Lucene search: Trellix (sorted by most viewed)

608 matches found

Trellix
added 2022/03/17 12:00 a.m. · 13 views

Suspected DarkHotel APT Activity Update

Suspected DarkHotel APT activity update One Hotel to rule them all, One Hotel to find them, One Hotel to bring them all and in the darkness bind them. By John Fokker · March 17, 2022 This story was also written by Thibault Seret Introduction: Our advanced threat research team has discovered a...

AI score: 7.1
Exploits: 0
Trellix
added 2022/02/28 12:00 a.m. · 13 views

Cyberattacks Targeting Ukraine and HermeticWiper Protections

Trellix Global Defenders: Cyberattacks Targeting Ukraine and HermeticWiper Protections By Taylor Mullins · February 28, 2022 Trellix is monitoring the ongoing cyberattacks targeting the Ukraine and any threat activity targeting entities outside of the Ukraine. Trellix is continuing to add...

AI score: 0.8
Exploits: 0
Trellix
added 2022/01/31 12:00 a.m. · 13 views

Trellix Threat Report: Log4j Attack, Ransomware & APT Threats

Trellix Threat Report: Log4j Attack, Ransomware & APT Threats By Trellix · January 31, 2022 This story was written by Raj Samani. Ransomware continues to threaten enterprises and assets around the globe, but it was the discovery of a new vulnerability affecting widely used Log4j library that...

AI score: 0.1
Exploits: 0
Trellix
added 2022/01/19 12:00 a.m. · 13 views

2022 Threat Predictions

Trellix 2022 Threat Predictions By Trellix · January 19, 2022 Ransomware, nation states, social media, and a shifting reliance on a remote workforce made headlines in 2021, proving that bad actors only continue to rise to the challenge. Defiantly, they thwart solution stacks and gain momentum eac...

AI score: 0.1
Exploits: 0
Trellix
added 2020/06/18 12:00 a.m. · 13 views

My Adventures Hacking the iParcelBox

ARCHIVED STORY My Adventures Hacking the iParcelBox By Sam Quinn · June 18, 2020 In 2019, McAfee Advanced Threat Research ATR disclosed a vulnerability in a product called BoxLock. Sometime after this, the CEO of iParcelBox, a U.K. company, reached out to us and offered to send a few of their...

AI score: 7.7
Exploits: 0
Trellix
added 2020/04/30 12:00 a.m. · 13 views

Tales From the Trenches; a Lockbit Ransomware Story

ARCHIVED STORY Tales From the Trenches; a Lockbit Ransomware Story By ATR Operational Intelligence Team · APR 30, 2020 Co-authored by Marc RiveroLopez. In collaboration with Northwave As we highlighted previously across two blogs, targeted ransomware attacks have increased massively over the past...

AI score: 8.1
Exploits: 0
Trellix
added 2020/02/19 12:00 a.m. · 13 views

Introduction and Application of Model Hacking

ARCHIVED STORY Introduction and Application of Model Hacking By Steve Povolny · February 19, 2020 Catherine Huang, Ph.D., and Shivangee Trivedi contributed to this blog. The term “Adversarial Machine Learning” AML is a mouthful! The term describes a research field regarding the study and design o...

AI score: 7.4
Exploits: 0
Trellix
added 2019/10/20 12:00 a.m. · 13 views

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service - Crescendo

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo By Jessica Saavedra-Morales · October 20, 2019 Episode 4: Crescendo This is the final installment of the McAfee Advanced Threat Research ATR analysis of Sodinokibi and its connections to GandCrab, the most prolific...

AI score: 7.4
Exploits: 0
Trellix
added 2019/10/14 12:00 a.m. · 13 views

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Follow The Money

ARCHIVED STORY McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Follow The Money By John Fokker · October 14, 2019 Episode 3: Follow the Money This is the third installment of the McAfee Advanced Threat Research ATR analysis of Sodinokibi and its connections to GandCrab, the mos...

Exploits: 0
Trellix
added 2019/06/20 12:00 a.m. · 13 views

In NTDLL I Trust – Process Reimaging and Endpoint Security Solution Bypass

ARCHIVED STORY In NTDLL I Trust – Process Reimaging and Endpoint Security Solution Bypass By Eoin Carroll · June 20, 2019 Process Reimaging Overview The Windows Operating System has inconsistencies in how it determines process image FILEOBJECT locations, which impacts non-EDR Endpoint Detection a...

AI score: 8.1
Exploits: 0
Trellix
added 2019/01/08 12:00 a.m. · 13 views

Digging Up the Past: Windows Registry Forensics Revisited

ARCHIVED STORY Digging Up the Past: Windows Registry Forensics Revisited By David Via · Jan 08, 2019 Introduction FireEye consultants frequently utilize Windows registry data when performing forensic analysis of computer networks as part of incident response and compromise assessment missions. Th...

AI score: 0.2
Exploits: 0
Trellix
added 2018/12/19 12:00 a.m. · 13 views

Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems

ARCHIVED STORY Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems By Thomas Roccia · December 19, 2018 Last week the McAfee Advanced Threat Research team posted an analysis of a new wave of Shamoon “wiper” malware attacks that struck several companies in the Middle East and Europe. In...

AI score: 7
Exploits: 0
Trellix
added 2018/06/18 12:00 a.m. · 13 views

Apply MITRE’s ‘ATT&CK’ Model to Check Your Defenses

ARCHIVED STORY Apply MITRE’s ‘ATT&CK’ Model to Check Your Defenses By Trellix · June 18, 2018 Every week we read about adversaries attacking their targets as part of online criminal campaigns. Information gathering, strategic advantage, and theft of intellectual property are some of the...

Exploits: 0
Trellix
added 2017/10/24 12:00 a.m. · 13 views

‘BadRabbit’ Ransomware Burrows Into Russia, Ukraine

ARCHIVED STORY ‘BadRabbit’ Ransomware Burrows Into Russia, Ukraine By Raj Samani · October 24, 2017 This post was researched and written by Tim Hux, David Marcus, Charles McFarland, Douglas McKee, and Raj Samani. McAfee is currently investigating a ransomware campaign known as BadRabbit, which...

AI score: 7.5
Exploits: 0
Trellix
added 2016/12/19 12:00 a.m. · 13 views

‘Popcorn Time’ Ransomware Sure to Cause Indigestion

ARCHIVED STORY ‘Popcorn Time’ Ransomware Sure to Cause Indigestion By Tim Hux · December 19, 2016 In early December the new ransomware “Popcorn Time” was discovered. It gives the victim the option of paying the ransom or infecting two other individuals and getting them to pay. “Popcorn Time” is a...

AI score: 7.5
Exploits: 0
Trellix
added 2016/05/20 12:00 a.m. · 13 views

Attacks on SWIFT Banking System Benefit From Insider Knowledge

ARCHIVED STORY Attacks on SWIFT Banking System Benefit From Insider Knowledge By Trellix · May 20, 2016 In recent months, we’ve seen headlines about the compromise of a bank in Bangladesh from which cybercriminals attempted to steal US$951 million. The malware they used was able to manipulate and...

AI score: 7.3
Exploits: 0
Trellix
added 2025/07/23 12:00 a.m. · 12 views

Critical SharePoint Vulnerabilities Under Active Exploitation

Critical SharePoint Vulnerabilities Under Active Exploitation By Jeffrey Sman, Mo Cashman and Marc Bolz Robinson · July 23, 2025 On-premises Microsoft SharePoint servers are currently facing high-impact, ongoing threat activity due to a set of critical vulnerabilities, notably CVE-2025-49704,...

CVSS: 9.8 · AI score: 10 · EPSS: 0.99982
Exploits: 41
Trellix
added 2025/07/01 12:00 a.m. · 12 views

The Bug Report - June 2025 Edition

The Bug Report - June 2025 Edition By Jonathan Omakun · July 1, 2025 Why am I here? Welcome to the June 2025 edition of The Bug Report from the Trellix Advanced Research Center, where the only thing hotter than your CPU fan is the vulnerability feed. As the temperature rises and the air condition...

CVSS: 8.8 · AI score: 9.3 · EPSS: 0.81558
Exploits: 16
Trellix
added 2023/09/05 12:00 a.m. · 12 views

Supply Chain Security Leaders Collaborate to Help Developers Choose Open-Source

Supply Chain Security Leaders Collaborate to Help Developers Choose Open-Source By Trellix, Checkmarx and Illustria · September 05, 2023 Working together to keep open source safe At the beginning of 2023, top researchers from industry-leading companies established the Supply Chain Attack Research...

AI score: 7
Exploits: 0
Trellix
added 2023/04/03 12:00 a.m. · 12 views

A Royal Analysis of Royal Ransom

A Royal Analysis of Royal Ransom By Trellix · April 3, 2023 This blog was also written by Alexandre Mundo and Max Kersten We would like to thank Advanced Cyber Services team within Trellix Professional Services for the incident response-related data. Emerging in early 2022 as a private group whic...

AI score: 7.2
Exploits: 0
Trellix
added 2023/02/08 12:00 a.m. · 12 views

No More Macros? Better Watch Your Search Results!

No More Macros? Better Watch Your Search Results! By Pham Duy Phuc and Max Kersten · February 08, 2023 Threat actors often rely on the same techniques until their hand is forced, usually due to defensive changes or chance-based opportunities, to leverage a new technique. Malicious macros in...

AI score: 7.8
Exploits: 0
Trellix
added 2022/11/15 12:00 a.m. · 12 views

Wipermania: An All You Can Wipe Buffet

Wipermania: An All You Can Wipe Buffet By Max Kersten · November 15, 2022 In early 2022, Ukrainian companies were struck by multiple destructive wipers, attacking various organizations across sectors. This raised questions about the usage and impact of “digital weapons” within the security...

AI score: 7.2
Exploits: 0
Trellix
added 2022/08/25 12:00 a.m. · 12 views

A Door Isn’t a Door When It’s Ajar - Part 3

A Door Isn’t a Door When It’s Ajar - Part III By Trellix · August 25, 2022 This story was also written by Steve Povolny and Sam Quinn Contents Installing OnGuard by Third Party Vendor Exploitation and Hacking the Planet! Putting it all Together Building the Final Demo System The Demo Lessons and...

AI score: 7.7
Exploits: 0
Trellix
added 2022/06/23 12:00 a.m. · 12 views

The Sound of Malware

The Sound of Malware By Trellix · June 23, 2022 Do, a debugger, you often use Re, a reverse engineer Mi, a name, I call myself Anyways…. By now, you must be very thankful I reminded you of this famous song; I am sure it will be stuck in your head the rest of the day. You’re welcome! Confused on h...

AI score: 7.1
Exploits: 0
Trellix
added 2022/05/03 12:00 a.m. · 12 views

The Hermit Kingdom’s Ransomware Play

The Hermit Kingdom’s Ransomware play By Trellix · May 3, 2022 With a special thanks to @ValidHorizon who helped and shared information In February 2016, news broke about what is now known as the ‘Bangladesh Bank Heist’. Hackers attempted to transfer nearly one billion USD through the SWIFT system...

AI score: 7.6
Exploits: 0
Trellix
added 2022/04/20 12:00 a.m. · 12 views

Conti Group Targets ESXi Hypervisors With its Linux Variant

Conti Group Targets ESXi Hypervisors With its Linux Variant By Marc Elias, Jambul Tologonov and Alexandre Mundo · Apr 20, 2022 Despite the leak of the conversations of the Conti members that happened in March 2022, which we analyzed and published recently, the group seems to continue its operatio...

AI score: 0.2
Exploits: 0
Trellix
added 2022/04/20 12:00 a.m. · 12 views

Conti Group Targets ESXi Hypervisors With its Linux Variant

Conti Group Targets ESXi Hypervisors With its Linux Variant By Marc Elias, Jambul Tologonov and Alexandre Mundo · Apr 20, 2022 Despite the leak of the conversations of the Conti members that happened in March 2022, which we analyzed and published recently, the group seems to continue its operatio...

AI score: 7
Exploits: 0
Trellix
added 2022/04/07 12:00 a.m. · 12 views

5G: The Final Frontier

5G: The Final Frontier This story was written by Kevin Mcgrath · April 7th, 2022 Today Trellix Threat Labs is excited to announce the release of a whitepaper dedicated to 5G and its potential security concerns. As we look at the potential of 5G, we foresee it impacting nearly every facet of digit...

AI score: 7.2
Exploits: 0
Trellix
added 2022/02/28 12:00 a.m. · 12 views

Trellix “Catmen Sanfrancisco” Capture the Flag Results!

Trellix “Catmen Sanfrancisco” Capture the Flag Results! By Trellix · February 28, 2022 This story was written by Steve Povolny. And just like that, it’s all over! Our annual Capture the Flag contest expired at 11:59pm PST, on February 25th. We wanted to take a moment to thank all of our...

AI score: 7.1
Exploits: 0
Trellix
added 2022/02/01 12:00 a.m. · 12 views

Trellix Launches Annual CTF Competition – Catmen Sanfrancisco!

Trellix Launches Annual CTF Competition – Catmen Sanfrancisco! By Trellix · February 1, 2022 This story was written by Steve Povolny. The Advanced Threat Research team, now with Trellix, is pleased to announce the return of our second annual Capture the Flag contest featuring 12 new challenges of...

AI score: 6.9
Exploits: 0
Trellix
added 2022/01/20 12:00 a.m. · 12 views

Update on WhisperGate, Destructive Malware Targeting Ukraine – Threat Intelligence & Protections Update

Update on WhisperGate, Destructive Malware Targeting Ukraine – Threat Intelligence & Protections Update By Taylor Mullins, Mo Cashman and Raj Samani · January 20, 2022 Recent news reports of a “ransomware” campaign targeting Ukraine has resulted in significant press coverage regarding not only...

AI score: 7.8
Exploits: 0
Trellix
added 2022/01/19 12:00 a.m. · 12 views

2022 Threat Predictions

Trellix 2022 Threat Predictions By Trellix · January 19, 2022 Ransomware, nation states, social media, and a shifting reliance on a remote workforce made headlines in 2021, proving that bad actors only continue to rise to the challenge. Defiantly, they thwart solution stacks and gain momentum eac...

AI score: 7.6
Exploits: 0
Trellix
added 2021/10/31 12:00 a.m. · 12 views

Nation States Will Weaponize Social and Recruit Bad Guys with Benefits in 2022

ARCHIVED STORY Nation States Will Weaponize Social and Recruit Bad Guys with Benefits in 2022 By Raj Samani · October 31, 2021 McAfee Enterprise and FireEye recently released its 2022 Threat Predictions. In this blog, we take a deeper dive into the continuingly aggressive role Nation States will...

AI score: 7.5
Exploits: 0
Trellix
added 2021/03/08 12:00 a.m. · 12 views

McAfee ATR Thinks in Graphs

ARCHIVED STORY McAfee ATR Thinks in Graphs By Valentine Mairet · MAR 08, 2021 · 19 MIN READ 0. Introduction John Lambert, a distinguished researcher specializing in threat intelligence at Microsoft, once said these words that changed perspectives: “Defenders think in lists. Attackers think in...

AI score: 6.4
Exploits: 0
Trellix
added 2020/08/25 12:00 a.m. · 12 views

Dopple-Ganging Up on Facial Recognition

ARCHIVED STORY Dopple-ganging up on Facial Recognition Systems By Steve Povolny · August 25, 2020 Co-authored with Jesse Chick, OSU Senior and Former McAfee Intern, Primary Researcher. Special thanks to Dr. Catherine Huang, McAfee Advanced Analytics Team Special thanks to Kyle Baldes, Former McAf...

AI score: 6.3
Exploits: 0
Trellix
added 2020/08/25 12:00 a.m. · 12 views

Dopple-Ganging Up on Facial Recognition

ARCHIVED STORY Dopple-ganging up on Facial Recognition Systems By Steve Povolny · August 25, 2020 Co-authored with Jesse Chick, OSU Senior and Former McAfee Intern, Primary Researcher. Special thanks to Dr. Catherine Huang, McAfee Advanced Analytics Team Special thanks to Kyle Baldes, Former McAf...

AI score: 0.2
Exploits: 0
Trellix
added 2020/06/18 12:00 a.m. · 12 views

What’s in the Box? Part II: Hacking the iParcelBox

ARCHIVED STORY What’s in the Box? Part II: Hacking the iParcelBox By Steve Povolny · June 18, 2020 Package delivery is just one of those things we take for granted these days. This is especially true in the age of Coronavirus, where e-commerce and at-home deliveries make up a growing portion of...

AI score: 7
Exploits: 0
Trellix
added 2020/02/20 12:00 a.m. · 12 views

Our Experiences Participating in Microsoft’s Azure Sphere Bounty Program

CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II Christiaan Beek · FEB 20, 2020 In our first article we discussed the growing pattern of targeted ransomware attacks where the first infection stage is often an info-stealer kind of malware used to gain credentials/access to...

Exploits: 0
Trellix
added 2020/02/19 12:00 a.m. · 12 views

Introduction and Application of Model Hacking

ARCHIVED STORY Introduction and Application of Model Hacking By Steve Povolny · February 19, 2020 Catherine Huang, Ph.D., and Shivangee Trivedi contributed to this blog. The term “Adversarial Machine Learning” AML is a mouthful! The term describes a research field regarding the study and design o...

AI score: 0.4
Exploits: 0
Trellix
added 2020/02/12 12:00 a.m. · 12 views

CSI Evidence Indicators for Targeted Ransomware Attacks

ARCHIVED STORY CSI: Evidence Indicators for Targeted Ransomware Attacks – Part I By Trellix · February 12, 2020 For many years now I have been working and teaching in the field of digital forensics, malware analysis and threat intelligence. During one of the classes we always talk about Locard’s...

AI score: 0.4
Exploits: 0
Trellix
added 2019/11/08 12:00 a.m. · 12 views

Spanish MSSP Targeted by BitPaymer Ransomware

ARCHIVED STORY Spanish MSSP Targeted by BitPaymer Ransomware By ATR Operational Intelligence Team · November 08, 2019 Co-authored by Marc RiveroLopez Initial Discovery This week the news hit that several companies in Spain were hit by a ransomware attack. Ransomware attacks themselves are not new...

AI score: 7.3
Exploits: 0
Trellix
added 2019/10/20 12:00 a.m. · 12 views

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service - Crescendo

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo By Jessica Saavedra-Morales · October 20, 2019 Episode 4: Crescendo This is the final installment of the McAfee Advanced Threat Research ATR analysis of Sodinokibi and its connections to GandCrab, the most prolific...

AI score: 0.9
Exploits: 0
Trellix
added 2019/06/20 12:00 a.m. · 12 views

In NTDLL I Trust – Process Reimaging and Endpoint Security Solution Bypass

ARCHIVED STORY In NTDLL I Trust – Process Reimaging and Endpoint Security Solution Bypass By Eoin Carroll · June 20, 2019 Process Reimaging Overview The Windows Operating System has inconsistencies in how it determines process image FILEOBJECT locations, which impacts non-EDR Endpoint Detection a...

AI score: 8.1
Exploits: 0
Trellix
added 2019/01/09 12:00 a.m. · 12 views

Ryuk Ransomware Attack: Rush to Attribution Misses the Point

ARCHIVED STORY Ryuk Ransomware Attack: Rush to Attribution Misses the Point By John Fokker · January 09, 2019 Senior analyst Ryan Sherstobitoff contributed to this report. During the past week, an outbreak of Ryuk ransomware that impeded newspaper printing services in the United States has garner...

AI score: 7.3
Exploits: 0
Trellix
added 2018/08/08 12:00 a.m. · 12 views

BIOS Boots What? Finding Evil in Boot Code at Scale!

ARCHIVED STORY BIOS Boots What? Finding Evil in Boot Code at Scale! By Ryan Fisher, Andrew Davis · August 08, 2018 Malware continues to take advantage of a legacy component of modern systems designed in the 1980s. Despite the cyber threat landscape continuing to evolve at an ever-increasing pace,...

AI score: 6.9
Exploits: 0
Trellix
added 2017/10/12 12:00 a.m. · 12 views

Taiwan Bank Heist and the Role of Pseudo Ransomware

ARCHIVED STORY Taiwan Bank Heist and the Role of Pseudo Ransomware By Trellix · October 12, 2017 Widespread reports claim the Far Eastern International Bank in Taiwan has become a victim of hacking. The attacks demonstrate the global nature of cybercrime, with the cybercriminals attempting to wir...

AI score: 0.4
Exploits: 0
Trellix
added 2024/11/14 12:00 a.m. · 11 views

AIOps - Revolutionizing Incident Management with Advanced Automation and LLM Integration

AIOps - Revolutionizing Incident Management with Advanced Automation and LLM Integration By Trellix · November 14, 2024 Contributed by Chalapathy Jampal, Siddhesh Shinde, Alagiri Annadurai, Lakshmi Ram Teja Eluri and Anil Pokhrel Managing infrastructure and applications across a complex IT...

AI score: 6.7
Exploits: 0
Trellix
added 2023/03/17 12:00 a.m. · 11 views

Trellix HAX 2023 Capture the Flag Results!

Trellix HAX 2023 Capture the Flag Results! By Mark Bereza · March 17, 2023 This story was also written by Jesse Chick. All good things must come to an end, and our annual CTF is unfortunately no exception. When this competition began, we asked each of you to try your hand at 12 new challenges –...

AI score: 7
Exploits: 0
Trellix
added 2022/11/17 12:00 a.m. · 11 views

LockBit3.0: A Threat that Persists

LockBit3.0: A Threat that Persists By Trellix · November 17, 2022 This blog was written by Alexandre Mundo LockBit is a very well-known family of ransomware that has created havoc worldwide over the last few years. In March 2022, a new variant of the ransomware was discovered. The LockBit3.0...

AI score: 7.1
Exploits: 0
Trellix
added 2022/10/06 12:00 a.m. · 11 views

Evolution of BazarCall Social Engineering Tactics

Evolution of BazarCall Social Engineering Tactics By Daksh Kapur · October 6, 2022 What is BazarCall? As nicely defined in this article by Microsoft: BazarCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. It’s ...

AI score: 0.3
Exploits: 0
Total number of security vulnerabilities: 608