A Deep Dive into Water Gamayun’s Arsenal and Infrastructure

Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework CVE-2025-26633 to execute malicious code on infected machines...

How Ransomware Is Delivered and How to Prevent Attacks

...

Ebury Botnet Malware Compromises 400,000 Linux Servers Over Past 14 Years

A malware botnet called Ebury is estimated to have compromised 400,000 Linux servers since 2009, out of which more than 100,000 were still compromised as of late 2023. The findings come from Slovak cybersecurity firm ESET, which characterized it as one of the most advanced server-side malware...

SuperSize Me

SuperSize Me By Floser Bacurio Jr., Bernadette Canubas, Michaelo Oliveros · April 02, 2024 Introduction Cyber attackers are always finding new ways to outsmart security systems and distribute malware effectively. We discovered an interesting detection evasion technique of delivering archive files...

Raccoon Infostealer operator extradited to the United States

A Ukrainian national, Mark Sokolovsky, has been indicted for crimes related to fraud, money laundering and aggravated identity theft and extradited to the United States from the Netherlands, the US Attorney’s Office of the Western District of Texas has announced. In March 2022, around the same ti...

A history of ransomware: How did it get this far?

Today's ransomware is the scourge of many organizations. But where did it start? If we define ransomware as malware that encrypts files to extort the owner of the system, then the first malware that could be classified as ransomware is the 1989 AIDS Trojan. However, while it encrypted filenames a...

Chinese Hackers Use HTML Smuggling to Infiltrate European Ministries with PlugX

A Chinese nation-state group has been observed targeting Foreign Affairs ministries and embassies in Europe using HTML smuggling techniques to deliver the PlugX remote access trojan on compromised systems. Cybersecurity firm Check Point said the activity, dubbed SmugX, has been ongoing since at...

Webinar — A MythBusting Special: 9 Myths about File-based Threats

Bad actors love to deliver threats in files. Persistent and persuasive messages convince unsuspecting victims to accept and open files from unknown sources, executing the first step in a cyber attack. This continues to happen whether the file is an EXE or a Microsoft Excel document. Far too often...

Tracking the Stealthy Movements of Vidar Info-Stealer Malware

Threat Level Attack Report For a detailed threat advisory, download the pdf file here Summary Vidar is an info-stealer malware that was first spotted in the wild in late 2018. It is considered a distinct fork of the Arkei malware family and has a simple business model where customers pay between...

DEV-0569 finds new ways to deliver Royal ransomware, various payloads

Recent activity from the threat actor that Microsoft tracks as DEV-0569, known to distribute various payloads, has led to the deployment of the Royal ransomware, which first emerged in September 2022 and is being distributed by multiple threat actors. Observed DEV-0569 attacks show a pattern of...

New Report Uncovers Emotet's Delivery and Evasion Techniques Used in Recent Attacks

Threat actors associated with the notorious Emotet malware are continually shifting their tactics and command-and-control C2 infrastructure to escape detection, according to new research from VMware. Emotet is the work of a threat actor tracked as Mummy Spider aka TA542, emerging in June 2014 as ...

New Hacking Campaign by Transparent Tribe Hackers Targeting Indian Officials

A threat actor of likely Pakistani origin has been attributed to yet another campaign designed to backdoor targets of interest with a Windows-based remote access trojan named CrimsonRAT since at least June 2021. "Transparent Tribe has been a highly active APT group in the Indian subcontinent,"...

Mass-Scale Ransomware Attacks Providing Hackers the Ability to Earn Quick Money

During the past six months, the Carbon Black Threat Analysis Unit TAU analyzed more than 1,000 ransomware samples, categorizing them into 150 families, and found the following: Attackers are looking to make quick, easy money with unsophisticated malware combined with sophisticated delivery method...

WinRM Script Exec Remote Code Execution

This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2 and above and VBS CmdStager. The module will check if Powershell is available, and if so uses that method. Otherwise it falls back to the VBS...

Microsoft SQL Server - Payload Execution (via SQL Injection) (Metasploit)

$Id: mssqlpayloadsqli.rb 11730 2011-02-08 23:31:44Z jduck $ This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use...

Microsoft SQL Server Payload Execution via SQL Injection

This module will execute an arbitrary payload on a Microsoft SQL Server, using a SQL injection vulnerability. Once a vulnerability is identified this module will use xpcmdshell to upload and execute Metasploit payloads. It is necessary to specify the exact point where the SQL injection...