By exploiting web app services, the attackers deploy a web shell to launch malware and gather credentials, compromising IIS servers to spread the BadIIS malware. The malware facilitates proxy ware and SEO fraud by manipulating search engine rankings.

Malicious actors potentially utilized the MacroPack red-teaming framework to distribute harmful payloads like Brute Ratel and Havoc tools, as well as a new version of the PhantomCore remote access trojan.

The latest encryptor variant identified by researchers at Cisco Talos appends the file extension ‘blackbytent_h’ to encrypted files. This variant also includes the deployment of four vulnerable drivers, an increase from previous reports.

MoonPeak is an evolved form of the Xeno RAT malware previously used by North Korean actors and is capable of loading plugins, launching processes, and communicating with a command-and-control (C2) server.

A government-affiliated research organization in Taiwan was attacked by APT41 hackers, a notorious Chinese hacking group known for targeting sensitive technologies. The breach, starting in July 2023, was identified by Cisco Talos researchers.

Talos’ analysis, in coordination with CERT.NGO, reveals that Turla infected multiple systems in the compromised network of a European non-governmental organization (NGO).

Threat actors are exploiting legitimate digital document publishing (DDP) sites to host phishing lures, making it harder for traditional security controls to detect and block these attacks.

The malware comes with embedded modules for orchestration, decryption, and protection, while also conducting checks to avoid sandbox environments and targeting specific industries like manufacturing and transportation sectors.

Google Cloud Run is being exploited by threat actors to distribute banking trojans, with a significant increase in malicious email campaigns observed since September 2023 targeting victims in Latin America, Europe, and North America.

The TinyTurla-NG backdoor uses compromised WordPress websites as command and control endpoints and deploys PowerShell scripts to exfiltrate key material used to secure password databases, indicating a concerted effort to steal login credentials.