Cyberveille, curated by Decio
page 8 / 19
377 results tagged analysis
PCTattletale leaks victims' screen recordings to entire Internet https://www.ericdaigle.ca/pctattletale-leaking-screen-captures/
28/05/2024 08:15:57

PCTattletale is a simple stalkerware app. Rather than the sophisticated monitoring of many similarly insecure competitors, it simply asks for permission to record the targeted device (Android and Windows are supported) on infection. Afterward the observer can log in to an online portal and activate recording, at which point a screen capture is taken on the device and played on the target's browser.

ericdaigle EN 2024 PCTattletale analysis stalkerware screen recordings leak
To the Moon and back(doors): Lunar landing in diplomatic missions https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/
17/05/2024 09:22:41

ESET researchers provide a technical analysis of the Lunar toolset, likely used by the Turla APT group, that infiltrated a European ministry of foreign affairs.

welivesecurity EN 2024 Lunar toolset Turla APT EU European ministry analysis
Leveraging DNS Tunneling for Tracking and Scanning https://unit42.paloaltonetworks.com/three-dns-tunneling-campaigns/
14/05/2024 18:52:34

This article presents a case study on new applications of domain name system (DNS) tunneling we have found in the wild. These techniques expand beyond DNS tunneling only for command and control (C2) and virtual private network (VPN) purposes.

Malicious actors occasionally employ DNS tunneling as a covert communications channel, because it can bypass conventional network firewalls. This allows C2 traffic and data exfiltration that can remain hidden from some traditional detection methods.
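The covert channel described above still leaves measurable traces in passive DNS logs: tunneled payloads ride in long, high-entropy subdomain labels, and one domain receives many subdomains that are never queried twice. The detector below is an added example, not code from the Unit 42 article; the log layout, the thresholds and the sample queries (including the evil-tunnel.example domain) are constructed assumptions for illustration.

```python
"""Heuristic DNS-tunneling detector run over constructed DNS query logs.

Added illustration, not the Unit 42 tooling. The log layout
(timestamp client qtype qname), the thresholds and the sample domain
evil-tunnel.example are all assumptions made for this example.
"""
import math
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample log. The four queries to evil-tunnel.example carry
# 32 hex characters of payload split across two labels, which is how a
# tunnel typically smuggles data out inside the question name.
SAMPLE_LOG = """\
2024-05-14T10:00:01 10.0.0.5 A    www.example.com
2024-05-14T10:00:02 10.0.0.5 AAAA mail.example.com
2024-05-14T10:00:03 10.0.0.7 TXT  0123456789abcdef.f7a3c1e59b0d2846.evil-tunnel.example
2024-05-14T10:00:04 10.0.0.7 TXT  3e1d5c7b9a0f2846.b4d6f8a0c2e13579.evil-tunnel.example
2024-05-14T10:00:05 10.0.0.7 TXT  9f8e7d6c5b4a3210.a1b2c3d4e5f60789.evil-tunnel.example
2024-05-14T10:00:06 10.0.0.7 TXT  5a4b3c2d1e0f6789.fedcba9876543210.evil-tunnel.example
2024-05-14T10:00:07 10.0.0.5 A    cdn.example.com
"""


def shannon_entropy(text):
    """Bits of entropy per character; uniformly random hex tops out at 4.0."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_queries(log_text):
    """Yield (client, qtype, qname) tuples from the constructed log format."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _timestamp, client, qtype, qname = parts
        yield client, qtype.upper(), qname.lower().rstrip(".")


def split_name(qname):
    """Split a query name into (subdomain, registered domain).

    Assumption: the registered domain is the last two labels. A real
    deployment should use the Public Suffix List so that names under
    co.uk and similar suffixes are grouped correctly.
    """
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_domains(log_text, min_entropy=3.5, min_unique=3, min_length=30):
    """Aggregate per registered domain and apply the tunneling heuristic.

    A domain is marked suspicious when it receives at least min_unique
    distinct subdomains whose mean entropy and mean length both reach the
    thresholds. The thresholds are assumptions for this example; tune them
    against your own baseline, since CDNs, anti-spam lookups and some
    telemetry legitimately produce long machine-generated labels.
    """
    subdomains = defaultdict(set)
    qtypes = defaultdict(Counter)
    for _client, qtype, qname in parse_queries(log_text):
        sub, domain = split_name(qname)
        if sub:
            subdomains[domain].add(sub)
            qtypes[domain][qtype] += 1

    report = {}
    for domain, subs in subdomains.items():
        payloads = [s.replace(".", "") for s in subs]  # entropy over payload chars only
        avg_entropy = mean(shannon_entropy(p) for p in payloads)
        avg_length = mean(len(s) for s in subs)
        report[domain] = {
            "unique_subdomains": len(subs),
            "mean_entropy": avg_entropy,
            "mean_length": avg_length,
            "qtypes": dict(qtypes[domain]),  # TXT/NULL-heavy mixes are a further tell
            "suspicious": (
                len(subs) >= min_unique
                and avg_entropy >= min_entropy
                and avg_length >= min_length
            ),
        }
    return report


def flagged_domains(log_text, **thresholds):
    """Return the sorted list of domains the heuristic marks suspicious."""
    return sorted(d for d, r in score_domains(log_text, **thresholds).items()
                  if r["suspicious"])


if __name__ == "__main__":
    for domain, r in score_domains(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{domain:24} subs={r['unique_subdomains']} H={r['mean_entropy']:.2f} "
              f"len={r['mean_length']:.1f} qtypes={r['qtypes']} -> {flag}")
```

Run against the constructed log, only evil-tunnel.example is flagged: its subdomains average 4.0 bits per character and 33 characters, while example.com's www, mail and cdn labels score far below both thresholds. In production the same aggregation is usually done per client over a sliding window, with query volume and the share of TXT or NULL queries added as further signals, since a tunnel that fragments its payload into short labels can slip under a length threshold alone.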

unit42 EN 2024 DNS Tunneling Tracking Scanning research analysis
Analysis of TargetCompany's Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware) https://asec.ahnlab.com/en/64921/
03/05/2024 08:42:00

While monitoring attacks targeting MS-SQL servers, AhnLab SEcurity intelligence Center (ASEC) recently identified cases of the TargetCompany ransomware group installing the Mallox ransomware. The TargetCompany ransomware group primarily targets improperly managed MS-SQL servers to install the Mallox ransomware. While these attacks have been ongoing for several years, here we will outline the correlation between the newly identified malware and previous attack cases involving the distribution of the Tor2Mine CoinMiner and BlueSky ransomware.

asec.ahnlab EN 2024 MS-SQL servers CoinMiner BlueSky ransomware analysis
Unveiling the depths of residential proxies providers https://www.orangecyberdefense.com/be/blog/unveiling-the-depths-of-residential-proxies-providers
01/05/2024 11:03:39

Analysts from Sekoia.io and Orange Cyberdefense delve into the phenomenon of RESIP, explore the actual market landscape, which is composed of multiple shady providers, and explain how cyber threat actors abuse or even directly provide such services.

orangecyberdefense EN 2024 analysis residential proxies providers
Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware https://blog.kandji.io/malware-cuckoo-infostealer-spyware
01/05/2024 00:29:09

Kandji's threat research team has discovered a piece of malware that combines aspects of an infostealer and spyware. Here's how it works.

kandji EN 2024 spyware infostealer cuckoo analysis
Kapeka: A novel backdoor spotted in Eastern Europe https://labs.withsecure.com/publications/kapeka
24/04/2024 12:15:06

This report provides an in-depth technical analysis of the backdoor and its capabilities, and analyzes the connection between Kapeka and the Sandworm group. The purpose of this report is to raise awareness amongst businesses, governments, and the broader security community. WithSecure has engaged governments and select customers with advanced copies of this report. In addition to the report, we are releasing several artifacts developed as a result of our research, including a registry-based and hardcoded configuration extractor, a script to decrypt and emulate the backdoor’s network communication, and, as might be expected, a list of indicators of compromise, YARA rules, and a MITRE ATT&CK mapping.

withsecure EN 2024 Kapeka analysis Sandworm
CVE-2024-20356: a Cisco appliance to run DOOM https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/
23/04/2024 11:07:42

Exploiting remote code execution in Cisco's CIMC management system and jailbreaking the device to run untrusted code

nettitude EN 2024 CVE-2024-20356 DOOM Jailbreaking CIMC analysis
Security Brief: TA547 Targets German Organizations with Rhadamanthys Stealer https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer
17/04/2024 11:57:54

What happened: Proofpoint identified TA547 targeting German organizations with an email campaign delivering Rhadamanthys malware. This is the first time researchers observed TA547 use Rhadamanthys,...

proofpoint EN 2024 LLM chatgpt analysis TA547 Rhadamanthys Stealer
Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400) https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
17/04/2024 11:04:20

Welcome to April 2024, again. We’re back, again.

Over the weekend, we were all greeted by now-familiar news—a nation-state was exploiting a “sophisticated” vulnerability for full compromise in yet another enterprise-grade SSLVPN device.

We’ve seen all the commentary around the certification process of these devices for certain .GOVs - we’re not here to comment on that, but sounds humorous.

watchtowr EN 2024 CVE-2024-3400 SSLVPN Paloalto GlobalProtect analysis
From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering  | Proofpoint US https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering
16/04/2024 14:18:04

Key takeaways: TA427 regularly engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the No...

proofpoint EN 2024 DMARC Abuse TA427 analysis North-Korea
Kaspersky analysis of the backdoor in XZ https://securelist.com/xz-backdoor-story-part-1/112354/
13/04/2024 03:32:39

Kaspersky analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and in the OpenSSH server process.

securelist EN 2024 Backdoor Cyber-espionage Linux Malware analysis Malware-Descriptions Malware-Technologies SSH XZ
Qakbot Strikes Back: Understanding the Threat https://www.binarydefense.com/resources/blog/qakbot-strikes-back-understanding-the-threat/
05/04/2024 09:11:03

Binary Defense threat researchers analyzed the reemergence of the QakBot botnet. The new QakBot DLL has undergone some minor changes.

binarydefense EN 2024 Qakbot analysis botnet
Distinctive Campaign Evolution of Pikabot Malware https://www.mcafee.com/blogs/other-blogs/mcafee-labs/distinctive-campaign-evolution-of-pikabot-malware/
05/04/2024 09:10:00

Authored by Anuradha and Preksha. Introduction: PikaBot is a malicious backdoor that has been active since early 2023. Its modular design is comprised of a

mcafee EN 2024 analysis Pikabot Malware
DJI Mavic 3 Drone Research: Vulnerability Analysis https://www.nozominetworks.com/blog/dji-mavic-3-drone-research-part-2-vulnerability-analysis
03/04/2024 23:00:22

Nozomi Networks Labs found 9 vulnerabilities in DJI drones - we outline the research process for identifying and mitigating these security issues.

nozominetworks EN 2024 DJI drones vulnerabilities Analysis
GitHub - amlweems/xzbot: notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094) https://github.com/amlweems/xzbot?tab=readme-ov-file#ed448-patch
01/04/2024 18:42:40

notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094) - amlweems/xzbot

amlweems EN 2024 CVE-2024-3094 xz backdoor honeypot analysis
xz/liblzma: Bash-stage Obfuscation Explained - gynvael.coldwind//vx.log https://gynvael.coldwind.pl/?lang=en&id=782
01/04/2024 10:35:47

Yesterday Andres Freund emailed oss-security@ informing the community of the discovery of a backdoor in xz/liblzma, which affected OpenSSH server (huge respect for noticing and investigating this). Andres' email is an amazing summary of the whole drama, so I'll skip that. While admittedly the most juicy and interesting part is the obfuscated binary with the backdoor, the part that caught my attention – and what this blogpost is about – is the initial part in bash and the simple-but-clever obfuscation methods used there. Note that this isn't a full description of what the bash stages do, but rather a write-up of how each stage is obfuscated and extracted.

gynvael EN xz liblzma analysis CVE-2024-3094
Cybercriminals Transform Raspberry Pi into a Tool for Fraud and Anonymization: GEOBOX Discovery https://www.resecurity.com/blog/article/cybercriminals-transform-raspberry-pi-into-a-tool-for-fraud-and-anonymization-geobox-discovery?ref=news.risky.biz
29/03/2024 10:26:20
resecurity EN 2024 Raspberry-Pi GEOBOX analysis tool Fraud Anonymization
Diving Deeper into AI Package Hallucinations https://www.lasso.security/blog/ai-package-hallucinations
28/03/2024 19:07:30

Lasso Security's recent research on AI Package Hallucinations extends the attack technique to GPT-3.5-Turbo, GPT-4, Gemini Pro (Bard), and Coral (Cohere).

lasso EN 2024 AI Package Hallucinations GPT-4 Bard Cohere analysis LLM
Tycoon 2FA: an in-depth analysis of the latest version of the AiTM phishing kit https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/
26/03/2024 09:09:23

Tycoon 2FA has become one of the most widespread adversary-in-the-middle (AiTM) phishing kits over the last few months.

sekoia EN 2024 Tycoon2FA phishing PhaaS AiTM phishing-kit analysis
4481 links
Shaarli - The personal, minimalist, super-fast, database free, bookmarking service by the Shaarli community - Theme by kalvn - Curated by Decio