Anton Cherepanov (@cherepanov74)'s Twitter Profile

Anton Cherepanov
@cherepanov74

Malware researcher at ESET Slovakia. Opinions are my own.

ID: 1381601046
Joined: 26-04-2013 10:44:12
1.3K Tweets · 4.4K Followers · 858 Following

ESET Research (@ESETresearch):

has discovered the Lunar toolset, two previously unknown backdoors (which we named and ) possibly linked to Turla, compromising a European MFA and its diplomatic missions abroad. welivesecurity.com/en/eset-resear… 1/6

ESET Research (@ESETresearch):

We can also confirm kernel.org, hosting the Linux kernel source code repository, was a victim of Ebury between 2009 and 2011. During that timeframe, half of the kernel developers’ SSH passwords were stolen by the Ebury gang. 5/8

Helthydriver (@Helthydriver):

Two days ago I had the pleasure of presenting our latest research at iVerify about BLASTPASS Exploit Chain at in Singapore. (blackhat.com/asia-24/briefi…)

During the talk I presented how forensic analysis led to the discovery of the sample, the amount of steps

Gabby Roncone 🇺🇦 🇵🇸 (@gabby_roncone):

Today, Mandiant (part of Google Cloud) / Google is opening up a Can o’ Sandworms. I’m incredibly proud to have led the year+ long effort with a brilliant group of colleagues to graduate Sandworm into APT44. cloud.google.com/blog/topics/th…

Volexity (@Volexity):

Our latest blog post details Volexity's identification & incident response associated with the Palo Alto Networks GlobalProtect vuln, assigned CVE-2024-3400, that the team found being exploited in the wild.

Read more here: volexity.com/blog/2024/04/1…

John (@Big_Bad_W0lf_):

🔥 Hot 🔥 off the press, a new Mandiant (part of Google Cloud) blog detailing several case studies of lateral movement / post-ex activity we’ve observed following successful exploitation of Ivanti CS appliances. cloud.google.com/blog/topics/th…

Helthydriver (@Helthydriver):

Early fall last year we received an iTunes Backup: And I found THE *needle* in the haystack! A sample of NSO Pegasus BLASTPASS Exploit Chain.

Have a look at this blogpost which reveals some of my early steps of the analysis.

iverify.io/post/clipping-…

ESET Research (@ESETresearch):

#ESETresearch’s monitoring of #AceCryptor shows that the activity of this notorious #cryptor-as-a-service (CaaS) has reached new heights. In H2 2023, the number of AceCryptor attack attempts we detected tripled when compared to the first half of 2023. welivesecurity.com/en/eset-resear… 1/6

J. A. Guerrero-Saade (@juanandres_gs):

It's been an interesting weekend! Eagle-eyed @TomHegel spotted what appears to be a new variant of AcidRain. Notably this sample was compiled for Linux x86 devices, we are calling it 'AcidPour'. Those of you that analyzed AcidRain will recognize some of the strings. Analysis 🧵

ESET Research (@ESETresearch):

has discovered a new campaign by 🇨🇳China-aligned , leveraging the Monlam Festival to target Tibetans. The campaign included a targeted watering hole, compromised news website, and an additional supply-chain attack ... welivesecurity.com/en/eset-resear… 1/7

HaxRob (@haxrob):

I recently found two very interesting Linux binaries uploaded to Virustotal.

I call this malware 'GTPDOOR'.

GTPDOOR is a 'magic/wakeup' packet backdoor that uses a novel C2 transport protocol: GTP (GPRS Tunnelling Protocol), silently listening on the GRX network (1/n) 🧵

Avast Threat Labs (@AvastThreatLabs):

Lazarus is back with a new variant of their infamous FudModule rootkit!

Ditching their old BYOVD techniques, Lazarus upgraded to exploiting a much stealthier admin-to-kernel zero-day for CVE-2024-21338 (addressed in the February Patch Tuesday update).

decoded.avast.io/janvojtesek/la…

ESET Research (@ESETresearch):

#BREAKING #ESETresearch discovered Operation Texonto, a disinformation campaign intended to demoralize Ukrainians. We detected two spam waves: November and late December 2023. The emails warn about drug or food shortages, or suggest amputating a limb to avoid military. 🇺🇦🇷🇺 1/5

John Hultquist (@JohnHultquist):

Action by DOJ on a botnet used by APT28 for C2. Similar to the recent action against Volt Typhoon. These impacts don’t last forever, but these are imminent threats to elections and critical infrastructure and DOJ is adding friction. Outstanding. justice.gov/opa/pr/justice…

Tom Hegel (@TomHegel):

New fantastic report -- Chinese APT intrusion into Ministry of Defence (MOD) of the Netherlands.

ncsc.nl/documenten/pub…

Shane Huntley (@ShaneHuntley):

Announcing the latest report from Threat Analysis Group, which documents the rise of commercial surveillance vendors and the industry that threatens free speech, the free press and the open internet.

blog.google/threat-analysi…

Some highlights below. 🧵

ESET Research (@ESETresearch):

has discovered a China-aligned APT group, which we named , that leverages adversary-in-the-middle (AitM) to deliver the NSPX30 implant via software updates. NSPX30 is a sophisticated implant evolving since at least 2005. facundo Mz welivesecurity.com/en/eset-resear… 1/6

ESET Research (@ESETresearch):

has documented a growing series of OilRig downloaders using legitimate cloud service providers for C&C communication, all deployed against a small group of especially interesting, repeatedly victimized targets in Israel. welivesecurity.com/en/eset-resear… Zuzana Hromcova 1/7

ESET Research (@ESETresearch):

#ESETresearch warns about malicious Python packages in the official @PyPI repository that target Windows and Linux. This cluster shares metadata or has similar payloads, and seems different from the one we reported in May: x.com/esetresearch/s…. @marc_etienne_ 1/6