Lucene search

23 matches found

Malwarebytes | added 2026/03/26 5:39 p.m.

Infiniti Stealer: a new macOS infostealer using ClickFix and Python/Nuitka

A previously undocumented macOS infostealer has surfaced during our routine threat hunting. We initially tracked it as NukeChain, but shortly before publication, the malware's operator panel became publicly visible, revealing its real name: Infiniti Stealer. This malware is designed to steal...

AI score 6 | Exploits 0

Securelist | added 2025/06/06 10:00 a.m.

Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721

The abuse of known security flaws to deploy bots on vulnerable systems is a widely recognized problem. Many automated bots constantly search the web for known vulnerabilities in servers and devices connected to the internet, especially those running popular services. These bots often carry Remote...

CVSS 6.5 | AI score 8.5 | EPSS 0.76753 | Exploits 0

The Hacker News | added 2024/09/11 9:46 a.m.

Developers Beware: Lazarus Group Uses Fake Coding Tests to Spread Malware

Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments. "The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job...

AI score 7.6 | Exploits 0

The Hacker News | added 2023/11/02 9:21 a.m.

Iran's MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign

The Iranian nation-state actor known as MuddyWater has been linked to a new spear-phishing campaign targeting two Israeli entities to ultimately deploy a legitimate remote administration tool from N-able called Advanced Monitoring Agent. Cybersecurity firm Deep Instinct, which disclosed details o...

AI score 7.3 | Exploits 0

Trellix | added 2023/09/06 12:00 a.m.

QakBot's Endgame: The Final Move Before the Takedown

By Daksh Kapur, Nico Paulo Yturriaga and Alfred Alvarado, September 06, 2023. Qakbot, known under aliases like QBot, QuakBot, and Pinkslipbot, represents an intricately advanced malware strain that has...

AI score 8 | Exploits 0

Malwarebytes | added 2021/03/18 12:01 p.m.

HelloKitty: When Cyberpunk met cy-purr-crime

On February 9, after discovering a compromise, CD Projekt Red (CDPR) announced to its 1+ million followers on Twitter that it was the victim of a ransomware attack against its systems and made it clear they would not yield to the demands of the threat actors, nor negotiate. Cyberpunk 2077, the late...

Exploits 0

FireEye | added 2021/03/04 12:00 a.m.

New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452

Executive Summary: In August 2020, a U.S.-based entity uploaded a new backdoor that we have named SUNSHUTTLE to a public malware repository. SUNSHUTTLE is a second-stage backdoor written in GoLang that features some detection evasion capabilities. Mandiant observed SUNSHUTTLE at a victim compromis...

AI score 1 | Exploits 0 | References 2

The Hacker News | added 2020/07/28 6:48 a.m.

QSnatch Data-Stealing Malware Infected Over 62,000 QNAP NAS Devices

Cybersecurity agencies in the US and UK yesterday issued a joint advisory about a massive ongoing malware threat infecting Taiwanese company QNAP's network-attached storage (NAS) appliances. Called QSnatch or Derek, the data-stealing malware is said to have compromised 62,000 devices since reports...

AI score 0.8 | Exploits 0

The Hacker News | added 2020/05/13 2:25 p.m.

Researcher Spots New Malware Claimed to be 'Tailored for Air-Gapped Networks'

A cybersecurity researcher at ESET today published an analysis of a new piece of malware, a sample of which they spotted on the VirusTotal malware scanning engine, and believe the hacker behind it is likely interested in some high-value computers protected behind air-gapped networks. Dubbed 'Ramsa...

AI score 6.3 | Exploits 0

Talos Blog | added 2020/02/05 10:12 a.m.

Quarterly Report: Incident Response trends in fall 2019

By David Liebenberg and Kendall McKay. While many Cisco Talos Incident Response (CTIR) engagements have shown similar patterns over the past two quarters, we're seeing a dangerous trend emerge this winter. Threat actors are increasingly combining the exfiltration of sensitive data along with data...

AI score 0.3 | Exploits 0

ThreatPost | added 2019/10/30 12:58 p.m.

Android Malware Plaguing 45K Devices Remains a Mystery

Researchers are on the hunt for the infection vector behind a mysterious mobile malware that has infected over 45,000 Android devices in the past six months. Researchers said they have detected a surge in detections of the malware, dubbed Xhelper, which can hide itself from users, download...

AI score 0.3 | Exploits 0 | References 7

Talos Blog | added 2019/01/30 11:19 a.m.

Fake Cisco Job Posting Targets Korean Candidates

Edmund Brumaghin and Paul Rascagneres authored this post, with contributions from Jungsoo An. Executive summary: Cisco Talos recently observed a targeted malware campaign being leveraged in an attempt to compromise specific organizations. The infection vector associated with this campaign was a...

Exploits 0

Malwarebytes | added 2018/11/27 10:44 p.m.

Why Malwarebytes decided to participate in AV testing

Starting this month, Malwarebytes began participating in the antivirus software for Windows comparison test performed by AV-test.org. This is uncharted territory for us, as we have refrained from participating in these types of tests since our inception. Although recent testing results show...

AI score 7.2 | Exploits 0

Talos Blog | added 2018/07/31 9:38 a.m.

Multiple Cobalt Personality Disorder

Introduction: Despite the notion that modern cybersecurity protocols have stopped email-based attacks, email continues to be one of the primary attack vectors for malicious actors, both for widespread and targeted operations. Recently, Cisco Talos has observed numerous email-based attacks that ar...

CVSS 9.3 | EPSS 0.94354 | Exploits 79

ThreatPost | added 2018/03/27 3:07 p.m.

GoScanSSH Malware Targets SSH Servers, But Avoids Military and .GOV Systems

Researchers have identified a new malware family, dubbed GoScanSSH, that targets public facing SSH servers, but avoids those linked to government and military IP addresses. The malware has been in the wild since June 2017 and exhibits a number of unique characteristics, such as being written in t...

AI score 1.2 | Exploits 0 | References 1

FireEye | added 2017/07/25 5:00 p.m.

HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign

A wide variety of threat actors began distributing HawkEye malware through high-volume email campaigns after it became available for purchase via a public-facing website. The actors behind the phishing campaigns typically used email themes based on current events and media reports that would piqu...

AI score 7.3 | Exploits 0 | References 2

n0where | added 2017/02/13 9:25 p.m.

USB Key Cleaner: CIRCLean

Malware regularly uses USB sticks to infect victims, and the abuse of USB sticks is a common vector of infection. CIRCLean is an independent hardware solution to clean documents from untrusted (obtained) USB keys / USB sticks. The device automatically converts untrusted documents in...

AI score 7.3 | Exploits 0 | References 1

FireEye | added 2016/06/20 12:00 p.m.

Resurrection of the Evil Miner

At FireEye Labs, we recently detected the resurgence of a coin mining campaign with a novel and unconventional infection vector in the form of an iFRAME (inline frame), an HTML document embedded inside another HTML document on a web page that allows users to get content from another separate sourc...

AI score 7.2 | Exploits 0 | References 1

ThreatPost | added 2015/02/17 11:40 a.m.

Desert Falcons: First Arabic Cyberespionage Operation Uncovered

CANCUN, Mexico. A Middle Eastern cyberespionage gang is capitalizing on subpar security practices in the region to backdoor a mix of business, political and military targets. Dubbed Desert Falcons, the gang is thought to be the first Arabic APT operation, according to researchers at Kaspersky La...

AI score 0.3 | Exploits 0