Analyzing Dark Crystal RAT, a C# Backdoor | Mandiant
A .NET RAT targets Mongolia
A new Royal Road v7 document installs a .NET backdoor. A first executable is dropped as \os03C2.tmp. This exe has many similarities with…
HelloKitty Ransomware Lacks Stealth, But Still Strikes Home - SentinelLabs
HelloKitty lacks the stealth of Ryuk, REvil and Conti, but has still struck some notable targets, including CEMIG. Ransomware overview and IoCs here.
Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware
This blog details how Iron Tiger threat actors have updated their toolkit with a new SysUpdate malware variant that now uses five files in its infection routine instead of the usual three.
New Variant of Buer Loader Written in Rust | Proofpoint US
Proofpoint researchers identified a new variant of the Buer malware loader distributed via emails masquerading as shipping notices in early April.
PortDoor: New Chinese APT Backdoor Attack Targets Russian Defense Sector
In a highly targeted operation by a Chinese APT, a newly discovered backdoor dubbed PortDoor is being used in attacks targeting a Russian defense contractor...
GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence - Microsoft Security Blog
Microsoft has identified three new pieces of malware being used in late-stage activity by NOBELIUM – the actor behind the SolarWinds attacks, SUNBURST, and TEARDROP.
Woody RAT: A new feature-rich malware spotted in the wild
A Technical Analysis of SolarMarker Backdoor | CrowdStrike
Learn how the Falcon Complete Team detected the SolarMarker Backdoor using the Falcon UI, our deobfuscation process, and how we collaborated with our Intel team.
Analyzing APT19 malware using a step-by-step method
IcedID GZIPLOADER Analysis - Binary Defense
In late February, while tracking a malicious spam campaign from the Qakbot distributor “TR,” Binary Defense’s analysts identified a new version of IcedID being delivered through malicious Word and Excel files. The updated IcedID has a new first stage loading mechanism, which we’ve dubbed “gziploader,” along with new encryption algorithms for hiding its configuration and […]
GuLoader: Peering Into a Shellcode-based Downloader | CrowdStrike
In this blog, we cover all things GuLoader – a new malware family – including its main shellcode, anti-analysis techniques and final payload delivery mechanism.
The Golden Tax Department and Emergence of GoldenSpy Malware
Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)
Linux Threat Hunting: 'Syslogk' a kernel rootkit found under development in the wild - Avast Threat Labs
Introduction Rootkits are dangerous pieces of malware. Once in place, they are usually really hard to detect. Their code is typically more challenging to write than other malware, so developers resort to code reuse from open source projects. As rootkits are very interesting to analyze, we are always looking out for these kinds of samples […]
BPFDoor - An Evasive Linux Backdoor Technical Analysis
BPFDoor is a stealthy Linux backdoor that has operated undetected for years. We disclose full technical details and detection techniques here.
Malware Evasion Encyclopedia
Evasion techniques
GitHub - mandiant/speakeasy: Windows kernel and user mode emulation.
Windows kernel and user mode emulation.
capa: Automatically Identify Malware Capabilities | Mandiant
mandiant/capa: The FLARE team's open-source tool to identify capabilities in executable files.
Carbon Black Threat Research Dissects Red Leaves Malware, Which Leverages DLL Side Loading - VMware Security Blog - VMware
At the beginning of April, Carbon Black Threat Research began analyzing a malware variant commonly referred to as Red Leaves, which appears to have code reuse from the PlugX family. During the last month, this malware family has been referenced in several security blogs and government