Zscaler

Malvertising Campaign Targeting IT Teams with MadMxShell Backdoor

The backdoor uses techniques such as multiple stages of DLL sideloading and DNS tunneling for command-and-control (C2) communication as a means to evade endpoint and network security solutions, respectively.

Automating Pikabot’s String Deobfuscation

Previous versions of Pikabot used advanced string encryption techniques, which have been replaced with simpler algorithms. Previously, the strings were encrypted using a combination of AES-CBC and RC4 algorithms.

Tweaks Stealer Targets Roblox Users Through YouTube and Discord

The attackers leverage YouTube by enticing users to watch videos on "How to increase FPS" that contain links to their Discord groups. Once they join, the attackers provide them with links to malicious files disguised as game tweaks and modifications.

Android and Windows RATs Distributed Via Online Meeting Lures

The attackers used fake Russian-language online meeting sites hosted on a single IP address to distribute malicious APK and BAT files targeting Windows and Android users.

European Diplomats Targeted by SPIKEDWINE Actors with WINELOADER Backdoor

The adversary used a PDF file posing as an invitation from the Ambassador of India to a wine-tasting event, which contained a malicious link leading to the WINELOADER malware.

Zloader: No Longer Silent in the Night

The Zloader static configuration is now encrypted using RC4 with a hardcoded alphanumeric key, and the network encryption employs 1,024-bit RSA with RC4 and the Zeus "visual encryption" algorithms.

DreamBus Unleashes Metabase Mayhem With New Exploit Module

DreamBus is a sophisticated malware that targets various applications and exploits vulnerabilities such as CVE-2023-38646 and CVE-2023-33246 to deploy modules and mine cryptocurrency.

Threat Actors Exploit CVE-2017-11882 to Deliver Agent Tesla

The Agent Tesla malware uses obfuscated VBS files and steganography techniques to download a Base64-encoded DLL, which is then decoded and loaded to carry out malicious procedures.

Researchers Discover 117 Vulnerabilities in Microsoft 365 Apps via the SketchUp 3D Library

By developing a SketchUp fuzzing harness and using a dumb file format fuzzer, 20 unique vulnerabilities, including use-after-free and stack buffer overflow, were discovered in just one month.

Technical Analysis of HijackLoader

HijackLoader has been observed loading various malware families such as Danabot, SystemBC, and RedLine Stealer. The malware uses syscalls to evade security solutions, has anti-analysis techniques, and delays code execution at different stages.

Defend Against Threats with Cyber Fusion

Cyware is the leading provider of cyber fusion solutions that power threat intelligence sharing, end-to-end automation and 360-degree threat response.