Lucene search: 68 matches found

Rapid7 Blog, added 2025/05/22
NSIS Abuse and sRDI Shellcode: Anatomy of the Winos 4.0 Campaign
Co-authored by Anna Širokova and Ivan Feigl. Executive summary: Rapid7 has been tracking a malware campaign that uses fake software installers, disguised as popular apps like VPN clients and QQBrowser, to deliver Winos v4.0, a hard-to-detect malware that runs entirely in memory and gives attackers remote...
AI score 7.8; exploits: 0

The Hacker News, added 2024/09/18
North Korean Hackers Target Energy and Aerospace Industries with New MISTPEN Malware
A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN. The activity cluster is being tracked by Google-owned Mandiant...
AI score 7.3; exploits: 0

Trend Micro Simply Security, added 2024/09/04
Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion
While monitoring Earth Lusca, we discovered the threat group's use of KTLVdoor, a highly obfuscated multiplatform backdoor, as part of a large-scale attack campaign...
AI score 7.3; exploits: 0

ICS, added 2024/08/28
Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations
Summary: The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that, as of August 2024, a group of Iran-based cyber actors...
CVSS 10; AI score 10; EPSS 0.94456; exploits: 239; references: 98

The Hacker News, added 2024/08/15
New Gafgyt Botnet Variant Targets Weak SSH Passwords for GPU Crypto Mining
Cybersecurity researchers have discovered a new variant of the Gafgyt botnet that's targeting machines with weak SSH passwords to ultimately mine cryptocurrency on compromised instances using their GPU computational power. This indicates that the "IoT botnet is targeting more robust servers runni...
AI score 7.8; exploits: 0

Trend Micro Simply Security, added 2024/03/06
Unveiling Earth Kapre aka RedCurl's Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence
This blog entry will examine the Trend Micro MDR team's investigation that successfully uncovered the intrusion sets employed by Earth Kapre in a recent incident, as well as how the team leveraged threat intelligence to attribute the extracted evidence to the cyberespionage threat group...
AI score 7.2; exploits: 0

hivepro, added 2023/11/07
Attacks, Vulnerabilities and Actors, 30 October to 5 November 2023
For a detailed threat digest, download the pdf file here. Summary: HiveForce Labs has recently made several significant discoveries related to cybersecurity threats. Over the past week, we identified a total of six executed attacks, three instances of adversary activity, and one exploited...
CVSS 7.5; AI score 6.8; EPSS 0.94436; exploits: 31

Microsoft Malware Protection, added 2023/08/24
Flax Typhoon using legitimate software to quietly access Taiwanese organizations
Summary: Microsoft has identified a nation-state activity group tracked as Flax Typhoon, based in China, that is targeting dozens of organizations in Taiwan with the likely intention of performing espionage. Flax Typhoon gains and maintains long-term access to Taiwanese organizations' networks with...
AI score 8.6; exploits: 0

Pen Test Partners Blog, added 2023/06/28
Black Basta ransomware
What is Black Basta ransomware? Black Basta is a threat group that provides ransomware-as-a-service (RaaS). The service is maintained by dedicated developers and is a highly efficient and professionally run operation; there's a TOR website that provides a victim login portal, a chat room, and a wall...
CVSS 9.3; AI score 10.2; EPSS 0.94314; exploits: 75

hivepro, added 2023/06/21
The Rising Diicot Threat Group with Diverse Attack Capabilities
Attack report. For a detailed threat advisory, download the pdf file here. Summary: A Romanian threat group, "Diicot", has been actively employing SSH brute-forcing and deploying malware loaders to compromise systems for the purpose of cryptocurrency mining. The campaign involves exploitin...
AI score 6.9; exploits: 0

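Both the Gafgyt entry and the Diicot entry above describe the same initial access: password guessing against exposed SSH. The detector below is an added example written for this page, not code from Hive Pro, The Hacker News or either report. It parses constructed OpenSSH auth-log lines (not real logs), counts failed password attempts per source address inside a sliding window, and separately flags the case that matters most, a password login that succeeds from an address that was just failing. The year is an assumption (syslog timestamps carry none), and the threshold and window are illustrative values, not figures from either report.

```python
"""Sliding-window SSH password-guessing detector over constructed auth-log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH/syslog format. Three sources:
#  203.0.113.7  - fast burst of failures, then a successful password login
#  198.51.100.4 - one failure, then a key-based login (benign typo)
#  192.0.2.9    - low-and-slow guessing, one attempt every 30 minutes
SAMPLE_LOG = """\
Jan 12 03:14:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 12 03:14:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jan 12 03:14:05 host sshd[1202]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 12 03:14:06 host sshd[1203]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan 12 03:14:08 host sshd[1204]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 12 03:14:11 host sshd[1205]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Jan 12 03:20:00 host sshd[1300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Jan 12 03:25:00 host sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
Jan 12 04:00:00 host sshd[1400]: Failed password for root from 192.0.2.9 port 3333 ssh2
Jan 12 04:30:00 host sshd[1401]: Failed password for root from 192.0.2.9 port 3334 ssh2
Jan 12 05:00:00 host sshd[1402]: Failed password for root from 192.0.2.9 port 3335 ssh2
Jan 12 05:30:00 host sshd[1403]: Failed password for root from 192.0.2.9 port 3336 ssh2
Jan 12 06:00:00 host sshd[1404]: Failed password for root from 192.0.2.9 port 3337 ssh2
"""

# Matches the two sshd outcomes we care about; "invalid user" is consumed so
# the user field is the bare name either way.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(line, year=2024):
    """Return a dict for an sshd auth line, or None if it is not one we handle."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # Syslog timestamps have no year; the year is an assumption so we can do arithmetic.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect(log_text, threshold=5, window_s=60):
    """Return a sorted list of (ip, kind) findings.

    kind == "burst": at least `threshold` failed password attempts from one
        address within `window_s` seconds.
    kind == "success_after_failures": a password login succeeded from an
        address that still has failures inside the window, i.e. the guess landed.
    Key-based logins are ignored; they are not what a password sprayer uses.
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent failed password attempts
    findings = set()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["method"] != "password":
            continue
        q = recent[ev["ip"]]
        # Drop failures that have aged out of the window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold:
                findings.add((ev["ip"], "burst"))
        elif q:
            findings.add((ev["ip"], "success_after_failures"))
    return sorted(findings)


if __name__ == "__main__":
    for ip, kind in detect(SAMPLE_LOG):
        print(f"{ip}\t{kind}")
```

On the constructed input the detector reports 203.0.113.7 twice (burst, then success after failures) and nothing for the other two addresses. The silence on 192.0.2.9 is the caveat: a fixed window catches the noisy bots these reports describe, but a source pacing one guess every half hour never trips it, so in production this logic belongs beside a long-horizon count per source and, better, a policy that disables password authentication on Internet-facing SSH altogether.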
hivepro, added 2023/05/25
GUI-Vil Threat Group Exploits AWS for Crypto Mining
Attack report. For a detailed threat advisory, download the pdf file here. Summary: GUI-Vil (p0-LUCR-1), an Indonesian threat group, conducts unauthorized cryptocurrency mining using personalized infiltration tactics. They exploit AWS, leveraging compromised credentials and vulnerabilitie...
CVSS 7.5; AI score 7; EPSS 0.94467; exploits: 30

The Hacker News, added 2023/05/23
GoldenJackal: New Threat Group Targeting Middle Eastern and South Asian Governments
Government and diplomatic entities in the Middle East and South Asia are the target of a new advanced persistent threat actor named GoldenJackal. Russian cybersecurity firm Kaspersky, which has been keeping tabs on the group's activities since mid-2020, characterized the adversary as both capable...
CVSS 9.3; AI score 7.3; EPSS 0.93596; exploits: 62

hivepro, added 2023/05/16
Lancefly APT Group Deploys Custom Backdoor 'Merdoor' in Targeted Attacks
Actor report. For a detailed threat advisory, download the pdf file here. Summary: The Lancefly APT group targets South and Southeast Asia using the Merdoor backdoor and an updated ZXShell rootkit. Their attack chain involves credential theft, lateral movement, file staging, and...
AI score 6.8; exploits: 0

hivepro, added 2023/03/28
Unveiling ChinaZ DDoS Threat Landscape
Attack report. For a detailed threat advisory, download the pdf file here. Summary: ChinaZ, a Chinese threat group, is infamous for using DDoS botnets to attack Windows and Linux systems. To receive real-time threat advisories, please follow HiveForce Labs on LinkedIn...
AI score 6.7; exploits: 0

Imperva Blog, added 2023/03/07
Advanced Persistent Threat Groups Behind DDoS Attacks on Danish Hospitals
On Sunday 26 February the websites of several Danish hospitals were taken offline after being hit by Distributed Denial of Service (DDoS) attacks claimed by a group calling themselves 'Anonymous Sudan'. According to reports on Twitter, patient care was unaffected by the attacks and the sites were ba...
AI score 1.1; exploits: 0

OSSF Malicious Packages, added 2023/02/27
Malicious code in selfccvmosint (PyPI)
Source: checkmarx (735b6485ce6e3e3e9746b485812380756b59948eefcec866d751a91cc18bd1d3). EsqueleSquad group published nearly 6000 malicious PyPI and npm packages, executing spyware and information-stealing malware...
AI score 7; exploits: 0; references: 1

OSSF Malicious Packages, added 2023/02/27
Malicious code in librandintelget (PyPI)
Source: checkmarx (42982822e288413d509322db2f98bd67a80bee5acb0005957298c96ba75e9bc2). EsqueleSquad group published nearly 6000 malicious PyPI and npm packages, executing spyware and information-stealing malware...
AI score 7; exploits: 0; references: 1

OSSF Malicious Packages, added 2023/02/27
Malicious code in py-strnvidiamine (PyPI)
Source: checkmarx (f49284d82a396eb8defd2e9425892426342ea0b7ddf685e937cbfbf759a23452). EsqueleSquad group published nearly 6000 malicious PyPI and npm packages, executing spyware and information-stealing malware...
AI score 7; exploits: 0; references: 1

OSSF Malicious Packages, added 2023/02/27
Malicious code in esqgrandhttpreplace (PyPI)
Source: checkmarx (42a610a43aa7326b0be22ead65b1a49dce7978f2bd5536242be9583aa5bc69bb). EsqueleSquad group published nearly 6000 malicious PyPI and npm packages, executing spyware and information-stealing malware...
AI score 7; exploits: 0; references: 1

OSSF Malicious Packages, added 2023/02/27
Malicious code in selfminegrandkill (PyPI)
Source: checkmarx (1fd5cf8e8055d7dba781fb28478e644a6bd08db74f58178676bf235f17de6ff4). EsqueleSquad group published nearly 6000 malicious PyPI and npm packages, executing spyware and information-stealing malware...
AI score 7; exploits: 0; references: 1
