Lyrix Ransomware
CYFIRMA's research team discovered Lyrix Ransomware while monitoring underground forums as part of our Threat Discovery Process. Lyrix is written in Python and compiled with PyInstaller, which bundles the interpreter and all dependencies into a single standalone executable. It targets Windows systems, encrypts files and appends a unique extension to each encrypted file. Because a PyInstaller bundle is an archive of Python bytecode rather than natively compiled code, its contents can usually be extracted for analysis, even though the evasion and persistence mechanisms make the malware harder to detect and remove. This discovery underscores the need for proactive cybersecurity measures and a robust incident response strategy to safeguard data and reduce the risk of breaches.

Target Technologies: Windows Operating System
Written In: Python
Encrypted file extension: original file names appended with '.02dq34jROu'
Observed First: 2025-04-20

Problem Statement: Lyrix Ransomware targets Windows operating systems using evasion and anti-analysis techniques to reduce the likelihood of detection. Its tactics include obfuscating malicious behavior, bypassing rule-based detection systems, employing strong encryption, issuing ransom demands, and threatening to leak stolen data on underground forums.

Lyrix Ransomware Basic Details
Filename: Encryptor.exe
Size: 20.43 MB
Signed: Not signed
File Type: Win32 EXE
Timestamp: Sun Apr 20 09:04:34 2025 (UTC)
SHA 256 Hash: fcfa43ecb55ba6a46d8351257a491025022f85e9ae9d5e93d945073f612c877b
·cyfirma.com·
VanHelsing Ransomware
CYFIRMA's research team discovered VanHelsing Ransomware while monitoring underground forums as part of our Threat Discovery Process. Designed to target Windows systems, this ransomware encrypts files and appends a unique extension to each compromised file. Its evasion tactics and persistence mechanisms make detection and removal challenging. This highlights the need for proactive cybersecurity measures and a robust incident response strategy to safeguard data integrity and minimize breach risks.

Target Technologies: Windows
Target Geography: France, USA
Target Industry: Government, Manufacturing, Pharma
Encrypted file extension: .vanhelsing
Observed First: 2025-03-16
Threat actor communication mode: Tor
·cyfirma.com·
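The two ransomware entries above publish concrete indicators: the Lyrix Encryptor.exe SHA256, the two ransom extensions, and the fact that Lyrix is packaged with PyInstaller. The following Python sweep is an added example, not code from CYFIRMA or from either report. It walks a directory and reports files carrying either ransom extension, any file whose SHA256 equals the published Lyrix hash, and any file containing the archive cookie magic that PyInstaller writes into its bundles (the MAGIC constant from PyInstaller's archive reader). The sample directory, file names and file contents are constructed for the demonstration; a PyInstaller hit is a packer hint, since many legitimate tools use it, not an attribution to Lyrix.

```python
"""IOC sweep for the Lyrix and VanHelsing indicators listed above.

Added example, not CYFIRMA code. Sample files built by demo() are constructed
stand-ins, not real malware.
"""
import hashlib
import tempfile
from pathlib import Path

# Indicators quoted from the two bookmark entries.
LYRIX_SHA256 = "fcfa43ecb55ba6a46d8351257a491025022f85e9ae9d5e93d945073f612c877b"
RANSOM_EXTENSIONS = {".02dq34jROu": "Lyrix", ".vanhelsing": "VanHelsing"}

# PyInstaller's bundled archive cookie begins with this magic (PyInstaller's
# archive reader MAGIC constant). Presence means "packed with PyInstaller",
# which many benign programs are; treat it as a triage hint only.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def sha256_file(path: Path) -> str:
    """Hex SHA256 of a file, hashed in 1 MiB chunks so large samples stream."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def has_pyinstaller_cookie(path: Path) -> bool:
    """True if the PyInstaller archive magic appears anywhere in the file."""
    return PYINSTALLER_MAGIC in path.read_bytes()


def classify(path: Path) -> dict:
    """Evaluate one file against all three indicators; every key is always set."""
    return {
        "path": path.name,
        # Path.suffix of 'budget.xlsx.02dq34jROu' is '.02dq34jROu', the appended ransom extension.
        "encrypted_by": RANSOM_EXTENSIONS.get(path.suffix),
        "matches_lyrix_hash": sha256_file(path) == LYRIX_SHA256,
        "pyinstaller_bundle": has_pyinstaller_cookie(path),
    }


def sweep(root: Path) -> list[dict]:
    """Walk a tree and keep only files matching at least one indicator."""
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        result = classify(p)
        if result["encrypted_by"] or result["matches_lyrix_hash"] or result["pyinstaller_bundle"]:
            hits.append(result)
    return hits


def demo() -> list[dict]:
    """Build a constructed sample tree in a temp directory and sweep it."""
    root = Path(tempfile.mkdtemp())
    (root / "budget.xlsx.02dq34jROu").write_bytes(b"\x00" * 64)  # Lyrix-style renamed file
    (root / "notes.txt.vanhelsing").write_bytes(b"\x00" * 64)    # VanHelsing-style renamed file
    # Fake PE stub followed by the PyInstaller cookie magic; stands in for a packed dropper.
    (root / "installer.exe").write_bytes(b"MZ" + b"\x90" * 128 + PYINSTALLER_MAGIC + b"\x00" * 32)
    (root / "readme.txt").write_text("clean file, must not be reported")
    return sweep(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Point `sweep()` at a share or user profile during triage; the extension match is the cheap signal, the hash catches the specific dropper build, and the PyInstaller check is a lead for further analysis rather than a verdict.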
Inside FireScam: An Information Stealer with Spyware Capabilities
  • FireScam is an information-stealing malware with spyware capabilities.
  • It is distributed as a fake 'Telegram Premium' APK via a phishing website hosted on the GitHub.io domain that mimics the RuStore app store. The phishing website delivers a dropper that installs the FireScam malware disguised as the Telegram Premium application.
  • The malware exfiltrates sensitive data, including notifications, messages, and other app data, to a Firebase Realtime Database endpoint.
  • FireScam monitors device activity such as screen state changes, e-commerce transactions, clipboard activity, and user engagement to gather information covertly.
  • It captures notifications across various apps, including system apps, to potentially steal sensitive information and track user activity.
  • It employs obfuscation techniques to hide its intent and evade detection by security tools and researchers.
  • FireScam performs checks to identify whether it is running in an analysis or virtualized environment.
  • The malware leverages Firebase for command-and-control communication, data storage, and delivery of additional malicious payloads.
  • Exfiltrated data is temporarily stored in the Firebase Realtime Database, filtered for valuable content, and later removed.
  • The Firebase database reveals potential Telegram IDs linked to the threat actors and contains URLs to other malware specimens hosted on the phishing site.
  • By exploiting the popularity of messaging apps and other widely used applications, FireScam poses a significant threat to individuals and organizations worldwide.
·cyfirma.com·
Kematian-Stealer: A Deep Dive into a New Information Stealer
Kematian-Stealer is actively being developed and distributed as an open-source tool on GitHub. Our investigation revealed that the stealer's source code, related scripts, and a builder for generating malicious binaries are hosted under the GitHub account "Somali-Devs". Significant contributions from the user KDot227 suggest a close link between this account and the development of the stealer. These scripts and the stealer itself are designed to covertly extract sensitive data from unsuspecting users and organizations.
·cyfirma.com·