Breabin Radu (@rbreabin)'s Twitter Profile
Breabin Radu

@rbreabin

ID: 2709631919

14-07-2014 06:59:14

90 Tweets

5 Followers

28 Following

TG Soft (@viritexplorer)

#Italy Weekly malspam n.18 from 1 to 7 May 2023. We have analyzed 43 campaigns, 15 in Italian 🔥 #FormBook #AgentTesla #QakBot #Lokibot #Ursnif and #Emotet in holidays🏖️. Total families: 11. tgsoft.it/news/news_arch… moto_sato sugimu JAMESWT_MHT Michele Breabin Radu

TG Soft (@viritexplorer)

#Mekotio has been hitting Italy since March with campaigns themed "fatture elettroniche" (electronic invoices). The #CRAM of #TGSoft is actively monitoring the malspam campaigns aimed at Italian users. moto_sato JAMESWT_MHT Breabin Radu sugimu tgsoft.it/news/news_arch…

TG Soft (@viritexplorer)

#Italy Weekly malspam n.19 from 8 to 14 May 2023. We have analyzed 55 campaigns, 6 in Italian 🔥 #FormBook #AgentTesla #Remcos #BluStealer. New entry #DCRAT. #Ursnif and #Emotet in holidays🏖️. Total families: 9. tgsoft.it/news/news_arch… moto_sato sugimu JAMESWT_MHT Breabin Radu

TG Soft (@viritexplorer)

#Italy Weekly malspam n.20 from 15 to 21 May 2023. We have analyzed 57 campaigns, 12 in Italian 🔥 #AgentTesla #FormBook #STRRAT #Strela. New entry #ChaosRansomware #PikaBot. #Emotet in holidays🏖️. Total families: 13. tgsoft.it/news/news_arch… moto_sato sugimu JAMESWT_MHT

TG Soft (@viritexplorer)

#Italy Weekly malspam n.21 from 22 to 28 May 2023. We have analyzed 63 campaigns, 13 in Italian 🔥 #AgentTesla #FormBook #Remcos #BluStealer. #Ursnif with theme Agenzia delle Entrate. Total families: 10. tgsoft.it/news/news_arch… moto_sato sugimu JAMESWT_MHT Breabin Radu

TG Soft (@viritexplorer)

#Italy Weekly malspam n.23 from 5 to 6 Jun 2023. We have analyzed 53 campaigns, 8 in Italian 🔥 #AgentTesla #FormBook #LokiBot #SnakeLogger. New entry #NetSupportRat. Total families: 7. tgsoft.it/news/news_arch… moto_sato sugimu JAMESWT_MHT Michele Breabin Radu

TG Soft (@viritexplorer)

#Italy Weekly malspam n.25 from 19 to 25 Jun 2023. We have analyzed 51 campaigns, 6 in Italian 🔥 #AgentTesla #FormBook #SnakeLogger #Ave_Maria. #Ursnif hits Italy again with theme Pagamenti. Total families: 8. tgsoft.it/news/news_arch… moto_sato sugimu🐞 JAMESWT_MHT Breabin Radu

TG Soft (@viritexplorer)

#Italy Weekly malspam n.26 from 26 Jun to 2 Jul 2023. We have analyzed 51 campaigns, 15 in Italian 🔥 #AgentTesla #FormBook #LokiBot #Rhadamanthys. New entry: RAT spread via PEC. Total families: 10. moto_sato JAMESWT_MHT sugimu🐞 Breabin Radu Michele tgsoft.it/news/news_arch…

MrBeast (@mrbeast)

I'm gonna give 10 random people that repost this and follow me $25,000 for fun (the $250,000 my X video made). I'll pick the winners in 72 hours.

TG Soft (@viritexplorer)

#PlugX campaign from 07-30 to 08-01 via MSC files:
3e6772aca8bb8e71956349f1ea9fecda5d9b9cfa00f8cdbf846c169ab468a370
6784b646378c650a86ba4fdd4baaaf608e5ecdf171c71bb7720f83965cc8c96f
ca0dfda9a329f5729b3ca07c6578b3b6560e7cfaeff8d988d1fe8c9ca6896da5
moto_sato nao_sec

TG Soft (@viritexplorer)

TG Soft has been monitoring the abuse of MSC files by a Chinese APT that exploited a new diskless shellcode that downloads the Marte Beacon with Cobalt Strike. tgsoft.it/news/news_arch… moto_sato nao_sec AhnLab Security Information Elastic Security Labs StrikeReady Labs Joe Desimone

TG Soft (@viritexplorer)

Interesting #CobaltStrike from "apt-99" with C2:
pythongo[.]online

LNK -> Silverlight.exe (sideloading coreclr.dll) -> bin.dat -> CS

C:\Users\admin\Desktop\Project\cs4.5(apt-99)\cs4.5 2\external\beacon\Release\beacon.pdb

moto_sato StrikeReady Labs
TG Soft (@viritexplorer)

#apt: on 19th September the MSC file 19_09_2024.msc was uploaded from Russia with low detection.

MSC->CertUtil->Powershell->Excel:
- Decoy pdf
- Shellcode x64 -> #Sliver

Msc hash: 44c8565f05bc93f399c960dd44e66a9c

moto_sato Yogesh Londhe 780th Military Intelligence Brigade (Cyber)
TG Soft (@viritexplorer)

The PowerShell script creates an Excel macro on the fly; the macro extracts the decoy PDF and executes the shellcode.

As the final stage, the shellcode downloads from the IP s://213.183.54[.]123:8444 the #Sliver framework with C2: techitzone[.]ru

Below the translated decoy.
TG Soft (@viritexplorer)

The PDF isn't a simple decoy; instead it asks for some information that must be sent via email to min-trud.gov@mail[.]ru. The email address mimics an official address but is a generic email service. In this way the cyber actor can steal reserved information about some subjects.

TG Soft (@viritexplorer)

We have discovered a new campaign targeting Russia from an unknown #APT.
The file 23.09.2024.7z was uploaded on VT from Russia yesterday.

This is similar to the 19th Sept campaign x.com/VirITeXplorer/…

Infection chain:
7z->MSC->CertUtil->CMD->PowerShell->Excel

moto_sato
TG Soft (@viritexplorer)

The Excel macro drops a PDF decoy and runs a shellcode that downloads from s://92.243.66.]237:8464 a new shellcode that contains the #Sliver framework with C2 rtxcore.]ru. The decoy is similar to the 19th Sept campaign, but the threat actor fixed the email address with the official one.

TG Soft (@viritexplorer)

The email address used in the decoy isn't the official one as reported previously, but it's similar. In this way the cyber actor can steal reserved information about some subjects.

vx-underground (@vxunderground)

Hello, it is our official very last giveaway. We made it. For our last giveaway we are doing: - $500 in Bitcoin - $100 in Ethereum - $500 in cash (x2) via PayPal. We ended up throwing some cash at other people behind the scenes who we believe genuinely needed it. Unfortunately,