SWEED  (Back to overview)

Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling "SWEED," including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans. SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that's been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we've seen in the past in the way that it is packed, as well as how it infects the system. In this post, we'll run down each campaign we're able to connect to SWEED, and talk about some of the actor's tactics, techniques and procedures (TTPs).

---

Associated Families

---

References

2023-07-12 ⋅ Fortinet ⋅ Cara Lin @online{lin:20230712:lokibot:f77d705, author = {Cara Lin}, title = {{LokiBot Campaign Targets Microsoft Office Document Using Vulnerabilities and Macros}}, date = {2023-07-12}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/lokibot-targets-microsoft-office-document-using-vulnerabilities-and-macros}, language = {English}, urldate = {2023-07-19} } LokiBot Campaign Targets Microsoft Office Document Using Vulnerabilities and Macros Loki Password Stealer (PWS)

2023-07-06 ⋅ kienmanowar Blog ⋅ Tran Trung Kien, m4n0w4r @online{kien:20230706:quicknote:20dc1f1, author = {Tran Trung Kien and m4n0w4r}, title = {{[QuickNote] Examining Formbook Campaign via Phishing Emails}}, date = {2023-07-06}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2023/07/06/quicknote-examining-formbook-campaign-via-phishing-emails/}, language = {English}, urldate = {2023-07-13} } [QuickNote] Examining Formbook Campaign via Phishing Emails Formbook

2023-06-30 ⋅ Github (itaymigdal) ⋅ Itay Migdal @online{migdal:20230630:formbook:9f7bd1b, author = {Itay Migdal}, title = {{Formbook unpacking}}, date = {2023-06-30}, organization = {Github (itaymigdal)}, url = {https://github.com/itaymigdal/malware-analysis-writeups/blob/main/FormBook/FormBook.md}, language = {English}, urldate = {2023-07-05} } Formbook unpacking Formbook

2023-06-05 ⋅ Malware Traffic Analysis ⋅ Brad Duncan @online{duncan:20230605:30:f0b7756, author = {Brad Duncan}, title = {{30 DAYS OF FORMBOOK: DAY 1, MONDAY 2023-06-05}}, date = {2023-06-05}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2023/06/05/index.html}, language = {English}, urldate = {2023-06-06} } 30 DAYS OF FORMBOOK: DAY 1, MONDAY 2023-06-05 Formbook

2023-05-07 ⋅ Twitter (@embee_research) ⋅ Matthew @online{matthew:20230507:agenttesla:65bf8af, author = {Matthew}, title = {{AgentTesla - Full Loader Analysis - Resolving API Hashes Using Conditional Breakpoints}}, date = {2023-05-07}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/agenttesla-full-analysis-api-hashing/}, language = {English}, urldate = {2023-05-08} } AgentTesla - Full Loader Analysis - Resolving API Hashes Using Conditional Breakpoints Agent Tesla

2023-04-16 ⋅ OALabs ⋅ Sergei Frankoff @online{frankoff:20230416:xorstringsnet:79d9991, author = {Sergei Frankoff}, title = {{XORStringsNet}}, date = {2023-04-16}, organization = {OALabs}, url = {https://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html}, language = {English}, urldate = {2023-05-02} } XORStringsNet Agent Tesla RedLine Stealer

2023-04-10 ⋅ Check Point ⋅ Check Point @online{point:20230410:march:144c1ad, author = {Check Point}, title = {{March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files}}, date = {2023-04-10}, organization = {Check Point}, url = {https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/}, language = {English}, urldate = {2023-04-12} } March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files Agent Tesla CloudEyE Emotet Formbook Nanocore RAT NjRAT QakBot Remcos Tofsee

2023-04-07 ⋅ Elastic ⋅ Salim Bitam @online{bitam:20230407:attack:aed6a32, author = {Salim Bitam}, title = {{Attack chain leads to XWORM and AGENTTESLA}}, date = {2023-04-07}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla}, language = {English}, urldate = {2023-05-08} } Attack chain leads to XWORM and AGENTTESLA Agent Tesla XWorm

2023-03-30 ⋅ Zscaler ⋅ Javier Vicente, Brett Stone-Gross, Nikolaos Pantazopoulos @online{vicente:20230330:technical:99c71e1, author = {Javier Vicente and Brett Stone-Gross and Nikolaos Pantazopoulos}, title = {{Technical Analysis of Xloader’s Code Obfuscation in Version 4.3}}, date = {2023-03-30}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/technical-analysis-xloaders-code-obfuscation-version-43}, language = {English}, urldate = {2023-09-07} } Technical Analysis of Xloader’s Code Obfuscation in Version 4.3 Formbook

2023-03-30 ⋅ loginsoft ⋅ Saharsh Agrawal @online{agrawal:20230330:from:7b46ae0, author = {Saharsh Agrawal}, title = {{From Innocence to Malice: The OneNote Malware Campaign Uncovered}}, date = {2023-03-30}, organization = {loginsoft}, url = {https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/}, language = {English}, urldate = {2023-04-14} } From Innocence to Malice: The OneNote Malware Campaign Uncovered Agent Tesla AsyncRAT DOUBLEBACK Emotet Formbook IcedID NetWire RC QakBot Quasar RAT RedLine Stealer XWorm

2023-03-23 ⋅ Logpoint ⋅ Anish Bogati @online{bogati:20230323:emerging:3b75884, author = {Anish Bogati}, title = {{Emerging Threats: AgentTesla – A Review and Detection Strategies}}, date = {2023-03-23}, organization = {Logpoint}, url = {https://www.logpoint.com/en/blog/agentteslas-capabilities-review-detection-strategies/}, language = {English}, urldate = {2023-04-12} } Emerging Threats: AgentTesla – A Review and Detection Strategies Agent Tesla

2023-03-16 ⋅ Trend Micro ⋅ Cedric Pernet, Jaromír Hořejší, Loseway Lu @online{pernet:20230316:ipfs:6f479ce, author = {Cedric Pernet and Jaromír Hořejší and Loseway Lu}, title = {{IPFS: A New Data Frontier or a New Cybercriminal Hideout?}}, date = {2023-03-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout}, language = {English}, urldate = {2023-03-20} } IPFS: A New Data Frontier or a New Cybercriminal Hideout? Agent Tesla Formbook RedLine Stealer Remcos

2023-02-28 ⋅ ANY.RUN ⋅ ANY.RUN @online{anyrun:20230228:xloaderformbook:bdcb64a, author = {ANY.RUN}, title = {{XLoader/FormBook: Encryption Analysis and Malware Decryption}}, date = {2023-02-28}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/}, language = {English}, urldate = {2023-09-07} } XLoader/FormBook: Encryption Analysis and Malware Decryption Formbook

2023-01-30 ⋅ Checkpoint ⋅ Arie Olshtein @online{olshtein:20230130:following:e442fcc, author = {Arie Olshtein}, title = {{Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware}}, date = {2023-01-30}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/}, language = {English}, urldate = {2023-01-31} } Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot

2023-01-24 ⋅ Trellix ⋅ Daksh Kapur, Tomer Shloman, Robert Venal, John Fokker @online{kapur:20230124:cyberattacks:0a05372, author = {Daksh Kapur and Tomer Shloman and Robert Venal and John Fokker}, title = {{Cyberattacks Targeting Ukraine Increase 20-fold at End of 2022 Fueled by Russia-linked Gamaredon Activity}}, date = {2023-01-24}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html}, language = {English}, urldate = {2023-01-25} } Cyberattacks Targeting Ukraine Increase 20-fold at End of 2022 Fueled by Russia-linked Gamaredon Activity Andromeda Formbook Houdini Remcos

2023-01-16 ⋅ Difesa & Sicurezza ⋅ Francesco Bussoletti @online{bussoletti:20230116:cybercrime:56e622c, author = {Francesco Bussoletti}, title = {{Cybercrime, RFQ from Turkey carries AgentTesla and zgRAT}}, date = {2023-01-16}, organization = {Difesa & Sicurezza}, url = {https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/}, language = {English}, urldate = {2023-09-18} } Cybercrime, RFQ from Turkey carries AgentTesla and zgRAT Agent Tesla zgRAT

2022-12-18 ⋅ SANS ISC ⋅ Guy Bruneau @online{bruneau:20221218:infostealer:12fb43f, author = {Guy Bruneau}, title = {{Infostealer Malware with Double Extension}}, date = {2022-12-18}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/Infostealer+Malware+with+Double+Extension/29354}, language = {English}, urldate = {2022-12-20} } Infostealer Malware with Double Extension Agent Tesla

2022-12-08 ⋅ Trustwave ⋅ Rodel Mendrez, Phil Hay, Diana Lopera @online{mendrez:20221208:trojanized:bd135b7, author = {Rodel Mendrez and Phil Hay and Diana Lopera}, title = {{Trojanized OneNote Document Leads to Formbook Malware}}, date = {2022-12-08}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/}, language = {English}, urldate = {2022-12-19} } Trojanized OneNote Document Leads to Formbook Malware Formbook

2022-11-21 ⋅ Malwarebytes ⋅ Malwarebytes @techreport{malwarebytes:20221121:20221121:f4c6d35, author = {Malwarebytes}, title = {{2022-11-21 Threat Intel Report}}, date = {2022-11-21}, institution = {Malwarebytes}, url = {https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf}, language = {English}, urldate = {2022-11-25} } 2022-11-21 Threat Intel Report 404 Keylogger Agent Tesla Formbook Hive Remcos

2022-11-16 ⋅ splunk ⋅ Splunk Threat Research Team @online{team:20221116:inside:6c4f291, author = {Splunk Threat Research Team}, title = {{Inside the Mind of a ‘Rat’ - Agent Tesla Detection and Analysis}}, date = {2022-11-16}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/inside-the-mind-of-a-rat-agent-tesla-detection-and-analysis.html}, language = {English}, urldate = {2022-11-28} } Inside the Mind of a ‘Rat’ - Agent Tesla Detection and Analysis Agent Tesla

2022-11-09 ⋅ Cisco Talos ⋅ Edmund Brumaghin @online{brumaghin:20221109:threat:151d926, author = {Edmund Brumaghin}, title = {{Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns}}, date = {2022-11-09}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/ipfs-abuse/}, language = {English}, urldate = {2022-11-11} } Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns Agent Tesla

2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs @techreport{labs:20221013:spamhaus:43e3190, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q3 2022}}, date = {2022-10-13}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2022-12-29} } Spamhaus Botnet Threat Update Q3 2022 FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm

2022-10-05 ⋅ Fortinet ⋅ Xiaopeng Zhang @online{zhang:20221005:excel:ac2668c, author = {Xiaopeng Zhang}, title = {{Excel Document Delivers Multiple Malware by Exploiting CVE-2017-11882 – Part II}}, date = {2022-10-05}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two}, language = {English}, urldate = {2022-11-15} } Excel Document Delivers Multiple Malware by Exploiting CVE-2017-11882 – Part II Formbook RedLine Stealer

2022-09-23 ⋅ Kaspersky ⋅ Roman Dedenok, Artem Ushkov @online{dedenok:20220923:mass:217302e, author = {Roman Dedenok and Artem Ushkov}, title = {{Mass email campaign with a pinch of targeted spam}}, date = {2022-09-23}, organization = {Kaspersky}, url = {https://securelist.com/agent-tesla-malicious-spam-campaign/107478/}, language = {English}, urldate = {2022-09-27} } Mass email campaign with a pinch of targeted spam Agent Tesla

2022-09-19 ⋅ Fortinet ⋅ Xiaopeng Zhang @online{zhang:20220919:excel:0e222e2, author = {Xiaopeng Zhang}, title = {{Excel Document Delivers Multiple Malware By Exploiting CVE-2017-11882 – Part I}}, date = {2022-09-19}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882}, language = {English}, urldate = {2022-11-15} } Excel Document Delivers Multiple Malware By Exploiting CVE-2017-11882 – Part I Formbook RedLine Stealer

2022-09-15 ⋅ Sekoia ⋅ Threat & Detection Research Team @online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} } PrivateLoader: the loader of the prevalent ruzki PPI service Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer

2022-09-13 ⋅ Palo Alto Networks Unit 42 ⋅ Jeff White @online{white:20220913:originlogger:92a4758, author = {Jeff White}, title = {{OriginLogger: A Look at Agent Tesla’s Successor}}, date = {2022-09-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/originlogger/}, language = {English}, urldate = {2022-09-16} } OriginLogger: A Look at Agent Tesla’s Successor Agent Tesla OriginLogger

2022-08-29 ⋅ 360 netlab ⋅ wanghao @online{wanghao:20220829:purecrypter:4d81329, author = {wanghao}, title = {{PureCrypter Loader continues to be active and has spread to more than 10 other families}}, date = {2022-08-29}, organization = {360 netlab}, url = {https://blog.netlab.360.com/purecrypter}, language = {Chinese}, urldate = {2022-09-06} } PureCrypter Loader continues to be active and has spread to more than 10 other families 404 Keylogger Agent Tesla AsyncRAT Formbook RedLine Stealer

2022-08-17 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20220817:darktortilla:9a00612, author = {Counter Threat Unit ResearchTeam}, title = {{DarkTortilla Malware Analysis}}, date = {2022-08-17}, organization = {Secureworks}, url = {https://www.secureworks.com/research/darktortilla-malware-analysis}, language = {English}, urldate = {2023-01-05} } DarkTortilla Malware Analysis Agent Tesla AsyncRAT Cobalt Strike DarkTortilla Nanocore RAT RedLine Stealer

2022-08-08 ⋅ Medium CSIS Techblog ⋅ Benoît Ancel @online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader

2022-08-05 ⋅ 0xIvan ⋅ Twitter (@viljoenivan) @online{viljoenivan:20220805:lokibot:bb5fd5d, author = {Twitter (@viljoenivan)}, title = {{LokiBot Analysis}}, date = {2022-08-05}, organization = {0xIvan}, url = {https://ivanvza.github.io/posts/lokibot_analysis}, language = {English}, urldate = {2022-08-17} } LokiBot Analysis Loki Password Stealer (PWS)

2022-08-04 ⋅ ConnectWise ⋅ Stu Gonzalez @online{gonzalez:20220804:formbook:f3addb8, author = {Stu Gonzalez}, title = {{Formbook and Remcos Backdoor RAT by ConnectWise CRU}}, date = {2022-08-04}, organization = {ConnectWise}, url = {https://www.connectwise.com/resources/formbook-remcos-rat}, language = {English}, urldate = {2022-08-08} } Formbook and Remcos Backdoor RAT by ConnectWise CRU Formbook Remcos

2022-07-30 ⋅ cocomelonc @online{cocomelonc:20220730:malware:0f84be1, author = {cocomelonc}, title = {{Malware AV evasion - part 8. Encode payload via Z85}}, date = {2022-07-30}, url = {https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html}, language = {English}, urldate = {2022-12-01} } Malware AV evasion - part 8. Encode payload via Z85 Agent Tesla Carbanak Carberp Cardinal RAT Cobalt Strike donut_injector

2022-07-25 ⋅ Cert-UA ⋅ Cert-UA @online{certua:20220725:mass:92104f0, author = {Cert-UA}, title = {{Mass distribution of desktops (Formbook, Snake Keylogger) and use of Malware RelicRace/RelicSource as a means of delivery (CERT-UA#5056)}}, date = {2022-07-25}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/955924}, language = {Ukrainian}, urldate = {2022-07-28} } Mass distribution of desktops (Formbook, Snake Keylogger) and use of Malware RelicRace/RelicSource as a means of delivery (CERT-UA#5056) 404 Keylogger Formbook RelicRace

2022-07-20 ⋅ Cert-UA ⋅ Cert-UA @online{certua:20220720:cyberattack:3450ba8, author = {Cert-UA}, title = {{Cyberattack on State Organizations of Ukraine using the topic OK "South" and the malicious program AgentTesla (CERT-UA#4987)}}, date = {2022-07-20}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/861292}, language = {Ukrainian}, urldate = {2022-07-25} } Cyberattack on State Organizations of Ukraine using the topic OK "South" and the malicious program AgentTesla (CERT-UA#4987) Agent Tesla

2022-07-12 ⋅ Team Cymru ⋅ Kyle Krejci @online{krejci:20220712:analysis:de83dd7, author = {Kyle Krejci}, title = {{An Analysis of Infrastructure linked to the Hagga Threat Actor}}, date = {2022-07-12}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2022/07/12/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor}, language = {English}, urldate = {2022-07-15} } An Analysis of Infrastructure linked to the Hagga Threat Actor Agent Tesla

2022-07-12 ⋅ Cyren ⋅ Kervin Alintanahin @online{alintanahin:20220712:example:ae62e81, author = {Kervin Alintanahin}, title = {{Example Analysis of Multi-Component Malware}}, date = {2022-07-12}, organization = {Cyren}, url = {https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware}, language = {English}, urldate = {2022-07-18} } Example Analysis of Multi-Component Malware Emotet Formbook

2022-07-01 ⋅ cyble ⋅ Cyble @online{cyble:20220701:xloader:dd3b118, author = {Cyble}, title = {{Xloader Returns With New Infection Technique}}, date = {2022-07-01}, organization = {cyble}, url = {https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/}, language = {English}, urldate = {2022-07-01} } Xloader Returns With New Infection Technique Formbook

2022-06-30 ⋅ Cyber Geeks (CyberMasterV) ⋅ Vlad Pasca @online{pasca:20220630:how:78e5c24, author = {Vlad Pasca}, title = {{How to Expose a Potential Cybercriminal due to Misconfigurations}}, date = {2022-06-30}, organization = {Cyber Geeks (CyberMasterV)}, url = {https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations/}, language = {English}, urldate = {2022-07-05} } How to Expose a Potential Cybercriminal due to Misconfigurations Loki Password Stealer (PWS)

2022-06-30 ⋅ CYBER GEEKS All Things Infosec ⋅ CyberMasterV @online{cybermasterv:20220630:how:035d973, author = {CyberMasterV}, title = {{How to Expose a Potential Cybercriminal due to Misconfigurations}}, date = {2022-06-30}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations}, language = {English}, urldate = {2022-08-31} } How to Expose a Potential Cybercriminal due to Misconfigurations Loki Password Stealer (PWS)

2022-05-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20220519:net:ecf311c, author = {The BlackBerry Research & Intelligence Team}, title = {{.NET Stubs: Sowing the Seeds of Discord (PureCrypter)}}, date = {2022-05-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord}, language = {English}, urldate = {2022-06-09} } .NET Stubs: Sowing the Seeds of Discord (PureCrypter) Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate

2022-05-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20220519:net:64662b5, author = {The BlackBerry Research & Intelligence Team}, title = {{.NET Stubs: Sowing the Seeds of Discord}}, date = {2022-05-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?}, language = {English}, urldate = {2022-05-23} } .NET Stubs: Sowing the Seeds of Discord Agent Tesla Quasar RAT WhisperGate

2022-05-12 ⋅ Palo Alto Networks Unit 42 ⋅ Tyler Halfpop @online{halfpop:20220512:harmful:163b756, author = {Tyler Halfpop}, title = {{Harmful Help: Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla}}, date = {2022-05-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/}, language = {English}, urldate = {2022-05-17} } Harmful Help: Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla Agent Tesla

2022-05-05 ⋅ Malwarebytes Labs ⋅ Threat Intelligence Team @online{team:20220505:nigerian:4c047d9, author = {Threat Intelligence Team}, title = {{Nigerian Tesla: 419 scammer gone malware distributor unmasked}}, date = {2022-05-05}, organization = {Malwarebytes Labs}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/05/nigerian-tesla-419-scammer-gone-malware-distributor-unmasked/}, language = {English}, urldate = {2022-05-08} } Nigerian Tesla: 419 scammer gone malware distributor unmasked Agent Tesla

2022-04-20 ⋅ cocomelonc ⋅ cocomelonc @online{cocomelonc:20220420:malware:b20963e, author = {cocomelonc}, title = {{Malware development: persistence - part 1. Registry run keys. C++ example.}}, date = {2022-04-20}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html}, language = {English}, urldate = {2022-12-01} } Malware development: persistence - part 1. Registry run keys. C++ example. Agent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky

2022-04-17 ⋅ Malcat ⋅ malcat team @online{team:20220417:reversing:4e53a3a, author = {malcat team}, title = {{Reversing a NSIS dropper using quick and dirty shellcode emulation}}, date = {2022-04-17}, organization = {Malcat}, url = {https://malcat.fr/blog/reversing-a-nsis-dropper-using-quick-and-dirty-shellcode-emulation/}, language = {English}, urldate = {2022-04-29} } Reversing a NSIS dropper using quick and dirty shellcode emulation Loki Password Stealer (PWS)

2022-04-15 ⋅ Center for Internet Security ⋅ CIS @online{cis:20220415:top:62c8245, author = {CIS}, title = {{Top 10 Malware March 2022}}, date = {2022-04-15}, organization = {Center for Internet Security}, url = {https://www.cisecurity.org/insights/blog/top-10-malware-march-2022}, language = {English}, urldate = {2023-02-17} } Top 10 Malware March 2022 Mirai Shlayer Agent Tesla Ghost RAT Nanocore RAT SectopRAT solarmarker Zeus

2022-04-12 ⋅ Check Point ⋅ Check Point Research @online{research:20220412:march:2c56dc6, author = {Check Point Research}, title = {{March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance}}, date = {2022-04-12}, organization = {Check Point}, url = {https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/}, language = {English}, urldate = {2022-04-20} } March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance Alien FluBot Agent Tesla Emotet

2022-03-31 ⋅ APNIC ⋅ Debashis Pal @online{pal:20220331:how:c5195a9, author = {Debashis Pal}, title = {{How to: Detect and prevent common data exfiltration attacks}}, date = {2022-03-31}, organization = {APNIC}, url = {https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/}, language = {English}, urldate = {2022-05-05} } How to: Detect and prevent common data exfiltration attacks Agent Tesla DNSMessenger PingBack Rising Sun

2022-03-26 ⋅ forensicitguy ⋅ Tony Lambert @online{lambert:20220326:agenttesla:edea93d, author = {Tony Lambert}, title = {{An AgentTesla Sample Using VBA Macros and Certutil}}, date = {2022-03-26}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/agenttesla-vba-certutil-download/}, language = {English}, urldate = {2022-03-28} } An AgentTesla Sample Using VBA Macros and Certutil Agent Tesla

2022-03-25 ⋅ GOV.UA ⋅ State Service of Special Communication and Information Protection of Ukraine (CIP) @online{cip:20220325:who:e75f0ac, author = {State Service of Special Communication and Information Protection of Ukraine (CIP)}, title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}}, date = {2022-03-25}, organization = {GOV.UA}, url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya}, language = {English}, urldate = {2022-08-05} } Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22 Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT

2022-03-11 ⋅ Netskope ⋅ Gustavo Palazolo @online{palazolo:20220311:new:68467fb, author = {Gustavo Palazolo}, title = {{New Formbook Campaign Delivered Through Phishing Emails}}, date = {2022-03-11}, organization = {Netskope}, url = {https://www.netskope.com/blog/new-formbook-campaign-delivered-through-phishing-emails}, language = {English}, urldate = {2022-03-14} } New Formbook Campaign Delivered Through Phishing Emails Formbook

2022-03-07 ⋅ Fortinet ⋅ James Slaughter, Fred Gutierrez, Val Saengphaibul @online{slaughter:20220307:fake:8999835, author = {James Slaughter and Fred Gutierrez and Val Saengphaibul}, title = {{Fake Purchase Order Used to Deliver Agent Tesla}}, date = {2022-03-07}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla}, language = {English}, urldate = {2022-03-08} } Fake Purchase Order Used to Deliver Agent Tesla Agent Tesla

2022-03-07 ⋅ LAC WATCH ⋅ Cyber ​​Emergency Center @online{center:20220307:i:aadcf34, author = {Cyber ​​Emergency Center}, title = {{I CAN'T HEAR YOU NOW! INTERNAL BEHAVIOR OF INFORMATION-STEALING MALWARE AND JSOC DETECTION TRENDS}}, date = {2022-03-07}, organization = {LAC WATCH}, url = {https://www.lac.co.jp/lacwatch/report/20220307_002893.html}, language = {Japanese}, urldate = {2022-04-05} } I CAN'T HEAR YOU NOW! INTERNAL BEHAVIOR OF INFORMATION-STEALING MALWARE AND JSOC DETECTION TRENDS Xloader Agent Tesla Formbook Loki Password Stealer (PWS)

2022-03-04 ⋅ Bleeping Computer ⋅ Bill Toulas @online{toulas:20220304:russiaukraine:60c3069, author = {Bill Toulas}, title = {{Russia-Ukraine war exploited as lure for malware distribution}}, date = {2022-03-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/}, language = {English}, urldate = {2022-03-04} } Russia-Ukraine war exploited as lure for malware distribution Agent Tesla Remcos

2022-03-04 ⋅ Bitdefender ⋅ Alina Bizga @online{bizga:20220304:bitdefender:44d1f32, author = {Alina Bizga}, title = {{Bitdefender Labs Sees Increased Malicious and Scam Activity Exploiting the War in Ukraine}}, date = {2022-03-04}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine}, language = {English}, urldate = {2022-03-04} } Bitdefender Labs Sees Increased Malicious and Scam Activity Exploiting the War in Ukraine Agent Tesla Remcos

2022-02-28 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20220228:change:c9b5e5c, author = {ASEC Analysis Team}, title = {{Change in Distribution Method of Malware Disguised as Estimate (VBS Script)}}, date = {2022-02-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/32149/}, language = {English}, urldate = {2022-03-02} } Change in Distribution Method of Malware Disguised as Estimate (VBS Script) Formbook

2022-02-23 ⋅ Weixin ⋅ 360 Threat Intelligence Center @online{center:20220223:aptc58:fb10a0a, author = {360 Threat Intelligence Center}, title = {{APT-C-58 (Gorgon Group) attack warning}}, date = {2022-02-23}, organization = {Weixin}, url = {https://mp.weixin.qq.com/s/X0kAIHOSldiFDthb4IsmbQ}, language = {Chinese}, urldate = {2022-03-01} } APT-C-58 (Gorgon Group) attack warning Agent Tesla

2022-02-11 ⋅ Cisco Talos ⋅ Talos @online{talos:20220211:threat:fcad762, author = {Talos}, title = {{Threat Roundup for February 4 to February 11}}, date = {2022-02-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html}, language = {English}, urldate = {2022-02-14} } Threat Roundup for February 4 to February 11 DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus

2022-02-11 ⋅ forensicitguy ⋅ Tony Lambert @online{lambert:20220211:xloaderformbook:1f69d72, author = {Tony Lambert}, title = {{XLoader/Formbook Distributed by Encrypted VelvetSweatshop Spreadsheets}}, date = {2022-02-11}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/}, language = {English}, urldate = {2022-02-14} } XLoader/Formbook Distributed by Encrypted VelvetSweatshop Spreadsheets Formbook

2022-02-06 ⋅ forensicitguy ⋅ Tony Lambert @online{lambert:20220206:agenttesla:6d362f7, author = {Tony Lambert}, title = {{AgentTesla From RTF Exploitation to .NET Tradecraft}}, date = {2022-02-06}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/agenttesla-rtf-dotnet-tradecraft/}, language = {English}, urldate = {2022-02-07} } AgentTesla From RTF Exploitation to .NET Tradecraft Agent Tesla

2022-02-02 ⋅ Qualys ⋅ Ghanshyam More @online{more:20220202:catching:aca19c0, author = {Ghanshyam More}, title = {{Catching the RAT called Agent Tesla}}, date = {2022-02-02}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/02/02/catching-the-rat-called-agent-tesla}, language = {English}, urldate = {2022-02-04} } Catching the RAT called Agent Tesla Agent Tesla

2022-01-28 ⋅ Atomic Matryoshka ⋅ z3r0day_504 @online{z3r0day504:20220128:malware:3628b1b, author = {z3r0day_504}, title = {{Malware Headliners: LokiBot}}, date = {2022-01-28}, organization = {Atomic Matryoshka}, url = {https://www.atomicmatryoshka.com/post/malware-headliners-lokibot}, language = {English}, urldate = {2022-02-01} } Malware Headliners: LokiBot Loki Password Stealer (PWS)

2022-01-25 ⋅ Palo Alto Networks Unit 42 ⋅ Yaron Samuel @online{samuel:20220125:weaponization:3f900f4, author = {Yaron Samuel}, title = {{Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies}}, date = {2022-01-25}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/}, language = {English}, urldate = {2022-01-28} } Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies Agent Tesla

2022-01-24 ⋅ Netskope ⋅ Gustavo Palazolo, Ghanashyam Satpathy @online{palazolo:20220124:infected:65db665, author = {Gustavo Palazolo and Ghanashyam Satpathy}, title = {{Infected PowerPoint Files Using Cloud Services to Deliver Multiple Malware}}, date = {2022-01-24}, organization = {Netskope}, url = {https://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware}, language = {English}, urldate = {2022-01-28} } Infected PowerPoint Files Using Cloud Services to Deliver Multiple Malware Agent Tesla

2022-01-24 ⋅ Proofpoint ⋅ Proofpoint @online{proofpoint:20220124:dtpacker:6d34c1b, author = {Proofpoint}, title = {{DTPacker – a .NET Packer with a Curious Password}}, date = {2022-01-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1}, language = {English}, urldate = {2022-01-25} } DTPacker – a .NET Packer with a Curious Password Agent Tesla

2022-01-21 ⋅ Zscaler ⋅ Javier Vicente, Brett Stone-Gross @online{vicente:20220121:analysis:419182f, author = {Javier Vicente and Brett Stone-Gross}, title = {{Analysis of Xloader’s C2 Network Encryption}}, date = {2022-01-21}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption}, language = {English}, urldate = {2022-01-25} } Analysis of Xloader’s C2 Network Encryption Xloader Formbook

2022-01-21 ⋅ MalGamy ⋅ Gameel Ali @online{ali:20220121:deep:fe5caf7, author = {Gameel Ali}, title = {{Deep Analysis Agent Tesla Malware}}, date = {2022-01-21}, organization = {MalGamy}, url = {https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/}, language = {English}, urldate = {2022-01-25} } Deep Analysis Agent Tesla Malware Agent Tesla

2022-01-18 ⋅ Elastic ⋅ Derek Ditch, Daniel Stepanic, Andrew Pease, Seth Goodwin @online{ditch:20220118:formbook:3f03c56, author = {Derek Ditch and Daniel Stepanic and Andrew Pease and Seth Goodwin}, title = {{FORMBOOK Adopts CAB-less Approach}}, date = {2022-01-18}, organization = {Elastic}, url = {https://elastic.github.io/security-research/intelligence/2022/01/01.formbook-adopts-cabless-approach/article/}, language = {English}, urldate = {2022-01-25} } FORMBOOK Adopts CAB-less Approach Formbook

2022-01-12 ⋅ MalGamy @online{malgamy:20220112:deep:e4c8f1e, author = {MalGamy}, title = {{Deep analysis agent tesla malware}}, date = {2022-01-12}, url = {https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/}, language = {English}, urldate = {2022-01-25} } Deep analysis agent tesla malware Agent Tesla

2022-01-12 ⋅ Guillaume Orlando @online{orlando:20220112:2021:d68b80f, author = {Guillaume Orlando}, title = {{2021 Gorgon Group APT Operation}}, date = {2022-01-12}, url = {https://guillaumeorlando.github.io/GorgonInfectionchain}, language = {English}, urldate = {2022-01-13} } 2021 Gorgon Group APT Operation Agent Tesla

2022-01-03 ⋅ forensicitguy ⋅ Tony Lambert @online{lambert:20220103:tale:bfd0711, author = {Tony Lambert}, title = {{A Tale of Two Dropper Scripts for Agent Tesla}}, date = {2022-01-03}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/a-tale-of-two-dropper-scripts/}, language = {English}, urldate = {2022-01-25} } A Tale of Two Dropper Scripts for Agent Tesla Agent Tesla

2021-12-31 ⋅ InfoSec Handlers Diary Blog ⋅ Jan Kopriva @online{kopriva:20211231:do:8a36b66, author = {Jan Kopriva}, title = {{Do you want your Agent Tesla in the 300 MB or 8 kB package?}}, date = {2021-12-31}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/28202}, language = {English}, urldate = {2022-01-05} } Do you want your Agent Tesla in the 300 MB or 8 kB package? Agent Tesla

2021-12-30 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan @online{duncan:20211230:agent:2b24ea4, author = {Brad Duncan}, title = {{Agent Tesla Updates SMTP Data Exfiltration Technique}}, date = {2021-12-30}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28190}, language = {English}, urldate = {2022-01-03} } Agent Tesla Updates SMTP Data Exfiltration Technique Agent Tesla

2021-12-20 ⋅ InfoSec Handlers Diary Blog ⋅ Jan Kopriva, Alef Nula @online{kopriva:20211220:powerpoint:917c614, author = {Jan Kopriva and Alef Nula}, title = {{PowerPoint attachments, Agent Tesla and code reuse in malware}}, date = {2021-12-20}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/PowerPoint+attachments+Agent+Tesla+and+code+reuse+in+malware/28154/}, language = {English}, urldate = {2021-12-31} } PowerPoint attachments, Agent Tesla and code reuse in malware Agent Tesla

2021-12-17 ⋅ Yoroi ⋅ Luigi Martire, Carmelo Ragusa, Luca Mella @online{martire:20211217:serverless:1d4e81c, author = {Luigi Martire and Carmelo Ragusa and Luca Mella}, title = {{Serverless InfoStealer delivered in Est European Countries}}, date = {2021-12-17}, organization = {Yoroi}, url = {https://yoroi.company/research/serverless-infostealer-delivered-in-est-european-countries/}, language = {English}, urldate = {2021-12-17} } Serverless InfoStealer delivered in Est European Countries Agent Tesla

2021-12-08 ⋅ YouTube ( DuMp-GuY TrIcKsTeR) ⋅ Jiří Vinopal @online{vinopal:20211208:full:4bf6148, author = {Jiří Vinopal}, title = {{Full malware analysis Work-Flow of AgentTesla Malware}}, date = {2021-12-08}, organization = {YouTube ( DuMp-GuY TrIcKsTeR)}, url = {https://youtu.be/QQuRp7Qiuzg}, language = {English}, urldate = {2021-12-08} } Full malware analysis Work-Flow of AgentTesla Malware Agent Tesla

2021-12-06 ⋅ MalwareBookReports ⋅ muzi @online{muzi:20211206:agent:5a2c732, author = {muzi}, title = {{AGENT TESLAGGAH}}, date = {2021-12-06}, organization = {MalwareBookReports}, url = {https://malwarebookreports.com/agent-teslaggah/}, language = {English}, urldate = {2021-12-07} } AGENT TESLAGGAH Agent Tesla

2021-12-02 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20211202:spreading:82866e8, author = {ASEC Analysis Team}, title = {{Spreading AgentTesla through more sophisticated malicious PPT}}, date = {2021-12-02}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/29133/}, language = {Korean}, urldate = {2021-12-07} } Spreading AgentTesla through more sophisticated malicious PPT Agent Tesla

2021-11-23 ⋅ HP ⋅ Patrick Schläpfer @online{schlpfer:20211123:ratdispenser:4677686, author = {Patrick Schläpfer}, title = {{RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild}}, date = {2021-11-23}, organization = {HP}, url = {https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/}, language = {English}, urldate = {2021-11-29} } RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild AdWind Ratty STRRAT CloudEyE Formbook Houdini Panda Stealer Remcos

2021-11-22 ⋅ YouTube ( DuMp-GuY TrIcKsTeR) ⋅ Jiří Vinopal @online{vinopal:20211122:powershell:37baf25, author = {Jiří Vinopal}, title = {{Powershell and DnSpy tricks in .NET reversing – AgentTesla [Part1]}}, date = {2021-11-22}, organization = {YouTube ( DuMp-GuY TrIcKsTeR)}, url = {https://youtu.be/hxaeWyK8gMI}, language = {English}, urldate = {2021-11-26} } Powershell and DnSpy tricks in .NET reversing – AgentTesla [Part1] Agent Tesla

2021-11-22 ⋅ YouTube ( DuMp-GuY TrIcKsTeR) ⋅ Jiří Vinopal @online{vinopal:20211122:powershell:b15c355, author = {Jiří Vinopal}, title = {{Powershell and DnSpy tricks in .NET reversing – AgentTesla [Part2]}}, date = {2021-11-22}, organization = {YouTube ( DuMp-GuY TrIcKsTeR)}, url = {https://youtu.be/BM38OshcozE}, language = {English}, urldate = {2021-11-26} } Powershell and DnSpy tricks in .NET reversing – AgentTesla [Part2] Agent Tesla

2021-11-17 ⋅ Infoblox ⋅ Gaetano Pellegrino @techreport{pellegrino:20211117:deep:404458b, author = {Gaetano Pellegrino}, title = {{Deep Analysis of a Recent Lokibot Attack}}, date = {2021-11-17}, institution = {Infoblox}, url = {https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf}, language = {English}, urldate = {2022-01-03} } Deep Analysis of a Recent Lokibot Attack Loki Password Stealer (PWS)

2021-11-16 ⋅ Yoroi ⋅ Luigi Martire, Carmelo Ragusa, Luca Mella @online{martire:20211116:office:2dba65a, author = {Luigi Martire and Carmelo Ragusa and Luca Mella}, title = {{Office Documents: May the XLL technique change the threat Landscape in 2022?}}, date = {2021-11-16}, organization = {Yoroi}, url = {https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/}, language = {English}, urldate = {2021-11-17} } Office Documents: May the XLL technique change the threat Landscape in 2022? Agent Tesla Dridex Formbook

2021-11-12 ⋅ Living Code ⋅ Dominik Degroot @online{degroot:20211112:agenttesla:d69002b, author = {Dominik Degroot}, title = {{AgentTesla dropped via NSIS installer}}, date = {2021-11-12}, organization = {Living Code}, url = {http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/}, language = {English}, urldate = {2021-11-17} } AgentTesla dropped via NSIS installer Agent Tesla

2021-11-02 ⋅ InQuest ⋅ Dmitry Melikov @online{melikov:20211102:adults:cc39000, author = {Dmitry Melikov}, title = {{Adults Only Malware Lures}}, date = {2021-11-02}, organization = {InQuest}, url = {https://inquest.net/blog/2021/11/02/adults-only-malware-lures}, language = {English}, urldate = {2021-11-08} } Adults Only Malware Lures Agent Tesla

2021-10-06 ⋅ zimperium ⋅ Jordan Herman @online{herman:20211006:malware:7f7f055, author = {Jordan Herman}, title = {{Malware Distribution with Mana Tools}}, date = {2021-10-06}, organization = {zimperium}, url = {https://community.riskiq.com/article/56e28880}, language = {English}, urldate = {2021-10-11} } Malware Distribution with Mana Tools Agent Tesla Azorult

2021-09-30 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20210930:threat:d31cc55, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: xLoader Infostealer}}, date = {2021-09-30}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer}, language = {English}, urldate = {2021-10-11} } Threat Thursday: xLoader Infostealer Xloader Formbook

2021-09-29 ⋅ Trend Micro ⋅ Aliakbar Zahravi, William Gamazo Sanchez, Kamlapati Choubey, Peter Girnus @online{zahravi:20210929:formbook:54b9f08, author = {Aliakbar Zahravi and William Gamazo Sanchez and Kamlapati Choubey and Peter Girnus}, title = {{FormBook Adds Latest Office 365 0-Day Vulnerability (CVE-2021-40444) to Its Arsenal}}, date = {2021-09-29}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html}, language = {English}, urldate = {2021-10-05} } FormBook Adds Latest Office 365 0-Day Vulnerability (CVE-2021-40444) to Its Arsenal Formbook

2021-09-15 ⋅ Telsy ⋅ Telsy @online{telsy:20210915:remcos:83c0670, author = {Telsy}, title = {{REMCOS and Agent Tesla loaded into memory with Rezer0 loader}}, date = {2021-09-15}, organization = {Telsy}, url = {https://www.telsy.com/download/4832/}, language = {English}, urldate = {2021-09-23} } REMCOS and Agent Tesla loaded into memory with Rezer0 loader Agent Tesla Remcos

2021-09-08 ⋅ Juniper ⋅ Paul Kimayong @online{kimayong:20210908:aggah:8508369, author = {Paul Kimayong}, title = {{Aggah Malware Campaign Expands to Zendesk and GitHub to Host Its Malware}}, date = {2021-09-08}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/security/aggah-malware-campaign-expands-to-zendesk-and-github-to-host-its-malware}, language = {English}, urldate = {2021-09-10} } Aggah Malware Campaign Expands to Zendesk and GitHub to Host Its Malware Agent Tesla

2021-09-06 ⋅ cocomelonc ⋅ cocomelonc @online{cocomelonc:20210906:av:215e5aa, author = {cocomelonc}, title = {{AV engines evasion for C++ simple malware: part 2}}, date = {2021-09-06}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html}, language = {English}, urldate = {2023-07-24} } AV engines evasion for C++ simple malware: part 2 Agent Tesla Amadey Anchor AnchorMTea Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze

2021-08-25 ⋅ Trend Micro ⋅ William Gamazo Sanchez, Bin Lin @online{sanchez:20210825:new:f09ef7d, author = {William Gamazo Sanchez and Bin Lin}, title = {{New Campaign Sees LokiBot Delivered Via Multiple Methods}}, date = {2021-08-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/h/new-campaign-sees-lokibot-delivered-via-multiple-methods.html}, language = {English}, urldate = {2021-08-31} } New Campaign Sees LokiBot Delivered Via Multiple Methods Loki Password Stealer (PWS)

2021-08-23 ⋅ YouTube ( DuMp-GuY TrIcKsTeR) ⋅ Jiří Vinopal @online{vinopal:20210823:2:0b5dba8, author = {Jiří Vinopal}, title = {{[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite}}, date = {2021-08-23}, organization = {YouTube ( DuMp-GuY TrIcKsTeR)}, url = {https://www.youtube.com/watch?v=N0wAh26wShE}, language = {English}, urldate = {2021-08-25} } [2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite CloudEyE Loki Password Stealer (PWS)

2021-08-16 ⋅ Malcat ⋅ malcat team @online{team:20210816:statically:665b400, author = {malcat team}, title = {{Statically unpacking a simple .NET dropper}}, date = {2021-08-16}, organization = {Malcat}, url = {https://malcat.fr/blog/statically-unpacking-a-simple-net-dropper/}, language = {English}, urldate = {2022-01-05} } Statically unpacking a simple .NET dropper Loki Password Stealer (PWS)

2021-07-28 ⋅ RiskIQ ⋅ Jennifer Grob, Jordan Herman @online{grob:20210728:use:8287989, author = {Jennifer Grob and Jordan Herman}, title = {{Use of XAMPP Web Component to Identify Agent Tesla Infrastructure}}, date = {2021-07-28}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/40000d46}, language = {English}, urldate = {2021-07-29} } Use of XAMPP Web Component to Identify Agent Tesla Infrastructure Agent Tesla

2021-07-24 ⋅ InfoSec Handlers Diary Blog ⋅ Xavier Mertens @online{mertens:20210724:agenttesla:2876aef, author = {Xavier Mertens}, title = {{Agent.Tesla Dropped via a .daa Image and Talking to Telegram}}, date = {2021-07-24}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27666}, language = {English}, urldate = {2021-07-26} } Agent.Tesla Dropped via a .daa Image and Talking to Telegram Agent Tesla

2021-07-21 ⋅ Quick Heal ⋅ Rumana Siddiqui @online{siddiqui:20210721:formbook:e6e3f64, author = {Rumana Siddiqui}, title = {{FormBook Malware Returns: New Variant Uses Steganography and In-Memory Loading of multiple stages to steal data}}, date = {2021-07-21}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/}, language = {English}, urldate = {2021-07-26} } FormBook Malware Returns: New Variant Uses Steganography and In-Memory Loading of multiple stages to steal data Formbook

2021-07-12 ⋅ IBM ⋅ Melissa Frydrych, Claire Zaboeva, Dan Dash @online{frydrych:20210712:roboski:1f66418, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {IBM}, url = {https://securityintelligence.com/posts/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation 404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos

2021-07-12 ⋅ Cipher Tech Solutions ⋅ Melissa Frydrych, Claire Zaboeva, Dan Dash @online{frydrych:20210712:roboski:a3c66bf, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {Cipher Tech Solutions}, url = {https://www.ciphertechsolutions.com/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation 404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos

2021-07-07 ⋅ YouTube ( DuMp-GuY TrIcKsTeR) ⋅ Jiří Vinopal @online{vinopal:20210707:2:85ce7e9, author = {Jiří Vinopal}, title = {{[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python}}, date = {2021-07-07}, organization = {YouTube ( DuMp-GuY TrIcKsTeR)}, url = {https://www.youtube.com/watch?v=-FxyzuRv6Wg}, language = {English}, urldate = {2021-07-20} } [2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python CloudEyE Loki Password Stealer (PWS)

2021-07-06 ⋅ YouTube ( DuMp-GuY TrIcKsTeR) ⋅ Jiří Vinopal @online{vinopal:20210706:1:be25f45, author = {Jiří Vinopal}, title = {{[1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2}}, date = {2021-07-06}, organization = {YouTube ( DuMp-GuY TrIcKsTeR)}, url = {https://www.youtube.com/watch?v=K3Yxu_9OUxU}, language = {English}, urldate = {2021-07-20} } [1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2 CloudEyE Loki Password Stealer (PWS)

2021-06-29 ⋅ Yoroi ⋅ Luigi Martire, Luca Mella @online{martire:20210629:wayback:fc8fa84, author = {Luigi Martire and Luca Mella}, title = {{The "WayBack” Campaign: a Large Scale Operation Hiding in Plain Sight}}, date = {2021-06-29}, organization = {Yoroi}, url = {https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/}, language = {English}, urldate = {2021-06-29} } The "WayBack” Campaign: a Large Scale Operation Hiding in Plain Sight Agent Tesla Cobian RAT Oski Stealer

2021-06-24 ⋅ Trustwave ⋅ Diana Lopera @online{lopera:20210624:yet:5a8a4c5, author = {Diana Lopera}, title = {{Yet Another Archive Format Smuggling Malware}}, date = {2021-06-24}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-archive-format-smuggling-malware/}, language = {English}, urldate = {2021-06-29} } Yet Another Archive Format Smuggling Malware Agent Tesla

2021-06-24 ⋅ Blackberry ⋅ The BlackBerry Research and Intelligence Team @online{team:20210624:threat:54b5162, author = {The BlackBerry Research and Intelligence Team}, title = {{Threat Thursday: Agent Tesla Infostealer}}, date = {2021-06-24}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware}, language = {English}, urldate = {2021-07-02} } Threat Thursday: Agent Tesla Infostealer Agent Tesla

2021-06-11 ⋅ NSFOCUS ⋅ Fuying Laboratory @online{laboratory:20210611:nigerian:201d2fa, author = {Fuying Laboratory}, title = {{Nigerian Hacker Organization SWEED is Distributing Phishing Documents Targeting the Logistics Industry}}, date = {2021-06-11}, organization = {NSFOCUS}, url = {http://blog.nsfocus.net/sweed-611/}, language = {Chinese}, urldate = {2021-06-16} } Nigerian Hacker Organization SWEED is Distributing Phishing Documents Targeting the Logistics Industry Agent Tesla

2021-06-08 ⋅ ilbaroni @online{ilbaroni:20210608:lokibot:26e4005, author = {ilbaroni}, title = {{LOKIBOT - A commodity malware}}, date = {2021-06-08}, url = {http://reversing.fun/posts/2021/06/08/lokibot.html}, language = {English}, urldate = {2022-01-05} } LOKIBOT - A commodity malware Loki Password Stealer (PWS)

2021-06-04 ⋅ Fortinet ⋅ Xiaopeng Zhang @online{zhang:20210604:phishing:20bdfa5, author = {Xiaopeng Zhang}, title = {{Phishing Malware Hijacks Bitcoin Addresses and Delivers New Agent Tesla Variant}}, date = {2021-06-04}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/phishing-malware-hijacks-bitcoin-addresses-delivers-new-agent-tesla-variant}, language = {English}, urldate = {2021-06-16} } Phishing Malware Hijacks Bitcoin Addresses and Delivers New Agent Tesla Variant Agent Tesla

2021-06-02 ⋅ Sophos ⋅ Sean Gallagher @online{gallagher:20210602:amsi:084d0ba, author = {Sean Gallagher}, title = {{AMSI bypasses remain tricks of the malware trade}}, date = {2021-06-02}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/}, language = {English}, urldate = {2021-06-09} } AMSI bypasses remain tricks of the malware trade Agent Tesla Cobalt Strike Meterpreter

2021-05-18 ⋅ Youtube (AhmedS Kasmani) ⋅ AhmedS Kasmani @online{kasmani:20210518:malware:5921c55, author = {AhmedS Kasmani}, title = {{Malware Analysis: Agent Tesla Part 1/2 Extraction of final payload from dropper.}}, date = {2021-05-18}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=Q9_1xNbVQPY}, language = {English}, urldate = {2021-05-19} } Malware Analysis: Agent Tesla Part 1/2 Extraction of final payload from dropper. Agent Tesla

2021-05-11 ⋅ VMRay ⋅ VMRay Labs Team, Mateusz Lukaszewski @online{team:20210511:threat:2b02a9b, author = {VMRay Labs Team and Mateusz Lukaszewski}, title = {{Threat Bulletin: Exploring the Differences and Similarities of Agent Tesla v2 & v3}}, date = {2021-05-11}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/threat-bulletin-agent-tesla/}, language = {English}, urldate = {2021-08-20} } Threat Bulletin: Exploring the Differences and Similarities of Agent Tesla v2 & v3 Agent Tesla

2021-05-11 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft Security Intelligence @online{intelligence:20210511:snip3:69a4650, author = {Microsoft Security Intelligence}, title = {{Tweet on Snip3 crypter delivering AsyncRAT or AgentTesla}}, date = {2021-05-11}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1392219299696152578}, language = {English}, urldate = {2021-05-13} } Tweet on Snip3 crypter delivering AsyncRAT or AgentTesla Agent Tesla AsyncRAT

2021-05-07 ⋅ Morphisec ⋅ Nadav Lorber @online{lorber:20210507:revealing:add3b8a, author = {Nadav Lorber}, title = {{Revealing the ‘Snip3’ Crypter, a Highly Evasive RAT Loader}}, date = {2021-05-07}, organization = {Morphisec}, url = {https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader}, language = {English}, urldate = {2021-05-13} } Revealing the ‘Snip3’ Crypter, a Highly Evasive RAT Loader Agent Tesla AsyncRAT NetWire RC Revenge RAT

2021-05-05 ⋅ Zscaler ⋅ Aniruddha Dolas, Mohd Sadique, Manohar Ghule @online{dolas:20210505:catching:ace83fc, author = {Aniruddha Dolas and Mohd Sadique and Manohar Ghule}, title = {{Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats}}, date = {2021-05-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols}, language = {English}, urldate = {2021-05-08} } Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos

2021-04-22 ⋅ Fortinet ⋅ Xiaopeng Zhang @online{zhang:20210422:deep:44cd560, author = {Xiaopeng Zhang}, title = {{Deep Analysis: FormBook New Variant Delivered in Phishing Campaign – Part II}}, date = {2021-04-22}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii}, language = {English}, urldate = {2021-04-28} } Deep Analysis: FormBook New Variant Delivered in Phishing Campaign – Part II Formbook

2021-04-21 ⋅ SophosLabs Uncut ⋅ Sean Gallagher, Suriya Natarajan, Anand Aijan, Michael Wood, Sivagnanam Gn, Markel Picado, Andrew Brandt @online{gallagher:20210421:nearly:53964a7, author = {Sean Gallagher and Suriya Natarajan and Anand Aijan and Michael Wood and Sivagnanam Gn and Markel Picado and Andrew Brandt}, title = {{Nearly half of malware now use TLS to conceal communications}}, date = {2021-04-21}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/}, language = {English}, urldate = {2021-04-28} } Nearly half of malware now use TLS to conceal communications Agent Tesla Cobalt Strike Dridex SystemBC

2021-04-12 ⋅ Fortinet ⋅ Xiaopeng Zhang @online{zhang:20210412:deep:dc35f85, author = {Xiaopeng Zhang}, title = {{Deep Analysis: New FormBook Variant Delivered in Phishing Campaign – Part I}}, date = {2021-04-12}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-analysis-new-formbook-variant-delivered-phishing-campaign-part-I}, language = {English}, urldate = {2021-04-14} } Deep Analysis: New FormBook Variant Delivered in Phishing Campaign – Part I Formbook

2021-04-06 ⋅ InfoSec Handlers Diary Blog ⋅ Jan Kopriva @online{kopriva:20210406:malspam:817a035, author = {Jan Kopriva}, title = {{Malspam with Lokibot vs. Outlook and RFCs}}, date = {2021-04-06}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27282}, language = {English}, urldate = {2021-04-06} } Malspam with Lokibot vs. Outlook and RFCs Loki Password Stealer (PWS)

2021-04-04 ⋅ menshaway blogspot ⋅ Mahmoud Morsy @online{morsy:20210404:technical:197b7c7, author = {Mahmoud Morsy}, title = {{Technical report of AgentTesla}}, date = {2021-04-04}, organization = {menshaway blogspot}, url = {https://menshaway.blogspot.com/2021/04/agenttesla-malware.html}, language = {English}, urldate = {2021-04-06} } Technical report of AgentTesla Agent Tesla

2021-03-17 ⋅ HP ⋅ HP Bromium @techreport{bromium:20210317:threat:3aed551, author = {HP Bromium}, title = {{Threat Insights Report Q4-2020}}, date = {2021-03-17}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf}, language = {English}, urldate = {2021-03-19} } Threat Insights Report Q4-2020 Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader

2021-03-11 ⋅ YouTube ( Malware_Analyzing_&_RE_Tips_Tricks) ⋅ Jiří Vinopal @online{vinopal:20210311:formbook:31931b9, author = {Jiří Vinopal}, title = {{Formbook Reversing - Part1 [Formbook .NET loader/injector analyzing, decrypting, unpacking, patching]}}, date = {2021-03-11}, organization = {YouTube ( Malware_Analyzing_&_RE_Tips_Tricks)}, url = {https://youtu.be/aQwnHIlGSBM}, language = {English}, urldate = {2021-03-12} } Formbook Reversing - Part1 [Formbook .NET loader/injector analyzing, decrypting, unpacking, patching] Formbook

2021-02-28 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team

2021-02-25 ⋅ Minerva ⋅ Minerva Labs @online{labs:20210225:preventing:c968dbc, author = {Minerva Labs}, title = {{Preventing AgentTelsa Infiltration}}, date = {2021-02-25}, organization = {Minerva}, url = {https://blog.minerva-labs.com/preventing-agenttesla}, language = {English}, urldate = {2021-02-25} } Preventing AgentTelsa Infiltration Agent Tesla

2021-02-12 ⋅ InfoSec Handlers Diary Blog ⋅ Xavier Mertens @online{mertens:20210212:agenttesla:228400f, author = {Xavier Mertens}, title = {{AgentTesla Dropped Through Automatic Click in Microsoft Help File}}, date = {2021-02-12}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/27092}, language = {English}, urldate = {2021-02-18} } AgentTesla Dropped Through Automatic Click in Microsoft Help File Agent Tesla

2021-02-12 ⋅ Trustwave ⋅ Rodel Mendrez, Diana Lopera @online{mendrez:20210212:many:560778f, author = {Rodel Mendrez and Diana Lopera}, title = {{The Many Roads Leading To Agent Tesla}}, date = {2021-02-12}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-many-roads-leading-to-agent-tesla/}, language = {English}, urldate = {2021-02-18} } The Many Roads Leading To Agent Tesla Agent Tesla

2021-02-11 ⋅ InfoSec Handlers Diary Blog ⋅ Jan Kopriva @online{kopriva:20210211:agent:e27e397, author = {Jan Kopriva}, title = {{Agent Tesla hidden in a historical anti-malware tool}}, date = {2021-02-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27088}, language = {English}, urldate = {2021-02-20} } Agent Tesla hidden in a historical anti-malware tool Agent Tesla

2021-01-21 ⋅ DENEXUS ⋅ Markel Picado @techreport{picado:20210121:spear:3893769, author = {Markel Picado}, title = {{Spear Phishing Targeting ICS Supply Chain - Analysis}}, date = {2021-01-21}, institution = {DENEXUS}, url = {https://www.denexus.io/wp-content/uploads/2021/02/Threat-actor-targeting-gas-oil-supply-chains_public.pdf}, language = {English}, urldate = {2021-03-05} } Spear Phishing Targeting ICS Supply Chain - Analysis Agent Tesla

2021-01-11 ⋅ ESET Research ⋅ Matías Porolli @online{porolli:20210111:operation:409662d, author = {Matías Porolli}, title = {{Operation Spalax: Targeted malware attacks in Colombia}}, date = {2021-01-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/}, language = {English}, urldate = {2021-01-18} } Operation Spalax: Targeted malware attacks in Colombia Agent Tesla AsyncRAT NjRAT Remcos

2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli @online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot

2021-01-06 ⋅ Talos ⋅ Irshad Muhammad, Holger Unterbrink @online{muhammad:20210106:deep:8fa3a1f, author = {Irshad Muhammad and Holger Unterbrink}, title = {{A Deep Dive into Lokibot Infection Chain}}, date = {2021-01-06}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html}, language = {English}, urldate = {2021-01-10} } A Deep Dive into Lokibot Infection Chain Loki Password Stealer (PWS)

2021 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2021:threat:9cb31b0, author = {SecureWorks}, title = {{Threat Profile: GOLD GALLEON}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-galleon}, language = {English}, urldate = {2021-06-01} } Threat Profile: GOLD GALLEON Agent Tesla HawkEye Keylogger Pony GOLD GALLEON

2020-12-21 ⋅ Cisco Talos ⋅ JON MUNSHAW @online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } 2020: The year in malware WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader

2020-12-18 ⋅ Trend Micro ⋅ Matthew Camacho, Raphael Centeno, Junestherry Salvador @online{camacho:20201218:negasteal:e5b291f, author = {Matthew Camacho and Raphael Centeno and Junestherry Salvador}, title = {{Negasteal Uses Hastebin for Fileless Delivery of Crysis Ransomware}}, date = {2020-12-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware}, language = {English}, urldate = {2020-12-26} } Negasteal Uses Hastebin for Fileless Delivery of Crysis Ransomware Agent Tesla Dharma

2020-12-15 ⋅ Cofense ⋅ Aaron Riley @online{riley:20201215:strategic:653455d, author = {Aaron Riley}, title = {{Strategic Analysis: Agent Tesla Expands Targeting and Networking Capabilities}}, date = {2020-12-15}, organization = {Cofense}, url = {https://cofense.com/strategic-analysis-agent-tesla-expands-targeting-and-networking-capabilities/}, language = {English}, urldate = {2020-12-17} } Strategic Analysis: Agent Tesla Expands Targeting and Networking Capabilities Agent Tesla

2020-12-10 ⋅ US-CERT ⋅ US-CERT, FBI, MS-ISAC @online{uscert:20201210:alert:a5ec77e, author = {US-CERT and FBI and MS-ISAC}, title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}}, date = {2020-12-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a}, language = {English}, urldate = {2020-12-11} } Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus

2020-12-07 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team @online{team:20201207:commodity:027b864, author = {Proofpoint Threat Research Team}, title = {{Commodity .NET Packers use Embedded Images to Hide Payloads}}, date = {2020-12-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads}, language = {English}, urldate = {2020-12-10} } Commodity .NET Packers use Embedded Images to Hide Payloads Agent Tesla Loki Password Stealer (PWS) Remcos

2020-12-04 ⋅ Inde ⋅ Chris Campbell @online{campbell:20201204:inside:9f2f036, author = {Chris Campbell}, title = {{Inside a .NET Stealer: AgentTesla}}, date = {2020-12-04}, organization = {Inde}, url = {https://www.inde.nz/blog/inside-agenttesla}, language = {English}, urldate = {2022-04-29} } Inside a .NET Stealer: AgentTesla Agent Tesla

2020-12-03 ⋅ Telsy ⋅ Telsy Research Team @techreport{team:20201203:when:0269579, author = {Telsy Research Team}, title = {{When a false flagdoesn’t work: Exploring the digital-crimeunderground at campaign preparation stage}}, date = {2020-12-03}, institution = {Telsy}, url = {https://www.telsy.com/wp-content/uploads/ATR_82599-1.pdf}, language = {English}, urldate = {2020-12-14} } When a false flagdoesn’t work: Exploring the digital-crimeunderground at campaign preparation stage Agent Tesla

2020-11-27 ⋅ HP ⋅ Alex Holland @online{holland:20201127:aggah:7dd38ba, author = {Alex Holland}, title = {{Aggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and Cryptocurrency Stealer}}, date = {2020-11-27}, organization = {HP}, url = {https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/}, language = {English}, urldate = {2020-11-27} } Aggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and Cryptocurrency Stealer Agent Tesla

2020-11-19 ⋅ SANS ISC InfoSec Forums ⋅ Xavier Mertens @online{mertens:20201119:powershell:72b44bf, author = {Xavier Mertens}, title = {{PowerShell Dropper Delivering Formbook}}, date = {2020-11-19}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/diary/26806}, language = {English}, urldate = {2020-11-19} } PowerShell Dropper Delivering Formbook Formbook

2020-11-18 ⋅ Sophos ⋅ Sophos @techreport{sophos:20201118:sophos:8fd201e, author = {Sophos}, title = {{SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world}}, date = {2020-11-18}, institution = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf}, language = {English}, urldate = {2020-11-19} } SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world Agent Tesla Dridex TrickBot Zloader

2020-11-18 ⋅ G Data ⋅ G-Data @online{gdata:20201118:business:f4eda3a, author = {G-Data}, title = {{Business as usual: Criminal Activities in Times of a Global Pandemic}}, date = {2020-11-18}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire}, language = {English}, urldate = {2020-11-23} } Business as usual: Criminal Activities in Times of a Global Pandemic Agent Tesla Nanocore RAT NetWire RC Remcos

2020-11-05 ⋅ Morphisec ⋅ Michael Gorelik @online{gorelik:20201105:agent:1cefe08, author = {Michael Gorelik}, title = {{Agent Tesla: A Day in a Life of IR}}, date = {2020-11-05}, organization = {Morphisec}, url = {https://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir}, language = {English}, urldate = {2020-11-09} } Agent Tesla: A Day in a Life of IR Agent Tesla

2020-11-05 ⋅ tccontre Blog ⋅ tcontre @online{tcontre:20201105:interesting:17c82b2, author = {tcontre}, title = {{Interesting FormBook Crypter - unconventional way to store encrypted data}}, date = {2020-11-05}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2020/11/interesting-formbook-crypter.html}, language = {English}, urldate = {2020-11-06} } Interesting FormBook Crypter - unconventional way to store encrypted data Formbook

2020-10-16 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab @online{lab:20201016:vba:577dd47, author = {Hornetsecurity Security Lab}, title = {{VBA Purging Malspam Campaigns}}, date = {2020-10-16}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/}, language = {English}, urldate = {2020-12-08} } VBA Purging Malspam Campaigns Agent Tesla Formbook

2020-10-05 ⋅ Juniper ⋅ Paul Kimayong @online{kimayong:20201005:new:739309f, author = {Paul Kimayong}, title = {{New pastebin-like service used in multiple malware campaigns}}, date = {2020-10-05}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns}, language = {English}, urldate = {2020-10-07} } New pastebin-like service used in multiple malware campaigns Agent Tesla LimeRAT RedLine Stealer

2020-10-01 ⋅ SpiderLabs Blog ⋅ Diana Lopera @online{lopera:20201001:evasive:c15da47, author = {Diana Lopera}, title = {{Evasive URLs in Spam: Part 2}}, date = {2020-10-01}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/}, language = {English}, urldate = {2020-10-12} } Evasive URLs in Spam: Part 2 Loki Password Stealer (PWS)

2020-09-03 ⋅ Medium mariohenkel ⋅ Mario Henkel @online{henkel:20200903:decrypting:16cd7a9, author = {Mario Henkel}, title = {{Decrypting AgentTesla strings and config}}, date = {2020-09-03}, organization = {Medium mariohenkel}, url = {https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4}, language = {English}, urldate = {2020-09-03} } Decrypting AgentTesla strings and config Agent Tesla

2020-08-27 ⋅ MalWatch ⋅ MalWatch @online{malwatch:20200827:wintrojanagenttesla:8c6e4f6, author = {MalWatch}, title = {{Win.Trojan.AgentTesla - Malware analysis & threat intelligence report}}, date = {2020-08-27}, organization = {MalWatch}, url = {https://malwatch.github.io/posts/agent-tesla-malware-analysis/}, language = {English}, urldate = {2020-08-28} } Win.Trojan.AgentTesla - Malware analysis & threat intelligence report Agent Tesla

2020-08-26 ⋅ Lab52 ⋅ Jagaimo Kawaii @online{kawaii:20200826:twisted:b91cfb5, author = {Jagaimo Kawaii}, title = {{A twisted malware infection chain}}, date = {2020-08-26}, organization = {Lab52}, url = {https://lab52.io/blog/a-twisted-malware-infection-chain/}, language = {English}, urldate = {2020-08-31} } A twisted malware infection chain Agent Tesla Loki Password Stealer (PWS)

2020-08-10 ⋅ Seqrite ⋅ Pavankumar Chaudhari @online{chaudhari:20200810:gorgon:3a961be, author = {Pavankumar Chaudhari}, title = {{Gorgon APT targeting MSME sector in India}}, date = {2020-08-10}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/}, language = {English}, urldate = {2020-08-13} } Gorgon APT targeting MSME sector in India Agent Tesla

2020-08-10 ⋅ SentinelOne ⋅ Jim Walter @online{walter:20200810:agent:d09f042, author = {Jim Walter}, title = {{Agent Tesla | Old RAT Uses New Tricks to Stay on Top}}, date = {2020-08-10}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/}, language = {English}, urldate = {2020-08-13} } Agent Tesla | Old RAT Uses New Tricks to Stay on Top Agent Tesla

2020-07-30 ⋅ Spamhaus ⋅ Spamhaus Malware Labs @techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020 AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader

2020-07-29 ⋅ ESET Research ⋅ welivesecurity @techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020 DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor

2020-07-22 ⋅ S2W LAB Inc. ⋅ S2W LAB INTELLIGENCE TEAM @online{team:20200722:formbook:6297801, author = {S2W LAB INTELLIGENCE TEAM}, title = {{'FormBook Tracker' unveiled on the Dark Web}}, date = {2020-07-22}, organization = {S2W LAB Inc.}, url = {https://drive.google.com/file/d/1oxINyIJfMtv_upJqRK9vLSchIBaU8wiU/view}, language = {English}, urldate = {2020-08-14} } 'FormBook Tracker' unveiled on the Dark Web Formbook

2020-06-02 ⋅ Lastline Labs ⋅ James Haughom, Stefano Ortolani @online{haughom:20200602:evolution:3286d87, author = {James Haughom and Stefano Ortolani}, title = {{Evolution of Excel 4.0 Macro Weaponization}}, date = {2020-06-02}, organization = {Lastline Labs}, url = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/}, language = {English}, urldate = {2020-06-03} } Evolution of Excel 4.0 Macro Weaponization Agent Tesla DanaBot ISFB TrickBot Zloader

2020-05-31 ⋅ Malwarebytes ⋅ hasherezade @online{hasherezade:20200531:revisiting:cb8df95, author = {hasherezade}, title = {{Revisiting the NSIS-based crypter}}, date = {2020-05-31}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-based-crypter/}, language = {English}, urldate = {2021-06-09} } Revisiting the NSIS-based crypter Formbook

2020-05-23 ⋅ InfoSec Handlers Diary Blog ⋅ Xavier Mertens @online{mertens:20200523:agenttesla:eba0b0c, author = {Xavier Mertens}, title = {{AgentTesla Delivered via a Malicious PowerPoint Add-In}}, date = {2020-05-23}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/}, language = {English}, urldate = {2020-05-27} } AgentTesla Delivered via a Malicious PowerPoint Add-In Agent Tesla

2020-05-22 ⋅ Yoroi ⋅ Luigi Martire, Giacomo d'Onofrio, Antonio Pirozzi, Luca Mella @online{martire:20200522:cybercriminal:97a41b3, author = {Luigi Martire and Giacomo d'Onofrio and Antonio Pirozzi and Luca Mella}, title = {{Cyber-Criminal espionage Operation insists on Italian Manufacturing}}, date = {2020-05-22}, organization = {Yoroi}, url = {https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/}, language = {English}, urldate = {2022-02-02} } Cyber-Criminal espionage Operation insists on Italian Manufacturing Agent Tesla

2020-05-21 ⋅ Malwarebytes ⋅ Malwarebytes Labs @techreport{labs:20200521:cybercrime:d38d2da, author = {Malwarebytes Labs}, title = {{Cybercrime tactics and techniques}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf}, language = {English}, urldate = {2020-06-03} } Cybercrime tactics and techniques Ave Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC

2020-05-14 ⋅ SophosLabs ⋅ Markel Picado @online{picado:20200514:raticate:6334722, author = {Markel Picado}, title = {{RATicate: an attacker’s waves of information-stealing malware}}, date = {2020-05-14}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/14/raticate/}, language = {English}, urldate = {2020-05-18} } RATicate: an attacker’s waves of information-stealing malware Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos

2020-04-28 ⋅ Trend Micro ⋅ Miguel Ang @online{ang:20200428:loki:169b27e, author = {Miguel Ang}, title = {{Loki Info Stealer Propagates through LZH Files}}, date = {2020-04-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files}, language = {English}, urldate = {2020-08-14} } Loki Info Stealer Propagates through LZH Files Loki Password Stealer (PWS)

2020-04-16 ⋅ Malwarebytes ⋅ Hossein Jazi @online{jazi:20200416:new:6b7cb7a, author = {Hossein Jazi}, title = {{New AgentTesla variant steals WiFi credentials}}, date = {2020-04-16}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/}, language = {English}, urldate = {2020-04-16} } New AgentTesla variant steals WiFi credentials Agent Tesla

2020-04-15 ⋅ Suraj Malhotra @online{malhotra:20200415:how:6cfc199, author = {Suraj Malhotra}, title = {{How Analysing an AgentTesla Could Lead To Attackers Inbox - Part II}}, date = {2020-04-15}, url = {https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-2/}, language = {English}, urldate = {2020-04-20} } How Analysing an AgentTesla Could Lead To Attackers Inbox - Part II Agent Tesla

2020-04-14 ⋅ Palo Alto Networks Unit 42 ⋅ Adrian McCabe, Vicky Ray, Juan Cortes @online{mccabe:20200414:malicious:9481b60, author = {Adrian McCabe and Vicky Ray and Juan Cortes}, title = {{Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns}}, date = {2020-04-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/}, language = {English}, urldate = {2020-04-14} } Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns Agent Tesla EDA2

2020-04-13 ⋅ Suraj Malhotra @online{malhotra:20200413:how:6ea81f8, author = {Suraj Malhotra}, title = {{How Analysing an AgentTesla Could Lead To Attackers Inbox - Part I}}, date = {2020-04-13}, url = {https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-1/}, language = {English}, urldate = {2020-04-15} } How Analysing an AgentTesla Could Lead To Attackers Inbox - Part I Agent Tesla

2020-04-05 ⋅ MalwrAnalysis ⋅ Anurag @online{anurag:20200405:trojan:2bb6584, author = {Anurag}, title = {{Trojan Agent Tesla – Malware Analysis}}, date = {2020-04-05}, organization = {MalwrAnalysis}, url = {https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/}, language = {English}, urldate = {2020-04-08} } Trojan Agent Tesla – Malware Analysis Agent Tesla

2020-04-01 ⋅ Cisco ⋅ Shyam Sundar Ramaswami, Andrea Kaiser @online{ramaswami:20200401:navigating:965952a, author = {Shyam Sundar Ramaswami and Andrea Kaiser}, title = {{Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors}}, date = {2020-04-01}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors}, language = {English}, urldate = {2020-08-19} } Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot

2020-03-31 ⋅ Click All the Things! Blog ⋅ Jamie @online{jamie:20200331:lokibot:f927742, author = {Jamie}, title = {{LokiBot: Getting Equation Editor Shellcode}}, date = {2020-03-31}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/}, language = {English}, urldate = {2020-04-07} } LokiBot: Getting Equation Editor Shellcode Loki Password Stealer (PWS)

2020-03-24 ⋅ RiskIQ ⋅ Wes Smiley @online{smiley:20200324:exploring:3a3c04b, author = {Wes Smiley}, title = {{Exploring Agent Tesla Infrastructure}}, date = {2020-03-24}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/6337984e}, language = {English}, urldate = {2021-04-09} } Exploring Agent Tesla Infrastructure Agent Tesla

2020-03-24 ⋅ Avira ⋅ Avira Protection Labs @online{labs:20200324:new:88d7b1d, author = {Avira Protection Labs}, title = {{A new technique to analyze FormBook malware infections}}, date = {2020-03-24}, organization = {Avira}, url = {https://insights.oem.avira.com/a-new-technique-to-analyze-formbook-malware-infections/}, language = {English}, urldate = {2020-04-01} } A new technique to analyze FormBook malware infections Formbook

2020-03-20 ⋅ Bitdefender ⋅ Liviu Arsene @online{arsene:20200320:5:46813c6, author = {Liviu Arsene}, title = {{5 Times More Coronavirus-themed Malware Reports during March}}, date = {2020-03-20}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-03-26} } 5 Times More Coronavirus-themed Malware Reports during March ostap HawkEye Keylogger Koadic Loki Password Stealer (PWS) Nanocore RAT Remcos

2020-03-18 ⋅ Proofpoint ⋅ Axel F, Sam Scholten @online{f:20200318:coronavirus:8fe12a3, author = {Axel F and Sam Scholten}, title = {{Coronavirus Threat Landscape Update}}, date = {2020-03-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update}, language = {English}, urldate = {2020-03-26} } Coronavirus Threat Landscape Update Agent Tesla Get2 ISFB Remcos

2020-02-26 ⋅ MalwareLab.pl ⋅ Maciej Kotowicz @online{kotowicz:20200226:abusing:2a32e8e, author = {Maciej Kotowicz}, title = {{(Ab)using bash-fu to analyze recent Aggah sample}}, date = {2020-02-26}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/basfu_aggah/}, language = {English}, urldate = {2020-02-27} } (Ab)using bash-fu to analyze recent Aggah sample Agent Tesla

2020-02-14 ⋅ Virus Bulletin ⋅ Aditya K. Sood @online{sood:20200214:lokibot:c4e5d9d, author = {Aditya K. Sood}, title = {{LokiBot: dissecting the C&C panel deployments}}, date = {2020-02-14}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/02/lokibot-dissecting-cc-panel-deployments/}, language = {English}, urldate = {2020-02-25} } LokiBot: dissecting the C&C panel deployments Loki Password Stealer (PWS)

2020-02-06 ⋅ Prevailion ⋅ Danny Adamitis @online{adamitis:20200206:triune:ada8ad3, author = {Danny Adamitis}, title = {{The Triune Threat: MasterMana Returns}}, date = {2020-02-06}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html}, language = {English}, urldate = {2020-04-13} } The Triune Threat: MasterMana Returns Azorult Loki Password Stealer (PWS)

2020-02-02 ⋅ Sophos Labs ⋅ Sean Gallagher, Markel Picado @online{gallagher:20200202:agent:81dd245, author = {Sean Gallagher and Markel Picado}, title = {{Agent Tesla amps up information stealing attacks}}, date = {2020-02-02}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2021/02/02/agent-tesla-amps-up-information-stealing-attacks/}, language = {English}, urldate = {2021-02-04} } Agent Tesla amps up information stealing attacks Agent Tesla

2020-01-19 ⋅ 360 ⋅ kate @online{kate:20200119:bayworld:2cc2212, author = {kate}, title = {{BayWorld event, Cyber Attack Against Foreign Trade Industry}}, date = {2020-01-19}, organization = {360}, url = {https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/}, language = {English}, urldate = {2020-02-03} } BayWorld event, Cyber Attack Against Foreign Trade Industry Azorult Formbook Nanocore RAT Revenge RAT

2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:gold:cf5f9e4, author = {SecureWorks}, title = {{GOLD GALLEON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-galleon}, language = {English}, urldate = {2020-05-23} } GOLD GALLEON Agent Tesla HawkEye Keylogger Pony Predator The Thief

2019-12-28 ⋅ Paul Burbage @online{burbage:20191228:tale:2e5f361, author = {Paul Burbage}, title = {{The Tale of the Pija-Droid Firefinch}}, date = {2019-12-28}, url = {https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2}, language = {English}, urldate = {2020-02-14} } The Tale of the Pija-Droid Firefinch Loki Password Stealer (PWS)

2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko @online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech

2019-10-28 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli @online{ramilli:20191028:sweed:bce7adf, author = {Marco Ramilli}, title = {{SWEED Targeting Precision Engineering Companies in Italy}}, date = {2019-10-28}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/}, language = {English}, urldate = {2019-12-17} } SWEED Targeting Precision Engineering Companies in Italy Loki Password Stealer (PWS)

2019-09-26 ⋅ Proofpoint ⋅ Bryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team @online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-02-26} } New WhiteShadow downloader uses Microsoft SQL to retrieve malware WhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos

2019-08-10 ⋅ Check Point ⋅ Omer Gull @online{gull:20190810:select:56061b1, author = {Omer Gull}, title = {{SELECT code_execution FROM * USING SQLite;}}, date = {2019-08-10}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/}, language = {English}, urldate = {2020-02-09} } SELECT code_execution FROM * USING SQLite; Azorult Loki Password Stealer (PWS) Pony

2019-07-15 ⋅ Cisco Talos ⋅ Edmund Brumaghin @online{brumaghin:20190715:sweed:9725699, author = {Edmund Brumaghin}, title = {{SWEED: Exposing years of Agent Tesla campaigns}}, date = {2019-07-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html}, language = {English}, urldate = {2020-01-08} } SWEED: Exposing years of Agent Tesla campaigns Agent Tesla Formbook Loki Password Stealer (PWS) SWEED

2019-06-12 ⋅ Cyberbit ⋅ Hod Gavriel @online{gavriel:20190612:formbook:8dc2df9, author = {Hod Gavriel}, title = {{Formbook Research Hints Large Data Theft Attack Brewing}}, date = {2019-06-12}, organization = {Cyberbit}, url = {https://www.cyberbit.com/formbook-research-hints-large-data-theft-attack-brewing/}, language = {English}, urldate = {2020-08-21} } Formbook Research Hints Large Data Theft Attack Brewing Formbook

2019-05-02 ⋅ Usual Suspect RE ⋅ Johann Aydinbas @online{aydinbas:20190502:formbook:d1ef715, author = {Johann Aydinbas}, title = {{FormBook - Hiding in plain sight}}, date = {2019-05-02}, organization = {Usual Suspect RE}, url = {https://usualsuspect.re/article/formbook-hiding-in-plain-sight}, language = {English}, urldate = {2020-01-13} } FormBook - Hiding in plain sight Formbook

2019-04-05 ⋅ Trustwave ⋅ Phil Hay, Rodel Mendrez @online{hay:20190405:spammed:82cb5e3, author = {Phil Hay and Rodel Mendrez}, title = {{Spammed PNG file hides LokiBot}}, date = {2019-04-05}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spammed-png-file-hides-lokibot/}, language = {English}, urldate = {2022-08-15} } Spammed PNG file hides LokiBot Loki Password Stealer (PWS)

2019-01 ⋅ Virus Bulletin ⋅ Gabriela Nicolao @online{nicolao:201901:inside:a4c68f3, author = {Gabriela Nicolao}, title = {{Inside Formbook infostealer}}, date = {2019-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/}, language = {English}, urldate = {2019-12-18} } Inside Formbook infostealer Formbook

2018-12-05 ⋅ Botconf ⋅ Rémi Jullian @techreport{jullian:20181205:formbook:40cf2ad, author = {Rémi Jullian}, title = {{FORMBOOK In-depth malware analysis}}, date = {2018-12-05}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf}, language = {English}, urldate = {2019-12-17} } FORMBOOK In-depth malware analysis Formbook

2018-12-04 ⋅ Brad Duncan @online{duncan:20181204:malspam:8e2d810, author = {Brad Duncan}, title = {{Malspam pushing Lokibot malware}}, date = {2018-12-04}, url = {https://isc.sans.edu/diary/24372}, language = {English}, urldate = {2019-10-29} } Malspam pushing Lokibot malware Loki Password Stealer (PWS)

2018-11-01 ⋅ Peerlyst ⋅ Sudhendu @online{sudhendu:20181101:how:582221a, author = {Sudhendu}, title = {{How to Analyse FormBook - A New Malware-as-a-Service}}, date = {2018-11-01}, organization = {Peerlyst}, url = {https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent}, language = {English}, urldate = {2019-12-17} } How to Analyse FormBook - A New Malware-as-a-Service Formbook

2018-10-16 ⋅ Peerlyst ⋅ Sudhendu @online{sudhendu:20181016:how:8aa1eed, author = {Sudhendu}, title = {{How to understand FormBook - A New Malware-as-a-Service}}, date = {2018-10-16}, organization = {Peerlyst}, url = {https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu?}, language = {English}, urldate = {2020-01-09} } How to understand FormBook - A New Malware-as-a-Service Formbook

2018-08-29 ⋅ Kaspersky Labs ⋅ Tatyana Shcherbakova @online{shcherbakova:20180829:loki:c239728, author = {Tatyana Shcherbakova}, title = {{Loki Bot: On a hunt for corporate passwords}}, date = {2018-08-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/loki-bot-stealing-corporate-passwords/87595/}, language = {English}, urldate = {2019-12-20} } Loki Bot: On a hunt for corporate passwords Loki Password Stealer (PWS)

2018-08-02 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, David Fuertes, Josh Grunzweig, Kyle Wilhoit @online{falcone:20180802:gorgon:06112b1, author = {Robert Falcone and David Fuertes and Josh Grunzweig and Kyle Wilhoit}, title = {{The Gorgon Group: Slithering Between Nation State and Cybercrime}}, date = {2018-08-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/}, language = {English}, urldate = {2019-12-20} } The Gorgon Group: Slithering Between Nation State and Cybercrime Loki Password Stealer (PWS) Nanocore RAT NjRAT Quasar RAT Remcos Revenge RAT

2018-07-06 ⋅ Github (d00rt) ⋅ d00rt @techreport{d00rt:20180706:lokibot:6508667, author = {d00rt}, title = {{LokiBot Infostealer Jihacked Version}}, date = {2018-07-06}, institution = {Github (d00rt)}, url = {https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf}, language = {English}, urldate = {2020-01-10} } LokiBot Infostealer Jihacked Version Loki Password Stealer (PWS)

2018-06-22 ⋅ InQuest ⋅ Aswanda @online{aswanda:20180622:formbook:ce3c98b, author = {Aswanda}, title = {{FormBook stealer: Data theft made easy}}, date = {2018-06-22}, organization = {InQuest}, url = {http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/}, language = {English}, urldate = {2020-01-09} } FormBook stealer: Data theft made easy Formbook

2018-06-20 ⋅ Cisco Talos ⋅ Warren Mercer, Paul Rascagnères @online{mercer:20180620:my:9c08115, author = {Warren Mercer and Paul Rascagnères}, title = {{My Little FormBook}}, date = {2018-06-20}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/06/my-little-formbook.html}, language = {English}, urldate = {2020-01-06} } My Little FormBook Formbook

2018-04-18 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam @online{researchteam:20180418:gold:c342756, author = {Counter Threat Unit ResearchTeam}, title = {{GOLD GALLEON: How a Nigerian Cyber Crew Plunders the Shipping Industry}}, date = {2018-04-18}, organization = {Secureworks}, url = {https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry}, language = {English}, urldate = {2021-06-01} } GOLD GALLEON: How a Nigerian Cyber Crew Plunders the Shipping Industry Agent Tesla HawkEye Keylogger Pony GOLD GALLEON

2018-04-05 ⋅ Fortinet ⋅ Xiaopeng Zhang @online{zhang:20180405:analysis:a048b77, author = {Xiaopeng Zhang}, title = {{Analysis of New Agent Tesla Spyware Variant}}, date = {2018-04-05}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html}, language = {English}, urldate = {2019-11-26} } Analysis of New Agent Tesla Spyware Variant Agent Tesla

2018-03-29 ⋅ Stormshield ⋅ Rémi Jullian @online{jullian:20180329:indepth:badef63, author = {Rémi Jullian}, title = {{In-depth Formbook malware analysis – Obfuscation and process injection}}, date = {2018-03-29}, organization = {Stormshield}, url = {https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/}, language = {English}, urldate = {2020-01-10} } In-depth Formbook malware analysis – Obfuscation and process injection Formbook

2018-01-29 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez @online{kremez:20180129:lets:450880d, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting FormBook Infostealer Malware: Crypter & "RunLib.dll"}}, date = {2018-01-29}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html}, language = {English}, urldate = {2020-01-10} } Let's Learn: Dissecting FormBook Infostealer Malware: Crypter & "RunLib.dll" Formbook

2018-01-12 ⋅ Stormshield ⋅ Rémi Jullian @online{jullian:20180112:analyzing:572a942, author = {Rémi Jullian}, title = {{Analyzing an Agent Tesla campaign: from a word document to the attacker credentials}}, date = {2018-01-12}, organization = {Stormshield}, url = {https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/}, language = {English}, urldate = {2019-07-10} } Analyzing an Agent Tesla campaign: from a word document to the attacker credentials Agent Tesla

2017-12-19 ⋅ Lastline ⋅ Andy Norton @online{norton:20171219:novel:2a852a7, author = {Andy Norton}, title = {{Novel Excel Spreadsheet Attack Launches Password Stealing Malware Loki Bot}}, date = {2017-12-19}, organization = {Lastline}, url = {https://www.lastline.com/blog/password-stealing-malware-loki-bot/}, language = {English}, urldate = {2020-01-13} } Novel Excel Spreadsheet Attack Launches Password Stealing Malware Loki Bot Loki Password Stealer (PWS)

2017-10-05 ⋅ FireEye ⋅ Nart Villeneuve, Randi Eitzman, Sandor Nemes, Tyler Dean @online{villeneuve:20171005:significant:0b91e49, author = {Nart Villeneuve and Randi Eitzman and Sandor Nemes and Tyler Dean}, title = {{Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea}}, date = {2017-10-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html}, language = {English}, urldate = {2019-12-20} } Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea Formbook

2017-09-25 ⋅ Palo Alto Networks Unit 42 ⋅ Jeff White @online{white:20170925:analyzing:92167ce, author = {Jeff White}, title = {{Analyzing the Various Layers of AgentTesla’s Packing}}, date = {2017-09-25}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/}, language = {English}, urldate = {2019-12-20} } Analyzing the Various Layers of AgentTesla’s Packing Agent Tesla

2017-09-20 ⋅ NetScout ⋅ Dennis Schwarz @online{schwarz:20170920:formidable:654d8e3, author = {Dennis Schwarz}, title = {{The Formidable FormBook Form Grabber}}, date = {2017-09-20}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/}, language = {English}, urldate = {2019-07-09} } The Formidable FormBook Form Grabber Formbook

2017-06-28 ⋅ Fortinet ⋅ Xiaopeng Zhang @online{zhang:20170628:indepth:51d37ec, author = {Xiaopeng Zhang}, title = {{In-Depth Analysis of A New Variant of .NET Malware AgentTesla}}, date = {2017-06-28}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr}, language = {English}, urldate = {2020-01-08} } In-Depth Analysis of A New Variant of .NET Malware AgentTesla Agent Tesla

2017-06-22 ⋅ SANS Institute Information Security Reading Room ⋅ Rob Pantazopoulos @online{pantazopoulos:20170622:lokibot:cb24973, author = {Rob Pantazopoulos}, title = {{Loki-Bot: InformationStealer, Keylogger, &More!}}, date = {2017-06-22}, organization = {SANS Institute Information Security Reading Room}, url = {https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850}, language = {English}, urldate = {2019-07-11} } Loki-Bot: InformationStealer, Keylogger, &More! Loki Password Stealer (PWS)

2017-05-17 ⋅ Fortinet ⋅ Xiaopeng Zhang, Hua Liu @online{zhang:20170517:new:15004ed, author = {Xiaopeng Zhang and Hua Liu}, title = {{New Loki Variant Being Spread via PDF File}}, date = {2017-05-17}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file}, language = {English}, urldate = {2020-01-05} } New Loki Variant Being Spread via PDF File Loki Password Stealer (PWS)

2017-05-07 ⋅ R3MRUM ⋅ R3MRUM @online{r3mrum:20170507:lokibot:5a6975d, author = {R3MRUM}, title = {{Loki-Bot: Come out, come out, wherever you are!}}, date = {2017-05-07}, organization = {R3MRUM}, url = {https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/}, language = {English}, urldate = {2020-01-12} } Loki-Bot: Come out, come out, wherever you are! Loki Password Stealer (PWS)

2017-05-05 ⋅ Github (R3MRUM) ⋅ R3MRUM @online{r3mrum:20170505:lokiparse:c8a2916, author = {R3MRUM}, title = {{loki-parse}}, date = {2017-05-05}, organization = {Github (R3MRUM)}, url = {https://github.com/R3MRUM/loki-parse}, language = {English}, urldate = {2019-11-29} } loki-parse Loki Password Stealer (PWS)

2017-03-23 ⋅ Cofense ⋅ Cofense @online{cofense:20170323:tales:cbdee9a, author = {Cofense}, title = {{Tales from the Trenches: Loki Bot Malware}}, date = {2017-03-23}, organization = {Cofense}, url = {https://phishme.com/loki-bot-malware/}, language = {English}, urldate = {2019-12-02} } Tales from the Trenches: Loki Bot Malware Loki Password Stealer (PWS)

2017-02-16 ⋅ Cysinfo ⋅ Winston M @online{m:20170216:nefarious:a0ed57b, author = {Winston M}, title = {{Nefarious Macro Malware drops “Loki Bot” to steal sensitive information across GCC countries!}}, date = {2017-02-16}, organization = {Cysinfo}, url = {https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/}, language = {English}, urldate = {2019-10-23} } Nefarious Macro Malware drops “Loki Bot” to steal sensitive information across GCC countries! Loki Password Stealer (PWS)

2016-08 ⋅ Zscaler ⋅ Deepen Desai @online{desai:201608:agent:d527844, author = {Deepen Desai}, title = {{Agent Tesla Keylogger delivered using cybersquatting}}, date = {2016-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting}, language = {English}, urldate = {2019-11-26} } Agent Tesla Keylogger delivered using cybersquatting Agent Tesla

2016-06 ⋅ Safety First Blog ⋅ SL4ID3R @online{sl4id3r:201606:form:53a7823, author = {SL4ID3R}, title = {{Form Grabber 2016 [Crome,FF,Opera,Thunderbird, Outlook IE Safari] Hack the world}}, date = {2016-06}, organization = {Safety First Blog}, url = {http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html}, language = {English}, urldate = {2019-11-26} } Form Grabber 2016 [Crome,FF,Opera,Thunderbird, Outlook IE Safari] Hack the world Formbook

---

Credits: MISP Project