LATEST THREAT INTELLIGENCE.
BlackBasta ransomware
Description: Members of the Conti ransomware group appear to have splintered into multiple threat groups including BlackBasta, which has become one of the most significant ransomware threats. ThreatLabz has observed more than five victims that have been compromised by BlackBasta 2.0 since the new version’s release in mid-November 2022. This demonstrates that the threat group is very successful at compromising organizations and the latest version of the ransomware will likely enable them to better evade antivirus and EDRs.
Created at: 2022-12-02T12:22:12.999000
Updated at: 2025-02-21T16:19:54.678000
Targeted supply chain attack against Chrome browser extensions
Description: In December 2024, a threat actor successfully compromised around a dozen legitimate Chrome browser extensions by exploiting extension developers' permissions gained through phishing attacks. The malicious code injected into the compromised extensions aimed to harvest sensitive user data like API keys, session cookies, and authentication tokens from websites such as ChatGPT and Facebook for Business. The analysis sheds light on the targeted phishing campaign, the adversary's infrastructure, and provides remediation steps along with technical indicators.
Created at: 2025-01-22T16:27:16.545000
Updated at: 2025-02-21T16:00:53.144000
LightSpy Malware Now Targets Facebook & Instagram Data
Description: LightSpy, a modular surveillance framework, has expanded its capabilities to target Facebook and Instagram data. The malware, initially focused on mobile devices, now compromises Windows, macOS, Linux, and routers. Recent analysis reveals a significant expansion in its command list, with over 100 commands spanning multiple platforms. New Android commands specifically target Facebook and Instagram database files, potentially allowing attackers to collect private messages, contact lists, and account metadata. The infrastructure analysis uncovered previously unreported components, including a core version dated 2021-12-31. Windows plugins focus on keylogging, audio recording, video capture, and USB interaction. The exposure of admin panel authentication endpoints provides insights into the malware's operational framework.
Created at: 2025-02-21T15:28:00.106000
Updated at: 2025-02-21T15:34:18.134000
Sophisticated Payment Card Skimming Campaign Conceals Itself by Leveraging Stripe API
Description: A new payment card skimming campaign has been discovered, demonstrating advanced techniques to evade detection. The attack exploits Stripe's deprecated API to verify card details before exfiltration, ensuring only valid payment information is stolen while maintaining a seamless customer experience. The multi-stage compromise begins with a compromised first-party script that targets checkout pages. The attackers then remove legitimate Stripe payment elements, inject visually identical but compromised elements, and capture payment details. The stolen data is validated through Stripe's API before being exfiltrated to an unidentified malicious domain. This sophisticated approach allows the attack to operate seamlessly, making detection extremely challenging for both users and security researchers.
Created at: 2025-02-21T05:58:35.665000
Updated at: 2025-02-21T15:20:01.263000
Finance Report: Who Targets Financial Institutions?
Description: This report provides an overview of key cybercrime and state-sponsored threat actors targeting the financial sector in 2024. It highlights the critical role of Initial Access Brokers in enabling large-scale attacks, the persistent threat of ransomware and extortion groups, and the increasing sophistication of banking malware campaigns. The report also examines the rise of Phishing-as-a-Service models and their impact on financial institutions. Additionally, it explores state-sponsored Advanced Persistent Threats (APTs) targeting the sector, including North Korean groups focused on bypassing sanctions, and the growing collaboration between APTs and cybercriminal operators. The analysis covers the actors' motivations, victimology, infection vectors, and tools used in their campaigns against financial entities.
Created at: 2025-02-20T20:48:48.504000
Updated at: 2025-02-21T15:17:57.148000
Targeting of freelance developers
Description: North Korea-aligned cybercriminals are targeting freelance software developers through fake job offers and coding challenges containing malware. The campaign, dubbed DeceptiveDevelopment, uses two main malware families - BeaverTail and InvisibleFerret - to steal cryptocurrency wallets and login credentials. Attackers pose as recruiters on platforms like LinkedIn and GitHub, providing trojanized projects as part of fake interview processes. The malware steals browser data, cryptocurrency wallets, and system information, and can deploy remote access tools. Hundreds of victims globally have been observed across Windows, Linux and macOS systems. The operation shows increasing sophistication and is expected to continue evolving its tactics to target cryptocurrency users.
Created at: 2025-02-21T05:58:33.035000
Updated at: 2025-02-21T15:17:37.374000
The Bleeding Edge of Phishing: darcula-suite 3.0 Enables DIY Phishing of Any Brand
Description: The darcula-suite 3.0 represents a significant advancement in phishing capabilities, allowing criminals to easily create customized phishing campaigns targeting any brand. This new version, set to launch in February 2025, builds upon the previous darcula V2 platform, which has already impacted over 200 brands worldwide. The suite utilizes browser automation tools to clone legitimate websites and create convincing phishing versions. It features improved admin dashboards, performance statistics, and Telegram notifications for criminals. The platform's ease of use and advanced deception techniques, such as unique deployment paths and IP filtering, make it a significant threat to brands previously not targeted. Netcraft has detected and blocked over 90,000 darcula phishing domains and taken down more than 20,000 fraudulent websites since March 2024.
Created at: 2025-02-20T20:48:50.414000
Updated at: 2025-02-21T15:14:32.304000
Demystifying PKT and Monero Cryptocurrency deployed on MSSQL servers
Description: This analysis examines a recent cryptocurrency mining operation targeting MSSQL servers, focusing on PKT Classic and Monero cryptocurrencies. The attack exploits vulnerabilities to deploy mining tools, including PacketCrypt for PKT and XMRIG for Monero. The process involves using Windows utilities and PowerShell scripts to download and execute malicious files. The miners consume significant system resources, potentially degrading performance and causing hardware wear. The attackers utilize GitHub repositories, obfuscation techniques, and multi-stage attacks to evade detection. The article provides details on the attack chain, wallet information, and file analysis, highlighting the sophisticated nature of the operation. Mitigation strategies include regular software updates, strong authentication measures, and robust antivirus protection.
Created at: 2025-02-20T13:44:21.193000
Updated at: 2025-02-21T15:01:52.703000
Stately Taurus Activity in Southeast Asia Links to Bookworm Malware
Description: Unit 42 researchers have discovered connections between Stately Taurus, a threat actor targeting ASEAN countries, and the Bookworm malware family. Analysis of infrastructure and code overlaps revealed links between recent Stately Taurus attacks and Bookworm samples dating back to 2015. The group has been using both Bookworm and ToneShell malware in their operations. Bookworm has undergone minimal changes since 2015, demonstrating its versatility and continued effectiveness. The malware's modular design allows for flexible packaging to meet operational needs. Stately Taurus is expected to continue developing and utilizing Bookworm in future attacks targeting Southeast Asian organizations.
Created at: 2025-02-20T19:47:44.548000
Updated at: 2025-02-21T15:00:39.106000
Updated Shadowpad Malware Leads to Ransomware Deployment
Description: A recent investigation revealed Shadowpad malware being used to deploy a new ransomware family in Europe. The threat actor targeted 21 companies across 15 countries, primarily in the manufacturing sector. Access was gained through remote network attacks, exploiting weak passwords and bypassing multi-factor authentication. The Shadowpad malware showed enhancements in anti-debugging techniques and encryption methods. Unusually, a previously unreported ransomware was deployed in some cases, mimicking the appearance of Kodex Evil Extractor but with different functionality. The attackers also used tools like CQHashDumpv2 and Impacket for post-exploitation activities. While attribution remains uncertain, there are weak links to the Teleboyi threat actor.
Created at: 2025-02-20T10:44:32.401000
Updated at: 2025-02-21T14:54:26.744000
