Ripple20 Vulnerability Mitigation Best Practices
ARCHIVED STORY Ripple20 Vulnerability Mitigation Best Practices By Kevin McGrath · June 22, 2020 On June 16th, the Department of Homeland Security and CISA ICS-CERT issued a critical security advisory warning covering multiple newly discovered vulnerabilities affecting Internet-connected devices...
Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems
ARCHIVED STORY Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems By Thomas Roccia · December 19, 2018 Last week the McAfee Advanced Threat Research team posted an analysis of a new wave of Shamoon “wiper” malware attacks that struck several companies in the Middle East and Europe. In...
Trellix Global Defenders: LAPSUS$ Data Breaches and Proactive Protections
Trellix Global Defenders: LAPSUS$ Data Breaches and Proactive Protections By Taylor Mullins · March 23, 2022 Trellix is continuing to monitor the threat activity related to the LAPSUS$ threat group and their recent breaches of large organizations such as NVIDIA, Samsung, Microsoft, and Okta. This...
Suspected DarkHotel APT Activity Update
Suspected DarkHotel APT activity update One Hotel to rule them all, One Hotel to find them, One Hotel to bring them all and in the darkness bind them. By John Fokker · March 17, 2022 This story was also written by Thibault Seret Introduction: Our advanced threat research team has discovered a...
Update on WhisperGate, Destructive Malware Targeting Ukraine – Threat Intelligence & Protections Update
Update on WhisperGate, Destructive Malware Targeting Ukraine – Threat Intelligence & Protections Update By Taylor Mullins, Mo Cashman and Raj Samani · January 20, 2022 Recent news reports of a “ransomware” campaign targeting Ukraine have resulted in significant press coverage regarding not only...
Vulnerabilities in Globally Used B. Braun Infusion Pump
ARCHIVED STORY McAfee Enterprise ATR Uncovers Vulnerabilities in Globally Used B. Braun Infusion Pump Douglas McKee and Philippe Laulheret · Aug 24, 2021 Overview As part of our continued goal to provide safer products for enterprises and consumers, we at McAfee Advanced Threat Research (ATR)...
Call an Exorcist! My Robot's Possessed!
ARCHIVED STORY Call an Exorcist! My Robot’s Possessed! By Mark Bereza · AUG 05, 2020 Overview As part of our continued goal of helping developers provide safer products for businesses and consumers, we here at McAfee Advanced Threat Research (ATR) recently investigated temi, a...
HVACking: Understanding the Delta Between Security and Reality
ARCHIVED STORY HVACking: Understanding the Delta Between Security and Reality By Douglas McKee · August 09, 2019 The McAfee Labs Advanced Threat Research team is committed to uncovering security issues in both software and hardware to help developers provide safer products for businesses and...
The Bug Report – September 2025 Edition
The Bug Report – September 2025 Edition By Jonathan Omakun · October 7, 2025 Why am I here? Ah, September. When the leaves change colors, so do the threat landscapes! As summer fades into autumn, cybersecurity professionals are harvesting a bumper crop of vulnerabilities that would make any pumpk...
OneClik: A ClickOnce-Based APT Campaign Targeting Energy, Oil and Gas Infrastructure
OneClik: A ClickOnce-Based Red Team Campaign Simulating APT Tactics in Energy Infrastructure By Nico Paulo Yturriaga and Pham Duy Phuc · Updated: June 30, 2025 The Trellix Advanced Research Center previously uncovered what appeared to be a sophisticated APT malware campaign, which we dubbed...
OneClik: A ClickOnce-Based APT Campaign Targeting Energy, Oil and Gas Infrastructure
OneClik: A ClickOnce-Based APT Campaign Targeting Energy, Oil and Gas Infrastructure By Nico Paulo Yturriaga and Pham Duy Phuc · June 24, 2025 The Trellix Advanced Research Center has uncovered a sophisticated APT malware campaign that we’ve dubbed OneClik. It specifically targets the energy, oil...
Exploring New Techniques of Fake Browser Updates Leading to NetSupport RAT
Exploring New Techniques of Fake Browser Updates Leading to NetSupport RAT By Jonell Baltazar and Antonio Ribeiro · August 10, 2023 Trellix detected an ongoing campaign using fake Chrome browser updates to lure victims to install a remote administration software tool called NetSupport Manager...
Detecting and Visualizing Lateral Movement Attacks with Trellix XDR - Part 2
Detecting and Visualizing Lateral Movement Attacks with Trellix Helix Connect - Part 2 By Maulik Maheta · May 21, 2023 This blog was also written by Chintan Shah Executive summary In part 1 of this series we discussed in depth the known lateral movement attacks, such as abusing weak service...
Yanluowang Ransomware Leaks Analysis: Organization, Collaboration with HelloKitty, Babuk and Conti
Yanluowang Ransomware Leaks Analysis: Organization, Collaboration with HelloKitty, Babuk and Conti By Jambul Tologonov · November 22, 2022 Introduction On October 31, 2022, Yanluowang’s TOR site was hacked displaying a message “check and mate!! Yanluowang Matrix chat hacked @yanluowangleaks Time’s...
Targeted attack on Government Agencies
Targeted Attack on Government Agencies By Sushant Kumar Arya, Mohsin Dalla · July 13, 2022 Executive summary The Trellix Email Security Research Team has discovered a malicious campaign targeting government agencies of Afghanistan, India, Italy, Poland, and the United States since 2021. The attac...
Keeping A Critical Eye on IoT Devices
Keeping a Critical Eye on IoT Devices By Sam Quinn · April 21, 2022 Trellix Labs is excited to announce the beginning of a new video series which captures one of our senior vulnerability researchers' work on hacking an IoT device from beginning to end. This will conclude with the release of a ne...
Pouring Acid Rain
Pouring Acid Rain By Trellix · April 30, 2024 This blog was written by Max Kersten In two recent major geopolitical conflicts, in Ukraine and in Israel, wipers - malware used to destroy access to files and commonly used to halt telecom operations - were used to destroy digital infrastructure. The...
The Threat Lurking in Data Centers – Hack Power Management Systems, Take All the Power
The Threat Lurking in Data Centers – Hack Power Management Systems, Take All the Power By Trellix · August 12, 2023 This story was also written by Jesse Chick, Philippe Laulheret and Sam Quinn. Summary In a modern working environment where many employees are working from home or in hybrid office...
Uncover the Hidden Story of Ransomware Victims – They’re Not Who You Think
Uncover the Hidden Story of Ransomware Victims – They’re Not Who You Think By Trellix Advanced Research Center · July 31, 2023 Ransomware attacks against large corporations often dominate headlines. High-profile attacks against organizations like Kaseya, Colonial Pipeline, and MOVEit might make y...
Trellix HAX 2023 CTF Competition
Trellix HAX 2023 CTF Competition Now Open for Registration! By Mark Bereza · February 17, 2023 This story was also written by John Dunlap. Introduction Trellix’s Advanced Research Center is happy to announce the launch of Trellix HAX 2023, our third annual capture-the-flag (CTF) competition! With 1...
5G: The Final Frontier
5G: The Final Frontier This story was written by Kevin McGrath · April 7th, 2022 Today Trellix Threat Labs is excited to announce the release of a whitepaper dedicated to 5G and its potential security concerns. As we look at the potential of 5G, we foresee it impacting nearly every facet of digit...
BlackMatter Ransomware Analysis; The Dark Side Returns
ARCHIVED STORY BlackMatter Ransomware Analysis; The Dark Side Returns By Alexandre Mundo and Marc Elias · September 22, 2021 BlackMatter is a new ransomware threat discovered at the end of July 2021. This malware started with a strong group of attacks and some advertising from its developers that...
Amadey Exploiting Self-Hosted GitLab to Distribute StealC
Amadey Exploiting Self-Hosted GitLab to Distribute StealC By Rahul Sharma · December 18, 2025 Executive summary Amadey is a malware loader that has been active since 2018, primarily used to distribute second-stage payloads and infostealers. While Amadey has been previously known to distribute...
Threat Analysis: SquidLoader - Still Swimming Under the Radar
Threat Analysis: SquidLoader - Still Swimming Under the Radar By Charles Crofford · July 15, 2025 Executive summary A new wave of SquidLoader malware samples is actively targeting financial services institutions in Hong Kong. This sophisticated malware exhibits significant evasion capabilities,...
The Ongoing Saga of Job-Themed Attacks
The Ongoing Saga of Job-Themed Attacks By Daksh Kapur and Alfred Alvarado · January 23, 2024 Figure 1 - Job Themed Cyberattacks Attribution at the Bottom In late 2023, Trellix Security Researchers identified an ongoing trend where cybercriminals exploit job-themed attack vectors to target both jo...
Trellix 2024 Threat Predictions
Trellix 2024 Threat Predictions By Trellix · October 30, 2023 Introduction This last year we have seen upheaval across the cybersecurity landscape. The need for effective, worldwide threat intelligence continues to grow as geopolitical and economic developments create an increasingly complicated...
Peeling off QR Code Phishing Onion
Peeling off QR Code Phishing Onion: Revealing the Hidden Layers of Deceit By Neel H. Pathak and Pratik Sunil Kadam · October 10, 2023 Introduction: Malicious actors always seek innovative ways to bypass detection. The Trellix Advanced Research Center recently noticed an attack campaign with an...
Demystifying Qbot Malware
Demystifying Qbot Malware By Adithya Chandra · August 24, 2022 This blog was also written by Sushant Kumar Arya Executive summary The Trellix SecOps Team has observed an uptick in the Qbot malware infections in recent months. Qbot has been an active threat for over 14 years and continues to evolv...
Growling Bears Make Thunderous Noise
Growling Bears Make Thunderous Noise By Trellix · June 6, 2022 Per public attribution, Russian cybercriminal groups have always been active. Their tactics, techniques, and procedures (TTPs) have not significantly evolved over time, although some changes have been observed. Lately, the threat...
White House Executive Order – Navigating EDR Implementation
White House Executive Order – Navigating Endpoint Detection and Response (EDR) Implementation Tom Gann · March 08, 2022 This is the fourth in a series of blogs on the Biden Administration’s Executive Order (EO) on Improving the Nation’s Cybersecurity. I encourage you to read those you may have missed...
Return of Pseudo Ransomware
Return of Pseudo Ransomware By Trellix, Max Kersten and Raj Samani · January 20, 2022 Arnab Roy, Filippo Sitzia and Mo Cashman contributed to the research supporting this blog Recent news reports of a “ransomware” campaign targeting Ukraine have resulted in significant press coverage regarding not...
See Ya Sharp: A Loaders Tale | McAfee Blogs
ARCHIVED STORY See Ya Sharp: A Loader’s Tale Max Kersten · Aug 04, 2021 Introduction The DotNet-based CyaX-Sharp loader, also known as ReZer0, is known to spread commodity malware, such as AgentTesla. In recent years, this loader has been referenced numerous times, as it was used in campaigns...
Beyond Clubhouse: Vulnerable Agora SDKs Still in Widespread Use | McAfee Blogs
Beyond Clubhouse: Vulnerable Agora SDKs Still in Widespread Use Steve Povolny · FEB 18, 2021 On February 17th, 2021, McAfee disclosed findings based on a 10-month long disclosure process with major video conferencing vendor Agora, Inc. As we disclosed the findings to Agora in April 2020, this...
Operation North Star: Behind The Scenes | McAfee Blogs
ARCHIVED STORY Operation North Star: Behind The Scenes Christiaan Beek · NOV 05, 2020 Executive Summary It is rare to be provided an inside view on how major cyber espionage campaigns are conducted within the digital realm. The only transparency afforded is a limited view of victims, a malware...
On Drovorub: Linux Kernel Security Best Practices | McAfee Blogs
ARCHIVED STORY On Drovorub: Linux Kernel Security Best Practices By ATR Operational Intelligence Team · AUG 13, 2020 Intro In a U.S. government cyber security advisory released today, the National Security Agency and Federal Bureau of Investigation warn of a previously undisclosed piece of Linu...
Tales From the Trenches; a Lockbit Ransomware Story
ARCHIVED STORY Tales From the Trenches; a Lockbit Ransomware Story By ATR Operational Intelligence Team · APR 30, 2020 Co-authored by Marc RiveroLopez. In collaboration with Northwave As we highlighted previously across two blogs, targeted ransomware attacks have increased massively over the past...
Decoding the DNA of Ransomware Attacks: Unveiling the Anatomy Behind the Threat
Decoding the DNA of Ransomware Attacks: Unveiling the Anatomy Behind the Threat By Trellix Advanced Research Center · August 28, 2023 Introduction Ransomware, a malicious software that encrypts valuable data and demands a ransom for its release, has a notorious history marked by its evolution fro...
Trucking on with DotDumper
Trucking on with DotDumper By Trellix · May 11, 2023 This blog was written by Max Kersten On the 11th of August 2022, the initial public version of DotDumper was released. A brief refresh: DotDumper is an open-source automatic unpacker for DotNet Framework targeting files. This blog marks a publi...
Qakbot Evolves to OneNote Malware Distribution
Qakbot Evolves to OneNote Malware Distribution By Pham Duy Phuc, John Fokker J.E. and Alejandro Houspanossian · March 07, 2023 This blog was also written by Raghav Kapoor and Mathanraj Thangaraju Qakbot (aka QBot, QuakBot, and Pinkslipbot) is a sophisticated piece of malware that has been active...
A Door Isn’t a Door When It’s Ajar - Part 2
A Door Isn’t a Door When It’s Ajar - Part II By Trellix · August 18, 2022 This story was also written by Steve Povolny and Sam Quinn Contents Introduction Software Hacking Software Hacking Shopping List Vulnerabilities Discovered CVE-2022-31479: Command injection via the web interface Vulnerable...
PlugX: A Talisman to Behold
PlugX: A Talisman to Behold By Max Kersten, Marc Elias, Leandro Velasco, and Alexandre Mundo Alguacil · March 28, 2022 For over a decade, the PlugX malware has been observed internationally with different variants found around the world. This blog covers a PlugX variant that we have named Talisma...
Netop Vision Pro - Distance Learning Software is 20/20 in Hindsight
ARCHIVED STORY Netop Vision Pro – Distance Learning Software is 20/20 in Hindsight By Sam Quinn · MAR 21, 2021 The McAfee Labs Advanced Threat Research team is committed to uncovering security issues in both software and hardware to help developers provide safer products for...
ATR Team Finds Vulnerability in Agora Video SDK
ARCHIVED STORY Don’t Call Us We’ll Call You: McAfee ATR Finds Vulnerability in Agora Video SDK Douglas McKee · FEB 17, 2021 The McAfee Advanced Threat Research (ATR) team is committed to uncovering security issues in both software and hardware to help developers provide safer products for businesse...
CSI: Evidence Indicators for Targeted Ransomware Attacks - Part II | McAfee Blogs
CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II Christiaan Beek · FEB 20, 2020 In our first article we discussed the growing pattern of targeted ransomware attacks where the first infection stage is often an info-stealer kind of malware used to gain credentials/access to...
Avaya Deskphone: Decade-Old Vulnerability Found in Phone's Firmware
ARCHIVED STORY Avaya Deskphone: Decade-Old Vulnerability Found in Phone’s Firmware By Philippe Laulheret · August 08, 2019 Avaya is the second largest VOIP solution provider with an install base covering 90% of the Fortune 100 companies, with products targeting a wide spectrum of...
LockerGoga Ransomware Family Used in Targeted Attacks
ARCHIVED STORY LockerGoga Ransomware Family Used in Targeted Attacks By ATR Operational Intelligence Team · April 29, 2019 Co-authored by Marc RiveroLopez. Initial discovery Once again, we have seen a significant new ransomware family in the news. LockerGoga, which adds new features to the tried...
Introducing pywintrace: A Python Wrapper for ETW
ARCHIVED STORY Introducing pywintrace: A Python Wrapper for ETW By Anthony Berglund, Kevin Boyd · September 19, 2017 Introduction Event Tracing for Windows (ETW) is a lightweight logging facility first introduced with Windows 2000. Originally intended as a software diagnostic, troubleshooting and...