A decade-old advanced persistent threat (APT) group called “Stately Taurus,” also known as “Mustang Panda” and “Earth Preta,” was recently observed targeting Association of Southeast Asian Nations (ASEAN) countries in cyberespionage activities. Specifically, Palo Alto Networks observed two malware packages that may have been used to target Japan, Myanmar, the Philippines, and Singapore.…

Bleeping Computer recently reported that a phishing-as-a-service (PhaaS) kit sold in cybercriminal forums, dubbed “Typhoon 2FA,” is able to compromise Microsoft 365 and Google accounts even when users have two-factor authentication (2FA) enabled.

Sekoia security analysts uncovered the phishing kit back in October 2023, though they believe it has been active since at least August of that same year.…

After analyzing 21+ million newly registered domains (NRDs) added from 1 January to 31 March 2024, our researchers found that the new domain registration volume declined by about 32% from the previous quarter.

These NRDs were gleaned from the Newly Registered Domains Data Feeds, further revealing the following insights:

- The TLD type distribution of the Q1-registered domains
- The most used generic top-level domain (gTLD) and country-code TLD (ccTLD) extensions
- The most popular registrars
- The most used gTLDs and ccTLDs among the malicious domains detected as indicators of compromise (IoCs) in Q1

An overview of the key insights from the report is presented below.…

Threat actors have been abusing App Installer, a Windows 10 feature that makes installing applications more convenient. The abuse could lead to ransomware distribution and was likely carried out by financially motivated actors Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674. These malicious actors imitated the landing pages of popular software, such as Zoom, Microsoft OneDrive, Microsoft SharePoint, and Microsoft Teams, to lure target victims into downloading malicious installers.…

macOS has been gaining the unwanted attention of more and more backdoor operators since late 2023.

In February 2024, Bitdefender uncovered RustDoor, a backdoor written in Rust that possibly has ties to the operators of a Windows ransomware. They published their findings, including seven indicators of compromise (IoCs) comprising five domain names and two IP addresses.…

Group-IB uncovered ResumeLooters, a threat actor group specializing in victimizing job hunters to steal their personally identifiable information (PII). Along with their in-depth threat analysis, they identified 15 indicators of compromise (IoCs), specifically seven domain names, three subdomains, and five IP addresses.

The WhoisXML API research team used the 15 IoCs as jump-off points for an expansion analysis aimed at finding more potential ResumeLooters attack vectors, which led to the discovery of:

- 302 registrant-connected domains
- 69 email-connected domains
- Six additional IP addresses, all of which turned out to be malicious
- Three IP-connected domains
- 573 string-connected domains, two of which turned out to be malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.…

In the past two decades, at least 41 advanced persistent threat (APT) groups have launched attacks on entities and organizations based in North America.

In a recent analysis, the WhoisXML API research team expanded lists of indicators of compromise (IoCs) related to seven APT groups that remained active as of 2023 and are currently targeting or have targeted the region in the past.…

The Citizen Lab recently uncovered an ongoing online propaganda campaign they have dubbed “PAPERWALL” that has been targeting local news outlets across 30 countries in Europe, Asia, and Latin America.

PAPERWALL bore similarities to HaiEnergy, an influence operation Mandiant reported on in July 2023. Both campaigns drew significant portions of their content from Times Newswire.…

VexTrio, a traffic distribution system (TDS) provider believed to be an affiliate of ClearFake and SocGholish, among other threat actors, has been active since 2017. While many security researchers have studied ClearFake and SocGholish, VexTrio remained under the radar until Infoblox published its analysis.…

Among the latest to suffer from zero-day exploitation is Ivanti, a software company providing endpoint management and remote access solutions to various organizations, including U.S. federal agencies. High-impact zero-day vulnerabilities affecting Ivanti Connect Secure VPN and Policy Secure were recently reported, which could allow threat actors to execute arbitrary code with high-level access.…

Law enforcement agencies shut down xDedic, a cybercrime-as-a-service (CaaS) marketplace specifically providing web servers to cybercriminals, back in 2019. However, WhoisXML API threat researcher Dancho Danchev posits that parts of its backend infrastructure may remain traceable.

Our research team dove deep into the DNS in a bid to expand the list of 19 xDedic indicators of compromise (IoCs) Danchev provided, comprising three domains and 16 IP addresses, and to determine whether any threat traces remained active.…