Threat Research

    "Raspberry Robin Subsequent Execution of Commands" refers to a malware operation where an initial infection is used to execute further commands on a compromised system. Typically, it involves the use of removable media to spread the malware, which then enables attackers to run additional scripts or payloads....
    Identifies the Emotet Epoch4 loader, as reported by @malware_traffic in 2022. The ".lnk" file was distributed through a phishing campaign....
    The threat actor Earth Baxia has targeted a Taiwanese government organization and potentially others in the Asia-Pacific region using spear-phishing emails and the GeoServer vulnerability CVE-2024-36401, which allows remote code execution....
    The phrase describes a sequence of actions typically associated with malware distribution. It involves downloading a ZIP file, which likely contains an MSI (Microsoft Installer) file. The process continues with a file downloader that operates through DLL side-loading, a technique that exploits trusted applications to load malicious code....
    Detects the post-exploitation execution method of the Serpent backdoor. According to Proofpoint, one of the commands executed by the backdoor involved creating a temporary scheduled task through an unconventional approach. It generates a fake Windows event along with a trigger, which executes the payload once the event is created....
    The "Gleaming Pisces Poisoned Python Packages" campaign involves attackers distributing malicious Python packages that deliver a backdoor called PondRAT to Linux and macOS systems. These packages are designed to look legitimate, tricking users into downloading them....
    Identifies the initial execution of FakeUpdates/SocGholish malware through wscript, which subsequently runs commands using cmd or PowerShell....
    The "An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader" report details how a threat actor group, UNC2970, spreads a backdoor by using a compromised PDF reader. Victims are tricked into downloading a malicious version of the software, which secretly installs the backdoor on their systems....
    Identifies when the "taskschd.dll" module is loaded from a potentially suspicious or unusual directory. This loading could suggest that the application has the ability to create a scheduled task using the "Schedule.Service" COM object. An investigation into the application and its behavior is necessary to determine if it is malicious....
    "SNAKE KEYLOGGER ACTIVITY" refers to the monitoring and recording of keystrokes by a keylogger, which is often used maliciously to capture sensitive information like passwords and credit card numbers. This activity can occur through software or hardware-based keyloggers....
    Identifies potential adversaries using WMI ActiveScriptEventConsumers remotely to move laterally within a network. This event is best correlated with other telemetry and serves as valuable enrichment when assessing possible lateral movement activity....
    The "Exploitation Attempt of CVE-2020-1472 - Execution of ZeroLogon PoC" refers to the exploitation of a critical vulnerability in Microsoft Windows' Netlogon protocol, identified as CVE-2020-1472. This vulnerability allows attackers to impersonate any computer on a domain, potentially gaining unauthorized access to sensitive data and systems....
    We’ve recently noted changes in the Akira ransomware codebase. The ransomware now uses open-source crypto libraries for key import and data encryption instead of an API. The addition of KCipher2 alongside ChaCha20 is unusual, and metadata is now fully encrypted with RSA rather than partially....
    Identifies specific process creation patterns associated with UNC2452, as outlined in Microsoft Defender ATP queries provided by Microsoft....
    CVE-2021-1675, also known as the "Print Spooler" vulnerability, is a security flaw in Microsoft Windows that affects the Print Spooler service. This vulnerability allows attackers to execute arbitrary code with system-level privileges by exploiting improper validation of file paths....