New Yokai Side-loaded Backdoor Targets Thai Officials - Netskope
Summary DLL side-loading is a popular technique used by threat actors to execute malicious payloads under the umbrella of a benign, usually legitimate,
Operation Digital Eye | Chinese APT Compromises Critical Digital Infrastructure via Visual Studio Code Tunnels
Threat actors abused Visual Studio Code and Microsoft Azure infrastructure to target large business-to-business IT service providers in Southern Europe.
Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign
A threat actor we track under the Intrusion set Water Curupira (known to employ the Black Basta ransomware) has been actively using Pikabot. a loader malware with similarities to Qakbot, in spam campaigns throughout 2023.
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders | Huntress
Huntress identified an intrusion against a non-profit supporting Vietnamese human rights that’s likely spanned years. Jump in as we provide a thorough analysis of this malicious threat actor.
Earth Freybug Uses UNAPIMON for Unhooking Critical APIs
This article provides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored via a new malware we’ve discovered and dubbed UNAPIMON.
Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)
Volexity would like to thank Palo Alto Networks for their partnership, cooperation, and rapid response to this critical issue. Their research can be found here. On April 10, 2024, Volexity identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS at one of its network security monitoring (NSM) customers. Volexity received alerts regarding suspect network traffic emanating from the customer’s firewall. A subsequent investigation determined the device had been compromised. The following day, April 11, 2024, Volexity observed further, identical exploitation at another one of its NSM customers by the same threat actor. The threat actor, which Volexity tracks under the alias UTA0218, was able to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device. The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within […]
Threat Actor Abuses Cloudflare Tunnels to Deliver RATs | Proofpoint US
Key findings Proofpoint has observed an increase in malware delivery via TryCloudflare Tunnel abuse. The activity is financially motivated and delivers exclusively remote access trojans (RATs). ...
Unmasking VEILDrive: Threat Actors Exploit Microsoft Services for C2
Discover how the latest cybersecurity threat research on VEILDrive exposes attackers exploiting Microsoft services for C2, bypassing defenses, and leveraging SaaS infrastructure.
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access
KEY TAKEAWAYS Russian APT GruesomeLarch deployed a new attack technique leveraging Wi-Fi networks in close proximity to the intended target. The threat actor primarily leveraged living-off-the-land techniques. A zero-day privilege escalation was used to further gain access. Ukrainian-related work and projects were targeted in this attack, just ahead of Russian Invasion of Ukraine. In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever worked. The investigation began when an alert from a custom detection signature Volexity had deployed at a customer site (“Organization A”) indicated a threat actor had compromised a server on the customer’s network. While Volexity quickly investigated the threat activity, more questions were raised than answers due to a very motivated and skilled advanced persistent threat (APT) actor, who was using a novel attack vector Volexity […]
Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella | Trend Micro (US)
LODEINFO is a malware used in attacks targeting mainly Japan since 2019. Trend Micro has been tracking the group as Earth Kasha. We have identified a new campaign connected to this group with significant updates to their strategy, tactics, and arsenals.
In this report, Cybereason confirms the ties between Cuckoo Spear and APT10 Intrusion Set by tying multiple incidents together and disclosing new information about this group’s new arsenal and techniques.
Executive Summary In mid-2023, Black Lotus Labs began an investigation into compromised routers that led to the discovery of a large, multi-tiered botnet consisting of small office/home office (SOHO) and IoT devices that we assess is likely operated by the nation-state Chinese threat actors known as Flax Typhoon. We call this botnet “Raptor Train,” and
TIDRONE Targets Military and Satellite Industries in Taiwan | Trend Micro (US)
Our research reveals that an unidentified threat cluster we named TIDRONE have shown significant interest in military-related industry chains, particularly in the manufacturers of drones.
Unmasking ViperSoftX: In-Depth Defense Strategies Against AutoIt-Powered Threats
Explore in-depth defense strategies against ViperSoftX with the Trellix suite, and unpack why AutoIt is an increasingly popular tool for malware authors
The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers “Voldemort” | Proofpoint US
Key findings Proofpoint researchers identified an unusual campaign delivering malware that the threat actor named “Voldemort”. Proofpoint assesses with moderate confidence the goal of the activi...
Unmasking Styx Stealer: How a Hacker's Slip Led to an Intelligence Treasure Trove - Check Point Research
Key takeaways Introduction In the shadowy world of cybercrime, even the most cunning hackers can make blunders that expose their operations. In this article CPR describes the discovery of Styx Stealer, a new malware variant derived from the notorious Phemedrone Stealer. Our investigation revealed critical missteps by the developer of Styx Stealer, including a significant […]