T1021 – D E C E I V E R . I O

Engage Report: Head Mare Group’s PhantomCore Campaign

The Head Mare group distributes malicious ZIP archives, likely through spam emails disguised as invoices or financial documents, to deceive recipients into executing the malicious payload.

Engage Report: Zloader Trojan Analysis

Zloader has been observed to utilize legitimate remote management tools like AnyDesk, TeamViewer, and Microsoft Quick Assist for initial access. Threat actors leverage social engineering tactics to convince victims to grant them remote access to their systems. Once they gain remote access, the attackers proceed to deploy Zloader.

Technique: System Access [T1078] –> Remote Services [T1021] –> Remote Desktop Protocol [T1021.001]

China attacks U.S. Companies

The attackers leveraged WMI, Microsoft’s command-line tool, to execute commands on a remote computer, indicating a possible exploitation of external remote services for gaining initial access to the network.

Exploitation of Firefox and Windows zero-day vulnerabilities

The RomCom threat actors are actively exploiting Firefox and Windows zero-day vulnerabilities to compromise systems, escalate privileges, establish persistence, and exfiltrate sensitive data.

Tag: T1021

Engage Report: Head Mare Group’s PhantomCore Campaign

Engage Report: Zloader Trojan Analysis

China attacks U.S. Companies

Exploitation of Firefox and Windows zero-day vulnerabilities

ORION Detlab: Forging Resilient Detections in the HEFAISTOS Ecosystem

The Maieutic Engine: Birth of a New Detection Engineering Paradigm

The Forge, The Guide, and The Hunter: Unifying Detection Engineering with the Mythological Triad of HEFAISTOS, KEDALION, and ORION

Dendrite: Bridging the Synaptic Gap Between External Intelligence and Internal Defense