Threat Research

    Detects the execution of more.com and vbc.exe within the process tree, a behavior linked to samples associated with Lummac Stealer. The Lummac payload is injected into the vbc.exe process....
    "QuickAssist Execution" refers to the detection of the execution of the Microsoft Quick Assist tool ("QuickAssist.exe"). This utility is designed for remote assistance, allowing users to receive or provide support. However, attackers can exploit it to gain unauthorized remote access to a victim's system....
    With smartphones playing a central role in daily life, malicious apps have become more deceptive and sophisticated. Recently, we identified a seemingly innocent app called “BMI CalculationVsn” on the Amazon Appstore, which secretly stole package names of installed apps and intercepted incoming SMS messages while posing as a health tool....
    The "Effective Phishing Campaign Targeting European Companies and Institutions" report details a phishing campaign aimed at harvesting credentials and compromising Microsoft Azure cloud infrastructure. Investigated by Unit 42, the campaign targeted European companies, particularly in Germany and the UK, peaking in June 2024....
    On November 18, 2024, TA397 (also known as Bitter) targeted a defense sector organization in Turkey with a spearphishing email. The email included a RAR archive containing a decoy PDF (~tmp.pdf), a malicious LNK file disguised as a PDF (PUBLIC INVESTMENTS PROJECTS 2025.pdf.lnk), and an Alternate Data Stream (ADS) file with embedded PowerShell code....
    The "Technical Analysis of RiseLoader" explores the newly discovered malware family, which uses a network communication protocol similar to that of RisePro. Unlike RisePro, which primarily focuses on information theft, RiseLoader specializes in downloading and executing second-stage payloads....
    "Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation" explores a new malware protection service called HeartCrypt, which has been in development since July 2023 and started offering its services in February 2024. HeartCrypt allows cybercriminals to pack malware into legitimate files, making it harder to detect....
    Detects possible COM object hijacking through changes to the default system CLSID....
    A malware campaign was identified that utilizes Node.js applications on Windows to deliver cryptocurrency miners and information stealers. Dubbed NodeLoader, this malware family uses Node.js-compiled executables to distribute second-stage payloads, including XMRig, Lumma, and Phemedrone Stealer....
    CVE-2024-50623 Exploitation Attempt - Cleo refers to a security vulnerability within the Cleo software suite that is being targeted by attackers. The exploitation attempt is identified by monitoring for a "cmd.exe" process launching from Cleo's software, which is often indicative of malicious activity....
    Threat actors often capitalize on trending events, such as global sporting championships, to execute attacks like phishing and scams. As a result, proactive monitoring of event-related domain abuse is vital for cybersecurity teams....
    "A New Android Banking Trojan Masquerades as Utility and Banking Apps in India" discusses the discovery of a new Android banking trojan targeting Indian users, identified by McAfee Mobile Research Team. This malware disguises itself as utility or banking apps, such as gas or electricity services, to steal sensitive information....
    Zloader (also known as Terdot, DELoader, or Silent Night) is a modular Trojan derived from the leaked Zeus source code, first appearing in 2015....
    "The Stealthy Stalker: Remcos RAT" highlights the rising threat of the Remcos Remote Access Trojan (RAT), identified by McAfee Labs in Q3 2024. This malware, commonly delivered via phishing emails and malicious attachments, allows cybercriminals to remotely control infected systems....
    During proactive threat hunting, Trellix Advanced Research Center identified samples of Celestial Stealer, a JavaScript-based infostealer packaged as either an Electron application or a NodeJS single application for Windows 10 and 11....