1012 matches found
ICS and OT threat predictions for 2024
We do not expect rapid changes in the industrial cyberthreat landscape in 2024. Most of the below-described trends have been observed before, many for some years. However, some of them have reached a critical mass of creeping changes, which could lead to a qualitative shift in the threat landscap...
Operation Triangulation: iOS devices targeted with previously unknown malware
While monitoring the network traffic of our own corporate Wi-Fi network dedicated for mobile devices using the Kaspersky Unified Monitoring and Analysis Platform KUMA, we noticed suspicious activity that originated from several iOS-based phones. Since it is impossible to inspect modern iOS device...
Following the Lazarus group by tracking DeathNote campaign
The Lazarus group is a high-profile Korean-speaking threat actor with multiple sub-campaigns. We have previously published information about the connections of each cluster of this group. In this blog, well focus on an active cluster that we dubbed DeathNote because the malware responsible for...
Overview of Google Play threats sold on the dark web
In 2022, Kaspersky security solutions detected 1,661,743 malware or unwanted software installers, targeting mobile users. Although the most common way of distributing such installers is through third-party websites and dubious app stores, their authors every now and then manage to upload them to...
Indicators of compromise (IOCs): how we collect and use them
It would hardly be an exaggeration to say that the phrase "indicators of compromise" or IOCs can be found in every report published on the Securelist. Usually after the phrase there are MD5 hashes1, IP addresses and other technical data that should help information security specialists to counter...
DTrack activity targeting Europe and Latin America
Introduction DTrack is a backdoor used by the Lazarus group. Initially discovered in 2019, the backdoor remains in use three years later. It is used by the Lazarus group against a wide variety of targets. For example, weve seen it being used in financial environments where ATMs were breached, in...
Mass email campaign with a pinch of targeted spam
Most mass malicious mailing campaigns are very primitive and hardly diverse, with the content limited to several sentences offering the user to download archives that supposedly contain some urgent bills or unpaid fines. The email messages may contain no signatures or logos, with typos and other...
IT threat evolution Q1 2022
IT threat evolution in Q1 2022 IT threat evolution in Q1 2022. Non-mobile statistics IT threat evolution in Q1 2022. Mobile statistics Targeted attacks MoonBounce: the dark side of UEFI firmware Late last year, we became aware of a UEFI firmware-level compromise through logs from our firmware...
Evaluation of cyber activities and the threat landscape in Ukraine
Introduction When the war in Ukraine broke out, many analysts were surprised to discover that what was simultaneously happening in the cyber domain did not match their predictions1. Since the beginning of the fighting, new cyberattacks taking place in Ukraine have been identified every week, whic...
Kaspersky Security Bulletin 2021. Statistics
All statistics in this report are from the global cloud service Kaspersky Security Network KSN, which receives information from components in our security solutions. The data was obtained from users who had given their consent to it being sent to KSN. Millions of Kaspersky users around the globe...
ScarCruft surveilling North Korean defectors and human rights activists
The ScarCruft group also known as APT37 or Temp.Reaper is a nation-state sponsored APT actor we first reported in 2016. ScarCruft is known to target North Korean defectors, journalists who cover North Korea-related news and government organizations related to the Korean Peninsula, between others...
IT threat evolution in Q3 2021. Mobile statistics
IT threat evolution Q3 2021 IT threat evolution in Q3 2021. PC statistics IT threat evolution in Q3 2021. Mobile statistics These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data. Quarterly figures According to Kaspersk...
Incident response analyst report 2020
Download full report PDF The Incident response analyst report provides insights into incident investigation services conducted by Kaspersky in 2020. We deliver a range of services to help organizations when they are in need: incident response, digital forensics and malware analysis. Data in the...
GReAT thoughts: Awesome IDA Pro plugins
The Global Research & Analysis Team here at Kaspersky has a tradition of meeting up once a month and sharing cutting-edge research, interesting techniques and useful tools. We recently took the unprecedented decision to make our internal meetings public for a few months and present them as a seri...
Sleep with one eye open: how Librarian Ghouls steal data by night
Introduction Librarian Ghouls, also known as "Rare Werewolf" and "Rezet", is an APT group that targets entities in Russia and the CIS. Other security vendors are also monitoring this APT and releasing analyses of its campaigns. The group has remained active through May 2025, consistently targetin...
How ToddyCat tried to hide behind AV software
To hide their activity in infected systems, APT groups resort to various techniques to bypass defenses. Most of these techniques are well known and detectable by both EPP solutions and EDR threat-monitoring and response tools. For example, to hide their activity in Windows systems, cybercriminals...
APT trends report Q3 2024
Kaspersky's Global Research and Analysis Team GReAT has been releasing quarterly summaries of advanced persistent threat APT activity for over seven years now. Based on our threat intelligence research, these summaries offer a representative overview of what we've published and discussed in more...
Memory corruption vulnerabilities in Suricata and FreeRDP
As a cybersecurity company, before we release our products, we perform penetration tests on them to make sure they are secure. Recently, new versions of KasperskyOS-based products were released, namely Kaspersky Thin Client KTC and Kaspersky IoT Secure Gateway KISG. As part of the pre-release...
A journey into forgotten Null Session and MS-RPC interfaces
A journey into forgotten Null Session and MS-RPC interfaces PDF It has been almost 24 years since the null session vulnerability was discovered. Back then, it was possible to access SMB named pipes using empty credentials and collect domain information. Most often, attackers leveraged null sessio...
The mobile malware threat landscape in 2023
The figures above are based on detection statistics received from Kaspersky users who consented to sharing usage data with Kaspersky Security Network. The data for years preceding 2023 may differ from that published previously, as the calculation methodology was refined, and the data was...
Andariel’s silly mistakes and a new malware family
Introduction Andariel, a part of the notorious Lazarus group, is known for its use of the DTrack malware and Maui ransomware in mid-2022. During the same period, Andariel also actively exploited the Log4j vulnerability as reported by Talos and Ahnlab. Their campaign introduced several new malware...
Selecting the right MSSP: Guidelines for making an objective decision
Managed Security Service Providers MSSPs have become an increasingly popular choice for organizations nowadays following the trend to outsource security services. Meanwhile, with the growing number of MSSPs in the market, it can be difficult for organizations to determine which provider will fit ...
Summer 2021: Friday Night Funkin’, Måneskin and pop it
This summer, several events that were postponed from 2020 due to the pandemic took place. Some of them interested children, while others barely registered by them. It is worth noting that childrens hobbies typically do not change from winter to summer — the only difference is that they devote mor...
Dero miner zombies biting through Docker APIs to build a cryptojacking horde
Introduction Imagine a container zombie outbreak where a single infected container scans the internet for an exposed Docker API, and bites exploits it by creating new malicious containers and compromising the running ones, thus transforming them into new "zombies" that will mine for Dero currency...
Lazarus group evolves its infection chain with old and new malware
Over the past few years, the Lazarus group has been distributing its malicious software by exploiting fake job opportunities targeting employees in various industries, including defense, aerospace, cryptocurrency, and other global sectors. This attack campaign is called the DeathNote campaign and...
The Crypto Game of Lazarus APT: Investors vs. Zero-days
Introduction Lazarus APT and its BlueNoroff subgroup are a highly sophisticated and multifaceted Korean-speaking threat actor. We closely monitor their activities and quite often see them using their signature malware in their attacks — a full-feature backdoor called Manuscrypt. According to our...
State of ransomware in 2024
Ransomware attacks continue to be one of the biggest contemporary cybersecurity threats, affecting organizations and individuals alike on a global scale. From high-profile breaches in healthcare and industrial sectors – compromising huge volumes of sensitive data or halting production entirely – ...
SoumniBot: the new Android banker’s unique techniques
The creators of widespread malware programs often employ various tools that hinder code detection and analysis, and Android malware is no exception. As an example of this, droppers, such as Badpack and Hqwar, designed for stealthily delivering Trojan bankers or spyware to smartphones, are very...
QR codes in email phishing
QR codes are everywhere: you can see them on posters and leaflets, ATM screens, price tags and merchandise, historical buildings and monuments. People use them to share information, promote various online resources, pay for their goodies, and pass verification. And yet you dont see lots of QR cod...
Common TTPs of attacks against industrial organizations
In 2022 we investigated a series of attacks against industrial organizations in Eastern Europe. In the campaigns, the attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems. Based on similarities found between these campaigns and...
How scammers employ IPFS for email phishing
The idea of creating Web 3.0 has been around since the end of 2000s. The new version of the world wide web should repair the weak points of Web 2.0., some of which are: featureless content, prevalence of proprietary solutions, and lack of safety in a centralized user data storage environment, whe...
Come to the dark side: hunting IT professionals on the dark web
The dark web is a collective name for a variety of websites and marketplaces that bring together individuals willing to engage in illicit or shady activities. Dark web forums contain ads for selling and buying stolen data, offers to code malware and hack websites, posts seeking like-minded...
What your SOC will be facing in 2023
As the role of cybersecurity in large businesses increases remarkably year over year, the importance of Security Operations Centers SOCs is becoming paramount. This years Kaspersky Security Bulletin ends with tailored predictions for SOCs – from external and internal points of view. The first par...
Kaspersky Security Bulletin 2022. Statistics
All statistics in this report are from the global cloud service Kaspersky Security Network KSN, which receives information from components in our security solutions. The data was obtained from users who had given their consent to it being sent to KSN. Millions of Kaspersky users around the globe...
APT10: Tracking down LODEINFO 2022, part I
Kaspersky has been tracking activities involving the LODEINFO malware family since 2019, looking for new modifications and thoroughly investigating any attacks utilizing those new variants. LODEINFO is sophisticated fileless malware first named in a blogpost from JPCERT/CC in February 2020. The...
Router security in 2021
A router is a gateway from the internet to a home or office — despite being conceived quite the opposite. Routers are forever being hacked and infected, and used to infiltrate local networks. Keeping this gate locked so that no one can stroll right through is no easy task. It is not always clear...
How and why do we attack our own Anti-Spam?
We often use machine-learning ML technologies to improve the quality of cybersecurity systems. But machine-learning models can be susceptible to attacks that aim to "fool" them into delivering erroneous results. This can lead to significant damage to both our company and our clients. Therefore, i...
Detection evasion in CLR and tips on how to detect such attacks
In terms of costs, the age-old battle that pits attacker versus defender has become very one sided in recent years. Almost all modern attacks and ethical offensive exercises use Mimikatz, SharpHound, SeatBelt, Rubeus, GhostPack and other toolsets available to the community. This so-called...
Trojan watch
We continue to research how proliferation of IoT devices affects the daily lives of users and their information security. In our previous study, we touched upon ways of intercepting authentication data using single-board microcomputers. This time, we turned out attention to wearable devices:...
Dvmap: the first Android malware with code injection
In April 2017 we started observing new rooting malware being distributed through the Google Play Store. Unlike other rooting malware, this Trojan not only installs its modules into the system, it also injects malicious code into the system runtime libraries. Kaspersky Lab products detect it as...
Zanubis in motion: Tracing the active evolution of the Android banking malware
Introduction Zanubis is a banking Trojan for Android that emerged in mid-2022. Since its inception, it has targeted banks and financial entities in Peru, before expanding its objectives to virtual cards and crypto wallets. The main infection vector of Zanubis is impersonating legitimate Peruvian...
No need to RSVP: a closer look at the Tria stealer campaign
Introduction Since mid-2024, we've observed a malicious Android campaign leveraging wedding invitations as a lure to social-engineer victims into installing a malicious Android app APK, which we have named "Tria Stealer" after unique strings found in campaign samples. The primary targets of the...
Cracked software beats gold: new macOS backdoor stealing cryptowallets
A month ago, we discovered some cracked apps circulating on pirating websites and infected with a Trojan proxy. The malicious actors repackaged pre-cracked applications as PKG files with an embedded Trojan proxy and a post-install script initiating the infection. We recently caught sight of a new...
Black Friday shoppers beware: online threats so far in 2022
The shopping event of the year, Black Friday, is almost here, and while the big day does not officially arrive until Friday, November 25th, deals are already starting. The day kickstarts the frenzied holiday shopping season with eye-catching promotional deals that lure shoppers into spending more...
Crimeware and financial cyberthreats in 2023
A look back on the year 2022 and what to expect in 2023 Every year, as part of the Kaspersky Security Bulletin, we predict which major trends will be followed in the coming year by attackers, who target financial organizations. The predictions, based on our extensive experience, help individuals...
NullMixer: oodles of Trojans in a single dropper
Executive Summary NullMixer is a dropper leading to an infection chain of a wide variety of malware families. NullMixer spreads via malicious websites that can be found mainly via search engines. These websites are often related to crack, keygen and activators for downloading software illegally,...
HTML attachments in phishing e-mails
The use of embedded HTML documents in phishing e-mails is a standard technique employed by cybercriminals. It does away with the need to put links in the e-mail body, which antispam engines and e-mail antiviruses usually detect with ease. HTML offers more possibilities than e-mail for camouflagin...
The life cycle of phishing pages
Introduction In this study, we analyzed how long phishing pages survive as well as the signs they show when they become inactive. In addition to the general data, we provided a number of options for classifying phishing pages according to formal criteria and analyzed the results for each of them...
The dangers of “connected” healthcare: predictions for 2022
For a second consecutive year, the time for Kaspersky to make its predictions for the healthcare sector comes amid the global COVID-19 pandemic. Unfortunately, the virus still dominates most aspects of our lives, and, of course, the pandemic remained the biggest and most-discussed topic in...
DDoS attacks in Q3 2021
News overview Q3 2021 brought two new DDoS attack vectors, potentially posing a serious threat, including for major web resources. A team of researchers from the University of Maryland and the University of Colorado Boulder found a way to spoof the victims IP address over TCP. To date,...