Threat Details and Score Threat Group: UNC2970 (North Korea-linked) Threat Type: Cyber-Espionage Malware (Backdoor) Exploited Vulnerabilities: None exploited, uses modified open-source software Malware Used: MISTPEN, BURNBOOK, TEARPAGE Threat Score: High (8.3/10) Last Observation: September 18, 2024 (Mandiant) Overview: The UNC2970 threat group, associated with North Korea, has been

Threat Group: Amadey Threat Type: Credential theft (Browser lock, Kiosk mode exploitation) Exploited Vulnerabilities: No direct system vulnerability, but uses deceptive phishing techniques to trick users into entering credentials. Malware Used: Amadey malware loader, StealC info stealer, and AutoIt Credential Flusher Threat Score: High (7.8/10) — This campaign is

Threat Group: Unclear attribution, though linked to prior infrastructure used by TeamTNT and 8220 Gang. Threat Type: Cryptominer and Botnet, with potential future ransomware connections. Exploited Vulnerabilities: Weak credentials and misconfigured Oracle WebLogic servers. Malware Used: Hadooken (deploys both a cryptominer and Tsunami botnet). Threat Score: High (7.5/10)

Threat Group: Mustang Panda (also known as Earth Preta, Bronze President, HoneyMyte) Threat Type: Cyber-Espionage Exploited Vulnerabilities: Phishing, DLL Side-loading, Removable Media Propagation Malware Used: PUBLOAD, FDMTP, PTSOCKET, HIUPAN Worm Threat Score: Critical (9.0/10) — Due to widespread targeting of government entities, advanced data exfiltration techniques, and consistent evolution

Threat Group: Unknown Threat Type: Info-stealing malware Exploited Vulnerabilities: User accounts, browser data, cryptocurrency wallets Malware Used: Stepasha.exe, MotherRussia.exe Threat Score: High (8.0/10) — Due to its ability to exfiltrate sensitive data stealthily via Telegram and the comprehensive data it targets. Last Threat Observation: September 2024, observed

Threat Group: Citrine Sleet (North Korea-linked APT group) Threat Type: Advanced Persistent Threat (APT) Exploited Vulnerability: Google Chrome Zero-Day (CVE-2024-7971) Malware Used: FudModule Rootkit Overview A North Korea-linked APT group, known as Citrine Sleet, has been identified exploiting a newly discovered zero-day vulnerability in Google Chrome (CVE-2024-7971). This vulnerability, a

Summary Cybersecurity researchers have identified a new malware campaign targeting users in the Middle East. The malware, disguised as the Palo Alto Networks GlobalProtect VPN tool, demonstrates a sophisticated infection chain and utilizes advanced Command and Control (C&C) infrastructure to evade detection. This advisory provides a detailed analysis

Overview PEAKLIGHT is a sophisticated memory-only malware recently identified by cybersecurity researchers at Mandiant. This malware is particularly concerning due to its stealthy nature, residing exclusively in a computer's RAM, which allows it to evade traditional antivirus solutions that rely on disk scanning. The infection is initiated through

Overview Styx Stealer is a sophisticated information-stealing malware targeting Windows systems, with a primary focus on cryptocurrency theft and data exfiltration. It is an advanced variant of the older Phemedrone Stealer and has been actively distributed since April 2024. This malware exploits vulnerabilities in outdated Windows Defender versions, making it

Overview DeerStealer is a recent and increasingly concerning information-stealing malware. It has gained notoriety for its use of deceptive distribution methods, specifically by disguising itself as legitimate applications such as Google Authenticator. The malware is typically spread through fake advertisements and malicious downloads. Once installed, DeerStealer harvests sensitive data including

Overview ACR Stealer is a sophisticated information-stealing malware actively distributed as Malware-as-a-Service (MaaS). It has evolved from its predecessor, GrMsk Stealer, and is known for its advanced obfuscation and anti-analysis techniques, making it a significant threat to user data security. Technical Details ACR Stealer targets sensitive user information by employing

Security Advisory Report: FakeBat Malware Summary FakeBat, also known as EugenLoader or PaykLoader, has emerged as a significant threat in 2024, spreading through drive-by download attacks and malvertising campaigns. Distributed under a Loader-as-a-Service (LaaS) model by the Russian-speaking threat actor Eugenfest, FakeBat targets victims through compromised websites, fake browser updates,

Overview Fickle Stealer, a sophisticated piece of malware written in Rust, has been identified as a significant threat targeting Windows users. Initially observed in May 2024, this malware leverages Rust's performance and safety features, making it challenging for researchers to detect and analyze. Distributed via multiple vectors, including

Overview WarmCookie is a sophisticated piece of malware that emerged in late 2023, primarily targeting Google accounts by exploiting vulnerabilities in Google's authentication process. Recent alerts from malware databases indicate an uptick in activity associated with this malware. WarmCookie allows attackers to hijack user sessions even after passwords

Overview Hijack Loader, also known as IDAT Loader, has evolved with enhanced evasion techniques aimed at increasing its stealth and persistence within infected systems. Recent variants demonstrate advanced tactics such as process hollowing and User Account Control (UAC) bypass. Technical Details The malware initiates an attack by deploying a first-stage

Overview The ZLoader malware, also known as Terdot, DELoader, or Silent Night, has recently undergone significant updates, enhancing its capabilities and evading detection mechanisms. Originally derived from the Zeus banking trojan, ZLoader has evolved to support a broader range of malicious activities, including the distribution of ransomware. Recent Developments As

Overview: Sharpil RAT, initially identified as a Remote Access Trojan (RAT), has been reclassified as a remote-controlled data stealer. It targets a wide range of data, notably from gaming platforms and applications. A new variant, referred to as Sharp Stealer, emerged in 2024, exhibiting similar malicious functionalities and focusing particularly

Overview SteganoAmor is a malicious malware campaign orchestrated by the TA558 hacking group, employing steganography to embed malicious code within images. This technique disguises the malware within benign-looking files to evade detection by users and security software. TA558, active since 2018, primarily targets the hospitality and tourism sectors, especially in

Executive Summary Recent discoveries and analysis have highlighted the resurgence and evolution of ScrubCrypt malware, a sophisticated cyberthreat aimed at Microsoft Windows platforms. This malware is associated with deploying the RedLine Stealer malware, broadening the attack vector to include credential theft, cryptocurrency wallet exfiltration, and facilitating account takeover and fraud.

Overview: The Latrodectus malware, a sophisticated and adaptable threat in the cyber landscape, has been actively distributed via email phishing campaigns since at least late November 2023. Emerging as a potential successor to the IcedID loader, it has shown significant capabilities in evasion and payload delivery. Distribution and Tactics: The

Overview The StrelaStealer malware has emerged as a significant cybersecurity threat, primarily through phishing campaigns targeting over 100 organizations across the European Union and the United States. The malware is designed to exfiltrate email login credentials from popular clients like Outlook and Thunderbird, sending the stolen data to an attacker-controlled

Overview: A new malware strain named WogRAT has been identified targeting both Windows and Linux systems. This malware exploits the online notepad service "aNotepad" as a covert channel for storing and retrieving malicious payloads. The primary function and distribution method of WogRAT, including its impact on infected systems,

Overview SSH-Snake is a sophisticated malware that targets SSH (Secure Shell) services. It is a self-propagating, self-replicating, file-less script designed for post-exploitation tasks such as SSH private key and host discovery. Its main goal is to automate the discovery and exploitation of SSH services by utilizing found private keys to

Overview Volt Typhoon, identified as a state-sponsored cyber threat group by various cybersecurity organizations, has been actively targeting U.S. critical infrastructure with a focus on espionage, information gathering, and potentially disruptive activities against critical communications infrastructure. This group, attributed to the People's Republic of China, has been

Executive Summary Mystic Stealer is an information-stealing malware first advertised in April 2023. It is designed to pilfer credentials from nearly 40 web browsers and more than 70 browser extensions, targeting also cryptocurrency wallets, Steam, and Telegram accounts. The malware exhibits advanced obfuscation techniques including polymorphic string obfuscation, hash-based import