GOLD CABIN  (Back to overview)

aka: ATK236, G0127, Monster Libra, Shakthak, TA551

GOLD CABIN is a financially motivated cybercriminal threat group operating a malware distribution service on behalf of numerous customers since 2018. GOLD CABIN uses malicious documents, often contained in password-protected archives, delivered through email to download and execute payloads. The second-stage payloads are most frequently Gozi ISFB (Ursnif) or IcedID (Bokbot), sometimes using intermediary malware like Valak. GOLD CABIN infrastructure relies on artificial appearing and frequently changing URLs created with a domain generation algorithm (DGA). The URLs host a PHP object that returns the malware as a DLL file.

Associated Families
win.bumblebee win.emotet win.icedid win.isfb win.qakbot

Largest ever operation against botnets hits dropper malware ecosystem
BumbleBee IcedID SmokeLoader SystemBC TrickBot
2024-05-26ZW01fMohamed Ezat
QakBOT v5 Deep Malware Analysis
2024-05-16ElasticDaniel Stepanic, Samir Bousseaden
Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID
IcedID Unidentified 111 (Latrodectus)
2024-05-15X (@bryceabdo)Bryce Abdo
Tweet on UNC5449 exploiting CVE-2024-30051 to deliver QAKBOT
2024-05-15MicrosoftMicrosoft Threat Intelligence
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware
Black Basta Cobalt Strike QakBot
2024-05-14KasperskyBoris Larin, Mert Degirmenci
QakBot attacks with Windows zero-day (CVE-2024-30051)
Cobalt Strike QakBot
2024-04-29The DFIR ReportThe DFIR Report
From IcedID to Dagon Locker Ransomware in 29 Days
IcedID Mount Locker
2024-04-24kienmanowar Blogm4n0w4r, Tran Trung Kien
[QuickNote] Qakbot 5.0 – Decrypt strings and configuration
IcedID – Technical Analysis of an IcedID Lightweight x64 DLL
2024-04-04ProofpointProofpoint Threat Research Team, Team Cymru, TEAM CYMRU S2 THREAT RESEARCH
Latrodectus: This Spider Bytes Like Ice
IcedID Unidentified 111 (Latrodectus)
2024-04-01The DFIR ReportThe DFIR Report
From OneNote to RansomNote: An Ice Cold Intrusion
Cobalt Strike IcedID Nokoyawa Ransomware PhotoLoader
2024-03-26Medium zyadlzyatsocZyad Elzyat
Comprehensive Analysis of EMOTET Malware: Part 1
2024-03-17Technical EvolutionSimon
Carving the IcedId - Part 3
2024-02-28Security IntelligenceGolo Mühr, Ole Villadsen
X-Force data reveals top spam trends, campaigns and senior superlatives in 2023
404 Keylogger Agent Tesla Black Basta DarkGate Formbook IcedID Loki Password Stealer (PWS) Pikabot QakBot Remcos
2024-02-21Invoke REJosh Reynolds
Automating Qakbot Malware Analysis with Binary Ninja
2024-02-21YouTube (Invoke RE)Josh Reynolds
Analyzing Qakbot Using Binary Ninja Automation Part 3
2024-02-16Malcatmalcat team
Writing a Qakbot 5.0 config extractor with Malcat
2024-02-15Bleeping ComputerSergiu Gatlan
Zeus, IcedID malware gangs leader pleads guilty, faces 40 years in prison
Egregor IcedID Maze Zeus
2024-02-15Department of JusticeOffice of Public Affairs
Foreign National Pleads Guilty to Role in Cybercrime Schemes Involving Tens of Millions of Dollars in Losses
Egregor IcedID Maze Zeus
2024-02-13ProofpointAxel F, Selena Larson
Bumblebee Buzzes Back in Black
2024-02-11Estrellas's BlogOtávio M.
Unpacking an Emotet trojan
2024-02-09CensysCensys, Embee_research
A Beginners Guide to Tracking Malware Infrastructure
AsyncRAT BianLian Cobalt Strike QakBot
2024-02-09YouTube (Invoke RE)Josh Reynolds
Analyzing and Unpacking Qakbot Using Binary Ninja Automation Part 2
2024-01-31ZscalerJavier Vicente
Tracking 15 Years of Qakbot Development
2024-01-23YouTube (Invoke RE)Josh Reynolds
Analyzing and Unpacking Qakbot using Binary Ninja Automation
2024-01-16Medium walmartglobaltechJason Reaves, Jonathan Mccay, Joshua Platt
Keyhole Analysis
IcedID Keyhole
2024-01-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q4 2023
FluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer Meterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver
2024-01-12YouTube (BSides Cambridge UK)Cian Heasley
Slipping The Net: Qakbot, Emotet And Defense Evasion
Emotet QakBot
2024-01-09Recorded FutureInsikt Group
2023 Adversary Infrastructure Report
AsyncRAT Cobalt Strike Emotet PlugX ShadowPad
IcedID – Technical Malware Analysis [Second Stage]
IcedID PhotoLoader
2024-01-04K7 SecuritySaikumaravel
Qakbot Returns
Malware development: persistence - part 23. LNK files. Simple Powershell example.
2023-12-05YouTube (SecureWorks)Austin Graham
Emulating Qakbot with Austin Graham
2023-11-30Twitter (@embee_research)Embee_research
Advanced Threat Intel Queries - Catching 83 Qakbot Servers with Regex, Censys and TLS Certificates
2023-11-22Twitter (@embee_research)Embee_research
Practical Queries for Malware Infrastructure - Part 3 (Advanced Examples)
BianLian Xtreme RAT NjRAT QakBot RedLine Stealer Remcos
2023-11-20CofenseDylan Duncan
Are DarkGate and PikaBot the new QakBot?
DarkGate Pikabot QakBot
2023-10-13Twitter (@JAMESWT_MHT)JamesWT
Tweets on Wikiloader delivering ISFB
ISFB WikiLoader
2023-10-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
FluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar
2023-10-12NetresecErik Hjelmvik
Forensic Timeline of an IcedID Infection
Cobalt Strike IcedID IcedID Downloader
2023-10-05TalosGuilherme Venere
Qakbot-affiliated actors distribute Ransom Knight malware despite infrastructure takedown
2023-10-04Twitter (@Intrisec)CTI Intrinsec
Tweet about new Bumblebee campaign leveraging CVE-2023-38831
2023-09-15Johannes Bader's BlogJohannes Bader
The DGA of BumbleBee
2023-09-11Github (m4now4r)m4n0w4r
Unveiling Qakbot Exploring one of the Most Active Threat Actors
2023-09-11Twitter (@Artilllerie)@Artilllerie
Tweet on BumbleBee sample containing a DGA
2023-09-07Twitter (@Intrisec)CTI Intrinsec
Tweets on Bumblebee campaign spreading via Html smuggling downloading RAR archive with European Central Bank PDF lure and folder containing Bumblebee EXE payload.
2023-09-01VMRayEmre Güler
Understanding BumbleBee: BumbleBee’s malware configuration and clusters
2023-08-29US Department of JusticeUS Department of Justice
Qakbot Malware Disrupted in International Cyber Takedown
2023-08-29SecureworksCounter Threat Unit ResearchTeam
Law Enforcement Takes Down QakBot
FBI, Partners Dismantle Qakbot Infrastructure in Multinational Cyber Takedown
2023-08-29KrebsOnSecurityBrian Krebs
U.S. Hacks QakBot, Quietly Removes Botnet Infections
2023-08-29The Shadowserver FoundationShadowserver Foundation
Qakbot Botnet Disruption
2023-08-29US Department of JusticeDepartment of Justice
Documents and Resources related to the Disruption of the QakBot Malware and Botnet
2023-08-29SpamhausSpamhaus Team
Qakbot - the takedown and the remediation
2023-08-28The DFIR ReportThe DFIR Report
HTML Smuggling Leads to Domain Wide Ransomware
Cobalt Strike IcedID Nokoyawa Ransomware
2023-08-23Department of JusticeUnited States District Court for the Central District of California
Application and Affidavit for a Seizure Warrant by Telephone or other Reliable Electronic Means
2023-08-21Department of JusticeUnited States District Court for the Central District of California
Application for a Warrant by Telephone or other reliable Electronic Means
2023-08-18VMRayEmre Güler
Understanding BumbleBee: The malicious behavior of BumbleBee
2023-08-09VMRayEmre Güler
Understanding BumbleBee: The delivery of Bumblee
2023-08-07Team CymruS2 Research Team
Visualizing Qakbot Infrastructure Part II: Uncharted Territory
What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot
LokiBot DarkGate Emotet
2023-07-31ProofpointKelsey Merriman, Pim Trouerbach
Out of the Sandbox: WikiLoader Digs Sophisticated Evasion
ISFB WikiLoader
2023-07-31d01aMohamed Adel
Pikabot deep analysis
Pikabot QakBot
2023-07-28Red CanaryStef Rand
Drop It Like It's Qbot: Separating malicious droppers, loaders, and crypters from their payloads
CloudEyE QakBot
2023-07-28YouTube (SANS Cyber Defense)Stef Rand
Drop It Like It's Qbot: Separating malicious droppers, loaders, and crypters from their payloads
CloudEyE QakBot
2023-07-28Team CymruS2 Research Team
Inside the IcedID BackConnect Protocol (Part 2)
2023-07-25ZscalerMeghraj Nandanwar, Pradeep Mahato, Satyam Singh
Hibernating Qakbot: A Comprehensive Study and In-depth Campaign Analysis
2023-07-23Medium infoSec Write-upsmov_eax_27
Unpacking an Emotet Trojan
2023-07-18Kostas TSKostas
Ursnif VS Italy: Il PDF del Destino
Gozi ISFB Snifula
2023-07-11SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2023
Hydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee
2023-07-06WeLiveSecurityJakub Kaloč
What’s up with Emotet?
2023-06-22DeepInstinctDeep Instinct Threat Lab, Mark Vaitzman, Shaul Vilkomir-Preisman
PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID
PindOS BumbleBee PhotoLoader
2023-06-10The DFIR ReportThe DFIR Report
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
BlackCat Cobalt Strike IcedID
2023-06-08Twitter (@embee_research)Embee_research
Practical Queries for Identifying Malware Infrastructure: An informal page for storing Censys/Shodan queries
Amadey AsyncRAT Cobalt Strike QakBot Quasar RAT Sliver solarmarker
2023-06-08VMRayPatrick Staubmann
Busy Bees - The Transformation of BumbleBee
BumbleBee Cobalt Strike Conti Meterpreter Sliver
2023-06-01LumenBlack Lotus Labs
Qakbot: Retool, Reinfect, Recycle
2023-05-30Palo Alto Networks Unit 42Brad Duncan
Cold as Ice: Answers to Unit 42 Wireshark Quiz for IcedID
IcedID PhotoLoader
2023-05-22The DFIR ReportThe DFIR Report
IcedID Macro Ends in Nokoyawa Ransomware
IcedID Nokoyawa Ransomware PhotoLoader
2023-05-21Github (0xThiebaut)Maxime Thiebaut
IcedID QakBot
2023-05-18IntezerRyan Robinson
How Hackers Use Binary Padding to Outsmart Sandboxes and Infiltrate Your Systems
2023-05-17Team CymruTeam Cymru
Visualizing QakBot Infrastructure
Hunting for Ursnif
ISFB Royal Ransom
2023-05-04ElasticCyril François
Unpacking ICEDID
IcedID PhotoLoader
2023-05-03unpac.meSean Wilson
UnpacMe Weekly: New Version of IcedId Loader
IcedID PhotoLoader
2023-05-03Palo Alto Networks Unit 42Bob Jung, Daniel Raygoza, Mark Lim
Teasing the Secrets From Threat Actors: Malware Configuration Parsing at Scale
IcedID PhotoLoader
IcedID Malware: Traversing Through its Various Incarnations
2023-04-28DISCARDED PodcastJoe Wise, Pim Trouerbach
Beyond Banking: IcedID Gets Forked
IcedID PhotoLoader
2023-04-21SophosColin Cowie, Paul Jaramillo
IcedID: Defrosting a Recent Campaign Illustrating evolving tactics and shared infrastructure
IcedID PhotoLoader
2023-04-20SecureworksCounter Threat Unit ResearchTeam
Bumblebee Malware Distributed Via Trojanized Installer Downloads
BumbleBee Cobalt Strike
2023-04-18Rapid7 LabsMatt Green
Automating Qakbot Detection at Scale With Velociraptor
2023-04-18Twitter (@threatinsight)Threat Insight
Tweet on TA581 using Keitaro TDS URL to download a .MSI file to deliver BumbleBee malware
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-04-16BotconfSuweera De Souza
Tracking Bumblebee’s Development
2023-04-16YouTube (botconf eu)Crowdstrike Technical Analysis Cell (TAC), Suweera De Souza
Tracking Bumblebee’s Development
2023-04-13SublimeSam Scholten
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction
2023-04-12SANS ISCBrad Duncan
Recent IcedID (Bokbot) activity
2023-04-12loginsoftBhargav koduru
Maximizing Threat Detections of Qakbot with Osquery
2023-04-12InfoSec Handlers Diary BlogBrad Duncan
Recent IcedID (Bokbot) activity
IcedID PhotoLoader
2023-04-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2023-04-11Twitter (@Unit42_Intel)Unit42
Tweet on change of IcedID backconnect traffic port from 8080 to 443
2023-04-11SEC ConsultAngelo Violetti
BumbleBee hunting with a Velociraptor
2023-04-10Check PointCheck Point
March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files
Agent Tesla CloudEyE Emotet Formbook Nanocore RAT NjRAT QakBot Remcos Tofsee
2023-04-05velociraptorMatt Green
Automating Qakbot Decode At Scale
2023-04-03The DFIR ReportThe DFIR Report
Malicious ISO File Leads to Domain Wide Ransomware
Cobalt Strike IcedID Mount Locker
2023-03-30United States District Court (Eastern District of New York)Fortra, HEALTH-ISAC, Microsoft
Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader
2023-03-30loginsoftSaharsh Agrawal
From Innocence to Malice: The OneNote Malware Campaign Uncovered
Agent Tesla AsyncRAT DOUBLEBACK Emotet Formbook IcedID NetWire RC QakBot Quasar RAT RedLine Stealer XWorm
2023-03-30eSentireeSentire Threat Response Unit (TRU)
eSentire Threat Intelligence Malware Analysis: BatLoader
BATLOADER Cobalt Strike ISFB SystemBC Vidar
2023-03-29KrakzPierre Le Bourhis
BumbleBee notes
2023-03-28CerberoErik Pistelli
Reversing Complex PowerShell Malware
2023-03-27ProofpointJoe Wise, Kelsey Merriman, Pim Trouerbach
Fork in the Ice: The New Era of IcedID
Bypassing Qakbot Anti-Analysis
2023-03-22Cisco TalosEdmund Brumaghin, Jaeson Schultz
Emotet Resumes Spam Operations, Switches to OneNote
2023-03-20NVISO LabsMaxime Thiebaut
IcedID’s VNC Backdoors: Dark Cat, Anubis & Keyhole
2023-03-190xToxin Labs@0xToxin
Gozi - Italian ShellCode Dance
2023-03-17ElasticCyril François, Daniel Stepanic
Thawing the permafrost of ICEDID Summary
IcedID PhotoLoader
QBot: Laying the Foundations for Black Basta Ransomware Activity
Black Basta QakBot
2023-03-13TrendmicroIan Kenefick
Emotet Returns, Now Adopts Binary Padding for Evasion
2023-03-09eSentireeSentire Threat Response Unit (TRU)
BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif
2023-03-07BleepingComputerLawrence Abrams
Emotet malware attacks return after three-month break
2023-03-07TrellixAlejandro Houspanossian, John Fokker, Mathanraj Thangaraju, Pham Duy Phuc, Raghav Kapoor
Qakbot Evolves to OneNote Malware Distribution
Emotet Sending Malicious Emails After Three-Month Hiatus
2023-03-040xToxin Labs@0xToxin
Bumblebee DocuSign Campaign
2023-03-02NetresecErik Hjelmvik
QakBot C2 Traffic
2023-03-02Youtube (Microsoft Security Response Center (MSRC))Ben Magee, Daniel Taylor
BlueHat 2023: Hunting Qakbot with Daniel Taylor & Ben Magee
2023-03-01ZscalerMeghraj Nandanwar, Shatak Jain
OneNote: A Growing Threat for Malware Distribution
AsyncRAT Cobalt Strike IcedID QakBot RedLine Stealer
2023-02-28Intel 471Intel 471
Malvertising Surges to Distribute Malware
EugenLoader BATLOADER IcedID
2023-02-27PRODAFT Threat IntelligencePRODAFT
RIG Exploit Kit: In-Depth Analysis
Dridex IcedID ISFB PureCrypter Raccoon RecordBreaker RedLine Stealer Royal Ransom Silence SmokeLoader Zloader
2023-02-26Medium IlanduIlan Duhin, Yossi Poberezsky
Emotet Campaign
2023-02-24Medium walmartglobaltechJason Reaves, Jonathan Mccay, Joshua Platt, Kirk Sayre
Qbot testing malvertising campaigns?
2023-02-24Team CymruTeam Cymru
Desde Chile con Malware (From Chile with Malware)
IcedID PhotoLoader
The Many Faces of Qakbot Malware: A Look at Its Diverse Distribution Methods
2023-02-15NetresecErik Hjelmvik
How to Identify IcedID Network Traffic
2023-02-14DSIHCharles Blanc-Rolin
Comment Qbot revient en force avec OneNote ?
2023-02-08NTT SecurityRyu Hiyoshi
SteelClover Attacks Distributing Malware Via Google Ads Increased
2023-02-06SophosAndrew Brandt
Qakbot mechanizes distribution of malicious OneNote notebooks
2023-02-03MandiantGenevieve Stark, Kimberly Goody
Float Like a Butterfly Sting Like a Bee
BazarBackdoor BumbleBee Cobalt Strike
2023-01-30CheckpointArie Olshtein
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot
2023-01-26AcronisIlan Duhin
Unpacking Emotet Malware
2023-01-23KrollElio Biasiotto, Stephen Green
Black Basta – Technical Analysis
Black Basta Cobalt Strike MimiKatz QakBot SystemBC
2023-01-20BlackberryBlackBerry Research & Intelligence Team
Emotet Returns With New Methods of Evasion
Emotet IcedID
2023-01-19CiscoGuilherme Venere
Following the LNK metadata trail
BumbleBee PhotoLoader QakBot
2023-01-12EclecticIQEclecticIQ Threat Research Team
QakBot Malware Used Unpatched Vulnerability to Bypass Windows OS Security Feature
2023-01-09IntrinsecCTI Intrinsec, Intrinsec
Emotet returns and deploys loaders
BumbleBee Emotet IcedID PHOTOLITE
2023-01-09The DFIR ReportThe DFIR Report
Unwrapping Ursnifs Gifts
2022-12-28Micah Babinski
HTML Smuggling Detection
2022-12-23TrendmicroIan Kenefick
IcedID Botnet Distributors Abuse Google PPC to Distribute Malware
Qakbot Being Distributed via Virtual Disk Files (*.vhd)
2022-12-21Team CymruS2 Research Team
Inside the IcedID BackConnect Protocol
2022-12-19kienmanowar Blogm4n0w4r, Tran Trung Kien
[Z2A]Bimonthly malware challege – Emotet (Back From the Dead)
2022-12-18ZAYOTEMBerkay DOĞAN, Dilara BEHAR, Rabia EKŞİ, Zafer Yiğithan DERECİ
IcedID Technical Analysis Report
2022-12-15ISCBrad Duncan
Google ads lead to fake software pages pushing IcedID (Bokbot)
2022-12-06EuRepoCCamille Borrett, Kerstin Zettl-Schabath, Lena Rottinger
Conti/Wizard Spider
BazarBackdoor Cobalt Strike Conti Emotet IcedID Ryuk TrickBot WIZARD SPIDER
2022-12-05CybereasonKotaro Ogino, Ralph Villanueva, Robin Plumer
Threat Analysis: MSI - Masquerading as a Software Installer
Magniber Matanbuchus QakBot
2022-12-02Github (binref)Jesko Hüttenhain
The Refinery Files 0x06: Qakbot Decoder
2022-12-01splunkSplunk Threat Research Team
From Macros to No Macros: Continuous Malware Improvements by QakBot
2022-11-30Tidal Cyber Inc.Scott Small
Identifying and Defending Against QakBot's Evolving TTPs
2022-11-28The DFIR ReportThe DFIR Report
Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware
Emotet Mount Locker
2022-11-23CybereasonCybereason Global SOC Team
THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies
Black Basta QakBot
2022-11-21BSides SydneyThomas Roccia
X-Ray of Malware Evasion Techniques - Analysis, Dissection, Cure?
2022-11-16ProofpointAxel F, Pim Trouerbach
A Comprehensive Look at Emotet Virus’ Fall 2022 Return
BumbleBee Emotet PHOTOLITE
2022-11-14Twitter (@embee_research)Matthew
Twitter thread on Yara Signatures for Qakbot Encryption Routines
IcedID QakBot
2022-11-10IntezerNicole Fishbein
How LNK Files Are Abused by Threat Actors
BumbleBee Emotet Mount Locker QakBot
Black Basta Ransomware | Attacks deploy Custom EDR Evasion Tools tied to FIN7 Threat Actor
Black Basta QakBot SocksBot
2022-10-31CynetMax Malyutin
Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware
Black Basta Cobalt Strike QakBot
2022-10-31ElasticAndrew Pease, Daniel Stepanic, Derek Ditch, Seth Goodwin
ICEDIDs network infrastructure is alive and well
2022-10-31Security homeworkChristophe Rieunier
QakBot CCs prioritization and new record types
2022-10-28Elastic@rsprooten, Elastic Security Intelligence & Analytics Team
EMOTET dynamic config extraction
2022-10-27MicrosoftMicrosoft Threat Intelligence
Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity
FAKEUPDATES BumbleBee Clop Fauppod Raspberry Robin Roshtyak Silence DEV-0950 Mustard Tempest
2022-10-27MicrosoftMicrosoft Security Threat Intelligence
Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity
FAKEUPDATES BumbleBee Fauppod PhotoLoader Raspberry Robin Roshtyak
2022-10-24Medium CSIS TechblogBenoît Ancel
Chapter 1 — From Gozi to ISFB: The history of a mythical malware family.
Gozi ISFB Snifula
2022-10-13SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-10-13SyrionRaffaele Sabato
QAKBOT BB Configuration and C2 IPs List
2022-10-12Trend MicroIan Kenefick, Lucas Silva, Nicole Hernandez
Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike
Black Basta Brute Ratel C4 Cobalt Strike QakBot
2022-10-12NetresecErik Hjelmvik
IcedID BackConnect Protocol
2022-10-07Team CymruS2 Research Team
A Visualizza into Recent IcedID Campaigns: Reconstructing Threat Actor Metrics with Pure Signal™ Recon
IcedID PhotoLoader
2022-10-06Twitter (@ESETresearch)ESET Research
Tweet on Bumblebee being modularized like trickbot
2022-10-03Check PointMarc Salinas Fernandez
Bumblebee: increasing its capacity and evolving its TTPs
BumbleBee Cobalt Strike Meterpreter Sliver Vidar
2022-10-03vmwareThreat Analysis Unit
Emotet Exposed: A Look Inside the Cybercriminal Supply Chain
2022-09-26The DFIR ReportThe DFIR Report
BumbleBee: Round Two
BumbleBee Cobalt Strike Meterpreter
2022-09-13AdvIntelAdvanced Intelligence
AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022
Conti Cobalt Strike Emotet Ryuk TrickBot
2022-09-12The DFIR ReportThe DFIR Report
Dead or Alive? An Emotet Story
Cobalt Strike Emotet
2022-09-07GoogleGoogle Threat Analysis Group, Pierre-Marc Bureau
Initial access broker repurposing techniques in targeted attacks against Ukraine
AnchorMail Cobalt Strike IcedID
Bumblebee Returns With New Infection Technique
BumbleBee Cobalt Strike
2022-09-06ZscalerBrett Stone-Gross
The Ares Banking Trojan Learns Old Tricks: Adds the Defunct Qakbot DGA
Ares QakBot
2022-09-05Infinitum ITArda Büyükkaya
Bumblebee Loader Malware Analysis
2022-09-01Medium michaelkoczwaraMichael Koczwara
Hunting C2/Adversaries Infrastructure with Shodan and Censys
Brute Ratel C4 Cobalt Strike Deimos GRUNT IcedID Merlin Meterpreter Nighthawk PoshC2 Sliver
2022-09-01Trend MicroTrend Micro
Ransomware Spotlight Black Basta
Black Basta Cobalt Strike MimiKatz QakBot
2022-08-25Palo Alto Networks Unit 42Amer Elsad
Threat Assessment: Black Basta Ransomware
Black Basta QakBot
2022-08-24ElasticCyril François
QBOT Malware Analysis
2022-08-24MicrosoftMicrosoft Security Experts
Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks
BumbleBee Sliver
2022-08-24TrellixAdithya Chandra, Sushant Kumar Arya
Demystifying Qbot Malware
2022-08-24Deep instinctDeep Instinct Threat Lab
The Dark Side of Bumblebee Malware Loader
2022-08-23DarktraceEugene Chua, Hanah Darley, Paul Jennings
Emotet Resurgence: Cross-Industry Campaign Analysis
2022-08-19vmwareOleg Boyarchuk, Stefano Ortolani
How to Replicate Emotet Lateral Movement
2022-08-18IBMCharlotte Hammond, Ole Villadsen
From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers
BumbleBee Karius Ramnit TrickBot Vawtrak
2022-08-17CybereasonCybereason Global SOC Team
Bumblebee Loader – The High Road to Enterprise Domain Control
BumbleBee Cobalt Strike
2022-08-12SANS ISCBrad Duncan
Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
Cobalt Strike DarkVNC IcedID
2022-08-10BitSightJoão Batista
Emotet SMB Spreader is Back
2022-08-10WeixinRed Raindrop Team
Operation(верность) mercenary: a torrent of steel trapped in the plains of Eastern Europe
BumbleBee Cobalt Strike
2022-08-08Medium CSIS TechblogBenoît Ancel
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-08-08The DFIR ReportThe DFIR Report
BumbleBee Roasts Its Way to Domain Admin
BumbleBee Cobalt Strike
2022-08-04Medium walmartglobaltechJason Reaves, Joshua Platt
IcedID leverages PrivateLoader
IcedID PrivateLoader
2022-08-04CloudsekAastha Mittal, Anandeshwar Unnikrishnan
Technical Analysis of Bumblebee Malware Loader
2022-08-03Palo Alto Networks Unit 42Brad Duncan
Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware
BazarBackdoor BumbleBee Cobalt Strike Conti
2022-07-27ElasticAndrew Pease, Cyril François, Seth Goodwin
Exploring the QBOT Attack Pattern
2022-07-27ElasticCyril François, Derek Ditch
QBOT Configuration Extractor
2022-07-27SANS ISCBrad Duncan
IcedID (Bokbot) with Dark VNC and Cobalt Strike
DarkVNC IcedID
2022-07-27cybleCyble Research Labs
Targeted Attacks Being Carried Out Via DLL SideLoading
Cobalt Strike QakBot
2022-07-24Bleeping ComputerBill Toulas
QBot phishing uses Windows Calculator sideloading to infect devices
2022-07-19FortinetXiaopeng Zhang
New Variant of QakBot Being Spread by HTML File Attached to Phishing Emails
2022-07-18Palo Alto Networks Unit 42Unit 42
Monster Libra
Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise
AsyncRAT BumbleBee Emotet IcedID QakBot
2022-07-12ZscalerAditya Sharma, Tarun Dewan
Rise in Qakbot attacks traced to evolving threat techniques
2022-07-12CyrenKervin Alintanahin
Example Analysis of Multi-Component Malware
Emotet Formbook
2022-07-07SANS ISCBrad Duncan
Emotet infection with Cobalt Strike
Cobalt Strike Emotet
2022-07-07FortinetErin Lin
Notable Droppers Emerge in Recent Threat Campaigns
BumbleBee Emotet PhotoLoader QakBot
2022-07-07IBMCharlotte Hammond, Kat Weinberger, Ole Villadsen
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine
AnchorMail BumbleBee Cobalt Strike IcedID Meterpreter
2022-07-05Soc InvestigationPriyadharshini Balaji
QBot Spreads via LNK Files – Detection & Response
2022-06-30Trend MicroEmmanuel Panopio, James Panlilio, John Kenneth Reyes, Kenneth Adrian Apostol, Melvin Singwa, Mirah Manlapig, Paolo Ronniel Labrador
Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit
Black Basta Cobalt Strike QakBot
2022-06-28SymantecThreat Hunter Team, Vishal Kamble
Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem
2022-06-27NetskopeGustavo Palazolo
Emotet: Still Abusing Microsoft Office Macros
2022-06-24Group-IBAlbert Priego
We see you, Gozi Hunting the latest TTPs used for delivering the Trojan
2022-06-24Soc InvestigationBalaGanesh
IcedID Banking Trojan returns with new TTPS – Detection & Response
2022-06-21McAfeeLakshya Mathur
Rise of LNK (Shortcut files) Malware
BazarBackdoor Emotet IcedID QakBot
2022-06-17Github (NtQuerySystemInformation)Twitter (@kasua02)
A reverse engineer primer on Qakbot Dll Stager: From initial execution to multithreading.
2022-06-16ESET ResearchRene Holt
How Emotet is changing tactics in response to Microsoft’s tightening of Office macro security
2022-06-14RiskIQJordan Herman
RiskIQ: Identifying BumbleBee Command and Control Servers
2022-06-13SekoiaThreat & Detection Research Team
BumbleBee: a new trendy loader for Initial Access Brokers
2022-06-09InfoSec Handlers Diary BlogBrad Duncan
TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)
2022-06-07McAfeeJyothi Naveen, Kiran Raj
Phishing Campaigns featuring Ursnif Trojan on the Rise
Bumblebee Loader on The Rise
BumbleBee Cobalt Strike
CloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot
2022-05-30Matthieu Walter
Automatically Unpacking IcedID Stage 1 with Angr
2022-05-27KrollCole Manaster, Elio Biasiotto, George Glass
Emotet Analysis: New LNKs in the Infection Chain – The Monitor, Issue 20
Buzz of the Bumblebee – A new malicious loader
2022-05-25Team CymruS2 Research Team
Bablosoft; Lowering the Barrier of Entry for Malicious Actors
BlackGuard BumbleBee RedLine Stealer
2022-05-25vmwareOleg Boyarchuk, Stefano Ortolani
Emotet Config Redux
2022-05-24Deep instinctBar Block
Blame the Messenger: 4 Types of Dropper Malware in Microsoft Office & How to Detect Them
Dridex Emotet
2022-05-24BitSightBitSight, João Batista, Pedro Umbelino
Emotet Botnet Rises Again
Cobalt Strike Emotet QakBot SystemBC
2022-05-19InfoSec Handlers Diary BlogBrad Duncan
Bumblebee Malware from TransferXL URLs
BumbleBee Cobalt Strike
2022-05-19InfoSec Handlers Diary BlogBrad Duncan
Bumblebee Malware from TransferXL URLs
BumbleBee Cobalt Strike
2022-05-19IBMCharlotte Hammond, Golo Mühr, Ole Villadsen
ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
2022-05-19Trend MicroAdolph Christian Silverio, Jeric Miguel Abordo, Khristian Joseph Morales, Maria Emreen Viray
Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware
Emotet QakBot
2022-05-17Palo Alto Networks Unit 42Brad Duncan
Emotet Summary: November 2021 Through January 2022
2022-05-17Trend MicroTrend Micro Research
Ransomware Spotlight: RansomEXX
LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot
2022-05-16vmwareJason Zhang, Oleg Boyarchuk, Stefano Ortolani, Threat Analysis Unit
Emotet Moves to 64 bit and Updates its Loader
2022-05-12Intel 471Intel 471
What malware to look for if you want to prevent a ransomware attack
Conti BumbleBee Cobalt Strike IcedID Sliver
2022-05-12OALabsSergei Frankoff
Taking a look at Bumblebee loader
2022-05-11InfoSec Handlers Diary BlogBrad Duncan
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader
2022-05-11SANS ISCBrad Duncan
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
2022-05-11HPHP Wolf Security
Threat Insights Report Q1 - 2022
AsyncRAT Emotet Mekotio Vjw0rm
2022-05-11IronNetBlake Cahen, IronNet Threat Research
Detecting a MUMMY SPIDER campaign and Emotet infection
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-09CybereasonLior Rochberger
Cybereason vs. Quantum Locker Ransomware
IcedID Mount Locker
2022-05-09NetresecErik Hjelmvik
Emotet C2 and Spam Traffic Video
2022-05-08QualysAmit Gadhave
Ursnif Malware Banks on News Events for Phishing Attacks
2022-05-08Threat hunting with hints of incident responseJouni Mikkola
Bzz.. Bzz.. Bumblebee loader
2022-05-06NetskopeGustavo Palazolo
Emotet: New Delivery Mechanism to Bypass VBA Protection
2022-05-04Twitter (@felixw3000)Felix
Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.
Cobalt Strike IcedID PhotoLoader
2022-05-04SophosAndreas Klopsch
Attacking Emotet’s Control Flow Flattening
2022-04-29NCC GroupMike Stokkel, Nikolaos Pantazopoulos, Nikolaos Totosis
Adventures in the land of BumbleBee – a new malicious loader
BazarBackdoor BumbleBee Conti
2022-04-28ProofpointKelsey Merriman, Pim Trouerbach
This isn't Optimus Prime's Bumblebee but it's Still Transforming
BumbleBee TA578 TA579
2022-04-28SymantecKarthikeyan C Kasiviswanathan, Vishal Kamble
Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-04-28Bleeping ComputerIonut Ilascu
New Bumblebee malware replaces Conti's BazarLoader in cyberattacks
Emotet Returns With New TTPs And Delivers .Lnk Files To Its Victims
2022-04-27Medium elis531989Eli Salem
The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection
BumbleBee TrickBot
2022-04-26Intel 471Intel 471
Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot
2022-04-26ProofpointAxel F
Emotet Tests New Delivery Techniques
2022-04-26Bleeping ComputerIonut Ilascu
Emotet malware now installs via PowerShell in Windows shortcut files
2022-04-25The DFIR ReportThe DFIR Report
Quantum Ransomware
Cobalt Strike IcedID
2022-04-24forensicitguyTony Lambert
Shortcut to Emotet, an odd TTP change
2022-04-20CISAAustralian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), CISA, FBI, Government Communications Security Bureau, National Crime Agency (NCA), NCSC UK, NSA
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
Malware development: persistence - part 1. Registry run keys. C++ example.
Agent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky
2022-04-20SANS ISCBrad Duncan
'aa' distribution Qakbot (Qbot) infection with DarkVNC traffic
2022-04-19Bleeping ComputerBill Toulas
Emotet botnet switches to 64-bit modules, increases activity
2022-04-19Twitter (@Cryptolaemus1)Cryptolaemus
#Emotet Update: 64 bit upgrade of Epoch 5
2022-04-18FortinetErin Lin
Trends in the Recent Emotet Maldoc Outbreak
2022-04-17MalwarologyGaetano Pellegrino
Qakbot Series: API Hashing
2022-04-17BushidoToken BlogBushidoToken
Lessons from the Conti Leaks
BazarBackdoor Conti Emotet IcedID Ryuk TrickBot
2022-04-16MalwarologyGaetano Pellegrino
Qakbot Series: Process Injection
2022-04-14Avast DecodedVladimir Martyanov
Zloader 2: The Silent Night
ISFB Raccoon Zloader
2022-04-14Bleeping ComputerBill Toulas
Hackers target Ukrainian govt with IcedID malware, Zimbra exploits
Cyberattack on Ukrainian state organizations using IcedID malware (CERT-UA#4464)
2022-04-14CynetMax Malyutin
Orion Threat Alert: Flight of the BumbleBee
BumbleBee Cobalt Strike
Emotet modules and recent attacks
2022-04-13MalwarologyGaetano Pellegrino
Qakbot Series: Configuration Extraction
2022-04-12Check PointCheck Point Research
March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance
Alien FluBot Agent Tesla Emotet
2022-04-12AhnLabASEC Analysis Team
SystemBC Being Used by Various Attackers
Emotet SmokeLoader SystemBC
2022-04-12Tech TimesJoseph Henry
Qbot Botnet Deploys Malware Payloads Through Malicious Windows Installers
2022-04-11Bleeping ComputerSergiu Gatlan
Qbot malware switches to new Windows Installer infection vector
2022-04-10MalwarologyGaetano Pellegrino
Qakbot Series: String Obfuscation
2022-04-08ReversingLabsPaul Roberts
ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles
Conti Emotet TrickBot
2022-04-04The DFIR Report@0xtornado, @MettalicHack, @yatinwad, @_pete_0
Stolen Images Campaign Ends in Conti Ransomware
Conti IcedID
2022-04-02Github (pl-v)Player-V
Emotet Analysis Part 1: Unpacking
2022-03-31TrellixJambul Tologonov, John Fokker
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-31nccgroupAlex Jessop, Nikolaos Pantazopoulos, RIFT: Research and Intelligence Fusion Team, Simon Biggs
Conti-nuation: methods and techniques observed in operations post the leaks
Cobalt Strike Conti QakBot