Zscaler ThreatLabz (@threatlabz)'s Twitter Profile
Zscaler ThreatLabz

@threatlabz

Threat intelligence and security research from @zscaler

ID: 775449576476057601

Link: https://www.zscaler.com/blogs/research
Joined: 12-09-2016 21:42:41

226 Tweets

6.6K Followers

34 Following

#INC ransomware has been busy with updates to their payment and data leak sites. The latest ransom note which now includes a web-based data leak site (accessible without TOR) has been uploaded to our repository here: github.com/threatlabz/ran…
#ValleyRAT developers have updated the malware with new features including device fingerprinting and desktop screen capturing. 

See our technical analysis here: zscaler.com/blogs/security…
In preparation for #OperationEndgame, ThreatLabz researchers performed technical analysis for all versions of #SmokeLoader dating back to 2011. The downloader has proven to be remarkably resilient with continuous improvements to the network communication, encryption, and
🕷️ The initial access broker using #Latrodectus is back! The group has resurrected the malware loader less than a month after #OperationEndgame. #BruteRatel is currently being used to drop Latrodectus.

Sample BruteRatel SHA256 hash:
New #Latrodectus C2s added:

https://filomeranta[.]com/live/
https://lettecoft[.]com/live/

The current Latrodectus backconnect C2 is located at 64.7.198.158:443
#Lockbit has just released data that is allegedly from the Federal Reserve... except this data appears to be from a bank that was recently penalized by the Federal Reserve for "deficiencies in the bank’s anti-money laundering, risk management, and consumer compliance programs."
In March 2024, ThreatLabz spotted #Kimsuky (aka #APT43) leveraging #TRANSLATEXT to target the South Korean education sector as part of an intelligence collection operation.

Read our analysis here: zscaler.com/blogs/security…
Check out part 2 of our #SmokeLoader series, which analyzes the malware's advancements from 2015 to 2022. The improvements include updates to the network communications, code obfuscation, and anti-analysis techniques: zscaler.com/blogs/security…
🦠ThreatLabz has detected another malicious Android app that is currently live in the Google Play store with over 1K downloads located at: play.google[.]com/store/apps/details?id=com.appsdevelopmentmegastudio.filecontrolandqrreader.

The app is disguised as a QR
ThreatLabz has uncovered new tools from #APT41 including #DodgeBox and #MoonWalk. DodgeBox utilizes EDR evasion techniques including call stack spoofing, unhooking APIs, and bypassing Control Flow Guard. The purpose of DodgeBox is to deploy the MoonWalk backdoor, which leverages
Check out Part 2 of our technical analysis of the new #MoonWalk backdoor used by #APT41 that uses obscure Windows Fibers (an alternative to threads) to evade EDR and implements an encrypted custom binary protocol using @GoogleDrive to blend in with legitimate network traffic.
⚠️Threat actors are taking advantage of the CrowdStrike BSOD bug to spread malware. ThreatLabz identified a lure that uses a Microsoft Word document that contains instructions on how to recover from the issue. However, the document contains a malicious macro that, when enabled,
💸ThreatLabz has uncovered a record breaking $75 million payment made by a Fortune 50 company to the #DarkAngels ransomware group. The payment is the single largest ransomware-related transaction ever reported. For more details, check out our annual ransomware report:
Check out our technical analysis of the #Copybara Android malware family. The latest variant uses the MQTT protocol for C2 communication and contains a significant number of capabilities including keylogging, audio & video recording, SMS hijacking, screen capturing, credential
#BlindEagle has been targeting the Colombian insurance sector with #BlotchyQuasar. Check out our technical analysis of these malware campaigns here: zscaler.com/blogs/security…