Found 80 bookmarks
Custom sorting
Storm-2372 conducts device code phishing campaign
Storm-2372 conducts device code phishing campaign
Microsoft Threat Intelligence Center discovered an active and successful device code phishing campaign by a threat actor we track as Storm-2372. Our ongoing investigation indicates that this campaign has been active since August 2024 with the actor creating lures that resemble messaging app experiences including WhatsApp, Signal, and Microsoft Teams. Storm-2372’s targets during this time have included government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East. Microsoft assesses with medium confidence that Storm-2372 aligns with Russian interests, victimology, and tradecraft.
#microsoft#EN#2025#Storm-2372#phishing#campaign#Russia
·microsoft.com·
Storm-2372 conducts device code phishing campaign
New TorNet backdoor seen in widespread campaign
New TorNet backdoor seen in widespread campaign
Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor targeting users, predominantly in Poland and Germany. The actor has delivered different payloads, including Agent Tesla, Snake Keylogger, and a new undocumented backdoor we are calling TorNet, dropped by PureCrypter malware. The actor is running a Windows scheduled task on victim machines—including on endpoints with a low battery—to achieve persistence. The actor also disconnects the victim machine from the network before dropping the payload and then connects it back to the network, allowing them to evade detection by cloud antimalware solutions. We also found that the actor connects the victim’s machine to the TOR network using the TorNet backdoor for stealthy command and control (C2) communications and detection evasion.
#talosintelligence#EN#2025#TorNet#backdoor#campaign#Poland#Germany#analysis#malware
·blog.talosintelligence.com·
New TorNet backdoor seen in widespread campaign
New Star Blizzard spear-phishing campaign targets WhatsApp accounts | Microsoft Security Blog
New Star Blizzard spear-phishing campaign targets WhatsApp accounts | Microsoft Security Blog
In mid-November 2024, Microsoft Threat Intelligence observed the Russian threat actor we track as Star Blizzard sending their typical targets spear-phishing messages, this time offering the supposed opportunity to join a WhatsApp group. This is the first time we have identified a shift in Star Blizzard’s longstanding tactics, techniques, and procedures (TTPs) to leverage a […]
#microsoft#Threat#Intelligence#Star-Blizzard#WhatsApp#spear-phishing#campaign#research
·microsoft.com·
New Star Blizzard spear-phishing campaign targets WhatsApp accounts | Microsoft Security Blog
Effective Phishing Campaign Targeting European Companies and Organizations
Effective Phishing Campaign Targeting European Companies and Organizations
A phishing campaign targeting European companies used fake forms made with HubSpot's Free Form Builder, leading to credential harvesting and Azure account takeover. A phishing campaign targeting European companies used fake forms made with HubSpot's Free Form Builder, leading to credential harvesting and Azure account takeover.
#unit42#EN#2024#Phishing#Campaign#EU#Azure#takeover#HubSpot#analysis
·unit42.paloaltonetworks.com·
Effective Phishing Campaign Targeting European Companies and Organizations
HijackLoader evolution: abusing genuine signing certificates
HijackLoader evolution: abusing genuine signing certificates
Since mid-September 2024, our telemetry has revealed a significant increase in “Lumma Stealer”1 malware deployments via the “HijackLoader”2 malicious loader. On October 2, 2024, HarfangLab EDR detected and blocked yet another HijackLoader deployment attempt – except this time, the malware sample was properly signed with a genuine code-signing certificate. In response, we initiated a hunt for code-signing certificates (ab)used to sign malware samples. We identified and reported more of such certificates. This report briefly presents the associated stealer threat, outlines the methodology for hunting these certificates, and providees indicators of compromise.
#harfanglab#EN#2024#HijackLoader#captcha#fake#malicious#loader#campaign
·harfanglab.io·
HijackLoader evolution: abusing genuine signing certificates
Behind the CAPTCHA: A Clever Gateway of Malware
Behind the CAPTCHA: A Clever Gateway of Malware
McAfee Labs recently observed an infection chain where fake CAPTCHA pages are being leveraged to distribute malware, specifically Lumma Stealer. We are observing a campaign targeting multiple countries. Below is a map showing the geolocation of devices accessing fake CAPTCHA URLs, highlighting the global distribution of the attack.
#mcafee#EN#2024#CAPTCHA#Gateway#Malware#LummaStealer#campaign#fake
·mcafee.com·
Behind the CAPTCHA: A Clever Gateway of Malware
Extension Trojan Malware Campaign
Extension Trojan Malware Campaign
Malwares make no distinction between corporate and personal devices. Therefore, past perceptions of different levels of antivirus for businesses and households must be challenged. ReasonLabs is the first endpoint protection based on a multilayered machine-learning engine, that provides enterprise-grade security for all your personal devices.
#reasonlabs#EN#2024#Extension#Trojan#Malware#Campaign
·reasonlabs.com·
Extension Trojan Malware Campaign
SeleniumGreed Cryptomining Campaign Exploiting Grid Services | Wiz Blog
SeleniumGreed Cryptomining Campaign Exploiting Grid Services | Wiz Blog
SeleniumGreed is an active crypto-mining campaign targeting older versions of Grid services. Explore the risks, attack methods, and essential security measures. Wiz Research has detected an ongoing threat campaign that exploits exposed Selenium Grid services for cryptomining, dubbed “SeleniumGreed”. Selenium is among the most commonly used testing frameworks. Our data shows that the technology can be found in 30% of cloud environments, and the official selenium/hub docker image has over 100 million pulls in Docker Hub. Unbeknownst to most users, Selenium WebDriver API enables full interaction with the machine itself, including reading and downloading files, and running remote commands. By default, authentication is not enabled for this service. This means that many publicly accessible instances are misconfigured and can be accessed by anyone and abused for malicious purposes. We have identified a threat actor targeting publicly exposed instances of Selenium Grid and leveraging features of Selenium WebDriver API to run Python with a reverse shell to deploy scripts that download a XMRig miner. The threat actor is still active as of this blog post’s date of publication. * We believe this is the first documentation of this misconfiguration being exploited in the wild.
#wiz#EN#2024#SeleniumGreed#Selenium#XMRig#crypto-mining#campaign
·wiz.io·
SeleniumGreed Cryptomining Campaign Exploiting Grid Services | Wiz Blog
entagon ran secret anti-vax campaign to undermine China during pandemic
entagon ran secret anti-vax campaign to undermine China during pandemic
The U.S. military launched a clandestine program amid the COVID crisis to discredit China’s Sinovac inoculation – payback for Beijing’s efforts to blame Washington for the pandemic. One target: the Filipino public. Health experts say the gambit was indefensible and put innocent lives at risk.
#reuters#EN#2024#disinformation#US#CHina#pandemic#Philippines#campaign#Covid-19#antivax
·reuters.com·
entagon ran secret anti-vax campaign to undermine China during pandemic
The Darkside of TheMoon
The Darkside of TheMoon
Executive Summary The Black Lotus Labs team at Lumen Technologies has identified a multi-year campaign targeting end-of-life (EoL) small home/small office (SOHO) routers and IoT devices, associated with an updated version of “TheMoon” malware. TheMoon, which emerged in 2014, has been operating quietly while growing to over 40,000 bots from 88 countries in January and
#lumen#EN#2020#SOHO#TheMoon#campaign#EoL#routers#IoT#proxy
·blog.lumen.com·
The Darkside of TheMoon