APT reports – Page 6 – WindowsTechs.com

WinDealer dealing on the side

Posted on June 2, 2022 by GReAT

We have discovered that malware dubbed WinDealer, spread by Chinese-speaking APT actor LuoYu, has an ability to perform intrusions through a man-on-the-side attack. Continue reading WinDealer dealing on the side→

APT trends report Q1 2022

Posted on April 27, 2022 by GReAT

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022. Continue reading APT trends report Q1 2022→

Lazarus Trojanized DeFi app for delivering malware

Posted on March 31, 2022 by GReAT

We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor. Continue reading Lazarus Trojanized DeFi app for delivering malware→

MoonBounce: the dark side of UEFI firmware

Posted on January 20, 2022 by Mark Lechtik, Vasily Berdnikov, Denis Legezo, Ilya Borisov

At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41. Continue reading MoonBounce: the dark side of UEFI firmware→

The BlueNoroff cryptocurrency hunt is still on

Posted on January 13, 2022 by Seongsu Park, Vitaly Kamluk

It appears that BlueNoroff shifted focus from hitting banks and SWIFT-connected servers to solely cryptocurrency businesses as the main source of the group’s illegal income. Continue reading The BlueNoroff cryptocurrency hunt is still on→

ScarCruft surveilling North Korean defectors and human rights activists

Posted on November 29, 2021 by GReAT

The ScarCruft group (also known as APT37 or Temp.Reaper) is a nation-state sponsored APT actor. Recently, we had an opportunity to perform a deeper investigation on a host compromised by this group. Continue reading ScarCruft surveilling North Korean defectors and human rights activists→

WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019

Posted on November 29, 2021 by Maher Yamout

In this report we provide details on a malicious VBS implant distributed via MS Excel droppers and a fake “Kaspersky Update Agent” which we attribute to WIRTE APT who may be linked to Gaza Cybergang. Continue reading WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019→

APT trends report Q3 2021

Posted on October 26, 2021 by GReAT

The APT trends reports are based on our threat intelligence research and provide a representative snapshot of what we have discussed in greater detail in our private APT reports. This is our latest installment, focusing on activities that we observed during Q3 2021. Continue reading APT trends report Q3 2021→

Lyceum group reborn

Posted on October 18, 2021 by Mark Lechtik, Aseel Kayal, Paul Rascagneres

According to older public researches, Lyceum conducted operations against organizations in the energy and telecommunications sectors across the Middle East. In 2021, we have been able to identify a new cluster of the group’s activity, focused on two entities in Tunisia. Continue reading Lyceum group reborn→

SAS 2021: Learning to ChaCha with APT41

Posted on October 12, 2021 by Securelist

John Southworth gives insights about APT41 and the malware used by the threat actor – the Motnug loader and its descendant, the ChaCha loader; also, shares some thoughts on the actor’s attribution and the payload, including the infamous CobaltStrike. Continue reading SAS 2021: Learning to ChaCha with APT41→