Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine | Microsoft Security Blog
Microsoft Threat Intelligence has reported on the Russian nation-state actor Secret Blizzard, which has been using co-opted tools and infrastructure from other threat actors to conduct espionage activities against targets in Ukraine. The campaigns have involved the deployment of custom malware, including the Tavdig and KazuarV2 backdoors, often facilitated through cybercriminal tools like Amadey bot malware.…
Qbot is Back.Connect
QBot, also known as Qakbot or Pinkslipbot, is a modular information stealer that has been active since 2007, primarily targeting financial data. Recent law enforcement actions have disrupted its operations, but signs of a resurgence have emerged. Research indicates the involvement of QBot operators in new malware activities, including the use of DNS tunneling and backConnect malware.…
RansomHub Affiliate leverages Python-based backdoor
GuidePoint Security identified a Python-based backdoor used by a threat actor to maintain access to compromised systems and deploy RansomHub encryptors across the network. The malware employs obfuscation techniques and utilizes Remote Desktop Protocol for lateral movement. Key indicators of compromise and a detailed analysis of the deployment process and command-and-control mechanisms are also discussed.…
New Star Blizzard spear-phishing campaign targets WhatsApp accounts | Microsoft Security Blog
In mid-November 2024, Microsoft Threat Intelligence reported a shift in tactics by the Russian threat actor Star Blizzard, who began targeting WhatsApp accounts through spear-phishing campaigns. This new approach involves impersonating US government officials to lure victims into malicious links that compromise their WhatsApp data. The campaign highlights the actor’s resilience and adaptability in the face of operational disruptions.…
Securonix Threat Labs 2024 Annual Autonomous Threat Sweeper Intelligence Insights
The 2024 Annual Cyber Threat Report reveals a significant increase in cyber threats, including advanced persistent threats (APTs) and evolving tactics used by attackers. Key incidents include the resurgence of LockBit ransomware, exploitation of vulnerabilities in widely used technologies, and notable data breaches affecting major organizations. Affected: Ivanti Connect Secure, GlobalProtect, CrowdStrike, Snowflake, Palo Alto Networks

Keypoints:

Emerging threats exploit vulnerabilities in Ivanti Connect Secure and GlobalProtect VPN.…
Hunt for RedCurl | Huntress
Huntress discovered ongoing cyberespionage activities linked to the APT group RedCurl, targeting various organizations in Canada since late 2023. The group employs unique tactics involving scheduled tasks and PowerShell scripts to exfiltrate data without detection. Their methods include using legitimate Windows binaries for malicious purposes, making detection challenging.…
PEAKLIGHT: Illuminating the Shadows
PEAKLIGHT is an obfuscated PowerShell downloader identified by Mandiant that delivers malware-as-a-service infostealers through Microsoft Shortcut Files. It utilizes a JavaScript dropper hosted on a CDN to execute malicious payloads, including LummaC2, HijackLoader, and CryptBot. The campaign highlights the use of legitimate tools for malware delivery while evading detection.…
Black Basta’s Tactical Evolution: Deploying Zbot, DarkGate, and Bespoke Malware – SOCRadar® Cyber Intelligence Inc.
Black Basta is a sophisticated ransomware group that employs advanced social engineering and malware tactics to breach organizational defenses. Their recent operations involve phishing, impersonation, and exploitation of remote access tools, impacting various sectors globally. Affected: healthcare, finance, manufacturing, energy, national security

Keypoints:

Black Basta utilizes phishing emails to create a smokescreen for attacks.…
Turla Cyber Campaign Targeting Pakistan’s Critical Infrastructure – SOCRadar® Cyber Intelligence Inc.
The Turla group, a state-sponsored cyber threat actor, has launched a sophisticated campaign targeting Pakistan’s critical infrastructure, including energy, telecommunications, and government networks. Using advanced techniques like phishing and malware, Turla exploits vulnerabilities to gain access and maintain persistence. This campaign highlights the importance of robust cybersecurity measures to combat complex cyber threats.…

Cyberhaven faced a significant data breach involving a malicious browser extension that targeted customer accounts for information theft. The incident underscores the vulnerabilities associated with browser extensions and the need for improved extension management practices. Affected Platform: Chrome Web Store

Keypoints:

Cyberhaven’s breach was due to the compromise of a Chrome Web Store administrative account.…

The ClickFix campaign utilizes social engineering tactics to deploy malware on Windows and macOS platforms by presenting fake Google Meet error messages. Users are tricked into downloading malware disguised as troubleshooting files. This campaign highlights the dangers of browser-based attacks and the need for enhanced security measures.…

The Water Makara campaign is a sophisticated spear-phishing attack targeting Brazilian organizations, utilizing obfuscated JavaScript to deliver the Astaroth malware. This malware compromises systems undetected, posing significant threats to sectors like banking and national security. Affected Platform: Brazilian organizations

Keypoints:

Water Makara is a spear-phishing attack specifically aimed at Brazilian organizations.…

Lazarus, a highly active APT organization, targets financial institutions and cryptocurrency exchanges using sophisticated attack methods. Their recent weaponization of the IPMsg installer demonstrates their technical prowess in social engineering and malware deployment. #LazarusAPT #CyberThreat #MalwareAnalysis

Keypoints:

Lazarus is known for its advanced persistent threat (APT) tactics.…

The “Butcher Shop” phishing campaign targets Microsoft 365 accounts, primarily affecting legal, government, and construction sectors. Utilizing email redirects and open redirect vulnerabilities, it poses a significant challenge to traditional phishing detection methods. Organizations must adopt advanced security measures to combat this evolving threat. #Phishing #CyberSecurity #Microsoft365

Keypoints:

New phishing campaign named “Butcher Shop” targeting Microsoft 365 accounts.…