Discover how Lazarus leverages fake job sites in the ClickFake Interview campaign targeting crypto firms using the ClickFix tactic.
In this blog post, learn about the supply chain attack targeting Chrome browser extensions and the associated targeted phishing campaign.
Detect the ClickFix tactic: a social engineering technique using fake video calls and CAPTCHA pages to deploy malicious code.
Uncover the secrets of the Quad7 botnet and its ever-evolving toolset. Learn about the new backdoors and protocols used by these operators.
Analyse the ClickFix tactic and related campaigns. Uncover a ClickFix campaign impersonating Google Meet and cybercrime infrastructure.
Discover Mamba 2FA, a previously unknown adversary-in-the-middle (AiTM) phishing kit and sold as phishing-as-a-service (PhaaS).
Our TDR team has been investigating the WebDAV infrastructure used to distribute the Emmenhtal loader. Here are some key insights:
Uncover the secrets of the Quad7 botnet and its ever-evolving toolset. Learn about the new backdoors and protocols used by these operators.
Sekoia.io investigated the mysterious 7777 botnet (aka. Quad7 botnet), published by the independent researcher Gi7w0rm inside the “The curious case of the 7777 botnet” blogpost.
This investigation allowed us to intercept network communications and malware deployed on a TP-Link router compromised by the Quad7 botnet in France.
To our understanding, the Quad7 botnet operators leverage compromised TP-Link routers to relay password spraying attacks against Microsoft 365 accounts without any specific targeting.
Therefore, we link the Quad7 botnet activity to possible long term business email compromise (BEC) cybercriminal activity rather than an APT threat actor.
However, certain mysteries remain regarding the exploits used to compromise the routers, the geographical distribution of the botnet and the attribution of this activity cluster to a specific threat actor.
The insecure architecture of this botnet led us to think that it can be hijacked by other threat actors to install their own implants on the compromised TP-Link routers by using the Quad7 botnet accesses.
Uncover an in-depth analysis of PikaBot, a malware loader used by Initial Access Brokers for network compromise and ransomware deployment.
Tycoon 2FA has become one of the most widespread adversary-in-The-Middle (AiTM) phishing kits over the last few months.
Learn about key concepts and different crypters-related activities as well as the lucrative ecosystem of malicious groups that exploit them.
Learn about NoName057(16), a pro-Russian hacktivist group behind Project DDoSia targeting entities supporting Ukraine. Discover an overview of the changes made by the group, both from the perspective of the software shared by the group to generate DDoS attacks and the specifics of the evolution of the C2 servers. It also provides an overview of the country and sectors targeted by the group for 2024.
Discover our TDR team's revelations about Predator spyware: its C2 infrastructure and list of countries still using its cyber espionage tool.
Discover the techniques, tactics (TTPs) used by Scattered Spider intrusion set, including social engineering and targeted phishing campaigns.
Discover activities linking Korinets to CALISTO doxxing in our investigation. Uncover details from emails, domains & servers used to target UK Parliament & Cambridge University.
DDoSia is a DDoS attack toolkit used by the pro-Russia hacktivist group NoName057(16) against countries critical the invasion of Ukraine.
Exfiltrated Russian-written documents provide insights into cyber offensive tool projects contracted by Vulkan private firm for the Russian Ministry of Defense.
Scan-AS is a database used to map adversary networks in parallel or prior to cyber operations. Scan-AS is a subsystem of a wider management system used to conduct, manage and capitalize results of cyber operations.
Amezit is an information system aimed at managing the information flow on a limited geographical area. It allows communications interception, analysis and modification, and can create wide information campaigns through social media, email, altered websites or phone networks.
Raspberry Robin appears to be a type of Pay-Per-Install botnet, likely to be used by cybercriminals to distribute other malware.
