Operation Dragonfly Analysis Suggests Links to Earlier Attacks
ARCHIVED STORY Operation Dragonfly Analysis Suggests Links to Earlier Attacks By Trellix · December 17, 2017 On September 6, Symantec published details of the Dragonfly campaign, which targeted dozens of energy companies throughout 2017. This attack was effectively Dragonfly 2.0, an update to a...
The Iranian Cyber Capability 2026
The Iranian Cyber Capability 2026 By John Fokker and Ernesto Fernández Provecho · March 5, 2026 Introduction In 2024, we published an assessment of the Islamic Republic of Iran’s cyber capabilities, outlining the structure, tradecraft, and strategic intent of Iranian-aligned threat actors. The co...
Dark Web Roast - January 2026 Edition
Dark Web Roast - January 2026 Edition By Trellix Advanced Research Center · February 11, 2026 Executive Summary Welcome to January 2026's underground intelligence roundup, where criminal masterminds continue to demonstrate that the phrase "honour among thieves" remains the greatest oxymoron in...
Hiding in Plain Sight: Multi-Actor ahost.exe Attacks
Hiding in Plain Sight: Deconstructing the Multi-Actor DLL Sideloading Campaign abusing ahost.exe By Mallikarjun Wali and Mohideen Abdul Khader · January 14, 2026 Executive summary The Trellix Advanced Research Center has uncovered an active malware campaign that exploits a DLL sideloading...
The Developer's Newest Bug: Speed
The Developer's Newest Bug: Speed By Tola Olawale · December 2, 2025 Artificial intelligence (AI) has unequivocally entered its “main character” era, moving from a niche tool to a universal creator. This massive shift has given rise to "vibe coding": the practice of using AI to generate functional...
The Bug Report – August 2025 Edition
The Bug Report – August 2025 Edition By Jonathan Omakun, Tola Olawale · August 27, 2025 Why am I here? Welcome back to The Bug Report! Did you miss us? The Trellix Advanced Research Center has been playing a high-stakes game of whack-a-mole with this month's vulnerabilities. We've dug through all...
Exposing PathWiper: DCOM Abuse and Network Erasure
Exposing PathWiper: A Deep Dive into DCOM Abuse and Network Erasure With Trellix NDR By Maulik Maheta and Lishoy Mathew · August 12, 2025 Executive summary Ukraine’s national energy and telecommunications infrastructure were the primary targets of the PathWiper attack in 2025. The attack was...
Automagic Reverse Engineering
Automagic Reverse Engineering By Trellix · July 1, 2025 This blog was written by Max Kersten Over the last few years, I have looked into methods to improve the reverse engineering process. This saves essential time during the analysis, which helps while defending from well prepared threat actors...
The Growing Threat of Vishing: How Cybercriminals Are Using Multimedia to Target You
The Growing Threat of Vishing: How Cybercriminals Are Using Multimedia to Target You By Mark Joseph Marti and Sandra Pagkaliwagan · May 8, 2025 Introduction Imagine being hacked through a phone call, and you can't even complain because you were the one who provided your sensitive information or...
Cyber Threat Landscape Q&A with Trellix Head of Threat Intelligence John Fokker
Cyber Threat Landscape Q&A with Trellix Head of Threat Intelligence John Fokker By Trellix · January 27, 2025 As we step into 2025, it's time to reflect on the seismic changes that shaped the cybersecurity landscape in 2024 and anticipate what's on the horizon for 2025. The past year saw...
Resilient Security Requires Mature Cyber Threat Intelligence Capabilities
Resilient Security Requires Mature Cyber Threat Intelligence Capabilities By Trellix Advanced Research Center · August 5, 2023 Threat intelligence and the ability to add context to each technology environment to global threats has never been more important to the role of the CISO, or to the board...
Read The Manual Locker: A Private RaaS Provider
Read The Manual Locker: A Private RaaS Provider By Trellix · April 13, 2023 This blog was written by Max Kersten. The underground intelligence was obtained by N074B07. Another day, another ransomware-as-a-service (RaaS) provider, or so it seems. We’ve observed the “Read The Manual” (RTM) Locker gang,...
We Don’t Just Patch – We Hack
We Don’t Just Patch – We Hack By Trellix · February 1, 2023 This blog was written by Douglas McKee If you have read any security advisories, technology news articles or even our very own Bug Report, you have continually been bombarded with the message to patch, patch, patch! Patching is critical ...
The Race to Secure eBPF for Windows
The Race to Secure eBPF for Windows By Trellix · August 11, 2022 This blog was written by Douglas McKee Innovation often improves functionality and even security; however, adoption starts slow. Adoption often doesn’t increase at a linear rate but at an exponential rate leaving behind attack...
Get to Know Fred House
Meet Fred House Senior Director, Product Detection and Research By Trellix · July 12, 2022 This blog was written by Michael Alicea At Trellix, we celebrate and champion our people. For a long time now, I’ve been looking forward to connecting with Fred House, a Senior Director at Trellix Threat La...
The Sound of Malware
The Sound of Malware By Trellix · June 23, 2022 Do, a debugger, you often use Re, a reverse engineer Mi, a name, I call myself Anyways…. By now, you must be very thankful I reminded you of this famous song; I am sure it will be stuck in your head the rest of the day. You’re welcome! Confused on h...
Cyberattacks Rise Targeting Infrastructure and Geo Tensions
Trellix Threat Labs Research Report: Cyberattacks Targeting Critical Infrastructure Rise Along with Geopolitical Tensions By Trellix · April 27, 2022 The release of our Trellix Threat Labs Research Report: April 2022 examines cybercriminal behavior and activity related to cyber threats in the...
Cyberattacks Targeting Ukraine and HermeticWiper Protections
Trellix Global Defenders: Cyberattacks Targeting Ukraine and HermeticWiper Protections By Taylor Mullins · February 28, 2022 Trellix is monitoring the ongoing cyberattacks targeting the Ukraine and any threat activity targeting entities outside of the Ukraine. Trellix is continuing to add...
Who Will Bend the Knee in RaaS Game of Thrones in 2022?
ARCHIVED STORY Who Will Bend the Knee in RaaS Game of Thrones in 2022? By John Fokker and Raj Samani · November 07, 2021 McAfee Enterprise and FireEye recently released its 2022 Threat Predictions. In this blog, we take a deeper dive into a Game of Thrones power struggle among...
Operation North Star: Summary Of Our Latest Analysis | McAfee Blogs
Operation North Star: Summary Of Our Latest Analysis By Trellix · NOV 05, 2020 McAfee’s Advanced Threat Research (ATR) today released research that uncovers previously undiscovered information on how Operation North Star evaluated its prospective victims and launched attacks on organizations in...
Ransomware Maze
ARCHIVED STORY Ransomware Maze Alexandre Mundo · MAR 26, 2020 Overview The Maze ransomware, previously known in the community as “ChaCha ransomware”, was discovered on May the 29th 2019 by Jerome Segura [1]. The main goal of the ransomware is to crypt all files that it can in an infected system and...
CSI: Evidence Indicators for Targeted Ransomware Attacks - Part II | McAfee Blogs
CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II Christiaan Beek · FEB 20, 2020 In our first article we discussed the growing pattern of targeted ransomware attacks where the first infection stage is often an info-stealer kind of malware used to gain credentials/access to...
Our Experiences Participating in Microsoft’s Azure Sphere Bounty Program | McAfee Blogs
The Cloning of The Ring – Who Can Unlock Your Door?
ARCHIVED STORY The Cloning of The Ring - Who Can Unlock Your Door? By Eoin Carroll · January 06, 2020 Steve Povolny contributed to this report. The Cloning of The Ring McAfee’s Advanced Threat Research team performs security analysis of products and technologies across nearly every industry...
Analysis of LooCipher, a New Ransomware Family Observed This Year
ARCHIVED STORY Analysis of LooCipher, a New Ransomware Family Observed This Year By ATR Operational Intelligence Team · December 05, 2019 Co-authored by Marc RiveroLopez. Initial Discovery This year seems to again be the year for ransomware. Notorious attacks were made using ransomware and new...
Crypto Currency Laundering Service, BestMixer.io, Taken Down by Law Enforcement
ARCHIVED STORY Cryptocurrency Laundering Service, BestMixer.io, Taken Down by Law Enforcement By John Fokker · May 22, 2019 A much overlooked but essential part in financially motivated cybercrime is making sure that the origins of criminal funds are obfuscated or made to appear legitimate, a...
LockerGoga Ransomware Family Used in Targeted Attacks
ARCHIVED STORY LockerGoga Ransomware Family Used in Targeted Attacks By ATR Operational Intelligence Team · April 29, 2019 Co-authored by Marc RiveroLopez. Initial discovery Once again, we have seen a significant new ransomware family in the news. LockerGoga, which adds new features to the tried...
What’s in the Box?
ARCHIVED STORY What’s in the Box? By Sam Quinn · February 25, 2019 2018 was another record-setting year in the continuing trend for consumer online shopping. With an increase in technology and efficiency, and a decrease in cost and shipping time, consumers have clearly made a statement that...
Shamoon Returns to Wipe Systems in Middle East, Europe
ARCHIVED STORY Shamoon Returns to Wipe Systems in Middle East, Europe By Alexandre Mundo · December 14, 2018 Destructive malware has been employed by adversaries for years. Usually such attacks are carefully targeted and can be motivated by ideology, politics, or even financial aims. Destructive...
McAfee Labs Advanced Threat Research Aids Arrest of Suspected Cybercrime Gang Linked to Top Malware CTB Locker
ARCHIVED STORY McAfee Labs Advanced Threat Research Aids Arrest of Suspected Cybercrime Gang Linked to Top Malware CTB Locker By Trellix · December 20, 2017 In our recent research, we interviewed the actors behind ransomware campaigns. One of the interesting findings was cybercriminals seemed to...
IoT Devices: The Gift that Keeps on Giving… to Hackers
ARCHIVED STORY IoT Devices: The Gift that Keeps on Giving… to Hackers By Tim Hux · November 16, 2017 McAfee Advanced Threat Research on Most Hackable Gifts You’ve probably noticed the recent increase in Internet connected drones, digital assistants, toys, appliances and other devices hitting the...
Introducing pywintrace: A Python Wrapper for ETW
ARCHIVED STORY Introducing pywintrace: A Python Wrapper for ETW By Anthony Berglund, Kevin Boyd · September 19, 2017 Introduction Event tracing for Windows (ETW) is a lightweight logging facility first introduced with Windows 2000. Originally intended as a software diagnostic, troubleshooting and...
Dark Web Roast February 2026 Edition
Dark Web Roast - February 2026 Edition By Trellix Advanced Research Center · March 18, 2026 Executive Summary February 2026 delivered another stellar month in the ongoing theatre of the absurd that is the cybercriminal underground, where ransomware gangs bulk-scheduled their extortion like a...
Malware-As-A-Service Redefined: Why XWorm is outpacing every other RAT in the underground malware market
Malware-As-A-Service Redefined: Why XWorm is outpacing every other RAT in the underground malware market By Boggavarapu R S S Srinivas Gupta and Ravishankar N C · March 12, 2026 Introduction In the evolving landscape of cybercrime, threat actors are constantly pursuing the "perfect" weapon: malwa...
Turf Wars vs. Supply Chains: The Great Divergence in State Cyber Threats
Turf Wars vs. Supply Chains: The Great Divergence in State Cyber Threats By Ryan Slaney and Emma DeCarli · February 18, 2026 For years, the cybersecurity community has treated advanced persistent threat (APT) groups as monoliths. We assumed that if we found a specific Russian tool, we were fighting...
The Crown Jewels of Active Directory: How Trellix Helix Detects NTDS.dit Theft
The Crown Jewels of Active Directory: How Trellix Helix Detects NTDS.dit Theft By Adithya Chandra and Maulik Maheta · February 2, 2026 Executive summary Active Directory serves as the central repository for an organization's authentication infrastructure. Malicious actors frequently focus on...
From Digital Innovation to Patient Harm: Why Healthcare Cybersecurity Is Now a C-Suite Imperative
From Digital Innovation to Patient Harm: Why Healthcare Cybersecurity Is Now a C-Suite Imperative By John Fokker · January 27, 2026 For decades, healthcare systems were designed with one core principle: patient safety. Clinical devices operated in largely closed environments, disconnected from th...
Silent Domain Hijack: Detecting DCSync with Trellix NDR
Silent Domain Hijack: Uncovering the DCSync Attack and Detecting with Trellix NDR By Maulik Maheta and Chao Sun · December 10, 2025 Executive summary DCSync is one of the most powerful and stealthy techniques an attacker can use once they have gained access to an Active Directory (AD) environment...
Dark Web Roast – November 2025 Edition
Dark Web Roast – November 2025 Edition By Trellix Advanced Research Center · December 9, 2025 Executive summary November 2025 delivered a masterclass in underground incompetence that would make any cybersecurity professional simultaneously laugh and cry. From the Silent data-extortion group getti...
Today’s threat landscape demands a proactive OT security strategy
Today’s threat landscape demands a proactive OT security strategy By John Fokker and Mo Cashman · November 18, 2025 Overview: The operational technology (OT) security landscape is undergoing rapid transformation, marked by an escalation in advanced threats. As reported in Trellix’s November...
Dark Web Roast - October 2025 Edition
Dark Web Roast - October 2025 Edition By Trellix Advanced Research Center · November 13, 2025 Executive Summary Welcome to October 2025, where the cybercrime underground has officially become more absurd than a fever dream. This month’s headline was xltshirt being royally fleeced out of $3,000 fo...
Silent Pivot: Detecting Fileless Lateral Movement via Service Manager with Trellix NDR
Silent Pivot: Detecting Fileless Lateral Movement via Service Manager with Trellix NDR By Maulik Maheta and Lishoy Mathew · September 8, 2025 Executive summary The tactics of cyber adversaries continue to evolve as they attempt to bypass security vendors. Rather than traditional malware, today’s...
Gang Wars: Breaking Trust Among Cyber Criminals
Gang Wars: Breaking Trust Among Cyber Criminals By John Fokker and Jambul Tologonov · August 5, 2025 Introduction In the final, unforgettable scene of the film Reservoir Dogs, a group of criminals — once united by a common goal — stand in a Mexican standoff, guns drawn, hearts pounding. Suspicio...
Closing the Security Gap From Threat Hunting to Detection Engineering
Closing the Security Gap From Threat Hunting to Detection Engineering By Ilya Kolmanovich, Alejandro Houspanossian, Joe Malenfant and Tomer Shloman · April 16, 2025 In today's rapidly evolving AI-fueled threat landscape, every organization is trying to stop threats as early as possible. Threat...
Phobos: Stealthy Ransomware That Operated Under the Radar - Until Now
Phobos: Stealthy Ransomware That Operated Under the Radar - Until Now By Jambul Tologonov, John Fokker and Duy-Phuc Pham · November 20, 2024 On November 18th, the US Justice Department unsealed criminal charges against a Russian national for allegedly administering the sale, distribution, and...
Tale of Greatness: Journey Through Dark Roads
Tale of Greatness: Journey Through Dark Roads By Daksh Kapur, Vihar Shah, Pooja Khyadgi · May 22, 2024 Cybercriminals have a new weapon in their arsenal: Greatness, a PaaS tool specifically designed to steal your Microsoft 365 login credentials. First detected in mid-2022, it allows attackers to...
Trellix Global Defenders: Analysis and Protections for Destructive Wipers
Trellix Global Defenders: Analysis and Protections for Destructive Wipers By Ayed Al Qartah · November 17, 2022 Modern cyber warfare involves the actions of a nation-state or their proxies (organized crime and hacker groups) to attack and attempt to damage other nations’ computers or information...