ESET has collaborated with the Federal Police of Brazil in an attempt to disrupt the Grandoreiro botnet. ESET contributed to the project by providing technical analysis, statistical information, and known command and control (C&C) server domain names and IP addresses. Due to a design flaw in Grandoreiro’s network protocol, ESET researchers were also able to get a glimpse into the victimology.…

Read More
Recent postsHomeMalware Analysis CrackedCantil: A Malware Symphony Breakdown

Lena aka LambdaMamba

I am a Cybersecurity Analyst, Researcher, and ANY.RUN Ambassador. My passions include investigations, experimentations, gaming, writing, and drawing. I also like playing around with hardware, operating systems, and FPGAs. I enjoy assembling things as well as disassembling things!…

Read More

In this article, we will explore the FalseFont Backdoor used by Peach Sandstorm APT to target defense contractors worldwide. The backdoor was initially identified and reported on by Microsoft. The malware features data exfiltration and remote access capabilities. It poses as a legitimate application from US Defense and Intelligence Contractor Maxar Technologies, and provides the user with a realistic UI and behavior.…

Read More
Key TakeawaysCRIL discovered phishing websites pretending to be popular Mac applications and are spreading the Atomic Stealer (AMOS). At the time of publishing this analysis, these deceptive sites were operational. AMOS demonstrates continuous evolution with frequent updates, reflecting the developer’s unwavering commitment to refining its functionalities for malicious purposes.…
Read More

ESET researchers provide an analysis of an attack carried out by a previously undisclosed China-aligned threat actor we have named Blackwood, and that we believe has been operating since at least 2018. The attackers deliver a sophisticated implant, which we named NSPX30, through adversary-in-the-middle (AitM) attacks hijacking update requests from legitimate software.…

Read More

In recent months, the Malek Team, a hacker group with alleged links to Iran, has escalated its cyber offensive against key Israeli institutions, marking a significant uptick in digital threats within the region. The Malek Team, which has previously targeted a private college in Israel, claimed responsibility for a sophisticated cyberattack on Israel’s Ziv Medical Center.…

Read More
What is Infamous Chisel?

Infamous Chisel is a collection of surveillance tooling used to target Android devices. It was first reported by the Ukrainian Security Service (SBU) in early August 2023 and attributed to Russia’s Sandworm APT. According to the SBU, the main purpose of this toolset was to collect information from Android devices likely connected to Ukrainian military information systems during the Russia-Ukraine war.…

Read More
Key TakeawaysCyble Research and Intelligence Labs (CRIL) came across a ZIP archive file that could be downloaded from a URL and possibly disseminated through spam emails. Within the ZIP file lies a shortcut LNK file, cleverly masked as a PDF document. Upon execution of the shortcut file, it initiates the VPN application, which utilizes DLL sideloading to load a concealed malicious DLL.…
Read More

Throughout Q2 and Q3 2023, Kroll has observed an increased use of the malicious “SYSTEMBC” tool to maintain access in a compromised network. SYSTEMBC was first observed in the wild in 2018 with its core functionality revolving around its ability to act as SOCKS5 proxy. This provides a useful capability for threat actors as a persistent access mechanism or for purposes of leaving behind a backdoor in case of discovery of their initial access method.…

Read More

Huntress SOC analysts recently alerted customers regarding two disparate endpoints identified as being minimally impacted by ransomware; that is, only a limited number of ransomware canary files were encrypted. In neither instance was there any indication of the threat actor conducting reconnaissance activities beyond the impacted endpoint, nor attempting to move laterally to other endpoints within the infrastructure. …

Read More

AutoIt is a scripting language designed for automating the Windows GUI and general scripting. Over the years, it has been utilized for malicious purposes, including AutoIt-compiled malware, which dates back to as early as 2008.

Malware creators have exploited the versatility of AutoIT in a variety of ways, such as using obfuscated scripts for payload decryption, utilizing legitimate tools like BaSupportVNC, and even creating worms capable of spreading through removable media and Windows shares.…

Read More

One hacker collective continues to confound federal law enforcement and cybersecurity experts — the Scattered Spider. Known by a multitude of aliases such as Muddled Libra, UNC3944, Starfraud, and Octo Tempest, this hacking group has not only infiltrated major corporate networks like MGM Resorts and Caesars Entertainment but has done so with a bold audacity that leaves many wondering.…

Read More