Threat Research Feed

2024-12-26
Festive_Season_Cyber_Threats
LOW
Intel Source:
Cyfirma
Intel Name:
Festive_Season_Cyber_Threats
Date of Scan:
2024-12-26
Impact:
LOW
Summary:
Researchers from CYFIRMA have discovered that festive events and holidays have become prominent targets for cybercriminals and hacktivists, who take advantage of the increase in online transactions and retail activity during these periods. Threats include automated incidents that take advantage of security flaws, client-side data breaches that target payment information, and advanced bots that engage in fraudulent activities such as price scraping and account compromise.
Source: https://www.cyfirma.com/research/how-festive-events-have-become-prime-targets-for-digital-exploitation-and-fraud/
2024-12-25
Araneida_Scanner
LOW
Intel Source:
Silent Push
Intel Name:
Araneida_Scanner
Date of Scan:
2024-12-25
Impact:
LOW
Summary:
Silent Push researchers have uncovered a tool called the Araneida Scanner. It appears to be based on a cracked version of Acunetix, a legitimate web application security testing tool, but it is being misused for illegal activity: stealing user data and identifying vulnerabilities for exploitation. Araneida is promoted on platforms such as Telegram, where it is sold alongside stolen credentials, and the same Telegram channels provide instructions for malicious use of the tool.
Source: https://www.silentpush.com/blog/araneida-scanner-acunetix/?utm_source=rss&utm_medium=rss&utm_campaign=araneida-scanner-acunetix
2024-12-25
Threat_Actors_Gift_Holiday_Lures
LOW
Intel Source:
Proofpoint
Intel Name:
Threat_Actors_Gift_Holiday_Lures
Date of Scan:
2024-12-25
Impact:
LOW
Summary:
Proofpoint researchers have observed a surge in phishing and fraud schemes leveraging holiday-themed lures, such as promotions for deals, bonuses, and job offers. A variety of attacks, including credential phishing and malware delivery, have been identified, with attackers impersonating airlines, HR departments, and even reputable nonprofits like Project HOPE. For example, one phishing campaign used fake holiday bonus messages to trick employees into entering their login credentials on counterfeit Microsoft pages.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-threat-actors-gift-holiday-lures-threat-landscape
2024-12-25
SSH_Reverse_Backdoor_with_SOCKS_Proxy_for_Control
LOW
Intel Source:
ISC.SANS
Intel Name:
SSH_Reverse_Backdoor_with_SOCKS_Proxy_for_Control
Date of Scan:
2024-12-25
Impact:
LOW
Summary:
The discovered Windows batch script leverages SSH to create a reverse backdoor on the victim's machine. It adds a registry entry for persistence and uses SSH with options that allow executing local commands, such as downloading and running a malicious executable (`Ghost.exe`). This executable is fetched from a URL hosted on a domain associated with Visual Studio's Dev Tunnels feature, which was repurposed for the attack. The reverse SSH tunnel acts as a SOCKS proxy, enabling the attacker to route traffic through the compromised machine. This method is a sophisticated way to establish remote control, likely via a RAT, while evading detection.
Source: https://isc.sans.edu/diary/More+SSH+Fun/31542/
2024-12-25
Early_Warning_Signs_of_Ransomware_Double_Extortion
MEDIUM
Intel Source:
CATO Network
Intel Name:
Early_Warning_Signs_of_Ransomware_Double_Extortion
Date of Scan:
2024-12-25
Impact:
MEDIUM
Summary:
Recent investigations by the Cato CTRL and Cato MDR teams have uncovered a critical early warning sign for double extortion tactics used by ransomware groups, particularly Hunters International and Play. Both groups exhibit unusual internal data-copying activities as an early indicator of exfiltration, which often goes undetected. Hunters International, a new and highly active ransomware group that emerged in late 2023, operates under the Ransomware-as-a-Service (RaaS) model, providing tools and services to other cybercriminals. It is believed to have evolved from the defunct Hive ransomware gang. The Play ransomware gang is known for its sophisticated tactics and rapid evolution. It exploits vulnerabilities in public-facing applications, including FortiOS and Microsoft Exchange, and leverages services like Remote Desktop Protocol (RDP) and VPNs for initial access. Both groups are significant threats to organizations globally.
Source: https://www.catonetworks.com/blog/sophisticated-data-exfiltration-tools-used-in-double-extortion-ransomware-attacks/
2024-12-24
Technical_Analysis_of_RiseLoader
LOW
Intel Source:
Zscaler
Intel Name:
Technical_Analysis_of_RiseLoader
Date of Scan:
2024-12-24
Impact:
LOW
Summary:
Zscaler ThreatLabz has discovered a malware family called RiseLoader, which emerged in October 2024. It acts as a loader that downloads and executes other malicious payloads on the victim's machine. The malware uses a network communication protocol similar to that of RisePro, an information-stealing malware. RiseLoader focuses on distributing second-stage malware such as Vidar, Lumma Stealer, XMRig and Socks5Systemz. It also collects information about installed applications and cryptocurrency-related browser extensions, behaviour that has also been seen in both RisePro and PrivateLoader.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-riseloader
2024-12-24
LYNX_Ransomware_Targets_Energy_Sector
LOW
Intel Source:
Cyble
Intel Name:
LYNX_Ransomware_Targets_Energy_Sector
Date of Scan:
2024-12-24
Impact:
LOW
Summary:
Researchers from Cyble have highlighted the growing threat posed by the LYNX ransomware group, encouraging energy sector firms to proactively monitor their IT and key infrastructure for harmful binaries. This followed a ransomware attack on December 9, 2024, that targeted Electrica Group, Romania's largest energy provider.
Source: https://cyble.com/blog/romania-urges-energy-sector-of-proactive-scanning-amid-lynx-ransomware-threat/
2024-12-23
Vishing_Attack_Installs_DarkGate
LOW
Intel Source:
Trend Micro
Intel Name:
Vishing_Attack_Installs_DarkGate
Date of Scan:
2024-12-23
Impact:
LOW
Summary:
Researchers at Trend Micro have discovered an attack that used vishing over Microsoft Teams to deliver DarkGate malware. The attacker employed social engineering by impersonating a known client during a Teams session and convincing the victim to download AnyDesk for remote access. Once access was gained, the attacker installed harmful files, including one detected as Trojan.AutoIt.DARKGATE.D. Using an AutoIt script, the malware ran commands, connected to a command-and-control server, collected system information, and established persistence mechanisms.
Source: https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html
2024-12-23
LockBit_4_0_Ransomware
HIGH
Intel Source:
TheRavenFile
Intel Name:
LockBit_4_0_Ransomware
Date of Scan:
2024-12-23
Impact:
HIGH
Summary:
Cybersecurity experts have reported that the LockBit ransomware group has launched LockBit 4.0, signaling a full comeback after a year of law enforcement crackdowns. In related news, the U.S. Department of Justice has charged Rostislav Panev, a 51-year-old Russian-Israeli dual-national, for his alleged involvement in developing LockBit ransomware encryptors and the "StealBit" data-theft tool, as outlined in a criminal complaint unsealed in New Jersey.
Source: https://github.com/TheRavenFile/Daily-Hunt/blob/main/LockBit%204.0%20Ransomware
2024-12-23
Christmas_Gift_Delivered_Through_SSH
LOW
Intel Source:
ISC.SANS
Intel Name:
Christmas_Gift_Delivered_Through_SSH
Date of Scan:
2024-12-23
Impact:
LOW
Summary:
Researchers from ISC.SANS have observed attackers taking advantage of the Christmas season to deliver "gifts" to mailboxes in the form of a malicious link file dubbed christmas_slab.pdf[.]lnk. When the file is opened, it triggers a process that runs ssh.exe, which connects to a remote server and downloads a malicious executable to the victim's machine. Once the payload is executed, the attacker passes their own IP address and a username as parameters to the malicious file.
Source: https://isc.sans.edu/diary/Christmas+Gift+Delivered+Through+SSH/31538/
2024-12-23
Exploring_the_Advanced_Tactics_of_APT34_OilRig
LOW
Intel Source:
Picus
Intel Name:
Exploring_the_Advanced_Tactics_of_APT34_OilRig
Date of Scan:
2024-12-23
Impact:
LOW
Summary:
OilRig (APT34), also known as Helix Kitten, is a state-sponsored cyber espionage group with a focus on the Middle East. The group has targeted critical sectors like government, energy, telecommunications, and technology services, using advanced tactics to gather intelligence and exert geopolitical influence. Notable incidents include the Helminth Backdoor Campaign (2016), where OilRig used spearphishing and the Helminth backdoor to infiltrate Saudi Arabian organizations, and the QUADAGENT Deployment (2018), where they exploited supply chain vulnerabilities by targeting a technology services provider, deploying a stealthy PowerShell-based backdoor. In 2024, OilRig leveraged the CVE-2024-30088 vulnerability to escalate privileges and deploy the STEALHOOK backdoor, which allowed them to perform data extraction and lateral movement across networks.
Source: https://www.picussecurity.com/resource/blog/oilrig-exposed-tools-techniques-apt34
2024-12-23
Phishing_Campaign_Targets_Businesses
LOW
Intel Source:
CloudSEK
Intel Name:
Phishing_Campaign_Targets_Businesses
Date of Scan:
2024-12-23
Impact:
LOW
Summary:
A sophisticated malware campaign is targeting businesses via email phishing, using trusted brand names and professional collaboration offers as bait. The emails, which often contain malicious attachments disguised as business proposals or promotional materials, are sent from spoofed or compromised addresses. When recipients open the attachments (e.g., Word, PDF, or Excel files), the malware is activated, stealing sensitive data or providing remote access to attackers. The primary targets are individuals in marketing, sales, and executive roles, who are likely to engage in business opportunities.
Source: https://www.cloudsek.com/blog/how-threat-actors-exploit-brand-collaborations-to-target-popular-youtube-channels
2024-12-22
CleverSoar_Campaign
LOW
Intel Source:
Esentire
Intel Name:
CleverSoar_Campaign
Date of Scan:
2024-12-22
Impact:
LOW
Summary:
The eSentire team has discovered a malware campaign involving a new malware installer called CleverSoar. This malware mainly targets Chinese- and Vietnamese-speaking users through malicious installer packages delivered via poisoned search results. These packages install two tools: the Winos4.0 framework, used for advanced intrusion activity, and the Nidhogg rootkit, which helps the malware stay hidden and maintain access. In this campaign, the Winos4.0 framework, referred to as the Online Module, is built on the Gh0st RAT malware. It allows attackers to use plugins for spying on and controlling compromised Windows systems.
Source: https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
2024-12-22
Linking_Malicious_Infrastructure_to_Infostealers
LOW
Intel Source:
Vasilis Orlof
Intel Name:
Linking_Malicious_Infrastructure_to_Infostealers
Date of Scan:
2024-12-22
Impact:
LOW
Summary:
A search for specific nginx versions running on port 19000 revealed 17 hosts, with a notable presence of Windows Server 2012, which previously helped identify infrastructure linked to the Rhadamanthys infostealer. This suggests that the infrastructure is likely used by multiple threat actors, primarily serving infostealers and RATs. A refined search returned 29 results, excluding 7 IPs already reported, leaving 22 unique IPs. Of these, 6 were previously reported, reinforcing the hypothesis and linking these IPs to malicious infrastructure with moderate to high confidence. However, the absence of SSH fingerprints limited further associations.
Source: https://intelinsights.substack.com/p/a-multi-actor-infrastructure-investigation
2024-12-22
Recent_Kimsuky_Infrastructure_Trends
LOW
Intel Source:
Hunt.IO
Intel Name:
Recent_Kimsuky_Infrastructure_Trends
Date of Scan:
2024-12-22
Impact:
LOW
Summary:
Hunt.IO researchers have discovered recent operations tied to the North Korean threat group Kimsuky, involving websites that return the distinctive HTTP response "Million OK!!!!". These domains mimic the branding of Naver, a South Korean technology company, but have no real relationship to it. The group's continued use of previously known top-level domains such as p-e.kr, o-r.kr, and n-e.kr suggests that its infrastructure is being actively maintained and expanded. This activity shows Kimsuky's technique of using familiar branding to lend legitimacy to its malicious activity.
Source: https://hunt.io/blog/million-ok-naver-facade-kimsuky-tracking
2024-12-21
BellaCiao_Campaign_Adds_BellaCPP
LOW
Intel Source:
Securelist
Intel Name:
BellaCiao_Campaign_Adds_BellaCPP
Date of Scan:
2024-12-21
Impact:
LOW
Summary:
Researchers at Securelist have observed the BellaCiao malware family, which is linked to the Charming Kitten APT group, evolve with the development of BellaCPP, a C++ variant of the .NET-based malware. BellaCiao combines the stealth of a webshell with the ability to create hidden tunnels, and its PDB paths expose target-specific data and version information. BellaCPP, discovered alongside a .NET BellaCiao sample on a machine in Asia, runs as a Windows service, decrypting strings to load DLLs, resolve functions, and build target-specific domains.
Source: https://securelist.com/bellacpp-cpp-version-of-bellaciao/115087/
2024-12-21
Autonomous_System_Spearphishing
LOW
Intel Source:
Proofpoint
Intel Name:
Autonomous_System_Spearphishing
Date of Scan:
2024-12-21
Impact:
LOW
Summary:
In December 2024, a spearphishing campaign targeted over 20 Autonomous System (AS) owners, mostly Internet Service Providers (ISPs), by impersonating the Network Operations Center (NOC) of a major European ISP. The emails, sent to contact addresses in AS WHOIS records, claimed to address BGP flapping issues and were personalized based on the target's Autonomous System Number (ASN). The emails contained a password-protected RAR archive with a malicious Microsoft Shortcut file that triggered an executable to load shellcode and self-delete.
Source: https://x.com/threatinsight/status/1867312362572984579
2024-12-21
Using_LLMs_to_Obfuscate_Malicious_JavaScript
LOW
Intel Source:
Palo Alto
Intel Name:
Using_LLMs_to_Obfuscate_Malicious_JavaScript
Date of Scan:
2024-12-21
Impact:
LOW
Summary:
Palo Alto researchers have developed a tool that uses large language models to generate new variants of malicious JavaScript at scale, which helps them improve detection of such threats. They built a process that repeatedly uses an LLM to rewrite malicious JavaScript while preserving its original behaviour. The rewrites apply techniques such as renaming variables, adding unused code, and removing extra whitespace, with validation after each step to ensure the malicious behaviour stays intact. This approach significantly reduces the number of VirusTotal engines that flag the samples as malicious.
Source: https://unit42.paloaltonetworks.com/using-llms-obfuscate-malicious-javascript/
2024-12-20
NotLockbit_Ransomware_Group
MEDIUM
Intel Source:
Qualys
Intel Name:
NotLockbit_Ransomware_Group
Date of Scan:
2024-12-20
Impact:
MEDIUM
Summary:
Researchers at Qualys have discovered a new ransomware called NotLockbit that mimics the behaviour and tactics of the LockBit ransomware group. It is written in the Go programming language and targets both macOS and Windows operating systems. The ransomware encrypts files, steals data, and deletes itself after execution. NotLockbit can exfiltrate files to remote storage such as Amazon S3 buckets, enabling attackers to employ double-extortion tactics. The ransomware gathers information about the macOS system to better understand the target for maximum impact.
Source: https://blog.qualys.com/vulnerabilities-threat-research/2024/12/18/notlockbit-a-deep-dive-into-the-new-ransomware-threat
2024-12-20
Malichus_Malware_via_Cleo_Exploit
MEDIUM
Intel Source:
Huntress
Intel Name:
Malichus_Malware_via_Cleo_Exploit
Date of Scan:
2024-12-20
Impact:
MEDIUM
Summary:
Researchers at Huntress have discovered malicious behavior leveraging a 0-day vulnerability in Cleo software, which resulted in the distribution of Malichus, a newly found malware family. This malware, named after Malichus I, who retaliated against Cleopatra by destroying her navy fleet, has been studied, and a comprehensive technical breakdown is provided.
Source: https://www.huntress.com/blog/cleo-software-vulnerability-malware-analysis
2024-12-20
Lynx_Ransomware_Targets_Utilities
MEDIUM
Intel Source:
CIS
Intel Name:
Lynx_Ransomware_Targets_Utilities
Date of Scan:
2024-12-20
Impact:
MEDIUM
Summary:
Researchers at the Center for Internet Security (CIS) have highlighted the growing threat of the Lynx ransomware group targeting utilities, especially in sectors like energy, oil, and gas. The group has impacted over 20 victims in the U.S. The group was highly active between 2022 and 2024, exploiting vulnerabilities in outdated systems and weak security practices.
Source: https://www.cisecurity.org/insights/blog/lynx-ransomware-pouncing-utilities
2024-12-20
PUMAKIT_Malware
LOW
Intel Source:
Elastic Labs
Intel Name:
PUMAKIT_Malware
Date of Scan:
2024-12-20
Impact:
LOW
Summary:
Elastic researchers have uncovered a complex and advanced malware designed to target Linux systems. It operates in stages, including a dropper that deploys the malware, two temporary files stored in memory, a kernel-level rootkit, and a user-level rootkit. The kernel rootkit, called PUMA, uses advanced techniques to modify the Linux operating system, allowing it to hide files, directories, and itself. The malware uses the rmdir (remove directory) call to interact with the rootkit and gain full control of the system. Its main functions include giving attackers high-level access, hiding malicious activity, communicating with remote servers, and ensuring it stays hidden and operational.
Source: https://www.elastic.co/security-labs/declawing-pumakit
2024-12-20
Cybercriminals_Target_AWS_with_Advanced_Techniques
MEDIUM
Intel Source:
Datadog
Intel Name:
Cybercriminals_Target_AWS_with_Advanced_Techniques
Date of Scan:
2024-12-20
Impact:
MEDIUM
Summary:
Datadog researchers have observed attackers targeting Amazon Web Services (AWS) accounts using advanced techniques to maintain long-term access. They leverage their own AWS account to gain access, use a VPN service to avoid detection, and set up backdoors by creating rogue users and roles with admin rights. They create a rogue admin role named SupportAWS and link it to their own AWS account. Once inside, they check the Simple Email Service (SES) to see whether it can be used for sending spam or phishing emails. The attackers also use automated tools to gather more information across different AWS regions.
Source: https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/
2024-12-19
BIZFUM_STEALER
LOW
Intel Source:
Cyfirma
Intel Name:
BIZFUM_STEALER
Date of Scan:
2024-12-19
Impact:
LOW
Summary:
Cyfirma researchers have uncovered a malware called Bizfum Stealer, which is available on GitHub. It primarily targets browsers such as Chrome, Firefox, and Edge to steal information including browser credentials, files, and Discord tokens. It also collects clipboard content and can take screenshots of the victim's desktop, enabling attackers to capture visual data about the victim's activities. Bizfum Stealer can encrypt data using RSA encryption and sends all the stolen data to the attacker through a Telegram bot.
Source: https://www.cyfirma.com/research/bizfum-stealer/
2024-12-19
Google_Ads_Spread_SocGholish_Malware
LOW
Intel Source:
Malwarebytes
Intel Name:
Google_Ads_Spread_SocGholish_Malware
Date of Scan:
2024-12-19
Impact:
LOW
Summary:
Researchers at Malwarebytes have found a malicious campaign that used Google Search Ads to target Kaiser Permanente employees. The fake advertisements, disguised as links to the healthcare company's HR portal, attempted to phish employees for login credentials. Victims who clicked on the advertisements were routed to a compromised website that asked them to update their browser. This message was part of the SocGholish malware campaign, which infects machines and may enable human operators to carry out further malicious activity if the target appears valuable.
Source: https://www.malwarebytes.com/blog/news/2024/12/malicious-ad-distributes-socgholish-malware-to-kaiser-permanente-employees
2024-12-19
Banking_Trojan_Disguised_as_Parcel_App
LOW
Intel Source:
Securelist
Intel Name:
Banking_Trojan_Disguised_as_Parcel_App
Date of Scan:
2024-12-19
Impact:
LOW
Summary:
Researchers at Securelist have discovered fraudulent activity in which attackers deploy a banking Trojan disguised as a parcel-tracking app. The scheme targets both individuals and businesses by luring victims with seemingly authentic bulk-priced offers, causing them to contact the scammers first and thereby establishing trust. The Trojan can steal login credentials via customisable windows and control SMS banking services.
Source: https://securelist.com/mamont-banker-disguised-as-parcel-tracking-app/115006/
2024-12-19
IOCONTROL
LOW
Intel Source:
Claroty
Intel Name:
IOCONTROL
Date of Scan:
2024-12-19
Impact:
LOW
Summary:
Team82 has uncovered a sophisticated IoT/OT malware, IOCONTROL, believed to be developed by Iranian-affiliated hackers, targeting critical infrastructure in Israel and the U.S. The malware has affected a range of devices, including routers, programmable logic controllers (PLCs), and fuel management systems, such as those from Orpak and Gasboy. IOCONTROL’s modular design allows it to target a variety of platforms, making it a versatile cyberweapon. The attacks, attributed to the CyberAv3ngers group, a faction linked to Iran's Islamic Revolutionary Guard Corps Cyber Electronic Command, are part of ongoing cyber warfare tied to geopolitical tensions. The malware uses the MQTT protocol to securely communicate with command-and-control servers, enabling the attackers to disrupt services and potentially steal sensitive data. Team82’s analysis also revealed IOCONTROL’s sophisticated evasion techniques, including encryption and obfuscation to avoid detection.
Source: https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol
2024-12-18
Cloak_Ransomware
MEDIUM
Intel Source:
Halcyon
Intel Name:
Cloak_Ransomware
Date of Scan:
2024-12-18
Impact:
MEDIUM
Summary:
Researchers from Halcyon have discovered a ransomware group called Cloak that first appeared in 2022. The group mainly targets small to medium-sized businesses in Europe but has now expanded its operations to Asia, hitting sectors such as healthcare, IT, manufacturing, real estate, construction, and food. The group gains access to victim networks by purchasing access from Initial Access Brokers or by using social engineering techniques such as phishing, malvertising, and drive-by downloads disguised as Microsoft Windows installers. Victims are presented with ransom notes as desktop wallpapers and text files named readme_for_unlock.txt. If they refuse to pay, their stolen data is published on Cloak's data leak site.
Source: https://www.halcyon.ai/blog/cloak-ransomware-variant-exhibits-advanced-persistence-evasion-and-vhd-extraction-capabilities
2024-12-18
Scammers_Mimic_Dubai_Police_to_Defraud_UAE_People
LOW
Intel Source:
Resecurity
Intel Name:
Scammers_Mimic_Dubai_Police_to_Defraud_UAE_People
Date of Scan:
2024-12-18
Impact:
LOW
Summary:
Resecurity researchers have uncovered a campaign in which cybercriminals target people in the UAE by impersonating law enforcement officials such as Dubai Police. Victims are asked to pay fake online fines for traffic tickets, parking violations, or licence renewals. The scammers use phishing, smishing and vishing tactics to pressure victims with threats of driving licence revocation or vehicle seizure. The scams include links to payment pages that mimic legitimate government websites, making victims believe the requests are genuine.
Source: https://www.resecurity.com/blog/article/cybercriminals-impersonate-dubai-police-to-defraud-consumers-in-the-uae-smishing-triad-in-action
2024-12-18
Python_Delivering_AnyDesk_Client_as_RAT
LOW
Intel Source:
ISC.SANS
Intel Name:
Python_Delivering_AnyDesk_Client_as_RAT
Date of Scan:
2024-12-18
Impact:
LOW
Summary:
Remote access tools have become some of the most popular tools among cybercriminals. They are used for both legitimate and malicious purposes: they allow users to remotely manage devices, access files, or troubleshoot systems, while from an attacker's point of view they are used for spying, stealing data, and moving laterally within a network. Researchers also identified a Python script called an5[.]py that installs AnyDesk on the victim's machine and works on both Windows and Linux computers.
Source: https://isc.sans.edu/diary/Python+Delivering+AnyDesk+Client+as+RAT/31524/
2024-12-16
FLUXCONSOLE
MEDIUM
Intel Source:
SecuronixThreatLabs
Intel Name:
FLUXCONSOLE
Date of Scan:
2024-12-16
Impact:
MEDIUM
Summary:
The Securonix Threat Research team has been monitoring an interesting tax-related phishing campaign where threat actors leveraged MSC files and advanced obfuscation techniques to execute a stealthy backdoor payload. The FLUX#CONSOLE campaign covers a rather interesting approach that threat actors are taking to deliver malware and to skirt traditional AV detections. One of the more notable aspects of the campaign is how the threat actors leverage MSC (Microsoft Common Console Document) files to deploy a dual-purpose loader and dropper to deliver further malicious payloads. This loader efficiently handles both payload delivery and execution, leading to a stealthy and highly obfuscated backdoor DLL file.
Source: https://docs.google.com/spreadsheets/d/1tJ43FIQCeCMpODTVQZIiE6Ycn0Y0ZeJdEiFo6JWjTjA/edit?gid=1879729669#gid=1879729669
2024-12-14
Cryptojacking_Campaign_Target_Docker_and_Kubernetes
LOW
Intel Source:
SOC Radar
Intel Name:
Cryptojacking_Campaign_Target_Docker_and_Kubernetes
Date of Scan:
2024-12-14
Impact:
LOW
Summary:
A cryptojacking campaign is targeting unsecured Docker and Kubernetes systems by exploiting misconfigurations to gain unauthorized access. The attackers abuse Docker API endpoints exposed without proper authentication, which allows them to deploy cryptocurrency-mining programs, especially for Monero. They primarily target high-performance cloud systems in industries such as finance, healthcare, and technology. These attacks slow down systems, increase costs, and disrupt operations.
Source: https://socradar.io/blog-cryptojacking-campaign-targets-docker-and-kubernetes-surge-in-container-based-attacks/
2024-12-13
China_linked_APT_Targets_Southeast_Asia
MEDIUM
Intel Source:
Symantec
Intel Name:
China_linked_APT_Targets_Southeast_Asia
Date of Scan:
2024-12-13
Impact:
MEDIUM
Summary:
Threat actors linked to China-based APT groups have targeted several high-profile organizations in Southeast Asia since October 2023, including government ministries, an air traffic control body, a telecoms company, and a media outlet. These attacks appear to be focused on intelligence gathering. The attackers employ a mix of open-source and living-off-the-land tools, including a proxy tool called Rakshasa and DLL sideloading techniques used by the APT group Earth Baku (APT41). Their tactics involve using remote access tools to execute commands, install keyloggers, password collectors, reverse proxy tools, and custom DLLs to intercept login credentials and maintain access to compromised systems.
Source: https://www.security.com/threat-intelligence/china-southeast-asia-espionage#APT
2024-12-12
AIZ_Network_Targets_Retail_and_Crypto
MEDIUM
Intel Source:
Silent Push
Intel Name:
AIZ_Network_Targets_Retail_and_Crypto
Date of Scan:
2024-12-12
Impact:
MEDIUM
Summary:
Researchers at Silent Push have discovered a large-scale phishing and pig-butchering network known as "Aggressive Inventory Zombies" (AIZ), which targeted major retail companies and cryptocurrency audiences. The effort impersonates organizations such as Etsy, Amazon, BestBuy, and Wayfair, using a popular website template and integrated chat services for phishing purposes.
Source: https://www.silentpush.com/blog/aiz-retail-crypto-phishing/?utm_source=rss&utm_medium=rss&utm_campaign=aiz-retail-crypto-phishing
2024-12-12
Rise_of_Remcos_RAT_in_Q3_2024
LOW
Intel Source:
Mcafee
Intel Name:
Rise_of_Remcos_RAT_in_Q3_2024
Date of Scan:
2024-12-12
Impact:
LOW
Summary:
Researchers from McAfee Labs have observed a considerable increase in the Remcos RAT threat in Q3 2024, indicating that it is a major cybersecurity concern. This malware, which is usually distributed through phishing emails and malicious attachments, allows attackers to remotely manipulate affected devices, aiding espionage, data theft, and system manipulation. Remcos RAT's rising sophistication highlights the necessity of knowing its methods and implementing strong cybersecurity measures, such as regular updates, email filtering, and network monitoring, to reduce its impact and preserve critical data.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-stealthy-stalker-remcos-rat/
2024-12-12
Advanced_Snake_Keylogger_Variant
LOW
Intel Source:
ANY.RUN
Intel Name:
Advanced_Snake_Keylogger_Variant
Date of Scan:
2024-12-12
Impact:
LOW
Summary:
Researchers from ANY.RUN have discovered a new variant of the Snake Keylogger family, known as "Nova," that displays enhanced evasion strategies and expanded data exfiltration capabilities. Snake Keylogger, a .NET-based malware discovered in 2020, is well known for credential theft and keylogging delivered via phishing campaigns. Nova, developed in VB.NET, uses obfuscation techniques such as .NET Reactor and process hollowing to avoid detection.
Source: https://any.run/cybersecurity-blog/nova-keylogger-malware-analysis/
2024-12-07
Cobalt_Strike_Infrastructure_Exposed
LOW
Intel Source:
Hunt.IO
Intel Name:
Cobalt_Strike_Infrastructure_Exposed
Date of Scan:
2024-12-07
Impact:
LOW
Summary:
Researchers from Hunt.IO have discovered a network of suspicious infrastructure running Cobalt Strike 4.10, the latest version released in July 2024. Despite efforts to prevent unauthorized use, threat actors continue to leverage its post-exploitation capabilities. The servers bear a distinct watermark shared by only five other IP addresses worldwide. Domains related to these servers, initially discovered on November 19, imitate well-known brands, indicating a focused phishing operation.
Source: https://hunt.io/blog/rare-watermark-links-cobalt-strike-team-servers-to-ongoing-suspicious-activity
2024-12-06
Malware_Campaign_Targets_Manufacturing_Industry
LOW
Intel Source:
Cyble
Intel Name:
Malware_Campaign_Targets_Manufacturing_Industry
Date of Scan:
2024-12-06
Impact:
LOW
Summary:
Researchers from Cyble have discovered a sophisticated malware campaign targeted at the manufacturing industry. To circumvent typical security systems and remotely execute payloads, the attackers employ a misleading LNK file disguised as a PDF and exploit several Living-off-the-Land Binaries (LOLBins), such as ssh.exe, powershell.exe, and mshta.exe.
Source: https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/
2024-12-06
Meeten_Malware
LOW
Intel Source:
Cado Security Labs
Intel Name:
Meeten_Malware
Date of Scan:
2024-12-06
Impact:
LOW
Summary:
Researchers at Cado Security Labs have uncovered a scam targeting Web3 professionals with the crypto-stealing malware Realst, which runs on both macOS and Windows. The scam is operated by a fake company called Meetio, which frequently changes its name and has previously been called Clusee, Cuesee, and Meeten. The scammers lure victims through Telegram with fake business opportunities and then convince them to download a fake meeting app, Meeten, from their website; the app installs the Realst info-stealer to access cryptocurrency wallets and sensitive information. Their websites also contain malicious JavaScript that can steal crypto directly from web browsers, even without any malware being downloaded.
Source: https://www.cadosecurity.com/blog/meeten-malware-threat
2024-12-06
Data_Exfiltration_via_Formbook_Moalware
LOW
Intel Source:
Cofense
Intel Name:
Data_Exfiltration_via_Formbook_Moalware
Date of Scan:
2024-12-06
Impact:
LOW
Summary:
Researchers from Cofense have discovered a phishing campaign in which attackers imitate legitimate HR communication about year-end leave approvals. The email, with the subject line "Mandatory Leave Notice for all employees", uses professional language to lure employees into clicking a malicious link that claims the recipient's leave request has been approved. When the user clicks the link, it downloads a .zip file containing an Excel (.xls) document about Christmas leave schedules, which deploys Formbook malware to steal sensitive information from the victim.
Source: https://cofense.com/blog/end-of-year-pto-days-off-and-data-exhilaration-with-formbook
2024-12-05
Investment_Scam
LOW
Intel Source:
Cyberarmor
Intel Name:
Investment_Scam
Date of Scan:
2024-12-05
Impact:
LOW
Summary:
Cyberarmor researchers have uncovered an investment scam in which scammers target individuals through online platforms. They trick victims by offering job opportunities or high-yield investments, using tactics like social engineering, deceptive websites, and cryptocurrency transactions. The scam operates through a website called totallysoftware[.]tech, which appears legitimate but requires a special registration code provided by the scammer through WhatsApp. The scammers also use a private backend dashboard to manage victim accounts and oversee the operation.
Source: https://cyberarmor.tech/investment-scam-the-operations/
2024-12-05
BlueAlpha_Abuses_Cloudflare_Tunneling_Service
LOW
Intel Source:
Recorded Future
Intel Name:
BlueAlpha_Abuses_Cloudflare_Tunneling_Service
Date of Scan:
2024-12-05
Impact:
LOW
Summary:
Researchers at Insikt Group have uncovered an ongoing cyber-espionage campaign operated by a Russian threat actor called BlueAlpha. The group has been active since 2014 and frequently targets Ukrainian organizations and individuals. BlueAlpha uses spearphishing emails with malicious attachments to infect victims with its malware families, such as GammaDrop, GammaLoad, GammaSteel, and Pterodo. These malware families are capable of stealing data, capturing credentials, and maintaining long-term access to compromised systems. The group uses advanced tactics such as HTML smuggling to deliver malware via VBScript, and it leverages Cloudflare Tunnels for staging its malware.
Source: https://go.recordedfuture.com/hubfs/reports/cta-ru-2024-1205.pdf
2024-12-05
DarkNimbus_Backdoor_Targets_Multiple_Platforms
LOW
Intel Source:
Trend Micro
Intel Name:
DarkNimbus_Backdoor_Targets_Multiple_Platforms
Date of Scan:
2024-12-05
Impact:
LOW
Summary:
Researchers from Trend Micro have discovered that the Earth Minotaur threat group is using the MOONSHINE exploit kit to exploit vulnerabilities in Android messaging apps, primarily targeting Tibetan and Uyghur communities. MOONSHINE, which has been updated with new capabilities compared to the 2019 version, has been deployed on over 55 servers and is used to distribute the recently found DarkNimbus backdoor. This backdoor, which also has a Windows variant, shows Earth Minotaur's cross-platform attack strategy, affecting both Android and Windows devices.
Source: https://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html
2024-12-04
SecretBlizzard_Compromising_Storm0156_Infrastructure
MEDIUM
Intel Source:
Microsoft and Lumen
Intel Name:
SecretBlizzard_Compromising_Storm0156_Infrastructure
Date of Scan:
2024-12-04
Impact:
MEDIUM
Summary:
Researchers from Microsoft and Lumen Labs have uncovered a cyber campaign conducted by a Russian threat actor called Secret Blizzard, also known as Turla. The group infiltrated 33 C2 servers previously used by a Pakistani threat group called Storm-0156, which is known for espionage activities. Storm-0156 is associated with two major groups, SideCopy and Transparent Tribe. Secret Blizzard has been exploiting Storm-0156's infrastructure for the past few years. In 2023, it used Storm-0156's pre-existing access to deploy its own malware, such as TwoDash and Statuezy, into networks linked to various entities within the Afghan government. It also gained access to Pakistan-based workstations, from which it extracted sensitive data. By 2024, Secret Blizzard had expanded its tactics by using malware such as Wainscot and CrimsonRAT, which had been used in attacks against India's government and military. Secret Blizzard uses this malware to gather additional data.
Source: https://blog.centurylink.com/snowblind-the-invisible-hand-of-secret-blizzard/?utm_source=rss&utm_medium=rss&utm_campaign=snowblind-the-invisible-hand-of-secret-blizzard https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/
2024-12-04
Payroll_Pirates_Phishing_Campaign
LOW
Intel Source:
Silent Push
Intel Name:
Payroll_Pirates_Phishing_Campaign
Date of Scan:
2024-12-04
Impact:
LOW
Summary:
Researchers from Silent Push have discovered an ongoing phishing attack known as "Payroll Pirates," which targets HR payroll systems via redirection scams. The gang employs search ads with brand keywords to promote phishing sites, website builders to quickly create domains, and corporate directory structures to boost credibility.
Source: https://www.silentpush.com/blog/payroll-pirates/?utm_source=rss&utm_medium=rss&utm_campaign=payroll-pirates
2024-12-04
SocksSystemz_Botnet
LOW
Intel Source:
Bitsight
Intel Name:
SocksSystemz_Botnet
Date of Scan:
2024-12-04
Impact:
LOW
Summary:
Researchers from Bitsight have identified a malware called Socks5Systemz that turns compromised systems into proxy servers, allowing criminals to hide their online activities. It has been active since 2013 and was often delivered as part of other malware such as Andromeda and Trickbot, but it only became widely recognized in 2023. Researchers also found that Socks5Systemz had infected 250,000 systems around the world in 2023, and that these systems were rented out through a service called PROXY.AM to hide illegal activities such as account hacking and other crimes. Socks5Systemz provides criminals with anonymity that makes their activity difficult to track and stop.
Source: https://www.bitsight.com/blog/proxyam-powered-socks5systemz-botnet
2024-12-04
Docusign_Phishing_Attacks
LOW
Intel Source:
Cado Security Labs
Intel Name:
Docusign_Phishing_Attacks
Date of Scan:
2024-12-04
Impact:
LOW
Summary:
Cado researchers have discovered a new spearphishing campaign targeting technology executives through fake DocuSign emails. These emails typically state that a document is waiting for the recipient to sign and include a link to open it. The link leads to a fake DocuSign login page where the recipient's credentials are stolen. In this campaign, attackers send the phishing emails from legitimate email accounts that have already been compromised, such as Japanese business email accounts.
Source: https://www.cadosecurity.com/blog/the-growing-threat-of-docusign-phishing-attacks
2024-12-04
Diving_Deep_into_Zephyr_Coin
LOW
Intel Source:
QuickHeal
Intel Name:
Diving_Deep_into_Zephyr_Coin
Date of Scan:
2024-12-04
Impact:
LOW
Summary:
Zephyr Coin (ZEPH), launched in 2018, is a privacy-focused digital currency that uses a proof-of-stake system, allowing users to earn rewards by holding onto their coins. It is known for its strong privacy features and user-friendly design, making it a popular choice for secure online transactions. However, as its popularity grows, cybercriminals are increasingly targeting users through malware that spreads in four ways: Visual Basic Script (VBS), Batch Processing File (BAT), PowerShell Script (PS1), and Portable Executable (PE).
Source: https://blogs.quickheal.com/crypto-mining-malware-zephyr/
2024-12-04
Parano_Malware_Targeting_Users
LOW
Intel Source:
Cyfirma
Intel Name:
Parano_Malware_Targeting_Users
Date of Scan:
2024-12-04
Impact:
LOW
Summary:
Researchers at CYFIRMA discovered the introduction of the "Parano" malware family, created by the cybercriminal actor "Paranodeus." This malware package contains Parano Stealer, Parano Ransomware, and Parano Screen Locker, which are all written in Python and use advanced anti-analysis, persistence, and data exfiltration methods.
Source: https://cyfirma.com/research/exploration-of-parano-multiple-hacking-tools-capabilities/
2024-12-04
Andromeda_Backdoor
LOW
Intel Source:
Cybereason
Intel Name:
Andromeda_Backdoor
Date of Scan:
2024-12-04
Impact:
LOW
Summary:
Researchers from Cybereason have identified a group of C2 servers related to Andromeda, also known as Gamarue. The malware has been active since at least 2011 and has been used by multiple cybercriminal groups. It is distributed through phishing emails, infected external drives, and as a secondary payload from other malware. Once active, it can download and execute additional malware, steal sensitive information such as passwords, and establish a backdoor for remote access. Andromeda is targeting manufacturing and logistics companies in the Asia-Pacific (APAC) region with the aim of conducting industrial espionage.
Source: https://www.cybereason.com/blog/new-cluster-andromeda-gamrue-c2
2024-12-03
Howling_Scorpius_Ransomware_Threat
LOW
Intel Source:
Palo Alto
Intel Name:
Howling_Scorpius_Ransomware_Threat
Date of Scan:
2024-12-03
Impact:
LOW
Summary:
Researchers from Palo Alto have discovered that the Howling Scorpius ransomware gang, which has been active since early 2023, operates the Akira ransomware-as-a-service (RaaS) and consistently ranks among the top five ransomware groups. Using a double-extortion tactic, the group targets small to medium-sized businesses in North America, Europe, and Australia, spanning sectors such as education, government, manufacturing, technology, and pharmaceuticals. Its operations include encryptors for Windows, Linux, and ESXi hosts, with continual tool development that increases the risk for enterprises.
Source: https://unit42.paloaltonetworks.com/threat-assessment-howling-scorpius-akira-ransomware/
2024-12-03
BYOVD_Attacks_Surge
MEDIUM
Intel Source:
CrowdStrike
Intel Name:
BYOVD_Attacks_Surge
Date of Scan:
2024-12-03
Impact:
MEDIUM
Summary:
Over the past 18 months, Bring Your Own Vulnerable Driver (BYOVD) attacks have increased significantly, with adversaries attempting to bypass endpoint detection and response (EDR) solutions. In these attacks, attackers exploit known vulnerabilities in kernel drivers to perform privileged operations, such as terminating security products or bypassing anti-tampering protections. In September 2024, a CrowdStrike customer experienced an intrusion where six vulnerable drivers were used to evade the Falcon sensor, but all were detected or blocked. The incident resulted in 48 alerts across targeted endpoints, including malware execution and other malicious activities.
Source: https://www.crowdstrike.com/en-us/blog/falcon-prevents-vulnerable-driver-attacks-real-world-intrusion/
2024-12-03
Extracting_Executables_from_Malicious_Word_Docs
LOW
Intel Source:
ISC.SANS
Intel Name:
Extracting_Executables_from_Malicious_Word_Docs
Date of Scan:
2024-12-03
Impact:
LOW
Summary:
Researchers at SANS have found and analyzed a sample that is a Word document with an embedded executable. To extract the embedded executable from the Word document, they used `file-magic.py` to identify the document as an OOXML file. They then used `zipdump.py` to inspect the ZIP container and find the OLE object (e.g., `oleObject1.bin`). With `oledump.py`, they analyzed the OLE stream, extracted metadata such as the file hash, and finally used the `-e` option to extract the executable. This process allows analysis of the malicious executable, which requires user interaction to run, typically obtained through social engineering.
Source: https://isc.sans.edu/diary/Extracting+Files+Embedded+Inside+Word+Documents/31486/
2024-12-03
SmokeLoader_Targets_Entities_in_Taiwan
LOW
Intel Source:
Fortinet
Intel Name:
SmokeLoader_Targets_Entities_in_Taiwan
Date of Scan:
2024-12-03
Impact:
LOW
Summary:
FortiGuard researchers have uncovered a campaign in which attackers use SmokeLoader malware to target sectors such as manufacturing, healthcare, IT, and other industries in Taiwan. SmokeLoader is known for its advanced evasion techniques and acts as a downloader to deliver additional malware. In this campaign, the attack begins with phishing emails containing malicious attachments disguised as business communications such as a quotation. The emails use local language and phrases and are sent in bulk with the same content, including unaltered recipient details in file names. SmokeLoader performs attacks directly by downloading plugins from its C2 server.
Source: https://www.fortinet.com/blog/threat-research/sophisticated-attack-targets-taiwan-with-smokeloader
2024-12-03
Infostealer_From_Plain_to_Obfuscated_Version
LOW
Intel Source:
ISC.SANS
Intel Name:
Infostealer_From_Plain_to_Obfuscated_Version
Date of Scan:
2024-12-03
Impact:
LOW
Summary:
Trap-Stealer is an example of a Python-based malware that uses multiple obfuscation techniques to evade detection and analysis. These techniques include using meaningless classes and variables, base64 encoding to disguise payloads, encryption with various keys, and zlib compression to obfuscate its real functionality. The malware is dynamically decrypted and executed, making static analysis difficult. Additionally, an obfuscation tool is included in the repository, allowing attackers to automate the creation of obfuscated script versions. While the obfuscation increases file size and execution overhead, it significantly complicates detection.
Source: https://isc.sans.edu/diary/From+a+Regular+Infostealer+to+its+Obfuscated+Version/31484/
2024-12-03
Unveiling_RevC2_and_Venom_Loader
LOW
Intel Source:
Zscaler
Intel Name:
Unveiling_RevC2_and_Venom_Loader
Date of Scan:
2024-12-03
Impact:
LOW
Summary:
Zscaler ThreatLabz discovered two major campaigns in which the RevC2 and Venom Loader malware are being deployed by leveraging Venom Spider's MaaS tools. Venom Spider, also known as GOLDEN CHICKENS, is a threat actor known for offering Malware-as-a-Service (MaaS) tools like VenomLNK, TerraLoader, TerraStealer, and TerraCryptor. RevC2 is a malware that uses WebSockets to communicate with its C2 server, allowing it to steal sensitive information such as cookies and passwords. It can also enable remote code execution (RCE) on compromised systems. Venom Loader, on the other hand, is a malware loader that customizes its payload for each victim and uses the victim's system name to encode the payload.
Source: https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader#conclusion
2024-12-03
Gafgyt_Malware_Targets_Docker_Remote_API_Servers
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Gafgyt_Malware_Targets_Docker_Remote_API_Servers
Date of Scan:
2024-12-03
Impact:
MEDIUM
Summary:
Trend Micro researchers have identified a shift in the behavior of the Gafgyt malware, which traditionally targets vulnerable IoT devices. The malware is now exploiting misconfigured Docker Remote API servers to deploy itself. Attackers create a Docker container using a legitimate "alpine" image to spread the malware and infect the servers. Once deployed, the Gafgyt botnet can be used to launch DDoS attacks on the targeted servers. This marks a significant expansion of the malware's attack scope beyond IoT devices.
Source: https://www.trendmicro.com/en_us/research/24/l/gafgyt-malware-targeting-docker-remote-api-servers.html
2024-12-02
AgentTesla_Campaign
LOW
Intel Source:
CERT-AGID
Intel Name:
AgentTesla_Campaign
Date of Scan:
2024-12-02
Impact:
LOW
Summary:
CERT-AGID researchers have identified a malware campaign that spreads through emails. Initially, the malware failed to activate due to technical problems, but the attackers have since fixed the issue and relaunched the campaign with a .NET loader that uses AES encryption. The payload can be decrypted with a tool called CyberChef. After decryption, the malware is identified as AgentTesla, a common tool used to steal sensitive information. This version differs from the usual variants because it is loaded directly into memory instead of being written to the user's machine.
Source: https://cert-agid.gov.it/news/campagna-agenttesla-ritorna-in-azione-dopo-un-attacco-fallito-aggiornato-loader-e-nuove-tecniche-di-cifratura/
2024-12-02
KimSooki_Email_Phishing_Campaign
LOW
Intel Source:
Genians
Intel Name:
KimSooki_Email_Phishing_Campaign
Date of Scan:
2024-12-02
Impact:
LOW
Summary:
Genians researchers have identified phishing attacks targeting Korea that are linked to the Kimsuky group. The attackers impersonate trusted organizations or services, such as government agencies, financial institutions, or portal companies, to deceive recipients. Recently, phishing emails appeared to come from the Korean government's electronic document service, called National Secretary, and contained links to fraudulent websites hosted on a Korean domain service called MyDomain.Korea. These phishing campaigns do not always contain malware, but they often use URLs that redirect recipients to fake websites where sensitive information can be stolen.
Source: https://www.genians.co.kr/blog/threat_intelligence/kimsuky-cases
2024-12-02
The_TA4557_Attack_Analysis
MEDIUM
Intel Source:
The DFIR Report
Intel Name:
The_TA4557_Attack_Analysis
Date of Scan:
2024-12-02
Impact:
MEDIUM
Summary:
In March 2024, a malicious campaign attributed to TA4557 (linked to FIN6 and other groups like Cobalt Group and Evilnum) was detected after a user downloaded a malicious resume zip. The attack began with the execution of a malicious .lnk file, leading to the deployment of a series of tools, including a malicious DLL and WMI-based scripts, to establish a beacon to the attacker's command and control server. After initial discovery activity, the threat actor deployed Cobalt Strike and attempted to exploit a vulnerability (CVE-2023-27532) on a backup server to gain admin access. The attacker moved laterally, creating new administrator accounts, deploying Cloudflared, and scanning the network. Activity ceased temporarily but resumed with the removal of persistence tasks and continued use of Cobalt Strike and Cloudflared tunnels. Eventually, the attacker was evicted from the environment.
Source: https://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/
2024-12-02
Printer_Support_Scam_Campaign
LOW
Intel Source:
Malwarebytes
Intel Name:
Printer_Support_Scam_Campaign
Date of Scan:
2024-12-02
Impact:
LOW
Summary:
Researchers at Malwarebytes have discovered a new scam that targets consumers looking for printer support online. The scam consists of fraudulent search advertisements that resemble the official websites of well-known printer brands such as HP and Canon. Victims who click these adverts are led to bogus sites and urged to download fake printer drivers, which usually fail to install and display faked error messages. The scammers' ultimate goal is to get consumers to contact them, which might lead to extortion or data theft via remote access.
Source: https://www.malwarebytes.com/blog/scams/2024/11/printer-problems-beware-the-bogus-help
2024-12-02
Horns_and_Hooves_Campaign_Updates
LOW
Intel Source:
Securelist
Intel Name:
Horns_and_Hooves_Campaign_Updates
Date of Scan:
2024-12-02
Impact:
LOW
Summary:
Securelist researchers have uncovered a campaign called Horns&Hooves which has been active since March 2023. The primary targets of this campaign are private users, retailers, and service companies in Russia. In this campaign, the attackers send phishing emails containing ZIP archives with malicious JavaScript or HTML Application files disguised as legitimate documents such as purchase requests or reconciliation statements. These emails trick users into downloading and installing NetSupport RAT, a tool that gives attackers full remote access to the victim's computer. Additionally, the attackers installed a tool called Remote Manipulator System (RMS), which they renamed BurnsRAT. This tool gives them full remote control over the compromised system, including the ability to transfer files, run commands, and access the desktop using Remote Desktop Protocol (RDP).
Source: https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/
2024-11-29
Exploitation_of_Zyxel_Firewalls
MEDIUM
Intel Source:
SOC Radar
Intel Name:
Exploitation_of_Zyxel_Firewalls
Date of Scan:
2024-11-29
Impact:
MEDIUM
Summary:
A critical vulnerability has been disclosed in Zyxel firewalls, identified as CVE-2024-11667 with a CVSS score of 7.5. The flaw lies in the web management interface of certain firmware versions and allows attackers to upload or download files through specially crafted URLs. Researchers have linked this vulnerability to Helldown ransomware, which exploits it to gain initial access to networks. Exploitation of this vulnerability can lead to data theft and enable attackers to establish VPN connections, alter firewall settings, and execute further malicious actions.
Source: https://socradar.io/zyxel-firewalls-exploited-for-ransomware-attacks-20-security-flaws-discovered-in-advantech-access-points/
2024-11-29
Analysis_of_APT_C_48_Phishing_Attack
MEDIUM
Intel Source:
360 Threat Intelligence Center
Intel Name:
Analysis_of_APT_C_48_Phishing_Attack
Date of Scan:
2024-11-29
Impact:
MEDIUM
Summary:
APT-C-48 (CNC), a threat actor with ties to a South Asian government, has been identified targeting various sectors such as government, military, education, and healthcare. They use spear-phishing emails with "resume"-related subjects to deliver malicious payloads. The malicious executable files are hidden in compressed attachments, with their icons disguised as PDF files and filenames obfuscated by blank characters to evade detection. When opened, these files download additional malicious components from a remote server, enabling further attacks.
Source: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247504896&idx=1&sn=42097a09cd3420fd7168ba1afc84939e&chksm=f9c1e709ceb66e1fd732a72853e48466ae332109a6200a58c1ddab56e1c7d90b902cbbd64027&scene=178&cur_album_id=1955835290309230595
2024-11-28
Beluga_Phishing_Campaign
LOW
Intel Source:
Threatdown
Intel Name:
Beluga_Phishing_Campaign
Date of Scan:
2024-11-28
Impact:
LOW
Summary:
Researchers from Threatdown have uncovered a phishing campaign targeting OneDrive users to steal their login credentials. It starts with an email containing an .htm attachment in which the recipient's email address is pre-filled along with their company logo. Victims are tricked into clicking a VIEW DOCUMENT button to access a file, which leads to a fake login page where the email address cannot be changed and the Sign In and Create Account buttons are non-functional. The entered credentials, along with the victim's email address and IP address, are sent to the attackers via Telegram. After gaining access, attackers can steal sensitive files, spread malware, delete backups, and encrypt important data for ransom.
Source: https://www.threatdown.com/blog/beluga-phishing-campaign-targets-onedrive-credentials/
2024-11-28
Python_Package_aiocpa_Targets_Crypto
LOW
Intel Source:
Reversing Labs
Intel Name:
Python_Package_aiocpa_Targets_Crypto
Date of Scan:
2024-11-28
Impact:
LOW
Summary:
Researchers at ReversingLabs have found a malicious Python module called aiocpa that is meant to exploit cryptocurrency wallets. Unlike traditional attacks on open-source repositories such as PyPI, the threat actors behind aiocpa did not use typosquatting or impersonation, instead releasing a crypto client tool to entice users before sending a malicious update.
Source: https://www.reversinglabs.com/blog/malicious-pypi-crypto-pay-package-aiocpa-implants-infostealer-code
2024-11-28
Exploring_Rockstar_Kit_FUD_Link_Techniques
LOW
Intel Source:
Trustwave
Intel Name:
Exploring_Rockstar_Kit_FUD_Link_Techniques
Date of Scan:
2024-11-28
Impact:
LOW
Summary:
Trustwave researchers have done the second part of an investigation into the Rockstar kit, focusing on real-world examples of phishing emails that utilize Rockstar's advanced techniques. The Rockstar platform promotes the creation of fully undetectable (FUD) links for phishing campaigns, which evade detection systems that examine the initial URL. These techniques include using link redirectors (e.g., shortened URLs, open redirects, and URL protection services), as well as abusing trusted services and sites to host phishing content or redirect victims.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2fa-phishing-as-a-service-paas-noteworthy-email-campaigns/
2024-11-28
Global_Netflix_Phishing_Campaign
LOW
Intel Source:
Bitdefender
Intel Name:
Global_Netflix_Phishing_Campaign
Date of Scan:
2024-11-28
Impact:
LOW
Summary:
Bitdefender researchers have discovered a large-scale phishing attack aimed at Netflix subscribers in 23 countries, including the United States, Germany, Spain, and Australia, in an attempt to obtain login credentials and credit card details. The campaign uses SMS messages that create urgency by claiming problems with subscription payments and drive recipients to bogus websites.
Source: https://www.bitdefender.com/en-us/blog/hotforsecurity/netflix-scam-stay-safe
2024-11-27
Advanced_Hunting_Unveiled
MEDIUM
Intel Source:
qualys
Intel Name:
Advanced_Hunting_Unveiled
Date of Scan:
2024-11-27
Impact:
MEDIUM
Summary:
Researchers from Qualys have launched Advanced Hunting, a threat-hunting tool built into their Endpoint Detection and Response (EDR) platform. This capability helps security teams to proactively search for risks, uncover malicious behaviors, and identify potential breaches that may slip past traditional detection methods. Advanced Hunting uses the Qualys Query Language (QQL) to provide flexible operations such as field searches and string matching.
Source: https://blog.qualys.com/product-tech/2024/11/26/elevate-cyber-defense-with-qualys-advanced-hunting
2024-11-27
Credit_Card_Malware_Targeting_Magento_Website
LOW
Intel Source:
Sucuri
Intel Name:
Credit_Card_Malware_Targeting_Magento_Website
Date of Scan:
2024-11-27
Impact:
LOW
Summary:
Sucuri researchers have observed that cybercriminals are targeting Magento ecommerce websites because of the valuable customer data they hold. Depending on its variant, the malware either creates fake credit card forms or directly steals payment details during checkout. It then encrypts the stolen data and sends it to a remote server. The attackers use malicious JavaScript injected into Magento sites to conduct these activities.
Source: https://blog.sucuri.net/2024/11/credit-card-skimmer-malware-targeting-magento-checkout-pages.html
2024-11-27
Rockstar_2FA_A_Phishing_Platform
LOW
Intel Source:
Trustwave
Intel Name:
Rockstar_2FA_A_Phishing_Platform
Date of Scan:
2024-11-27
Impact:
LOW
Summary:
Trustwave researchers have identified a phishing tool called Rockstar 2FA which is linked to a phishing campaign targeting Microsoft user accounts. The campaign employs an advanced technique called adversary-in-the-middle (AiTM) attacks, which allows attackers to bypass MFA and steal login credentials and session cookies. The phishing emails in this campaign use various lures such as fake document notifications, HR messages, and IT alerts. Rockstar 2FA operates as Phishing-as-a-Service (PaaS), providing attackers with an easy-to-use tool and features such as MFA bypass, anti-bot protection, and multiple customizable login page templates for launching phishing attacks.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2fa-a-driving-force-in-phishing-as-a-service-paas/
2024-11-27
Snowflake_Security_Exploited_by_Hackers
LOW
Intel Source:
Krebsonsecurity
Intel Name:
Snowflake_Security_Exploited_by_Hackers
Date of Scan:
2024-11-27
Impact:
LOW
Summary:
A massive cybercrime operation aimed at Snowflake customers has been discovered, involving significant data theft and extortion. Two individuals have been caught, but a third, "Kiberphant0m," continues to sell stolen data online. Evidence suggests that this hacker, who may have been a US Army soldier stationed in South Korea, exploited poor account security to gain access to important archives.
Source: https://krebsonsecurity.com/2024/11/hacker-in-snowflake-extortions-may-be-a-u-s-soldier/
2024-11-27
GodLoader_Targeting_Multiple_Operating_Systems
LOW
Intel Source:
Checkpoint
Intel Name:
GodLoader_Targeting_Multiple_Operating_Systems
Date of Scan:
2024-11-27
Impact:
LOW
Summary:
Researchers from Check Point have uncovered a malware called GodLoader that can infect multiple operating systems, including Windows, macOS, Linux, Android, and iOS. It leverages Godot Engine, a popular open-source game development platform, to execute malicious activities. It is distributed through the Stargazers Ghost Network, a Malware-as-a-Service operation hosted on GitHub. The attackers use Godot's scripting language, GDScript, to execute malicious commands and deliver malware. When GodLoader runs, it decrypts and executes malicious GDScripts and downloads additional malicious payloads, such as cryptocurrency miners like XMRig and credential-stealing malware like RedLine.
Source: https://research.checkpoint.com/2024/gaming-engines-an-undetected-playground-for-malware-loaders/
2024-11-27
Bootkitty_The_First_UEFI_Bootkit_for_Linux
LOW
Intel Source:
ESET
Intel Name:
Bootkitty_The_First_UEFI_Bootkit_for_Linux
Date of Scan:
2024-11-27
Impact:
LOW
Summary:
ESET researchers have discovered the first UEFI bootkit created to target Linux systems, called Bootkitty. It is currently at an experimental stage rather than fully developed malware. Bootkitty's primary goal is to disable Linux kernel security checks and load extra programs during the Linux boot process. It specifically targets certain versions of Ubuntu and modifies the integrity verification functions in memory before the GRUB bootloader is executed. Additionally, researchers identified an unsigned kernel module called BCDropper, which loads another kernel module via an ELF program.
Source: https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/
2024-11-27
PSLoramyra_Loader_Exploits_Scripts
LOW
Intel Source:
Any.Run
Intel Name:
PSLoramyra_Loader_Exploits_Scripts
Date of Scan:
2024-11-27
Impact:
LOW
Summary:
Researchers at Any.Run have found PSLoramyra, a powerful fileless loader that uses PowerShell, VBS, and BAT scripts to inject and execute malicious payloads directly in memory, avoiding typical detection methods. Its infection chain begins with a PowerShell script that creates essential files and establishes persistence via Windows Task Scheduler. The loader's hidden operation and small system footprint make it a major cybersecurity risk.
Source: https://any.run/cybersecurity-blog/psloramyra-malware-technical-analysis/
2024-11-26
Matrix_Launches_Large_Scale_DDoS_Campaign
LOW
Intel Source:
Aquasec
Intel Name:
Matrix_Launches_Large_Scale_DDoS_Campaign
Date of Scan:
2024-11-26
Impact:
LOW
Summary:
Aquasec researchers have uncovered a DDoS campaign conducted by a threat actor called Matrix. The attacker exploits weak credentials, misconfigurations, and vulnerabilities in internet-connected devices, particularly IoT devices and enterprise servers, to create a massive botnet capable of causing global disruptions. The campaign targets devices like routers, cameras, and telecom equipment, as well as software systems like Hadoop and HugeGraph, using brute-force attacks and public scripts to gain access. It focuses heavily on cloud service providers (CSPs) and organizations in China and Japan.
Source: https://www.aquasec.com/blog/matrix-unleashes-a-new-widespread-ddos-campaign/
2024-11-26
Strengthening_Defenses_Against_C2_Tactics
LOW
Intel Source:
Huntress
Intel Name:
Strengthening_Defenses_Against_C2_Tactics
Date of Scan:
2024-11-26
Impact:
LOW
Summary:
Researchers at Huntress have discovered a novel yet traceable tradecraft used by a threat actor for remote access and command-and-control infrastructure. This shows the need to establish continual feedback loops between detection and hunting cycles, leaving no opportunity for persistent threats or backdoors.
Source: https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
2024-11-26
VidarStealerUpdate
LOW
Intel Source:
LIA Insights
Intel Name:
VidarStealerUpdate
Date of Scan:
2024-11-26
Impact:
LOW
Summary:
Threat actors managing botnets often use unique identifiers to organize bots, distinguish campaigns, and assign administrative access, particularly in Malware-as-a-Service (MaaS) operations. Identifiers vary across malware families; for instance, SmokeLoader uses plaintext strings, Bokbot employs binary identifiers, and Vidar stealer uses unique hexadecimal build IDs linked to threat actor profiles. Vidar build IDs, which hinder researchers from grouping samples without backend access, can still reveal campaign patterns when historical tasking data is available. Recent tracking highlighted increased activity and automation in October, with two Vidar tasks yielding 131 unique payloads identified as Lumma Stealer. These tasks, also used by other botnets like StealC, suggest automation to evade detection.
Source: https://insights.loaderinsight.agency/posts/vidar-build-id-correlation/
2024-11-26
SMOKEDHAM_Backdoor
MEDIUM
Intel Source:
TRAC Labs
Intel Name:
SMOKEDHAM_Backdoor
Date of Scan:
2024-11-26
Impact:
MEDIUM
Summary:
The SMOKEDHAM backdoor, operational since 2019, is deployed by the financially driven threat group UNC2465, known for advanced extortion campaigns, including ransomware such as DARKSIDE and LOCKBIT. Using trojanized software installers spread via malvertising on platforms like Google and Bing Ads, UNC2465 gains initial access to victims’ systems. SMOKEDHAM facilitates persistence and reconnaissance, employing tools like BloodHound and RDP, with malware often delivered through phishing emails or supply chain attacks. A notable 2021 supply chain attack targeted a CCTV vendor's clients, while recent 2023 campaigns used malicious versions of legitimate software. UNC2465 also exploits Cloudflare Workers for domain fronting and advanced persistence techniques such as DLL side-loading and registry modifications.
Source: https://medium.com/trac-labs/who-ordered-the-smokedham-backdoor-delicacies-in-the-wild-87f51e2e5bd2
2024-11-26
APTC60_ThreatGroup
LOW
Intel Source:
JPCERT
Intel Name:
APTC60_ThreatGroup
Date of Scan:
2024-11-26
Impact:
LOW
Summary:
In August 2024, the APT-C-60 group launched targeted attacks against domestic organizations using spear-phishing emails that impersonated job applicants. These emails linked to a malicious Google Drive-hosted VHDX file, which contained malware designed to infect systems via legitimate tools and services, including git.exe, Bitbucket, and StatCounter. The malware leveraged sophisticated techniques such as COM hijacking and XOR encoding for persistence and stealth. It deployed backdoors, including SpyGrace v3.1.6, to exfiltrate data and execute commands.
Source: https://blogs.jpcert.or.jp/ja/2024/11/APT-C-60.html
2024-11-26
The_Examination_of_Elpaco_Ransomware
LOW
Intel Source:
Securelist
Intel Name:
The_Examination_of_Elpaco_Ransomware
Date of Scan:
2024-11-26
Impact:
LOW
Summary:
Researchers at Securelist have examined a customized variant of the Mimic ransomware, identified as ElPaco. In a recent incident response case, it was found that the attackers gained access through Remote Desktop Protocol (RDP) via a brute-force attack and escalated their privileges by exploiting the CVE-2020-1472 (Zerologon) vulnerability. ElPaco uses the Everything library, which comes with a user-friendly graphical interface that allows attackers to tailor its functionality. The ransomware also includes features to disable security measures and run system commands.
Source: https://securelist.com/elpaco-ransomware-a-mimic-variant/114635/
2024-11-26
AutoIt_Credential_Flusher
LOW
Intel Source:
Open Analysis Research
Intel Name:
AutoIt_Credential_Flusher
Date of Scan:
2024-11-26
Impact:
LOW
Summary:
The Credential Flusher technique, observed since August 22, 2024, leverages AutoIt scripts to coerce victims into entering credentials into their browsers, which are later stolen using traditional stealer malware. This approach launches a browser in kiosk mode—locking it to a login page like Google—forcing victims to input credentials out of frustration. These credentials are stored in the browser’s credential store and subsequently exfiltrated by malware such as StealC. The Credential Flusher itself does not steal credentials but acts as a catalyst. It identifies available browsers, targets specific login pages, and is packaged into executable binaries for deployment.
Source: https://research.openanalysis.net/credflusher/kiosk/stealer/stealc/amadey/autoit/2024/09/11/cred-flusher.html
2024-11-26
Perfctl_Malware_Targets_Linux_Servers
LOW
Intel Source:
SOC Radar
Intel Name:
Perfctl_Malware_Targets_Linux_Servers
Date of Scan:
2024-11-26
Impact:
LOW
Summary:
Perfctl is a sophisticated and stealthy malware targeting Linux servers, leveraging fileless infection techniques to evade traditional security defenses. It infiltrates systems by mimicking legitimate processes and using server resources for cryptocurrency mining and proxyjacking. The malware has primarily impacted industries like cryptocurrency platforms and software development, where high computational demand is common. Its ability to remain undetected while consuming valuable server resources makes it a significant threat, emphasizing the need for enhanced detection measures in Linux environments.
Source: https://socradar.io/perfctl-campaign-exploits-millions-of-linux-servers-for-crypto-mining-and-proxyjacking/
2024-11-26
Xworm_Malware
LOW
Intel Source:
Seqrite
Intel Name:
Xworm_Malware
Date of Scan:
2024-11-26
Impact:
LOW
Summary:
XWorm is a stealthy malware known for its design and obfuscation techniques, which help it avoid detection. It communicates with its C2 server to carry out its malicious activity. After compromising a machine, it creates a unique mutex to ensure only one copy of itself runs at a time. It sends detailed information about the infected computer back to the attackers, who can monitor the system remotely and issue commands. Additionally, XWorm can change DNS settings, update itself and erase traces from the system.
Source: https://www.seqrite.com/blog/evolving-threats-the-adaptive-design-of-xworm-malware/
2024-11-26
EDRBypass_Detection_Update
MEDIUM
Intel Source:
DETECT FYI
Intel Name:
EDRBypass_Detection_Update
Date of Scan:
2024-11-26
Impact:
MEDIUM
Summary:
Detection updates for EDR killer tooling, including EDR Silencer, EDRSandblast, Killer Ultra, Kill AV, and AVNeutralizer.
Source: https://detect.fyi/detection-opportunities-edr-silencer-edrsandblast-kill-av-d882c290a393
2024-11-26
RomCom_Zero_Day_Exploitations
MEDIUM
Intel Source:
ESET Research
Intel Name:
RomCom_Zero_Day_Exploitations
Date of Scan:
2024-11-26
Impact:
MEDIUM
Summary:
ESET researchers uncovered a campaign by the Russia-aligned cybercrime and espionage group RomCom, exploiting two zero-day vulnerabilities in Mozilla products (CVE-2024-9680) and Windows (CVE-2024-49039). These critical flaws enabled attackers to execute code remotely and bypass Firefox’s sandbox protections, culminating in the delivery of the RomCom backdoor. The campaign utilized fake websites to redirect victims to exploit-hosting servers, deploying shellcode and privilege escalation techniques. Mozilla and Microsoft quickly patched the vulnerabilities in October and November 2024, respectively.
Source: https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/
2024-11-26
Exploitation_of_PAN_OS_Vulnerabilities
LOW
Intel Source:
Arcticwolf
Intel Name:
Exploitation_of_PAN_OS_Vulnerabilities
Date of Scan:
2024-11-26
Impact:
LOW
Summary:
Researchers at Arctic Wolf have discovered several attacks targeting Palo Alto Networks firewall devices across a variety of businesses. Threat actors gained initial access by exploiting two recently published PAN-OS vulnerabilities, CVE-2024-0012 and CVE-2024-9474. These attacks involved malicious HTTP downloads of the Sliver C2 framework, coinminer binaries, and other payloads.
Source: https://arcticwolf.com/resources/blog-uk/threat-campaign-targeting-palo-alto-networks-firewall-devices/
2024-11-26
The_Return_of_ANEL_Backdoor
LOW
Intel Source:
Trend Micro
Intel Name:
The_Return_of_ANEL_Backdoor
Date of Scan:
2024-11-26
Impact:
LOW
Summary:
A new spear-phishing campaign, attributed to Earth Kasha, has been targeting individuals and organizations in Japan since June 2024. This campaign marks the return of the ANEL backdoor, previously used by APT10 until 2018, and the use of NOOPDOOR, associated with Earth Kasha. The campaign focuses on political organizations, research institutions, think tanks, and those involved in international relations, reflecting a shift in target from enterprises to individuals. Earth Kasha's tactics, techniques, and procedures (TTPs) have evolved, moving away from exploiting edge device vulnerabilities to spear-phishing, with a particular interest in Japan's national security and international relations.
Source: https://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html
2024-11-25
Obfuscated_Gh0st_Campaign_Targets_Chinese_Users
LOW
Intel Source:
Still / Azaka
Intel Name:
Obfuscated_Gh0st_Campaign_Targets_Chinese_Users
Date of Scan:
2024-11-25
Impact:
LOW
Summary:
The Obfuscated Gh0st campaign targets Chinese-speaking individuals through fake downloads of browsers, VPNs, and Telegram. It collects fingerprinting information, including screen dimensions, language, and website titles upon page load. Clicking anywhere on the page triggers a malicious download, leading to the installation of the GoegIesretp malware, which is placed under C:\Windows\svcorenos once elevated to a service. The malware uses DSClock as a launcher and decodes obfuscated shellcode via checkUpdater.cfg and the RtlDecompressBuffer function.
Source: https://github.com/Still34/malware-lab/tree/main/reworkshop/2024-11-24
2024-11-25
Earth_Estries_Cyber_Espionage_Campaign
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Earth_Estries_Cyber_Espionage_Campaign
Date of Scan:
2024-11-25
Impact:
MEDIUM
Summary:
Trend Micro researchers have uncovered a cyber espionage campaign operated by the Chinese advanced persistent threat (APT) group Earth Estries, also known as Salt Typhoon and FamousSparrow, which has been targeting critical industries such as telecommunications, government entities, consulting firms, and NGOs since 2023. Their primary focus is on regions like the US, Asia-Pacific, Middle East, South Africa, and Southeast Asia. They use advanced techniques, exploiting server vulnerabilities like Ivanti VPN flaws, Fortinet SQL injection, and Microsoft Exchange's ProxyLogon to gain initial access. After gaining access, they leverage legitimate tools for network traversal and deploy custom malware such as GHOSTSPIDER, SNAPPYBEE, and MASOL RAT to conduct long-term espionage on their targets.
Source: https://www.trendmicro.com/en_us/research/24/k/earth-estries.html
2024-11-25
CyberVolk_Evolving_Hacktivist_Threat
LOW
Intel Source:
Sentinelone
Intel Name:
CyberVolk_Evolving_Hacktivist_Threat
Date of Scan:
2024-11-25
Impact:
LOW
Summary:
Researchers at SentinelLabs have discovered a pro-Russian hacktivist organization, CyberVolk, using ransomware attacks to take advantage of geopolitical tensions. They promote technologies like HexaLocker and Parano and exchange codebases with AzzaSec and DoubleFace.
Source: https://www.sentinelone.com/labs/cybervolk-a-deep-dive-into-the-hacktivists-tools-and-ransomware-fueling-pro-russian-cyber-attacks/
2024-11-25
JinxLoader_to_Astolfo_Loader
LOW
Intel Source:
Blackberry
Intel Name:
JinxLoader_to_Astolfo_Loader
Date of Scan:
2024-11-25
Impact:
LOW
Summary:
Researchers at BlackBerry have uncovered a malware called JinxLoader which has been active since 2023. It operates as a MaaS and is distributed through phishing emails to target Windows and Linux systems. JinxLoader is primarily designed to deploy other malware such as Formbook and XLoader and is managed through a centrally managed server panel. It often spreads via password-protected RAR files and HTML-based phishing lures that use JavaScript to deliver the malware. Additionally, Astolfo Loader, a rewrite of JinxLoader in C++ for better performance and a smaller file size, works similarly to JinxLoader.
Source: https://blogs.blackberry.com/en/2024/11/jinxloader-evolution
2024-11-25
Banking_Entity_Targeting_Via_PEC_Mailboxes
LOW
Intel Source:
CERT-AGID
Intel Name:
Banking_Entity_Targeting_Via_PEC_Mailboxes
Date of Scan:
2024-11-25
Impact:
LOW
Summary:
CERT-AGID researchers have uncovered a phishing campaign targeting customers of the Intesa SanPaolo banking institution in Italy. In this campaign, the attackers send emails from compromised Certified Electronic Mail (PEC) accounts to look more legitimate. The emails warn users of an urgent need to update the device used for banking services to avoid losing access, and include a link that redirects the user to a fake banking login page. After entering their login credentials, victims are further tricked into providing their payment card details, allowing the attackers to steal sensitive financial information.
Source: https://cert-agid.gov.it/news/caselle-pec-sempre-piu-usate-nel-phishing-per-le-frodi-bancarie/
2024-11-25
Ursnif_Banking_Trojan
LOW
Intel Source:
Cyble
Intel Name:
Ursnif_Banking_Trojan
Date of Scan:
2024-11-25
Impact:
LOW
Summary:
Cyble researchers have discovered a phishing campaign targeting business professionals in the United States. The attacker uses an LNK file disguised as a PDF inside a ZIP archive, which is often delivered through spam emails to trick users. When the file is opened, it runs a command that executes a malicious HTA (HTML Application) file, which in turn activates a malicious DLL identified as the banking trojan Ursnif. This trojan connects to a remote server to download additional malware to steal sensitive information from the victim’s machine.
Source: https://cyble.com/blog/ursnif-trojan-hides-with-stealthy-tactics/
2024-11-25
New_Domains_of_INC_and_Lynx_Ransomware
LOW
Intel Source:
TheRavenFile
Intel Name:
New_Domains_of_INC_and_Lynx_Ransomware
Date of Scan:
2024-11-25
Impact:
LOW
Summary:
The INC Ransomware group, known for attacks on companies like Yamaha Motors Philippines, Xerox, and various healthcare sectors, has been using multiple DLS (Data Leak Sites) on the surface web to leak victim data. In May 2024, they offered their ransomware project for sale and rebranded as Lynx Ransomware in July 2024. Despite the rebranding, the original INC Ransomware DLS, with over 100 victims, remains active, alongside the new Lynx Ransomware DLS, which has 40 victims. New domains related to both ransomware variants are still in operation.
Source: https://github.com/TheRavenFile/IOC/blob/main/INC-Lynx%20Ransomware
2024-11-25
NPM_Supply_Chain_Attack
LOW
Intel Source:
Checkmarx
Intel Name:
NPM_Supply_Chain_Attack
Date of Scan:
2024-11-25
Impact:
LOW
Summary:
Researchers from Checkmarx have discovered a supply chain attack involving an NPM package. The package steals sensitive information such as SSH keys and command history every 12 hours while simultaneously mining cryptocurrency on infected systems. It sends stolen data to Dropbox and file.io. The package spreads through two methods: direct installation from NPM and as a hidden dependency in a GitHub project named “yawpp”, which pretends to be a WordPress tool. As of now, at least 68 systems have been compromised and are actively mining cryptocurrency for the attackers.
Source: https://checkmarx.com/blog/npm-supply-chain-attack-combines-crypto-mining-and-data-theft/
2024-11-22
APT_C_36_Targets_Colombia_with_DcRat
MEDIUM
Intel Source:
360 Threat Intelligence Center
Intel Name:
APT_C_36_Targets_Colombia_with_DcRat
Date of Scan:
2024-11-22
Impact:
MEDIUM
Summary:
APT-C-36, also known as Blind Eagle, is a suspected South American cyber threat group primarily targeting Colombia, with some activity in Ecuador and Panama. Since its discovery in 2018, the group has focused on attacking government entities, financial sectors, insurance companies, and large corporations in Colombia. Recently, Blind Eagle has used UUE-compressed packages disguised as judicial documents to deliver the DcRat backdoor, compromising victims’ systems.
Source: https://mp.weixin.qq.com/s/DDCCjhBjUTa7Ia4Hggsa1A
2024-11-22
SAFEPAY_Ransomware_Overview
LOW
Intel Source:
Linkedin
Intel Name:
SAFEPAY_Ransomware_Overview
Date of Scan:
2024-11-22
Impact:
LOW
Summary:
SAFEPAY ransomware emerged in late November 2024, although it had been active since August 2024. It primarily targets Windows systems and has impacted 25 victims, including organizations in the United States, Argentina, Belgium, Canada, and the United Kingdom. Industries affected include service, energy, grocery, healthcare, hospitality, IT, and retail, with some victims previously attacked by Meow and Black Suit ransomware. SAFEPAY uses ShareFinder.ps1 to gather network situational awareness on Windows domains and has been observed operating under the hostnames WIN-3IUUOFVTQAR and WIN-SBOE3CPNALE. The ransomware's data leaks are hosted on an onion site, with the attackers utilizing VULTR services for DLS hosting on the TOR network. The group appears to be a rapidly organized entity, using a leaked Conti/LockBit encryptor and choosing basic vanity onion addresses.
Source: https://www.linkedin.com/posts/rakesh-krishnan-6179a94b_infosec-safepay-ransomware-activity-7265607811256987648-TIt3/
2024-11-22
PyPI_Library_Targeting_Private_Keys
LOW
Intel Source:
Phylum
Intel Name:
PyPI_Library_Targeting_Private_Keys
Date of Scan:
2024-11-22
Impact:
LOW
Summary:
Researchers at Phylum have observed that the PyPI package aiocpa was upgraded with malicious code intended to steal private keys. When users initialize the crypto library, the code sends these keys to Telegram. Notably, the attacker avoided detection by keeping the package's GitHub repository free of malicious code.
Source: https://blog.phylum.io/python-crypto-library-updated-to-steal-private-keys/
2024-11-22
Supply_Chain_Attack_on_Lottie_Player
LOW
Intel Source:
Reversing Labs
Intel Name:
Supply_Chain_Attack_on_Lottie_Player
Date of Scan:
2024-11-22
Impact:
LOW
Summary:
Researchers from Reversing Labs have discovered a supply chain attack targeting the popular @lottiefiles/lottie-player package, showing the dangers of rogue packages infiltrating established codebases. This attack used hijacked maintainer accounts to publish malicious versions, potentially affecting many projects.
Source: https://www.reversinglabs.com/blog/differential-analysis-raises-red-flags-over-lottiefiles/lottie-player