Found 60 bookmarks
Custom sorting
Investigating Anonymous VPS services used by Ransomware Gangs
Investigating Anonymous VPS services used by Ransomware Gangs
One of the challenges with investigating cybercrime is the infrastructure the adversaries leverage to conduct attacks. Cybercriminal infrastructure has evolved drastically over the last 25 years, which now involves hijacking web services, content distribution networks (CDNs), residential proxies, fast flux DNS, domain generation algorithms (DGAs), botnets of IoT devices, the Tor network, and all sorts of nested services. This blog shall investigate a small UK-based hosting provider known as BitLaunch as an example of how challenging it can be to tackle cybercriminal infrastructure. Research into this hosting provider revealed that they appear to have a multi-year history of cybercriminals using BitLaunch to host command-and-control (C2) servers via their Anonymous VPS service.
#bushidotoken#EN#2025#investigation#VPS#BitLaunch#C2#Ransomware
·blog.bushidotoken.net·
Investigating Anonymous VPS services used by Ransomware Gangs
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
DGA is one of the classic techniques for botnets to hide their C2s, attacker only needs to selectively register a very small number of C2 domains, while for the defenders, it is difficult to determine in advance which domain names will be generated and registered.
#netlab360#EN#2022#Orchard#botnet#C2#bitcoin#domains
·blog.netlab.360.com·
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
  • Dark Utilities, released in early 2022, is a platform that provides full-featured C2 capabilities to adversaries. It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems. Payloads provided by the platform support Windows, Linux and Python-based implementations and are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention. Since its initial release, we've observed malware samples in the wild leveraging it to facilitate remote access and cryptocurrency mining.
#talosintelligence#2022#dark-utilities#DarkUtilities#C2
·blog.talosintelligence.com·
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
  • Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. The implants for the new malware family are written in the Rust language for Windows and Linux. A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors. We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints. We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.
#talosintelligence#EN#2022#manjusaka#CobaltStrike#framework#imitation#C2
·blog.talosintelligence.com·
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
DGA is one of the classic techniques for botnets to hide their C2s, attacker only needs to selectively register a very small number of C2 domains, while for the defenders, it is difficult to determine in advance which domain names will be generated and registered.
#netlab360#EN#2022#Orchard#botnet#C2#bitcoin#domains
·blog.netlab.360.com·
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
  • Dark Utilities, released in early 2022, is a platform that provides full-featured C2 capabilities to adversaries. It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems. Payloads provided by the platform support Windows, Linux and Python-based implementations and are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention. Since its initial release, we've observed malware samples in the wild leveraging it to facilitate remote access and cryptocurrency mining.
#talosintelligence#2022#dark-utilities#DarkUtilities#C2
·blog.talosintelligence.com·
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
  • Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. The implants for the new malware family are written in the Rust language for Windows and Linux. A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors. We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints. We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.
#talosintelligence#EN#2022#manjusaka#CobaltStrike#framework#imitation#C2
·blog.talosintelligence.com·
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
DGA is one of the classic techniques for botnets to hide their C2s, attacker only needs to selectively register a very small number of C2 domains, while for the defenders, it is difficult to determine in advance which domain names will be generated and registered.
#netlab360#EN#2022#Orchard#botnet#C2#bitcoin#domains
·blog.netlab.360.com·
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
  • Dark Utilities, released in early 2022, is a platform that provides full-featured C2 capabilities to adversaries. It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems. Payloads provided by the platform support Windows, Linux and Python-based implementations and are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention. Since its initial release, we've observed malware samples in the wild leveraging it to facilitate remote access and cryptocurrency mining.
#talosintelligence#2022#dark-utilities#DarkUtilities#C2
·blog.talosintelligence.com·
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
  • Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. The implants for the new malware family are written in the Rust language for Windows and Linux. A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors. We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints. We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.
#talosintelligence#EN#2022#manjusaka#CobaltStrike#framework#imitation#C2
·blog.talosintelligence.com·
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
DGA is one of the classic techniques for botnets to hide their C2s, attacker only needs to selectively register a very small number of C2 domains, while for the defenders, it is difficult to determine in advance which domain names will be generated and registered.
#netlab360#EN#2022#Orchard#botnet#C2#bitcoin#domains
·blog.netlab.360.com·
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
  • Dark Utilities, released in early 2022, is a platform that provides full-featured C2 capabilities to adversaries. It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems. Payloads provided by the platform support Windows, Linux and Python-based implementations and are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention. Since its initial release, we've observed malware samples in the wild leveraging it to facilitate remote access and cryptocurrency mining.
#talosintelligence#2022#dark-utilities#DarkUtilities#C2
·blog.talosintelligence.com·
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
  • Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. The implants for the new malware family are written in the Rust language for Windows and Linux. A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors. We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints. We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.
#talosintelligence#EN#2022#manjusaka#CobaltStrike#framework#imitation#C2
·blog.talosintelligence.com·
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
DGA is one of the classic techniques for botnets to hide their C2s, attacker only needs to selectively register a very small number of C2 domains, while for the defenders, it is difficult to determine in advance which domain names will be generated and registered.
#netlab360#EN#2022#Orchard#botnet#C2#bitcoin#domains
·blog.netlab.360.com·
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
  • Dark Utilities, released in early 2022, is a platform that provides full-featured C2 capabilities to adversaries. It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems. Payloads provided by the platform support Windows, Linux and Python-based implementations and are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention. Since its initial release, we've observed malware samples in the wild leveraging it to facilitate remote access and cryptocurrency mining.
#talosintelligence#2022#dark-utilities#DarkUtilities#C2
·blog.talosintelligence.com·
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
  • Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. The implants for the new malware family are written in the Rust language for Windows and Linux. A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors. We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints. We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.
#talosintelligence#EN#2022#manjusaka#CobaltStrike#framework#imitation#C2
·blog.talosintelligence.com·
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
DGA is one of the classic techniques for botnets to hide their C2s, attacker only needs to selectively register a very small number of C2 domains, while for the defenders, it is difficult to determine in advance which domain names will be generated and registered.
#netlab360#EN#2022#Orchard#botnet#C2#bitcoin#domains
·blog.netlab.360.com·
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
  • Dark Utilities, released in early 2022, is a platform that provides full-featured C2 capabilities to adversaries. It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems. Payloads provided by the platform support Windows, Linux and Python-based implementations and are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention. Since its initial release, we've observed malware samples in the wild leveraging it to facilitate remote access and cryptocurrency mining.
#talosintelligence#2022#dark-utilities#DarkUtilities#C2
·blog.talosintelligence.com·
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
  • Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. The implants for the new malware family are written in the Rust language for Windows and Linux. A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors. We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints. We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.
#talosintelligence#EN#2022#manjusaka#CobaltStrike#framework#imitation#C2
·blog.talosintelligence.com·
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
DGA is one of the classic techniques for botnets to hide their C2s, attacker only needs to selectively register a very small number of C2 domains, while for the defenders, it is difficult to determine in advance which domain names will be generated and registered.
#netlab360#EN#2022#Orchard#botnet#C2#bitcoin#domains
·blog.netlab.360.com·
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
  • Dark Utilities, released in early 2022, is a platform that provides full-featured C2 capabilities to adversaries. It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems. Payloads provided by the platform support Windows, Linux and Python-based implementations and are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention. Since its initial release, we've observed malware samples in the wild leveraging it to facilitate remote access and cryptocurrency mining.
#talosintelligence#2022#dark-utilities#DarkUtilities#C2
·blog.talosintelligence.com·
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
  • Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. The implants for the new malware family are written in the Rust language for Windows and Linux. A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors. We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints. We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.
#talosintelligence#EN#2022#manjusaka#CobaltStrike#framework#imitation#C2
·blog.talosintelligence.com·
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike