Matthew Mesa (@mesa_matt) 's Twitter Profile
Matthew Mesa

@mesa_matt

Tweets are my own. virustotal.com/en/user/matthe…

ID: 2918182282

12-12-2014 18:17:08

1,1K Tweet

4,4K Followers

107 Following

Microsoft Threat Intelligence (@msftsecintel) 's Twitter Profile Photo

Microsoft has identified a phishing campaign conducted by Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884 to deliver a payload with similarities to the RomCom backdoor. msft.it/6015g0O8x

Jack (@malwareforme) 's Twitter Profile Photo

do you HATE miscreants? do you LOVE writing detections, hunting thru INSANE amounts of data, and protecting a LOT of orgs? Microsoft is hiring Detection Engineering/Threat Hunting roles for email security. work with some of the smartest folks in the game: jobs.careers.microsoft.com/global/en/job/…

Hash Miser (@h_miser) 's Twitter Profile Photo

Malware delivered via teams, you should have a look at this. No log, no protection, except if you configure team to only allow trusted orgs to discuss with yours. But you can’t see if it’s already in use because you don’t have logs… truesec.com/hub/blog/darkg…

Sean Farrell (@spfcyberlaw) 's Twitter Profile Photo

So proud to be a part of this collective effort at Microsoft. Badasses at Microsoft Threat Intelligence supporting significant Digital Crimes Unit legal disruptions. This is just the beginning, so many more targets, so much more we are doing and will do #staytuned

Microsoft Threat Intelligence (@msftsecintel) 's Twitter Profile Photo

Microsoft has identified new Qakbot phishing campaigns following the August 2023 law enforcement disruption operation. The campaign began on December 11, was low in volume, and targeted the hospitality industry. Targets received a PDF from a user masquerading as an IRS employee.

Microsoft Threat Intelligence (@msftsecintel) 's Twitter Profile Photo

An embedded configuration EPOCH timestamp indicates the payload was generated on December 11. The campaign code was tchk06. Most notably, the delivered Qakbot payload was configured with the previously unseen version 0x500. Observed Qakbot C2: 45[.]138.74.191 65[.]108.218.24

Myrtus (@myrtus0x0) 's Twitter Profile Photo

Ya Qbot is back, it sucks. But look what happened with Emotet when it came back. Was a half assed attempt at running a botnet which eventually disappeared without any LE. Let's make it so that becomes the case with Qbot as well.

Tommy M (TheAnalyst) (@ffforward) 's Twitter Profile Photo

Can confirm that we have seen the recent #Qbot #Quakbot #Qakbot activity. PDFs/URLs have been used since at least November 28, but can't confirm what payload it was earlier than December 11. URL example: urlhaus.abuse.ch/url/2741437/ MSI/DLL: bazaar.abuse.ch/browse/tag/teo…

William Metcalf (@node5) 's Twitter Profile Photo

Join me, hadojae, @a_de_pasquale, and our team as a Sr. Threat Researcher focusing on phishing detection. Use your skills in pattern-based detection, regex, HTML/HTTP, and current phishing landscape, to combat phishing threats for SAA customers splunk.com/en_us/careers/…

waymon (@obnoxious4n6) 's Twitter Profile Photo

I’ll be speaking SLEUTHCON this year! The lineup is amazing. I can’t wait to learn from everyone. Full list of speakers here: sleuthcon.com/speakers

Virus Bulletin (@virusbtn) 's Twitter Profile Photo

Zscaler's Nikolaos Pantazopoulos analyses the functionality of Raspberry Robin (also known as Roshtyak), including its execution layers, obfuscation methods and network communication process, along with its latest exploits. zscaler.com/blogs/security…