Tag: HUNTING

XWorm Cocktail: A Mix of PE data with PowerShell Code – SANS Internet Storm Center
The article discusses the deobfuscation of malicious files identified as potential malware, specifically indicating they are related to a variant of XWorm. The files contain obfuscated PowerShell code and information related to system commands, revealing their malicious intent. Affected: online gaming, cybersecurity, Windows environment

Keypoints :

Two files identified as malicious: “XClient.exe”…
Read More
Who are Hellcat Ransomware Group? | Bridewell
The Hellcat Ransomware Group is a newly identified Ransomware-as-a-Service (RaaS) threat group, recognized for targeting various organizations, especially in telecommunications and government sectors. Their operations reveal sophisticated tactics, including phishing, exploitation of public-facing applications, and deployment of PowerShell for maintaining persistence. The group has shown strong ties with other ransomware actors and employs unique methods for data exfiltration.…
Read More
Dark Web Profile: Ghost (Cring) Ransomware – SOCRadar® Cyber Intelligence Inc.
The Ghost (Cring) ransomware is a critical cybersecurity threat primarily targeting organizations with vulnerable systems, including healthcare, finance, government, and education sectors. This ransomware employs sophisticated techniques such as exploiting vulnerabilities, lateral movement, and advanced evasion methods to encrypt sensitive data and demand ransom payments. Affected: healthcare, financial services, government, critical infrastructure, manufacturing, education, professional services, retail, e-commerce

Keypoints :

Ghost (Cring) ransomware has been active since at least 2021, targeting vulnerable internet-facing systems.…
Read More
Unmasking the new persistent attacks on Japan
Cisco Talos discovered a malicious campaign attributed to an unknown attacker targeting organizations in Japan since January 2025, primarily exploiting the CVE-2024-4577 vulnerability to gain initial access and deploy advanced adversarial tools via Cobalt Strike. The attacker’s activities entail credential theft, system compromise, and potential lateral movement which could impact various industries.…
Read More
Unveiling EncryptHub: Analysis of a Multi-Stage Malware Campaign
EncryptHub, a notable cybercriminal organization, has gained increasing attention from threat intelligence teams due to its operational security missteps. These lapses have allowed analysts to gain insights into their tactics and infrastructure. The report details EncryptHub’s multi-stage attack chains, trojanized application distribution strategies, and their evolving killchain, making them a significant threat in the cyber landscape.…
Read More
GO Language Based Ebyte Ransomware – A Brief Analysis – CYFIRMA
EByte Ransomware is a new variant developed by EvilByteCode that targets Windows systems using advanced encryption methods. It encrypts user data, displays a ransom note, and has significant potential risks due to its public availability on GitHub. Affected: Windows systems, organizations, individuals

Keypoints :

Developed in Go language and utilizes ChaCha20 encryption and ECIES for key transmission.…
Read More
Booking a Threat: Inside LummaStealer’s Fake reCAPTCHA
Cybercriminals are exploiting the travel industry’s rising demand by creating fake booking websites and utilizing phishing scams to deceive travelers. They have employed an advanced attack strategy through malicious booking sites, using techniques like fake CAPTCHAs to deploy LummaStealer, a malware designed to steal information. Affected: users in the travel sector, individuals in the Philippines, individuals in Germany

Keypoints :

New campaign using fake booking websites to deliver LummaStealer.…
Read More
Federal cyber firings imperil efforts to stop Chinese hacking campaigns, experts tell lawmakers
Summary: Recent firings and potential staff cuts at the Cybersecurity and Infrastructure Security Agency (CISA) jeopardize U.S. efforts to combat Chinese cyberattacks, warn former officials. Concerns were raised during a House hearing about the long-term impact on cybersecurity expertise and coordination among critical agencies. The loss of talent and experience is likely to hinder national security and defensive capabilities against persistent threats from China.…
Read More
Bug Bounty Hunting: Web Vulnerability (Cross-Site Request Forgery)
Cross-Site Request Forgery (CSRF) attacks manipulate authenticated users into executing unwanted actions without their consent, risking account security and sensitive information. Exploits use techniques like CSRF tokens, clickjacking, and forged requests to bypass protections, making effective prevention essential. Affected: websites, online services, users

Keypoints :

CSRF is a client-side attack exploiting authenticated sessions.…
Read More
Getting the Most Value Out of the OSCP: The PEN-200 Course
This article highlights essential strategies for maximizing the experience of the PEN-200 course, focusing on the importance of building proficiency with tools, understanding the real-world implications of techniques, and leveraging industry connections. By diversifying skills in note-taking and tool usage, aspiring ethical hackers can enhance their career prospects and avoid common pitfalls in penetration testing.…
Read More
Analysis of the Relationship Between Emergency Martial Law Themed APT Attacks and the Kimsuky Group
This article analyzes APT attacks leveraging political and social issues in South Korea, with a focus on a spear phishing campaign distributing malicious files via email. The attack targets users in the North Korean sector using social engineering tactics to avoid antivirus detection. It emphasizes the urgent need for Endpoint Detection and Response (EDR) systems to identify and mitigate these threats effectively.…
Read More
Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal
In this blog entry, we explore the tactics employed by the Black Basta and Cactus ransomware groups to compromise systems and exfiltrate sensitive information. They leveraged social engineering, remote access tools, and the BackConnect malware to establish persistent control over infected machines. Mitigating damages, businesses must adopt enhanced security protocols.…
Read More
Cisco’s SnapAttack Deal Expands Splunk’s Capabilities
Summary: Cisco’s acquisition of SnapAttack aims to enhance Splunk’s security information and event management (SIEM) platform by incorporating advanced threat detection capabilities leveraging artificial intelligence. SnapAttack’s technology provides real-time visualizations and support for the MITRE ATT&CK framework, improving proactive threat hunting and detection. This move is part of Cisco’s broader initiative to automate security operations and improve threat management within its Security Operations Center of the Future.…
Read More
Turkey’s Attacking APT Groups and Attack Analyses
This study offers a comprehensive examination of Advanced Persistent Threats (APTs), focusing on their dynamics, techniques employed, and preventive measures. The article discusses the identification of APTs, the reasons behind attacks on Turkey, and their geopolitical and economic impacts. Furthermore, it explains the concept of Tactics, Techniques, and Procedures (TTP), their subdivision into sub-techniques, and details effective strategies to mitigate APT attacks.…
Read More
Threat Hunt Report: Public Exposure
This article discusses the findings of a cybersecurity investigation into a virtual machine (VM) that was inadvertently exposed to the public internet. It highlights the identification of brute-force login attempts by adversaries and the implementation of security measures to mitigate these threats. Importantly, no unauthorized access was confirmed despite the attacks.…
Read More
Healthcare Malware Hunt, Part 1: Philips DICOM Viewers
The article discusses a campaign by the China-based Advanced Persistent Threat (APT) group Silver Fox, which exploited vulnerabilities in Philips DICOM viewers to deploy malware such as a Remote Access Tool (RAT), keyloggers, and crypto miners targeting healthcare organizations. The healthcare sector remains a significant target for cyberattacks, necessitating robust security measures.…
Read More
Astrill VPN: Silent Push Publicly Releases New IPs on VPN Service Heavily Used by North Korean Threat Actors
The Lazarus Group from North Korea continues to use Astrill VPN to obscure their IP addresses during cyber attacks. Recent findings confirm that both the “Contagious Interview” subgroup and DPRK Fake IT workers employ this VPN to hide their activities. Silent Push has compiled a real-time updated list of Astrill VPN IP addresses to help protect users from these threats.…
Read More