The threat actor is exploiting compromised AWS keys to manipulate cloud storage objects and encrypt S3 bucket data for ransom.
Tag: T1566.001
Double-Tap Campaign by UAC-0063
The threat actor is conducting a spearphishing campaign to deliver malicious attachments, maintain persistence, and establish command and control.
Hunting 4 Two Way Phish
Attackers are using phishing emails to deliver malicious Microsoft Visio attachments that redirect to credential harvesting pages.
Suspected TTPs:
- Spearphishing Attachment [T1566.001]
- Exploit Public-Facing Application [T1190]
- Drive-by Compromise [T1189]
- Command and Control [T1071]
- Exfiltration [TA0010]
- Impact [TA0040]
Engage Report: Real phishing is only two-step phishing
Threat actors initiate the attack by sending phishing emails from compromised accounts. These emails often contain a Microsoft Visio (.vsdx) file hosted on SharePoint, which is used to deliver malicious URLs.
EU Phishing Campaign
The threat actors utilized phishing emails with attached PDF documents or embedded HTML links. These emails targeted European companies and organizations, aiming to harvest account credentials and take over the victim’s Microsoft Azure cloud infrastructure.
Hunting FLUX#CONSOLE
Attackers are exploiting vulnerabilities in Microsoft Management Console (MMC) snap-in files to execute malicious code.
Engage Report for Lazarus new malware
The Lazarus group targeted employees of a nuclear-related organization with phishing emails containing malicious archive files. The emails were disguised as job opportunities at prominent aerospace and defense companies, aiming to trick the victims into opening the malicious attachments.
Hunting 4 PhantomCore RAT
The attacker is using spearphishing emails with malicious attachments to deliver malware, which then establishes command and control and collects system information.
Engage Report: Head Mare Group’s PhantomCore Campaign
The Head Mare group distributes malicious ZIP archives, likely through spam emails disguised as invoices or financial documents, to deceive recipients into executing the malicious payload.
Threat Actor Targets the Manufacturing Industry with Lumma Stealer and Amadey Bot
The attack begins with a spear-phishing email containing an LNK file disguised as a PDF document. This LNK file is hosted on a remote WebDAV share and impersonates LogicalDOC, a cloud-based document management system. When executed, the LNK file launches ssh.exe to run a PowerShell command that fetches and executes a malicious payload from a remote server. This server is accessed via a URL that abuses Google’s Accelerated Mobile Pages (AMP) framework, combined with a shortened URL. The PowerShell code then triggers another malicious script hosted on Pastebin, which downloads a ZIP archive to the Temp directory, extracts its contents, and executes a legitimate executable that sideloads a malicious DLL file. This DLL injects malicious code into various processes, ultimately leading to the deployment of Lumma Stealer and Amadey Bot.