
608 matches found

Trellix · added 2025/08/14 · 13 views

A Comprehensive Analysis of HijackLoader and its Infection Chain

A Comprehensive Analysis of HijackLoader and Its Infection Chain By Ryan Weil · August 14, 2025 Initial contact Dodi Repacks is a website that distributes pirated games. The site is listed as safe/trusted on various piracy forums, and users say that "as long as you have an adblocker installed suc...

AI score 5.8 · Exploits 0
Trellix · added 2025/08/12 · 8 views

Exposing PathWiper: DCOM Abuse and Network Erasure

Exposing PathWiper: A Deep Dive into DCOM Abuse and Network Erasure With Trellix NDR By Maulik Maheta and Lishoy Mathew · August 12, 2025 Executive summary Ukraine’s national energy and telecommunications infrastructure was the primary target of the PathWiper attack in 2025. The attack was...

AI score 6.1 · Exploits 0
Trellix · added 2025/08/06 · 16 views

The Bug Report - July 2025 Edition

The Bug Report – July 2025 Edition By Jonathan Omakun and Tola Olawale · August 6, 2025 Why am I here? July usually means barbecues, fireworks and pool parties—but this year, it brought something far more explosive: unauthenticated remote code execution, deserialization chaos, and an old-school...

CVSS 9.8 · AI score 9.8 · EPSS 0.99982 · Exploits 59
Trellix · added 2025/08/05 · 7 views

Gang Wars: Breaking Trust Among Cyber Criminals

Gang Wars: Breaking Trust Among Cyber Criminals By John Fokker and Jambul Tologonov · August 5, 2025 Introduction In the final, unforgettable scene of the film Reservoir Dogs , a group of criminals — once united by a common goal — stand in a Mexican standoff, guns drawn, hearts pounding. Suspicio...

AI score 5.8 · Exploits 0
Trellix · added 2025/07/28 · 5 views

Let’s Be Objective: A Deep Dive into 0bj3ctivityStealer's Features

Let’s Be Objective: A Deep Dive into 0bj3ctivityStealer's Features By Ernesto Fernández Provecho · July 28, 2025 The infostealer landscape keeps evolving year over year, and we are beginning to observe new features, targeting more applications and data, and the implementation of new obfuscation a...

AI score 5.8 · Exploits 0
Trellix · added 2025/07/23 · 12 views

Critical SharePoint Vulnerabilities Under Active Exploitation

Critical SharePoint Vulnerabilities Under Active Exploitation By Jeffrey Sman, Mo Cashman and Marc Bolz Robinson · July 23, 2025 On-premises Microsoft SharePoint servers are currently facing high-impact, ongoing threat activity due to a set of critical vulnerabilities, notably CVE-2025-49704,...

CVSS 9.8 · AI score 10 · EPSS 0.99982 · Exploits 41
Trellix · added 2025/07/21 · 6 views

Dark Web Roast - June 2025 Edition

Dark Web Roast - June 2025 Edition By Trellix Advanced Research Center · July 21, 2025 Executive Summary Welcome to the very first Dark Web Roast! Each month, we're going to take a peek into the shadowy world of cybercrime and playfully "roast" some of its characters, all with a little help from...

AI score 5.9 · Exploits 0
Trellix · added 2025/07/17 · 16 views

Detecting and Visualizing Lateral Movement Attacks with Trellix XDR

Detecting and Visualizing Lateral Movement Attacks with Trellix Helix Connect By Maulik Maheta and Adithya Chandra · July 17, 2025 Executive summary This blog marks the third installment in our series on detecting and visualizing lateral movement attacks with Trellix Helix Connect. A lateral...

AI score 6.2 · Exploits 0
Trellix · added 2025/07/17 · 5 views

Detecting and Visualizing Lateral Movement Attacks with Trellix Helix Connect

Detecting and Visualizing Lateral Movement Attacks with Trellix Helix Connect By Maulik Maheta and Adithya Chandra · July 17, 2025 Executive summary This blog marks the third installment in our series on detecting and visualizing lateral movement attacks with Trellix Helix Connect. A lateral...

AI score 6.2 · Exploits 0
Trellix · added 2025/07/15 · 19 views

Threat Analysis: SquidLoader - Still Swimming Under the Radar

Threat Analysis: SquidLoader - Still Swimming Under the Radar By Charles Crofford · July 15, 2025 Executive summary A new wave of SquidLoader malware samples is actively targeting financial services institutions in Hong Kong. This sophisticated malware exhibits significant evasion capabilities,...

AI score 6 · Exploits 0
Trellix · added 2025/07/08 · 5 views

From Click to Compromise: Unveiling the Sophisticated Attack of DoNot APT Group on Southern European Government Entities

From Click to Compromise: Unveiling the Sophisticated Attack of DoNot APT Group on Southern European Government Entities By Aniket Choukde, Aparna Aripirala, Alisha Kadam, Akhil Reddy, Pham Duy Phuc and Alex Lanstein · July 8, 2025 Introduction The DoNot APT group, also identified by various...

AI score 7.3 · Exploits 0
Trellix · added 2025/07/01 · 8 views

Automagic Reverse Engineering

Automagic Reverse Engineering By Trellix · July 1, 2025 This blog was written by Max Kersten Over the last few years, I have looked into methods to improve the reverse engineering process. This saves essential time during the analysis, which helps while defending from well-prepared threat actors...

AI score 6.8 · Exploits 0
Trellix · added 2025/07/01 · 12 views

The Bug Report - June 2025 Edition

The Bug Report - June 2025 Edition By Jonathan Omakun · July 1, 2025 Why am I here? Welcome to the June 2025 edition of The Bug Report from the Trellix Advanced Research Center, where the only thing hotter than your CPU fan is the vulnerability feed. As the temperature rises and the air condition...

CVSS 8.8 · AI score 9.3 · EPSS 0.81558 · Exploits 16
Trellix · added 2025/06/30 · 9 views

The Democratization of Phishing: Popularity of PhaaS platforms on the rise

The Democratization of Phishing: Popularity of PhaaS Platforms on the Rise By Ryan Slaney · June 30, 2025 The phishing industry is being profoundly reshaped by the surge of Phishing-as-a-Service (PhaaS) platforms. These accessible, often Artificial Intelligence (AI)-powered, offerings are democratizi...

AI score 5.4 · Exploits 0
Trellix · added 2025/06/30 · 21 views

OneClik: A ClickOnce-Based APT Campaign Targeting Energy, Oil and Gas Infrastructure

OneClik: A ClickOnce-Based Red Team Campaign Simulating APT Tactics in Energy Infrastructure By Nico Paulo Yturriaga and Pham Duy Phuc · Updated : June 30, 2025 The Trellix Advanced Research Center previously uncovered what appeared to be a sophisticated APT malware campaign, which we dubbed...

AI score 6.4 · Exploits 0
Trellix · added 2025/06/24 · 21 views

OneClik: A ClickOnce-Based APT Campaign Targeting Energy, Oil and Gas Infrastructure

OneClik: A ClickOnce-Based APT Campaign Targeting Energy, Oil and Gas Infrastructure By Nico Paulo Yturriaga and Pham Duy Phuc · June 24, 2025 The Trellix Advanced Research Center has uncovered a sophisticated APT malware campaign that we’ve dubbed OneClik. It specifically targets the energy, oil...

AI score 8 · Exploits 0
Trellix · added 2025/06/23 · 5 views

Understanding Iranian Capabilities and Hacktivist Activities

Understanding Iranian Capabilities and Hacktivist Activities By John Fokker · June 23, 2025 As geopolitical tensions flare again in the Middle East, cyber operations are increasingly becoming an extension of physical conflict. State-aligned threat actors, patriotic hackers, and ideologically...

AI score 5.3 · Exploits 0
Trellix · added 2025/06/18 · 33 views

Hidden Malware Discovered in jQuery Migrate: A Stealthy Supply Chain Threat

Hidden Malware Discovered in jQuery Migrate: A Stealthy Supply Chain Threat By Trellix · June 18, 2025 This blog was also written by Trishaan Kalra Introduction What happens when a trusted open source library becomes a conduit for stealthy malware delivery? That question became reality when the...

AI score 5.9 · Exploits 0
Trellix · added 2025/06/12 · 4 views

Inside LockBit's Admin Panel Leak

Inside the LockBit's Admin Panel Leak: Affiliates, Victims and Millions in Crypto By Jambul Tologonov · June 12, 2025 Introduction On May 7, 2025, the LockBit admin panel was hacked by an anonymous actor who replaced their TOR website with the text ‘Don’t do crime CRIME IS BAD xoxo from Prague’...

AI score 5.8 · Exploits 0
Trellix · added 2025/06/05 · 26 views

Demystifying Myth Stealer: A Rust Based InfoStealer

Demystifying Myth Stealer: A Rust Based InfoStealer By Niranjan Hegde, Vasantha Lakshmanan Ambasankar and Adarsh S · June 5, 2025 Introduction During regular proactive threat hunting, the Trellix Advanced Research Center identified a fully undetected infostealer malware sample written in Rust. Up...

AI score 6 · Exploits 0
Trellix · added 2025/05/28 · 17 views

A Flyby on the CFO's Inbox: Spear-Phishing Campaign Targeting Financial Executives with NetBird Deployment

A Flyby on the CFO's Inbox: Spear-Phishing Campaign Targeting Financial Executives with NetBird Deployment By Trellix · May 28, 2025 This blog was written by Srini Seethapathy Trellix wants to acknowledge the quick response from NetBird following our initial findings. NetBird acted immediately to...

AI score 5.9 · Exploits 0
Trellix · added 2025/05/08 · 8 views

The Growing Threat of Vishing: How Cybercriminals Are Using Multimedia to Target You

The Growing Threat of Vishing: How Cybercriminals Are Using Multimedia to Target You By Mark Joseph Marti and Sandra Pagkaliwagan · May 8, 2025 Introduction Imagine being hacked through a phone call, and you can't even complain because you were the one who provided your sensitive information or...

AI score 5.4 · Exploits 0
Trellix · added 2025/05/08 · 24 views

The Bug Report - April 2025 Edition

The Bug Report - April 2025 Edition By Jonathan Omakun · May 8, 2025 Why am I here? Ah, spring. The season of blossoms, allergies, and — apparently — auth bypasses, remote code execution, and buffer overflows is in full bloom. Welcome to The Bug Report – April 2025 Edition, where we roll up our...

CVSS 9.8 · AI score 10 · EPSS 0.99973 · Exploits 23
Trellix · added 2025/04/21 · 10 views

A Deep Dive into the Latest Version of Lumma InfoStealer

Unmasking the Evolving Threat: A Deep Dive into the Latest Version of Lumma InfoStealer with Code Flow Obfuscation By Mohideen Abdul Khader · April 21, 2025 Summary Lumma Stealer, first identified in 2022, remains a significant threat to this day, continuously evolving its tactics, techniques, an...

AI score 6 · Exploits 0
Trellix · added 2025/04/16 · 7 views

Closing the Security Gap From Threat Hunting to Detection Engineering

Closing the Security Gap From Threat Hunting to Detection Engineering By Ilya Kolmanovich, Alejandro Houspanossian, Joe Malenfant and Tomer Shloman · April 16, 2025 In today's rapidly evolving AI-fueled threat landscape, every organization is trying to stop threats as early as possible. Threat...

AI score 5.5 · Exploits 0
Trellix · added 2025/04/03 · 25 views

The Bug Report - March 2025 Edition

The Bug Report - March 2025 Edition By Jonathan Omakun · April 3, 2025 Why am I here? Welcome to the March 2025 edition of The Bug Report—where the bracket-breaking isn’t just happening on the court. While US college basketball fans are busy filling out brackets and chasing Cinderella stories,...

CVSS 10 · AI score 9.1 · EPSS 0.99945 · Exploits 53
Trellix · added 2025/03/18 · 14 views

Analysis of Black Basta Ransomware Chat Leaks

Analysis of Black Basta Ransomware Chat Leaks By Jambul Tologonov and John Fokker · March 18, 2025 Introduction On Feb 11, 2025 a Telegram user @ExploitWhispers shared via their Telegram channel ‘shopotbasta’ (EN: ‘basta whisper’) Black Basta RaaS (Ransomware as a Service) Matrix chat leaks containin...

AI score 7.8 · Exploits 0
Trellix · added 2025/01/30 · 28 views

The Bug Report - January 2025 Edition

The Bug Report - January 2025 Edition By Jonathan Omakun · January 30, 2025 Why am I here? Ah, January—the month of resolutions, regrets, and, apparently, really bad code. While you’re trying to get back to the gym or cut down on caffeine, attackers have been busy exploiting vulnerabilities faste...

CVSS 10 · AI score 10 · EPSS 0.99971 · Exploits 30
Trellix · added 2025/01/27 · 8 views

Cyber Threat Landscape Q&A with Trellix Head of Threat Intelligence John Fokker

Cyber Threat Landscape Q&A with Trellix Head of Threat Intelligence John Fokker By Trellix · January 27, 2025 As we step into 2025, it's time to reflect on the seismic changes that shaped the cybersecurity landscape in 2024 and anticipate what's on the horizon for 2025. The past year saw...

AI score 6.9 · Exploits 0
Trellix · added 2025/01/07 · 6 views

Blurring the Lines: How Nation-States and Organized Cybercriminals Are Becoming Alike

Blurring the Lines: How Nation-States and Organized Cybercriminals Are Becoming Alike By Tomer Shloman · January 7, 2025 The distinction between nation-state actors and organized cybercriminals is becoming increasingly blurred in our rapidly evolving cyber landscape. Historically, these groups ha...

AI score 7.4 · Exploits 0
Trellix · added 2024/12/20 · 10 views

Safeguarding Election Integrity: Threat Hunting for the U.S. Elections

Safeguarding Election Integrity: Threat Hunting for the U.S. Elections By Ernesto Provecho and John Fokker · December 20, 2024 This blog was also written by Max Kersten With 2024 being a major election year globally, the stakes for election security were and remain high. More than 60 countries,...

AI score 7.1 · Exploits 0
Trellix · added 2024/12/16 · 13 views

Hacktivist Groups: The Shadowy Links to Nation-State Agendas

Hacktivist Groups: The Shadowy Links to Nation-State Agendas By Ernesto Fernández Provecho · December 16, 2024 Introduction Hacktivism, the intersection of hacking and activism, has emerged as a potent force in the digital age. It involves using technology to achieve social or political goals,...

CVSS 9.8 · AI score 7 · EPSS 0.96515 · Exploits 17
Trellix · added 2024/12/03 · 32 views

Anatomy of Celestial Stealer: Malware-as-a-Service Revealed

Anatomy of Celestial Stealer: Malware-as-a-Service Revealed By Niranjan Hegde, Adarsh S and Shashikala Piddannavar · December 3, 2024 Introduction During proactive hunting, Trellix Advanced Research Center found samples belonging to Celestial Stealer, a JavaScript-based infostealer which is...

AI score 7.7 · Exploits 0
Trellix · added 2024/11/20 · 7 views

Phobos: Stealthy Ransomware That Operated Under the Radar - Until Now

Phobos: Stealthy Ransomware That Operated Under the Radar - Until Now By Jambul Tologonov, John Fokker and Duy-Phuc Pham · November 20, 2024 On November 18th, the US Justice Department unsealed criminal charges against a Russian national for allegedly administering the sale, distribution, and...

AI score 7.1 · Exploits 0
Trellix · added 2024/11/20 · 5 views

When Guardians Become Predators: How Malware Corrupts the Protectors

When Guardians Become Predators: How Malware Corrupts the Protectors By Trellix · November 20, 2024 This blog was also written by Trishaan Kalra Introduction We often trust our security software to stand as an unbreakable wall against malware and attacks, but what happens when that very wall is...

AI score 5.8 · Exploits 0
Trellix · added 2024/11/14 · 6 views

Transforming Threat Actor Research into a Strong Defense Strategy

Transforming Threat Actor Research into a Strong Defense Strategy By James Murphy, Ale Houspanossian, Leandro Velasco (LV) and Ilya Kolmanovich · November 14, 2024 What does it take to transform threat actor research into detection engineering? If we look at threat intelligence at its core, then we...

AI score 7.3 · Exploits 0
Trellix · added 2024/11/14 · 11 views

AIOps - Revolutionizing Incident Management with Advanced Automation and LLM Integration

AIOps - Revolutionizing Incident Management with Advanced Automation and LLM Integration By Trellix · November 14, 2024 Contributed by Chalapathy Jampal, Siddhesh Shinde, Alagiri Annadurai, Lakshmi Ram Teja Eluri and Anil Pokhrel Managing infrastructure and applications across a complex IT...

AI score 6.7 · Exploits 0
Trellix · added 2024/11/07 · 10 views

New Stealer Uses Invalid Cert To Compromise Systems

New Stealer Uses Invalid Cert To Compromise Systems By Mohinder Gill, Mallikarjun Wali and Sangram Mohapatro · November 07, 2024 A new Stealer has been making the rounds. Its name: Fickle. Fickle Stealer is a new Rust-based information stealer that spreads through various attack vectors, includin...

AI score 7.2 · Exploits 0
Trellix · added 2024/10/30 · 15 views

MacOS Malware Surges as Corporate Usage Grows

MacOS Malware Surges as Corporate Usage Grows By Ilya Kolmanovich, Prashant Kadam and Duy-Phuc Pham · October 30, 2024 This blog was also written by Joe Malenfant and Max Kersten An apple a day keeps the doctor away. While the age-old expression does have its merits, the malware landscape on...

AI score 7.4 · Exploits 0
Trellix · added 2024/10/02 · 5 views

Cyber Threats Targeting the US Government During the Democratic National Convention

Cyber Threats Targeting the US Government During the Democratic National Convention By Anne An · October 2, 2024 Introduction Trellix global sensors detected increased threat activities during the days that the Democratic National Convention (DNC) was held in August 2024, culminating in a massive...

AI score 7.5 · Exploits 0
Trellix · added 2024/09/19 · 28 views

The Iranian Cyber Capability

The Iranian Cyber Capability By Ernesto Fernández Provecho, Pham Duy Phuc, and John Fokker · September 19, 2024 Introduction In recent years, the Islamic Republic of Iran has extensively promoted the execution of cyber campaigns to protect its national interests, deter adversaries, and conduct...

CVSS 10 · AI score 7.5 · EPSS 0.99999 · Exploits 347
Trellix · added 2024/09/11 · 27 views

Unmasking the Hidden Threat: Inside a Sophisticated Excel-Based Attack Delivering Fileless Remcos RAT

Unmasking the Hidden Threat: Inside a Sophisticated Excel-Based Attack Delivering Fileless Remcos RAT By Trellix · September 11, 2024 This blog was also written by Trishaan Kalra Introduction In the rapidly evolving landscape of cybersecurity, attackers are continuously refining their methods to...

CVSS 9.3 · AI score 8.1 · EPSS 0.99933 · Exploits 29
Trellix · added 2024/08/29 · 15 views

Unmasking ViperSoftX: In-Depth Defense Strategies Against AutoIt-Powered Threats

Trellix Global Defenders: Unmasking ViperSoftX: In-Depth Defense Strategies Against AutoIt-Powered Threats By James Murphy · August 29, 2024 There’s a common misconception that threat actors must always write complicated and custom code in every piece of their malware, skilfully evading defenses,...

AI score 7.1 · Exploits 0
Trellix · added 2024/08/26 · 26 views

The Bug Report - August 2024 Edition

The Bug Report - August 2024 Edition By Jonathan Omakun · August 26, 2024 Why am I here? August isn’t just about heat waves and summer getaways for the Northern Hemisphere; it’s also when things get serious for students and cybersecurity pros. As organizations prep for the end of the fiscal year,...

CVSS 9.8 · AI score 9.2 · EPSS 0.99987 · Exploits 45
Trellix · added 2024/08/09 · 9 views

No symbols? No problem!

No symbols? No problem! By Trellix · August 9, 2024 This blog was written by Max Kersten Malware analysts know it all too well: the ominous feeling that washes over you when opening an unknown file in your favorite analysis tool and being greeted with hundreds or thousands of unknown functions,...

AI score 6.5 · Exploits 0
Trellix · added 2024/07/29 · 6 views

OneDrive Pastejacking

OneDrive Pastejacking: The crafty phishing and downloader campaign By Rafael Pena · July 29, 2024 Over the past few weeks, the Trellix Advanced Research Center has observed a sophisticated Phishing/downloader campaign targeting Microsoft OneDrive users. This campaign heavily relies on social...

AI score 7.2 · Exploits 0
Trellix · added 2024/07/26 · 14 views

Handala’s Wiper Targets Israel

Handala’s Wiper Targets Israel By Tomer Shloman · July 26, 2024 This blog was also written by Mathanraj Thangaraju and Max Kersten CrowdStrike’s Falcon agent caused downtime for millions of computers across the globe beginning July 19. This event caused panic and chaos, which threat actors quickl...

AI score 8 · Exploits 0
Trellix · added 2024/07/19 · 6 views

Managing Risk During the CrowdStrike Global Tech Outage

Managing Risk During the CrowdStrike Global Tech Outage By Mo Cashman & Trellix Advanced Research Center · July 19, 2024 Updated: July 25, 2024 How it Happened A defective content update provided by cybersecurity firm CrowdStrike caused Microsoft Windows systems to crash, disrupting airline trave...

AI score 6.8 · Exploits 0
Trellix · added 2024/07/11 · 24 views

Cactus Ransomware: New strain in the market

Cactus Ransomware: New strain in the market By Aishwarya Gentyal · July 11, 2024 Ransomware malware has been around for many years now and it continues to dominate the headlines. It's an attacker's top choice for cyber extortion and is one of the most active and profound threats facing...

CVSS 9.8 · AI score 9.8 · EPSS 0.99949 · Exploits 6
Trellix · added 2024/07/09 · 9 views

The Mechanics of ViperSoftX: Exploiting AutoIt and CLR for Stealthy PowerShell Execution

The Mechanics of ViperSoftX: Exploiting AutoIt and CLR for Stealthy PowerShell Execution By Sijo Jacob · July 9, 2024 This blog was also written by Mathanraj Thangaraju Threat Summary In the dynamic landscape of cyber threats, ViperSoftX has emerged as a highly sophisticated malware, adept at...

AI score 7.2 · Exploits 0
Total number of security vulnerabilities: 608