What happens when your identity provider becomes the kill chain
In this Help Net Security video, Colin Constable, CTO at Atsign, explains why your identity provider (IdP) has become the kill chain in cyberattacks. Attacke...
TTPs
20 articles
CIRT insights: How to help prevent unauthorized account removals from AWS Organizations
The AWS Customer Incident Response Team works with customers to help them recover from active security incidents. As part of this work, the team often uncove...
Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps
Cybersecurity researchers have disclosed details of a new ad fraud and malvertising operation dubbed Trapdoor targeting Android device users. The activity, p...
New macOS infostealer impersonates Apple, Microsoft, and Google in a single attack chain
A SHub macOS infostealer variant called Reaper impersonates Apple, Microsoft, and Google to trick users into executing malicious code, then targets browser d...
JavaScript Malware Campaign Drops Crypto Clipper via PowerShell
A large-scale CountLoader campaign that uses layered obfuscation, multi-stage payload delivery, and covert command-and-control (C2) communication to deploy c...
Malaysian government-linked campaign used hidden infrastructure for years
The operation, believed to be a long-term espionage effort, has maintained its command and control infrastructure for several years by employing sophisticate...
Government Backed Hackers Abuse Cloudflare in Malaysian Espionage Campaign
A campaign linked to a suspected Malaysian government operation has been using hidden command and control infrastructure for…
Gremlin Stealer Hides Payloads in .NET Resources to Evade Detection
A newly discovered variant of the Gremlin Stealer is raising concerns among security researchers by adopting stealth-focused techniques that significantly re...
Welcome to BlackFile: Inside a Vishing Extortion Operation
Written by: Austin Larsen, Tyler McLellan, Genevieve Stark, Dan Ebreo Introduction Google Threat Intelligence Group (GTIG) has continued to track an expansiv...
Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files
Unit 42 analyzes the evolution of Gremlin stealer. This variant uses advanced obfuscation, crypto clipping and session hijacking to compromise data.
New Malware Framework Enables Screen Control and UAC Bypass
A sophisticated malware framework capable of screen control, browser artifact access, and User Account Control (UAC) bypass, highlighting how attackers are i...
Fired employee sought AI help to hide deletion of hosting firm’s customer data
The apparent revenge deletion of US federal databases after the dismissal of twin brothers from an online hosting company is another reminder to IT and HR le...
ClickFix finds a backup plan in PySoxy proxy chains
ClickFix, a one-shot social engineering technique that tricks victims into executing malicious workflows disguised as fixes to technical issues in their syst...
New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots
Cybersecurity researchers have flagged a new version of the TrickMo Android banking trojan that uses The Open Network (TON) for command-and-control (C2). The...
Vidar Stealer Campaign Evades EDR to Steal Credentials
A new Vidar Stealer campaign is abusing trusted tools, multi‑stage loaders, and heavy obfuscation to bypass EDR visibility and steal credentials from infecte...
North Korea Hackers Abuse Git Hooks to Deploy Cross-Platform Malware
North Korean threat actors have introduced a stealthy new delivery mechanism in their ongoing “Contagious Interview” campaign, shifting tactics to abuse Git ...
Android banking Trojan TrickMo evolves using TON network for C2
ThreatFabric found a new TrickMo Android trojan focused on stealth and persistence, moving its command-and-control traffic to the TON network.
Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools
Unit 42 analyzes AD CS exploitation through template misconfigurations and shadow credential misuse while offering behavioral detection for defenders. The po...
TrickMo Variant Routes Android Trojan Traffic Through TON
ThreatFabric finds new TrickMo Android banking trojan variant routing C2 through The Open Network
New Quasar Linux implant targets developers with rootkit and backdoor capabilities
QLNX is designed for stealth and long-term persistence, operating in-memory and employing multiple techniques to evade detection, including log wiping, proce...