AhnLab reported that Lazarus compromised Windows IIS web servers and repurposed them as malware distribution servers for attacks exploiting unpatched INISAFE CrossWeb EX installations. In the observed server compromise, IIS worker process w3wp.exe created…
360’s threat research team reported APT-C-28/ScarCruft activity using an energy-sector lure about the Sharara-to-Mellitah oil pipeline to deliver the RokRAT backdoor. The attack used a large padded LNK file containing a decoy PDF and malicious BAT logic, …
JumpCloud published a July 2023 incident IOC list for defenders responding to its targeted customer compromise investigation. The advisory identifies malicious domains to block for ingress and egress, including centos-repos.org, datadog-cloud.com, toyouro…
JumpCloud disclosed that a sophisticated nation-state actor gained unauthorized access to part of its infrastructure after a June 22 spear-phishing campaign and was detected on June 27 through anomalous activity in an internal orchestration system. The in…
Qianxin's 2023 midyear APT report says its telemetry saw Lazarus among the foreign APT groups communicating with suspected compromised IP addresses in China during the first half of 2023. The report places Lazarus at about 6% of suspected controlled domes…
JPCERT/CC analyzed DangerousPassword activity, also known as CryptoMimic or SnatchCrypto, targeting developers at cryptocurrency exchanges across Windows, macOS, and Linux systems. The attackers seeded malicious code into developer-facing Python and Node.…
NSHC’s May 2023 ThreatRecon report identified five North Korean government-supported SectorA groups active during the collection window. SectorA01 targeted vulnerable Windows IIS servers in the United States with downloader malware, while SectorA02 used Z…
Group123, also tracked as ScarCruft/APT-Q-3 and linked by the source to North Korea, has recently increased attacks against South Korean targets using oversized LNK files disguised as legitimate documents. The campaign uses spear-phishing-style archives c…
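Both the APT-C-28/ScarCruft entry above and this one describe the same artefact: a .lnk file padded far beyond normal shortcut size, named to look like a document, with a decoy PDF and batch logic carried inside. The triage script below is an added example, not code from 360 or AhnLab; it checks the MS-SHLLINK header, then applies three heuristics (file size against a threshold, a document-then-.lnk double extension, and embedded PDF or batch markers after the header). The size threshold, the extension list and the marker patterns are assumptions, and the sample shortcut is constructed in memory to mimic the described padding.

```python
"""Heuristic triage of Windows .lnk files for the oversized, padded shortcuts
described above. Added example, not code from 360 or AhnLab; thresholds,
extension list and marker patterns are assumptions."""
import re
import struct

LNK_HEADER_SIZE = 0x4C  # MS-SHLLINK: HeaderSize is always 0x4C
# MS-SHLLINK LinkCLSID 00021401-0000-0000-C000-000000000046 as laid out on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
DEFAULT_SIZE_THRESHOLD = 256 * 1024  # assumption: benign shortcuts are a few KB

# A document extension immediately before .lnk (e.g. invoice.pdf.lnk).
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|hwp|xlsx?|pptx?|txt)\.lnk$", re.IGNORECASE)
# Content that has no business inside a shortcut file.
EMBEDDED_MARKERS = {
    "pdf": re.compile(rb"%PDF-\d\.\d"),
    "batch": re.compile(rb"@echo off|setlocal|\bgoto\b|\bfor /f\b", re.IGNORECASE),
}


def is_lnk(data: bytes) -> bool:
    """True if the data starts with a valid MS-SHLLINK header."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def analyze_lnk(name: str, data: bytes,
                size_threshold: int = DEFAULT_SIZE_THRESHOLD) -> dict:
    """Apply the size, naming and embedded-content heuristics to one file."""
    result = {"name": name, "is_lnk": is_lnk(data), "size": len(data),
              "findings": [], "suspicious": False}
    if not result["is_lnk"]:
        return result
    if len(data) > size_threshold:
        result["findings"].append(f"oversized:{len(data)}")
    if DOUBLE_EXT.search(name):
        result["findings"].append("double-extension")
    for label, pattern in EMBEDDED_MARKERS.items():
        match = pattern.search(data, LNK_HEADER_SIZE)  # skip the fixed header
        if match:
            result["findings"].append(f"embedded-{label}@{match.start()}")
    result["suspicious"] = bool(result["findings"])
    return result


def build_sample_lnk(padding_size: int, decoy: bytes, script: bytes) -> bytes:
    """Constructed sample: a minimal LNK header, junk padding, then a decoy PDF
    and a batch script appended, mimicking the padded shortcuts in the reports.
    It is not a functional shortcut."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    padding = bytes(range(256)) * (padding_size // 256)
    return header + padding + decoy + script


def demo() -> dict:
    """Triage a constructed 300 KiB shortcut named like a PDF."""
    sample = build_sample_lnk(300 * 1024,
                              b"%PDF-1.7\n%decoy document\n",
                              b"@echo off\r\nsetlocal\r\n")
    return analyze_lnk("invoice.pdf.lnk", sample)


if __name__ == "__main__":
    report = demo()
    print(f"{report['name']}: suspicious={report['suspicious']} "
          f"size={report['size']} findings={report['findings']}")
```

Because the markers are searched as raw bytes, a benign shortcut whose target path happens to contain a keyword will not trip the batch rule unless the path is stored in ANSI, so treat any single finding as a prompt to extract and inspect the tail of the file rather than as a verdict on its own.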
ESET threat report excerpt (extraction garbled; only fragments recoverable): a sidebar question "…questions – where has all the cryptomalware gone?" attributed to Lukáš Štefanko, ESET Senior Malware …; the figure caption "Geographic distribution of SpyLoan detections seen by ESET telemetry in H1 2023"; and the body fragments "Ever since ESET started tracking cryptocurrency…" and "Conversely, the cryptocurrency threats tr…".
Based on the function names used by the malware and the parameters in its download URLs, it is suspected to have been distributed by the Kimsuky group. The malware downloads different scripts depending on which anti-malware processes are running on the host, including AhnLab prod…
Genians disclosed a suspected compromise involving its Genian NAC update server after unidentified files were transmitted from the cloud update service to some customer NAC policy servers. The company said it notified affected partners and customers, work…
AhnLab ASEC reported that Kimsuky activity increased slightly in May 2023 compared with April. The report notes newly observed top-level domains and small code changes, indicating continued infrastructure and implementation adjustments across Kimsuky oper…
ReversingLabs described Operation Brainleeches as a malicious npm campaign in which more than a dozen packages supported both Microsoft 365 phishing and software supply-chain compromise. The first tranche hosted files for phishing emails that launched fak…