Malware

An analysis of REF8685's abuse of GitHub for C2 to evade defenses.

CoffeeLoader is a new malware loader that employs stealthy techniques including call stack spoofing, sleep obfuscation, and Windows fibers to evade detection.

Discover the DEEP#DRIVE campaign targeting South Korea, attributed to North Korea's Kimsuky APT group. Learn about phishing tactics, PowerShell obfuscation, Dropbox-hosted payloads, and key cybersecurity recommendations.

Unit 42 details the just-discovered connection between threat group Stately Taurus (aka Mustang Panda) and the malware Bookworm, found during analysis of the group's infrastructure.

During a recent investigation (REF7707), Elastic Security Labs discovered new malware targeting a foreign ministry. The malware includes a custom loader and backdoor with many features including using Microsoft’s Graph API for C2 communications.

Team82 has researched a malware sample called IOCONTROL linked to an Iran-based attack group used to target IoT and OT civilian infrastructure in the U.S. and Israel.

Elastic Security Labs share details about the SADBRIDGE loader and GOSAR backdoor, malware used in campaigns targeting Chinese-speaking victims.

PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers.

Author: Vlad Pasca A technical deep dive into the new North Korean keylogger from a Hybrid Analysis perspective The keylogger incorporates j...

Uncover the latest campaign using DarkVision RAT and PureCrypter. Learn about attack techniques, persistence, and command-line parsing.

ESET researchers analyzed previously unknown Linux backdoors that are connected to known Windows malware used by the China-aligned Gelsemium group, as well as to Project Wood.

Perfctl is particularly elusive and persistent malware employing several sophisticated techniques

The threat actor behind LightSpy has expanded their toolset with the introduction of DeepData, a modular Windows-based surveillance framework that significantly broadens their espionage capabilities.

BabbleLoader: the annoyingly clever malware loader that jumbles, scrambles, and evades its way past modern defenses with frustrating ease.

Discover how APT36's ElizaRAT, an evolving malware, leverages cloud services like Slack and Google Drive for cyber espionage.

ESET's discovery of the first UEFI bootkit designed for Linux sendss an important message: UEFI bootkits are no longer confined to Windows systems alone.

The IMEEX framework is a newly discovered, custom-built malware designed to target Windows systems. Delivered as a 64-bit DLL, it offers attackers extensive control over compromised machines. This framework is notable for its robust capabilities, featuring a wide array of functionalities, including execution of additional modules, file manipulation, process management, registry modification, and remote command […]

Read the details of the evolution, evasion techniques, and malware configurations of Ladrodectus malware in this in-depth malware analysis

Recent cyber attacks by Transparent Tribe, or APT36, utilize increasingly sophisticated malware called ElizaRAT

Stroz Friedberg identified a stealthy malware, dubbed “sedexp,” utilizing Linux udev rules to achieve persistence and evade detection. This advanced threat, active since 2022, hides in plain sight while providing attackers with reverse shell capabilities and advanced concealment tactics.

Executive Summary Lumen Technologies’ Black Lotus Labs identified a destructive event, as over 600,000 small office/home office (SOHO) routers were taken offline belonging to a single internet service provider (ISP). The incident took place over a 72-hour period between October 25-27, rendered the infected devices permanently inoperable, and required a hardware-based replacement. Public scan data Lumen Technologies’ Black Lotus Labs identified a destructive event, as over 600,000 small office/home office (SOHO) routers were taken offline belonging to a single internet service provider (ISP).

https://blog.talosintelligence.com/tinyturla-next-generationhttps://blog.talosintelligence.com/tinyturla

Learn about our process for collecting telemetry data from PlugX worm-infected workstations, as well as how to disinfect them.

Avast discovered and analyzed GuptiMiner, a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers.

Since 2019, Forest Blizzard has used a custom post-compromise tool to exploit a vulnerability in the Windows Print Spooler service that allows elevated permissions. Microsoft has issued a security update addressing this vulnerability as CVE-2022-38028.

For educational purposes only, samples of old & new malware builders including screenshots! - GitHub - yuankong666/Ultimate-RAT-Collection: For educational purposes only, samples of old &am...