1025 matches found
Head Mare and Twelve join forces to attack Russian entities
Introduction In September 2024, a series of attacks targeted Russian companies, revealing indicators of compromise and tactics associated with two hacktivist groups: Head Mare and Twelve. Our investigation showed that Head Mare relied heavily on tools previously associated with Twelve...
Incident response analyst report 2024
Kaspersky provides rapid and fully informed incident response services to organizations, ensuring impact analysis and effective remediation. Our annual report shares anonymized data about the investigations carried out by the Kaspersky Global Emergency Response Team GERT, as well as statistics an...
DCRat backdoor returns
Since the beginning of the year, we've been tracking in our telemetry a new wave of DCRat distribution, with paid access to the backdoor provided under the Malware-as-a-Service MaaS model. The cybercriminal group behind it also offers support for the malware and infrastructure setup for hosting t...
SideWinder targets the maritime and nuclear sectors with an updated toolset
Last year, we published an article about SideWinder, a highly prolific APT group whose primary targets have been military and government entities in Pakistan, Sri Lanka, China, and Nepal. In it, we described activities that had mostly happened in the first half of the year. We tried to draw...
Trojans disguised as AI: Cybercriminals exploit DeepSeek’s popularity
Introduction Among the most significant events in the AI world in early 2025 was the release of DeepSeek-R1 – a powerful reasoning large language model LLM with open weights. It's available both for local use and as a free service. Since DeepSeek was the first service to offer access to a reasoni...
Undercover miner: how YouTubers get pressed into distributing SilentCryptoMiner as a restriction bypass tool
In recent months, we've seen an increase in the use of Windows Packet Divert drivers to intercept and modify network traffic in Windows systems. This technology is used in various utilities, including ones for bypassing blocks and restrictions of access to resources worldwide. Over the past six...
Mobile malware evolution in 2024
These statistics are based on detection alerts from Kaspersky products, collected from users who consented to provide statistical data to Kaspersky Security Network. The statistics for previous years may differ from earlier publications due to a data and methodology revision implemented in 2024...
The SOC files: Chasing the web shell
Web shells have evolved far beyond their original purpose of basic remote command execution, and many now function more like lightweight exploitation frameworks. These tools often include features such as in-memory module execution and encrypted command-and-control C2 communication, giving...
Exploits and vulnerabilities in Q4 2024
Q4 2024 saw fewer published exploits for Windows and Linux compared to the first three quarters. Although the number of registered vulnerabilities continued to rise, the total number of Proof of Concept PoC instances decreased compared to 2023. Among notable techniques in Q4, attackers leveraged...
The GitVenom campaign: cryptocurrency theft using GitHub
In our modern world, it's difficult to underestimate the impact that open-source code has on software development. Over the years, the global community has managed to publish a tremendous number of projects with freely accessible code that can be viewed and enhanced by anyone on the planet. Very...
Angry Likho: Old beasts in a new forest
Angry Likho referred to as Sticky Werewolf by some vendors is an APT group we've been monitoring since 2023. It bears a strong resemblance to Awaken Likho, which we've analyzed before, so we classified it within the Likho malicious activity cluster. However, Angry Likho's attacks tend to be...
Managed detection and response in 2024
Kaspersky Managed Detection and Response service MDR provides round-the-clock monitoring and threat detection, based on Kaspersky technologies and expertise. The annual MDR analyst report presents insights based on the analysis of incidents detected by Kaspersky's SOC team. It sheds light on the...
Spam and phishing in 2024
The year in figures 27% of all emails sent worldwide and 48.57% of all emails sent in the Russian web segment were spam 18% of all spam emails were sent from Russia Kaspersky Mail Anti-Virus blocked 125,521,794 malicious email attachments Our Anti-Phishing system thwarted 893,216,170 attempts to...
StaryDobry ruins New Year’s Eve, delivering miner instead of presents
Introduction On December 31, cybercriminals launched a mass infection campaign, aiming to exploit reduced vigilance and increased torrent traffic during the holiday season. Our telemetry detected the attack, which lasted for a month and affected individuals and businesses by distributing the XMRi...
Investors, Trump and the Illuminati: What the “Nigerian prince” scams became in 2024
"Nigerian" spam is a collective term for messages designed to entice victims with alluring offers and draw them into an email exchange with scammers, who will try to defraud them of their money. The original "Nigerian" spam emails were sent in the name of influential and wealthy individuals from...
Take my money: OCR crypto stealers in Google Play and App Store
Update 07.02.2025: Google removed malicious apps from Google Play. Update 06.02.2025: Apple removed malicious apps from the App Store. In March 2023, researchers at ESET discovered malware implants embedded into various messaging app mods. Some of these scanned users' image galleries in search of...
One policy to rule them all
Windows group policies are a powerful management tool that allows administrators to define and control user and computer settings within a domain environment in a centralized manner. While group policies offer functionality and utility, they are unfortunately a prime target for attackers. In...
No need to RSVP: a closer look at the Tria stealer campaign
Introduction Since mid-2024, we've observed a malicious Android campaign leveraging wedding invitations as a lure to social-engineer victims into installing a malicious Android app APK, which we have named "Tria Stealer" after unique strings found in campaign samples. The primary targets of the...
Threat predictions for industrial enterprises 2025
Key global cyberthreat landscape development drivers Hunt for innovations Innovations are changing our lives. Today, the world is on the threshold of another technical revolution. Access to new technologies is a ticket to the future, a guarantee of economic prosperity and political sovereignty...
Mercedes-Benz Head Unit security research report
Introduction This report covers the research of the Mercedes-Benz Head Unit, which was made by our team. Mercedes-Benz's latest Head Unit infotainment system is called Mercedes-Benz User Experience MBUX. We performed analysis of the first generation MBUX. MBUX was previously analysed by KeenLab...
EAGERBEE, with updated and novel components, targets the Middle East
Introduction In our recent investigation into the EAGERBEE backdoor, we found that it was being deployed at ISPs and governmental entities in the Middle East. Our analysis uncovered new components used in these attacks, including a novel service injector designed to inject the backdoor into a...
Threat landscape for industrial automation systems in Q3 2024
Statistics across all threats In the third quarter of 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 1.5 pp to 22% when compared to the previous quarter. Percentage of ICS computers on which malicious objects were blocked, by quarter, 2022–2024 Compared...
Cloud Atlas seen using a new tool in its attacks
Introduction Known since 2014, Cloud Atlas targets Eastern Europe and Central Asia. We're shedding light on a previously undocumented toolset, which the group used heavily in 2024. Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formul...
BellaCPP: Discovering a new BellaCiao variant written in C++
Introduction BellaCiao is a .NET-based malware family that adds a unique twist to an intrusion, combining the stealthy persistence of a webshell with the power to establish covert tunnels. It surfaced for the first time in late April 2023 and has since been publicly attributed to the APT actor...
Attackers exploiting a patched FortiClient EMS vulnerability in the wild
Introduction During a recent incident response, Kaspersky's GERT team identified a set of TTPs and indicators linked to an attacker that infiltrated a company's networks by targeting a Fortinet vulnerability for which a patch was already available. This vulnerability is an improper filtering of S...
Lazarus group evolves its infection chain with old and new malware
Over the past few years, the Lazarus group has been distributing its malicious software by exploiting fake job opportunities targeting employees in various industries, including defense, aerospace, cryptocurrency, and other global sectors. This attack campaign is called the DeathNote campaign and...
Analysis of Cyber Anarchy Squad attacks targeting Russian and Belarusian organizations
About C.A.S C.A.S Cyber Anarchy Squad is a hacktivist group that has been attacking organizations in Russia and Belarus since 2022. Besides data theft, its goal is to inflict maximum damage, including reputational. To this end, the group's attacks exploit vulnerabilities in publicly available...
Download a banker to track your parcel
In late October 2024, a new scheme for distributing a certain Android banking Trojan called "Mamont" was uncovered. The victim would receive an instant message from an unknown sender asking to identify a person in a photo. The attackers would then send what appeared to be the photo itself but was...
Dark web threats and dark market predictions for 2025
Review of last year's predictions The number of services providing AV evasion for malware cryptors will increase We continuously monitor underground markets for the emergence of new "cryptors," which are tools specifically designed to obfuscate the code within malware samples. The primary purpose...
Careto is back: what’s new after 10 years of silence?
During the first week of October, Kaspersky took part in the 34th Virus Bulletin International Conference, one of the longest-running cybersecurity events. There, our researchers delivered multiple presentations, and one of our talks focused on newly observed activities by the Careto threat actor...
Story of the Year: global IT outages and supply chain attacks
A faulty update by cybersecurity firm CrowdStrike triggered one of the largest IT outages in history, impacting approximately 8.5 million systems worldwide. This incident serves as a stark reminder of the critical risks posed by global IT disruptions and supply chain weaknesses. With large-scale...
Exploits and vulnerabilities in Q3 2024
Q3 2024 saw multiple vulnerabilities discovered in Windows and Linux subsystems that are not standard for cyberattacks. This is because operating system developers have been releasing new security mitigations for whole sets of vulnerabilities in commonly used subsystems. For example, a log...
Our secret ingredient for reverse engineering
Nowadays, a lot of cybersecurity professionals use IDA Pro as their primary tool for reverse engineering. While IDA is a complex tool that implements a multitude of features useful for dissecting binaries, many reverse engineers use various plugins to add further functionality to this software. W...
Kaspersky Security Bulletin 2024. Statistics
All statistics in this report come from Kaspersky Security Network KSN, a global cloud service that receives information from components in our security solutions voluntarily provided by Kaspersky users. Millions of Kaspersky users around the globe assist us in collecting information about...
Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT
Recent months have seen a surge in mailings with lookalike email attachments in the form of a ZIP archive containing JScript scripts. The script files – disguised as requests and bids from potential customers or partners – bear names such as "Запрос цены и предложения от Индивидуального...
IT threat evolution in Q3 2024. Non-mobile statistics
IT threat evolution in Q3 2024 IT threat evolution in Q3 2024. Non-mobile statistics IT threat evolution in Q3 2024. Mobile statistics The statistics presented here are based on detection verdicts by Kaspersky products and services received from users who consented to providing statistical data...
IT threat evolution in Q3 2024. Mobile statistics
IT threat evolution in Q3 2024 IT threat evolution in Q3 2024. Non-mobile statistics IT threat evolution in Q3 2024. Mobile statistics Quarterly figures According to Kaspersky Security Network, in Q3 2024: As many as 6.7 million attacks involving malware, adware or potentially unwanted mobile app...
IT threat evolution Q3 2024
IT threat evolution in Q3 2024 IT threat evolution in Q3 2024. Non-mobile statistics IT threat evolution in Q3 2024. Mobile statistics Targeted attacks New APT threat actor targets Russian government entities In May 2024, we discovered a new APT targeting Russian government organizations...
APT trends report Q3 2024
Kaspersky's Global Research and Analysis Team GReAT has been releasing quarterly summaries of advanced persistent threat APT activity for over seven years now. Based on our threat intelligence research, these summaries offer a representative overview of what we've published and discussed in more...
Consumer and privacy predictions for 2025
Overview of 2024 consumer cyberthreats and trends predictions Part of the Kaspersky Security Bulletin, our predictions for 2024 identified key consumer cyberthreats and trends shaped by global events, technological advances and evolving user behavior. Last year, we suggested that charity-related...
Analysis of Elpaco: a Mimic variant
Introduction In a recent incident response case, we dealt with a variant of the Mimic ransomware with some interesting customization features. The attackers were able to connect via RDP to the victim's server after a successful brute force attack and then launch the ransomware. After that, the...
Advanced threat predictions for 2025
We at Kaspersky's Global Research and Analysis Team monitor over 900 APT advanced persistent threat groups and operations. At the end of each year, we take a step back to assess the most complex and sophisticated attacks that have shaped the threat landscape. These insights enable us to anticipat...
Scammer Black Friday offers: Online shopping threats and dark web sales
Intro The e-commerce market continues to grow every year. According to FTI consulting, in Q1 2024, online retail comprised 57% of total sales in the US, and it is expected to increase by 9.8% over 2023 by the end of this year. In Europe, 72% of those aged 16–74 buy online, their share growing by...
Сrimeware and financial cyberthreats in 2025
Kaspersky's Global Research and Analysis Team constantly monitors known and emerging cyberthreats directed at the financial industry, with banks and fintech companies being the most targeted. We also closely follow threats that aim to infiltrate a wider range of industries, namely ransomware...
Threats in space (or rather, on Earth): internet-exposed GNSS receivers
What is GNSS? Global Navigation Satellite Systems GNSS are collections, or constellations of satellite positioning systems. There are several GNSSs launched by different countries currently in operation: GPS US, GLONASS Russia, Galileo EU, BeiDou Navigation Satellite System BDS, China, Navigation...
Ymir: new stealthy ransomware in the wild
Introduction In a recent incident response case, we discovered a new and notable ransomware family in active use by the attackers, which we named "Ymir". The artifact has interesting features, including a large set of operations performed in memory with the help of the malloc , memmove and memcmp...
QSC: A multi-plugin framework used by CloudComputating group in cyberespionage campaigns
Introduction In 2021, we began to investigate an attack on the telecom industry in South Asia. During the investigation, we discovered QSC: a multi-plugin malware framework that loads and runs plugins modules in memory. The framework includes a Loader, a Core module, a Network module, a Command...
New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency
Introduction In August 2024, our team identified a new crimeware bundle, which we named "SteelFox". Delivered via sophisticated execution chains including shellcoding, this threat abuses Windows services and drivers. It spreads via forums posts, torrent trackers and blogs, imitating popular...
Loose-lipped neural networks and lazy scammers
One topic being actively researched in connection with the breakout of LLMs is capability uplift – when employees with limited experience or resources in some area become able to perform at a much higher level thanks to LLM technology. This is especially important in information security, where...
Risk reduction redefined: How compromise assessment helps strengthen cyberdefenses
Introduction Organizations often rely on a layered defense strategy, yet breaches still occur, slipping past multiple levels of protection unnoticed. This is where compromise assessment enters the game. The primary objective of these services is risk reduction. They help discover active...