Ransomware actor exploits unsupported ColdFusion servers – but comes away empty-handed

Servers are always a point of interest for threat actors as they are one of the most efficient attack vectors to penetrate an organization. Server-related accounts often have the highest privilege levels, making lateral movement to other machines in the Read More …

New campaign uses government, union-themed lures to deliver Cobalt Strike beacons

Cisco Talos recently discovered a malicious campaign with a modularised attack technique to deliver Cobalt Strike beacons on infected endpoints. The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit Read More …

Keeping PowerShell: Security Measures to Use and Embrace

Cybersecurity authorities from the United States, New Zealand, and the United Kingdom recommend proper configuration and monitoring of PowerShell, as opposed to removing or disabling PowerShell entirely. This will provide benefits from the security capabilities PowerShell can enable while reducing Read More …

Ukraine supporters in Germany targeted with PowerShell RAT malware

An unknown threat actor is targeting German users interested in the Ukraine crisis, infecting them with a custom PowerShell RAT (remote access trojan) and stealing their data. The malware campaign uses a decoy site to lure users into fake news Read More …

What did DeathStalker hide between two ferns?

DeathStalker is a threat actor who has been active starting 2012 at least, and we exposed most of his past activities in a previous article, as well as during a GREAT Ideas conference in August 2020. The actor draught our Read More …

More xHunt – New PowerShell Backdoor Blocked Through DNS Tunnel Detection

During our continued analysis of the xHunt campaign, we observed several domains with ties to the pasta58[.]com domain associated with known Sakabota command and control (C2) activity. In June 2019, we observed one of these overlapping domains, specifically, windows64x[.]com, being used as the Read More …

‘Purple Fox’ Fileless Malware with Rookit Component Delivered by Rig Exploit Kit Now Abuses PowerShell

Exploit kits may no longer be as prolific as it was back when their activities were detected in the millions, but their recurring activities in the first half of 2019 indicate that they won’t be going away any time soon. The Rig exploit kit, for Read More …

DanaBot banking Trojan jumps from Australia to Germany in quest for new targets

The DanaBot banking Trojan is on the move and has traveled across the sea in a pivot from its original focus on Australia to strike European targets. DanaBot was first discovered by Proofpoint researchers last year. The malware was observed striking Australian Read More …