Tag: LATERAL MOVEMENT

StilachiRAT analysis: From system reconnaissance to cryptocurrency theft | Microsoft Security Blog
In November 2024, Microsoft Incident Response uncovered StilachiRAT, a remote access trojan that employs sophisticated evasion techniques and data exfiltration capabilities, targeting sensitive information such as credentials, digital wallet data, and clipboard contents. StilachiRAT establishes command-and-control connectivity with remote servers, and Microsoft has issued guidance to bolster defenses against this growing threat.…
Read More
⚡ THN Weekly Recap: Router Hacks, PyPI Attacks, New Ransomware Decryptor, and More
Summary: This week’s cybersecurity report highlights the evolving landscape of cyber threats, including advanced techniques used by threat groups and rising supply chain vulnerabilities. Law enforcement efforts against cybercriminal networks show promise, while new exploits and vulnerabilities demand prompt attention from organizations. The report includes notable incidents, emerging attack methods, and critical vulnerabilities that security teams should prioritize.…
Read More
How to Execute the Bybit .5B ETH Heist – An Attack Path for Offensive Security Operations in AWS
On February 21st, a significant cryptocurrency theft occurred involving Bybit, where hackers from the Lazarus Group infiltrated a supplier’s system to redirect 401,000 Ethereum coins worth approximately .5 billion. The attack exemplifies a supply chain vulnerability that permitted hackers to exploit AWS services while leaving the Bybit system itself secure.…
Read More
Patching is Not Enough: Why You Must Search for Hidden Intrusions
Organizations often fail to investigate after patching zero-day vulnerabilities, leading to undetected compromises. A proactive approach involving compromise assessments is critical to uncover potential breaches. Affected: VMware ESXi, cybersecurity sector

Keypoints :

Patching alone does not confirm if systems have been breached. Recent zero-day vulnerabilities in VMware ESXi (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) have been exploited.…
Read More
Cato CTRL, Threat Research: Ballista – New IoT Botnet Targeting Thousands of TP-Link Archer Routers
A recent global campaign has been identified that targets TP-Link Archer routers through a remote code execution (RCE) vulnerability (CVE-2023-1389). The campaign exploits these routers to create a botnet, with the potential for widespread impact given the number of vulnerable devices connected to the internet. The malware dropper utilizes a bash script to install and execute additional malware while maintaining evasion techniques.…
Read More
Why Most Microsegmentation Projects Fail—And How Andelyn Biosciences Got It Right
Summary: Microsegmentation can be a crucial strategy for achieving Zero Trust security, but traditional approaches often fail due to complexity and operational disruptions. Andelyn Biosciences successfully implemented Elisity’s identity-based microsegmentation approach, allowing them to rapidly secure their networks without significant downtime or resource allocation. This case highlights the importance of visibility and policy simulation in modern segmentation efforts.…
Read More
Live Ransomware Demo: See How Hackers Breach Networks and Demand a Ransom
Summary: Join a live webinar that explores the comprehensive process of ransomware attacks, highlighting the tactics and technologies used by hackers. Led by Joseph Carson, an expert in enterprise security, the session includes a live demonstration of an attack from breach to ransom demand. Attendees will gain valuable insights on identifying vulnerabilities and defending against such threats.…
Read More
SocGholish’s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware
Trend Research’s analysis of SocGholish’s MaaS framework highlights its critical role in delivering RansomHub ransomware via compromised websites. Utilizing highly obfuscated JavaScript loaders, SocGholish evades detection and successfully executes malicious tasks. Notably, the framework propels initial access for ransomware attacks, mainly affecting government entities in the United States.…
Read More
How to Detect and Eliminate Persistent Malware Before It Wreaks Havoc
This article provides an in-depth analysis of an intrusion investigation conducted by security professionals, focusing on the methods and techniques used to unravel a complex attack. It details how the threat actor gained initial access, performed credential theft, and executed lateral movement within a network. The findings highlight the challenges of gathering complete telemetry during such investigations.…
Read More
Response to CISA Advisory (AA25-071A): #StopRansomware: Medusa Ransomware
This article discusses a cybersecurity advisory released on March 12, 2025, by the FBI, CISA, and MS-ISAC regarding the Medusa ransomware, detailing its methods, impacts, and tactics used. Medusa is a Ransomware-as-a-Service operation that targets Windows environments and has affected over 300 victims. The advisory provides insights into its tactics, techniques, and procedures (TTPs) to help organizations bolster their security measures.…
Read More
New SuperBlack ransomware exploits Fortinet auth bypass flaws
Summary: A new ransomware group named ‘Mora_001’ is leveraging Fortinet vulnerabilities CVE-2024-55591 and CVE-2025-24472 to compromise firewall appliances and deploy their ransomware variant known as SuperBlack. This group utilizes a structured attack strategy, gaining high-level privileges and executing double extortion tactics. There are indications that SuperBlack is connected to LockBit operations through several shared methods and tools.…
Read More
Threat Intelligence: A Deep Dive into Cyber Kill Chains, Diamond Models, and the Zero-Day Crisis
The recent VMware zero-day vulnerability (CVE-2023–20867) has made numerous organizations—including cloud providers and financial institutions—vulnerable to serious attacks such as data theft and ransomware. This incident highlights the importance of cybersecurity frameworks like the Cyber Kill Chain and Diamond Model for developing effective defenses against increasingly sophisticated threats.…
Read More
HellCat Ransomware: Exposing the TTPs of a Rising Ransomware Threat in 2025
HellCat Ransomware is a significant cyber extortion group that emerged in 2024, using advanced phishing techniques and exploiting vulnerabilities to target organizations. Their operations focus on data exfiltration and aggressive ransom demands, often collaborating with the Morpheus group. This article analyzes their tactics, techniques, and procedures to better understand their threat.…
Read More
Elysium Ransomware: A New Variant of the Ghost Family Targeting Critical Infrastructure
Summary: A new ransomware variant called Elysium, linked to the Ghost ransomware family, targets critical sectors like healthcare and government. The attackers exploit outdated applications to gain access and deploy various tools to execute a multi-stage attack. Elysium disrupts recovery efforts by targeting backups and encrypting files with a specific extension while demanding a ransom in Monero for decryption.…
Read More
This advisory details the tactics, techniques, and procedures (TTPs) associated with the Medusa ransomware variant. Medusa, operating as a ransomware-as-a-service (RaaS), has affected over 300 victims across various critical infrastructure sectors since its inception in June 2021. The advisory provides insights into initial access methods, lateral movement tactics, and a double extortion model employed by Medusa actors.…
Read More