As of today, a large majority of intrusion sets and threat actors leverage crypters prior to delivering and executing malicious payloads on a target system. They use it to build …
Search Results for: underground
Recent discussion around an emerging information-stealing trojan project reinforces the continual need to track intelligence on capabilities adversaries rely on for the collection of sensitive information from victims. In today’s …
Written by: Aseel Kayal
During the analysis of a banking trojan sample targeting Android smartphones, Mandiant identified the repeated use of a string obfuscation mechanism throughout the application code. To …
Analysis of an Android Malware-as-a-Service Operation
Coper, a descendant of the ,,Exobot malware family, was ,,first observed in the wild in July 2021, targeting Colombian Android users. At that time, …
Law enforcement agencies shut down xDedic, a cybercrime-as-a-service (CaaS) marketplace specifically providing web servers to cybercriminals, back in 2019. However, WhoisXML API threat researcher Dancho Danchev posits that parts of …
By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
tldr: In order for malware to successfully infect its target, code obfuscation passed into cmd.exe is frequently used. …
This post is also available in: 日本語 (Japanese)
Executive SummaryDynamic-link library (DLL) hijacking is one of the oldest techniques that both threat actors and offensive security professionals continue to …
On February 2, 2024, Cyble Research & Intelligence Labs (CRIL) identified a Malware-as-a-services (MaaS) dubbed ‘AsukaStealer’ advertised on a Russian-language cybercrime forum, for which the version 0.9.7 of the web …
Published On : 2024-02-13
EXECUTIVE SUMMARYIn this report, we discuss the recently observed XSSLite Stealer that is being discussed within multiple hacking communities. It was released as part of …
This post is also available in: 日本語 (Japanese)
Executive SummaryGlupteba is advanced, modular and multipurpose malware that, for over a decade, has mostly been seen in financially driven cybercrime …
[Update] March 20, 2024: “Technical Documentation and Detailed Exploit Code on CVE-2024-21762”
[Update] March 18, 2024: “PoC Exploit for FortiOS SSL VPN Vulnerability (CVE-2024-21762) Emerges on a Hacker Forum”
[Update] …
Pony (also known as Fareit or Siplog) is a malware categorized as a loader and stealer, although it is also used as a botnet, being a tool that has been …
By Oleg Zaytsev, Nati Tal (Guardio Labs)
Over the last few years, the phishing ecosystem has been “democratized. …
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers have been tracking the BianLian ransomware group, which has been in the top 10 of the most …
By Max Kersten · January 17, 2024
The Golang-based Kuiper ransomware is presented as an opportunity for other criminals to make money by ransoming one or more targets. Additionally, RobinHood, …
Zloader (aka Terdot, DELoader, or Silent Night), is a modular trojan born from the leaked Zeus source code. It surfaced publicly in 2016 during a targeted campaign against German …
Throughout Q2 and Q3 2023, Kroll has observed an increased use of the malicious “SYSTEMBC” tool to maintain access in a compromised network. SYSTEMBC was first observed in the wild …
Written by: Zach Riddle, Joe Dobson, Lukasz Lamparski, Stephen Eckels
On January 3, 2024, Mandiant’s X social media account was taken over and subsequently used to distribute links to a …
Last year, we documented malware distribution campaigns both via malvertising and compromised sites delivering Atomic Stealer (AMOS) onto Mac users. This stealer has proven to be quite popular in the …
Affected Platforms: Microsoft WindowsImpacted Users: Microsoft WindowsImpact: The information collected can be used for future attacksSeverity Level: High
FortiGuard Labs recently discovered a threat group using YouTube channels to distribute …
Published On : 2024-01-03
EXECUTIVE SUMMARYThis report provides a glimpse into the evolving landscape of RAT development and malicious activities performed by threat actors working under name of ‘Anonymous …
The next Olympic Games hosted in Paris will take place from 26 July to 11 August 2024, while the Paralympic Games will be carried out from …
Resecurity has uncovered a cybercriminal group known as “GXC Team“, which specializes in crafting tools for online banking theft, ecommerce fraud, …
On Christmas Eve, Resecurity’s HUNTER (HUMINT) spotted the author of perspective password stealer Meduza has released a new version (2.2). This product has already generated significant interest in Dark Web …
In 2023, the payment fraud underground showed signs of recovery following Russian law enforcement's crackdown on domestic cybercriminals and the Russian invasion of Ukraine in 2022. The dark web carding …
Recently, we noticed another strain of Instagram “Copyright Infringement” phishing emails in our spam traps. In this version, in addition to targeting Instagram credentials, the cybercriminals also aim to obtain …
The ransomware landscape is characterized by a heavy churn in both actor groups and malware families, with only a few players exhibiting relative longevity. Once feared threats such as REvil …
DarkGate is a malware family, dating back to 2018, that gained prominence after the demise of Qakbot with a Malware-as-a-Service (MaaS) offering advertised in underground cybercrime forums starting in …
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers recently discovered two separate campaigns targeting job-seeking activities linked to state-sponsored threat actors associated with the Democratic …
The Trend Micro Managed XDR team encountered malicious operations that used techniques similar to the ones used by Genesis Market, a website for facilitating fraud that was taken down in …
Robin Banks is a phishing as a service (PhaaS) that was discovered by IronNet in July 2022 [and has been active as …
By Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll and Vinoo Thomas · November 21, 2023
On September 2023, the Trellix Security Operations Center (SOC) successfully detected and stopped an …
The Malware-as-a-Service (MaaS) model, and its readily available scheme, remains to be the preferred method for emerging threat actors to carry …
Resecurity has identified an alarming rise in ransomware operators targeting the energy sector, including nuclear facilities and related research entities. Over the last year, ransomware attackers have targeted energy installations …
SystemBC, also known as Coroxy or DroxiDat, is a malware categorized as Proxy malware, a Bot, a backdoor, and even a RAT, as its uses can be diverse depending on …
This report explores the Kopeechka service and gives a detailed technical analysis of the service’s features and capabilities and how it can help cybercriminals to achieve their goals.
In recent …
Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth’s statement, Stealc is …
The login page for the criminal reshipping service SWAT USA Drop.
One of the largest cybercrime services for laundering stolen merchandise was hacked recently, exposing its internal operations, finances and …
Published On : 2023-11-03
Ransomware of the WeekCYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – …
In the past month, the Netskope Threat Labs team observed a considerable increase of SharePoint usage to deliver malware caused by an attack campaign abusing Microsoft Teams and SharePoint …
As a cybersecurity company, Kaspersky is constantly dealing with known and brand-new malware samples. As part of our crimeware reporting service, we provide our customers with technical reports on …
This blog discusses how threat actors abuse Discord’s content delivery network (CDN) to host and spread Lumma Stealer, and talks about added capabilities to the information stealing malware.
Our latest …
The ongoing conflict between Israel and Hamas has also extended into the digital domain. The involvement of hackers highlights the evolving nature of warfare in the 21st century, where traditional …
We detail an ongoing campaign abusing messaging platforms Skype and Teams to distribute the DarkGate malware to targeted organizations. We also discovered that once DarkGate is installed on the victim’s …
Almost a year after Void Rabisu shifted its targeting from opportunistic ransomware attacks with an emphasis on cyberespionage, the threat actor is still developing its main malware, the ROMCOM backdoor.…
As long as cybercriminals want to make money, they’ll keep making malware, and as long as they keep making malware, we’ll keep analyzing it, publishing reports and providing protection. …
September 26, 2023 – Fresh off the publication of data they exfiltrated from Sony on the Dark Web, emerging ransomware syndicate Ransomed.vc announced a new …