mithrandir (@rerednawyerg)'s Twitter Profile
mithrandir

@rerednawyerg

Malware Analyst

ID: 1506360879721455624

Link: https://rerednawyerg.github.io/
Joined: 22-03-2022 20:03:30

84 Tweets

65 Followers

102 Following

Unit 42 (@unit42_intel):

2023-07-12 (Wednesday) - #Gozi/#ISFB infection in an AD environment led to #CobaltStrike C2: 170.130.55[.]162:443 - iamupdate[.]com. List of IOCs at bit.ly/3XO2p3c

Ankit Anubhav (@ankit_anubhav):

#TA558 attacker is back with malicious JavaScript.

Now they download a Spiderman image which looks valid, but at the end has <BASE64_START> and <BASE64_END> tags.

The PowerShell spawned ensures that this string stream is extracted and decoded to helper DLL, which ends up

Germán Fernández (@1zrr4h):

Another TryCloudflare domain in this campaign:
dial-posters-corporations-des.trycloudflare[.]com

🔥 FUD "update.cmd": 43feb4c81e9e5be7b22c542dd0d54725075a67dbf592bb65b3b625c04256af55 leads to #AsyncRAT.

C2: mkys[.]duckdns[.]org

Unit 42 (@unit42_intel):

2024-03-14 (Wednesday): A tax season-themed campaign is possibly targeting citizens of Spain. A Dropbox link hosts a ZIP archive, which leads to #AsyncRAT and #XWorm. A 2014 tax return form serves as a decoy. IoCs: bit.ly/3vmboPn

#XRat #AsyncRAT #Unit42ThreatIntel

Unit 42 (@unit42_intel):

With the release of #MaaS #BunnyLoader 3.0, our researchers distill the information gained from new samples of this upgraded malware. 

Capable of #CredentialStealing and more, this article provides a thorough overview of BunnyLoader’s progression: bit.ly/4adA8rT

Unit 42 (@unit42_intel):

2024-03-27 (Wednesday): With the recent rise in malicious Google ads impersonating legitimate software, today we found one leading to a fake Cisco AnyConnect page pushing #NetSupportRAT. Indicators available at bit.ly/49mdPzG

#Unit42ThreatIntel #RemoteAccessTrojan

mithrandir (@rerednawyerg):

Felt nostalgic, searched Google for a phrase which over a year ago led to #Gootloader, and what do you know.. it's still there. #malvertising

Germán Fernández (@1zrr4h):

Interesting, thanks to Google we now know that this was also part of a post on the VirusTotal blog, unfortunately it also caused the analyst's confusion/distraction.

Apparently the article was later updated by removing the internal IP part, which makes it clear that it is a

Karol Paciorek (@karol_paciorek):

The #xworm campaign targets users in Spain 🇪🇸. 

📂 #opendir: 209.126.87[.35:8888
🔗 iz.ps1 - tria.ge/240402-p8r1baa…
🌐 C2: freshinxworm.ddns[.net:7000

CC: Who said what? (@g0njxa), Germán Fernández (@1ZRR4H)

Unit 42 (@unit42_intel):

2024-06-12 (Wednesday): Threat actor distributing #KoiLoader/#KoiStealer tries to evade detection by using an initial email query. Only sends a message linking to the malware after the targeted organization responds. Indicators from an infection today at bit.ly/3z1WTSw

Unit 42 (@unit42_intel):

#HeartCrypt, a new #PaaS, packs malicious code with legitimate binaries. Advertised on Telegram and elsewhere, the low cost ($20/file) combined with support for multiple payload types makes it an attractive tool for bad actors with varying expertise: bit.ly/41yljiM

Unit 42 (@unit42_intel):

The latest #HeartCrypt update removes position-independent code (PIC) from a PE file's resource data and now stores the payload as 2 XOR-encrypted blocks, with keys hidden after a fake BMP header. More info at bit.ly/408EZHC

#TimelyThreatIntel #Unit42ThreatIntel

Chuong Dong (@cpeterr):

Check out my Google blog on the garble obfuscator. The article dives deep into how garble obfuscates strings in Go binaries. I'm also introducing an open-source tool to dump strings and deobfuscate binaries protected by this obfuscating compiler! cloud.google.com/blog/topics/th…

Unit 42 (@unit42_intel):

In a recent wave of #SocialEngineering, attackers impersonate help desk personnel and use MS Teams to contact potential victims. This campaign distributes Trojanized installers for GlobalProtect to infect vulnerable hosts with #MadMxShell. More info at bit.ly/43lCQLo