Summary:

RiseLoader is a newly identified malware loader that emerged in October 2024, utilizing a TCP-based binary protocol similar to RisePro. It focuses on downloading and executing second-stage payloads, including various malware families. The threat actor behind RiseLoader is believed to be the same as that of RisePro and PrivateLoader.…


Summary:

Zscaler ThreatLabz has uncovered a malware campaign named NodeLoader, which utilizes Node.js applications to distribute cryptocurrency miners and information stealers, targeting users via social engineering tactics on platforms like YouTube and Discord. #NodeLoader #MalwareCampaign #CyberSecurity

Key points:

NodeLoader malware leverages Node.js applications to deliver malicious payloads.…

Summary:

Zloader, a modular Trojan based on the Zeus source code, has evolved with new features enhancing its capabilities for ransomware deployment and evasion of detection. The latest version introduces DNS tunneling and an interactive shell, making it a significant threat to corporate environments. #Zloader #Ransomware #CyberThreats

Key points:

Zloader is a modular Trojan that has been repurposed for initial access and ransomware deployment.…

Summary:

The article discusses the emergence of two new malware families, RevC2 and Venom Loader, associated with the threat actor Venom Spider, known for its Malware-as-a-Service (MaaS) offerings. These malware families were identified during campaigns from August to October 2024, utilizing various techniques for data exfiltration and remote code execution.…

Summary:

Raspberry Robin, a sophisticated downloader discovered in 2021, primarily spreads through infected USB devices. It employs advanced binary obfuscation, anti-analysis techniques, and privilege escalation exploits, making it a notable threat in the malware landscape. This analysis delves into its execution layers, obfuscation methods, and network communication strategies, highlighting its capabilities to evade detection and propagate across networks.…

Short Summary:

In June 2024, Zscaler ThreatLabz reported on BlindEagle, an APT actor targeting the Colombian insurance sector through phishing emails. The actor utilizes the BlotchyQuasar RAT to gain access and steal sensitive data, primarily from banking services. The attack chain involves sophisticated obfuscation techniques and the use of compromised Google Drive folders to distribute malware.…


Short Summary:

The article discusses a new variant of Copybara, an Android malware family that has been active since November 2023. This malware is primarily spread through voice phishing attacks and uses the MQTT protocol for communication with its command-and-control server. It exploits the Accessibility Service feature on Android devices to gain control and download phishing pages that mimic popular financial institutions and cryptocurrency exchanges, aiming to steal user credentials.…

Introduction

This is Part 1 of our two-part technical deep dive into APT41’s new tooling, which includes DodgeBox and MoonWalk. For details about MoonWalk, go to Part 2.

In April 2024, Zscaler ThreatLabz uncovered a previously unknown loader called DodgeBox. Upon further analysis, striking similarities were found between DodgeBox and variants of StealthVector, a tool associated with the China-based advanced persistent threat (APT) actor APT41 / Earth Baku.…

Introduction

This is Part 2 of our two-part technical deep dive into APT41’s new tooling, DodgeBox and MoonWalk. For details of DodgeBox, go to Part 1.

In Part 2 of this blog series, we examine the MoonWalk backdoor, a new addition to APT41’s toolkit. Continuing from our previous analysis of the DodgeBox loader in Part 1, we have discovered that MoonWalk shares several evasion techniques.…

Introduction

In March 2024, Zscaler ThreatLabz observed new activity from Kimsuky (aka APT43, Emerald Sleet, and Velvet Chollima), an advanced persistent threat actor backed by the North Korean government. This group, first observed in 2013, is notorious for cyber espionage and financially motivated cyber attacks, primarily targeting South Korean entities, including think tanks, government institutions, and the academic sector.…

Introduction

Smoke (a.k.a. SmokeLoader or Dofoil) is a malware loader that has been operational since 2011. Smoke is primarily used to deliver second-stage malware payloads including various trojans, ransomware, and information stealers. In addition, Smoke can deploy its own custom plugins that extend its functionality including mining cryptocurrency, harvesting credentials, and hijacking web browser data.…

Introduction

At Zscaler ThreatLabz, we regularly monitor the Google Play store for malicious applications. Over the past few months, we identified and analyzed more than 90 malicious applications uploaded to the Google Play store. These malware-infected applications have collectively garnered over 5.5 million installs.

Recently, we noticed an increase in instances of the Anatsa malware (a.k.a.…

Introduction

HijackLoader (a.k.a. IDAT Loader) is a malware loader initially spotted in 2023 that is capable of using a variety of modules for code injection and execution. It uses a modular architecture, a feature that most loaders do not have – which we discussed in a previous HijackLoader blog.…

Introduction

Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular trojan based on leaked ZeuS source code. As detailed in our previous blog, Zloader reemerged following an almost two-year hiatus with a new iteration that included modifications to its obfuscation techniques, domain generation algorithm (DGA), and network communication.…
