Detecting Concept Drift in Evolving Malware Families Using Rule-Based Classifier Representations

This work proposes a structural approach to concept drift detection in malware classification using decision tree rulesets. Classifiers are trained across temporal windows on the EMBER2024 dataset, and drift is quantified by comparing extracted rule representations using feature importance,...

From HealthKick to GOVERSHELL: The Evolution of UTA0388's Espionage Malware

A China-aligned threat actor codenamed UTA0388 has been attributed to a series of spear-phishing campaigns targeting North America, Asia, and Europe that are designed to deliver a Go-based implant known as GOVERSHELL. "The initially observed campaigns were tailored to the targets, and the message...

Understanding Malware Propagation Dynamics through Scientific Machine Learning

Accurately modeling malware propagation is essential for designing effective cybersecurity defenses, particularly against adaptive threats that evolve in real time. While traditional epidemiological models and recent neural approaches offer useful foundations, they often fail to fully capture the...

Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations

The LockBit ransomware gang recently suffered a significant data breach. Their dark web affiliate panels were defaced with the message "Don't do crime CRIME IS BAD xoxo from Prague," linking to a MySQL database dump. This archive contains a SQL file from LockBit's affiliate panel database that...

Chinese APT Lotus Panda Targets Governments With New Sagerunex Backdoor Variants

The threat actor known as Lotus Panda has been observed targeting government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan with updated versions of a known backdoor called Sagerunex. "Lotus Blossom has been using the Sagerunex backdoor...

New Grandoreiro Banking Malware Variants Emerge with Advanced Tactics to Evade Detection

New variants of a banking malware called Grandoreiro have been found to adopt new tactics in an effort to bypass anti-fraud measures, indicating that the malicious software is continuing to be actively developed despite law enforcement efforts to crack down on the operation. "Only part of this ga...

Highlighting TA866/Asylum Ambuscade Activity Since 2021

TA866 also known as Asylum Ambuscade is a threat actor that has been conducting intrusion operations since at least 2020. TA866 has frequently relied on commodity and custom tooling to facilitate post-compromise activities. These tools often perform specific functions and are deployed and used as...

Grandoreiro, the global trojan with grandiose goals

Grandoreiro is a well-known Brazilian banking trojan — part of the Tetrade umbrella — that enables threat actors to perform fraudulent banking operations by using the victim's computer to bypass the security measures of banking institutions. It's been active since at least 2016 and is now one of...

SolarMarker Malware Evolves to Resist Takedown Attempts with Multi-Tiered Infrastructure

The persistent threat actors behind the SolarMarker information-stealing malware have established a multi-tiered infrastructure to complicate law enforcement takedown efforts, new findings from Recorded Future show. "The core of SolarMarker's operations is its layered infrastructure, which consis...

ZLoader Malware Evolves with Anti-Analysis Trick from Zeus Banking Trojan

The authors behind the resurfaced ZLoader malware have added a feature that was originally present in the Zeus banking trojan that it's based on, indicating that it's being actively developed. "The latest version, 2.4.1.0, introduces a feature to prevent execution on machines that differ from the...

Kimsuky Group’s Intriguing Exploits with AppleSeed Malware

Summary: The Kimsuky group has been actively utilizing weaponized LNK files to deploy the AppleSeed malware. While the group typically relies on spear-phishing attacks for initial access, their recent campaigns have prominently featured the use of shortcut-type malware in LNK file format. AppleSe...

2023 State of Malware Report: What the channel needs to know to stay ahead of threats

The channel, comprising managed service providers MSPs, Systems Integrators SIs, value-added resellers VARs, and more, plays a vital role in providing cybersecurity for companies around the globe today. But as malware evolves and cyberattacks become more common, keeping up with the top threats to...

The Intricate Evolution of SoulSearcher Loader for Multi-Stage Malware Execution

Threat Level Attack Report For a detailed threat advisory, download the pdf file here Summary SoulSearcher is a second-stage loader that has been seen in the wild since October 2017, and it is responsible for executing the Soul module payload and parsing its configuration. The samples found in th...

LodaRAT Malware Resurfaces with New Variants Employing Updated Functionalities

The LodaRAT malware has resurfaced with new variants that are being deployed in conjunction with other sophisticated malware, such as RedLine Stealer and Neshta. "The ease of access to its source code makes LodaRAT an attractive tool for any threat actor who is interested in its capabilities,"...

In hot pursuit of ‘cryware’: Defending hot wallets from attacks

The steep rise in cryptocurrency market capitalization, not surprisingly, mirrors a marked increase in threats and attacks that target or leverage cryptocurrencies. But Microsoft researchers are observing an even more interesting trend: the evolution of related malware and their techniques, and t...

The evolution of a Mac trojan: UpdateAgent’s progression

Our discovery and analysis of a sophisticated Mac trojan in October exposed a year-long evolution of a malware family—and depicts the rising complexity of threats across platforms. The trojan, tracked as UpdateAgent, started as a relatively basic information-stealer but was observed distributing...

The UNC2529 Triple Double: A Trifecta Phishing Campaign

In December 2020, Mandiant observed a widespread, global phishing campaign targeting numerous organizations across an array of industries. Mandiant tracks this threat actor as UNC2529. Based on the considerable infrastructure employed, tailored phishing lures and the professionally coded...

Malware Variants: More Sophisticated, Prevalent and Evolving in 2021

A malicious program intended to cause havoc with IT systems—malware—is becoming more and more sophisticated every year. The year 2021 is no exception, as recent trends indicate that several new variants of malware are making their way into the world of cybersecurity. While smarter security...

FIN8 Resurfaces with Revamped Backdoor Malware

The FIN8 cyberattack group has resurfaced after a period of relative quiet, researchers have found. The gang is using new versions of the BadHatch backdoor to compromise companies in the chemical insurance, retail and technology industries. The attacks have been seen hitting organizations around...

Targeted ransomware: it’s not just about encrypting your data!

When we talk about ransomware, we need to draw a line between what it used to be and what it currently is. Why? Because nowadays ransomware is not just about encrypting data – its primarily about data exfiltration. After that, its about data encryption and leaving convincing proof that the attack...