Tag: DEFENSE EVASION

SPYLEND: The Android App Available on Google Play Store: Enabling Financial Cyber Crime & Extortion
This report discusses the malicious Android app “SpyLend,” disguised as a legitimate finance application. It exploits location-based targeting to facilitate predatory lending practices against Indian users, leading to data harvesting and potential extortion. The findings emphasize the ongoing risks associated with questionable mobile applications available on platforms like the Google Play Store.…
Read More
Fake CAPTCHA Malware Campaign: How Cybercriminals Use Deceptive Verifications to Distribute Malware
The rise of the “ClickFix” technique has enabled cybercriminals to exploit fake CAPTCHA verification processes, facilitating sophisticated phishing and malware distribution campaigns. Through deceptive methods, such as mimicking legitimate security checks, threat actors can deliver malware like Lumma Stealer, steal sensitive information, and bypass security measures.…
Read More
Escape | VulnLab – Ever Heard of Windows Kiosk Mode? No? Well, It’s Time to Learn!
This article outlines a penetration testing experience on a VulnLab machine utilizing Kiosk Mode. The author showcases methods to gain access and escalate privileges, particularly through RDP and exploiting Microsoft Edge. The journey includes discovering sensitive files, using tools like BulletsPassView, and successfully bypassing User Account Control (UAC) to achieve SYSTEM-level access.…
Read More
Ransomware 2025: Attacks Keep Rising as Threat Shows its Resilience
Qilin ransomware, initially developed in Go and later in Rust, targets various platforms like Windows, Linux, and ESXi. In June 2024, a significant attack on London hospitals was claimed by Stinkbug, leading to considerable disruptions. The updated version, Qilin.B, introduced advanced encryption and evasion techniques, while attackers increasingly utilize living-off-the-land tools for data exfiltration and security software impairment.…
Read More
DeceptiveDevelopment targets freelance developers
Cybercriminals, under the guise of recruiters, have targeted freelance software developers in a deceptive malware campaign named DeceptiveDevelopment. This campaign, linked to North Korea, has been promoting fake job offers that lead to the installation of malware during the application process. The operators primarily utilize two malware families — BeaverTail and InvisibleFerret — to steal sensitive information and cryptocurrency.…
Read More
Blink and They’re In: How Rapid Phishing Attacks Exploit Weaknesses
Recent findings indicate that a manufacturing sector breach involving phishing led to a substantial data exfiltration, with an alarming breakout time of just 48 minutes. Attackers employed tactics associated with the Black Basta ransomware group, highlighting a pressing need for faster security response capabilities. Recommendations for heightened defense measures against such threats are provided, alongside insights into future attack trends.…
Read More
Ghost Cring Ransomware Detection: The FBI CISA and Partners Warn of Increasing China Backed Group’s Attacks for Financial Gain – SOC Prime
Increasing ransomware volumes, particularly from China-affiliated Ghost (Cring) ransomware groups, have raised global cyber risk concerns. Organizations across multiple sectors face significant financial losses, with recovery costs reaching .73 million in 2024. The FBI and CISA have issued alerts to enhance awareness and proactive measures. Affected: critical infrastructure, healthcare, government, education, technology, manufacturing

Keypoints :

Surge in ransomware incidents targeting multiple sectors globally.…
Read More
Cracked Games, Cryptojacked PCs: The StaryDobry Campaign
Summary: A cyber campaign named StaryDobry targeted users globally, distributing the XMRig cryptominer through trojanized versions of popular games shared on torrent sites during the holiday season. The sophisticated malware incorporated multiple evasion techniques to prevent detection and primarily affected individual users, with notable cases in Russia, Brazil, Germany, Belarus, and Kazakhstan.…
Read More
This joint Cybersecurity Advisory highlights the threat posed by Ghost (Cring) ransomware, detailing its tactics, techniques, and indicators of compromise (IOCs) as observed mainly since early 2021. Ghost actors exploit vulnerabilities in outdated software to target various sectors, resulting in significant impacts worldwide. Affected: critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, small- and medium-sized businesses

Keypoints :

Ghost ransomware actors have been compromising networks worldwide since early 2021.…
Read More
Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign
Summary: The Winnti threat actor has been connected to the RevivalStone campaign targeting Japanese companies in the manufacturing and energy sectors in March 2024, utilizing advanced malware techniques for cyber espionage. This campaign is associated with APT41, known for its stealthy and methodical attacks, which involve exploiting vulnerabilities in systems for persistent access.…
Read More
RansomHub: Analyzing the TTPs of One of the Most Notorious Ransomware Variants of 2024
RansomHub, a ransomware-as-a-service variant, poses a significant threat to critical sectors like healthcare, transportation, and water systems. It employs a double-extortion model by encrypting data and demanding ransoms after exfiltration. The article details its tactics, techniques, and procedures (TTPs), outlining vulnerabilities and offering mitigation strategies. Affected: healthcare, transportation, water systems

Keypoints :

RansomHub is a ransomware-as-a-service variant formerly known as Cyclops and Knight.…
Read More
This report analyzes a phishing incident involving a spear-phishing email that targeted employees via a compromised legitimate domain. The malicious strategy included the use of an obfuscated URL to redirect victims to a fake banking login page aimed at harvesting credentials. The report highlights critical findings on the attack’s impact on organizations and provides actionable recommendations for executives and SOC teams.…
Read More
Qilin is a sophisticated ransomware group that emerged in July 2022, utilizing advanced tactics and exploiting vulnerabilities in popular software, notably demanding a high-profile ransom from a major pathology services provider. The group’s methods include initial access via misconfigurations and vulnerabilities, execution of malicious payloads, privilege escalation, and data encryption to impact recovery efforts.…
Read More
Lumma Stealer Chronicles: PDF-themed Campaign Using Compromised Educational Institutions’ Infrastructure | CloudSEK
Lumma Stealer is a sophisticated information-stealing malware promoted via a Malware-as-a-Service (MaaS) model that primarily targets multiple sectors through malicious LNK files disguised as legitimate documents. This malware campaign employs a multi-stage infection process and aims to gather sensitive user data. Affected: Education & Academia, Corporate & Business, Government & Legal, Healthcare & Pharmaceuticals, Financial & Banking, Engineering & Manufacturing, Technology & Blockchain, Media & Journalism

Keypoints :

Lumma Stealer is offered as Malware-as-a-Service (MaaS).…
Read More
RevivalStone: Attack Campaign Targeting Japanese Organizations by Winnti Group | LAC WATCH
The LAC Cyber Emergency Response Team confirmed a new attack campaign named “RevivalStone,” launched by the China-based “Winnti Group” in March 2024. This campaign targeted Japanese companies in the manufacturing, materials, and energy sectors, utilizing a new version of “Winnti malware.” The report elaborates on the campaign’s overall scope, the updated functionalities of the Winnti malware, and introduces detection and mitigation strategies against similar attacks.…
Read More
Dark Web Profile: Fog Ransomware
Fog Ransomware, detected in May 2024, primarily targets educational institutions in the US, employing a double extortion tactic. It utilizes a TOR-based data leak site to pressure victims into compliance by threatening to release stolen data if ransoms are not paid. The operational structure behind Fog remains unclear, emphasizing the model of varied affiliates over unified groups.…
Read More