GOLD CABIN (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

GOLD CABIN (Back to overview)

aka: Shakthak, TA551, ATK236, G0127, Monster Libra

GOLD CABIN is a financially motivated cybercriminal threat group operating a malware distribution service on behalf of numerous customers since 2018. GOLD CABIN uses malicious documents, often contained in password-protected archives, delivered through email to download and execute payloads. The second-stage payloads are most frequently Gozi ISFB (Ursnif) or IcedID (Bokbot), sometimes using intermediary malware like Valak. GOLD CABIN infrastructure relies on artificial appearing and frequently changing URLs created with a domain generation algorithm (DGA). The URLs host a PHP object that returns the malware as a DLL file.

Associated Families

win.isfb win.icedid win.emotet win.qakbot

References

2022-09-13 ⋅ AdvIntel ⋅ Advanced Intelligence
AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022
Conti Cobalt Strike Emotet Ryuk TrickBot

2022-09-12 ⋅ The DFIR Report ⋅ The DFIR Report
Dead or Alive? An Emotet Story
Cobalt Strike Emotet

2022-09-07 ⋅ Google ⋅ Pierre-Marc Bureau, Google Threat Analysis Group
Initial access broker repurposing techniques in targeted attacks against Ukraine
AnchorMail Cobalt Strike IcedID

2022-09-06 ⋅ Zscaler ⋅ Brett Stone-Gross
The Ares Banking Trojan Learns Old Tricks: Adds the Defunct Qakbot DGA
Ares QakBot

2022-09-01 ⋅ Trend Micro ⋅ Trend Micro
Ransomware Spotlight Black Basta
Black Basta Cobalt Strike MimiKatz QakBot

2022-08-24 ⋅ Trellix ⋅ Adithya Chandra, Sushant Kumar Arya
Demystifying Qbot Malware
QakBot

2022-08-24 ⋅ Elastic ⋅ Cyril François
QBOT Malware Analysis
QakBot

2022-08-23 ⋅ Darktrace ⋅ Eugene Chua, Paul Jennings, Hanah Darley
Emotet Resurgence: Cross-Industry Campaign Analysis
Emotet

2022-08-19 ⋅ vmware ⋅ Oleg Boyarchuk, Stefano Ortolani
How to Replicate Emotet Lateral Movement
Emotet

2022-08-12 ⋅ SANS ISC ⋅ Brad Duncan
Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
Cobalt Strike DarkVNC IcedID

2022-08-10 ⋅ BitSight ⋅ João Batista
Emotet SMB Spreader is Back
Emotet

2022-08-08 ⋅ Medium CSIS Techblog ⋅ Benoît Ancel
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader

2022-08-04 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves
IcedID leverages PrivateLoader
IcedID PrivateLoader

2022-07-27 ⋅ Elastic ⋅ Cyril François, Derek Ditch
QBOT Configuration Extractor
QakBot

2022-07-27 ⋅ SANS ISC ⋅ Brad Duncan
IcedID (Bokbot) with Dark VNC and Cobalt Strike
DarkVNC IcedID

2022-07-27 ⋅ cyble ⋅ Cyble Research Labs
Targeted Attacks Being Carried Out Via DLL SideLoading
Cobalt Strike QakBot

2022-07-27 ⋅ Elastic ⋅ Cyril François, Andrew Pease, Seth Goodwin
Exploring the QBOT Attack Pattern
QakBot

2022-07-24 ⋅ Bleeping Computer ⋅ Bill Toulas
QBot phishing uses Windows Calculator sideloading to infect devices
QakBot

2022-07-19 ⋅ Fortinet ⋅ Xiaopeng Zhang
New Variant of QakBot Being Spread by HTML File Attached to Phishing Emails
QakBot

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Monster Libra
Valak IcedID GOLD CABIN

2022-07-17 ⋅ Resecurity ⋅ Resecurity
Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise
AsyncRAT BumbleBee Emotet IcedID QakBot

2022-07-12 ⋅ Zscaler ⋅ Tarun Dewan, Aditya Sharma
Rise in Qakbot attacks traced to evolving threat techniques
QakBot

2022-07-12 ⋅ Cyren ⋅ Kervin Alintanahin
Example Analysis of Multi-Component Malware
Emotet Formbook

2022-07-07 ⋅ Fortinet ⋅ Erin Lin
Notable Droppers Emerge in Recent Threat Campaigns
BumbleBee Emotet PhotoLoader QakBot

2022-07-07 ⋅ SANS ISC ⋅ Brad Duncan
Emotet infection with Cobalt Strike
Cobalt Strike Emotet

2022-07-07 ⋅ IBM ⋅ Ole Villadsen, Charlotte Hammond, Kat Weinberger
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine
AnchorMail BumbleBee Cobalt Strike IcedID Meterpreter

2022-07-05 ⋅ Soc Investigation ⋅ Priyadharshini Balaji
QBot Spreads via LNK Files – Detection & Response
QakBot

2022-06-30 ⋅ Trend Micro ⋅ Kenneth Adrian Apostol, Paolo Ronniel Labrador, Mirah Manlapig, James Panlilio, Emmanuel Panopio, John Kenneth Reyes, Melvin Singwa
Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit
Black Basta Cobalt Strike QakBot

2022-06-27 ⋅ Netskope ⋅ Gustavo Palazolo
Emotet: Still Abusing Microsoft Office Macros
Emotet

2022-06-24 ⋅ Soc Investigation ⋅ BalaGanesh
IcedID Banking Trojan returns with new TTPS – Detection & Response
IcedID

2022-06-24 ⋅ Group-IB ⋅ Albert Priego
We see you, Gozi Hunting the latest TTPs used for delivering the Trojan
ISFB

2022-06-21 ⋅ McAfee ⋅ Lakshya Mathur
Rise of LNK (Shortcut files) Malware
BazarBackdoor Emotet IcedID QakBot

2022-06-17 ⋅ Github (NtQuerySystemInformation) ⋅ Twitter (@kasua02)
A reverse engineer primer on Qakbot Dll Stager: From initial execution to multithreading.
QakBot

2022-06-16 ⋅ ESET Research ⋅ Rene Holt
How Emotet is changing tactics in response to Microsoft’s tightening of Office macro security
Emotet

2022-06-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)
QakBot

2022-06-07 ⋅ McAfee ⋅ Jyothi Naveen, Kiran Raj
Phishing Campaigns featuring Ursnif Trojan on the Rise
ISFB

2022-06-02 ⋅ Mandiant ⋅ Mandiant
TRENDING EVIL Q2 2022
CloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot

2022-05-30 ⋅ Matthieu Walter
Automatically Unpacking IcedID Stage 1 with Angr
IcedID

2022-05-27 ⋅ Kroll ⋅ Cole Manaster, George Glass, Elio Biasiotto
Emotet Analysis: New LNKs in the Infection Chain – The Monitor, Issue 20
Emotet

2022-05-25 ⋅ vmware ⋅ Oleg Boyarchuk, Stefano Ortolani
Emotet Config Redux
Emotet

2022-05-24 ⋅ Deep instinct ⋅ Bar Block
Blame the Messenger: 4 Types of Dropper Malware in Microsoft Office & How to Detect Them
Dridex Emotet

2022-05-24 ⋅ BitSight ⋅ João Batista, Pedro Umbelino, BitSight
Emotet Botnet Rises Again
Cobalt Strike Emotet QakBot SystemBC

2022-05-19 ⋅ Trend Micro ⋅ Adolph Christian Silverio, Jeric Miguel Abordo, Khristian Joseph Morales, Maria Emreen Viray
Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware
Emotet QakBot

2022-05-19 ⋅ IBM ⋅ Charlotte Hammond, Ole Villadsen, Golo Mühr
ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
IcedID ISFB Mount Locker

2022-05-17 ⋅ Trend Micro ⋅ Trend Micro Research
Ransomware Spotlight: RansomEXX
LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot

2022-05-17 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Emotet Summary: November 2021 Through January 2022
Emotet

2022-05-16 ⋅ vmware ⋅ Oleg Boyarchuk, Stefano Ortolani, Jason Zhang, Threat Analysis Unit
Emotet Moves to 64 bit and Updates its Loader
Emotet

2022-05-12 ⋅ Intel 471 ⋅ Intel 471
What malware to look for if you want to prevent a ransomware attack
Conti BumbleBee Cobalt Strike IcedID Sliver

2022-05-11 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader

2022-05-11 ⋅ IronNet ⋅ Blake Cahen, IronNet Threat Research
Detecting a MUMMY SPIDER campaign and Emotet infection
Emotet

2022-05-11 ⋅ HP ⋅ HP Wolf Security
Threat Insights Report Q1 - 2022
AsyncRAT Emotet Mekotio Vjw0rm

2022-05-09 ⋅ Netresec ⋅ Erik Hjelmvik
Emotet C2 and Spam Traffic Video
Emotet

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-05-09 ⋅ Cybereason ⋅ Lior Rochberger
Cybereason vs. Quantum Locker Ransomware
IcedID Mount Locker

2022-05-08 ⋅ Qualys ⋅ Amit Gadhave
Ursnif Malware Banks on News Events for Phishing Attacks
ISFB

2022-05-06 ⋅ Netskope ⋅ Gustavo Palazolo
Emotet: New Delivery Mechanism to Bypass VBA Protection
Emotet

2022-05-04 ⋅ Twitter (@felixw3000) ⋅ Felix
Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.
Cobalt Strike IcedID PhotoLoader

2022-05-04 ⋅ Sophos ⋅ Andreas Klopsch
Attacking Emotet’s Control Flow Flattening
Emotet

2022-04-28 ⋅ Symantec ⋅ Karthikeyan C Kasiviswanathan, Vishal Kamble
Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot

2022-04-27 ⋅ Cybleinc ⋅ Cyble
Emotet Returns With New TTPs And Delivers .Lnk Files To Its Victims
Emotet

2022-04-26 ⋅ Proofpoint ⋅ Axel F
Emotet Tests New Delivery Techniques
Emotet

2022-04-26 ⋅ Intel 471 ⋅ Intel 471
Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot

2022-04-26 ⋅ Bleeping Computer ⋅ Ionut Ilascu
Emotet malware now installs via PowerShell in Windows shortcut files
Emotet

2022-04-25 ⋅ The DFIR Report ⋅ The DFIR Report
Quantum Ransomware
Cobalt Strike IcedID

2022-04-24 ⋅ forensicitguy ⋅ Tony Lambert
Shortcut to Emotet, an odd TTP change
Emotet

2022-04-20 ⋅ CISA ⋅ CISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader

2022-04-20 ⋅ SANS ISC ⋅ Brad Duncan
'aa' distribution Qakbot (Qbot) infection with DarkVNC traffic
QakBot

2022-04-20 ⋅ CISA ⋅ CISA
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet

2022-04-19 ⋅ Twitter (@Cryptolaemus1) ⋅ Cryptolaemus
#Emotet Update: 64 bit upgrade of Epoch 5
Emotet

2022-04-19 ⋅ Bleeping Computer ⋅ Bill Toulas
Emotet botnet switches to 64-bit modules, increases activity
Emotet

2022-04-18 ⋅ Fortinet ⋅ Erin Lin
Trends in the Recent Emotet Maldoc Outbreak
Emotet

2022-04-17 ⋅ Malwarology ⋅ Gaetano Pellegrino
Qakbot Series: API Hashing
QakBot

2022-04-17 ⋅ BushidoToken Blog ⋅ BushidoToken
Lessons from the Conti Leaks
BazarBackdoor Conti Emotet IcedID Ryuk TrickBot

2022-04-16 ⋅ Malwarology ⋅ Gaetano Pellegrino
Qakbot Series: Process Injection
QakBot

2022-04-14 ⋅ Cert-UA ⋅ Cert-UA
Cyberattack on Ukrainian state organizations using IcedID malware (CERT-UA#4464)
IcedID

2022-04-14 ⋅ Avast Decoded ⋅ Vladimir Martyanov
Zloader 2: The Silent Night
ISFB Raccoon Zloader

2022-04-14 ⋅ Bleeping Computer ⋅ Bill Toulas
Hackers target Ukrainian govt with IcedID malware, Zimbra exploits
IcedID

2022-04-13 ⋅ Kaspersky ⋅ AMR
Emotet modules and recent attacks
Emotet

2022-04-13 ⋅ Malwarology ⋅ Gaetano Pellegrino
Qakbot Series: Configuration Extraction
QakBot

2022-04-12 ⋅ AhnLab ⋅ ASEC Analysis Team
SystemBC Being Used by Various Attackers
Emotet SmokeLoader SystemBC

2022-04-12 ⋅ Tech Times ⋅ Joseph Henry
Qbot Botnet Deploys Malware Payloads Through Malicious Windows Installers
QakBot

2022-04-12 ⋅ Check Point ⋅ Check Point Research
March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance
Alien FluBot Agent Tesla Emotet

2022-04-11 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
Qbot malware switches to new Windows Installer infection vector
QakBot

2022-04-10 ⋅ Malwarology ⋅ Gaetano Pellegrino
Qakbot Series: String Obfuscation
QakBot

2022-04-08 ⋅ ReversingLabs ⋅ Paul Roberts
ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles
Conti Emotet TrickBot

2022-04-04 ⋅ The DFIR Report ⋅ @0xtornado, @yatinwad, @MettalicHack, @_pete_0
Stolen Images Campaign Ends in Conti Ransomware
Conti IcedID

2022-04-02 ⋅ Github (pl-v) ⋅ Player-V
Emotet Analysis Part 1: Unpacking
Emotet

2022-03-31 ⋅ Trellix ⋅ John Fokker, Jambul Tologonov
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot

2022-03-31 ⋅ nccgroup ⋅ Nikolaos Pantazopoulos, Alex Jessop, Simon Biggs, RIFT: Research and Intelligence Fusion Team
Conti-nuation: methods and techniques observed in operations post the leaks
Cobalt Strike Conti QakBot

2022-03-30 ⋅ Prevailion ⋅ Prevailion
Wizard Spider continues to confound
BazarBackdoor Cobalt Strike Emotet

2022-03-29 ⋅ vmware ⋅ Oleg Boyarchuk, Jason Zhang, Threat Analysis Unit
Emotet C2 Configuration Extraction and Analysis
Emotet

2022-03-29 ⋅ Threat Post ⋅ Elizabeth Montalbano
Exchange Servers Speared in IcedID Phishing Campaign
IcedID

2022-03-28 ⋅ Fortinet ⋅ James Slaughter, Val Saengphaibul, Fred Gutierrez
Spoofed Invoice Used to Drop IcedID
IcedID

2022-03-28 ⋅ Bleeping Computer ⋅ Bill Toulas
Microsoft Exchange targeted for IcedID reply-chain hijacking attacks
IcedID

2022-03-28 ⋅ Cisco ⋅ María José Erquiaga, Onur Erdogan, Adela Jezkova
Emotet is Back
Emotet

2022-03-28 ⋅ Intezer ⋅ Joakim Kennedy, Ryan Robinson
New Conversation Hijacking Campaign Delivering IcedID
IcedID PhotoLoader

2022-03-25 ⋅ SANS ISC ⋅ Xavier Mertens
XLSB Files: Because Binary is Stealthier Than XML
QakBot

2022-03-23 ⋅ Fortinet ⋅ Shunichi Imano, Val Saengphaibul
Bad Actors Trying to Capitalize on Current Events via Shameless Email Scams
Emotet

2022-03-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
GOLD ULRICK Leaks Reveal Organizational Structure and Relationships
Conti Emotet IcedID TrickBot

2022-03-23 ⋅ NVISO Labs ⋅ Bart Parys
Hunting Emotet campaigns with Kusto
Emotet

2022-03-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Threat Intelligence Executive Report Volume 2022, Number 2
Conti Emotet IcedID TrickBot

2022-03-23 ⋅ Fortinet ⋅ Xiaopeng Zhang
MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part II
Emotet

2022-03-21 ⋅ Info Security ⋅ Vinugayathri Chinnasamy
Emotet Is Back and Is Deadlier Than Ever! A Rundown of the Emotet Malware
Emotet

2022-03-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID

2022-03-17 ⋅ Github (eln0ty) ⋅ Abdallah Elnoty
IcedID Analysis
IcedID

2022-03-17 ⋅ Trend Micro ⋅ Trend Micro Research
Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report
REvil BazarBackdoor Buer IcedID QakBot REvil

2022-03-16 ⋅ SANS ISC ⋅ Brad Duncan
Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot

2022-03-16 ⋅ Symantec ⋅ Symantec Threat Hunter Team
The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin

2022-03-16 ⋅ Dragos ⋅ Josh Hanrahan
Suspected Conti Ransomware Activity in the Auto Manufacturing Sector
Conti Emotet

2022-03-16 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot

2022-03-09 ⋅ nikpx ⋅ xors
BokBot Technical Analysis
IcedID

2022-03-08 ⋅ Lumen ⋅ Black Lotus Labs
What Global Network Visibility Reveals about the Resurgence of One of the World’s Most Notorious Botnets
Emotet

2022-03-07 ⋅ Fortinet ⋅ Xiaopeng Zhang
MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part I
Emotet

2022-03-03 ⋅ Trend Micro ⋅ Trend Micro Research
Cyberattacks are Prominent in the Russia-Ukraine Conflict
BazarBackdoor Cobalt Strike Conti Emotet WhisperGate

2022-03-02 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Conti Ransomware Group Diaries, Part II: The Office
Conti Emotet Ryuk TrickBot

2022-03-01 ⋅ Twitter (@ContiLeaks) ⋅ ContiLeaks
Tweet on Emotet final server scheme
Emotet

2022-02-26 ⋅ LinkedIn (Zayed AlJaberi) ⋅ Zayed AlJaberi
Hunting Recent QakBot Malware
QakBot

2022-02-26 ⋅ Mandiant ⋅ Mandiant
TRENDING EVIL Q1 2022
KEYPLUG FAKEUPDATES GootLoader BazarBackdoor QakBot

2022-02-25 ⋅ CyberScoop ⋅ Joe Warminsky
TrickBot malware suddenly got quiet, researchers say, but it's hardly the end for its operators
BazarBackdoor Emotet TrickBot

2022-02-24 ⋅ The Hacker News ⋅ Ravie Lakshmanan
Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure
BazarBackdoor Emotet TrickBot

2022-02-24 ⋅ Cynet ⋅ Max Malyutin
New Wave of Emotet – When Project X Turns Into Y
Cobalt Strike Emotet

2022-02-24 ⋅ The Hacker News ⋅ Ravie Lakshmanan
TrickBot Gang Likely Shifting Operations to Switch to New Malware
BazarBackdoor Emotet QakBot TrickBot

2022-02-23 ⋅ cyber.wtf blog ⋅ Luca Ebach
What the Pack(er)?
Cobalt Strike Emotet

2022-02-22 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
IcedID to Cobalt Strike In Under 20 Minutes
Cobalt Strike IcedID PhotoLoader

2022-02-21 ⋅ The DFIR Report
Qbot and Zerologon Lead To Full Domain Compromise
Cobalt Strike QakBot

2022-02-16 ⋅ Threat Post ⋅ Elizabeth Montalbano
Emotet Now Spreading Through Malicious Excel Files
Emotet

2022-02-16 ⋅ SOC Prime ⋅ Alla Yurchenko
QBot Malware Detection: Old Dog New Tricks
QakBot

2022-02-16 ⋅ Security Onion ⋅ Doug Burks
Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08
Cobalt Strike Emotet

2022-02-15 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
Increase in Emotet Activity and Cobalt Strike Deployment
Cobalt Strike Emotet

2022-02-15 ⋅ Palo Alto Networks Unit 42 ⋅ Saqib Khanzada, Tyler Halfpop, Micah Yates, Brad Duncan
New Emotet Infection Method
Emotet

2022-02-13 ⋅ NetbyteSEC ⋅ Taqi, Rosamira, Fareed
Technical Malware Analysis: The Return of Emotet
Emotet

2022-02-10 ⋅ Cybereason ⋅ Cybereason Global SOC Team
Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot
Cobalt Strike Emotet IcedID QakBot

2022-02-08 ⋅ BleepingComputer ⋅ Bill Toulas
Qbot needs only 30 minutes to steal your credentials, emails
QakBot

2022-02-07 ⋅ The DFIR Report ⋅ The DFIR Report
Qbot Likes to Move It, Move It
QakBot

2022-02-07 ⋅ vmware ⋅ Jason Zhang, Threat Analysis Unit
Emotet Is Not Dead (Yet) – Part 2
Emotet

2022-02-02 ⋅ VMRay ⋅ VMRay Labs Team, Mateusz Lukaszewski
Malware Analysis Spotlight: Emotet’s Use of Cryptography
Emotet

2022-01-27 ⋅ Threat Lab Indonesia ⋅ Threat Lab Indonesia
Malware Analysis Emotet Infection
Emotet

2022-01-25 ⋅ SANS ISC ⋅ Brad Duncan
Emotet Stops Using 0.0.0.0 in Spambot Traffic
Emotet

2022-01-23 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien
[QuickNote] Emotet epoch4 & epoch5 tactics
Emotet

2022-01-22 ⋅ Atomic Matryoshka ⋅ z3r0day_504
Malware Headliners: Emotet
Emotet

2022-01-21 ⋅ Trend Micro ⋅ Ian Kenefick
Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware
Emotet

2022-01-21 ⋅ vmware ⋅ Jason Zhang, Threat Analysis Unit
Emotet Is Not Dead (Yet)
Emotet

2022-01-19 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
0.0.0.0 in Emotet Spambot Traffic
Emotet

2022-01-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk

2022-01-18 ⋅ Recorded Future ⋅ Insikt Group®
2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot

2022-01-17 ⋅ forensicitguy ⋅ Tony Lambert
Emotet's Excel 4.0 Macros Dropping DLLs
Emotet

2022-01-15 ⋅ Atomic Matryoshka ⋅ z3r0day_504
Malware Headliners: Qakbot
QakBot

2022-01-14 ⋅ RiskIQ ⋅ Jordan Herman
RiskIQ: Unique SSL Certificates and JARM Hash Connected to Emotet and Dridex C2 Servers
Dridex Emotet

2022-01-13 ⋅ Trustwave ⋅ Lloyd Macrohon, Rodel Mendrez
Decrypting Qakbot’s Encrypted Registry Keys
QakBot

2022-01-11 ⋅ Cybereason ⋅ Omri Refaeli, Chen Erlich, Ofir Ozer, Niv Yona, Daichi Shimabukuro
Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle

2022-01-11 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
Signed DLL campaigns as a service
Cobalt Strike ISFB Zloader

2022-01-07 ⋅ muha2xmad ⋅ Muhammad Hasan Ali
Unpacking Emotet malware part 02
Emotet

2022-01-06 ⋅ muha2xmad ⋅ Muhammad Hasan Ali
Unpacking Emotet malware part 01
Emotet

2022-01-01 ⋅ forensicitguy ⋅ Tony Lambert
Analyzing an IcedID Loader Document
IcedID

2021-12-22 ⋅ Cloudsek ⋅ Anandeshwar Unnikrishnan
Emotet 2.0: Everything you need to know about the new Variant of the Banking Trojan
Emotet

2021-12-17 ⋅ Trend Micro ⋅ Abraham Camba, Jonna Santos, Gilbert Sison, Jay Yaneza
Staging a Quack: Reverse Analyzing a Fileless QAKBOT Stager
QakBot

2021-12-16 ⋅ Red Canary ⋅ The Red Canary Team
Intelligence Insights: December 2021
Cobalt Strike QakBot Squirrelwaffle

2021-12-16 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
How the "Contact Forms" campaign tricks people
IcedID

2021-12-13 ⋅ Zscaler ⋅ Dennis Schwarz, Avinash Kumar
Return of Emotet: Malware Analysis
Emotet

2021-12-11 ⋅ YouTube (AGDC Services) ⋅ AGDC Services
How To Extract & Decrypt Qbot Configs Across Variants
QakBot

2021-12-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
A closer look at Qakbot’s latest building blocks (and how to knock them down)
QakBot

2021-12-09 ⋅ HP ⋅ Patrick Schläpfer
Emotet’s Return: What’s Different?
Emotet

2021-12-08 ⋅ Check Point Research ⋅ Raman Ladutska, Aliaksandr Trafimchuk, David Driker, Yali Magiel
When old friends meet again: why Emotet chose Trickbot for rebirth
Emotet TrickBot

2021-12-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Emotet now drops Cobalt Strike, fast forwards ransomware attacks
Cobalt Strike Emotet

2021-12-03 ⋅ SANS ISC InfoSec Forums ⋅ Brad Duncan
TA551 (Shathak) pushes IcedID (Bokbot)
IcedID

2021-11-30 ⋅ Deep instinct ⋅ Ron Ben Yizhak
The Re-Emergence of Emotet
Emotet

2021-11-25 ⋅ DSIH ⋅ Charles Blanc-Rolin
Emotet de retour, POC Exchange, 0-day Windows : à quelle sauce les attaquants prévoient de nous manger cette semaine?
Emotet

2021-11-23 ⋅ Anomali ⋅ Anomali Threat Research
Mummy Spider’s Emotet Malware is Back After a Year Hiatus; Wizard Spider’s TrickBot Observed in Its Return
Emotet

2021-11-21 ⋅ Twitter (@tylabs) ⋅ Tyler McLellan, Twitter (@ffforward)
Twitter Thread about UNC1500 phishing using QAKBOT
QakBot

2021-11-20 ⋅ Twitter (@eduardfir) ⋅ Eduardo Mattos
Tweet on Velociraptor artifact analysis for Emotet
Emotet

2021-11-20 ⋅ Youtube (HEXORCIST) ⋅ Nicolas Brulez
Unpacking Emotet and Reversing Obfuscated Word Document
Emotet

2021-11-20 ⋅ Advanced Intelligence ⋅ Yelisey Boguslavskiy, Vitali Kremez
Corporate Loader "Emotet": History of "X" Project Return for Ransomware
Emotet

2021-11-19 ⋅ CRONUP ⋅ Germán Fernández
La Botnet de EMOTET reinicia ataques en Chile y LATAM
Emotet

2021-11-19 ⋅ Trend Micro ⋅ Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar
Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
Cobalt Strike QakBot Squirrelwaffle

2021-11-19 ⋅ LAC WATCH ⋅ LAC WATCH
Malware Emotet resumes its activities for the first time in 10 months, and Japan is also the target of the attack
Emotet

2021-11-18 ⋅ Netskope ⋅ Gustavo Palazolo, Ghanashyam Satpathy
Netskope Threat Coverage: The Return of Emotet
Emotet

2021-11-18 ⋅ eSentire ⋅ eSentire
Emotet Activity Identified
Emotet

2021-11-18 ⋅ Red Canary ⋅ The Red Canary Team
Intelligence Insights: November 2021
Andromeda Conti LockBit QakBot Squirrelwaffle

2021-11-17 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42
Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike
Cobalt Strike QakBot

2021-11-16 ⋅ Twitter (@kienbigmummy) ⋅ m4n0w4r
Tweet on short analysis of QakBot
QakBot

2021-11-16 ⋅ Malwarebytes ⋅ Malwarebytes Threat Intelligence Team
TrickBot helps Emotet come back from the dead
Emotet TrickBot

2021-11-16 ⋅ Zscaler ⋅ Deepen Desai
Return of Emotet malware
Emotet

2021-11-16 ⋅ Hornetsecurity ⋅ Security Lab
Comeback of Emotet
Emotet

2021-11-16 ⋅ IronNet ⋅ IronNet Threat Research, Morgan Demboski, Joey Fitzpatrick, Peter Rydzynski
How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware
Cobalt Strike Conti IcedID REvil

2021-11-16 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Emotet Returns
Emotet

2021-11-15 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Emotet malware is back and rebuilding its botnet via TrickBot
Emotet

2021-11-15 ⋅ cyber.wtf blog ⋅ Luca Ebach
Guess who’s back
Emotet

2021-11-15 ⋅ TRUESEC ⋅ Fabio Viggiani
ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks
Cobalt Strike Conti QakBot

2021-11-13 ⋅ Trend Micro ⋅ Ian Kenefick, Vladimir Kropotov
QAKBOT Loader Returns With New Techniques and Tools
QakBot

2021-11-13 ⋅ YouTube (AGDC Services) ⋅ AGDC Services
Automate Qbot Malware String Decryption With Ghidra Script
QakBot

2021-11-12 ⋅ Recorded Future ⋅ Insikt Group®
The Business of Fraud: Botnet Malware Dissemination
Mozi Dridex IcedID QakBot TrickBot

2021-11-12 ⋅ Trend Micro ⋅ Ian Kenefick, Vladimir Kropotov
The Prelude to Ransomware: A Look into Current QAKBOT Capabilities and Global Activities
QakBot

2021-11-11 ⋅ Cynet ⋅ Max Malyutin
A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation
Cobalt Strike QakBot

2021-11-11 ⋅ vmware ⋅ Jason Zhang, Stefano Ortolani, Giovanni Vigna, Threat Analysis Unit
Research Recap: How To Automate Malware Campaign Detection With Telemetry Peak Analyzer
Phorpiex QakBot

2021-11-10 ⋅ CIRCL ⋅ CIRCL
TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders
QakBot

2021-11-09 ⋅ MinervaLabs ⋅ Minerva Labs
A New DatopLoader Delivers QakBot Trojan
QakBot Squirrelwaffle

2021-11-04 ⋅ splunk ⋅ Splunk Threat Research Team
Detecting IcedID... Could It Be A Trickbot Copycat?
IcedID

2021-11-03 ⋅ Twitter (@Corvid_Cyber) ⋅ CORVID
Tweet on a unique Qbot debugger dropped by an actor after compromise
QakBot

2021-11-03 ⋅ Team Cymru ⋅ tcblogposts
Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance
DoppelDridex IcedID QakBot Zloader

2021-10-26 ⋅ ANSSI
Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil

2021-10-26 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Mariano Graziano, Nick Mavis
SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle

2021-10-25 ⋅ Cleafy ⋅ Cleafy
Digital banking fraud: how the Gozi malware works
ISFB

2021-10-18 ⋅ The DFIR Report ⋅ The DFIR Report
IcedID to XingLocker Ransomware in 24 hours
Cobalt Strike IcedID Mount Locker

2021-10-15 ⋅ Trend Micro ⋅ Fernando Mercês
Ransomware Operators Found Using New "Franchise" Business Model
Glupteba IcedID Mount Locker

2021-10-07 ⋅ Netskope ⋅ Gustavo Palazolo, Ghanashyam Satpathy
SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
Cobalt Strike QakBot Squirrelwaffle

2021-09-29 ⋅ Proofpoint ⋅ Selena Larson, Proofpoint Staff
TA544 Targets Italian Organizations with Ursnif Malware
ISFB

2021-09-03 ⋅ IBM ⋅ Camille Singleton, Andrew Gorecki, John Dwyer
Dissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight
Valak QakBot REvil

2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader

2021-09-02 ⋅ Kaspersky ⋅ Anton Kuzmenko, Oleg Kupreev, Haim Zigel
QakBot Technical Analysis
QakBot

2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker

2021-08-05 ⋅ Group-IB ⋅ Viktor Okorokov, Nikita Rostovcev
Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot
Prometheus Backdoor Buer campoloader Hancitor IcedID QakBot

2021-08-05 ⋅ The Record ⋅ Catalin Cimpanu
Meet Prometheus, the secret TDS behind some of today’s malware campaigns
Buer campoloader IcedID QakBot

2021-07-30 ⋅ HP ⋅ Patrick Schläpfer
Detecting TA551 domains
Valak Dridex IcedID ISFB QakBot

2021-07-26 ⋅ vmware ⋅ Quentin Fois, Pavankumar Chaudhari
Hunting IcedID and unpacking automation with Qiling
IcedID

2021-07-24 ⋅ 0ffset Blog ⋅ Daniel Bunce
Quack Quack: Analysing Qakbot’s Browser Hooking Module – Part 1
QakBot

2021-07-23 ⋅ Github (Lastline-Inc) ⋅ Quentin Fois, Pavankumar Chaudhari
YARA rules, IOCs and Scripts for extracting IcedID C2s
IcedID

2021-07-19 ⋅ The DFIR Report ⋅ The DFIR Report
IcedID and Cobalt Strike vs Antivirus
Cobalt Strike IcedID

2021-07-14 ⋅ Cerium Networks ⋅ Blumira
Threat of the Month: IcedID Malware
IcedID

2021-07-12 ⋅ The Record ⋅ Catalin Cimpanu
Over 780,000 email accounts compromised by Emotet have been secured
Emotet

2021-07-08 ⋅ vmware ⋅ Quentin Fois, Pavankumar Chaudhari
IcedID: Analysis and Detection
IcedID

2021-06-30 ⋅ Cynet ⋅ Max Malyutin
Shelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration
Conti IcedID

2021-06-30 ⋅ The Record ⋅ Catalin Cimpanu
Gozi malware gang member arrested in Colombia
Gozi ISFB

2021-06-24 ⋅ Kaspersky ⋅ Anton Kuzmenko
Malicious spam campaigns delivering banking Trojans
IcedID QakBot

2021-06-24 ⋅ SentinelOne ⋅ Marco Figueroa
Evasive Maneuvers | Massive IcedID Campaign Aims For Stealth with Benign Macros
IcedID

2021-06-23 ⋅ IBM ⋅ Itzik Chimino
Ursnif Leverages Cerberus to Automate Fraudulent Bank Transfers in Italy
ISFB

2021-06-20 ⋅ The DFIR Report ⋅ The DFIR Report
From Word to Lateral Movement in 1 Hour
Cobalt Strike IcedID

2021-06-16 ⋅ S2 Grupo ⋅ CSIRT-CV (the ICT Security Center of the Valencian Community)
Emotet campaign analysis
Emotet QakBot

2021-06-16 ⋅ Proofpoint ⋅ Selena Larson, Daniel Blackford, Garrett M. Graff
The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker

2021-06-16 ⋅ Twitter (@ChouchWard) ⋅ ch0uch ward
Tweet on Qbot operators left their web server's access.log file unsecured
QakBot

2021-06-15 ⋅ Perception Point ⋅ Shai Golderman
Insights Into an Excel 4.0 Macro Attack using Qakbot Malware
QakBot

2021-06-10 ⋅ ZEIT Online ⋅ Von Kai Biermann, Astrid Geisler, Herwig G. Höller, Karsten Polke-Majewski, Zachary Kamel
On the Trail of the Internet Extortionists
Emotet Mailto

2021-06-10 ⋅ ZAYOTEM ⋅ İlker Verimoğlu, Emre Doğan, Kaan Binen, Abdulkadir Binan, Emrah Sarıdağ
QakBot Technical Analysis Report
QakBot

2021-06-10 ⋅ Tagesschau ⋅ Hakan Tanriverdi, Maximilian Zierer
Schadsoftware Emotet: BKA befragt Schlüsselfigur
Emotet

2021-06-08 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy
From QBot...with REvil Ransomware: Initial Attack Exposure of JBS
QakBot REvil

2021-06-02 ⋅ Bleeping Computer ⋅ Lawrence Abrams
FUJIFILM shuts down network after suspected ransomware attack
QakBot

2021-05-29 ⋅ Youtube (AhmedS Kasmani) ⋅ AhmedS Kasmani
Analysis of ICEID Malware Installer DLL
IcedID

2021-05-26 ⋅ DeepInstinct ⋅ Ron Ben Yizhak
A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader

2021-05-26 ⋅ Check Point ⋅ Alex Ilgayev
Melting Ice – Tracking IcedID Servers with a few simple steps
IcedID

2021-05-19 ⋅ Team Cymru ⋅ Josh Hopkins, Andy Kraus, Nick Byers
Tracking BokBot Infrastructure Mapping a Vast and Currently Active BokBot Network
IcedID

2021-05-19 ⋅ Intel 471 ⋅ Intel 471
Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot

2021-05-18 ⋅ RECON INFOSEC ⋅ Andrew Cook
An Encounter With TA551/Shathak
IcedID

2021-05-17 ⋅ Github (telekom-security) ⋅ Deutsche Telekom Security GmbH
icedid_analysis
IcedID

2021-05-17 ⋅ Telekom ⋅ Thomas Barabosch
Let’s set ice on fire: Hunting and detecting IcedID infections
IcedID

2021-05-12 ⋅ The DFIR Report
Conti Ransomware
Cobalt Strike Conti IcedID

2021-05-10 ⋅ Wirtschaftswoche ⋅ Thomas Kuhn
How one of the largest hacker networks in the world was paralyzed
Emotet

2021-05-10 ⋅ MALWATION ⋅ malwation
IcedID Malware Technical Analysis Report
IcedID

2021-05-10 ⋅ Mal-Eats ⋅ mal_eats
Overview of Campo, a new attack campaign targeting Japan
AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader

2021-05-04 ⋅ NCC Group ⋅ fumik0, NCC RIFT
RM3 – Curiosities of the wildest banking malware
ISFB RM3

2021-05-04 ⋅ Seguranca Informatica ⋅ Pedro Tavares
A taste of the latest release of QakBot
QakBot

2021-05-04 ⋅ Fox-IT ⋅ fumik0, the RIFT Team, Fox IT
RM3 – Curiosities of the wildest banking malware
ISFB

2021-04-30 ⋅ MADRID Labs ⋅ Odin Bernstein
Qbot: Analyzing PHP Proxy Scripts from Compromised Web Server
QakBot

2021-04-28 ⋅ IBM ⋅ David Bisson
QBot Malware Spotted Using Windows Defender Antivirus Lure
QakBot

2021-04-28 ⋅ Reversing Labs ⋅ Karlo Zanki
Spotting malicious Excel4 macros
QakBot

2021-04-22 ⋅ Github (@cecio) ⋅ @red5heep
EMOTET: a State-Machine reversing exercise
Emotet

2021-04-22 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2021
Emotet Ficker Stealer Raccoon

2021-04-19 ⋅ Netresec ⋅ Erik Hjelmvik
Analysing a malware PCAP with IcedID and Cobalt Strike traffic
Cobalt Strike IcedID

2021-04-19 ⋅ Twitter (@_alex_il_) ⋅ Alex Ilgayev
Tweet on QakBot's additional decryption mechanism
QakBot

2021-04-17 ⋅ YouTube (Worcester DEFCON Group) ⋅ Joel Snape, Nettitude
Inside IcedID: Anatomy Of An Infostealer
IcedID

2021-04-15 ⋅ AT&T ⋅ Dax Morrow, Ofer Caspi
The rise of QakBot
QakBot

2021-04-13 ⋅ Silent Push ⋅ Martijn Grooten
Malicious infrastructure as a service
IcedID PhotoLoader QakBot

2021-04-12 ⋅ Trend Micro ⋅ Raphael Centeno, Don Ovid Ladores, Lala Manly, Junestherry Salvador, Frankylnn Uy
A Spike in BazarCall and IcedID Activity Detected in March
BazarBackdoor IcedID

2021-04-12 ⋅ Twitter (@elisalem9) ⋅ Eli Salem
Tweets on QakBot
QakBot

2021-04-12 ⋅ PTSecurity ⋅ PTSecurity
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader

2021-04-11 ⋅ 4rchibld ⋅ 4rchibld
IcedID on my neck I’m the coolest
IcedID

2021-04-10 ⋅ Youtube (AhmedS Kasmani) ⋅ AhmedS Kasmani
Malware Analysis: IcedID Banking Trojan JavaScript Dropper
IcedID

2021-04-09 ⋅ aaqeel01 ⋅ Ali Aqeel
IcedID Analysis
IcedID

2021-04-09 ⋅ Microsoft ⋅ Emily Hacker, Justin Carroll, Microsoft 365 Defender Threat Intelligence Team
Investigating a unique “form” of email delivery for IcedID malware
IcedID

2021-04-09 ⋅ Palo Alto Networks Unit 42 ⋅ Yanhui Jia, Chris Navarrete
Emotet Command and Control Case Study
Emotet

2021-04-07 ⋅ Uptycs ⋅ Ashwin Vamshi, Abhijit Mohanta
IcedID campaign spotted being spiced with Excel 4 Macros
IcedID

2021-04-07 ⋅ Minerva ⋅ Minerva Labs
IcedID - A New Threat In Office Attachments
IcedID

2021-04-06 ⋅ Intel 471 ⋅ Intel 471
EtterSilent: the underground’s new favorite maldoc builder
BazarBackdoor ISFB QakBot TrickBot

2021-04-01 ⋅ Reversing Labs ⋅ Robert Simmons
Code Reuse Across Packers and DLL Loaders
IcedID SystemBC

2021-03-31 ⋅ Silent Push ⋅ Martijn Grooten
IcedID Command and Control Infrastructure
IcedID PhotoLoader

2021-03-31 ⋅ Kaspersky ⋅ Kaspersky
Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus

2021-03-31 ⋅ Red Canary ⋅ Red Canary
2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot

2021-03-29 ⋅ The DFIR Report ⋅ The DFIR Report
Sodinokibi (aka REvil) Ransomware
Cobalt Strike IcedID REvil

2021-03-26 ⋅ Trend Micro ⋅ Trend Micro
Alleged Members of Egregor Ransomware Cartel Arrested
Egregor QakBot

2021-03-21 ⋅ Blackberry ⋅ Blackberry Research
2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot

2021-03-19 ⋅ MITRE ⋅ MITRE ATT&CK
TA551
GOLD CABIN

2021-03-18 ⋅ VinCSS ⋅ Tran Trung Kien
[RE021] Qakbot analysis – Dangerous malware has been around for more than a decade
QakBot

2021-03-17 ⋅ HP ⋅ HP Bromium
Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader

2021-03-12 ⋅ Binary Defense ⋅ James Quinn
IcedID GZIPLOADER Analysis
IcedID

2021-03-08 ⋅ Palo Alto Networks Unit 42 ⋅ Chris Navarrete, Yanhui Jia, Matthew Tennis, Durgesh Sangvikar, Rongbo Shao
Attack Chain Overview: Emotet in December 2020 and January 2021
Emotet

2021-03-04 ⋅ F5 ⋅ Dor Nizar, Roy Moshailov
IcedID Banking Trojan Uses COVID-19 Pandemic to Lure New Victims
IcedID

2021-03 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader

2021-02-28 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team

2021-02-28 ⋅ NetbyteSEC
Deobfuscating Emotet Macro Document and Powershell Command
Emotet

2021-02-26 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil

2021-02-25 ⋅ ANSSI ⋅ CERT-FR
Ryuk Ransomware
BazarBackdoor Buer Conti Emotet Ryuk TrickBot

2021-02-25 ⋅ FireEye ⋅ Bryce Abdo, Brendan McKeague, Van Ta
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC

2021-02-25 ⋅ JPCERT/CC ⋅ Ken Sajo
Emotet Disruption and Outreach to Affected Users
Emotet

2021-02-24 ⋅ IBM ⋅ IBM SECURITY X-FORCE
X-Force Threat Intelligence Index 2021
Emotet QakBot Ramnit REvil TrickBot

2021-02-24 ⋅ Allsafe ⋅ Shota Nakajima, Hara Hiroaki
Malware Analysis at Scale - Defeating Emotet by Ghidra
Emotet

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-02-17 ⋅ Politie NL ⋅ Politie NL
Politie bestrijdt cybercrime via Nederlandse infrastructuur
Emotet

2021-02-17 ⋅ YouTube (AGDC Services) ⋅ AGDC Services
How Malware Can Resolve APIs By Hash
Emotet Mailto

2021-02-16 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team
Q4 2020 Threat Report: A Quarterly Analysis of Cybersecurity Trends, Tactics and Themes
Emotet Ryuk NARWHAL SPIDER TA800

2021-02-15 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report
Tweet on Qakbot post infection discovery activity
QakBot

2021-02-12 ⋅ CERT-FR ⋅ CERT-FR
The Malware-Aa-A-Service Emotet
Emotet

2021-02-08 ⋅ GRNET CERT ⋅ Dimitris Kolotouros, Marios Levogiannis
Reverse engineering Emotet – Our approach to protect GRNET against the trojan
Emotet

2021-02-03 ⋅ Digital Shadows ⋅ Stefano De Blasi
Emotet Disruption: what it means for the cyber threat landscape
Emotet

2021-02-03 ⋅ Mimecast, Nettitude
TA551/Shathak Threat Research
IcedID

2021-02-03 ⋅ ZDNet ⋅ Charlie Osborne
Ursnif Trojan has targeted over 100 Italian banks
ISFB Snifula

2021-02-02 ⋅ CRONUP ⋅ Germán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader

2021-02-01 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
What tracking an attacker email infrastructure tells us about persistent cybercriminal operations
Dridex Emotet Makop Ransomware SmokeLoader TrickBot

2021-01-29 ⋅ Malwarebytes ⋅ Threat Intelligence Team
Cleaning up after Emotet: the law enforcement file
Emotet

2021-01-28 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab
Emotet Botnet Takedown
Emotet

2021-01-28 ⋅ Department of Homeland Security ⋅ Department of Justice
Emotet Botnet Disrupted in International Cyber Operation
Emotet

2021-01-28 ⋅ NTT ⋅ Dan Saunders
Emotet disruption - Europol counterattack
Emotet

2021-01-28 ⋅ Youtube (Virus Bulletin) ⋅ Benoît Ancel
The Bagsu banker case
Azorult DreamBot Emotet Pony TrickBot ZeusAction

2021-01-28 ⋅ InfoSec Handlers Diary Blog ⋅ Daniel Wesemann
Emotet vs. Windows Attack Surface Reduction
Emotet

2021-01-27 ⋅ Team Cymru ⋅ James Shank
Taking Down Emotet How Team Cymru Leveraged Visibility and Relationships to Coordinate Community Efforts
Emotet

2021-01-27 ⋅ KrebsOnSecurity ⋅ Brian Krebs
International Action Targets Emotet Crimeware
Emotet

2021-01-27 ⋅ Youtube (Національна поліція України) ⋅ Національна поліція України
Кіберполіція викрила транснаціональне угруповання хакерів у розповсюдженні вірусу EMOTET
Emotet

2021-01-27 ⋅ Bundeskriminalamt ⋅ Bundeskriminalamt
Infrastruktur der Emotet-Schadsoftware zerschlagen
Emotet

2021-01-27 ⋅ Twitter (@milkr3am) ⋅ milkream
Tweet on all Emotet epoch pushing payload to self remove emotet malware on 2021-04-25
Emotet

2021-01-27 ⋅ Intel 471 ⋅ Intel 471
Emotet takedown is not like the Trickbot takedown
Emotet

2021-01-27 ⋅ Eurojust ⋅ Eurojust
World’s most dangerous malware EMOTET disrupted through global action
Emotet

2021-01-19 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Wireshark Tutorial: Examining Emotet Infection Traffic
Emotet GootKit IcedID QakBot TrickBot

2021-01-19 ⋅ Medium elis531989 ⋅ Eli Salem
Funtastic Packers And Where To Find Them
Get2 IcedID QakBot

2021-01-18 ⋅ tccontre Blog ⋅ tcontre
Extracting Shellcode in ICEID .PNG Steganography
IcedID

2021-01-14 ⋅ Netskope ⋅ Ghanashyam Satpathy, Dagmawi Mulugeta
You Can Run, But You Can’t Hide: Advanced Emotet Updates
Emotet

2021-01-13 ⋅ VinCSS ⋅ Tran Trung Kien, m4n0w4r
[RE019] From A to X analyzing some real cases which used recent Emotet samples
Emotet

2021-01-12 ⋅ Fortinet ⋅ Xiaopeng Zhang
New Variant of Ursnif Continuously Targeting Italy
ISFB

2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot

2021-01-08 ⋅ 0xC0DECAFE ⋅ Thomas Barabosch
The malware analyst’s guide to aPLib decompression
ISFB Rovnix

2021-01-07 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
TA551: Email Attack Campaign Switches from Valak to IcedID
IcedID

2021-01-06 ⋅ FBI ⋅ FBI
PIN Number 20210106-001: Egregor Ransomware Targets Businesses Worldwide, Attempting to Extort Businesses by Publicly Releasing Exfiltrated Data
Egregor QakBot

2021-01-05 ⋅ r3mrum blog ⋅ R3MRUM
Manual analysis of new PowerSplit maldocs delivering Emotet
Emotet

2021 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD CABIN
GOLD CABIN

2021 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD LAGOON
QakBot MALLARD SPIDER

2021 ⋅ AWAKE ⋅ Awake Security
Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR)
Cobalt Strike IcedID PhotoLoader

2020-12-31 ⋅ Cert-AgID ⋅ Cert-AgID
Simplify Emotet parsing with Python and iced x86
Emotet

2020-12-30 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
Emotet malware hits Lithuania's National Public Health Center
Emotet

2020-12-21 ⋅ Cisco Talos ⋅ JON MUNSHAW
2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader

2020-12-15 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab
QakBot reducing its on disk artifacts
Egregor PwndLocker QakBot

2020-12-12 ⋅ Medium 0xthreatintel ⋅ 0xthreatintel
Reversing QakBot [ TLP: White]
QakBot

2020-12-10 ⋅ Youtube (OALabs) ⋅ Sergei Frankoff
Malware Triage Analyzing PrnLoader Used To Drop Emotet
Emotet

2020-12-10 ⋅ NRI SECURE ⋅ NeoSOC
マルウェア「IcedID」の検知傾向と感染に至るプロセスを徹底解説
IcedID

2020-12-09 ⋅ Cisco ⋅ David Liebenberg, Caitlin Huey
Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk

2020-12-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Recent Qakbot (Qbot) activity
Cobalt Strike QakBot

2020-12-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team
EDR in block mode stops IcedID cold
IcedID

2020-12-09 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall
It's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)
Cobalt Strike DoppelPaymer QakBot REvil

2020-12-04 ⋅ Kaspersky Labs ⋅ Oleg Kupreev
The chronicles of Emotet
Emotet

2020-12-03 ⋅ Recorded Future ⋅ Insikt Group®
Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot
Egregor QakBot

2020-12-02 ⋅ CyberInt ⋅ Cyberint Research
IcedID Stealer Man-in-the-browser Banking Trojan
IcedID

2020-12-02 ⋅ Red Canary ⋅ twitter (@redcanary)
Tweet on increased #Qbot activity delivering Cobalt Strike & #Egregor ransomware
Cobalt Strike Egregor QakBot

2020-12-01 ⋅ Group-IB ⋅ Group-IB, Oleg Skulkin, Semyon Rogachev, Roman Rezvukhin
Egregor ransomware: The legacy of Maze lives on
Egregor QakBot

2020-11-30 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall
It's not FINished The Evolving Maturity in Ransomware Operations
Cobalt Strike DoppelPaymer MimiKatz QakBot REvil

2020-11-27 ⋅ malware.love ⋅ Robert Giczewski
Having fun with a Ursnif VBS dropper
ISFB Snifula

2020-11-27 ⋅ Fiducia & GAD IT AG ⋅ Frank Boldewin
When ransomware hits an ATM giant - The Diebold Nixdorf case dissected
PwndLocker QakBot

2020-11-26 ⋅ VirusTotal ⋅ Emiliano Martinez
Using similarity to expand context and map out threat campaigns
Emotet

2020-11-26 ⋅ Cybereason ⋅ Lior Rochberger, Cybereason Nocturnus
Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot

2020-11-22 ⋅ Irshad's Blog ⋅ Irshad Muhammad
Analyzing an Emotet Dropper and Writing a Python Script to Statically Unpack Payload.
Emotet

2020-11-20 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
The Locking Egregor
Egregor QakBot

2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader

2020-11-18 ⋅ Cisco ⋅ Nick Biasini, Edmund Brumaghin, Jaeson Schultz
Back from vacation: Analyzing Emotet’s activity in 2020
Emotet

2020-11-12 ⋅ Intrinsec ⋅ Jean Bichet
Egregor – Prolock: Fraternal Twins ?
Egregor PwndLocker QakBot

2020-11-06 ⋅ Security Soup Blog ⋅ Ryan Campbell
Quick Post: Spooky New PowerShell Obfuscation in Emotet Maldocs
Emotet

2020-11-06 ⋅ LAC WATCH ⋅ Matsumoto, Takagen, Ishikawa
分析レポート：Emotetの裏で動くバンキングマルウェア「Zloader」に注意
Emotet Zloader

2020-11-05 ⋅ Brim Security ⋅ Oliver Rochford
Hunting Emotet with Brim and Zeek
Emotet

2020-10-29 ⋅ Palo Alto Networks Unit 42 ⋅ Ruian Duan, Zhanhao Chen, Seokkyung Chung, Janos Szurdi, Jingwei Fan
Domain Parking: A Gateway to Attackers Spreading Emotet and Impersonating McAfee
Emotet

2020-10-29 ⋅ CERT-FR ⋅ CERT-FR
LE MALWARE-AS-A-SERVICE EMOTET
Dridex Emotet ISFB QakBot

2020-10-28 ⋅ Bitdefender ⋅ Ruben Andrei Condor
A Decade of WMI Abuse – an Overview of Techniques in Modern Malware
sLoad Emotet Maze

2020-10-20 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ BSI
Die Lage der IT-Sicherheit in Deutschland 2020
Clop Emotet REvil Ryuk TrickBot

2020-10-19 ⋅ SPAM Auditor ⋅ Thomas
The Many Faces of Emotet
Emotet

2020-10-16 ⋅ Proofpoint ⋅ Cassandra A., Proofpoint Threat Research Team
Geofenced Amazon Japan Credential Phishing Volumes Rival Emotet
Emotet

2020-10-15 ⋅ Department of Justice ⋅ Department of Justice
Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals
Dridex ISFB TrickBot

2020-10-14 ⋅ CrowdStrike ⋅ The Falcon Complete Team
Duck Hunting with Falcon Complete: Remediating a Fowl Banking Trojan, Part 3
QakBot

2020-10-12 ⋅ DeepInstinct ⋅ Ron Ben Yizhak
Why Emotet’s Latest Wave is Harder to Catch Than Ever Before – Part 2
Emotet

2020-10-07 ⋅ CrowdStrike ⋅ The Falcon Complete Team
Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 2
QakBot Zloader

2020-10-01 ⋅ CrowdStrike ⋅ Dylan Barker, Quinten Bowen, Ryan Campbell
Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 1
QakBot MALLARD SPIDER

2020-10-01 ⋅ Proofpoint ⋅ Axel F, Proofpoint Threat Research Team
Emotet Makes Timely Adoption of Political and Elections Lures
Emotet

2020-09-29 ⋅ PWC UK ⋅ Andy Auld
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker

2020-09-29 ⋅ Microsoft ⋅ Microsoft
Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot

2020-09-29 ⋅ Seqrite ⋅ Prashant Tilekar
The return of the Emotet as the world unlocks!
Emotet

2020-09-11 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
Research Roundup: Activity on Previously Identified APT33 Domains
Emotet PlugX APT33

2020-09-10 ⋅ QuoSec GmbH ⋅ Quosec Blog
grap: Automating QakBot strings decryption
QakBot

2020-09-10 ⋅ Group-IB ⋅ Oleg Skulkin, Semyon Rogachev
Lock Like a Pro: Dive in Recent ProLock's Big Game Hunting
PwndLocker QakBot

2020-09-07 ⋅ CERT-FR ⋅ CERT-FR
Bulletin d'alerte du CERT-FR: Recrudescence d’activité Emotet en France
Emotet

2020-09-07 ⋅ CERT NZ ⋅ CERT NZ
Emotet Malware being spread via email
Emotet

2020-09-04 ⋅ QuoSec GmbH ⋅ Quosec Blog
Navigating QakBot samples with grap
QakBot

2020-09-02 ⋅ Cisco Talos ⋅ Holger Unterbrink, Edmund Brumaghin
Salfram: Robbing the place without removing your name tag
Ave Maria ISFB SmokeLoader Zloader

2020-08-31 ⋅ Inde ⋅ Chris Campbell
Analysis of the latest wave of Emotet malicious documents
Emotet

2020-08-28 ⋅ Proofpoint ⋅ Axel F, Proofpoint Threat Research Team