Lucene search: Trellix, sorted by most viewed

608 matches found

Trellix · added 2022/09/29 · 11 views

Dismantling a Prolific Cybercriminal Empire: REvil Arrests and Reemergence

Dismantling a Prolific Cybercriminal Empire: REvil Arrests and Reemergence By John Fokker · September 29, 2022 We’ve recently seen reports that the REvil ransomware gang is back online after the January 2022 arrests of several of its members by Russian authorities claiming to dismantle the group and...

AI score 7 · Exploits 0

Trellix · added 2022/07/12 · 11 views

Get to Know Fred House

Meet Fred House, Senior Director, Product Detection and Research By Michael Alicea · July 12, 2022 At Trellix, we celebrate and champion our people. For a long time now, I’ve been looking forward to connecting with Fred House, a Senior Director at Trellix Threat Labs and a consummate and “driven”...

AI score 7.3 · Exploits 0

Trellix · added 2022/06/06 · 11 views

Growling Bears Make Thunderous Noise

Growling Bears Make Thunderous Noise By Trellix · June 6, 2022 Per public attribution, Russian cybercriminal groups have always been active. Their tactics, techniques, and procedures (TTPs) have not significantly evolved over time, although some changes have been observed. Lately, the threat...

AI score 7.2 · Exploits 0

Trellix · added 2022/05/17 · 11 views

Get to Know Steve Povolny

Meet Steve Povolny, Head of Advanced Threat Research for Trellix Threat Labs By Trellix · May 17, 2022 This blog was written by Michael Alicea At Trellix, we celebrate and champion our people. This week, I sat down with Steve Povolny, Head of Advanced Threat Research for Trellix Threat Labs. As he...

AI score 6.7 · Exploits 0

Trellix · added 2022/03/28 · 11 views

Detection of ‘Leave Behinds’ From Nation-State Actors

Who left the backdoor open? By Trellix · March 28, 2022 In our recent report, In the Crosshairs: Companies and Nation-State Cyber Threats, over 800 IT decision makers from around the world were interviewed on their experiences with nation-state cyber attacks. One of the questions sought to...

AI score 6.7 · Exploits 0

Trellix · added 2022/03/28 · 11 views

PlugX: A Talisman to Behold

PlugX: A Talisman to Behold By Max Kersten, Marc Elias, Leandro Velasco, and Alexandre Mundo Alguacil · March 28, 2022 For over a decade, the PlugX malware has been observed internationally with different variants found around the world. This blog covers a PlugX variant that we have named Talisma...

AI score 7.5 · Exploits 0

Trellix · added 2022/02/08 · 11 views

Trellix Global Defenders: BlackCat Ransomware as a Service - The Cat is certainly out of the bag!

Trellix Global Defenders: BlackCat Ransomware as a Service - The Cat is certainly out of the bag! By Trellix · February 8, 2022 Research Contributions and Analysis: Filippo Sitzia This story was written by Arnab Roy Threat Summary Blackcat, also known as ALPHV/Noberus, is a Ransomware as a Service...

AI score 0.9 · Exploits 0

Trellix · added 2022/02/07 · 11 views

Trellix Global Defenders: Invasion of the Information Snatchers - Protecting against RedLine Infostealer

Trellix Global Defenders: Invasion of the Information Snatchers - Protecting against RedLine Infostealer By Taylor Mullins · February 7, 2022 What information are you storing in your Browsers? Storing credentials and other important information in web browsers is a helpful method to not have to...

AI score 7.2 · Exploits 0

Trellix · added 2021/08/24 · 11 views

Breaking the Security Barrier of a Globally Deployed Infusion Pump

ARCHIVED STORY Overmedicated: Breaking the Security Barrier of a Globally Deployed Infusion Pump By Douglas McKee, Steve Povolny and Philippe Laulheret · August 24, 2021 Cyberattacks on medical centers are one of the most despicable forms of cyber threat there is. For instance, on October 28th,...

AI score 0.3 · Exploits 0

Trellix · added 2021/07/28 · 11 views

Babuk: Biting off More than they Could Chew by Aiming to Encrypt VM and *nix Systems? | McAfee Blogs

Babuk: Biting off More than they Could Chew by Aiming to Encrypt VM and *nix Systems? Thibault Seret · JUL 28, 2021 Co-written with Northwave’s Noël Keijzer. Executive Summary For a long time, ransomware gangs were mostly focused on Microsoft Windows operating systems. Yes, we observed the...

AI score 7.5 · Exploits 0

Trellix · added 2020/11/05 · 11 views

Operation North Star: Behind The Scenes | McAfee Blogs

ARCHIVED STORY Operation North Star: Behind The Scenes Christiaan Beek · NOV 05, 2020 Executive Summary It is rare to be provided an inside view on how major cyber espionage campaigns are conducted within the digital realm. The only transparency afforded is a limited view of victims, a malware...

AI score 7.3 · Exploits 0

Trellix · added 2020/09/30 · 11 views

Securing Space 4.0 – One Small Step or a Giant Leap? - Part 2

ARCHIVED STORY Securing Space 4.0 – One Small Step or a Giant Leap? Part 2 By Eoin Carroll · September 30, 2020 McAfee Advanced Threat Research (ATR) is collaborating with Cork Institute of Technology (CIT) and its Blackrock Castle Observatory (BCO) and the National Space Center in Cork, Ireland. In th...

AI score 7.4 · Exploits 0

Trellix · added 2020/08/18 · 11 views

‘Insight’ into Home Automation Reveals Vulnerability in Simple IoT Product

ARCHIVED STORY ‘Insight’ into Home Automation Reveals Vulnerability in Simple IoT Product By Douglas McKee · August 18, 2020 Eoin Carroll, Charles McFarland, Kevin McGrath, and Mark Bereza contributed to this report. The Internet of Things promises to make our lives easier. Want to remotely turn...

AI score 8.5 · EPSS 0.03701 · Exploits 0

Trellix · added 2020/03/26 · 11 views

Triton Malware Spearheads Latest Attacks on Industrial Systems | McAfee Blogs

ARCHIVED STORY Triton Malware Spearheads Latest Attacks on Industrial Systems Alexandre Mundo · MAR 26, 2020 Malware that attacks industrial control systems (ICS), such as the Stuxnet campaign in 2010, is a serious threat. This class of cyber sabotage can spy on, disrupt, or destroy systems that...

AI score 7.4 · Exploits 0

Trellix · added 2020/01/08 · 11 views

Iran Cyber Threat Update

ARCHIVED STORY Iran Cyber Threat Update By Trellix · January 08, 2020 Recent political tensions in the Middle East region have led to significant speculation of increased cyber-related activities. McAfee is on a heightened state of alert to monitor the evolving threats and rapidly implement...

AI score 7.2 · Exploits 0

Trellix · added 2019/05/30 · 11 views

Mr. Coffee with WeMo: Double Roast

ARCHIVED STORY Mr. Coffee with WeMo: Double Roast By Sam Quinn · May 30, 2019 McAfee Advanced Threat Research recently released a blog detailing a vulnerability in the Mr. Coffee Coffee Maker with WeMo. Please refer to the earlier blog to catch up with the processes and techniques I used to...

AI score 8.5 · Exploits 0

Trellix · added 2019/02/19 · 11 views

Ryuk, Exploring the Human Connection

ARCHIVED STORY Ryuk, Exploring the Human Connection By John Fokker · February 19, 2019 In collaboration with Bill Siegel and Alex Holdtman from Coveware At the beginning of 2019, McAfee ATR published an article describing how the hasty attribution of Ryuk ransomware to North Korea was missing the...

AI score 7.2 · Exploits 0

Trellix · added 2018/10/30 · 11 views

Fallout Exploit Kit Releases the Kraken Ransomware on Its Victims

ARCHIVED STORY Fallout Exploit Kit Releases the Kraken Ransomware on Its Victims By John Fokker · October 30, 2018 Alexandr Solad and Daniel Hatheway of Recorded Future are coauthors of this post. Read Recorded Future’s version of this analysis. Rising from the deep, Kraken Cryptor ransomware has...

AI score 0.3 · Exploits 0

Trellix · added 2018/06/18 · 11 views

Apply MITRE’s ‘ATT&CK’ Model to Check Your Defenses

ARCHIVED STORY Apply MITRE’s ‘ATT&CK’ Model to Check Your Defenses By Trellix · June 18, 2018 Every week we read about adversaries attacking their targets as part of online criminal campaigns. Information gathering, strategic advantage, and theft of intellectual property are some of the...

AI score 7 · Exploits 0

Trellix · added 2017/12/17 · 11 views

Operation Dragonfly Analysis Suggests Links to Earlier Attacks

ARCHIVED STORY Operation Dragonfly Analysis Suggests Links to Earlier Attacks By Trellix · December 17, 2017 On September 6, Symantec published details of the Dragonfly campaign, which targeted dozens of energy companies throughout 2017. This attack was effectively Dragonfly 2.0, an update to a...

AI score 7.5 · Exploits 0

Trellix · added 2016/05/20 · 11 views

Attacks on SWIFT Banking System Benefit From Insider Knowledge

ARCHIVED STORY Attacks on SWIFT Banking System Benefit From Insider Knowledge By Trellix · May 20, 2016 In recent months, we’ve seen headlines about the compromise of a bank in Bangladesh from which cybercriminals attempted to steal US$951 million. The malware they used was able to manipulate and...

AI score 7.3 · Exploits 0

Trellix · added 2025/10/22 · 10 views

SideWinder's Shifting Sands: Click Once for Espionage

SideWinder's Shifting Sands: Click Once for Espionage By Ernesto Fernández Provecho and Pham Duy Phuc · October 22, 2025 In September 2025, the Trellix Advanced Research Center (ARC) detected a campaign targeting a European embassy located in New Delhi, India. Further investigation led to the...

CVSS 9.3 · AI score 8.5 · EPSS 0.99933 · Exploits 29

Trellix · added 2025/08/19 · 10 views

Dark Web Roast - July 2025 Edition

Dark Web Roast - July 2025 Edition By Trellix Advanced Research Center · August 19, 2025 Executive Summary July 2025 delivered a masterclass in cybercriminal mediocrity that would make even the most charitable threat intelligence analyst weep into their coffee. After extensive hunts across the da...

AI score 6.8 · Exploits 0

Trellix · added 2025/08/18 · 10 views

The Coordinated Embassy Hunt: Unmasking the DPRK-linked GitHub C2 Espionage Campaign

The Coordinated Embassy Hunt: Unmasking the DPRK-linked GitHub C2 Espionage Campaign By Pham Duy Phuc and Alex Lanstein · August 18, 2025 The Trellix Advanced Research Center uncovered a sophisticated espionage operation targeting diplomatic missions across several regions in South Korea during...

AI score 6.1 · Exploits 0

Trellix · added 2025/04/21 · 10 views

A Deep Dive into the Latest Version of Lumma InfoStealer

Unmasking the Evolving Threat: A Deep Dive into the Latest Version of Lumma InfoStealer with Code Flow Obfuscation By Mohideen Abdul Khader · April 21, 2025 Summary Lumma Stealer, first identified in 2022, remains a significant threat to this day, continuously evolving its tactics, techniques, an...

AI score 6 · Exploits 0

Trellix · added 2024/12/20 · 10 views

Safeguarding Election Integrity: Threat Hunting for the U.S. Elections

Safeguarding Election Integrity: Threat Hunting for the U.S. Elections By Ernesto Provecho and John Fokker · December 20, 2024 This blog was also written by Max Kersten With 2024 being a major election year globally, the stakes for election security were and remain high. More than 60 countries,...

AI score 7.1 · Exploits 0

Trellix · added 2024/11/07 · 10 views

New Stealer Uses Invalid Cert To Compromise Systems

New Stealer Uses Invalid Cert To Compromise Systems By Mohinder Gill, Mallikarjun Wali and Sangram Mohapatro · November 07, 2024 A new Stealer has been making the rounds. Its name: Fickle. Fickle Stealer is a new Rust-based information stealer that spreads through various attack vectors, includin...

AI score 7.2 · Exploits 0

Trellix · added 2024/06/17 · 10 views

Info Stealing Campaign Uses DLL Sideloading Through Legitimate Cisco Webex’s Binaries for Initial Execution and Defense Evasion

Info Stealing Campaign Uses DLL Sideloading Through Legitimate Cisco Webex’s Binaries for Initial Execution and Defense Evasion By Ale Houspanossian · June 17, 2024 Case Summary It was a quiet Monday morning in March 2024 when the EDR researchers with our Trellix Advanced Research Center identifi...

AI score 7.9 · Exploits 0

Trellix · added 2023/10/16 · 10 views

Discord, I Want to Play a Game

Discord, I Want to Play a Game By Ernesto Fernández Provecho and David Pastor Sanz (Threatray) · October 16, 2023 Discord is the first choice for gamers when they want to chat with some friends while playing an online computer game. Moreover, it is also a major choice for users that simply want to...

AI score 7.1 · Exploits 0

Trellix · added 2023/09/06 · 10 views

QakBot's Endgame: The Final Move Before the Takedown

QakBot's Endgame: The Final Move Before the Takedown By Daksh Kapur, Nico Paulo Yturriaga and Alfred Alvarado · September 06, 2023 (Figure 1, attribution at the bottom) Qakbot, known under aliases like QBot, QuakBot, and Pinkslipbot, represents an intricately advanced malware strain that has...

AI score 7.8 · Exploits 0

Trellix · added 2023/09/05 · 10 views

Supply Chain Security Leaders Collaborate to Help Developers Choose Open-Source

Supply Chain Security Leaders Collaborate to Help Developers Choose Open-Source By Trellix, Checkmarx and Illustria · September 05, 2023 Working together to keep open source safe At the beginning of 2023, top researchers from industry-leading companies established the Supply Chain Attack Research...

AI score 6.9 · Exploits 0

Trellix · added 2023/08/07 · 10 views

AI is the Solution, Not the Problem

AI is the Solution, Not the Problem By Trellix · August 07, 2023 This story was also written by Oded Margalit. AI (Artificial Intelligence) / ML (Machine Learning) has recently been painted as the master evil. In this blog I would like to suggest a different view, where we can use it to make a better...

AI score 6.7 · Exploits 0

Trellix · added 2023/03/09 · 10 views

ChatGPT: A tool for offensive cyber operations?! Not so fast!

ChatGPT: A tool for offensive cyber operations?! Not so fast! By Trellix · March 09, 2023 This story was also written by John Rodriguez. To ChatGPT or to not ChatGPT? That is a predominant question in the cyber landscape these days. It’s no surprise that AI bots have taken society by storm. On th...

AI score 7.3 · Exploits 0

Trellix · added 2022/08/25 · 10 views

Get to Know Anne An

Meet Anne An, Senior Security Researcher By Trellix · August 25, 2022 This blog was written by Michael Alicea At Trellix, we celebrate and champion our people. I’ve been hearing a lot recently about one of my colleagues, Anne An. My sources tell me she is a highly technical and “intuitive”...

AI score 6.8 · Exploits 0

Trellix · added 2022/04/28 · 10 views

Get To Know John Fokker

Meet John Fokker, Head of Cyber Investigations for Trellix Threat Labs By Trellix · April 28, 2022 This blog was written by Michael Alicea At Trellix, we celebrate and champion our people. This week, I sat down with John Fokker, Head of Cyber Investigations for Trellix Threat Labs and one of the...

AI score 6.4 · Exploits 0

Trellix · added 2022/03/28 · 10 views

Nation-State Crosshairs: France, Germany & United Kingdom

In the Nation-State Crosshairs: France, Germany & the United Kingdom By Trellix · March 28, 2022 Today Trellix and the Center for Strategic and International Studies (CSIS) released a global report, In the Crosshairs: Organizations and Nation-State Cyber Threats, examining security professionals’...

AI score 0.7 · Exploits 0

Trellix · added 2022/03/28 · 10 views

Executive Summary: Organizations and Nation-State Cyber Threats

Executive Summary: Organizations and Nation-State Cyber Threats By John Fokker · March 28, 2022 Traditionally when we talk about threat actors, we first need to make the split between cybercrime and nation-state sponsored operations. Where cybercrime is mostly focused on financial gain,...

AI score 7.2 · Exploits 0

Trellix · added 2022/02/28 · 10 views

Trellix “Catmen Sanfrancisco” Capture the Flag Results!

Trellix “Catmen Sanfrancisco” Capture the Flag Results! By Trellix · February 28, 2022 This story was written by Steve Povolny. And just like that, it’s all over! Our annual Capture the Flag contest expired at 11:59pm PST, on February 25th. We wanted to take a moment to thank all of our...

AI score 6.6 · Exploits 0

Trellix · added 2022/02/17 · 10 views

Looking Over the Nation-State Actors’ Shoulders

Looking over the nation-state actors’ shoulders: Even they have a difficult day sometimes By Trellix and Marc Elias · February 17, 2022 Have you ever been curious about how nation-state actors operate and what their day-to-day work looks like? This blog reveals some of these details observed base...

AI score 8.3 · Exploits 0

Trellix · added 2021/09/22 · 10 views

Detecting Credential Stealing Attacks Through Active In-Network Defense

ARCHIVED STORY Detecting Credential Stealing Attacks Through Active In-Network Defense By Chintan Shah · September 22, 2021 Executive Summary Today, enterprises tend to use multiple layers of security defenses, ranging from perimeter defense on network entry points to host based security solution...

AI score 1.1 · Exploits 0

Trellix · added 2021/03/16 · 10 views

Operation Dianxun Cyberespionage Campaign Targeting Telecommunication Companies

ARCHIVED STORY Operation Diànxùn: Cyberespionage Campaign Targeting Telecommunication Companies By Thomas Roccia · MAR 16, 2021 In this report the McAfee Advanced Threat Research (ATR) Strategic Intelligence team details an espionage campaign, targeting telecommunication companies, dubbed Operation...

AI score 7.2 · Exploits 0

Trellix · added 2020/12/17 · 10 views

Additional Analysis into the SUNBURST Backdoor | McAfee Blogs

ARCHIVED STORY Additional Analysis into the SUNBURST Backdoor Christiaan Beek · DEC 17, 2020 Executive Summary There has been considerable focus on the recent disclosures associated with SolarWinds, and while existing analysis on the broader campaign has resulted in detection against specific IoC...

AI score 7.1 · Exploits 0

Trellix · added 2020/08/05 · 10 views

Robot Character Analysis Reveals Trust Issues

ARCHIVED STORY Robot Character Analysis Reveals Trust Issues By Douglas McKee · August 05, 2020 Retired Marine fighter pilot and Top Gun instructor Dave Berke said “Every single thing you do in your life, every decision you make, is an OODA Loop.” OODA Loop? Observe–Orient–Decide–Act, the “OODA...

AI score 7 · Exploits 0

Trellix · added 2020/07/27 · 10 views

Six Hundred Million Reasons to Celebrate: No More Ransom Turns FOUR!!

ARCHIVED STORY Six Hundred Million Reasons to Celebrate: No More Ransom Turns FOUR!! By John Fokker · July 27, 2020 Happy Birthday! Today we mark the fourth anniversary of the NoMoreRansom initiative with over 4.2 million visitors, from 188 countries, stopping an estimated $632 million in ransom...

AI score 7 · Exploits 0

Trellix · added 2020/06/09 · 10 views

RagnarLocker Ransomware Threatens to Release Confidential Information | McAfee Blogs

ARCHIVED STORY RagnarLocker Ransomware Threatens to Release Confidential Information Alexandre Mundo · JUN 09, 2020 EXECUTIVE SUMMARY The RagnarLocker ransomware first appeared in the wild at the end of December 2019 as part of a campaign against compromised networks targeted by its operators. Th...

AI score 7.2 · Exploits 0

Total number of security vulnerabilities: 608