ALERTS APRIL 2024




DATE | NAME | INFO | CATEGORY | SUBCATEGORY

30.4.24 | New DragonForce Ransomware variant | A new variant of ransomware called DragonForce has been observed using a leaked ransomware builder from the LockBit ransomware group. | ALERTS | RANSOM
30.4.24 | Security vendor applications impersonated in recent malware campaign | Impersonating legitimate applications is a common tactic observed in attack campaigns. Among the simpler methods of impersonation is to convince a victim to execute content by leveraging a legitimate filename. | ALERTS | VIRUS
30.4.24 | Ziraat Stealer disguised as data recovery tool | The Ziraat Stealer, a .NET infostealer, has been discovered masquerading as a Data Recovery tool. This malware is capable of extracting passwords and credentials from browsers, social media platforms, | ALERTS | VIRUS
30.4.24 | Rising trend of FakeBat malware campaigns, exploiting MSIX installers and malvertising | Many campaigns involving the FakeBat malware have been reported recently, showing an increasing trend. FakeBat utilizes multiple delivery tactics, with malvertising being the primary strategy. | ALERTS | VIRUS
27.4.24 | Multiple vulnerabilities in OpenMetadata | OpenMetadata is an open source metadata platform that can be used for data discovery, cataloging and collaboration. | ALERTS | VULNERABILITY
27.4.24 | KageNoHitobito ransomware | KageNoHitobito ransomware came on the scene in March 2024. This is a no-frills ransomware with basic old-school functionality: file encryption (only on the local drive), dropping ransom notes, and requiring interaction with the attack group via Tor. | ALERTS | RANSOM
27.4.24 | Brokewell mobile malware | Brokewell is a new mobile malware variant discovered in the wild. According to a recent report, the malware is delivered to Android users via a fake Google Chrome browser update package. | ALERTS | VIRUS
27.4.24 | Amadey malware family remains an active threat in the landscape | Amadey is an infostealer variant enriched with additional functionalities allowing it to download and execute malicious payloads such as ransomware. | ALERTS | VIRUS
25.4.24 | SSLoad and Cobalt Strike leveraged in compromised "Contact Form" campaign | A new loader has emerged called SSLoad, distinct from SLoad. Reports reveal a campaign where attackers were observed abusing contact forms to send malicious links. | ALERTS | APT
25.4.24 | SpyNote campaign using Vietnam's National Public Service as bait | SpyNote remote access trojan and its variants are proliferating globally, with groups and individuals employing various social engineering tactics to target mobile users. | ALERTS | APT
25.4.24 | APT43 exploits Dropbox in TutorialRAT distribution campaign | The APT43 group has been observed distributing TutorialRAT by actively exploiting Dropbox cloud storage as a base for their attacks to evade threat monitoring. | ALERTS | APT
25.4.24 | CryptBot among the infostealer variants distributed in latest CoralRaider campaign | According to a recent report, three distinct infostealer variants, CryptBot, LummaC2 and Rhadamanthys, have been distributed in a newly discovered campaign attributed to the threat actor known as CoralRaider. | ALERTS | VIRUS
25.4.24 | Seedworm exploits Atera Agent in a spear-phishing Campaign | Seedworm (also known as MuddyWater) is actively exploiting the legitimate remote monitoring and management (RMM) tool Atera Agent in its spear-phishing campaign. | ALERTS | CAMPAIGN
25.4.24 | Fake Job App Steals SMS Messages From Oil Industry Job Seekers | Symantec has recently observed a malicious actor targeting mobile users who are looking for jobs in the oil industry. | ALERTS | GROUP
25.4.24 | More Fake MetaMask Android Apps Circulating, Targeting Users' Wallets | More fake MetaMask Android applications have been observed targeting mobile users' wallets via phishing tactics, all of which are being hosted on malicious domains mimicking MetaMask and leveraging typosquatting techniques. | ALERTS | VIRUS
25.4.24 | GooseEgg, a post-exploitation malware | Researchers at Microsoft have reported on ongoing activities of the Russia-based threat actor Forest Blizzard, identified by Symantec as Swallowtail (aka STRONTIUM), utilizing a custom tool dubbed GooseEgg. | ALERTS | VIRUS
23.4.24 | Kapeka backdoor | Kapeka is a recently identified backdoor variant leveraged in malicious campaigns targeted at various entities in Eastern Europe since at least 2022. | ALERTS | VIRUS
23.4.24 | Sharpil RAT malware - possible precursor to Sharp Stealer | Sharpil is a new Remote Access Trojan (RAT) discovered in the threat landscape. This C#-based malware features basic infostealing functionality including system info collection and data gathering from various web browsers. | ALERTS | VIRUS
22.4.24 | Core Werewolf APT group targets Russian defense organizations in espionage campaign | Espionage activity of the Core Werewolf APT group targeting Russian defense organizations was observed around mid-April. | ALERTS | APT
22.4.24 | Megazord Ransomware | Megazord ransomware is a Rust-based malware that targets healthcare, education, and government entities. | ALERTS | RANSOM
22.4.24 | OfflRouter observed infecting Ukrainian DOC files | Threat researchers have recently discovered OfflRouter infections in various DOC files observed in the wild. | ALERTS | VIRUS
20.4.24 | Coreid (aka Fin7) uses backdoor against US Automaker victims | A recent report provided details of activity by the Coreid (aka Fin7) threat group in which victims in the US automaker industry were targeted. | ALERTS | APT
20.4.24 | APT Group exploits Web3 gaming hype in campaign for cryptocurrency earnings | A campaign centered around imitating web3 gaming projects has been observed, likely operated by a Russian-language APT group aiming for potential cryptocurrency earnings by leveraging the allure of blockchain-based gaming. | ALERTS | APT
20.4.24 | Akira ransomware remains an active threat on the landscape | Symantec Security Response is aware of the recent joint alert from CISA, the FBI, Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL) | ALERTS | RANSOM
20.4.24 | XAgent spyware targeting iOS devices | An XAgent spyware targeting iOS devices has been identified, linked to the Swallowtail group (APT28). Primarily targeting political and government entities in Western Europe | ALERTS | VIRUS
19.4.24 | Malware campaign distributing MadMxShell backdoor via masquerade websites | A new backdoor called MadMxShell has surfaced as part of a malware campaign. The threat actors responsible for the campaign are hosting masquerade websites that impersonate legitimate IP scanner software sites. | ALERTS | CAMPAIGN
19.4.24 | CR4T malware implant distributed in the DuneQuixote campaign | A malicious campaign dubbed DuneQuixote has been reported to distribute new variants of the CR4T malware implant. The campaign targets various organizations and entities in the Middle East. | ALERTS | VIRUS
19.4.24 | Mamont Android banking trojan | Mamont is a recently identified banking trojan for Android. The malware has been distributed disguised as a Google Chrome installer package. | ALERTS | VIRUS
18.4.24 | Google Firebase and Clearbit abused in Phishing campaigns | Phishing actors employ a plethora of tactics to make their phishing attempts more persuasive, ranging from hosting services to social engineering. | ALERTS | CAMPAIGN
18.4.24 | TP-Link Archer AX21 CVE-2023-1389 still being exploited by botnets | Last year an unauthenticated command injection vulnerability, CVE-2023-1389, was disclosed for the web management interface of the TP-Link Archer AX21 (AX1800) router. | ALERTS | VULNERABILITY
17.4.24 | CVE-2024-1852 - WordPress WP-Members Membership Plugin vulnerability | CVE-2024-1852 is a high severity cross-site scripting (XSS) vulnerability affecting the WordPress WP-Members Membership Plugin. | ALERTS | VULNERABILITY
17.4.24 | SoumniBot - Android banking malware | SoumniBot is a new banking malware variant for Android. | ALERTS | VIRUS
17.4.24 | Rincrypt Ransomware | Rincrypt is one more run-of-the-mill ransomware variant recently observed on the threat landscape. When executed, it targets files with specific extensions according to a pre-defined list. The malware appends the “.rincrypt” extension to the encrypted files. | ALERTS | RANSOM
17.4.24 | Tax-Themed phishing campaign deploys XWorm RAT | An email phishing campaign has been reported deploying the Remote Access Trojan (RAT) XWorm. | ALERTS | VIRUS
17.4.24 | Risen Ransomware | A ransomware actor known as "Risen" has been detected in the wild. According to their ransom note ($Risen_Note.txt and $risen_guide.hta), the threat actors appear to employ double-extortion tactics by threatening to sell or leak stolen information if the ransom payment is not made. | ALERTS | RANSOM
16.4.24 | SteganoAmor campaign attributed to TA558 threat group | A new malicious campaign dubbed SteganoAmor has been attributed to the TA558 threat actor. | ALERTS | GROUP
16.4.24 | L00KUPRU Ransomware | L00KUPRU is a new Xorist ransomware variant recently discovered in the wild. The malware encrypts user files and adds the .L00KUPRU extension to them. | ALERTS | RANSOM
16.4.24 | SolarMarker malware campaign adapts with PyInstaller for obfuscation | A SolarMarker malware campaign has been observed utilizing PyInstaller to obfuscate first-stage PowerShell scripts instead of Inno Setup and PS2EXE, showcasing the adaptability of threat actors in evading detection mechanisms targeting SolarMarker. | ALERTS | VIRUS
16.4.24 | Hive0051c malware campaign distributing GammaLoad in Ukraine | Hive0051c has been observed conducting a malware campaign distributing the GammaLoad malware in Ukraine. | ALERTS | VIRUS
16.4.24 | FatalRAT Distributed Through Fake Cryptocurrency App Website | A new malicious campaign has been identified where the attackers attempt to distribute FatalRAT malware via a webpage masquerading as a legitimate cryptocurrency application download website specifically designed for Chinese users. | ALERTS | VIRUS
16.4.24 | Fake Anti Radar App SpyNote RAT Targets French Drivers | Speed cameras are quite prevalent in France, and their numbers have increased significantly over the years as part of road safety measures. | ALERTS | VIRUS
16.4.24 | XploitSPY Android malware | An active malicious campaign dubbed "eXotic Visit" has been recently spreading a customized variant of the XploitSPY Android malware. | ALERTS | VIRUS
13.4.24 | Signed backdoor found in screen mirroring software | A recent report identified a signed backdoor present in LaiXi Android screen mirroring software. According to the report, attackers abused the Microsoft Windows Hardware Compatibility Program to get the malware signed. | ALERTS | VIRUS
12.4.24 | LightSpy malware implant | LightSpy is a modular surveillance tool with variants supporting both Android and iOS platforms. | ALERTS | VIRUS
12.4.24 | Rhadamanthys malware deployments attributed to TA547 | A new Rhadamanthys infostealer deployment campaign attributed to the TA547 threat actor has been discovered in the wild. The campaign targets a wide range of industries in Germany. | ALERTS | VIRUS
11.4.24 | Pupy RAT continues to be used in attacks against Linux systems | Pupy RAT continues to be leveraged in attacks conducted by miscellaneous threat operators. | ALERTS | VIRUS
11.4.24 | Metasploit Meterpreter observed in attacks targeting vulnerable Redis servers | Meterpreter is an advanced Metasploit attack payload leveraged in penetration testing that uses in-memory DLL injection stagers. | ALERTS | HACKING
11.4.24 | Nitrogen malware delivery campaign | A new malicious campaign spreading the Nitrogen malware has been observed in the wild. The attack leverages malvertising techniques via Google Ads, and the malware binaries are masqueraded as PuTTY or FileZilla software installers. | ALERTS | CAMPAIGN
9.4.24 | SpyNote mobile malware spread under the disguise of INPS Mobile application | A recent campaign targeted at mobile users in Italy has been distributing SpyNote malware under the disguise of the INPS Mobile application. | ALERTS | VIRUS
9.4.24 | Nova Stealer among the malware variants distributed via Facebook ads advertising fake AI services | A new infostealer distribution campaign has been reported in the wild, with attackers leveraging compromised Facebook accounts to advertise fake AI services impersonating well-known brands such as MidJourney, SORA AI, Evoto, ChatGPT-5 and DALL-E 3. | ALERTS | VIRUS
8.4.24 | CVE-2023-7102, New Zero-Day vulnerability in Barracuda's ESG Appliance exploited | A Chinese threat actor, UNC4841, has been reported exploiting a new zero-day vulnerability identified as CVE-2023-7102 in Barracuda Email Security Gateway (ESG) appliances. | ALERTS | VULNERABILITY
8.4.24 | New phishing run spoofs International Card Services (ICS) | Symantec has observed a new wave of phish runs spoofing International Card Services BV to steal credentials. In this run, threat actors have not hyperlinked the phishing URL but included it in plain text along with the email content. | ALERTS | PHISHING
8.4.24 | TISAK Ransomware | TISAK is a new ransomware variant observed in the wild. The malware appears to be a strain of the Proxima/BlackShadow ransomware family. It encrypts user data and appends the .Tisak extension to the files. | ALERTS | RANSOM
8.4.24 | Spoofed Adobe Creative Cloud email notifications appear in phish runs | Adobe Creative Cloud provides a collection of applications for graphic design, video editing, web development, photography and more. | ALERTS | PHISHING
8.4.24 | CVE-2023-41266 - A path traversal vulnerability in Qlik Sense Enterprise under active exploitation | CVE-2023-41266 is a path traversal vulnerability affecting Qlik Sense Enterprise. If successfully exploited, this vulnerability allows an unauthenticated remote attacker to generate an anonymous session. | ALERTS | VULNERABILITY
8.4.24 | Xamalicious Android malware | Xamalicious is a backdoor malware targeting the Android platform. The malware is built using the Xamarin framework, an open source platform for creating apps with .NET and C#. | ALERTS | VIRUS
8.4.24 | Binance Turkey Users Lured with MASAK Audit Scare | More Binance smishing is being observed around the world, and in a recent example, Symantec has observed an actor targeting Turkish Binance users. | ALERTS | CRIME
8.4.24 | Continuous activities of UAC-0099 threat group against Ukraine | "UAC-0099" is a threat group known to be targeting Ukraine since at least mid-2022. In some of the recent campaigns the attackers have been leveraging self-extracting RAR .SFX archives | ALERTS | GROUP
8.4.24 | Bandook malware - an older threat remains active in the wild | Bandook is a remote access trojan discovered way back in 2007. While it is quite an old malware family, new variants of Bandook reemerge in the wild with new distribution campaigns to this day. | ALERTS | VIRUS
8.4.24 | Malicious SMS Targets BDO Unibank users | Banco De Oro (BDO) Unibank is the largest bank in the Philippines and among the top 20 banks in Southeast Asia. Over the past few weeks, | ALERTS | VIRUS
8.4.24 | No Christmas Break for Agent Tesla: Riyad Bank Impersonated in a Malspam Campaign | Usually over Christmas there is somewhat less malware activity, but that does not mean there isn't any. Attacks from all fronts (e.g., email, drive-by downloads, vulnerabilities, etc.) keep on going | ALERTS | VIRUS
8.4.24 | Truist Bank users targeted with new phishing emails | Truist Bank is one of the top U.S. commercial banks, headquartered in Charlotte, North Carolina. Recently, Symantec has observed a new wave of phish runs spoofing Truist Bank services with fake account notifications. | ALERTS | PHISHING
8.4.24 | MetaStealer distributed via malvertising | MetaStealer is an infostealer variant discovered back in 2022. It is known to be delivered via malspam campaigns as well as bundled with pirated software. | ALERTS | VIRUS
8.4.24 | New variant of Chameleon Android malware allows for biometric authentication bypass | Chameleon is an Android banking malware that first emerged at the beginning of 2023 | ALERTS | VIRUS
8.4.24 | Operation HamsaUpdate | Operation HamsaUpdate is a recently identified campaign targeting Israeli customers using F5’s network devices. | ALERTS | OPERATION
8.4.24 | Fictitious OnlyFans premium mobile app revealed as SpyNote | OnlyFans' popularity worldwide has grown exponentially over the past few years. Positioned as a social media service, it has become a lucrative means of livelihood for many individuals. | ALERTS | VIRUS
8.4.24 | Old MS Office vulnerability CVE-2017-11882 still leveraged for Agent Tesla delivery | CVE-2017-11882 is an older vulnerability affecting the Equation Editor component in Microsoft Office. Successful exploitation of this flaw might allow attackers to execute code remotely on the infected machines. | ALERTS | VULNERABILITY
8.4.24 | Movable Type API CVE-2021-20837 vulnerability under active exploitation | CVE-2021-20837 is a critical (CVSS score 9.8) command injection vulnerability affecting the Movable Type API. If successfully exploited, this vulnerability enables remote code execution. | ALERTS | VULNERABILITY
8.4.24 | GuLoader campaign: From Seoul to Brussels | GuLoader's prevalence remains unwavering, and Symantec continues to observe actors conducting campaigns worldwide. One particular case has caught our attention, as the actor exhibits behavior reminiscent of a locust colony, traversing from field to field. | ALERTS | VIRUS
8.4.24 | Xray Ransomware | Xray is yet another ransomware actor that has been observed in the threat landscape, targeting companies' servers and clients. Capability-wise, it's a generic ransomware that allows the actor to determine which folders to encrypt and which to skip. | ALERTS | RANSOM
8.4.24 | New phishing run spoofs Mexican Postal Service (Correos de Mexico) | Symantec has observed a new wave of phish runs spoofing the Mexican Postal Service (Correos de Mexico) to steal credentials. The email content is kept specific and mentions an undelivered package. | ALERTS | PHISHING
8.4.24 | TA544 activities involving IDAT Loader | A new set of malicious activities attributed to the TA544 (aka Narwal Spider) threat group has been reported in the wild. This threat actor has been known to target various Italian organizations and entities in the past. | ALERTS | VIRUS
8.4.24 | JaskaGO infostealer for Windows and macOS | JaskaGO is a new Go-based infostealer developed for both Windows and macOS platforms. The malware collects a wide range of data from the compromised machines including credentials, cookies, browser history, files from local folders, | ALERTS | VIRUS
8.4.24 | Splunk Remote Code Execution (RCE) vulnerability CVE-2023-46214 | CVE-2023-46214 is a recently disclosed remote code execution (RCE) vulnerability affecting the Splunk Enterprise platform. Due to a flaw in the processing of user-supplied extensible stylesheet language transformations (XSLT), | ALERTS | VULNERABILITY
8.4.24 | Zimbra Collaboration XSS vulnerability CVE-2023-37580 | CVE-2023-37580 is a recently disclosed 0-day (CVSS score: 6.1) Cross-Site Scripting vulnerability affecting the Zimbra Collaboration suite. | ALERTS | VULNERABILITY
8.4.24 | Play Ransomware - latest attacks against enterprises | Symantec Security Response is aware of the recent CISA, FBI and ASD's ACSC alert regarding a number of recent targeted activities observed for the Play (aka PlayCrypt) ransomware. | ALERTS | RANSOM
8.4.24 | "No One Was Home" themed Evri phishing emails are making the rounds | Evri is a parcel delivery company based in the United Kingdom. As the holiday season has started, spoofed emails masquerading as Evri parcel notifications have been observed. | ALERTS | PHISHING
8.4.24 | CVE-2023-49070 Apache OFBiz RCE vulnerability | CVE-2023-49070 is a critical (CVSS score 9.8) pre-auth remote code execution vulnerability in Apache OFBiz. | ALERTS | VULNERABILITY
8.4.24 | African based telecommunications organizations targeted by Iranian Seedworm group | The Symantec Threat Hunter Team, part of Broadcom, observed a recent campaign by the Seedworm threat actor group, targeting telecommunications organizations in North and East Africa. This activity, | ALERTS | APT
8.4.24 | Fake NordVPN Installer Delivering SecTopRAT | While monitoring for new stealers, Symantec has observed an actor who has set up a Telegram channel for a stealer dubbed Vortex. After following breadcrumbs, it appears that there are ongoing test-related activities. | ALERTS | VIRUS
5.4.24 | New JsOutProx malware variant observed in campaigns targeted at financial sector | A new JsOutProx malware variant has been observed in recent campaigns targeted at the financial sector in Africa, the Middle East, South Asia, and Southeast Asia. JsOutProx RAT is attributed to a threat group known as Solar Spider. | ALERTS | VIRUS
5.4.24 | Byakugan malware | Byakugan is a modular infostealer variant observed recently in the wild. The malware has been distributed under the disguise of an Adobe Reader installer. | ALERTS | VIRUS
5.4.24 | Phorpiex malware campaign targets finance sector in Europe and North America | A malware campaign distributing the Phorpiex botnet has been observed targeting entities in the finance sector across Europe and North America. | ALERTS | VIRUS
5.4.24 | Indonesia – Wedding invites used as lure by an SMS thief | In mid-2023, an actor has been observed sending SMS messages to mobile users in Indonesia, enticing them to install an application posing as a wedding invitation. | ALERTS | SPAM
5.4.24 | Latrodectus malware | Latrodectus loader is a malware variant first discovered in November 2023. The malware has been recently distributed in malicious campaigns attributed to the TA577 and TA578 threat groups. | ALERTS | VIRUS
5.4.24 | Backdoor code found in XZ Utils library | On March 29th a security alert was issued warning users about malicious backdoor code embedded in certain versions of XZ Utils, a popular library of data compression tools that is present in nearly every Linux distribution. | ALERTS | VIRUS
5.4.24 | MacOS Users targeted with Infostealers | MacOS users continue to be targeted with infostealers via malicious advertisements and fake websites. In a recent campaign, a counterfeit website offering free group meeting scheduling software was observed. | ALERTS | VIRUS
5.4.24 | TA558 continues espionage activities in Latin America | The TA558 group, known for targeting various sectors across Latin America, has recently been observed employing spam emails with malicious attachments to distribute Venom RAT, a remote access trojan derived from Quasar RAT. | ALERTS | GROUP
5.4.24 | YouTube Hijacking: Rise in Attack Campaigns Distributing Infostealers | An increase in attack campaigns utilizing YouTube has been observed, with threat actors hijacking existing popular YouTube accounts to distribute the Vidar and LummaC2 infostealer malware. | ALERTS | HACKING
3.4.24 | Napoli Ransomware | Napoli, a variant of Chaos ransomware, has recently been discovered in the wild. The malware encrypts user files, adds the .napoli extension and also changes the desktop wallpaper on the infected endpoints. | ALERTS | RANSOM
3.4.24 | Emergence of new Vultur banking trojan variant in mobile threat landscape | A newer version of the Vultur banking trojan for Android has been observed in the wild. This version features enhanced evasion techniques and advanced remote control capabilities. | ALERTS | VIRUS
3.4.24 | Indonesian Businesses Targeted in an Agent Tesla Campaign | Symantec has recently observed an individual or group running a targeted malspam campaign against Indonesian organizations, although instances have been seen in neighboring countries. | ALERTS | VIRUS