Cyber Threat Reports
Onyx Sleet uses array of malware to gather intelligence for North Korea
Following an indictment by the US Department of Justice linked to the intrusion set Microsoft tracks as Onyx Sleet, this report includes details of ...
APT45: North Korea’s Digital Military Machine
This report from threat intelligence analysts at Google's Mandiant marks the graduation of this cyber actor to a fully designated APT - APT45. The ...
North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs
This cybersecurity advisory from the U.S. Federal Bureau of Investigation (FBI) and its partners highlights the cyber espionage activities of the ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
APT41 Has Arisen From the DUST
This report from Mandiant outlines APT41 activity observed since 2023 including successful compromises of logistic, media, technology and ...
Cloaked and Covert: Uncovering UNC3886 Espionage Operations
This article by researchers from Google's Mandiant outlines intrusion activity by UNC3886, a suspected China-nexus cyber espionage group. The ...
MUDDLING MEERKAT: THE GREAT FIREWALL MANIPULATOR
This research from Infoblox details a sophisticated cyber operation involving DNS queries, open DNS resolvers, and China's Great Firewall, ...
ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
This blog post from Cisco Talos discusses ArcaneDoor, an espionage-focused campaign targeting perimeter network devices, which are crucial for ...
Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials
This blog post by researchers at Microsoft Threat Intelligence outlines activity they observed by Forest Blizzard using a tool they named ...
UAC-0133 (Sandworm) plans for cyber sabotage at almost 20 critical infrastructure facilities in Ukraine
This Medium post translates a UA-CERT alert and adds additional technical analysis of the QUEUESEED/KAPEKA backdoor which has been used against ...
AA24-109A StopRansomware: Akira Ransomware
This is a joint #StopRansomware advisory issued by CISA and partners covering Akira ransomware attacks. According to the report, the group has ...
APT44: Unearthing Sandworm
This report from researchers at Mandiant marks the graduation of the Sandworm intrusion set to the Mandiant APT label: APT44. It provides a ...
KAPEKA A novel backdoor spotted in Eastern Europe
This report from researchers at WithSecure unveils a novel backdoor: 'Kapeka'. Kapeka has been used against victims in Eastern Europe ...
Threat Group FIN7 Targets the U.S. Automotive Industry
In late 2023, BlackBerry analysts discovered a targeted attack by FIN7 on a U.S. automotive manufacturer, exploiting IT employees with higher ...
From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering
This blog post from Proofpoint's Threat Research Team details the TA427 group who they link to Kimsuky and attribute to North Korea. TA427 conduct ...
ANALYSIS OF THE APT31 INDICTMENT
Blog post providing analysis of a March 2024 US Department of Justice indictment of 7 hackers associated with APT31. The post details attribution ...
GOLD IONIC DEPLOYS INC RANSOMWARE
This blog post from Secureworks describes the intrusion set they track as GOLD IONIC, also known as INC Ransom Group. The post outlines GOLD IONIC ...
Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)
This blog post from Volexity details exploitation of CVE-2024-3400 in the GlobalProtect feature of Palo Alto Networks PAN-OS. The threat actor, ...
Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear
This blog post from researchers at Trend Micro discusses the cyberespionage group Earth Hundun and its malware, Waterbear and Deuterbear, which ...
Connect:fun Detailing an exploitation campaign targeting FortiClient EMS via CVE-2023-48788
This report from Vedere Labs at Forescout Research details an exploitation campaign which they have designated Connect:fun. The attacks exploit ...
Muddled Libra’s Evolution to the Cloud
Researchers at Unit 42 report on the evolution of the Muddled Libra group as they target SaaS (software-as-a-service) applications and CSP (cloud ...
eXotic Visit campaign: Tracing the footprints of Virtual Invaders
ESET describe a targeted Android espionage campaign with approximately 380 victims predominantly in India and Pakistan. The attackers compromise ...
Starry Addax targets human rights defenders in North Africa with new malware
This blog post from researchers at Cisco Talos describes a new threat actor 'Starry Addax'. Starry Addax have been observed conducting a ...
CVE-2024-3273: D-Link NAS RCE Exploited in the Wild
A blog post from GreyNoise outlining observed exploitation of CVE-2024-3273 in D-Link NAS devices. According to the post, approximately 5500 ...
Holding down the Fortinet vulnerability
This report from Red Canary outlines activity they have observed related to the exploitation of CVE-2023-48788 in FortiClient enterprise ...
From OneNote to RansomNote: An Ice Cold Intrusion
This case report from The DFIR Report describes an intrusion which started with a malicious OneNote attachment. Opening the OneNote file led to ...
Alert: CVE-2024-3094, a serious backdoor in XZ Utils, permits RCE
This alert from Vulcan's Voyager18 team outlines a potential supply chain attack against the XZ Utils package for multiple Linux distributions. ...
We're All in this Together - A Year in Review of Zero-Days Exploited In-the-Wild in 2023
This report from Mandiant and Google Threat Analysis Group (TAG) presents combined analysis of zero day vulnerability exploitation in 2023. The ...
APT29 Uses WINELOADER to Target German Political Parties
This blog post by Mandiant describes activity by APT29, linked to Russia's SVR, which targeted German political parties with a new backdoor: ...
AcidPour - New Embedded Wiper Variant of AcidRain Appears in Ukraine
This blog post by researchers at SentinelLabs describes a new variant of the AcidRain malware which they call AcidPour. The report includes ...
Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention
This article by researchers at Unit 42 discusses the FalseFont backdoor used by Curious Serpens, an Iranian-affiliated espionage group targeting ...
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
This blog post by researchers at Mandiant describes how the threat actor UNC5174 exploited vulnerabilities in F5 BIG-IP appliances and ConnectWise ...
The Updated APT Playbook: Tales from the Kimsuky threat actor group
This article by researchers at Rapid7 discusses recent activity by North Korean intrusion set 'Kimsuky'. Kimsuky is primarily focused on ...
Review of the Summer 2023 Microsoft Exchange Online Intrusion
This report by the US Cyber Safety Review Board presents the findings of an investigation into compromise of Microsoft Exchange Online mailboxes ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign
This report by Trend Micro's Zero Day Initiative describes a campaign associated with the DarkGate ransomware. According to the post, DarkGate ...
Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns
This Security Intelligence blog post by researchers at IBM's X-Force describes activity by ITG05 - a group which shows overlap with APT28/Forest ...
Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities - Check Point Research
This blog post from Check Point Research describes a campaign targeting Ivanti, Magento, Qlik Sense and possibly Apache ActiveMQ systems which ...
Evasive Panda leverages Monlam Festival to target Tibetans
This report by researchers at ESET describes a campaign which they attribute to the China-aligned APT Evasive Panda. The report describes a ...
I-Soon leak: KELA’s insights
This blog post outlines KELA's analysis of the 2024 I-SOON data leak. According to the article, I-Soon had relationships with Chinese governmental ...
Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence
The blog entry details an investigation by Trend Micro's Managed Extended Detection and Response (MDR) team into a cyberespionage incident ...
TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant
Blog post from Kroll which describes the exploitation of vulnerabilities in ConnectWise ScreenConnect to deploy TODDLERSHARK malware which the ...
GhostSec’s joint ransomware operation and evolution of their arsenal
This Threat Spotlight from Cisco Talos describes the evolution of GhostSec's ransomware operations including their work with the Stormous ...
Predator Spyware Operators Rebuild Multi-Tier Infrastructure to Target Mobile Devices
This report from Recorded Future's Insikt Group describes recent TTPs and infrastructure used for the deployment of the Predator spyware. Predator ...
StopRansomware: Phobos Ransomware
This is a joint Cybersecurity Advisory produced by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). It ...
The Predator spyware ecosystem is not dead
This blog post from analysts at Sekoia outlines infrastructure and potential customer governments associated with the Predator spyware. Sekoia ...
Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
This blog post gives a detailed analysis of two critical vulnerabilities (CVE-2024-1708 and CVE-2024-1709) affecting ConnectWise ScreenConnect ...
StopRansomware: ALPHV Blackcat
This '#StopRansomware' advisory from CISA and partners outlines technical details and mitigations for the ALPHV Blackcat 'Ransomware as a ...
Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections
Blog post from researchers at Trend Micro discussing Earth Lusca and potential links to Chinese contractor I-Soon. Earth Lusca is a China-linked ...
SVR cyber actors adapt tactics for initial cloud access
This advisory from the UK's National Cyber Security Centre (NCSC) outlines tactics, techniques and procedures (TTPs) used by the cyber actors ...
Earth Preta Campaign Uses DOPLUGS to Target Asia
This blog post by researchers from Trend Micro describes the use of a customized PlugX backdoor which they name DOPLUGS. The DOPLUGS malware uses ...
Pelmeni Wrapper: New Wrapper of Kazuar (Turla Backdoor)
Technical analysis of the 'Pelmeni Wrapper' using samples found on VirusTotal by researchers from Lab52. The investigation outlines how Pelmeni is ...
Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign
The Insikt Group has observed TAG-70 using cross-site scripting (XSS) vulnerabilities to target Roundcube webmail servers in Europe. The ...
VOLTZITE Espionage Operations Targeting U.S. Critical Systems
This report details activity related to the VOLTZITE intrusion set as observed by Dragos. The report identifies sectors and geographies targeted ...
NetScalers are under attack. Or… they were…
This report by CyberCX’s Digital Forensics and Incident Response (DFIR) team looks into the exploitation of known vulnerabilities in Citrix ...
CharmingCypress: Innovating Persistence
This report by Volexity outlines campaigns conducted by the actor they call CharmingCypress (aka Charming Kitten). The report describes targeting ...
TinyTurla Next Generation - Turla APT spies on Polish NGOs
'TinyTurla-NG' is a backdoor identified by Cisco Talos researchers which shows similarities to a previously used implant 'TinyTurla' - both used ...
Bumblebee Buzzes Back in Black
This report describes the return of the Bumblebee malware in February 2024. Bumblebee was first observed in 2022 but use appeared to stop after ...
Ivanti Connect Secure: Journey to the core of the DSLog backdoor
The CERT at Orange reports on the exploitation of multiple vulnerabilities in Ivanti products. Following successful exploitation, the attackers ...
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...
Ministry of Defence of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT
This report by the Dutch AIVD and MIVD is a cybersecurity advisory covering activity which they attribute to Chinese threat actors. The report ...
Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours
This report by the DFIR Report outlines a Trigona Ransomware attack. It describes how the actors went from initial access (by exposed RDP) to data ...
Midnight Blizzard: Guidance for responders on nation-state attack
Following a compromise of Microsoft corporate systems by Midnight Blizzard which was detected on 12th January 2024, this blog post outlines ...
Unveiling TeleBoyi: Chinese APT Group Targeting Critical Infrastructure Worldwide
This presentation from TeamT5 describes the intrusion set they refer to as TeleBoyi and was presented at JPCERT's JSAC2024 conference on January ...
Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021
This short post from Mandiant researchers details how UNC3886 were observed exploiting a zero-day vulnerability in VMware tools for approximately ...
Detailed Analysis of DarkGate
This post on Medium by S2W presents a technical analysis of DarkGate malware and the operator behind it. According to the report, DarkGate is a ...
#StopRansomware: Play Ransomware
This is a Cybersecurity Advisory from CISA with US and international partners which outlines TTPs (tactics, techniques and procedures) and IoCs ...
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
This Cybersecurity Advisory by CISA with US and international partners outlines activity which they link to APT29 (also known as The Dukes, Cozy ...
IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities
This advisory from CISA and partners describes activity by IRGC-affiliated cyber actors "CyberAv3ngers". According to the advisory, the ...
Scattered Spider Advisory AA23-320A
This advisory from CISA outlines tactics, techniques and procedures used by the Scattered Spider threat actors, as observed by the FBI up until ...
StopRansomware: Rhysida Ransomware
This is a joint Cybersecurity Advisory by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and ...
People's Republic of China-Linked Cyber Actors Hide in Router Firmware
This Cybersecurity Advisory from CISA and partners details activities of the People's Republic of China (PRC)-linked cyber actors known as ...
Flax Typhoon using legitimate software to quietly access Taiwanese organizations
This blog post by Microsoft Threat Intelligence outlines the Flax Typhoon intrusion set and TTPs demonstrated by the group. It describes the actor ...
Investigating New INC Ransom Group Activity
This blog post from Huntress discusses the ransomware group known as 'INC', breaking down the stages of an attack day by day. The Huntress team ...
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
This report from Recorded Future's Insikt Group outlines activity by the RedHotel intrusion set. RedHotel is identified as a prominent Chinese ...
People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
This advisory from the US National Security Agency, CISA and various other agencies outlines tactics, techniques and procedures used by Volt ...
CACTUS Ransomware: Prickly New Variant Evades Detection
This report by Kroll outlines TTPs and IoCs associated with CACTUS ransomware actors.
Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets
This report from Microsoft Threat Intelligence describes a subset of activity related to the Mint Sandstorm actor. The campaign includes the theft ...
Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe
Proofpoint researchers describe espionage activity targeting US elected officials and staffers which they attribute to TA473 (also known as Winter ...
Winter Vivern: Uncovering a Wave of Global Espionage
SentinelLabs conducted an investigation into the Winter Vivern Advanced Persistent Threat (APT) group, in part leveraging observations made by The ...
#StopRansomware: LockBit 3.0
This #StopRansomware Cybersecurity Advisory from CISA and partners describes the operations associated with LockBit 3.0 which operates as a ...
Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation
This blog post by threat researchers at Mandiant outlines intrusion activity by the UNC3886 intrusion set which involved the deployment of ...
Ransomware Spotlight: Black Basta
This report from Trend Micro outlines tactics, techniques and procedures used by the Black Basta Ransomware group. According to the report, Black ...
Threat Assessment: Black Basta Ransomware
This threat assessment from Palo Alto's Unit 42 describes the Black Basta 'Ransomware as a Service' operation including TTPs (tactics, techniques ...
APT41 (Double Dragon): A Dual Espionage and Cyber Crime Operation
This 2022 report by researchers at FireEye threat intelligence outlines the intrusion set they designate as APT41. They describe the group as 'a ...
REDCURL - The pentest you didn't know about
This report by researchers at Group-IB outlines activity by a group they call RedCurl. The report identifies victimology and motivation (corporate ...
This isn't Optimus Prime's Bumblebee but it's Still Transforming
Since March 2022, Proofpoint observed a malicious email campaign delivering the Bumblebee downloader. Multiple groups have been observed utilising ...
Winter Vivern – all Summer
This report by researchers from Lab52 details an infection campaign which they attribute to Winter Vivern. The report provides technical analysis ...
FamousSparrow: A suspicious hotel guest
This blog post by researchers from ESET describes the FamousSparrow APT group and associated custom backdoor 'SparrowDoor'. According to the post, ...
The Operations of Winnti group
This report from researchers at NTT describes activity which they attribute to the Winnti Group (who they refer to as ENT-1) and identify overlaps ...
Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages
This report by DomainTools researchers identifies a cyber threat group they call "Winter Vivern". The report describes malicious Excel macros used ...
Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Reporting from Mandiant which discusses the exploitation of Pulse Secure VPN devices in 2021 and 12 malware families associated with the campaign. ...
HAFNIUM targeting Exchange Servers with 0-day exploits
In March 2021 Microsoft detected multiple zero-day exploits being used as part of a widespread campaign by HAFNIUM / Silk Typhoon. This report ...
Threat Assessment: EKANS Ransomware
This threat assessment from researchers at Palo Alto's Unit 42 covers the EKANS ransomware. According to the report, EKANS was first observed in ...
EKANS Ransomware and ICS Operations
This blog post by researchers at Dragos talks about the EKANS ransomware variant. EKANS targets industrial control system (ICS) operations, and ...
TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers
This blog post by FireEye intelligence outlines how they attributed TEMP.Veles to a Russian government sponsored research institute - CNIIHM. ...
APT37 (REAPER) - The Overlooked North Korean Actor
This special report by FireEye discusses an investigation into APT37, a suspected North Korean cyber espionage group. According to the report, ...
Operation Blockbuster: Unraveling the Long Thread of the Sony Attack
This report by Novetta covers 'Operation Blockbuster' which was a Novetta-led coalition of private industry partners aiming to understand and ...
Project CAMERASHY
This report by ThreatConnect and Defense Group Inc outlines activities by the Naikon APT (advanced persistent threat) group and attributes them to ...
Dragonfly: Cyberespionage Attacks Against Energy Suppliers
This report by Symantec details activities of the cyberespionage group known as Dragonfly. The reporting covers a campaign which initially focused ...
Putter Panda Intelligence Report
This intelligence report published by CrowdStrike outlines cyber espionage activity against Western companies which they attribute to Putter ...
APT1: Exposing One of China's Cyber Espionage Units
The APT1 report represents years of work by Mandiant, who analysed data across hundreds of breaches globally. The report identifies APT1 as a ...