This post is also available in: 日本語 (Japanese)

Executive Summary

Royal ransomware has been involved in high-profile attacks against critical infrastructure, especially healthcare, since it was first observed in September 2022. Bucking the popular trend of hiring affiliates to promote their threat as a service, Royal ransomware operates as a private group made up of former members of Conti.…

Read More

A sprawling online company based in Georgia that has made tens of millions of dollars purporting to sell access to jobs at the United States Postal Service (USPS) has exposed its internal IT operations and database of nearly 900,000 customers. The leaked records indicate the network’s chief technology officer in Pakistan has been hacked for the past year, and that the entire operation was created by the principals of a Tennessee-based telemarketing firm that has promoted USPS employment websites since 2016.…

Read More
Malware Evades Detection by Lurking in Windows Registry

Phishing attacks pose an ongoing and widespread danger to both individuals and organizations. To trick users into divulging sensitive information like passwords and credit card details, Threat Actors (TAs) employ various tactics, including phishing websites. Attackers often use these fraudulent websites to distribute their malicious software, taking advantage of users’ trust in legitimate-looking sites.…

Read More

Affected Platforms: WindowsImpacted Users: Windows usersImpact: Controls victim’s machine and collects sensitive informationSeverity Level: Medium

Occasionally, FortiGuard Labs researchers come across a file name or e-mail subject that makes us sit up and take notice. Of course, it may turn out to be nothing. But every once in a while, one of these turns out to be incredibly interesting.…

Read More
Summary

CrossLock is a ransomware group that emerged in April 2023, targeting a large digital certifier company in Brazil. This ransomware was written in Go, which has also been adopted by other ransomware groups, including Hive, due to the cross-platform capabilities offered by the language. CrossLock operates in the double-extortion scheme, by threatening to leak stolen data on a website hosted on the deep web if the ransom isn’t paid by the victim.…

Read More

We have spotted malicious DLL sideloading activity that builds on the classic sideloading scenario, but adds complexity and layers to its execution. Moreover, our investigation indicates that the responsible threat actor(s) fell so much in love with this adaptation of the original scenario that they used multiple variations of it, repeatedly swapping out a particular component in the process to evade detection at this step of the attack chain.…

Read More
Stealer with Clipper Making Rounds in a Mass Campaign

PyPI (Python Package Index) is a widely used repository for software packages for the Python programming language, utilized by developers worldwide for sharing and downloading Python code. Due to the widespread usage of PyPI, it has become a desirable target for Threat Actors (TAs) who aim to attack developers or their projects.…

Read More
We’re sharing our latest threat research and technical analysis into persistent malware campaigns targeting businesses across the internet, including threat indicators to help raise our industry’s collective defenses across the internet. These malware families – including Ducktail, NodeStealer and newer malware posing as ChatGPT and other similar tools– targeted people through malicious browser extensions, ads, and various social media platforms with an aim to run unauthorized ads from compromised business accounts across the internet.…
Read More
The Increasing Menace of Small Ransomware Syndicates

In recent years, ransomware operations have emerged as highly profitable cybercrime schemes. Numerous companies have suffered immense financial, data, and reputation losses due to such attacks. Typically, cybersecurity researchers tend to concentrate on prominent ransomware groups that run extensive Ransomware-as-a-Service (RaaS) operations.…

Read More

By Tom Hegel and Aleksandar Milenkoski

Executive SummarySentinelLabs has observed ongoing attacks from Kimsuky, a North Korean state-sponsored APT that has a long history of targeting organizations across Asia, North America, and Europe. Ongoing campaigns use a new malware component we call ReconShark, which is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros.…
Read More

 Executive Summary

On 21st March 2023, EclecticIQ researchers detected a spearphishing email targeting the healthcare industry in Poland. The spoofed email was designed to appear as legitimately sent from a Polish government entity called the National Health Fund (Narodowy Fundusz Zdrowia – NFZ). 

The email contained a malicious Microsoft Excel XLL attachment that can download and execute Vidar Infostealer malware upon user execution.…

Read More

After months of dormancy, Earth Longzhi, a subgroup of advanced persistent threat (APT) group APT41, has reemerged using new techniques in its infection routine. This blog entry forewarns readers of Earth Longzhi’s resilience as a noteworthy threat.

We discovered a new campaign by Earth Longzhi (a subgroup of APT41) that targets organizations based in Taiwan, Thailand, the Philippines, and Fiji.…

Read More
Key findingsCheck Point Research (CPR) continues to track the evolution of ROKRAT and its delivery methods. ROKRAT has not changed significantly over the years, but its deployment methods have evolved, now utilizing archives containing LNK files that initiate multi-stage infection chains. This is another representation of a major trend in the threat landscape, where APTs and cybercriminals alike attempt to overcome the blocking of macros from untrusted sources.…
Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

From July-December 2022, Unit 42 researchers have observed and analyzed over 67 million unique malicious URLs, domains and IPs, which we use to block associated malicious network traffic. We will cover the trends we have observed during the second half of 2022 based on our detections of malicious URLs, domains and IPs.…

Read More
Multiple Malware Families Leveraging AresLoader for Propagation

Malware loaders are programs or scripts that have been created to install and run different types of malware on a victim’s computer system. The main objective of a malware loader is to avoid detection and continue operating on the victim’s computer by downloading and executing additional malicious software.…

Read More
Key takeawaysAdversaries continue to abuse and increase reach through malvertising such as Google Ads by impersonating legitimate software Elastic Security Labs is shedding light on an undiscovered hVNC malware that has been quietly collecting a large install base This malware we are calling LOBSHOT appears to be leveraged for financial purposes employing banking trojan and info-stealing capabilitiesPreamble

Elastic Security Labs along with the research community noticed a large spike in the adoption of malvertising earlier this year.…

Read More