ALERTS MAY 2024




DATE  NAME  INFO  CATEGORY  SUBCATEGORY

31.5.24

Malicious activity by LilacSquid threat group A recently disclosed infostealing campaign attributed to the threat group known as LilacSquid has been active since at least 2021. ALERTS GROUP

31.5.24

Unveiling cryptocurrency mining tactic of the 8220 Gang The 8220 Gang, a widely recognized threat actor based in China and driven by financial motives, has been active since 2017. ALERTS CRYPTOCURRENCY

31.5.24

SmallTiger malware campaign reported targeting Korean companies A malware campaign distributing SmallTiger malware has been reported targeting Korean companies in the defence, automobile parts, and semiconductor manufacturing sectors. ALERTS CAMPAIGN

30.5.24

BitRAT and Lumma Stealer spread as fake browser updates A new campaign delivering BitRAT and Lumma Stealer malware has been observed in the wild. The malware is spread via fake browser updates. ALERTS VIRUS

30.5.24

Metamorfo Banking Trojan Metamorfo is a banking Trojan malware (aka Casbaneiro) that is spread through malspam campaigns luring users to click on HTML attachments. ALERTS VIRUS

30.5.24

Datebug updating toolkits with Golang to be cross-platform APT group Datebug, active since 2013, has been observed adding a new Golang-written data exfiltration tool to its toolkit, aimed at governments and defense organizations in the APAC region. ALERTS APT

30.5.24

NSIS-based packer usage observed in many common malware families The Nullsoft Scriptable Install System (NSIS) is an open source installer-building tool that cybercriminals commonly use to package and deliver malware. ALERTS VIRUS

30.5.24

CatDDoS: A rising threat across multiple sectors A rise in activity involving a Mirai distributed denial-of-service (DDoS) botnet variant called CatDDoS has been observed. ALERTS BOTNET

30.5.24

Mexican Telecom Continuously Impersonated by SpyNote Actor Since at least October 2023, a SpyNote actor has been abusing the brand of a well-known and prominent telecommunications company in Mexico that operates extensively across Latin America and the Caribbean, serving millions of customers. ALERTS VIRUS

30.5.24

AllaSenha - new AllaKore malware variant AllaSenha is a new banking malware variant from the AllaKore RAT family that has recently been used in distribution campaigns targeted at banking users in Brazil. ALERTS VIRUS

30.5.24

Zonix Ransomware Zonix is a recently discovered ransomware variant from the Xorist malware family. The malware encrypts user files and appends the ".ZoN" extension to them. ALERTS RANSOM

30.5.24

CVE-2024-32640 - SQL Injection vulnerability in Mura/Masa CMS CVE-2024-32640 is a recently disclosed SQL injection vulnerability affecting Mura/Masa CMS, which is an open source enterprise content management system. ALERTS VULNERABILITY

30.5.24

Emergence of a new North Korean threat actor dubbed Moonstone Sleet A new North Korean threat actor, dubbed Moonstone Sleet, has recently emerged in the threat landscape. ALERTS APT

30.5.24

Fraudulent PDF Viewer Login Pages Phishing for User Credentials A phishing campaign was recently observed where a malicious HTML attachment masquerading as a PDF Viewer login page prompts users to verify their password to access a document. ALERTS PHISHING

30.5.24

Agent Tesla: The Uninvited Guest at Indonesia's GEMASTIK 2024 Event Symantec has recently observed a peculiar malspam campaign in Indonesia where the actor is running a sophisticated email scheme impersonating the School of Electrical Engineering and Informatics (STEI) at the Institut Teknologi Bandung (ITB) in Indonesia. ALERTS VIRUS

30.5.24

Red Akodon threat group recent activities According to a recent report published by SCITUM, Red Akodon is a new threat group that has been operating predominantly in Colombia since at least April 2024. ALERTS VIRUS

30.5.24

TXZ file extension: Evolution of malware distribution in email campaigns Threat actors typically send malicious emails whose attachments either carry the payload directly or wrap it in a container such as an archive. ALERTS VIRUS

30.5.24

Gipy malware distributed under the disguise of AI voice generator tools A new malicious campaign spreading infostealing malware dubbed Gipy has been observed in the wild. ALERTS VIRUS

28.5.24

Embargo Ransomware Embargo is a new Rust-based ransomware variant identified in the wild. The malware encrypts user files and appends “.564ba1” extension to them. ALERTS RANSOM

28.5.24

Rising popularity of Arc browser overshadowed by malvertising campaign The Arc browser, developed by The Browser Company, has been gaining a lot of popularity in the market, promising to personalize the way users browse the internet. ALERTS CAMPAIGN

28.5.24

Phishing campaign targeting financial institutions impersonates medical center A phishing campaign targeting European and US financial institutions has been reported. The attacks involve sending emails impersonating a medical center, with SCR files disguised as financial documents to trick victims into downloading and executing them. ALERTS PHISHING

28.5.24

Iluria Stealer There have been reports of in-the-wild activity for a run-of-the-mill stealer known as Iluria. Like many other forks and variants of Discord Stealers, it is capable of stealing tokens, browser credentials, and payment information. ALERTS VIRUS

28.5.24

Rise of Fake AV websites hosting advanced malware Recently, there has been an increase in the number of fake antivirus (AV) websites pretending to be legitimate solutions. ALERTS VIRUS

28.5.24

CVE-2024-30268: XSS Vulnerability in Cacti CVE-2024-30268 is a reflected cross-site scripting vulnerability in Cacti, a network monitoring and fault management framework. ALERTS VULNERABILITY

28.5.24

CVE-2024-21793 and CVE-2024-26026 - two recent vulnerabilities affecting F5 BIG-IP Next Central Manager CVE-2024-21793 and CVE-2024-26026 are two recently identified high severity vulnerabilities affecting the F5 BIG-IP Next Central Manager. ALERTS VULNERABILITY

28.5.24

CVE-2020-17519: Directory Traversal Vulnerability in Apache Flink The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a three-year-old directory traversal vulnerability (CVE-2020-17519) in Apache Flink to its Known Exploited Vulnerabilities Catalog. ALERTS VULNERABILITY

28.5.24

Android BankBot impersonates Uzbekistan banks In recent days, mobile users in Uzbekistan have been targeted by an Android BankBot campaign where actors are disguising their malware as fictitious banking apps (Xalq Banki Credit.apk & Bank Ipak.apk). ALERTS VIRUS

25.5.24

Path Traversal Vulnerability in Nexus Repository CVE-2024-4956 CVE-2024-4956 is a path traversal vulnerability in Sonatype Nexus Repository 3. Nexus Repository is a widely used artifact repository manager. ALERTS VULNERABILITY
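
Both the Apache Flink (CVE-2020-17519) and the Nexus Repository (CVE-2024-4956) entries concern path traversal, and both products are reached over HTTP, so the access log is the first place a defender looks for attempts. The following Python is an added example written for this page; it is not Symantec's, Apache's or Sonatype's code and does not reproduce either exploit. It percent-decodes each request path until the result stops changing (so a double-encoded ../ is seen the way a lenient server sees it), resolves the . and .. segments, and flags any request that climbs above the web root or arrives with separators or dots encoded, which browsers never do on their own. The log lines are constructed, and the paths, field names and finding labels are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed web-server access-log lines for illustration; not real captured traffic
# and not the published exploit requests for either CVE.
SAMPLE_LOG = """\
10.0.0.5 - - [25/May/2024:10:01:02 +0000] "GET /logs/server.log HTTP/1.1" 200 512
10.0.0.7 - - [25/May/2024:10:01:09 +0000] "GET /logs/..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1891
10.0.0.9 - - [25/May/2024:10:02:11 +0000] "GET /repository/releases/org/example/app/1.0/app-1.0.jar HTTP/1.1" 200 40321
10.0.0.9 - - [25/May/2024:10:02:40 +0000] "GET /%2F..%2F..%2F..%2Fetc/passwd HTTP/1.1" 200 1891
10.0.0.11 - - [25/May/2024:10:03:01 +0000] "GET /static/img/logo..png HTTP/1.1" 200 2048
10.0.0.12 - - [25/May/2024:10:03:30 +0000] "GET /docs/../index.html HTTP/1.1" 200 3070
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
# '/' (%2F), '\' (%5C) or '.' (%2E) encoded inside a path: browsers do not do this
ENCODED_SEP_OR_DOT = re.compile(r'%2[fF]|%5[cC]|%2[eE]')


def full_decode(s: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing, so %252f (double-encoded '/')
    and %2e%2e (encoded '..') end up as the characters a lenient server would act on."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def escapes_root(path: str) -> bool:
    """Resolve '.' and '..' segments and report whether the path ever climbs above '/'."""
    depth = 0
    for seg in path.replace('\\', '/').split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def analyze_target(target: str):
    """Return (decoded_path, findings) for one request target; an empty list means clean."""
    path = target.split('?', 1)[0]
    decoded = full_decode(path)
    findings = []
    if decoded != unquote(path):
        findings.append('double-encoded')            # needed more than one decode pass
    if ENCODED_SEP_OR_DOT.search(path):
        findings.append('encoded-separator-or-dot')
    if escapes_root(decoded):
        findings.append('escapes-webroot')
    elif '/../' in decoded or decoded.endswith('/..'):
        findings.append('dot-dot-segment')           # climbs, but stays under the root
    return decoded, findings


def scan_log(text: str):
    """Parse access-log lines; return [(ip, decoded_path, findings)] for suspicious requests."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded, findings = analyze_target(m.group('target'))
        if findings:
            hits.append((m.group('ip'), decoded, findings))
    return hits


if __name__ == '__main__':
    for ip, path, findings in scan_log(SAMPLE_LOG):
        print(f'{ip:<10} {path:<30} {", ".join(findings)}')
```

Decoding until the result is stable is the point: a single unquote() turns %252f into %2f, which is exactly how double encoding slips past a filter that decodes once. A flagged line only shows that a client asked for a traversal; whether the server honoured it is a question for the status code and response size, which the parser captures so the two can be correlated.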

25.5.24

Operation Diplomatic Specter: A Chinese APT campaign targeting political entities in multiple regions An ongoing campaign dubbed Operation Diplomatic Specter, targeting political entities in the Middle East, Africa, and Asia, has been reported. A Chinese APT group behind the campaign has been leveraging rare email exfiltration techniques against compromised servers. ALERTS APT

25.5.24

RustDoor malware exploits JAVS Viewer vulnerability in courtroom software A Windows-based malware named RustDoor has been observed being distributed via a compromised audio-visual recording software package used in courtroom environments. ALERTS VIRUS

23.5.24

Expanded operations of the Sharp Dragon APT As reported by Check Point, the Sharp Dragon APT group (formerly known as Sharp Panda) has been expanding its operations towards targets in Africa and the Caribbean. ALERTS APT

23.5.24

CVE-2024-29895 - Command Injection Vulnerability in Cacti CVE-2024-29895 is a critical (CVSS score 10) command injection vulnerability affecting Cacti, which is a network monitoring and fault management framework. ALERTS VULNERABILITY

23.5.24

Waltuhium Grabber Waltuhium is an open-source infostealer that has been observed being shared in dark web forums. It is claimed to have features such as ALERTS HACKING

23.5.24

GuLoader Impersonates an Italian Seafood Distributor GuLoader, an advanced downloader, is showing no signs of stopping, and its prevalence continues to increase with more and more campaigns observed around the world. ALERTS VIRUS

23.5.24

CLOUD#REVERSER campaign leverages cloud storage for malware delivery A new campaign dubbed CLOUD#REVERSER has been reported to abuse various cloud storage repositories such as Dropbox or Google Drive for malware delivery and C&C purposes. ALERTS CAMPAIGN

23.5.24

Acrid infostealer leverages “Heaven’s Gate” technique Acrid is a recently identified C++-based infostealing malware. In its functionality, it is very similar to other infostealer variants present currently in the threat landscape ALERTS VIRUS

23.5.24

CVE-2023-43208 - NextGen Healthcare Mirth Connect RCE vulnerability exploited in the wild CVE-2023-43208 is a Remote Code Execution (RCE) vulnerability disclosed in October last year. The vulnerability affects NextGen Healthcare Mirth Connect prior to version 4.4.1, ALERTS VULNERABILITY

23.5.24

GhostEngine malware terminates EDR agents and deploys coin miner A multimodule malware dubbed GhostEngine has been observed in the wild. This malware leverages vulnerable drivers to terminate and delete known Endpoint Detection and Response (EDR) agents that would likely interfere with the deployed coin miner. ALERTS VIRUS

22.5.24

Smishing: Fake IRS Scare Tactic to Snatch Cryptowallets' 12-Word Recovery Phrases Symantec has recently observed a malicious SMS campaign in the US targeting mobile users' cryptowallet 12-word recovery phrases. The actors are impersonating the IRS and using a scare tactic related to cryptocurrency holdings declaration.  ALERTS PHISHING 

22.5.24

XWorm v5.6 malware A new v5.6 variant of the XWorm malware has been observed in the wild. The malware is distributed under the disguise of various applications, games or adult content, with the binaries spread through either online sharing repositories or via torrent downloads. ALERTS VIRUS

22.5.24

Malware campaign uses LNK files and MSBuild to likely deliver TinyTurla backdoor A malware campaign utilizing malicious LNK files has been observed. The threat actors behind the campaign are using human rights seminar invitations and public advisories to lure users. Once a user is lured into opening the shortcut, MSBuild is used to execute and deliver a fileless final payload. ALERTS VIRUS
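
The chain described above (a shortcut the user opens, which runs MSBuild against a project file whose inline task is the payload) leaves a characteristic process tree. The following Python is an added example written for this page, not Symantec's, Cisco Talos's or Microsoft's detection content: it walks a set of constructed Sysmon-style process-creation records, links each MSBuild.exe launch to its ancestors, and scores the launch on where the project file lives, whether it is a bare .xml rather than a .csproj, and whether a shell sitting between explorer.exe and MSBuild points to a double-clicked .lnk. Record field names, paths and file names are assumptions, as is the choice of signals.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation (Event ID 1) records; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4128, "ppid": 3880, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    # Shortcut from a mail attachment opened by the user: explorer -> cmd -> MSBuild on an .xml in %TEMP%
    {"pid": 5210, "ppid": 4128, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" C:\Users\alice\AppData\Local\Temp\Seminar_Invitation.xml'},
    {"pid": 5222, "ppid": 5210, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" C:\Users\alice\AppData\Local\Temp\Seminar_Invitation.xml'},
    # Developer building a project from Visual Studio: should not be flagged
    {"pid": 6000, "ppid": 4128, "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": r'"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"'},
    {"pid": 6010, "ppid": 6000, "image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build /p:Configuration=Release"},
    # CI build agent: should not be flagged
    {"pid": 7000, "ppid": 900, "image": r"C:\agent\bin\Agent.Worker.exe", "cmdline": r"Agent.Worker.exe"},
    {"pid": 7010, "ppid": 7000, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\agent\_work\1\s\service.csproj /t:Build"},
]

# Interpreters a .lnk target typically points at (explorer.exe is the direct parent of these)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Locations a standard user can write to: assumed list, extend for your estate
USER_WRITABLE = re.compile(
    r"(?i)\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|temp|programdata|users\\public)\\")
# First argument that looks like an MSBuild project/targets file (inline tasks often ship as plain .xml)
PROJECT_ARG = re.compile(r'(?i)"?([a-z]:\\[^"\s]+?\.(?:xml|csproj|vbproj|proj|targets))"?')


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def ancestors(ev, by_pid):
    """Yield ancestor records nearest-first by following ppid links; stops on unknown or cyclic pids."""
    seen = set()
    cur = ev
    while cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        yield cur


def assess_msbuild(ev, by_pid):
    """Return (project_path, findings) for one MSBuild.exe process-creation record."""
    findings = []
    m = PROJECT_ARG.search(ev["cmdline"])
    project = m.group(1) if m else None
    if project and USER_WRITABLE.search(project):
        findings.append("project-in-user-writable-path")
    if project and project.lower().endswith(".xml"):
        findings.append("xml-project-file")
    chain = [basename(a["image"]) for a in ancestors(ev, by_pid)]
    # explorer -> shell -> MSBuild is what a double-clicked shortcut produces
    if chain and chain[0] in SHELLS and "explorer.exe" in chain[1:2]:
        findings.append("shell-spawned-from-explorer")
    return project, findings


def hunt(events):
    """Return one dict per MSBuild launch that raised at least one finding."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if basename(ev["image"]) != "msbuild.exe":
            continue
        project, findings = assess_msbuild(ev, by_pid)
        if findings:
            hits.append({"pid": ev["pid"], "project": project, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["pid"], hit["project"], ", ".join(hit["findings"]))
```

MSBuild on its own is far too noisy to alert on where developers work, which is why the signals are combined rather than used singly and why a normal Visual Studio build and a CI agent build are included to show they pass clean. In production the same logic would read Sysmon or EDR events rather than an in-memory list, and the user-writable path list should match the estate's actual folder redirection.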

22.5.24

Keyplug backdoor distributed against organizations in Italy A new campaign attributed to the Grayfly threat group (aka APT41) has been distributing the Keyplug modular malware to various organizations in Italy. As reported by Yoroi, this C++-based malware comes in variants supporting both Windows and Linux platforms. ALERTS VIRUS

21.5.24

Deuterbear RAT targets Asia-Pacific in advanced cyber espionage campaign A cyber espionage campaign has been reported targeting the Asia-Pacific region, involving the deployment of a remote access trojan (RAT) called Deuterbear. ALERTS VIRUS

21.5.24

SamsStealer malware Reports have emerged of a new infostealer, dubbed SamsStealer, circulating in the threat landscape. ALERTS VIRUS

21.5.24

Bank Mellat Users in Various Countries Targeted by FakeBank Campaign Symantec has observed an Android FakeBank campaign targeting mobile users of a private Iranian bank known as Mellat, by posing as a fictitious banking app (Mellat.apk). ALERTS CAMPAIGN

21.5.24

Vultur Malware Poses as Antivirus Recently, a Vultur campaign has been observed in which the actor is disguising it as a known antivirus mobile application (<company name>_Security.apk). ALERTS VIRUS

21.5.24

HijackLoader gets new modules to lay low HijackLoader is a multi-stage loader that has recently seen some updates. ALERTS VIRUS

21.5.24

Antidot mobile malware Antidot is a recently discovered banking trojan for Android. The malware is distributed under the disguise of a Google Play update app. ALERTS VIRUS

21.5.24

Chaos Ransomware Lures Gamers with Fake Free Discord Nitro As the Chaos Ransomware builder is widely available to the public, instances are observed on a daily basis around the world with both consumers and enterprises being targeted. ALERTS RANSOM

21.5.24

Synapse Ransomware Synapse is a ransomware written in C that can encrypt local files, files on removable drives, and files stored on network shares, with the capability of propagating to other systems on a network. Encrypted files will have the extension ALERTS RANSOM

21.5.24

Storm-1811 threat actor conducts vishing attacks via the Quick Assist tool Threat actor Storm-1811 has been reported carrying out vishing (voice phishing) attacks that abuse the Microsoft Quick Assist remote assistance tool. ALERTS GROUP

21.5.24

Springtail threat group uses new Linux backdoor in attacks In a newly released report, Symantec's Threat Hunter Team sheds light on a recently discovered Linux backdoor developed by the North Korean Springtail espionage group (aka Kimsuky). ALERTS APT

16.5.24

New malware Cuttlefish A new malware dubbed Cuttlefish was reported to infect small office/home office and enterprise grade routers with the intent of monitoring passing traffic and discreetly exfiltrating only authentication-related information such as usernames, ALERTS VIRUS

16.5.24

Remcos RAT expands functionality with PrivateLoader module Remcos RAT, a remote access Trojan, enables unauthorized remote control and surveillance of compromised systems. Recently, Remcos RAT was observed leveraging a PrivateLoader module to augment its functionality and persistence on the victim's machine. ALERTS VIRUS

16.5.24

Malicious Minecraft mod harvests data from Windows system Many gamers prefer to enhance their gaming experience with custom mods, such as those offering the Windows Borderless feature. This feature enables multitasking and seamless switching between applications, facilitating tasks like game recording. ALERTS VIRUS

16.5.24

Atomic Stealer (AMOS) among the malware variants spread in the GitCaught operation A recent malicious campaign dubbed GitCaught has been reported to spread multiple infostealing payloads targeted at various platforms including macOS. ALERTS VIRUS

16.5.24

PureCrypter malware used in Mallox ransomware distribution campaign The PureCrypter loader has been used in a recent malicious campaign leading up to the delivery of Mallox ransomware payloads. ALERTS VIRUS

16.5.24

Malicious Word Document Dropping DanaBot Malware A recent DanaBot malspam campaign was observed being delivered via a Word document containing a malicious external link which, if clicked, launches a series of events in which additional executable files are downloaded, including a command prompt ALERTS VIRUS

15.5.24

Phorpiex botnet distributes LockBit Black Ransomware via email campaign A high-volume email campaign facilitated by the Phorpiex botnet, delivering LockBit Black ransomware, has been reported. ALERTS BOTNET

15.5.24

Dracula (Samurai) Stealer Dracula (also known as Samurai Stealer) is an infostealing malware variant attributed to the threat group known as the Amnesia Team (aka Cerberus). ALERTS VIRUS

15.5.24

WaveStealer: New malware distributed on messaging platforms WaveStealer, a newly emerged sophisticated malware tool, is being distributed on platforms like Telegram and Discord for purchase at a low cost. ALERTS VIRUS

15.5.24

FIN7 malware campaign exploiting Google Ads A malware campaign exploiting Google Ads, attributed to the threat actor FIN7, has been reported in the wild. ALERTS VIRUS

15.5.24

Beast Ransomware and Vidar Infostealer delivered via disguised documents Documents disguised as copyright violation warnings and resumes were leveraged in a recent campaign to deliver the Beast ransomware and the Vidar infostealer. ALERTS RANSOM

15.5.24

GCash Users Targeted in Latest Smishing Scam Mobile wallets have transformed the financial landscape by providing convenience and accessibility, but they also present lucrative targets for cybercriminals as Symantec continues to observe a flurry of smishing around the world.  ALERTS SPAM

15.5.24

Trinity Ransomware According to recent research published by Cyble, Trinity is a newly identified ransomware variant believed to be an updated version of the "2023Lock" ransomware. ALERTS RANSOM

15.5.24

Malspam campaign delivers AsyncRAT by way of multiple scripts In a recently observed campaign, multiple scripts were used to deliver the AsyncRAT payload. Initiated by an HTML email attachment, the infection chain relies on a series of non-PE files to deliver AsyncRAT and establish its persistence. ALERTS VIRUS

15.5.24

Black Basta ransomware attacks target the healthcare sector Symantec Security Response is aware of the recent joint alert from CISA, the FBI, Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) regarding a number of targeted activities observed for the Black Basta ransomware ALERTS RANSOM

15.5.24

A Mining Trojan called Hidden Shovel Researchers have identified a new mining trojan dubbed "Hidden Shovel" through network security monitoring. ALERTS VIRUS

12.5.24

CVE-2024-24506 - LimeSurvey Community Edition XSS vulnerability CVE-2024-24506 is a recently disclosed Cross Site Scripting (XSS) vulnerability affecting LimeSurvey Community Edition version 5.3.32. ALERTS VULNERABILITY

12.5.24

CVE-2024-1313 - BOLA vulnerability in Grafana CVE-2024-1313 is a recently disclosed Broken Object-Level Authorization (BOLA) vulnerability affecting Grafana, which is an open-source data visualization web application. ALERTS VULNERABILITY

10.5.24

Exploitation of Ivanti Pulse Secure vulnerabilities for Mirai botnet delivery In January of this year, Ivanti reported two vulnerabilities, CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection), affecting Ivanti Connect Secure and Ivanti Policy Secure Gateways. ALERTS EXPLOIT

10.5.24

Malware campaign targeting Windows and MS Office users via software cracks A malware campaign distributing RATs and coinminers via cracks for popular software, specifically targeting users of Windows and MS Office software, has been observed. ALERTS VIRUS

10.5.24

Coper Actors Abuse LiveChat CDN in Ongoing Fake Chrome Tactic Symantec continues to observe daily instances of Coper malware disguised as a fake Chrome Android application. This tactic is not new having been in use for some time now. ALERTS VIRUS

10.5.24

Malspam campaign: Password-protected archive hosted on GitHub leads to AsyncRAT Over the past two weeks, Symantec has observed an actor leveraging a peculiar attack chain to distribute a highly obfuscated payload onto compromised systems. The attacks start with malicious emails containing a malicious PDF, DOCX, or SVG file (REMITIRA A TRAVES DEL SERVICIO POSTAL AUTORIZADO.docx, Radicado juridico 23156484.svg, and 99-DEMANDA .docx). ALERTS CAMPAIGN

10.5.24

Russian bulletproof hosting services abused for malicious activity, including SocGholish campaigns The use of Russian bulletproof hosting services to host malicious infrastructure, including command-and-control (C2) servers and phishing pages distributing SocGholish malware, has been reported. ALERTS EXPLOIT

10.5.24

Malicious Minecraft Mods: zEus stealer targets gamers A malware campaign targeting Minecraft players has been reported, where custom packages promising to enhance the game's appearance are actually distributing the zEus stealer. ALERTS VIRUS

9.5.24

Continuous Distribution of RokRAT Malware APT37 (ScarCruft) continues to distribute RokRAT malware via LNK files, particularly targeting South Korean users. The malware, disguised within a genuine document, will execute PowerShell commands after activation. ALERTS VIRUS

9.5.24

Gadfly buzzes inboxes with new phishing campaign Symantec has recently observed an uptick in phishing campaigns being delivered out of Gadfly (aka TA577). ALERTS CAMPAIGN

9.5.24

Hunt Ransomware - another Dharma/Crysis variant Hunt is another Dharma/Crysis ransomware variant discovered recently in the wild. The malware encrypts user files and appends the .hunt extension to them alongside a unique victim ID and the threat actor's email address. ALERTS RANSOM

9.5.24

CVE-2024-27956 - WP-Automatic Plugin SQL Injection vulnerability exploited in the wild CVE-2024-27956 is a recently disclosed critical (CVSS score 9.8) SQL injection (SQLi) vulnerability in the WP-Automatic WordPress plugin prior to version 3.92.1. ALERTS VULNERABILITY

9.5.24

Shinra Ransomware Shinra, a recently discovered ransomware variant from the Proton malware family, encrypts files and appends the ".SHINRA3" extension while renaming file names to random strings. ALERTS RANSOM

9.5.24

CVE-2024-2389 - Command Injection vulnerability affecting Progress Flowmon CVE-2024-2389, a recently disclosed critical vulnerability with a CVSS score of 10, affects Progress Flowmon, a widely used network performance monitoring tool. ALERTS VULNERABILITY

9.5.24

Increase in LockBit ransomware attacks In February this year, the LockBit ransomware operation was targeted by a coordinated law-enforcement disruption called "Operation Cronos", which saw members of the gang arrested, infrastructure and assets seized, and a decryption tool released publicly. ALERTS RANSOM

7.5.24

CVE-2024-4040 - CrushFTP vulnerability exploited in the wild CVE-2024-4040 is a recently disclosed server-side template injection vulnerability (a VFS sandbox escape) affecting CrushFTP versions before 10.7.1 and 11.1.0. ALERTS VULNERABILITY

7.5.24

Counterfeit Revenue Agency page distributing VBlogger malware A malware campaign involving a counterfeit Revenue Agency webpage hosted on an Italian domain has been reported. ALERTS VIRUS

7.5.24

Cuckoo: A new macOS malware targeting music ripping applications A new macOS malware dubbed Cuckoo has been reported. This malware is distributed through websites that offer applications for ripping music from streaming services. ALERTS VIRUS

7.5.24

Android malware used in targeted attack against Indian defense forces A socially engineered delivery via WhatsApp was reportedly used to target Indian defense forces with a new Android malware posing as a defense-related application. ALERTS VIRUS

3.5.24

NiceCurl and TameCat custom backdoors leveraged by Damselfly APT NiceCurl and TameCat are two custom backdoor variants recently leveraged in malicious campaigns attributed to the Damselfly APT (also known as APT42). ALERTS APT

3.5.24

TesseractStealer malware leverages OCR engine for information extraction TesseractStealer is an infostealer recently distributed by variants of the ViperSoftX malware. This malware leverages Tesseract (an open source OCR engine) in an effort to extract text from user image files. ALERTS VIRUS

3.5.24

A recent DarkGate malspam campaign The infection chain for this campaign starts with an email carrying an HTML attachment. ALERTS CAMPAIGN

3.5.24

Latest macOS Adload variant focuses on detection evasion A recent report by SentinelOne outlines recent changes observed in the macOS malware Adload. The most recent variants of this malware family come with capabilities allowing it to evade the latest Apple XProtect signatures. ALERTS VIRUS

3.5.24

Old dogs teaching new tricks to ZLoader ZLoader, a modular trojan, has implemented anti-analysis capabilities that appear to be lifted from the ZeuS source code. ALERTS VIRUS

3.5.24

Goldoon botnet According to a recent report from FortiGuard Labs, a new botnet variant dubbed Goldoon has been observed in the wild. ALERTS BOTNET

3.5.24

BirdyClient malware leverages Microsoft Graph API for C&C communication An increasing number of threats have begun to leverage the Microsoft Graph API, usually to facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services. ALERTS VIRUS

3.5.24

DarkGate loader continues to be actively distributed The DarkGate loader malware has been very actively distributed over the last year. Numerous email campaigns have leveraged various attack chains to deliver the DarkGate payload. ALERTS VIRUS

3.5.24

Dwphon mobile malware Dwphon is a recently identified malware variant targeting the Android platform.  ALERTS VIRUS

3.5.24

SpyNote using Central Bank of Kazakhstan as a lure No countries or financial institutions are exempt from having their brands abused to lure mobile users into installing Android malware—a trend that continues to grow. ALERTS VIRUS

3.5.24

GuLoader campaign targeting industries in Russian-speaking countries An actor has been observed running two email campaigns with different social engineering tactics that lead to GuLoader. Both campaigns target industries in Russian-speaking countries such as Russia, Belarus, Kyrgyzstan, and Kazakhstan. ALERTS CAMPAIGN