Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign
Summary: The Winnti threat actor has been connected to the RevivalStone campaign targeting Japanese companies in the manufacturing and energy sectors in March 2024, utilizing advanced malware techniques for cyber espionage. This campaign is associated with APT41, known for its stealthy and methodical attacks, which involve exploiting vulnerabilities in systems for persistent access.…
RansomHub: Analyzing the TTPs of One of the Most Notorious Ransomware Variants of 2024
RansomHub, a ransomware-as-a-service variant, poses a significant threat to critical sectors like healthcare, transportation, and water systems. It employs a double-extortion model by encrypting data and demanding ransoms after exfiltration. The article details its tactics, techniques, and procedures (TTPs), outlining vulnerabilities and offering mitigation strategies. Affected: healthcare, transportation, water systems

Keypoints:

RansomHub is a ransomware-as-a-service variant formerly known as Cyclops and Knight.…
This report analyzes a phishing incident involving a spear-phishing email that targeted employees via a compromised legitimate domain. The malicious strategy included the use of an obfuscated URL to redirect victims to a fake banking login page aimed at harvesting credentials. The report highlights critical findings on the attack’s impact on organizations and provides actionable recommendations for executives and SOC teams.…
Qilin is a sophisticated ransomware group that emerged in July 2022, utilizing advanced tactics and exploiting vulnerabilities in popular software, notably demanding a high-profile ransom from a major pathology services provider. The group’s methods include initial access via misconfigurations and vulnerabilities, execution of malicious payloads, privilege escalation, and data encryption to impact recovery efforts.…
Lumma Stealer Chronicles: PDF-themed Campaign Using Compromised Educational Institutions’ Infrastructure | CloudSEK
Lumma Stealer is a sophisticated information-stealing malware promoted via a Malware-as-a-Service (MaaS) model that primarily targets multiple sectors through malicious LNK files disguised as legitimate documents. This malware campaign employs a multi-stage infection process and aims to gather sensitive user data. Affected: Education & Academia, Corporate & Business, Government & Legal, Healthcare & Pharmaceuticals, Financial & Banking, Engineering & Manufacturing, Technology & Blockchain, Media & Journalism

Keypoints:

Lumma Stealer is offered as Malware-as-a-Service (MaaS).…
RevivalStone: Attack Campaign Targeting Japanese Organizations by Winnti Group | LAC WATCH
The LAC Cyber Emergency Response Team confirmed a new attack campaign named “RevivalStone,” launched by the China-based “Winnti Group” in March 2024. This campaign targeted Japanese companies in the manufacturing, materials, and energy sectors, utilizing a new version of “Winnti malware.” The report elaborates on the campaign’s overall scope, the updated functionalities of the Winnti malware, and introduces detection and mitigation strategies against similar attacks.…
Dark Web Profile: Fog Ransomware
Fog Ransomware, detected in May 2024, primarily targets educational institutions in the US, employing a double extortion tactic. It utilizes a TOR-based data leak site to pressure victims into compliance by threatening to release stolen data if ransoms are not paid. The operational structure behind Fog remains unclear, emphasizing the model of varied affiliates over unified groups.…
Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks
The Securonix Threat Research team has identified a sophisticated malware campaign, DEEP#DRIVE, attributed to the North Korean group Kimsuky. Targeting South Korean businesses, government entities, and cryptocurrency users, the attackers utilize phishing lures crafted in Korean that masquerade as legitimate documents. The campaign employs various evasion techniques, including leveraging Dropbox for payload delivery and executing malicious PowerShell scripts to exfiltrate sensitive information.…
Sandworm APT Attacks Detection: Russian State-Sponsored Hackers Deploy Malicious Windows KMS Activators to Target Ukraine – SOC Prime
The Sandworm APT group, linked to Russian military intelligence, has ramped up cyber-espionage attacks against Ukrainian organizations, focusing on critical infrastructure and state bodies since the full-scale invasion in 2022. The group employs trojanized Microsoft KMS activators and fake Windows updates to infect systems with various malware, including Dark Crystal RAT.…
From South America to Southeast Asia: The Fragile Web of REF7707 – Elastic Security Labs
The REF7707 campaign, targeting a South American nation’s Foreign Ministry, employs novel malware including FINALDRAFT, GUIDLOADER, and PATHLOADER. Despite showcasing advanced tactics, the attackers demonstrated poor operational security. The malware utilized common LOLBins for execution and relied heavily on cloud services for command and control, complicating detection efforts.…
XELERA Ransomware Targets Tech Aspirants with Fake Food Corporation of India Job Offers
The article discusses the discovery of multiple cyberattack campaigns targeting job applicants to the Food Corporation of India, using a ransomware variant named Xelera. The attack begins with a malicious document designed to entice applicants, which ultimately installs a PyInstaller executable that uses Discord for command and control.…
Microsoft Patch Tuesday, February 2025 Security Update Review – Qualys ThreatPROTECT
Microsoft’s February 2025 Patch Tuesday release addressed 67 vulnerabilities, including three critical and 53 important ones, with key updates targeting Microsoft Edge, Windows services, and multiple software vulnerabilities. Notably, four zero-day vulnerabilities were patched, two of which were actively exploited. Users are advised to implement these updates promptly to enhance system security.…
APT PROFILE – APT43
APT43, a North Korean state-sponsored cyber operator, engages in strategic intelligence gathering and financially motivated cyber activities. Known for using advanced social engineering techniques, APT43 has increasingly involved itself in stealing and laundering cryptocurrency while targeting various sectors, especially South Korean academia. Affected: South Korean Academia, Government Offices, Diplomatic Organizations, Think Tanks, Health Verticals

Keypoints:

APT43 is linked to the North Korean Reconnaissance General Bureau (RGB).…
CL0P Ransomware: Latest Attacks
The Cl0p ransomware group has targeted 43 organizations using exploits, notably the Cleo vulnerability. The majority of these targets were in the manufacturing, retail, and transportation sectors, with a strong focus on U.S.-based organizations. Observations suggest that Cl0p’s activities exhibit sophisticated techniques for initial access and persistence, with numerous indicators of compromise documented.…
Ratatouille: Cooking Up Chaos in the I2P Kitchen
This report details the discovery and analysis of a sophisticated multi-stage Remote Access Trojan (RAT) named I2PRAT, identified during a campaign called ClickFix12. The malware uses advanced evasion techniques, including privilege escalation and dynamic API resolution, while communicating covertly over the I2P network. The report discusses its infection chain and functionality, and proposes strategies for tracking and detecting I2PRAT on compromised systems.…
AhnLab EDR Utilization in Detecting Akira Ransomware Attack Case – ASEC
Akira is a relatively new ransomware actor active since March 2023, known for infiltrating organizations, encrypting files, and stealing sensitive information for negotiation purposes. The ransomware attacks have significantly impacted numerous sectors, as demonstrated by statistics from 2024. Affected: organizations, information technology, cybersecurity

Keypoints:

Akira ransomware has been active since March 2023.…