Raspberry Robin: From Copy Shop Worm to Russian GRU Cyber Tool
Summary: The report highlights the evolution of Raspberry Robin from a basic worm targeting copy shops to a sophisticated initial access broker (IAB) affiliated with notorious cybercriminals and state-sponsored actors. Through extensive NetFlow analysis, nearly 200 command and control domains were identified, revealing significant connections to Russian cyber operations.…
Unsecured Loans: How Hidden Flaws in Digital Lending Platforms Could Cripple Your Fintech Business
Digital lending platforms face significant security challenges, including unprotected endpoints, inadequate identity verification, and a lack of comprehensive encryption. These vulnerabilities pose risks not only to the platforms but also to customer trust and regulatory compliance. Financial institutions must take immediate action to fortify their security measures to avoid reputational damage and financial loss.…
SnakeKeylogger: A Multistage Info Stealer Malware Campaign
The SnakeKeylogger campaign illustrates a sophisticated credential-stealing threat targeting both individuals and businesses. Utilizing multi-stage infection techniques, it cleverly evades detection while harvesting sensitive data from various platforms. Attackers employ malicious spam emails containing disguised executable files to initiate the infection. Affected: Individuals, Businesses, Email Clients, Web Browsers, FTP Clients.…
YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware Attacks
This report reveals a sophisticated malware campaign targeting YouTube creators through spearphishing, utilizing the Clickflix technique to deceive victims into executing malicious scripts. Attackers leverage brand impersonation and exploit interest in professional collaborations to spread malware via meticulously crafted phishing emails. Once activated, the malware steals sensitive data or allows remote access.…
Chinese Hackers Breach Asian Telecom, Remain Undetected for Over 4 Years
Summary: A major telecommunications company in Asia suffered a breach by Chinese state-sponsored hackers known as Weaver Ant, who maintained a prolonged presence in its systems for over four years. The attackers employed advanced techniques, including web shells and a unique tool dubbed INMemory, to conduct cyber espionage and retain access to sensitive data.…
Researchers Uncover ~200 Unique C2 Domains Linked to Raspberry Robin Access Broker
Summary: A recent investigation has revealed nearly 200 unique command-and-control domains linked to the malware Raspberry Robin, a complex threat actor that acts as an initial access broker for various criminal groups, particularly those associated with Russia. This malware facilitates access for various malicious strains and employs multiple distribution methods, including USB propagation and communication via Discord.…
Raspberry Robin: Copy Shop USB Worm Evolves to Initial Access Broker Enabling Other Threat Actor Attacks
The article discusses the ongoing threat posed by Raspberry Robin, a sophisticated initial access broker (IAB) linked to various cybercriminal organizations, particularly those connected to Russia. It highlights recent findings such as the discovery of nearly 200 unique command and control domains, the involvement of Russian GRU’s Unit 29155, and the threat actor’s evolution in attack methodologies.…
Active Lumma Stealer Campaign Impacting U.S. SLTTs
The Lumma Stealer malware has been observed targeting U.S. State, Local, Tribal, and Territorial (SLTT) government organizations through fake CAPTCHA verification pages that trick users into executing malicious PowerShell scripts. This malware, available as a Malware-as-a-Service, specializes in stealing sensitive data. Cyber threat actors utilize a variety of deceptive tactics and defense evasion techniques to deliver the malware and avoid detection.…
RaaS Evolved: LockBit 3.0 vs LockBit 4.0
LockBit is a prominent ransomware strain operating since 2019, known for its aggressive tactics and Ransomware-as-a-Service model. The evolution of LockBit has seen the transition from version 3.0 to 4.0, introducing enhanced evasion techniques and impacting various organizations worldwide. Affected: organizations, cybersecurity sector
Keypoints:
LockBit ransomware has been operational since 2019, targeting diverse industries.…
Inside Hunters International Group: How a Retailer Became the Latest Ransomware Victim
Summary: In February 2025, the eSentire Threat Response Unit (TRU) uncovered a sophisticated ransomware campaign by the Hunters International group against a retail organization, utilizing vulnerabilities in FortiOS for initial access. The attack involved the creation of a super admin account, lateral movement within the network, and the deployment of a new variant of ransomware designed to evade detection and prevent data recovery.…
Unveiled the Threat Actors
This article explores various threat actors known for their significant cyber attacks, detailing their origins, techniques, and famous hacks. It categorizes these actors by their affiliations, such as state-sponsored and financially motivated groups, providing insight into their behaviors and methodologies. Affected: Government networks, financial institutions, healthcare, energy sector, retail, hospitality, media, technology, and more.…
Tempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup
The article discusses the evolution of the Lazarus group, indicating that it has now transformed into a collection of subgroups rather than a single entity. It emphasizes the importance of understanding these subgroups, their tactics, and their individual characteristics for effective cyber defense strategies. Affected: Japan, cryptocurrency sector, defense industry, aviation industry
Keypoints:
The term “Lazarus” has evolved from a singular APT group to multiple subgroups.…
VanHelsing RaaS Launch: 3 Victims, K Entry Fee, Multi-OS, and Double Extortion Tactics
Summary: The VanHelsing ransomware-as-a-service (RaaS) operation emerged on March 7, 2025, quickly claiming multiple victims through a user-friendly platform that supports a variety of operating systems. The scheme employs double extortion tactics and allows affiliates to profit significantly while only prohibiting attacks on the Commonwealth of Independent States (CIS).…
The Crazy Hunter ransomware attack exploited Active Directory misconfigurations and utilized Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques to escalate privileges and distribute ransomware through Group Policy Objects. Despite claims of data exfiltration, forensic investigations found no supporting evidence. This attack resulted in significant operational disruptions and highlighted the importance of proactive threat intelligence in cybersecurity.…
⚡ THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More
Summary: Recent cyber threats highlight vulnerabilities in open-source tools, escalating ad fraud through mobile apps, and advanced ransomware tactics targeting critical defenses. Notably, attacks have leveraged AI, and a supply chain breach at Coinbase exemplifies these risks. A rise in stolen credentials further underscores the urgent need for improved cybersecurity measures.…
Technical Advisory: Mass Exploitation of CVE-2024-4577
In June 2024, Bitdefender Labs highlighted a critical security vulnerability (CVE-2024-4577) in PHP affecting Windows systems in CGI mode, allowing remote code execution through manipulated character encoding. This vulnerability has seen an increase in exploitation attempts, especially in Taiwan and Hong Kong, with attackers also modifying firewall settings to block known malicious IPs.…