Model Hacking ADAS to Pave Safer Roads for Autonomous Vehicles
ARCHIVED STORY Model Hacking ADAS to Pave Safer Roads for Autonomous Vehicles Steve Povolny · FEB 19, 2020 The last several years have been fascinating for those of us who have been eagerly observing the steady move towards autonomous driving. While semi-autonomous vehicles have existed for many...
We Be Jammin’ – Bypassing Chamberlain myQ Garage Doors
ARCHIVED STORY We Be Jammin’ – Bypassing Chamberlain myQ Garage Doors Sam Quinn · JAN 06, 2020 The idea of controlling your garage door remotely and verifying that everything is secure at home, or having packages delivered directly into your garage is enticing for many people. The convenience tha...
Analysis of LooCipher, a New Ransomware Family Observed This Year
ARCHIVED STORY Analysis of LooCipher, a New Ransomware Family Observed This Year By ATR Operational Intelligence Team · December 05, 2019 Co-authored by Marc RiveroLopez. Initial Discovery This year seems to again be the year for ransomware. Notorious attacks were made using ransomware and new...
McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Follow The Money
ARCHIVED STORY McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Follow The Money By John Fokker · October 14, 2019 Episode 3: Follow the Money This is the third installment of the McAfee Advanced Threat Research ATR analysis of Sodinokibi and its connections to GandCrab, the mos...
Avaya Deskphone: Decade-Old Vulnerability Found in Phone's Firmware
ARCHIVED STORY Avaya Deskphone: Decade-Old Vulnerability Found in Phone’s Firmware By Philippe Laulheret · August 08, 2019 Avaya is the second largest VOIP solution provider source with an install base covering 90% of the Fortune 100 companies source, with products targeting a wide spectrum of...
Ryuk, Exploring the Human Connection
ARCHIVED STORY Ryuk, Exploring the Human Connection By John Fokker · February 19, 2019 In collaboration with Bill Siegel and Alex Holdtman from Coveware At the beginning of 2019, McAfee ATR published an article describing how the hasty attribution of Ryuk ransomware to North Korea was missing the...
Digging Up the Past: Windows Registry Forensics Revisited
ARCHIVED STORY Digging Up the Past: Windows Registry Forensics Revisited By David Via · Jan 08, 2019 Introduction FireEye consultants frequently utilize Windows registry data when performing forensic analysis of computer networks as part of incident response and compromise assessment missions. Th...
BIOS Boots What? Finding Evil in Boot Code at Scale!
ARCHIVED STORY BIOS Boots What? Finding Evil in Boot Code at Scale! By Ryan Fisher, Andrew Davis · August 08, 2018 Malware continues to take advantage of a legacy component of modern systems designed in the 1980s. Despite the cyber threat landscape continuing to evolve at an ever-increasing pace,...
Organizations Leave Backdoors Open to Cheap Remote Desktop Protocol Attacks
ARCHIVED STORY Organizations Leave Backdoors Open to Cheap Remote Desktop Protocol Attacks By John Fokker · July 11, 2018 Thanks to my colleague Christiaan Beek for his advice and contributions. While researching underground hacker marketplaces, the McAfee Advanced Threat Research team has...
DDoS Attacks in the Netherlands Reveal Teen Gamers on Troublesome Path
ARCHIVED STORY DDoS Attacks in the Netherlands Reveal Teen Gamers on Troublesome Path By John Fokker · February 22, 2018 At the end of January, the Netherlands was plagued by distributed denial of service DDoS attacks targeting various financial institutions, tech sites, and the Dutch tax...
PureRAT: A Multi-Stage, Fileless RAT Utilizing Image Steganography and Process Hollowing
PureRAT: A Multi-Stage, Fileless RAT Utilizing Image Steganography and Process Hollowing By Prashanth A N and Mallikarjun Wali · April 20, 2026 PureRAT is an advanced remote access trojan RAT characterized by its complex infection stages. The intrusion sequence is initiated by a malicious .LNK fi...
Masjesu Rising: The Commercial IoT Botnet Built for Stealth, DDoS, and IoT Evasion
Masjesu Rising: The Commercial IoT Botnet Built for Stealth, DDoS, and IoT Evasion By Mohideen Abdul Khader F · April 7, 2026 Botnet overview The Masjesu botnet, a sophisticated, commercially-run Internet of Things IoT threat, has been operational and evolving since early 2023, continuing into...
Technical Deep Dive: The Monero Mining Campaign
Technical Deep Dive: The Monero Mining Campaign By Aswath A · February 17, 2026 Executive summary In the contemporary threat landscape, while ransomware grabs headlines with high-impact disruptions, cryptojacking operations have quietly evolved into sophisticated, persistent threats. This report...
When SPNs Go Rogue: Detection and Remediation with Trellix NDR
When SPNs Go Rogue: Detection and Remediation with Trellix NDR By Maulik Maheta and Henry Bernabe · February 10, 2026 Executive summary Service Principal Names SPNs are essential for Kerberos authentication in Active Directory AD, but misconfigurations, such as assigning SPNs to standard user...
APT28’s Stealthy Multi-Stage Campaign Leveraging CVE‑2026‑21509 and Cloud C2 Infrastructure
APT28’s Stealthy Multi-Stage Campaign Leveraging CVE‑2026‑21509 and Cloud C2 Infrastructure By Pham Duy Phuc and Alex Lanstein · February 4, 2026 Updated February 9, 2026: This analysis has been updated to clarify malware naming conventions. Introduction Russian state-sponsored threat group APT28...
From the Shadows to the Headlines: A Decade of State-Sponsored Cyber Leaks
From the Shadows to the Headlines: A Decade of State-Sponsored Cyber Leaks By Ryan Slaney and Emma DeCarli · January 20, 2026 Executive summary The December 2, 2025, publication of a massive leak revealing the inner workings of the IRGC-linked Department 40 a.k.a. APT35, Charming Kitten, and Fres...
The Unfriending Truth: How to Spot a Facebook Phishing Scam Before It's Too Late
The Unfriending Truth: How to Spot a Facebook Phishing Scam Before It's Too Late By Mark Joseph Marti · January 12, 2026 Introduction As one of the world's largest social media platforms, with over 3 billion active users, Facebook is a frequent target for phishing scams. Hackers aim to hijack use...
Dark Web Roast - September 2025 Edition
Dark Web Roast - September 2025 Edition By Trellix Advanced Research Center · October 14, 2025 Executive Summary September 2025 brought us a delightful buffet of underground incompetence that makes one wonder if cybercriminals are actively competing for the "Most Spectacular Failure" award. From...
The Silent, Fileless Threat of VShell
The Silent, Fileless Threat of VShell By Sagar Bade · August 21, 2025 Introduction Linux environments are often seen as bastions of security, favored by developers, sysadmins, and security professionals for their stability, transparency, and resistance to malware. Compared to Windows, the attack...
The Democratization of Phishing: Popularity of PhaaS platforms on the rise
The Democratization of Phishing: Popularity of PhaaS Platforms on the Rise By Ryan Slaney · June 30, 2025 The phishing industry is being profoundly reshaped by the surge of Phishing-as-a-Service PhaaS platforms. These accessible, often Artificial Intelligence AI-powered, offerings are democratizi...
No symbols? No problem!
No symbols? No problem! By Trellix · August 9, 2024 This blog was written by Max Kersten Malware analysts know it all too well: the ominous feeling that washes over you when opening an unknown file in your favorite analysis tool and being greeted with hundreds or thousands of unknown functions,...
The Mechanics of ViperSoftX: Exploiting AutoIt and CLR for Stealthy PowerShell Execution
The Mechanics of ViperSoftX: Exploiting AutoIt and CLR for Stealthy PowerShell Execution By Sijo Jacob · July 9, 2024 This blog was also written by Mathanraj Thangaraju Threat Summary In the dynamic landscape of cyber threats, ViperSoftX has emerged as a highly sophisticated malware, adept at...
Cybercrooks leveraging anti automation toolkit for phishing campaigns
Cybercrooks Leveraging Anti Automation Toolkit for Phishing Campaigns By Vihar Shah and Rohan Shah · December 18, 2023 Threat actors have a track record of abusing tools hosted on GitHub for malicious purposes. Last year we showed how attackers abused Python’s tarfile module. Trellix Advanced...
AI is the Solution, Not the Problem
AI is the Solution, Not the Problem By Trellix · August 07, 2023 This story was also written by Oded Margalit. AI Artificial Intelligence / ML Machine Learning has recently been painted as the master evil. In this blog I would like to suggest a different view, where we can use it to make a better...
China-Taiwan Tensions Spark Surge in Cyberattacks on Taiwan
China-Taiwan Tensions Spark Surge in Cyberattacks on Taiwan By Daksh Kapur, Leandro Velasco · May 17, 2023 Figure 1 image from freepik.com “In the past few years, we noticed that geopolitical conflicts are one of the main drivers for cyber-attacks on a variety of industries and institutions...
Shining Light on Dark Power: Yet Another Ransomware Gang
Shining Light on Dark Power: Yet Another Ransomware Gang By Pham Duy Phuc and Tomer Shloman · March 23, 2023 This blog was also written by Max Kersten Another day, another ransomware gang. The Dark Power ransomware gang is new on the block, and is trying to make a name for itself. This blog dives...
No More Macros? Better Watch Your Search Results!
No More Macros? Better Watch Your Search Results! By Pham Duy Phuc · February 08, 2023 This blog was also written by Max Kersten Threat actors often rely on the same techniques until their hand is forced, usually due to defensive changes or chance-based opportunities, to leverage a new technique...
GuLoader: The NSIS Vantage Point
GuLoader: The NSIS Vantage Point By Nico Paulo Yturriaga · January 24, 2023 GuLoader is an advanced shellcode downloader infamous for using anti-analysis tricks to evade detection and obstruct reverse engineering. As of this writing, the GuLoader campaign is aggressively ongoing. Trellix’s...
Email Cyberattacks on Arab Countries Rise in Lead to Global Football Tournament
Email Cyberattacks on Arab Countries Rise in Lead to Global Football Tournament By Daksh Kapur · November 17, 2022 This story was also written by Sparsh Jain. Figure 1 Global eyes are soon to be turned to the first global football tournament to be held in the Arab world kicking off on November 20...
Wipermania: An All You Can Wipe Buffet
Wipermania: An All You Can Wipe Buffet By Trellix · November 15, 2022 This blog was written by Max Kersten In early 2022, Ukrainian companies were struck by multiple destructive wipers, attacking various organizations across sectors. This raised questions about the usage and impact of “digital...
2022 Election Phishing Attacks Target Election Workers
2022 Election Phishing Attacks Target Election Workers By Rohan Shah · October 12, 2022 This blog was written by Patrick Flynn and Fred House Highly publicized campaign and political party breaches during the 2016 U.S. presidential campaign raised election security as a critical issue among U.S...
Get to Know Anne An
Meet Anne An Senior Security Researcher By Michael Alicea · August 25, 2022 At Trellix, we celebrate and champion our people. I’ve been hearing a lot recently about one of my colleagues, Anne An. My sources tell me she is a highly technical and “intuitive” researcher embedded on our frontlines as...
Utilizing the Adaptive Defense Model Against Information Stealers
Trellix Global Defenders: Utilizing the Adaptive Defense Model Against Information Stealers By Taylor Mullins · May 23, 2022 Trellix is continuing to observe the continued growth in usage and general availability of Information Stealers that have the functionality to collect passwords, cookies,...
Who Will Bend the Knee in RaaS Game of Thrones in 2022?
ARCHIVED STORY Who Will Bend the Knee in RaaS Game of Thrones in 2022? By John Fokker and Raj Samani · November 07, 2021 McAfee Enterprise and FireEye recently released its 2022 Threat Predictions. In this blog, we take a deeper dive into a Game of Thrones power struggle among...
Nation States Will Weaponize Social and Recruit Bad Guys with Benefits in 2022
ARCHIVED STORY Nation States Will Weaponize Social and Recruit Bad Guys with Benefits in 2022 By Raj Samani · October 31, 2021 McAfee Enterprise and FireEye recently released its 2022 Threat Predictions. In this blog, we take a deeper dive into the continuingly aggressive role Nation States will...
Babuk Ransomware
ARCHIVED STORY Babuk Ransomware By Alexandre Mundo · February 23, 2021 Executive Summary Babuk ransomware is a new ransomware threat discovered in 2021 that has impacted at least five big enterprises, with one already paying the criminals $85,000 after negotiations. As with other variants, this...
Additional Analysis into the SUNBURST Backdoor
ARCHIVED STORY Additional Analysis into the SUNBURST Backdoor Christiaan Beek · DEC 17, 2020 Executive Summary There has been considerable focus on the recent disclosures associated with SolarWinds, and while existing analysis on the broader campaign has resulted in detection against specific IoC...
‘Insight’ into Home Automation Reveals Vulnerability in Simple IoT Product
ARCHIVED STORY ‘Insight’ into Home Automation Reveals Vulnerability in Simple IoT Product By Douglas McKee · August 18, 2020 Eoin Carroll, Charles McFarland, Kevin McGrath, and Mark Bereza contributed to this report. The Internet of Things promises to make our lives easier. Want to remotely turn...
Six Hundred Million Reasons to Celebrate: No More Ransom Turns FOUR!!
ARCHIVED STORY Six Hundred Million Reasons to Celebrate: No More Ransom Turns FOUR!! By John Fokker · July 27, 2020 Happy Birthday! Today we mark the fourth anniversary of the NoMoreRansom initiative with over 4.2 million visitors, from 188 countries, stopping an estimated $632 million in ransom...
Ransomware Maze
ARCHIVED STORY Ransomware Maze Alexandre Mundo · MAR 26, 2020 Overview The Maze ransomware, previously known in the community as “ChaCha ransomware”, was discovered on May the 29th 2019 by Jerome Segura1. The main goal of the ransomware is to crypt all files that it can in an infected system and...
CSI Evidence Indicators for Targeted Ransomware Attacks
ARCHIVED STORY CSI: Evidence Indicators for Targeted Ransomware Attacks – Part I By Trellix · February 12, 2020 For many years now I have been working and teaching in the field of digital forensics, malware analysis and threat intelligence. During one of the classes we always talk about Lockard’s...
The Cloning of The Ring – Who Can Unlock Your Door?
ARCHIVED STORY The Cloning of The Ring - Who Can Unlock Your Door? By Eoin Carroll · January 06, 2020 Steve Povolny contributed to this report. The Cloning of The Ring McAfee’s Advanced Threat Research team performs security analysis of products and technologies across nearly every industry...
McAfee ATR Aids Police in Arrest of Rubella & Dryad Office Macro Builder
ARCHIVED STORY McAfee ATR Aids Police in Arrest of Rubella & Dryad Office Macro Builder By John Fokker · July 16, 2019 Every day thousands of people receive emails with malicious attachments in their email inbox. Disguised as a missed payment or an invoice, a cybercriminal sender tries to entice a...
Mr. Coffee with WeMo: Double Roast
ARCHIVED STORY Mr. Coffee with WeMo: Double Roast By Sam Quinn · May 30, 2019 McAfee Advanced Threat Research recently released a blog detailing a vulnerability in the Mr. Coffee Coffee Maker with WeMo. Please refer to the earlier blog to catch up with the processes and techniques I used to...
Crypto Currency Laundering Service, BestMixer.io, Taken Down by Law Enforcement
ARCHIVED STORY Cryptocurrency Laundering Service, BestMixer.io, Taken Down by Law Enforcement By John Fokker · May 22, 2019 A much overlooked but essential part in financially motivated cybercrime is making sure that the origins of criminal funds are obfuscated or made to appear legitimate, a...
Your Smart Coffee Maker is Brewing Up Trouble
ARCHIVED STORY Your Smart Coffee Maker is Brewing Up Trouble By Sam Quinn · February 25, 2019 IoT devices are notoriously insecure and this claim can be backed up with a laundry list of examples. With more devices “needing” to connect to the internet, the possibility of your WiFi enabled toaster...
Ryuk Ransomware Attack: Rush to Attribution Misses the Point
ARCHIVED STORY Ryuk Ransomware Attack: Rush to Attribution Misses the Point By John Fokker · January 09, 2019 Senior analyst Ryan Sherstobitoff contributed to this report. During the past week, an outbreak of Ryuk ransomware that impeded newspaper printing services in the United States has garner...
80 to 0 in Under 5 Seconds: Falsifying a Medical Patient's Vitals
ARCHIVED STORY 80 to 0 in Under 5 Seconds: Falsifying a Medical Patient's Vitals By Douglas McKee · August 11, 2018 The author thanks Shaun Nordeck, MD, for his assistance with this report. With the explosion of growth in technology and its influence on our lives, we have become increasingly...
Gandcrab Ransomware Puts Pinch On Victims
ARCHIVED STORY GandCrab Ransomware Puts the Pinch on Victims By Alexandre Mundo · July 31, 2018 Update: On August 9 we added our analysis of Versions 4.2.1 and 4.3. The GandCrab ransomware first appeared in January and has been updated rapidly during its short life. It is the leading ransomware...
Cybercrime in the Spotlight: How Crooks Capitalize on Cultural Events
ARCHIVED STORY Cybercrime in the Spotlight: How Crooks Capitalize on Cultural Events By John Fokker · July 03, 2018 Every four years, everyone’s head around the globe turns toward the television. The Olympics, the World Cup – world events like these have all eyes viewing friendly competition...