T1204 – D E C E I V E R . I O

Deceive, Detect, Engage

Hunting all around for TA397 RATs

Attackers are using phishing emails to deliver malicious attachments that gather system information and exfiltrate it to a remote server.

COLDRIVER – UNC4057, Star Blizzard and Callisto

The attacker, impersonating experts or affiliates, sends a phishing link or document containing a link to a “decryption” utility. This utility is malware (SPICA backdoor) that gives the attacker access to the victim’s machine. The malware establishes persistence, communicates with a C2 server using JSON over WebSockets, and then collects and exfiltrates data.

Tag: T1204

Hunting all around for TA397 RATs

COLDRIVER – UNC4057, Star Blizzard and Callisto

ORION Detlab: Forging Resilient Detections in the HEFAISTOS Ecosystem

The Maieutic Engine: Birth of a New Detection Engineering Paradigm

The Forge, The Guide, and The Hunter: Unifying Detection Engineering with the Mythological Triad of HEFAISTOS, KEDALION, and ORION

Dendrite: Bridging the Synaptic Gap Between External Intelligence and Internal Defense