microv (@mikyrov)'s Twitter Profile
microv

@mikyrov

Cyber Threat Intelligence Analyst | Threat Hunting | Threat Intel | Malware Analysis

ID: 146844398

Joined: 22-05-2010 13:56:08

949 Tweets

191 Followers

514 Following

Cluster25 (@cluster25_io):

⚠️We analyzed a highly evasive #infostealer spread across #Italian entities in early Dec. 2022. The attacker used several levels of obfuscation and packing techniques to hinder analysis and make it more difficult. Happy reading 👇 blog.cluster25.duskrise.com/2022/12/22/an-…

Cluster25 (@cluster25_io):

Another year has passed tracking #cybercriminals. This year has been particularly intense from a #cyber point of view, also due to the conflict between Russia and Ukraine. We are pleased to share an infographic about the activities conducted by the Cluster25 team in the year 2022.

Andrea Naspi (@andreanaspi):

Similarly to some campaigns attributed to #APT29, the #DarkPink #APT abuses the "SyncAppvPublishingServer" App-V service to silently execute arbitrary PowerShell code #LOLBAS #TTPs

Cluster25 (@cluster25_io):

Cluster25 joined the VirusTotal community! Starting from March 2023, part of our intelligence data will be shared with this amazing community, allowing users to get insights about suspicious IPs, domains, and URLs. Enjoy our public #Intelligence! blog.cluster25.duskrise.com/2023/03/16/c25…

Cluster25 (@cluster25_io):

The #chemical sector is definitely considered a critical infrastructure with #strategic goals, so it's a very attractive target for #threat actors. Check out our overview about the #cyber #risks of the chemical sector! blog.cluster25.duskrise.com/2023/04/12/cyb…

Cluster25 (@cluster25_io):

Cluster25 has become a partner of the dns0.eu project! Starting April 27, 2023, Cluster25 started sharing its #APT, #Phishing / #Fraud and #Malware indicators with DNS0 in order to further raise the #security levels of its users. blog.cluster25.duskrise.com/2023/05/02/c25…

Cluster25 (@cluster25_io):

#BlackByte and its #ransomware continue operating all around the world; we dissected the latest version of this famous ransomware. Here is the #Ida #Python script we used: github.com/Microv/BlackBy… Here is the report: blog.cluster25.duskrise.com/2023/05/22/bac… Hoping this helps the community!

microv (@mikyrov):

#IDAPython script to resolve hashes of procedures in #MysticStealer github.com/Microv/MysticS… #mystic #stealer #infostealer #malware

Cluster25 (@cluster25_io):

🚨Beware of #BEC #attacks! Here, we are reporting a recent, well-prepared #fraud campaign involving the names of existing non-profit foundations as bait. Read more on: blog.cluster25.duskrise.com/2023/08/25/the… #cybersecurity #scam

Cluster25 (@cluster25_io):

🚨 Cluster25 has uncovered phishing attacks likely linked to a pro-Russia nation-state adversary. These attacks, conducted in the context of the RU-UA conflict zone, leverage a recently discovered vulnerability (CVE-2023-38831) affecting WinRAR. Read more: blog.cluster25.duskrise.com/2023/10/12/cve…

Cluster25 (@cluster25_io):

🚨A seemingly legitimate #LinkedIn profile contacts you via direct message and offers you a job, sending a PDF file. This is the beginning of a bad story that leads to #DUCKTAIL infection. Read more on: blog.cluster25.duskrise.com/2023/10/25/the…

microv (@mikyrov):

Link to the malware configuration and string decryption source code used for the analysis of DuckTail: lnkd.in/drtKzRX4

Cluster25 (@cluster25_io):

🚨Cluster25 investigated a possible #APT campaign targeting #Russian dissidents. Using different lures, the #attacks aimed at organizations and citizens, leveraging a #reverseshell. Read more on: blog.cluster25.duskrise.com/2024/01/30/rus…

Andrea Naspi (@andreanaspi):

#Pryx group actively distributing a Golang RAT against #UAE gov. The backdoor's purpose is to download a Tor package to set up a Tor hidden service on the victim that acts as a stealthy HTTP listener for backdoor-related activities. Backdoor versions & IoCs discussed in thread 🧵👇

Cleafy LABS (@cleafylabs):

(1/5) 🚨The Cleafy TIR team identified some campaigns involving a new variant of the Android malware TrickMo, incorporating new anti-analysis mechanisms. The variant uses malformed ZIP files and JSONPacker, and is distributed via a dropper disguised as the Google Chrome browser.

Cleafy LABS (@cleafylabs):

‼️ (1/5) On October 7th, 2024, we identified a new dropper associated with the TeaBot banking trojan within the Google Play Store. The initial stage of infection originates from the following application (com.mastercreativestudio.documanagerandpdf):

Cleafy LABS (@cleafylabs):

[1/6] 🚨We tracked a new Android banking trojan fraud operation dubbed ToxicPanda, which has intriguing connections with tgToxic. According to our investigation, TAs are currently targeting European and LATAM countries.
