Italians Users Targeted by PureLogs Stealer Through Spam Campaigns Executive Summary

During a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) came across a tweet about PureLogs information stealer by TG Soft. This tool is used by the Threat Actor (TA) “Alibaba2044” to launch a malicious spam campaign at targets based in Italy on the 14th of December 2022.…

Read More
Introduction

On July 17, 2022, Albanian news outlets reported a massive cyberattack that affected Albanian government e-services. A few weeks later, it was revealed that the cyberattacks were part of a coordinated effort likely intended to cripple the country’s computer systems. On September 10, 2022, Albanian local news reported a second wave of cyberattacks targeting Albania’s TIMS, ADAM and MEMEX systems – the latter two systems critical for law enforcement – reportedly using the same attack type and by the same actors.…

Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

Since our last blog in early February covering the advanced persistent threat (APT) group Trident Ursa (aka Gamaredon, UAC-0010, Primitive Bear, Shuckworm), Ukraine and its cyber domain has faced ever-increasing threats from Russia. Trident Ursa is a group attributed by the Security Service of Ukraine to Russia’s Federal Security Service.…

Read More

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-1028 is now tracked as Storm-1028.

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.…

Read More
 RAT capable of stealing Credit Card Information

A RAT (Remote Access Trojan) is a tool used by Threat Actors (TAs) to gain full access and remote control of a victim’s machine, including mouse and keyboard control, file access, network resources access, etc.  

Cyble Research and Intelligence Labs (CRIL) has been actively monitoring such RATs and blogging about them as and when they emerge.…

Read More

FortiGuard Labs recently encountered a previously unreported Content Management System (CMS) scanner and brute forcer written in the Go programming language (also commonly referred to as Golang). We took a closer look at this malware because it was being described in several online forums as being installed in compromised WordPress sites, but there were no publicly available analysis reports.…

Read More
Executive Summary SentinelOne has observed prominent threat actors abusing legitimately signed Microsoft drivers in active intrusions into telecommunication, BPO, MSSP, and financial services businesses. Investigations into these intrusions led to the discovery of POORTRY and STONESTOP malware, part of a small toolkit designed to terminate AV and EDR processes.…
Read More

MuddyWater, also known as Static Kitten and Mercury, is a cyber espionage group that’s most likely a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS).

Since at least 2017 MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.…

Read More
Cybercriminals exploiting World Cup buzz to conduct malicious campaigns

The 22nd FIFA World Cup launched in Qatar on November 20th, 2022, with 32 teams battling for the trophy. With fans around the world excited about the World Cup and cheering on their favorite team, Threat Actors (TAs) are actively also taking advantage of it and using FIFA as a theme in their malicious campaigns targeting unsuspecting victims.…

Read More

Editor’s Note: Click here to download the report as a PDF.

This report profiles the infrastructure used by the threat activity group TAG-53, which overlaps with public reporting on Callisto Group, COLDRIVER, and SEABORGIUM. The activity was identified through a combination of Network Intelligence and analysis derived from open-source reporting.…

Read More

Mandiant Managed Defense recently identified cyber espionage activity that heavily leverages USB devices as an initial infection vector and concentrates on the Philippines. Mandiant tracks this activity as UNC4191 and we assess it has a China nexus.

UNC4191 operations have affected a range of public and private sector entities primarily in Southeast Asia and extending to the U.S.,…

Read More
Threat Actors using Shortened URLs to infect Users

Deceptive phishing is the preferred way for cybercriminals to distribute malware since luring the victim into clicking a link in a likely phishing SMS or Email is easier. The Threat Actor(TA) usually uses brand impersonation in phishing campaigns to trick the users into believing that they are reputed and legitimate.…

Read More

A postmortem analysis of multiple incidents in which attackers eventually launched the latest version of LockBit ransomware (known variously as LockBit 3.0 or ‘LockBit Black’), revealed the tooling used by at least one affiliate. Sophos’ Managed Detection and Response (MDR) team has observed both ransomware affiliates and legitimate penetration testers use the same collection of tooling over the past 3 months.…

Read More

The holiday season seems to be at an ebb for the Aviation Industry in Southeast Asia, as two low-cost carriers faced ransomware attacks this week.

Ransomware is a daunting threat that has loomed over strategic industries, including Aviation, in 2022. In our previous blog, we covered the emerging threats to the Aviation industry and predicted an increase in large-scale cyber-attacks on the sector.…

Read More

December 8, 2022 update – Reflected additional research on Boa-related CVEs and updated supply chain diagram.

Vulnerabilities in network components, architecture files, and developer tools have become increasingly popular attack vectors to gain access into secure networks and devices. External tools and products that are managed by vendors and developers can pose a security risk, especially to targets in sensitive industries.…

Read More