Search cyberveille.decio.ch

A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information

DGA is one of the classic techniques for botnets to hide their C2s, attacker only needs to selectively register a very small number of C2 domains, while for the defenders, it is difficult to determine in advance which domain names will be generated and registered.

#netlab360 #EN #2022 #Orchard #botnet #C2 #bitcoin #domains

·blog.netlab.360.com·Aug 9, 2022

A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information

Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. The implants for the new malware family are written in the Rust language for Windows and Linux. A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors. We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints. We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.

#talosintelligence #EN #2022 #manjusaka #CobaltStrike #framework #imitation #C2

·blog.talosintelligence.com·Aug 3, 2022

Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK

We discovered that Gimmick MacOS malware communicates only through their C2 server hosted on Google Drive. The malware was discovered in the first week of May and it has been actively targeting macOS devices

#Cloudsek #EN #2022 #malware #macOS #Gimmick #C2

·cloudsek.com·May 27, 2022

Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK

A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information

DGA is one of the classic techniques for botnets to hide their C2s, attacker only needs to selectively register a very small number of C2 domains, while for the defenders, it is difficult to determine in advance which domain names will be generated and registered.

#netlab360 #EN #2022 #Orchard #botnet #C2 #bitcoin #domains

·blog.netlab.360.com·Aug 9, 2022

A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information

Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. The implants for the new malware family are written in the Rust language for Windows and Linux. A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors. We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints. We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.

#talosintelligence #EN #2022 #manjusaka #CobaltStrike #framework #imitation #C2

·blog.talosintelligence.com·Aug 3, 2022

Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK

We discovered that Gimmick MacOS malware communicates only through their C2 server hosted on Google Drive. The malware was discovered in the first week of May and it has been actively targeting macOS devices

#Cloudsek #EN #2022 #malware #macOS #Gimmick #C2

·cloudsek.com·May 27, 2022

Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK

A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information

DGA is one of the classic techniques for botnets to hide their C2s, attacker only needs to selectively register a very small number of C2 domains, while for the defenders, it is difficult to determine in advance which domain names will be generated and registered.

#netlab360 #EN #2022 #Orchard #botnet #C2 #bitcoin #domains

·blog.netlab.360.com·Aug 9, 2022

A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information

Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. The implants for the new malware family are written in the Rust language for Windows and Linux. A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors. We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints. We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.

#talosintelligence #EN #2022 #manjusaka #CobaltStrike #framework #imitation #C2

·blog.talosintelligence.com·Aug 3, 2022

Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK

We discovered that Gimmick MacOS malware communicates only through their C2 server hosted on Google Drive. The malware was discovered in the first week of May and it has been actively targeting macOS devices

#Cloudsek #EN #2022 #malware #macOS #Gimmick #C2

·cloudsek.com·May 27, 2022

Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK

A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information

DGA is one of the classic techniques for botnets to hide their C2s, attacker only needs to selectively register a very small number of C2 domains, while for the defenders, it is difficult to determine in advance which domain names will be generated and registered.

#netlab360 #EN #2022 #Orchard #botnet #C2 #bitcoin #domains

·blog.netlab.360.com·Aug 9, 2022

A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information

Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. The implants for the new malware family are written in the Rust language for Windows and Linux. A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors. We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints. We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.

#talosintelligence #EN #2022 #manjusaka #CobaltStrike #framework #imitation #C2

·blog.talosintelligence.com·Aug 3, 2022

Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK

We discovered that Gimmick MacOS malware communicates only through their C2 server hosted on Google Drive. The malware was discovered in the first week of May and it has been actively targeting macOS devices

#Cloudsek #EN #2022 #malware #macOS #Gimmick #C2

·cloudsek.com·May 27, 2022

Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK

A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information

DGA is one of the classic techniques for botnets to hide their C2s, attacker only needs to selectively register a very small number of C2 domains, while for the defenders, it is difficult to determine in advance which domain names will be generated and registered.

#netlab360 #EN #2022 #Orchard #botnet #C2 #bitcoin #domains

·blog.netlab.360.com·Aug 9, 2022

A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information

Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. The implants for the new malware family are written in the Rust language for Windows and Linux. A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors. We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints. We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.

#talosintelligence #EN #2022 #manjusaka #CobaltStrike #framework #imitation #C2

·blog.talosintelligence.com·Aug 3, 2022

Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK

We discovered that Gimmick MacOS malware communicates only through their C2 server hosted on Google Drive. The malware was discovered in the first week of May and it has been actively targeting macOS devices

#Cloudsek #EN #2022 #malware #macOS #Gimmick #C2

·cloudsek.com·May 27, 2022

Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK

A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information

DGA is one of the classic techniques for botnets to hide their C2s, attacker only needs to selectively register a very small number of C2 domains, while for the defenders, it is difficult to determine in advance which domain names will be generated and registered.

#netlab360 #EN #2022 #Orchard #botnet #C2 #bitcoin #domains

·blog.netlab.360.com·Aug 9, 2022

A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information

Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. The implants for the new malware family are written in the Rust language for Windows and Linux. A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors. We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints. We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.

#talosintelligence #EN #2022 #manjusaka #CobaltStrike #framework #imitation #C2

·blog.talosintelligence.com·Aug 3, 2022

Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK

We discovered that Gimmick MacOS malware communicates only through their C2 server hosted on Google Drive. The malware was discovered in the first week of May and it has been actively targeting macOS devices

#Cloudsek #EN #2022 #malware #macOS #Gimmick #C2

·cloudsek.com·May 27, 2022

Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK

A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information

DGA is one of the classic techniques for botnets to hide their C2s, attacker only needs to selectively register a very small number of C2 domains, while for the defenders, it is difficult to determine in advance which domain names will be generated and registered.

#netlab360 #EN #2022 #Orchard #botnet #C2 #bitcoin #domains

·blog.netlab.360.com·Aug 9, 2022

A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information

Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. The implants for the new malware family are written in the Rust language for Windows and Linux. A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors. We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints. We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.

#talosintelligence #EN #2022 #manjusaka #CobaltStrike #framework #imitation #C2

·blog.talosintelligence.com·Aug 3, 2022

Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK

We discovered that Gimmick MacOS malware communicates only through their C2 server hosted on Google Drive. The malware was discovered in the first week of May and it has been actively targeting macOS devices

#Cloudsek #EN #2022 #malware #macOS #Gimmick #C2

·cloudsek.com·May 27, 2022

Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK

Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice | Proofpoint US

Key Takeaways * Nighthawk is an advanced C2 framework intended for red team operations through commercial licensing. * Proofpoint researchers observed initial use of the framework in September 2022 by a likely red team. * We have seen no indications at this time that leaked versions of Nighthawk are being used by attributed threat actors in the wild. * The tool has a robust list of configurable evasion techniques that are referenced as “opsec” functions throughout its code. P* roofpoint researchers expect Nighthawk will show up in threat actor campaigns as the tool becomes more widely recognized or as threat actors search for new, more capable tools to use against targets.

#proofpoint #EN #2022 #redteam #tool #Nighthawk #C2 #framework #threat

·proofpoint.com·Nov 23, 2022

Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice | Proofpoint US

Alchimist: A new attack framework in Chinese for Mac, Linux and Windows

Cisco Talos discovered a new attack framework including a command and control (C2) tool called "Alchimist" and a new malware "Insekt" with remote administration capabilities. * The Alchimist has a web interface in Simplified Chinese with remote administration features. * The attack framework is designed to target Windows, Linux and Mac machines. * Alchimist and Insekt binaries are implemented in GoLang. * This campaign consists of additional bespoke tools such as a MacOS exploitation tool, a custom backdoor and multiple off-the-shelf tools such as reverse proxies.

#talosintelligence #EN #2022 #TheAlchimist #C2 #C&C #attack-framework

·blog.talosintelligence.com·Oct 14, 2022

Alchimist: A new attack framework in Chinese for Mac, Linux and Windows

Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks - Microsoft Security Blog

Threat actors evade detection by adopting the Sliver command-and-control (C2) framework in intrusion campaigns.

#microsoft #EN #2022 #Sliver #C2 #framework #command-and-control #threat-actor

·microsoft.com·Aug 25, 2022

Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks - Microsoft Security Blog

A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information

DGA is one of the classic techniques for botnets to hide their C2s, attacker only needs to selectively register a very small number of C2 domains, while for the defenders, it is difficult to determine in advance which domain names will be generated and registered.

#netlab360 #EN #2022 #Orchard #botnet #C2 #bitcoin #domains

·blog.netlab.360.com·Aug 9, 2022

A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information

Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. * The implants for the new malware family are written in the Rust language for Windows and Linux. * A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors. * We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints. * We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.

#talosintelligence #EN #2022 #manjusaka #CobaltStrike #framework #imitation #C2

·blog.talosintelligence.com·Aug 3, 2022

Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors

Unit 42 continuously hunts for new and unique malware samples that match known advanced persistent threat (APT) patterns and tactics. On May 19, one such sample was uploaded to VirusTotal, where it received a benign verdict from all 56 vendors that evaluated it. Beyond the obvious detection concerns, we believe this sample is also significant in terms of its malicious payload, command and control (C2), and packaging.

#unit42 #EN #2022 #BruteRatelC4 #CobaltStrike #redteam #APT #BRc4 #C2 #malware

·unit42.paloaltonetworks.com·Jul 7, 2022

When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors

Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK

We discovered that Gimmick MacOS malware communicates only through their C2 server hosted on Google Drive. The malware was discovered in the first week of May and it has been actively targeting macOS devices

#Cloudsek #EN #2022 #malware #macOS #Gimmick #C2

·cloudsek.com·May 27, 2022

Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK

Complete dissection of an APK with a suspicious C2 Server

During our analysis of the Penquin-related infrastructure we reported in our previous post, we paid special attention to the malicious binaries contacting these IP addresses, since as we showed in the analysis, they had been used as C2 of other threats used by Turla.

#turla #apk #android #analysis #EN #2022 #lab52 #c2

·lab52.io·Apr 2, 2022

Complete dissection of an APK with a suspicious C2 Server

Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice | Proofpoint US

Key Takeaways * Nighthawk is an advanced C2 framework intended for red team operations through commercial licensing. * Proofpoint researchers observed initial use of the framework in September 2022 by a likely red team. * We have seen no indications at this time that leaked versions of Nighthawk are being used by attributed threat actors in the wild. * The tool has a robust list of configurable evasion techniques that are referenced as “opsec” functions throughout its code. P* roofpoint researchers expect Nighthawk will show up in threat actor campaigns as the tool becomes more widely recognized or as threat actors search for new, more capable tools to use against targets.

#proofpoint #EN #2022 #redteam #tool #Nighthawk #C2 #framework #threat

·proofpoint.com·Nov 23, 2022

Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice | Proofpoint US