Threat Research

  • Attackers Unleash TeamFiltration: Account Takeover Campaign (UNK_SneakyStrike) Leverages Popular Pentesting Tool

    Proofpoint researchers uncovered the UNKSneakyStrike campaign using the TeamFiltration framework to target Microsoft Entra ID accounts through large-scale user enumeration and password spraying. The campaign, active since December 2024, leverages AWS infrastructure and exploits native Microsoft applications for account takeover and data exfiltration. #UNKSneakyStrike #TeamFiltration #MicrosoftEntraID…

  • Global analysis of Adversary-in-the-Middle phishing threats

    Adversary-in-the-Middle (AitM) phishing attacks increasingly target Microsoft 365 and Google accounts, leveraging sophisticated phishing kits offered as Phishing-as-a-Service (PhaaS). These kits harvest session cookies to bypass multi-factor authentication, facilitating financial fraud and Business Email Compromise (BEC) attacks. #Tycoon2FA #Storm1167 #EvilProxy #SekoiaTDR

  • Proactive OT security: Lessons on supply chain risk management from a rogue Raspberry Pi

    ClickFix is a social engineering technique exploiting end users by disguising malicious PowerShell commands as routine verification prompts, enabling threat actors to gain network access and exfiltrate data. Since March 2024, various threat actors including APT28 and MuddyWater have leveraged this method to target multiple industries globally. #ClickFix #APT28 #MuddyWater

  • Cato CTRL™ Threat Research: Uncovering Nytheon AI – A New Platform of Uncensored LLMs 

    Nytheon AI is a Tor-based platform offering a suite of uncensored large language models (LLMs) designed for malicious activities, combining multiple open-source models with disabled safety features. Operated likely by a Russian-speaking individual from a post-Soviet country, it enables diverse attacks such as spear-phishing and turnkey API-driven exploits. #NytheonAI #Llama3 #CatoCTRL

  • APT PROFILE – MISSION2025

    MISSION2025, also known as APT41, is a Chinese state-sponsored threat group active since 2012, focusing on cyberespionage and financially motivated attacks aligned with China’s strategic goals. Their recent campaigns feature sophisticated use of cloud services for command and control and exploitation of software vulnerabilities to target governments and critical infrastructure globally. #MISSION2025 #APT41 #TOUGHPROGRESS #IvantiEPMM

  • New MITRE ATT&CK Groups for 2025: A DNS Deep Dive

    The MITRE Corporation’s April 2025 update introduced seven new threat groups along with associated IoCs, revealing new insights through expanded data analysis by WhoisXML API. The analysis uncovered numerous additional domains, IPs, and email-connected domains linked to these groups, enhancing threat detection capabilities. #APT42 #BlackByte #RedEcho #SeaTurtle #Storm1811 #VelvetAnt

  • Toxic trend: Another malware threat targets DeepSeek

    Threat actors have been exploiting the popularity of the DeepSeek-R1 large language model by distributing malware through phishing sites and malvertising campaigns that mimic its official environment. The attacks deploy the BrowserVenom implant, which reroutes browser traffic through a malicious proxy to intercept and manipulate victim data. #DeepSeekR1 #BrowserVenom #app-updater1.app

  • Gone But Not Forgotten: Black Basta’s Enduring Legacy

    The ransomware group Black Basta disbanded after internal chat leaks, but its tactics, especially mass email spam and Microsoft Teams phishing, continue to be used by former members and new groups. Emerging attack methods now include Python script execution with cURL for payload delivery, emphasizing the need for strong user education and vigilant defense strategies. #BlackBasta #MicrosoftTeamsPhishing #CactusRaaS

  • Understanding CYBEREYE RAT Builder: Capabilities and Implications

    CyberEye, also known as TelegramRAT, is a modular .NET-based Remote Access Trojan that uses Telegram Bot API for command and control, enabling stealthy surveillance and data theft without requiring attacker infrastructure. Its capabilities include credential harvesting, defense evasion by disabling Windows Defender, clipboard hijacking, and persistence via scheduled tasks, making it a significant threat for users and organizations. #CyberEye #TelegramRAT #TelegramBotAPI

  • The Week in Vulnerabilities: Cyble Warns of Rising Exploits Targeting ICS, Enterprise, and Web Systems

    Between May 28 and June 3, 2025, multiple high-severity vulnerabilities were actively exploited by various threat actors, including a China-linked APT group targeting diverse industries. Cyble Research & Intelligence Labs observed increased exploit attempts, malware campaigns, and critical infrastructure risks, emphasizing the urgency of patching and enhanced cybersecurity measures. #CVE-2024-56145 #CVE-2025-5419 #ChinaAPT #MiraiBotnet

  • CVE-2025-33053, Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage

    Check Point Research revealed a sophisticated campaign by the APT group Stealth Falcon exploiting a zero-day vulnerability (CVE-2025-33053) through malicious .url files to deliver custom malware implants such as the Horus Agent. The group targets government and defense sectors in the Middle East and Africa using spear-phishing, WebDAV exploitation, and customized post-exploitation tools including keyloggers and credential dumpers. #StealthFalcon #CVE2025-33053 #HorusAgent

  • BlackSuit Continues Social Engineering Attacks in Wake of Black Basta’s Internal Conflict

    The Black Basta ransomware group’s social engineering attacks sharply declined after December 2024, with evidence indicating that BlackSuit affiliates have adopted or absorbed their tactics. Rapid7’s analysis reveals sophisticated Java RAT and QEMU-based malware deployments, leveraging cloud services for command and control, and highlights ongoing evolution in attacker methods. #BlackBasta #BlackSuit #JavaRAT

  • Eggs in a Cloudy Basket: Skeleton Spider’s Trusted Cloud Malware Delivery

    FIN6, also known as Skeleton Spider, employs sophisticated social engineering tactics leveraging professional job platforms to distribute the Moreeggs backdoor via cloud-hosted malicious infrastructure. Their campaigns utilize fake resumes, CAPTCHA protections, and environmental filtering to evade detection and deliver ransomware and credential theft malware. #FIN6 #Moreeggs #Skeleton_Spider

  • DanaBleed: DanaBot C2 Server Memory Leak Bug

    DanaBot is a Malware-as-a-Service platform active since 2018, known for operating under an affiliate model facilitating banking fraud and credential theft. A memory leak vulnerability named DanaBleed in DanaBot’s C2 server, discovered in 2022, exposed sensitive internal data until the infrastructure was dismantled in 2025 under Operation Endgame. #DanaBot #DanaBleed #OperationEndgame

  • Stay Ahead of Cyber Threats Sweeping Container Telemetry data

    Trend Vision One™ – Threat Intelligence enhances proactive security by providing retrospective scanning and container-aware visibility to detect past and ongoing threats in diverse environments. It integrates real-time data, MITRE ATT&CK mapping, and automated investigations to enable faster, intelligence-driven incident response. #TrendVisionOne #ThreatInsights #ContainerSecurity…

  • Enhance your cybersecurity workflows with Silent Push SOAR integrations 

    Silent Push Enterprise Edition enhances security operations by enriching indicators with extensive context, enabling automated, proactive threat detection and response at scale across multiple SOAR platforms. Integrations with Cortex XSOAR, Splunk SOAR, Torq, Swimlane, Tines, and ServiceNow streamline workflows, reduce manual triage, and improve detection and mitigation of emerging threats. #SilentPush…

  • Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets

    SentinelLABS detected and thwarted reconnaissance and intrusion operations linked to the PurpleHaze and ShadowPad activity clusters, attributed with high confidence to China-nexus threat actors targeting SentinelOne and related organizations. Despite multiple sophisticated attacks between 2024 and 2025, SentinelOne’s infrastructure remained uncompromised, underscoring persistent threats to cybersecurity vendors and global industries. #PurpleHaze #ShadowPad #GOREshell #APT15 #UNC5174

  • Sleep with one eye open: how Librarian Ghouls steal data by night

    Librarian Ghouls, an APT group targeting Russian and CIS entities, employs legitimate third-party software and scripting rather than custom malware for its attacks, focusing on credential theft and deploying a crypto miner. Their ongoing campaign features phishing emails, remote access tools, and complex infection stages, with hundreds of victims primarily in Russia and neighboring countries. #LibrarianGhouls #RareWerewolf #Rezet #XMRig #AnyDesk

  • Attackers Use SVG Images to Steal Credentials

    Cybercriminals have begun using SVG files containing malicious JavaScript in phishing emails to bypass security filters and steal Microsoft 365 credentials. The attack redirects victims to a fake login page via a phishing URL embedded in the SVG file, potentially compromising corporate networks. #SVGPhishing #Microsoft365 #MutationObserver

  • Ransomware Disguised as Password Cracker (Extension Changed to .NS1419)

    AhnLab Security Intelligence Center discovered ransomware disguised as a password cracker tool that encrypts files using AES-256 in CFB mode, making data recovery impossible even after ransom payment. This ransomware tricks users into running it by mimicking legitimate hacking tools, increasing the risk of infection. #AhnLab #PyInstaller #AES256CFB #snapReadme #ransomwaredisguise…

For the sites below, automatic FETCH cannot be performed
(I need to monitor them manually, so there will be a delay of 3-7 days).

Below are other references that, for some reason, I am not fetching automatically
(I need to review the articles manually, so there will be a delay of 3-5 days).

  • cleafy.com/labs (update 1-2 months)
  • guidepointsecurity.com/blog/ > category: threat advisory
  • research.openanalysis.net
  • blog.phylum.io/tag/research/
  • shadowstackre.com/analysis/
  • mssplab.github.io
  • farghlymal.github.io
  • asec.ahnlab.com/ko/
  • blog.bushidotoken.net
  • kroll.com/en/insights/publications/cyber
  • Sentinelone.com
  • blog.lumen.com

Update

Update, January 2025

“Due to copyright reasons, starting January 2025, this site will no longer display the full content of sourced articles. Only Summaries, Key Points, MITRE Tactics for Threat Research, and selected IoCs will be provided. To read the full article, please click on the ‘source’ link to view it on the original website.”
