Cybercrooks are targeting Bengal cat lovers in Australia for some reason

November 6, 2024 at 04:51PM
Sophos reports that the Gootloader malware, known for SEO poisoning tactics, targets niche victims, including Australian Bengal cat enthusiasts. As an infostealer or malware dropper, it exploits search queries to deliver malicious payloads. The use of malvertising is rising, connecting cybercrime to ransomware operations, prompting action from cybersecurity agencies. …

GenAI Writes Malicious Code to Spread AsyncRAT

September 26, 2024 at 08:25AM
Threat actors have leveraged generative artificial intelligence (GenAI) to create and spread malicious code, using it to write VBScript and JavaScript for the distribution of the AsyncRAT. The attackers' use of GenAI was identified by researchers from HP Wolf Security, signifying a concerning advancement in attackers' methods. This technological development …

Malware Attackers Using MacroPack to Deliver Havoc, Brute Ratel, and PhantomCore

September 5, 2024 at 04:15AM
Cisco Talos has discovered that threat actors may be using MacroPack, a payload generation framework, to distribute malware. The malicious documents are observed to have bypassed anti-malware detections and follow a three-step attack chain. The attackers are utilizing sophisticated techniques and diverse lure themes, suggesting the involvement of distinct threat …

Cloudflare Tunnels Abused for Malware Delivery

August 2, 2024 at 06:48AM
Proofpoint reports that threat actors have been misusing Cloudflare Tunnels for six months to distribute various remote access trojan (RAT) families. The attackers used the TryCloudflare feature since February 2024 to create one-time tunnels and deliver malware payloads through phishing messages. The attacks have impacted organizations globally, with the threat …

DarkGate Malware Replaces AutoIt with AutoHotkey in Latest Cyber Attacks

June 4, 2024 at 03:00AM
The DarkGate malware-as-a-service (MaaS) operation has shifted to using an AutoHotkey mechanism for delivering its final stages, underscoring ongoing efforts to evade detection. Developed by RastaFarEye, it includes remote access trojan (RAT) capabilities and various malicious modules. Cybercriminals have been found abusing Docusign for phishing and business email compromise …

Researchers Uncover RAT-Dropping npm Package Targeting Gulp Users

June 3, 2024 at 10:25AM
Cybersecurity researchers found a suspicious package in the npm registry called glup-debugger-log, disguised as a toolkit logger. It has been downloaded 175 times and contains obfuscated files deploying a remote access trojan. The package uses a series of checks before launching a JavaScript file for persistence and executing arbitrary commands. …

Brazilian Banks Targeted by New AllaKore RAT Variant Called AllaSenha

May 29, 2024 at 11:09AM
A new campaign targets Brazilian banks with a Windows-based AllaSenha RAT, using Azure cloud as C2 infrastructure. The attack begins with a malicious LNK file disguised as a PDF, hosted since March 2024. The BPyCode launcher fetches and executes malicious files to steal banking credentials. Additionally, Anatsa Android Banking Trojan …

China-Linked Hackers Adopt Two-Stage Infection Tactic to Deploy Deuterbear RAT

May 17, 2024 at 08:33AM
Cybersecurity researchers have provided insights into Deuterbear, a remote access trojan (RAT) used by the China-linked BlackTech group as part of their cyber espionage campaign in the Asia-Pacific region. Deuterbear exhibits advanced capabilities and is an updated version of the older malware Waterbear. Additionally, Proofpoint detailed a targeted cyber campaign …

Tracking the Progression of Earth Hundun’s Cyberespionage Campaign in 2024

May 16, 2024 at 03:47AM
This report provides a detailed analysis of Earth Hundun's cyberespionage campaign, focusing on the evolution from Waterbear to Deuterbear malware. Deuterbear displays advancements in capabilities such as shellcode plugins and HTTPS communication for C&C operations. The report also outlines the functionalities and differences between the two malware variants. The comprehensive …

Self-Spreading PlugX USB Drive Malware Plagues Over 90k IP Addresses

April 26, 2024 at 10:18AM
Sekoia reports that over 90,000 unique IP addresses are still infected with a self-spreading PlugX worm variant, attributed to a China-linked threat actor. The malware spreads through infected USB drives, creating potential risks for data exfiltration and surveillance, especially in regions strategically important to China's Belt and Road Initiative. Sekoia …