Threat Reports

ESET Research analyzed two separate toolsets for breaching air-gapped systems, used by a cyberespionage threat actor known as GoldenJackal.

In this report, Cybereason confirms the ties between Cuckoo Spear and APT10 Intrusion Set by tying multiple incidents together and disclosing new information about this group’s new arsenal and techniques.

Author: Vlad Pasca A Hybrid Analysis perspective and deep technical dive into the new Turla APT backdoor  Turla starts its attack by using ...

Analysis of malware samples using a technique to thwart all binary analysis tools, and hinder reverse engineering efforts.

Executive Summary In mid-2023, Black Lotus Labs began an investigation into compromised routers that led to the discovery of a large, multi-tiered botnet consisting of small office/home office (SOHO) and IoT devices that we assess is likely operated by the nation-state Chinese threat actors known as Flax Typhoon. We call this botnet “Raptor Train,” and

Our research reveals that an unidentified threat cluster we named TIDRONE have shown significant interest in military-related industry chains, particularly in the manufacturers of drones.

Explore in-depth defense strategies against ViperSoftX with the Trellix suite, and unpack why AutoIt is an increasingly popular tool for malware authors

The public blog of Santander Cyber Security Research

Key findings  Proofpoint researchers identified an unusual campaign delivering malware that the threat actor named “Voldemort”.   Proofpoint assesses with moderate confidence the goal of the activi...

Key takeaways Introduction In the shadowy world of cybercrime, even the most cunning hackers can make blunders that expose their operations.  In this article CPR describes the discovery of Styx Stealer, a new malware variant derived from the notorious Phemedrone Stealer. Our investigation revealed critical missteps by the developer of Styx Stealer, including a significant […]

Since late 2022, Earth Baku has broadened its scope from the Indo-Pacific region to Europe, the Middle East, and Africa. Their latest operations demonstrate sophisticated techniques, such as exploiting public-facing applications like IIS servers for initial access and deploying the Godzilla webshell for command and control.

Elastic Security Labs identified a novel Windows backdoor leveraging the Background Intelligent Transfer Service (BITS) for C2. This malware was found during a recent activity group tracked as REF8747.

We detail the evolution of UNC4393's operational tactics and malware usage throughout its active lifespan.

APT45 is a long-running, moderately sophisticated North Korean cyber operator operating since as early as 2009.

Part 1 | ThreatLabz uncovers new tooling from APT41 including DodgeBox, which uses advanced evasion techniques to deploy the MoonWalk backdoor that leverages Google Drive

This malware research article describes the REMCOS implant at a high level, and provides background for future articles in this multipart series.

Elastic researchers uncovered a new technique, GrimResource, which allows full code execution via specially crafted MSC files. It underscores a trend of well-resourced attackers favoring innovative initial access methods to evade defenses.

Introduction Code reuse is very frequent in malware, especially for those parts of the sample that are complex to develop or hard to write with an essentially different alternative code. By tracking both source code and object code, we efficiently detect new malware and track the evolution of existing malware in-the-wild.  Diamorphine is a well-known […]

icrosoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet (formerly Storm-1789), that combines many tried-and-true techniques used by other North Korean threat actors, as well as unique attack methodologies to target companies for its financial and cyberespionage objectives.

By Anna Bennett, Nicole Hoffman, Asheer Malhotra, Sean Taylor and Brandon White.  * Cisco Talos is disclosing a new suspected data theft campaign, active since at least 2021, we attribute to an advanced persistent threat actor (APT) we’re calling “LilacSquid.”   * LilacSquid’s victimology includes a diverse set of victims consisting

This blog entry will examine Trend Micro MDR team's investigation that successfully uncovered the intrusion sets employed by Earth Kapre in a recent incident, as well as how the team leveraged threat intelligence to attribute the extracted evidence to the cyberespionage threat group.

We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises.

The Lazarus Group is back with an upgraded variant of their FudModule rootkit, this time enabled by a zero-day admin-to-kernel vulnerability for CVE-2024-21338. Read this blog for a detailed analysis of this rootkit variant and learn more about several new techniques, including a handle table entry manipulation technique that directly targets Microsoft Defender, CrowdStrike Falcon, and HitmanPro.