In recent weeks, Rapid7 has observed an increased volume of incidents involving domains generated by domain generation algorithms (DGAs).
DGAs are a known technique leveraged by malware authors to quickly create a large number of domain names, which will point to command and control (C2) servers operated by the attackers. Observed domains shared multiple commonalities such as .infotop-level domains and a fixed length of 24 alphanumeric characters. Attacks that start with a ClickFix social engineering lure quickly morph into more sophisticated campaigns using PowerShell scripts hosted on a remote server for in-memory execution of obfuscated .NET loader, which in turn injects a newly-discovered infostealer into MSBuild.exe via process hollowing.
Read more…
Source: Rapid7
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- The HoneyMyte APT evolves with a kernel-mode rootkit and a ToneShell backdoor
December 29, 2025
In mid-2025, Kaspersky researchers identified a malicious driver file on computer systems in Asia. The driver file is signed with an old, stolen, or leaked digital certificate and registers as a mini-filter driver on infected machines. Its end-goal is to inject a backdoor Trojan into the system processes and provide protection for malicious files, user-mode ...
- CVE-2025-14847: Critical Memory Leak in MongoDB Allowing Attackers to Extract Sensitive Data
December 29, 2025
On December 19, 2025, MongoDB Inc. disclosed a critical new vulnerability, CVE-2025-14847, which has since been dubbed MongoBleed. This vulnerability is a high-severity unauthenticated memory leak affecting MongoDB, one of the world’s most popular document-oriented databases. While initially identified as a data exposure flaw, the severity is underscored by the fact that it allows attackers ...
- Malware in 2025 spread far beyond Windows PCs
December 29, 2025
If there’s one thing that became very clear in 2025, it’s that malware is no longer focused on Windows alone. We’ve seen some major developments, especially in campaigns targeting Android and macOS. Unfortunately, many people still don’t realize that protecting smartphones, tablets, and other connected devices is just as essential as securing their laptops. Banking Trojans ...
- Accused data thief threw MacBook into a river to destroy evidence
December 29, 2025
South Korean e-tailer Coupang claims a former employee has admitted to improperly accessing data describing 33 million of its customers, but says the accused deleted the stolen data. In a post published on Christmas, Coupang revealed it worked with Mandiant, Palo Alto Networks, and Ernst & Young, to conduct a forensic investigation into the incident, and ...
- South Korea: Shinhan Card reports massive data breaches
December 26, 2025
Shinhan Card, one of the country’s top credit card issuers, reported a massive data leak Tuesday. The Seoul-based company said more than 190,000 cases of potential data exposure have been identified that involve merchant partners’ personal and business information. The incident seems to stem from employee actions rather than an external cyberattack. Against this backdrop, Shinhan ...
- Threat landscape for industrial automation systems in Q3 2025
December 25, 2025
In Q3 2025, the percentage of ICS computers on which malicious objects were blocked decreased from the previous quarter by 0.4 pp to 20.1%. This is the lowest level for the observed period. Regionally, the percentage of ICS computers on which malicious objects were blocked ranged from 9.2% in Northern Europe to 27.4% in Africa. The most ...