Fake DMCA and DDoS complaints lead to BazaLoader malware

Researchers recently identified several malicious files that were written primarily in Python and compiled in the Linux binary format ELF (Executable and Linkable Format) for the Debian operating s...

Analysts have been focusing on BazarLoader as it comes through various distribution channels. One such channel is the "Stolen Images Evidence" campaign, described by Microsoft . The "Stolen I...

Recent campaigns involved exploits against Exchange and MySQL servers. Group has heavy focus on telecoms sector. Symantec, part of Broadcom Software, has linked the recently discovered Sidewalk ...

New details have emerged about the recent Windows CVE-2021-40444 zero-day vulnerability, how it is being exploited in attacks, and the threat actor's ultimate goal of taking over corporate networks...

Researchers has discovered a new campaign by threat group TeamTNT that is targeting multiple operating systems and applications. The campaign uses multiple shell/batch scripts, new open source to...

Most of the bait pages are hosted on WordPress blog platforms. Download buttons on these pages link to another host, passing a set of parameters that includes the package name and affiliate ident...

Palo Alto Networks observed exploits in the wild for a recently disclosed command injection vulnerability affecting WebSVN, an open-source web application for browsing source code. The critical ...

FormBook stealer is a rojan available as a malware-as-service. This malware is often used by attackers with low technical literacy and little programming knowledge. FormBook can be used to steal ...

Cybercriminals behind the BazaLoader malware came up with a new lure to trick website owners into opening malicious files: fake notifications about the site being engaged in distributed denial-of-s...

SideWalk is a modular backdoor that can dynamically load additional modules sent from its C&C server, makes use of Google Docs as a dead drop resolver, and uses Cloudflare workers as a C&C ...

Key facts about Sardonic: Sardonic is a new backdoor in the FIN8 ecosystem Sardonic is a project still under development and includes several components The new components were identified in a r...

he FBI has learned of a cyber-criminal group who self identifies as the "OnePercent Group" and who have used Cobalt Strike to perpetuate ransomware attacks against US companies since November 2020....

LockFile - What appears to be a new ransomware family is being used to target victims in various industries around the globe. The LockFile ransomware was first observed on the network of a U.S. ...

Attackers are actively scanning for vulnerable Microsoft Exchange servers and abusing the latest line of Microsoft Exchange vulnerabilities that were patched earlier this year.

ShadowPad emerged as the successor to PlugX. The relationship between PlugX and ShadowPad has been publicly discussed before. However, analysts discovered other evidence proving th...

It has been a tough for many enterprise security teams fighting a series of severe bugs in Microsoft Windows 10. Shortly after being 'all hands on deck' dealing with the remote code execution (RCE...

Iranian Railways and the Ministry of Roads and Urban Development systems became the subject of targeted cyber attacks. Attacks heavily rely on the attacker's previous knowledge and reconnaissance...

Anomali Threat Research discovered a spearphishing campaign that appears to have begun in early July 2021, targeting the manufacturing industry throughout Asia. The tactics, techniques, and proced...

Magniber ransomware makes a comeback using the same methods: exploiting unpatched vulnerabilities on South Korean victims In July 2021, analysts identified Magniber ransomware attempting to use a ...

A new variant of eCh0raix ransomware targeting Synology network-attached storage (NAS) and Quality Network Appliance Provider (QNAP) NAS devices. To achieve this, attackers are also leveraging CVE-...

Mandiant attributes this campaign to Chinese espionage operators which tracked as UNC215 a Chinese espionage operation that has been suspected of targeting organizations around the world since at l...

Juniper Threat Labs continuously monitors in-the-wild network traffic for malicious activity. Recently, they have discovered an active exploitation of a vulnerability that was disclosed days ago. ...

Advertised as a 'Malware-as-a-Service' (MaaS) threat on various cybercriminal forums, Raccoon is an information stealer targeting victim credentials and cryptocurrency wallets. Seemingly favored...

Following Biden administration's public rebuke of China's Ministry of State Security for the recent HAFNIUM attacks that exploited vulnerabilities in unpatched Microsoft Exchange Servers and put t...

The attackers taunted the Iranian government as hacked displays instructed passengers to direct their complaints to the phone number of the Iranian Supreme Leader Khamenei's office. SentinelLabs r...

Healthcare and education sectors are the frequent targets of a new surge in credential harvesting activity from what's a "highly modular" .NET-based information stealer and keylogger, charting the ...

On July 21, 2021, reseach teams identified a suspicious document named "Manifest.docx" that downloads and executes two templates: one is macro-enabled and the other is an html object that contains ...

A new version of the LockBit 2.0 ransomware has been found that automates the encryption of a Windows domain using Active Directory group policies. The LockBit ransomware operation launched in Sep...

As society becomes increasingly reliant on technology, and as the world is more connected than ever, attacks by threat actors are not only more prevalent but also more disruptive. Because of the v...

Proofpoint researchers identified a new group, TA2721 distributing Spanish-language email threats. The group often targets individuals with Spanish-language surnames at global organizations repres...

Over the past months, researchers have been tracking a unique malspam campaign delivering the Remcos remote access trojan (RAT) via financially-themed emails. Remcos is often delivered via malici...

The researches were recently monitoring a new phishing campaign that uses the classic strategy of attaching a malicious Microsoft Word document to an unsolicited email that recipients were then ask...

Unit 42 has discovered a specific single bit (Trap Flag) in the Intel CPU register that can be abused by malware to evade sandbox detection in general purposes. Malware can detect whether it is ...

Analysts recently came across unusual APT activity that exhibits the latter trait - it was detected in high volumes, albeit most likely aimed at a few targets of interest. This large-scale and high...

Although IcedID was originally discovered back in 2017, it did not gain in popularity until the latter half of 2020. "The DFIR Report" have analyzed a couple ransomware cases in 2021 (Sodinokibi &...

As the industry moves closer to the adoption of a Zero Trust security posture with broad and layered defenses, analysts remain committed to sharing threat intelligence with the community to shine a...

As the industry moves closer to the adoption of a Zero Trust security posture with broad and layered defenses, analysts remain committed to sharing threat intelligence with the community to shine a...

BIOPASS RAT possesses basic features found in other malware, such as file system assessment, remote desktop access, file exfiltration, and shell command execution. It also has the ability to compro...

Intezer's research team has found a sophisticated campaign, active for at least one year, targeting large international companies in the energy, oil & gas, and electronics industries. The atta...

Cisco Talos is tracking an increase in SideCopy's activities targeting government personnel in India using themes and tactics similar to APT36 (aka Mythic Leopard and Transparent Tribe). SideCop...

Since 2009, the known tools and capabilities believed to have been used by the Lazarus Group include DDoS botnets, keyloggers, remote access tools (RATs), and drive wiper malware. The most publicly...

Threat actors are trying to capitalize on the ongoing Kaseya ransomware attack crisis by targeting potential victims in a spam campaign pushing Cobalt Strike payloads disguised as Kaseya VSA securi...

Kaspersky were able to find a newer version of the WildPressure malware. It contains the C++ Milum Trojan, a corresponding VBScript variant with the same version (1.6.1) and a set of modules that ...

The ransomware drops a ransom note in a text format in every folder it goes over. According to the note, the authors claim they stole data from the victim's machine, though analysts did not find a...

The ransomware drops a ransom note in a text format in every folder it goes over. According to the note, the authors claim they stole data from the victim's machine, though analysts did not find a...

Check Point research recently discovered an ongoing spear-phishing campaign targeting the Afghan government. Further investigation revealed this campaign was a part of a long-running activity tar...

Kaseya has released a new statement confirming they were the victim of a sophisticated cyberattack. At this time they are still urging customers to keep their on-premise VSA servers offline. Acc...

Last week, security researchers discovered that someone uploaded the Babuk operation's ransomware builder to VirusTotal. When tested the builder, it was simplistic to generate a customized ransomw...

The FortiGuard Labs team has identified yet another spear phishing campaign, this one targeting aviation companies. In this campaign, a malicious link that distributes an AsyncRAT payload is sent ...

Lumen's Black Lotus Labs detected a new remote access trojan - ReverseRat. Based on Lumen's global telemetry and analysis, the actor is targeting government and energy organizations in the South a...

Proofpoint researchers observed a new variant of the downloader JSSLoader in several campaigns impacting a variety of organizations. This version of the malware loader was rewritten from .NET to t...

It has been almost five years since the source code of the notorious MIRAI IoT malware was released to the public by its author in late 2016. This event led to the emergence of numerous copycats, c...

In one of the strangest cases in a while, researchrs discovered a malware campaign whose primary purpose appears to stray from the more common malware motives: Instead of seeking to steal passwords...

With more malware written in Golang than ever before, the threat from Go-based Remote Access Trojans (RATs) has never been higher. Not only has the number of Go malware increased but also the soph...

A recently discovered Bash ransomware piqued interest in multiple ways. Upon investigating, it was found that the attack chain is fully implemented as a bash script, but it also seems that the scri...

Proofpoint researchers identified a malware called LastConn distributed by TA402, a threat actor also known as Molerats. The malware targeted government institutions in the Middle East and global ...

Researchers recently captured a fresh phishing campaign in which a Microsoft Excel document attached to a spam email downloaded and executed several pieces of VBscript code. This malware is used ...

In February 2021, BelialDemon advertised a new malware-as-a-service (MaaS) called Matanbuchus Loader and charged an initial rental price of $2,500. Malware loaders are malicious software that typ...

Hades ransomware has been on the scene since December 2020, but there has been limited public reporting on the threat group that operates it. Secureworks incident response (IR) engagements in the ...

Cuba is a C++ based ransomware tool targeting Windows systems. It is used in double extortion attacks against a wide range of industries in Europe and America, with the extracted information poste...

n APT group that is called BackdoorDiplomacy, due to the main vertical of its victims, has been targeting Ministries of Foreign Affairs and telecommunication companies in Africa and the Middle East...

Researchers have identified indicators traditionally pointing to the WatchDog cryptojacking group, which have been incorporated in the tactics, techniques and procedures (TTPs) used by the TeamTNT ...

Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windo...

The chain of different stages has become very complex nowadays and the analysis phase takes more time, due to the 'malware authors' understanding of how reverse engineering is being done, but also ...

The chain of different stages has become very complex nowadays and the analysis phase takes more time, due to the 'malware authors' understanding of how reverse engineering is being done, but also ...

Check Point Research identified an ongoing surveillance operation targeting a Southeast Asian government. The attackers use spear-phishing to gain initial access and leverage old Microsoft Office ...

Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command and control (C2) communications and the addition ...

There is a honeypot that mimics a misconfigured Docker daemon and explore the data obtained between March and April 2021, including 33 different kinds of attacks with a total of 850 attacks. More...

The US Department of Justice has seized two Internet domains used in recent phishing attacks impersonating the U.S. Agency for International Development (USAID) to distribute malware and gain acces...

The FBI published information about the continuous exploitation of Fortinet FortiOS vulnerabilities in attacks targeting commercial, government, and technology services networks. In early April,...

In the past week, analysts uncovered a new ransomware written in the Go programming language that calls itself Epsilon Red. The malware was delivered as the final executable payload in a hand-con...

A wide-scale malicious email campaign operated by NOBELIUM, was uncovered. NOBELIUM-the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware,...

Kubernetes is the most widely adopted container orchestration platform for automating the deployment, scaling, and management of containerized applications. Unfortunately, like any widely used ap...

Dubbed Apostle, never-before-seen wiper masquerades as ransomware. Researchers say they have uncovered never-before-seen disk-wiping malware that is disguising itself as ransomware as it unleash...

The MountLocker ransomware operation now uses enterprise Windows Active Directory APIs to worm through networks. MountLocker started operating in July 2020 as a Ransomware-as-a-Service (RaaS) wh...

BazarLoader (sometimes referred to as BazaLoader) is malware that provides backdoor access to an infected Windows host. After a client is infected, criminals use this backdoor access to send follo...

A campaign was discovered, in which threat actors used Microsoft Build Engine (MSBuild) to filelessly deliver Remcos remote access tool (RAT) and password-stealing malware commonly known as RedLine...

There is a unique and ongoing RAT delivery campaign that started in February of this year. This campaign is unique in that it heavily uses the AutoHotKey scripting language-a fork of the AutoIt l...

Morphisec has recently monitored a highly sophisticated Crypter-as-a-Service that delivers numerous RAT families onto target machines. The Crypter is most commonly delivered through phishing ema...

Bizarro is yet another banking Trojan family originating from Brazil that is now found in other regions of the world. Users are being targeted in Spain, Portugal, France and Italy. Attempts hav...

Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations as a core component of their operations. Cisco T...

Since April 2021, researchers have observed updated infrastructure and new components associated with the Lemon Duck cryptocurrency mining botnet that target unpatched Microsoft Exchange Servers an...

A new sample of Darkside was found, this time it is a linux variant. Darkside develops their ransomwares to support both Windows and Linux regularly. It is unknown if this variant was the one t...

The emergence of several zero-day exploits relating to ProxyLogon, a Microsoft Exchange Server vulnerability that was discovered in late 2020, has allowed several threat actors to carry out attacks...

DarkSide is among ransomware gangs that have "professionalized" a criminal industry that has cost Western nations billions of dollars in losses. The cyberextortion attempt that has forced the sh...

Trifecta Phishing campaign started with 28 organizations that phishing emails were sent to, though targeting was likely broader than directly observed. These emails were sent using 26 unique ema...

As of a few hours ago, Codecov has started notifying the maintainers of software repositories affected by the recent supply-chain attack. These notifications, delivered via both email and the Code...

The Cybereason Nocturnus Team has been tracking recent developments in the RoyalRoad weaponizer, also known as the 8.t Dropper/RTF exploit builder. Over the years, this tool has become a part of t...

Proofpoint researchers identified a new variant of the Buer malware loader distributed via emails masquerading as shipping notices in early April. Buer is a downloader sold on underground marketpl...

An aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to a patch being available and deploying sophisticated malware previously reported by o...

The malicious actors behind it may be connected to previous campaigns of Pay2Key. This is a wave of ransomware attacks from a specfic group, identified as N3tw0rm. They use "commercial identity...

In January, appeared a new ransomware using .hello as its extension in one of our cases that possibly arrived via a SharePoint server vulnerability. This appeared to be a new ransomware family du...

Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide range of payloads, from malware to sending spam emails, to ransomware and c...

Shlayer malware detected allows an attacker to bypass Gatekeeper, Notarization and File Quarantine security technologies in macOS. The exploit allows unapproved software to run on Mac and is dist...

Emotet, one of the most dangerous email spam botnets in recent history, is being uninstalled from all infected devices with the help of a malware module delivered in January by law enforcement. ...

A recently discovered cryptomining botnet is actively scanning for vulnerable Windows and Linux enterprise servers and infecting them with Monero (XMRig) miner and self-spreader malware payloads. ...

A new malware written in Go, which is called HabitsRAT, targeting both Windows and Linux machines, was discovered recently. The Windows version of the malware was first reported on in attacks aga...

Spear-phishing attack operated by a North Korean threat actor targeting its southern counterpart has been found to conceal its malicious code within a bitmap (.BMP) image file to drop a remote acce...

Mac malware campaign targeting Xcode developers has been retooled to add support for Apple's new M1 chips and expand its features to steal confidential information from cryptocurrency apps. XCSS...

Researches have recently captured a phishing campaign that was sending a Microsoft PowerPoint document as an email attachment to spread the new variant of the FormBook malware. FormBook is a well...

Check Point Research discovered evidence of a new campaign by the Iranian threat group APT34 (aka OilRig), against what appears to be a Lebanese target, employing a new backdoor variant that was du...

In late March 2021, Malwarebytes analysts discovered a phishing email with an attached zip file containing unfamiliar malware. Contained within the zip file was a PowerShell script masquerading as...

It was found a sample that we identified as one belonging to the SysUpdate malware family, also named Soldier, FOCUSFJORD, and HyperSSL. SysUpdate was first described by the NCC Group in 2018. ...

In the nebula of Chinese-speaking threat actors, it is quite common to see tools and methodologies being shared. One such example of this is the infamous "DLL side-loading triad": a legitimate exe...

SynAck ransomware family is the first to use Process Doppelganging to bypass known security solutions. While SynAck was discovered in September 2017 and Process Doppelganging presented in Decembe...

Palo Alto Networks noticed a dramatic 1,160% increase in malicious PDF files - from 411,800 malicious files to 5,224,056. PDF files are an enticing phishing vector as they are cross-platform and a...

Hancitor is an information stealer and malware downloader used by a threat actor designated as MAN1, Moskalvzapoe or TA511. Hancitor remains a threat and has evolved to use tools like Cobalt Str...

Threat actors target gamers with backdoored game tweaks, patches, and cheats hiding malware capable of stealing information from infected systems. The attackers mostly use social media channels ...

The new malware was discovered being distributed by call centers in late January and is named BazarCall. Like many malware campaigns, BazarCall starts with a phishing email but from there deviates...

The AnchorDNS malware performs C2 over DNS to two specific domains The malware identified as Anchor first entered the scene in late 2018 and has been linked to the same group as Trickbot, due to...

New Pay2Decrypt variant that appends the .aes and .lck extension, encrypts target files with AES+RSA and demands a ransom of 0.0002 BTC. Originally written on AutoIt.

British clothing brand FatFace has sent a controversial 'confidential' data breach notification to customers after suffering a ransomware attack. Customers began receiving data breach notificati...

Investigation uncovered an actively developed password and cookie stealer with a downloader function, capable of delivering additional malware after performing stealer activity. The earliest dis...

Another ransomware operation known as 'Black Kingdom' is exploiting the Microsoft Exchange Server ProxyLogon vulnerabilities to encrypt servers. Over the weekend, security researcher Marcus Hutc...

Computer giant Acer has been hit by a REvil ransomware attack where the threat actors are demanding the largest known ransom to date, $50,000,000. Acer is a Taiwanese electronics and computer ma...

Threat actors are abusing the Run Script feature in Apple's Xcode IDE to infect unsuspecting Apple Developers via shared Xcode Projects. XcodeSpy is a malicious Xcode project that installs a custo...

The TA800 threat actor has predominantly used BazaLoader since April of 2020, but on February 3rd, 2021 they distributed a new malware named NimzaLoader. One of NimzaLoader's distinguishing featu...

The Federal Bureau of Investigation (FBI) Cyber Division has warned system administrators and cybersecurity professionals of increased Pysa ransomware activity targeting educational institutions.

Researchers keep noticing more and more new Dharma variants.