virusbtn.bsky.social
Security information portal, testing and certification body. Organisers of the annual Virus Bulletin conference.
153 posts 307 followers 43 following

Zscaler researchers look into a DeepSeek-themed malware campaign that deceives users & delivers Vidar stealer. The campaign uses a fake CAPTCHA page to conduct clipboard injection, secretly copying a malicious PowerShell command for users to execute. www.zscaler.com/blogs/securi...

Malwarebytes researcher Jérôme Segura identified a malicious Google Chrome installer distributed via Google Ads and abusing Google’s free website builder. The final redirect eventually downloads a large executable that drops a malware payload known as SecTopRAT. www.malwarebytes.com/blog/news/20...

SentinelLABS researcher Tom Hegel writes about an extension of the long-running Ghostwriter campaign targeting opposition activists in Belarus as well as Ukrainian military and government organizations with weaponized Excel document lures. www.sentinelone.com/labs/ghostwr...

New stealer logs: 23B rows of "ALIEN TXTBASE" logs with 284M unique email addresses have been added to HIBP. New APIs can now search these by email domain and the domain of the website they were captured on. 69% were already in @haveibeenpwned.com. Read more: www.troyhunt.com/processing-2...

A financially motivated group (UAC-0173) is hacking notary offices in Ukraine to make changes to government state registers. CERT Ukraine believes the hacks are part of a hacker-for-hire scheme where the group makes changes to government DBs in exchange for a fee. cert.gov.ua/article/6282...

2025-02-25 (Tuesday): #VenomRAT from #malspam uses zip attachment containing a VHD file containing a VBS file. Calls Pastebin link for C2 server information. Details at github.com/malware-traf...

Palo Alto Networks' Unit42 team discovered Auto-color, a new evasive Linux backdoor that allows threat actors full remote access to compromised machines. unit42.paloaltonetworks.com/new-linux-ba...

Google Mandiant researchers have observed a notable increase in phishing attacks targeting the education sector. The attacks, timed to coincide with key dates in the academic calendar, exploit trust within academic institutions to deceive students, faculty & staff. cloud.google.com/blog/topics/...

Intel471 researchers analyse TgToxic Android trojan updates and capabilities observed in a campaign from November 2024. TgToxic is designed to steal user credentials, cryptocurrency from digital wallets, and funds from banking and finance apps. intel471.com/blog/android...

Check Point researchers uncovered an ongoing large-scale campaign involving thousands of first-stage malicious samples exploiting the legacy version 2.0.2 of the Truesight driver to deploy an EDR/AV killer module in its initial stage. research.checkpoint.com/2025/large-s...

ESET researchers analyse a campaign delivering malware bundled with job interview challenges. DeceptiveDevelopment targets freelance software developers through spear-phishing on job-hunting/freelancing sites to steal cryptocurrency wallets & login information. www.welivesecurity.com/en/eset-rese...

A new article from The DFIR Report provides details of an intrusion that began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server, ultimately leading to the deployment of LockBit ransomware across the environment. thedfirreport.com/2025/02/24/c...

booking .com 🏨 themed #ClickFix campaign using a fake cookie 🍪 banner, downloading a JavaScript file dropping XWorm 🔥 JS: 📜 bazaar.abuse.ch/sample/01a2f... EXE: 📄 bazaar.abuse.ch/sample/6ccf4... URLs: 🌐 urlhaus.abuse.ch/host/185.7.2... XWorm botnet C2s: 📡185.7.214.108:4411 📡185.7.214.54:4411

A recent report by Livia Tibirna, Coline Chavane and Sekoia TDR provides an overview of the main actors involved in malicious campaigns impacting the financial sector in 2024. blog.sekoia.io/cyber-threat...

Trend Micro's Daniel Lunghi shows how Shadowpad is being used to deploy a new undetected ransomware family. Attackers deploy the malware by exploiting weak passwords and bypassing multi-factor authentication. www.trendmicro.com/en_us/resear...

Orange & Trend Micro researchers look into the Green Nailao campaign targeting European organizations. The campaign relied on DLL search-order hijacking to deploy ShadowPad & PlugX. In at least two cases, the intrusion ended up with NailaoLocker ransomware. www.orangecyberdefense.com/global/blog/...

Infrawatch researchers explore GhostSocks, a Golang-based SOCKS5 backconnect proxy malware, detailing its integration with LummaC2 and its command-and-control infrastructure. infrawatch.app/blog/ghostso...

Kandji's Christopher Lopez analyses a recent case attributed to the North Korea Contagious Interview campaign, in which malicious applications are presented to victims as part of a fake job interview process. www.kandji.io/blog/drivere...

Google Threat Intelligence Group (GTIG) has observed increasing efforts from several Russia state-aligned threat actors to compromise Signal Messenger accounts used by individuals of interest to Russian intelligence services. cloud.google.com/blog/topics/...

Quick Tip for Hunting #Lumma Domains By Checking WHOIS Records 🏹 Lumma actors often create #C2 domains in (likely automated) batches, leading to clusters of domains sharing extremely similar registration times that can be queried with a Silent Push #WHOIS search 👀

FortiGuard Labs researcher Kevin Su analyses a variant of the Snake keylogger (also known as 404 Keylogger) distributed in an AutoIt-compiled binary, which adds an additional layer of obfuscation to hinder detection and analysis. www.fortinet.com/blog/threat-...

Proofpoint researchers identified FrigidStealer, a new MacOS malware delivered via web inject campaigns. They also found two new threat actors, TA2726 and TA2727, operating components of web inject campaigns. www.proofpoint.com/us/blog/thre...

Mauro Eldritch has published a technical breakdown of a new infostealer known as Zhong Stealer. The malware has been used in campaigns targeting the fintech and cryptocurrency industries. any.run/cybersecurit...

2024-11-25 (Monday): What's that winningwriters[.]com? You want me to paste some script into a run window? Sure thing! Hope my lab host doesn't get infected... Oh my! It got infected. I could also replicate the entire thing on Any.Run, which tags it as #hijackloader app.any.run/tasks/fe0e9b...

In the latest @CyberAlliance webinar (February 25th 10PM ET/February 26th APAC) speakers will explore how cyber threats could manifest in 2025 and what issues will continue to drive the cybersecurity industry. us06web.zoom.us/webinar/regi...

CloudSEK's Mayank Sahariya looks into an ongoing malware campaign distributing the Lumma Stealer infostealer. The campaign's primary infection vector involves using malicious LNK (shortcut) files that are crafted to appear as legitimate PDF documents. www.cloudsek.com/blog/lumma-s...

Volexity researchers write about multiple Russian threat actors they observed conducting social-engineering & spear-phishing campaigns targeting organizations with the ultimate goal of compromising Microsoft 365 accounts via Device Code Authentication phishing. www.volexity.com/blog/2025/02...

Trend Micro’s Nathaniel Morales & Nick Dai discuss the latest technique used by Earth Preta (Mustang Panda), in which the APT group leverages MAVInject & Setup Factory to deploy payloads, bypass ESET antivirus, & maintain control over compromised systems. www.trendmicro.com/en_us/resear...

🚨 Major international operation targets Phobos & 8Base ransomware groups. Four arrests & 27 servers seized in a coordinated effort across 14 countries. Read more in our press release ⤵️ www.europol.europa.eu/media-press/...

Zscaler ThreatLabz researchers present the second part of a technical analysis of Xloader versions 6 & 7, covering how Xloader obfuscates the command-and-control (C2), and the network communication protocol. www.zscaler.com/blogs/securi...

TRAC Labs analyses SocGholish/FakeUpdates. The infection chain starts with a fake browser update delivered via compromised websites & a malicious JavaScript file, leading to an obfuscated MintsLoader payload that delivers the GhostWeaver PowerShell backdoor. trac-labs.com/dont-ghost-t...

eSentire researchers summarise a recent investigation into an attack by the RedCurl/EarthKapre APT against an organization within the legal services industry. The group primarily targets private-sector organizations with a focus on corporate espionage. www.esentire.com/blog/unravel...

Large increase in web login brute forcing attacks against edge devices seen in the last few weeks in our honeypots, with up to 2.8M IPs per day seen with attempts (especially Palo Alto Networks, Ivanti, SonicWall etc). Over 1M from Brazil. Source IPs shared in shadowserver.org/what-we-do/n...

Researchers from Seqrite Labs' APT-Team explore the technical details of the XELERA ransomware campaign, which involves fake job descriptions targeted towards individuals aiming for various technical job positions at the Food Corporation of India (FCI). www.seqrite.com/blog/xelera-...

Elastic Security Labs researchers look into the REF7707 campaign targeting the foreign ministry of a South American country. The intrusion set utilized by REF7707 includes novel malware families such as FINALDRAFT, GUIDLOADER and PATHLOADER. www.elastic.co/security-lab...

Recorded Future’s Insikt Group recently identified a campaign attributed to the Chinese state-sponsored group RedMike. RedMike exploits unpatched internet-facing Cisco network devices primarily associated with global telecommunications providers. www.recordedfuture.com/research/red...

Elastic Security Labs researchers describe FINALDRAFT, a malware family that leverages Outlook as a communication channel via the Microsoft Graph API. The post-exploitation kit includes a loader, a backdoor & multiple submodules that enable post-exploitation activities. www.elastic.co/security-lab...

Researchers from LAC's Cyber Emergency Center analyse the "RevivalStone" campaign operated by China-based threat group Winnti. The campaign targeted Japanese companies in the manufacturing, materials, and energy sectors. www.lac.co.jp/lacwatch/rep...

Microsoft Threat Intelligence researchers look into recently observed tactics, techniques and procedures (TTPs) used in the BadPilot campaign operated by a subgroup within the Russian state actor Seashell Blizzard. www.microsoft.com/en-us/securi...

China's Salt Typhoon hackers are still breaching telecom networks worldwide, including two in the US in Dec-Jan, says Recorded Future. Lately they're exploiting Cisco devices with unpatched 2023 bugs and seem undeterred by high profile exposure and sanctions. www.wired.com/story/chinas...

EclecticIQ's Arda Büyükkaya looks into an espionage campaign by Sandworm (APT44, UAC-0145) against Ukrainian Windows users, likely ongoing since late 2023. Pirated Microsoft KMS activators & fake Windows updates are leveraged to deliver a new version of BACKORDER. blog.eclecticiq.com/sandworm-apt...

Sekoia's Pierre Le Bourhis analyses I2PRAT, a recent multi-stage RAT distributed as a ClickFix payload. blog.sekoia.io/ratatouille-...

2025-02-10 (Monday): Social media post on #StrelaStealer I assisted on for my employer at www.linkedin.com/posts/unit42... and x.com/Unit42_Intel... #pcap, email and malware samples at malware-traffic-analysis.net/2025/02/10/i...

JPCERT/CC researchers show how the CVE-2025-0282 vulnerability in Ivanti Connect Secure led to an updated version of the SPAWN family. The SPAWNCHIMERA malware combines the updated functions of SPAWNANT, SPAWNMOLE and SPAWNSNAIL into one. blogs.jpcert.or.jp/ja/2025/02/s...

In a new report the Google Threat Intelligence Group (GTIG) discusses the current state of cybercrime, emphasizing why - regardless of the motivation of the actors behind them - these attacks must be considered threats to national security. cloud.google.com/blog/topics/...

Intezer's Nicole Fishbein, Joakim Kennedy & Justin Lentz provide an in-depth analysis of XE Group’s recent operations, looking at the exploits used, persistence mechanisms, and attack methodologies. intezer.com/blog/researc...

Trend Micro's Ted Lee & Lenart Bermejo analyse an SEO manipulation campaign targeting countries in Asia including India, Thailand & Vietnam. Threat actors exploit vulnerable IIS servers to install the BadIIS malware on the compromised servers. www.trendmicro.com/en_us/resear...

Harfanglab researchers describe exploitation of Ivanti CSA vulnerabilities, which started in Q4 2024 & led to webshell deployments, and detail malicious activities conducted by a threat actor within an organization following Ivanti CSA device compromise. harfanglab.io/insidethelab...

Cert Central .org is live! We track and report abused code-signing certs. By submitting to the website, you contribute to the DB of >800 certs—a DB you can access and view. Want to get more involved? Check out the Training and Research pages to learn more. 1/2

BumbleBee has recently switched their DGA 👀. The threat actor not only changed the seed but also moved from TLD .life to .click ☝️ They also apparently used #DeepSeek as a lure 🎣 🌱 Seed: 335f5f96de576fb5 Sample: 📄 bazaar.abuse.ch/sample/31b72... C2 domains: 📡 threatfox.abuse.ch/browse/malwa...