Engage Report: HeartCrypt Packer-as-a-Service

The HeartCrypt packer utilizes several obfuscation techniques, including:

  • Packing malware into legitimate binaries
  • Employing position-independent code (PIC)
  • Implementing control-flow obfuscation through stack strings, dynamic API resolution, jump instructions, and junk bytes
  • Utilizing multiple layers of encoding and byte substitution
  • Hiding shellcode in resources disguised as bitmap images

Hunt: Snowblind – The Invisible Hand of Secret Blizzard

A sophisticated attacker, potentially the “Secret Blizzard” group, has gained access to the network and is actively attempting to establish persistence, evade detection, escalate privileges, and collect sensitive data. They are likely using custom malware with advanced anti-analysis capabilities and are targeting specific systems and data.

Threat Hunting Report: CyberVolk

The CyberVolk group is actively developing and deploying ransomware, potentially targeting organizations based on geopolitical motivations.

Ursnif Banking Trojan

The Ursnif banking trojan may be present in the environment, utilizing memory injection techniques to evade detection and maintain persistence.