Malicious code in @cloudplatform-single-spa/installations (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

North Korea's Lazarus Group Deploys New Kaolin RAT via Fake Job Lures

The North Korea-linked threat actor known as Lazarus Group employed its time-tested fabricated job lures to deliver a new remote access trojan called Kaolin RAT. The malware could, "aside from standard RAT functionality, change the last write timestamp of a selected file and load any received DLL...

PSA: Fake CVE-2023-45124 Phishing Scam Tricks Users Into Installing Backdoor Plugin

The Wordfence Threat Intelligence Team has recently been informed of a phishing campaign targeting WordPress users. The Phishing email claims to be from the WordPress team and warns of a Remote Code Execution vulnerability on the users site with an identifier of CVE-2023-45124, which is not...

Chinese Hackers Using SugarGh0st RAT to Target South Korea and Uzbekistan

A suspected Chinese-speaking threat actor has been attributed to a malicious campaign that targets the Uzbekistan Ministry of Foreign Affairs and South Korean users with a remote access trojan called SugarGh0st RAT. The activity, which commenced no later than August 2023, leverages two different...

New SugarGh0st RAT targets Uzbekistan government and South Korea

Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan RAT we dubbed "SugarGh0st." We found evidence suggesting the threat actor is targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea. We...

Threat Advisory: 3CX Softphone Supply Chain Compromise

Cisco Talos is tracking and actively responding to a supply chain attack involving the 3CX Desktop Softphone application. This is a multi-stage attack that involves sideloading DLLs, seven-day sleep routines, and additional payloads dependent on a now-removed GitHub repository for Windows-based...

MyloBot Botnet Spreading Rapidly Worldwide: Infecting Over 50,000 Devices Daily

A sophisticated botnet known as MyloBot has compromised thousands of systems, with most of them located in India, the U.S., Indonesia, and Iran. That's according to new findings from BitSight, which said it's "currently seeing more than 50,000 unique infected systems every day," down from a high ...

A new secret stash for “fileless” malware

In February 2022 we observed the technique of putting the shellcode into Windows event logs for the first time "in the wild" during the malicious campaign. It allows the "fileless" last stage Trojan to be hidden from plain sight in the file system. Such attention to the event logs in the campaign...

Social Media Hijacking Malware Spreading Through Gaming Apps on Microsoft Store

A new malware capable of controlling social media accounts is being distributed through Microsoft's official app store in the form of trojanized gaming apps, infecting more than 5,000 Windows machines in Sweden, Bulgaria, Russia, Bermuda, and Spain. Israeli cybersecurity company Check Point dubbe...

Looking Over the Nation-State Actors’ Shoulders

Looking over the nation-state actors’ shoulders: Even they have a difficult day sometimes By Trellix and Marc Elias · Febraury 17, 2022 Have you ever been curious about how nation-state actors operate and what their day-to-day work looks like? This blog reveals some of these details observed base...

Hackers-For-Hire Group Develops New 'PowerPepper' In-Memory Malware

Cybersecurity researchers on Thursday disclosed details of a previously undiscovered in-memory Windows backdoor developed by a hacker-for-hire operation that can execute remotely malicious code and steal sensitive information from its targets in Asia, Europe, and the US. Dubbed "PowerPepper" by...

OilRig’s Poison Frog – old samples, same trick

After we wrote our private report on the OilRig leak, we decided to scan our archives with our YARA rule, to hunt for new and older samples. Aside from finding some new samples, we believe we also succeeded in finding some of the first Poison Frog samples. Poison Frog We're not quite sure whether...

Domain Hunter - Checks Expired Domains For Categorization/Reputation And Archive.org History To Determine Good Candidates For Phishing And C2 Domain Names

Domain name selection is an important aspect of preparation for penetration tests and especially Red Team engagements. Commonly, domains that were used previously for benign purposes and were properly categorized can be purchased for only a few dollars. Such domains can allow a team to bypass...

LuckyMouse hits national data center to organize country-level waterholing campaign

What happened? In March 2018 we detected an ongoing campaign targeting a national data center in the Central Asia that we believe has been active since autumn 2017. The choice of target made this campaign especially significant – it meant the attackers gained access to a wide range of government...

Massive Spam Campaign Targets Unpatched Systems

Cybercriminals are leveraging a recently patched critical Adobe Flash Player vulnerability in a massive spam campaign targeting unpatched computers. According to cybersecurity firm Morphisec, cybercriminals are blasting spam messages that urge recipients to click a link to download a Word documen...