEV) Catalog in December 2024 following the reports of the in-the-wild exploitation. | |
| 5.3.25 | Leveraging malicious LNK files and Null-AMSI tool to deliver AsyncRAT | VIRUS | A malware campaign using malicious LNK files disguised as wallpapers to lure users has been observed. As part of the attack vector, the open-source Null-AMSI tool is employed to bypass malware scanning interfaces (AMSI) and Event Tracing for Windows (ETW). Obfuscated PowerShell scripts are used to connect to a remote server and download gzip compressed payloads to evade detection. The final payload is loaded into memory via reflection enabling the execution of AsyncRAT for remote control. | |
| 5.3.25 | Attackers spread Winos4.0 malware using taxation as a lure | The Winos4.0 malware framework has been used by threat groups to perpetrate attacks against intended victims. In a recent report from Fortinet, they have outlined an attack observed against users in Taiwan, using a tax related lure to distribute Winos4.0 malware. The campaign leveraged a PDF attachment with a zip archive that contained malicious DLL and shellcode components along with further modules which are downloaded from a C2. | ||
| 5.3.25 | Fake browser updates being distributed through malicious redirects | Security researchers have observed recent malware campaigns utilizing web-based malware distribution via compromised sites rather than relying solely on email-based attacks to spread malicious links. | ||
| 1.3.25 | LCRYX Ransomware | ALERTS | LCRYX is a VBScript-based ransomware discovered in the wild last year. The malware encrypts user data, appends ‘.lcryx’ to the locked files and demands ransom payment in the Bitcoin cryptocurrency. | |
| 1.3.25 | New Squidoor backdoor variant distributed in latest campaigns | ALERTS | VIRUS | Squidoor is a modular multi-platform backdoor variant supporting both Windows and Linux platforms. According to the researchers from Palo Alto, the newest strain of this malware is distributed in attacks associated with suspected Chinese threat actors. |
| 1.3.25 | Bank of Yokohama users targeted with new phishing emails | ALERTS | PHISHING | In Japan, the Bank of Yokohama is the largest regional bank headquartered in Yokohama. Recently, Symantec has detected a new wave of phish runs spoofing the Bank of Yokohama services with fake account notifications. The emails use the subject line: 【横浜銀行】3月ご利用明細のご案内について (Translated: [Yokohama Bank] Information on March usage statements). |
| 1.3.25 | Billbug (aka Lotus Blossom) threat group uses Sagerunex malware to target numerous victims | ALERTS | APT | The Billbug (aka Lotus Blossom) threat group has been observed leveraging Sagerunex malware, along with other hacking tools, to target numerous victims across industries. In a recent report by researchers at Cisco Talos, activity from this group was seen in attacks affecting organizations such as governments, manufacturing, and telecommunications and media in Asia. |