As botnets continue to evolve, so do the techniques required to detect them. While Transport Layer Security (TLS) encryption is widely adopted for secure communications, botnets leverage TLS to obscure command-and-control (C2) traffic. These malicious actors often have identifiable characteristics embedded within their TLS certificates, opening a potential pathway for advanced detection techniques.
In first-of-its-kind research, Rapid7’s Dr. Stuart Millar, in collaboration with Kumar Shashwat, Francis Hahn and Prof. Xinming Ou, at the University of South Florida, studied the use of AI large language models (LLMs) to detect botnets’ use of TLS encryption by analyzing embedding similarities to weed out botnets within a sea of benign TLS certificates.
Read more…
Source: Rapid7
Related:
- Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal
March 3, 2025
The Trend Micro Managed XDR and Incident Response (IR) teams recently analyzed incidents where threat actors deploying Black Basta and Cactus ransomware used the same BackConnect malware to strengthen their foothold on compromised machines. The BackConnect malware is a tool that cybercriminals use to establish and maintain persistent control over compromised systems. Once infiltrated, it grants ...
- Havoc: SharePoint with Microsoft Graph API turns into FUD C2
March 3, 2025
Havoc is a powerful command-and-control (C2) framework. Like other well-known C2 frameworks, such as Cobalt Strike, Silver, and Winos4.0, Havoc has been used in threat campaigns to gain full control over the target. Additionally, It is open-source and available on GitHub, making it easier for threat actors to modify it to evade detection. FortiGuard Labs recently ...
- Uncovering .NET Malware Obfuscated by Encryption and Virtualization
March 3, 2025
This article examines obfuscation techniques used in popular malware families, and offers some insights into possible opportunities for automating unpacking of these malware samples. Palo Alto researchers will examine these behaviors in samples we have observed, showing how to extract their configuration parameters through unpacking each stage. Performing this same process through automation would allow a ...
- Mobile malware evolution in 2024
March 3, 2025
These statistics are based on detection alerts from Kaspersky products, collected from users who consented to provide statistical data to Kaspersky Security Network. The statistics for previous years may differ from earlier publications due to a data and methodology revision implemented in 2024. According to Kaspersky Security Network, in 2024: A total of 33.3 million attacks involving ...
- Philippines: 5.4M cyber attacks against government agencies deterred in 2024
March 1, 2025
The Department of Information and Communications Technology (DICT) was able to prevent over 5 million attempts to compromise the cybersecurity of several government agencies last year. “In 2024, the DICT automatically deterred approximately 5.4 million malicious attempts against 32 government agencies connected to our national security operations,” DICT Undersecretary for Cybersecurity Jeffrey Ian Dy said at ...
- The evolution of Dark Caracal tools: analysis of a campaign featuring Poco RAT
February 28, 2025
In early 2024, analysts at the Positive Technologies Expert Security Center (PT ESC) discovered a malicious sample. The cybersecurity community named it Poco RAT after the POCO libraries in its C++ codebase. At the time of its discovery, the sample had not been linked to any known threat group. The malware came loaded with a full ...