A Flyby on the CFO's Inbox: Spear-Phishing Campaign Targeting Financial Executives with NetBird Deployment
A Flyby on the CFO's Inbox: Spear-Phishing Campaign Targeting Financial Executives with NetBird Deployment By Trellix · May 28, 2025 This blog was written by Srini Seethapathy Trellix wants to acknowledge the quick response from NetBird following our initial findings. NetBird acted immediately to...
Saints Turned Evil
Saints Turned Evil By Sushant Kumar Arya, Daksh Kapur and Rohan Shah · January 02, 2024 Attribution at the Bottom As technology advances, attackers are constantly developing new evasion mechanisms to bypass security products and stay one step ahead of security vendors and their products. We have...
Scanning Danger: Unmasking the Threats of Quishing
Scanning Danger: Unmasking the Threats of Quishing By Shyava Tripathi and Rohan Shah · December 7, 2023 This blog was also written by Raghav Kapoor Phishing, a prevalent cybercrime worldwide, is responsible for as much as 90 percent of data breaches, making it a significant avenue for the theft o...
Discord, I Want to Play a Game
Discord, I Want to Play a Game By Ernesto Fernández Provecho and David Pastor Sanz Threatray · October 16, 2023 Discord is the first choice for gamers when they want to chat with some friends while playing an online computer game. Moreover, it is also a major choice for users that simply want to...
Exploring New Techniques of Fake Browser Updates Leading to NetSupport RAT
Exploring New Techniques of Fake Browser Updates Leading to NetSupport RAT By Jonell Baltazar · August 10, 2023 This blog was also written by Antonio Ribeiro Trellix detected an ongoing campaign using fake Chrome browser updates to lure victims to install a remote administration software tool...
Skuld: The Infostealer that Speaks Golang
Skuld: The Infostealer that Speaks Golang By Ernesto Fernández Provecho · June 13, 2023 In May 2023, the Trellix Advanced Research Center discovered a new Golang stealer, known as Skuld, that compromised systems worldwide, something that security researchers had also noticed. The usage of Golang,...
Using Data Loss Prevention to Prevent Data Leakage via ChatGPT
Using Data Loss Prevention to Prevent Data Leakage via ChatGPT By Zak Krider · April 17, 2023 The rapid advancement of Artificial Intelligence (AI) technology has garnered much attention in recent weeks for its potential to enhance workplace productivity and efficiency. However, this focus on AI...
LockBit3.0: A Threat that Persists
LockBit3.0: A Threat that Persists By Alexandre Mundo · November 17, 2022 LockBit is a very well-known family of ransomware that has created havoc worldwide over the last few years. In March 2022, a new variant of the ransomware was discovered. The LockBit3.0 variant presented with a mix of...
A Door Isn’t a Door When It’s Ajar - Part 3
A Door Isn’t a Door When It’s Ajar - Part III By Trellix · August 25, 2022 This story was also written by Steve Povolny and Sam Quinn Contents Installing OnGuard by Third Party Vendor Exploitation and Hacking the Planet! Putting it all Together Building the Final Demo System The Demo Lessons and...
Is There Really Such a Thing as a Low-Paid Ransomware Operator?
ARCHIVED STORY Is There Really Such a Thing as a Low-Paid Ransomware Operator? By Thibault Seret · October 18, 2021 Introduction Going by recent headlines you could be forgiven for thinking all ransomware operators are raking in millions of ill-gotten dollars each year from their nefarious...
Beyond Clubhouse: Vulnerable Agora SDKs Still in Widespread Use | McAfee Blogs
Beyond Clubhouse: Vulnerable Agora SDKs Still in Widespread Use Steve Povolny · FEB 18, 2021 On February 17th, 2021, McAfee disclosed findings based on a 10-month long disclosure process with major video conferencing vendor Agora, Inc. As we disclosed the findings to Agora in April 2020, this...
On Drovorub: Linux Kernel Security Best Practices | McAfee Blogs
ARCHIVED STORY On Drovorub: Linux Kernel Security Best Practices By ATR Operational Intelligence Team · AUG 13, 2020 Intro In a U.S. government cyber security advisory released today, the National Security Agency and Federal Bureau of Investigation warn of a previously undisclosed piece of Linu...
What’s in the Box? Part II: Hacking the iParcelBox
ARCHIVED STORY What’s in the Box? Part II: Hacking the iParcelBox By Steve Povolny · June 18, 2020 Package delivery is just one of those things we take for granted these days. This is especially true in the age of Coronavirus, where e-commerce and at-home deliveries make up a growing portion of...
The Bug Report - January 2026 Edition
The Bug Report – January 2026 Edition By Jonathan Omakun · February 12, 2026 Why am I here? Welcome back to The Bug Report, the post-holiday edition, where we realize that while our resolutions to "go to the gym" have already failed, hackers’ resolutions to "break everything" are going strong. Fo...
The Bug Report - July 2025 Edition
The Bug Report – July 2025 Edition By Jonathan Omakun and Tola Olawale · August 6, 2025 Why am I here? July usually means barbecues, fireworks and pool parties—but this year, it brought something far more explosive: unauthenticated remote code execution, deserialization chaos, and an old-school...
Detecting and Visualizing Lateral Movement Attacks with Trellix XDR
Detecting and Visualizing Lateral Movement Attacks with Trellix Helix Connect By Maulik Maheta and Adithya Chandra · July 17, 2025 Executive summary This blog marks the third installment in our series on detecting and visualizing lateral movement attacks with Trellix Helix Connect. A lateral...
Cyberattack on Democracy: Escalating Cyber Threats Immediately Ahead of Taiwan’s 2024 Presidential Election
Cyberattack on Democracy: Escalating Cyber Threats Immediately Ahead of Taiwan’s 2024 Presidential Election By Anne An · February 13, 2024 Preface Cybersecurity has become an integral part of election security. Nation-state actors and other politically motivated groups are likely to try to...
The evolution of the Kuiper ransomware
Kuiper Ransomware’s Evolution By Trellix · January 17, 2024 This blog was written by Max Kersten The Golang-based Kuiper ransomware is presented as an opportunity for other criminals to make money by ransoming one or more targets. Additionally, RobinHood, the actor behind Kuiper, states that help...
Cybercrooks leveraging anti automation toolkit for phishing campaigns
Cybercrooks Leveraging Anti Automation Toolkit for Phishing Campaigns By Vihar Shah and Rohan Shah · December 18, 2023 Threat actors have a track record of abusing tools hosted on GitHub for malicious purposes. Last year we showed how attackers abused Python’s tarfile module. Trellix Advanced...
Genesis Market No Longer Feeds The Evil Cookie Monster
Genesis Market No Longer Feeds The Evil Cookie Monster By John Fokker, Ernesto Fernández Provecho and Max Kersten · April 05, 2023 We would like to thank Steen Pedersen and Mo Cashman for their remediation advice. On the 4th and the 5th of April, a law enforcement taskforce spanning agencies acro...
Exploiting Tragedy: Fake Donation Scams Amid Earthquake in Turkey & Syria
Exploiting Tragedy: Fake Donation Scams Amid Earthquake in Turkey & Syria By Daksh Kapur · February 23, 2023 Figure 1 image from freepik.com & flaticon.com The recent earthquake that shook Syria and Turkey left a devastating trail of destruction. The whole world has shown its support and...
Trellix Threat Labs Uncovers Critical Flaws in Widely Used Building Access Control System
Trellix Threat Labs Uncovers Critical Flaws in Widely Used Building Access Control System By Trellix · June 9, 2022 This story was also written by Steve Povolny and Sam Quinn. Today at the Hardwear.io Security Trainings and Conference, Trellix Threat Labs is sharing new research into...
Utilizing the Adaptive Defense Model Against Information Stealers
Trellix Global Defenders: Utilizing the Adaptive Defense Model Against Information Stealers By Taylor Mullins · May 23, 2022 Trellix is continuing to observe the continued growth in usage and general availability of Information Stealers that have the functionality to collect passwords, cookies,...
Nation-State Crosshairs: Australia, India & Japan
In The Nation-State Crosshairs: Australia, India & Japan By Trellix · March 28, 2022 Today Trellix and the Center for Strategic and International Studies (CSIS) released a global report, In the Crosshairs: Organizations and Nation-State Cyber Threats, examining security professionals’ mindsets...
Looking Over the Nation-State Actors’ Shoulders
Looking over the nation-state actors’ shoulders: Even they have a difficult day sometimes By Trellix and Marc Elias · February 17, 2022 Have you ever been curious about how nation-state actors operate and what their day-to-day work looks like? This blog reveals some of these details observed base...
Return of Pseudo Ransomware
Return of Pseudo Ransomware By Trellix, Max Kersten and Raj Samani · January 20, 2022 Arnab Roy, Filippo Sitzia and Mo Cashman contributed to the research supporting this blog Recent news reports of a “ransomware” campaign targeting Ukraine has resulted in significant press coverage regarding not...
Finding 0-days with Jackalope
ARCHIVED STORY Finding 0-days with Jackalope By Douglas McKee · September 16, 2021 Overview On March 21st, 2021, the McAfee Enterprise Advanced Threat Research (ATR) team released several vulnerabilities it discovered in the Netop Vision Pro Education software, a popular schooling software used by...
Operation ‘Harvest’: A Deep Dive into a Long-term Campaign
ARCHIVED STORY Operation ‘Harvest’: A Deep Dive into a Long-term Campaign By Christiaan Beek · September 14, 2021 A special thanks to our Professional Services’ IR team, ShadowServer, for historical context on C2 domains, and Thomas Roccia/Leandro Velasco for malware analysis support. Executive...
Babuk: Biting off More than they Could Chew by Aiming to Encrypt VM and *nix Systems? | McAfee Blogs
Babuk: Biting off More than they Could Chew by Aiming to Encrypt VM and *nix Systems? Thibault Seret · JUL 28, 2021 Co-written with Northwave’s Noël Keijzer. Executive Summary For a long time, ransomware gangs were mostly focused on Microsoft Windows operating systems. Yes, we observed the...
Spanish MSSP Targeted by BitPaymer Ransomware
ARCHIVED STORY Spanish MSSP Targeted by BitPaymer Ransomware By ATR Operational Intelligence Team · November 08, 2019 Co-authored by Marc RiveroLopez Initial Discovery This week the news hit that several companies in Spain were hit by a ransomware attack. Ransomware attacks themselves are not new...
Clop Ransomware
ARCHIVED STORY Clop Ransomware Alexandre Mundo · AUG 01, 2019 This new ransomware was discovered by Michael Gillespie on 8 February 2019 and it is still improving over time. This blog will explain the technical details and share information about how this new ransomware family is working. There a...
What’s in the Box?
ARCHIVED STORY What’s in the Box? By Sam Quinn · February 25, 2019 2018 was another record-setting year in the continuing trend for consumer online shopping. With an increase in technology and efficiency, and a decrease in cost and shipping time, consumers have clearly made a statement that...
MacOS Malware Surges as Corporate Usage Grows
MacOS Malware Surges as Corporate Usage Grows By Ilya Kolmanovich, Prashant Kadam and Duy-Phuc Pham · October 30, 2024 This blog was also written by Joe Malenfant and Max Kersten An apple a day keeps the doctor away. While the age-old expression does have its merits, the malware landscape on...
Unmasking ViperSoftX: In-Depth Defense Strategies Against AutoIt-Powered Threats
Trellix Global Defenders: Unmasking ViperSoftX: In-Depth Defense Strategies Against AutoIt-Powered Threats By James Murphy · August 29, 2024 There’s a common misconception that threat actors must always write complicated and custom code in every piece of their malware, skilfully evading defenses,...
JAVA-based Sophisticated Stealer Using Discord Bot as EventListener
JAVA-Based Sophisticated Stealer Using Discord Bot as EventListener By Trellix · January 18, 2024 This blog was written by Gurumoorthi Ramanathan Executive Summary: In mid-November 2023, Trellix Advanced Research Center team members observed a Java-based stealer being spread through cracked...
Scanning Danger: Unmasking the Threats of Quishing
Scanning Danger: Unmasking the Threats of Quishing By Shyava Tripathi, Raghav Kapoor and Rohan Shah · December 07, 2023 Phishing, a prevalent cybercrime worldwide, is responsible for as much as 90 percent of data breaches, making it a significant avenue for the theft of sensitive credentials and...
Trellix 2024 Threat Predictions
Trellix 2024 Threat Predictions By Trellix · October 30, 2023 Introduction This last year we have seen upheaval across the cybersecurity landscape. The need for effective, worldwide threat intelligence continues to grow as geopolitical and economic developments create an increasingly complicated...
ICYMI: Emotet Reappeared Early This Year, Unfortunately
ICYMI: Emotet Reappeared Early This Year, Unfortunately By Adithya Chandra and Joao Marques · September 1, 2023 This blog was also written by Raghav Kapoor Executive Summary Emotet first appeared in 2014 and continues to be a dangerous and resilient malware, despite attempts by law enforcement...
Uncover the Hidden Story of Ransomware Victims – They’re Not Who You Think
Uncover the Hidden Story of Ransomware Victims – They’re Not Who You Think By Trellix Advanced Research Center · July 31, 2023 Ransomware attacks against large corporations often dominate headlines. High-profile attacks against organizations like Kaseya, Colonial Pipeline, and MOVEit might make y...
Genesis Market No Longer Feeds The Evil Cookie Monster
Genesis Market No Longer Feeds The Evil Cookie Monster By John Fokker and Ernesto Fernández Provecho · April 05, 2023 This blog was also written by Max Kersten We would like to thank Steen Pedersen and Mo Cashman for their remediation advice. On the 4th and the 5th of April, a law enforcement...
Trellix HAX 2023 Capture the Flag Results!
Trellix HAX 2023 Capture the Flag Results! By Mark Bereza · March 17, 2023 This story was also written by Jesse Chick. All good things must come to an end, and our annual CTF is unfortunately no exception. When this competition began, we asked each of you to try your hand at 12 new challenges –...
Cybercrime Takes Advantage of 2023-Recession with Job-Themed Scams
Cybercrime Takes Advantage of 2023 Recession with Job-Themed Scams By Daksh Kapur · February 28, 2023 Figure 1 image from freepik.com and flaticon.com The current economic climate globally is grim because of the ongoing recession. In this environment, job-themed emails have become a prime target...
We Don’t Just Patch – We Hack
We Don’t Just Patch – We Hack By Trellix · February 1, 2023 This blog was written by Douglas McKee If you have read any security advisories, technology news articles or even our very own Bug Report, you have continually been bombarded with the message to patch, patch, patch! Patching is critical ...
2022 Election Phishing Attacks Target Election Workers
2022 Election Phishing Attacks Target Election Workers By Patrick Flynn, Fred House, Rohan Shah · October 12, 2022 Highly publicized campaign and political party breaches during the 2016 U.S. presidential campaign raised election security as a critical issue among U.S. policy makers in the years...
DotDumper: Automatically Unpacking DotNet based Malware
DotDumper: Automatically Unpacking DotNet Based Malware By Max Kersten · August 11, 2022 The automatic detection and classification of any given file in a reliable manner is often considered the holy grail of malware analysis. The trials and tribulations to get there are plenty, which is why the...
Countering Follina Attack (CVE-2022-30190) with Trellix Intrusion Prevention System’s Advanced Detection Features
Countering Follina Attack (CVE-2022-30190) with Trellix Intrusion Prevention System's Advanced Detection Features By Trellix · July 19, 2022 This blog was also written by Chintan Shah Executive summary During the end of May 2022, independent security researchers reported a vulnerability assigned...
Get to Know Patrick Flynn
Meet Patrick Flynn Head of Advanced Programs Group at Trellix Threat Labs By Michael Alicea · May 24, 2022 At Trellix, we celebrate and champion our people. This week, I sat down with Pat Flynn, Head of Advanced Programs Group for Trellix Threat Labs. His job is a critical one and how he goes abo...
Ukrainian Companies Targeted by Wipers - Impact & Prevention
War, weapons, and wipers By Max Kersten · March 31, 2022 In the recent weeks, Ukrainian companies have been targeted by wipers, likely created by pro-Russian actors. There has been a lot of talk about a “cyber war” and the usage of “cyber weapons.” Whereas the digital domain is certainly abused,...