Dan (@daninglis_)'s Twitter Profile
Dan

@daninglis_

Threat Intelligence Analyst @Sophos

ID: 1404487183281573889

14-06-2021 17:13:43

18 Tweets

49 Followers

325 Following

eSentire Threat Intel (@esthreat):

the latest #squirrelwaffle sample seems to be writing to c:\rimta\mse*.ocx where * is numerical in this case. Similar to previous conventions. Full list: c:\datop\test*.test c:\datop\good*.good C:\Datop\best*.ocx C:\Jambo\xrv*.ocx c:\rimta\mse*.ocx

Squiblydoo (@squiblydooblog):

New Solarmarker New persistence script; same persistence methods: drops file in Startup to call newly registered file extensions. Samples on VT and MalwareBazaar Dropper/Loader EXE: virustotal.com/gui/file/2f728… Backdoor DLL: virustotal.com/gui/file/1ab08… C2: 92.204.160.114 Colin Cowie👨🏼‍💻| @[email protected]

Cloudflare Radar (@cloudflareradar):

An outage at one of the largest ISPs in Canada, Rogers Communications, started earlier today, July 8, 2022, and is ongoing after more than 12 hours. In this blog post, we explain what we've been seeing, including some non-successful attempts: blog.cloudflare.com/cloudflares-vi…

NASA (@nasa):

It's here: the deepest, sharpest infrared view of the universe to date: Webb's First Deep Field.

Previewed by President Donald J. Trump on July 11, it shows galaxies once invisible to us. The full set of NASA Webb Telescope's first full-color images & data will be revealed July 12: nasa.gov/webbfirstimages

RussianPanda 🐼 🇺🇦 (@russianpanda9xx):

Fake Sky Go installer within an ISO image distributing #redline ? 🤔 and #magnatbackdoor via the AutoIT obfuscated script. The UPX-packed payload is injected into the ftp.exe process.

URL hosting the initial ISO image: tria.ge/230313-xzrbesd…

RussianPanda 🐼 🇺🇦 (@russianpanda9xx):

I am naming this #RogueRaticate campaign that leverages URL shortcuts to drop #NetSupportRAT 🐀
1/

➡️ The user is getting infected via a drive-by download with the fake update screen (similar to SocGholish behavior). The initial payload is hosted on compromised WordPress

RussianPanda 🐼 🇺🇦 (@russianpanda9xx):

Wild #RogueRaticate appeared 🐀 Similar infection chain as described in this thread: x.com/AnFam17/status…

▶️ The infected WP website: hxxps://glenpharmer[.]com/restaurant/

▶️ Did a little more digging. The same web inject is used to deliver SocGholish here

RussianPanda 🐼 🇺🇦 (@russianpanda9xx):

The new #Nitrogen 2.0 campaign comes back with some juicy stuff...🤿

✅ AMSI, WLDP bypass, ETW patching, AntiHook, and the implementation of KrakenMask

✅ Usage of transacted hollowing

✅ Obfuscated Python scripts delivering Sliver C2 and Cobalt Strike payloads

✅ Usage of

RussianPanda 🐼 🇺🇦 (@russianpanda9xx):

#SolarMarker ☀️ has been active since 2020 and continually changes its tactics, delivering additional payloads in the form of stealers and hVNC backdoors. In this write-up, I will explore some of the past findings related to SolarMarker, with more to come...

The link to the

RussianPanda 🐼 🇺🇦 (@russianpanda9xx):

Just before 2024, I am releasing another blog addressing the new #MetaStealer version, talking about some stealer's drama, and I also included something on the Google cookie refresher "feature" ...

russianpanda.com/2023/12/28/Met…

Happy New Year, folks! 🎇

eSentire Threat Intel (@esthreat):

Active widespread exploitation observed over the weekend via Fortinet's SQL server - please see our advisory from the 14th: esentire.com/security-advis…

Sophos X-Ops (@sophosxops):

In late January, Sophos MDR Incident Response responded to a cluster of simultaneous Qilin ransomware attacks on customers of a managed service provider. The attacks were enabled by the MFA phishing of an MSP administrator's ScreenConnect login. /1