SWEED  (Back to overview)

Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling "SWEED," including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans. SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that's been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we've seen in the past in the way that it is packed, as well as how it infects the system. In this post, we'll run down each campaign we're able to connect to SWEED, and talk about some of the actor's tactics, techniques and procedures (TTPs).

Associated Families
win.agent_tesla win.formbook win.lokipws

2024-06-06Medium b.magnezi0xMrMagnezi
Agent Tesla Analysis
Agent Tesla
2024-05-14Check Point ResearchAntonis Terefos, Tera0017
Foxit PDF “Flawed Design” Exploitation
Rafel RAT Agent Tesla AsyncRAT DCRat DONOT Nanocore RAT NjRAT Pony Remcos Venom RAT XWorm
Agent Tesla Malware Analysis
Agent Tesla
2024-04-15Positive TechnologiesAleksandr Badaev, Kseniya Naumova
SteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world
LokiBot 404 Keylogger Agent Tesla CloudEyE Formbook Remcos XWorm
2024-04-02Check Point ResearchAntonis Terefos, Raman Ladutska
Agent Tesla Targeting United States & Australia: Revealing the Attackers' Identities
Agent Tesla Bignosa
2024-03-26EchoCTIBilal BAKARTEPE, bixploit
Agent Tesla Technical Analysis Report
Agent Tesla
2024-02-28Security IntelligenceGolo Mühr, Ole Villadsen
X-Force data reveals top spam trends, campaigns and senior superlatives in 2023
404 Keylogger Agent Tesla Black Basta DarkGate Formbook IcedID Loki Password Stealer (PWS) Pikabot QakBot Remcos
2024-02-16Medium b.magnezi0xMrMagnezi
Malware Analysis — AgentTesla
Agent Tesla
2024-02-06Medium osamaellahiOsama Ellahi
Unfolding Agent Tesla: The Art of Credentials Harvesting.
Agent Tesla
2024-02-02StairwellThreat Research at Stairwell
Proactive response: AnyDesk, any breach
Agent Tesla
2024-01-24Medium shaddy43Shayan Ahmed Khan
Layers of Deception: Analyzing the Complex Stages of XLoader 4.3 Malware Evolution
Xloader Formbook
2024-01-09BitSightAndré Tavares
Data Insights on AgentTesla and OriginLogger Victims
Agent Tesla OriginLogger
2024-01-08YouTube (Embee Research)Embee_research
Javascript Malware Analysis - Decoding an AgentTesla Loader
Agent Tesla
2023-12-20ropgadget.comJeff White
The Origin of OriginLogger & Agent Tesla
Agent Tesla OriginLogger
2023-10-12Cluster25Cluster25 Threat Intel Team
CVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting Operations
Agent Tesla Crimson RAT Nanocore RAT SmokeLoader
2023-10-01Infinitum ITKerime Gencay
Agent Tesla Technical Analysis Report (Paywall)
Agent Tesla
2023-09-29IntrinsecCTI Intrinsec, Intrinsec
Ongoing threats targeting the energy industry
Agent Tesla CloudEyE
2023-08-29ViuleeenzAlessandro Strino
Agent Tesla - Building an effective decryptor
Agent Tesla
2023-07-12FortinetCara Lin
LokiBot Campaign Targets Microsoft Office Document Using Vulnerabilities and Macros
Loki Password Stealer (PWS)
2023-07-06kienmanowar Blogm4n0w4r, Tran Trung Kien
[QuickNote] Examining Formbook Campaign via Phishing Emails
2023-06-30Github (itaymigdal)Itay Migdal
Formbook unpacking
2023-06-05Malware Traffic AnalysisBrad Duncan
2023-05-07Twitter (@embee_research)Matthew
AgentTesla - Full Loader Analysis - Resolving API Hashes Using Conditional Breakpoints
Agent Tesla
2023-04-16OALabsSergei Frankoff
Agent Tesla RedLine Stealer
2023-04-10Check PointCheck Point
March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files
Agent Tesla CloudEyE Emotet Formbook Nanocore RAT NjRAT QakBot Remcos Tofsee
2023-04-07ElasticSalim Bitam
Attack chain leads to XWORM and AGENTTESLA
Agent Tesla XWorm
2023-03-30loginsoftSaharsh Agrawal
From Innocence to Malice: The OneNote Malware Campaign Uncovered
Agent Tesla AsyncRAT DOUBLEBACK Emotet Formbook IcedID NetWire RC QakBot Quasar RAT RedLine Stealer XWorm
2023-03-30ZscalerBrett Stone-Gross, Javier Vicente, Nikolaos Pantazopoulos
Technical Analysis of Xloader’s Code Obfuscation in Version 4.3
2023-03-23LogpointAnish Bogati
Emerging Threats: AgentTesla – A Review and Detection Strategies
Agent Tesla
2023-03-16Trend MicroCedric Pernet, Jaromír Hořejší, Loseway Lu
IPFS: A New Data Frontier or a New Cybercriminal Hideout?
Agent Tesla Formbook RedLine Stealer Remcos
XLoader/FormBook: Encryption Analysis and Malware Decryption
2023-01-30CheckpointArie Olshtein
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot
2023-01-24TrellixDaksh Kapur, John Fokker, Robert Venal, Tomer Shloman
Cyberattacks Targeting Ukraine Increase 20-fold at End of 2022 Fueled by Russia-linked Gamaredon Activity
Andromeda Formbook Houdini Remcos
2023-01-16Difesa & SicurezzaFrancesco Bussoletti
Cybercrime, RFQ from Turkey carries AgentTesla and zgRAT
Agent Tesla zgRAT
2022-12-18SANS ISCGuy Bruneau
Infostealer Malware with Double Extension
Agent Tesla
2022-12-08TrustwaveDiana Lopera, Phil Hay, Rodel Mendrez
Trojanized OneNote Document Leads to Formbook Malware
2022-11-21 Threat Intel Report
404 Keylogger Agent Tesla Formbook Hive Remcos
2022-11-16splunkSplunk Threat Research Team
Inside the Mind of a ‘Rat’ - Agent Tesla Detection and Analysis
Agent Tesla
2022-11-09Cisco TalosEdmund Brumaghin
Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns
Agent Tesla
2022-10-13SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-10-05FortinetXiaopeng Zhang
Excel Document Delivers Multiple Malware by Exploiting CVE-2017-11882 – Part II
Formbook RedLine Stealer
2022-09-23KasperskyArtem Ushkov, Roman Dedenok
Mass email campaign with a pinch of targeted spam
Agent Tesla
2022-09-19FortinetXiaopeng Zhang
Excel Document Delivers Multiple Malware By Exploiting CVE-2017-11882 – Part I
Formbook RedLine Stealer
2022-09-15SekoiaThreat & Detection Research Team
PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-09-13Palo Alto Networks Unit 42Jeff White
OriginLogger: A Look at Agent Tesla’s Successor
Agent Tesla OriginLogger
2022-08-29360 netlabwanghao
PureCrypter Loader continues to be active and has spread to more than 10 other families
404 Keylogger Agent Tesla AsyncRAT Formbook RedLine Stealer
2022-08-29360 netlabwanghao
PureCrypter is busy pumping out various malicious malware families
Agent Tesla PureCrypter RedLine Stealer
2022-08-17SecureworksCounter Threat Unit ResearchTeam
DarkTortilla Malware Analysis
Agent Tesla AsyncRAT Cobalt Strike DarkTortilla Nanocore RAT RedLine Stealer
2022-08-08Medium CSIS TechblogBenoît Ancel
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-08-050xIvanTwitter (@viljoenivan)
LokiBot Analysis
Loki Password Stealer (PWS)
2022-08-04ConnectWiseStu Gonzalez
Formbook and Remcos Backdoor RAT by ConnectWise CRU
Formbook Remcos
Malware AV evasion - part 8. Encode payload via Z85
Agent Tesla Carbanak Carberp Cardinal RAT Cobalt Strike donut_injector
Mass distribution of desktops (Formbook, Snake Keylogger) and use of Malware RelicRace/RelicSource as a means of delivery (CERT-UA#5056)
404 Keylogger Formbook RelicRace
Cyberattack on State Organizations of Ukraine using the topic OK "South" and the malicious program AgentTesla (CERT-UA#4987)
Agent Tesla
2022-07-12CyrenKervin Alintanahin
Example Analysis of Multi-Component Malware
Emotet Formbook
2022-07-12Team CymruKyle Krejci
An Analysis of Infrastructure linked to the Hagga Threat Actor
Agent Tesla
Xloader Returns With New Infection Technique
2022-06-30CYBER GEEKS All Things InfosecCyberMasterV
How to Expose a Potential Cybercriminal due to Misconfigurations
Loki Password Stealer (PWS)
2022-06-30Cyber Geeks (CyberMasterV)Vlad Pasca
How to Expose a Potential Cybercriminal due to Misconfigurations
Loki Password Stealer (PWS)
2022-05-19BlackberryThe BlackBerry Research & Intelligence Team
.NET Stubs: Sowing the Seeds of Discord
Agent Tesla Quasar RAT WhisperGate
2022-05-19BlackberryThe BlackBerry Research & Intelligence Team
.NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate
2022-05-12Palo Alto Networks Unit 42Tyler Halfpop
Harmful Help: Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla
Agent Tesla
2022-05-05Malwarebytes LabsThreat Intelligence Team
Nigerian Tesla: 419 scammer gone malware distributor unmasked
Agent Tesla
Malware development: persistence - part 1. Registry run keys. C++ example.
Agent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky
2022-04-17Malcatmalcat team
Reversing a NSIS dropper using quick and dirty shellcode emulation
Loki Password Stealer (PWS)
2022-04-15Center for Internet SecurityCIS
Top 10 Malware March 2022
Mirai Shlayer Agent Tesla Ghost RAT Nanocore RAT SectopRAT solarmarker Zeus
2022-04-12Check PointCheck Point Research
March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance
Alien FluBot Agent Tesla Emotet
2022-03-31APNICDebashis Pal
How to: Detect and prevent common data exfiltration attacks
Agent Tesla DNSMessenger PingBack Rising Sun
2022-03-26forensicitguyTony Lambert
An AgentTesla Sample Using VBA Macros and Certutil
Agent Tesla
2022-03-25GOV.UAState Service of Special Communication and Information Protection of Ukraine (CIP)
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT
2022-03-11NetskopeGustavo Palazolo
New Formbook Campaign Delivered Through Phishing Emails
2022-03-07FortinetFred Gutierrez, James Slaughter, Val Saengphaibul
Fake Purchase Order Used to Deliver Agent Tesla
Agent Tesla
2022-03-07LAC WATCHCyber ​​Emergency Center
Xloader Agent Tesla Formbook Loki Password Stealer (PWS)
2022-03-04BitdefenderAlina Bizga
Bitdefender Labs Sees Increased Malicious and Scam Activity Exploiting the War in Ukraine
Agent Tesla Remcos
2022-03-04Bleeping ComputerBill Toulas
Russia-Ukraine war exploited as lure for malware distribution
Agent Tesla Remcos
2022-02-28AhnLabASEC Analysis Team
Change in Distribution Method of Malware Disguised as Estimate (VBS Script)
2022-02-23Weixin360 Threat Intelligence Center
APT-C-58 (Gorgon Group) attack warning
Agent Tesla
2022-02-11forensicitguyTony Lambert
XLoader/Formbook Distributed by Encrypted VelvetSweatshop Spreadsheets
2022-02-11Cisco TalosTalos
Threat Roundup for February 4 to February 11
DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus
2022-02-06forensicitguyTony Lambert
AgentTesla From RTF Exploitation to .NET Tradecraft
Agent Tesla
2022-02-02QualysGhanshyam More
Catching the RAT called Agent Tesla
Agent Tesla
2022-01-28Atomic Matryoshkaz3r0day_504
Malware Headliners: LokiBot
Loki Password Stealer (PWS)
2022-01-25Palo Alto Networks Unit 42Yaron Samuel
Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies
Agent Tesla
2022-01-24NetskopeGhanashyam Satpathy, Gustavo Palazolo
Infected PowerPoint Files Using Cloud Services to Deliver Multiple Malware
Agent Tesla
DTPacker – a .NET Packer with a Curious Password
Agent Tesla TA2536
2022-01-21ZscalerBrett Stone-Gross, Javier Vicente
Analysis of Xloader’s C2 Network Encryption
Xloader Formbook
2022-01-21MalGamyGameel Ali
Deep Analysis Agent Tesla Malware
Agent Tesla
2022-01-18ElasticAndrew Pease, Daniel Stepanic, Derek Ditch, Seth Goodwin
FORMBOOK Adopts CAB-less Approach
2022-01-12Guillaume Orlando
Malware Analysis - AgentTesla v3
Agent Tesla
2022-01-12Guillaume Orlando
2021 Gorgon Group APT Operation
Agent Tesla
Deep analysis agent tesla malware
Agent Tesla
2022-01-03forensicitguyTony Lambert
A Tale of Two Dropper Scripts for Agent Tesla
Agent Tesla
2021-12-31InfoSec Handlers Diary BlogJan Kopriva
Do you want your Agent Tesla in the 300 MB or 8 kB package?
Agent Tesla
2021-12-30InfoSec Handlers Diary BlogBrad Duncan
Agent Tesla Updates SMTP Data Exfiltration Technique
Agent Tesla
2021-12-20InfoSec Handlers Diary BlogAlef Nula, Jan Kopriva
PowerPoint attachments, Agent Tesla and code reuse in malware
Agent Tesla
2021-12-17YoroiCarmelo Ragusa, Luca Mella, Luigi Martire
Serverless InfoStealer delivered in Est European Countries
Agent Tesla
2021-12-08YouTube ( DuMp-GuY TrIcKsTeR)Jiří Vinopal
Full malware analysis Work-Flow of AgentTesla Malware
Agent Tesla
Agent Tesla
2021-12-02AhnLabASEC Analysis Team
Spreading AgentTesla through more sophisticated malicious PPT
Agent Tesla
2021-11-23HPPatrick Schläpfer
RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild
AdWind Ratty STRRAT CloudEyE Formbook Houdini Panda Stealer Remcos
2021-11-22YouTube ( DuMp-GuY TrIcKsTeR)Jiří Vinopal
Powershell and DnSpy tricks in .NET reversing – AgentTesla [Part1]
Agent Tesla
2021-11-22YouTube ( DuMp-GuY TrIcKsTeR)Jiří Vinopal
Powershell and DnSpy tricks in .NET reversing – AgentTesla [Part2]
Agent Tesla
2021-11-17InfobloxGaetano Pellegrino
Deep Analysis of a Recent Lokibot Attack
Loki Password Stealer (PWS)
2021-11-16YoroiCarmelo Ragusa, Luca Mella, Luigi Martire
Office Documents: May the XLL technique change the threat Landscape in 2022?
Agent Tesla Dridex Formbook
2021-11-12Living CodeDominik Degroot
AgentTesla dropped via NSIS installer
Agent Tesla
2021-11-02InQuestDmitry Melikov
Adults Only Malware Lures
Agent Tesla
2021-10-06zimperiumJordan Herman
Malware Distribution with Mana Tools
Agent Tesla Azorult
2021-09-30BlackberryThe BlackBerry Research & Intelligence Team
Threat Thursday: xLoader Infostealer
Xloader Formbook
2021-09-29Trend MicroAliakbar Zahravi, Kamlapati Choubey, Peter Girnus, William Gamazo Sanchez
FormBook Adds Latest Office 365 0-Day Vulnerability (CVE-2021-40444) to Its Arsenal
REMCOS and Agent Tesla loaded into memory with Rezer0 loader
Agent Tesla Remcos
2021-09-08JuniperPaul Kimayong
Aggah Malware Campaign Expands to Zendesk and GitHub to Host Its Malware
Agent Tesla
AV engines evasion for C++ simple malware: part 2
Agent Tesla Amadey Anchor AnchorMTea Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze
2021-08-25Trend MicroBin Lin, William Gamazo Sanchez
New Campaign Sees LokiBot Delivered Via Multiple Methods
Loki Password Stealer (PWS)
2021-08-23YouTube ( DuMp-GuY TrIcKsTeR)Jiří Vinopal
[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite
CloudEyE Loki Password Stealer (PWS)
2021-08-16Malcatmalcat team
Statically unpacking a simple .NET dropper
Loki Password Stealer (PWS)
2021-07-28RiskIQJennifer Grob, Jordan Herman
Use of XAMPP Web Component to Identify Agent Tesla Infrastructure
Agent Tesla
2021-07-24InfoSec Handlers Diary BlogXavier Mertens
Agent.Tesla Dropped via a .daa Image and Talking to Telegram
Agent Tesla
2021-07-21Quick HealRumana Siddiqui
FormBook Malware Returns: New Variant Uses Steganography and In-Memory Loading of multiple stages to steal data
2021-07-12IBMClaire Zaboeva, Dan Dash, Melissa Frydrych
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-12Cipher Tech SolutionsClaire Zaboeva, Dan Dash, Melissa Frydrych
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-07YouTube ( DuMp-GuY TrIcKsTeR)Jiří Vinopal
[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python
CloudEyE Loki Password Stealer (PWS)
2021-07-06YouTube ( DuMp-GuY TrIcKsTeR)Jiří Vinopal
[1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2
CloudEyE Loki Password Stealer (PWS)
2021-06-29YoroiLuca Mella, Luigi Martire
The "WayBack” Campaign: a Large Scale Operation Hiding in Plain Sight
Agent Tesla Cobian RAT Oski Stealer
2021-06-24BlackberryThe BlackBerry Research and Intelligence Team
Threat Thursday: Agent Tesla Infostealer
Agent Tesla
2021-06-24TrustwaveDiana Lopera
Yet Another Archive Format Smuggling Malware
Agent Tesla
2021-06-11NSFOCUSFuying Laboratory
Nigerian Hacker Organization SWEED is Distributing Phishing Documents Targeting the Logistics Industry
Agent Tesla
LOKIBOT - A commodity malware
Loki Password Stealer (PWS)
2021-06-04FortinetXiaopeng Zhang
Phishing Malware Hijacks Bitcoin Addresses and Delivers New Agent Tesla Variant
Agent Tesla
2021-06-02SophosSean Gallagher
AMSI bypasses remain tricks of the malware trade
Agent Tesla Cobalt Strike Meterpreter
2021-05-18Youtube (AhmedS Kasmani)AhmedS Kasmani
Malware Analysis: Agent Tesla Part 1/2 Extraction of final payload from dropper.
Agent Tesla
2021-05-11VMRayMateusz Lukaszewski, VMRay Labs Team
Threat Bulletin: Exploring the Differences and Similarities of Agent Tesla v2 & v3
Agent Tesla
2021-05-11Twitter (@MsftSecIntel)Microsoft Security Intelligence
Tweet on Snip3 crypter delivering AsyncRAT or AgentTesla
Agent Tesla AsyncRAT
2021-05-07MorphisecNadav Lorber
Revealing the ‘Snip3’ Crypter, a Highly Evasive RAT Loader
Agent Tesla AsyncRAT NetWire RC Revenge RAT
2021-05-05ZscalerAniruddha Dolas, Manohar Ghule, Mohd Sadique
Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats
Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos
2021-04-22FortinetXiaopeng Zhang
Deep Analysis: FormBook New Variant Delivered in Phishing Campaign – Part II
2021-04-21SophosLabs UncutAnand Aijan, Andrew Brandt, Markel Picado, Michael Wood, Sean Gallagher, Sivagnanam Gn, Suriya Natarajan
Nearly half of malware now use TLS to conceal communications
Agent Tesla Cobalt Strike Dridex SystemBC
2021-04-12FortinetXiaopeng Zhang
Deep Analysis: New FormBook Variant Delivered in Phishing Campaign – Part I
2021-04-06InfoSec Handlers Diary BlogJan Kopriva
Malspam with Lokibot vs. Outlook and RFCs
Loki Password Stealer (PWS)
2021-04-04menshaway blogspotMahmoud Morsy
Technical report of AgentTesla
Agent Tesla
2021-03-17HPHP Bromium
Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader
2021-03-11YouTube ( Malware_Analyzing_&_RE_Tips_Tricks)Jiří Vinopal
Formbook Reversing - Part1 [Formbook .NET loader/injector analyzing, decrypting, unpacking, patching]
2021-02-28PWC UKPWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-25MinervaMinerva Labs
Preventing AgentTelsa Infiltration
Agent Tesla
2021-02-12InfoSec Handlers Diary BlogXavier Mertens
AgentTesla Dropped Through Automatic Click in Microsoft Help File
Agent Tesla
2021-02-12TrustwaveDiana Lopera, Rodel Mendrez
The Many Roads Leading To Agent Tesla
Agent Tesla
2021-02-11InfoSec Handlers Diary BlogJan Kopriva
Agent Tesla hidden in a historical anti-malware tool
Agent Tesla
2021-01-21DENEXUSMarkel Picado
Spear Phishing Targeting ICS Supply Chain - Analysis
Agent Tesla
2021-01-11ESET ResearchMatías Porolli
Operation Spalax: Targeted malware attacks in Colombia
Agent Tesla AsyncRAT NjRAT Remcos
2021-01-09Marco Ramilli's BlogMarco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2021-01-06TalosHolger Unterbrink, Irshad Muhammad
A Deep Dive into Lokibot Infection Chain
Loki Password Stealer (PWS)
Threat Profile: GOLD GALLEON
Agent Tesla HawkEye Keylogger Pony GOLD GALLEON
2020-12-21Cisco TalosJON MUNSHAW
2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-12-18Trend MicroJunestherry Salvador, Matthew Camacho, Raphael Centeno
Negasteal Uses Hastebin for Fileless Delivery of Crysis Ransomware
Agent Tesla Dharma
2020-12-15CofenseAaron Riley
Strategic Analysis: Agent Tesla Expands Targeting and Networking Capabilities
Agent Tesla
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-12-07ProofpointProofpoint Threat Research Team
Commodity .NET Packers use Embedded Images to Hide Payloads
Agent Tesla Loki Password Stealer (PWS) Remcos
2020-12-04IndeChris Campbell
Inside a .NET Stealer: AgentTesla
Agent Tesla
2020-12-03TelsyTelsy Research Team
When a false flagdoesn’t work: Exploring the digital-crimeunderground at campaign preparation stage
Agent Tesla
2020-11-27HPAlex Holland
Aggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and Cryptocurrency Stealer
Agent Tesla
2020-11-19SANS ISC InfoSec ForumsXavier Mertens
PowerShell Dropper Delivering Formbook
SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world
Agent Tesla Dridex TrickBot Zloader
2020-11-18G DataG-Data
Business as usual: Criminal Activities in Times of a Global Pandemic
Agent Tesla Nanocore RAT NetWire RC Remcos
2020-11-05tccontre Blogtcontre
Interesting FormBook Crypter - unconventional way to store encrypted data
2020-11-05MorphisecMichael Gorelik
Agent Tesla: A Day in a Life of IR
Agent Tesla
2020-10-16HornetsecurityHornetsecurity Security Lab
VBA Purging Malspam Campaigns
Agent Tesla Formbook
2020-10-05JuniperPaul Kimayong
New pastebin-like service used in multiple malware campaigns
Agent Tesla LimeRAT RedLine Stealer
2020-10-01SpiderLabs BlogDiana Lopera
Evasive URLs in Spam: Part 2
Loki Password Stealer (PWS)
2020-09-03Medium mariohenkelMario Henkel
Decrypting AgentTesla strings and config
Agent Tesla
Win.Trojan.AgentTesla - Malware analysis & threat intelligence report
Agent Tesla
2020-08-26Lab52Jagaimo Kawaii
A twisted malware infection chain
Agent Tesla Loki Password Stealer (PWS)
2020-08-10SeqritePavankumar Chaudhari
Gorgon APT targeting MSME sector in India
Agent Tesla
2020-08-10SentinelOneJim Walter
Agent Tesla | Old RAT Uses New Tricks to Stay on Top
Agent Tesla
2020-07-30SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-07-29ESET Researchwelivesecurity
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
'FormBook Tracker' unveiled on the Dark Web
2020-06-02Lastline LabsJames Haughom, Stefano Ortolani
Evolution of Excel 4.0 Macro Weaponization
Agent Tesla DanaBot ISFB TrickBot Zloader
Revisiting the NSIS-based crypter
2020-05-23InfoSec Handlers Diary BlogXavier Mertens
AgentTesla Delivered via a Malicious PowerPoint Add-In
Agent Tesla
2020-05-22YoroiAntonio Pirozzi, Giacomo d'Onofrio, Luca Mella, Luigi Martire
Cyber-Criminal espionage Operation insists on Italian Manufacturing
Agent Tesla
2020-05-21MalwarebytesMalwarebytes Labs
Cybercrime tactics and techniques
Ave Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC
2020-05-14SophosLabsMarkel Picado
RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2020-04-28Trend MicroMiguel Ang
Loki Info Stealer Propagates through LZH Files
Loki Password Stealer (PWS)
2020-04-16MalwarebytesHossein Jazi
New AgentTesla variant steals WiFi credentials
Agent Tesla
2020-04-15Suraj Malhotra
How Analysing an AgentTesla Could Lead To Attackers Inbox - Part II
Agent Tesla
2020-04-14Palo Alto Networks Unit 42Adrian McCabe, Juan Cortes, Vicky Ray
Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns
Agent Tesla EDA2
2020-04-13Suraj Malhotra
How Analysing an AgentTesla Could Lead To Attackers Inbox - Part I
Agent Tesla
Trojan Agent Tesla – Malware Analysis
Agent Tesla
2020-04-01CiscoAndrea Kaiser, Shyam Sundar Ramaswami
Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot
2020-03-31Click All the Things! BlogJamie
LokiBot: Getting Equation Editor Shellcode
Loki Password Stealer (PWS)
2020-03-24RiskIQWes Smiley
Exploring Agent Tesla Infrastructure
Agent Tesla
2020-03-24AviraAvira Protection Labs
A new technique to analyze FormBook malware infections
2020-03-20BitdefenderLiviu Arsene
5 Times More Coronavirus-themed Malware Reports during March
ostap HawkEye Keylogger Koadic Loki Password Stealer (PWS) Nanocore RAT Remcos
2020-03-18ProofpointAxel F, Sam Scholten
Coronavirus Threat Landscape Update
Agent Tesla Get2 ISFB Remcos
2020-02-26MalwareLab.plMaciej Kotowicz
(Ab)using bash-fu to analyze recent Aggah sample
Agent Tesla
2020-02-14Virus BulletinAditya K. Sood
LokiBot: dissecting the C&C panel deployments
Loki Password Stealer (PWS)
2020-02-06PrevailionDanny Adamitis
The Triune Threat: MasterMana Returns
Azorult Loki Password Stealer (PWS)
2020-02-02Sophos LabsMarkel Picado, Sean Gallagher
Agent Tesla amps up information stealing attacks
Agent Tesla
BayWorld event, Cyber Attack Against Foreign Trade Industry
Azorult Formbook Nanocore RAT Revenge RAT
Agent Tesla HawkEye Keylogger Pony Predator The Thief
2019-12-28Paul Burbage
The Tale of the Pija-Droid Firefinch
Loki Password Stealer (PWS)
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-10-28Marco Ramilli's BlogMarco Ramilli
SWEED Targeting Precision Engineering Companies in Italy
Loki Password Stealer (PWS)
2019-09-26ProofpointBryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
New WhiteShadow downloader uses Microsoft SQL to retrieve malware
WhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos
2019-08-10Check PointOmer Gull
SELECT code_execution FROM * USING SQLite;
Azorult Loki Password Stealer (PWS) Pony
2019-07-15Cisco TalosEdmund Brumaghin
SWEED: Exposing years of Agent Tesla campaigns
Agent Tesla Formbook Loki Password Stealer (PWS) SWEED
2019-06-12CyberbitHod Gavriel
Formbook Research Hints Large Data Theft Attack Brewing
2019-05-02Usual Suspect REJohann Aydinbas
FormBook - Hiding in plain sight
2019-04-05TrustwavePhil Hay, Rodel Mendrez
Spammed PNG file hides LokiBot
Loki Password Stealer (PWS)
2019-01-01Virus BulletinGabriela Nicolao
Inside Formbook infostealer
2018-12-05BotconfRémi Jullian
FORMBOOK In-depth malware analysis
2018-12-04Brad Duncan
Malspam pushing Lokibot malware
Loki Password Stealer (PWS)
How to Analyse FormBook - A New Malware-as-a-Service
How to understand FormBook - A New Malware-as-a-Service
2018-08-29Kaspersky LabsTatyana Shcherbakova
Loki Bot: On a hunt for corporate passwords
Loki Password Stealer (PWS)
2018-08-02Palo Alto Networks Unit 42David Fuertes, Josh Grunzweig, Kyle Wilhoit, Robert Falcone
The Gorgon Group: Slithering Between Nation State and Cybercrime
Loki Password Stealer (PWS) Nanocore RAT NjRAT Quasar RAT Remcos Revenge RAT
2018-07-06Github (d00rt)d00rt
LokiBot Infostealer Jihacked Version
Loki Password Stealer (PWS)
FormBook stealer: Data theft made easy
2018-06-20Cisco TalosPaul Rascagnères, Warren Mercer
My Little FormBook
2018-04-18SecureworksCounter Threat Unit ResearchTeam
GOLD GALLEON: How a Nigerian Cyber Crew Plunders the Shipping Industry
Agent Tesla HawkEye Keylogger Pony GOLD GALLEON
2018-04-05FortinetXiaopeng Zhang
Analysis of New Agent Tesla Spyware Variant
Agent Tesla
2018-03-29StormshieldRémi Jullian
In-depth Formbook malware analysis – Obfuscation and process injection
2018-01-29Vitali Kremez BlogVitali Kremez
Let's Learn: Dissecting FormBook Infostealer Malware: Crypter & "RunLib.dll"
2018-01-12StormshieldRémi Jullian
Analyzing an Agent Tesla campaign: from a word document to the attacker credentials
Agent Tesla
2017-12-19LastlineAndy Norton
Novel Excel Spreadsheet Attack Launches Password Stealing Malware Loki Bot
Loki Password Stealer (PWS)
2017-10-05FireEyeNart Villeneuve, Randi Eitzman, Sandor Nemes, Tyler Dean
Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea
2017-09-25Palo Alto Networks Unit 42Jeff White
Analyzing the Various Layers of AgentTesla’s Packing
Agent Tesla
2017-09-20NetScoutDennis Schwarz
The Formidable FormBook Form Grabber
2017-06-28FortinetXiaopeng Zhang
In-Depth Analysis of A New Variant of .NET Malware AgentTesla
Agent Tesla
2017-06-22SANS Institute Information Security Reading RoomRob Pantazopoulos
Loki-Bot: InformationStealer, Keylogger, &More!
Loki Password Stealer (PWS)
2017-05-17FortinetHua Liu, Xiaopeng Zhang
New Loki Variant Being Spread via PDF File
Loki Password Stealer (PWS)
Loki-Bot: Come out, come out, wherever you are!
Loki Password Stealer (PWS)
2017-05-05Github (R3MRUM)R3MRUM
Loki Password Stealer (PWS)
Tales from the Trenches: Loki Bot Malware
Loki Password Stealer (PWS)
2017-02-16CysinfoWinston M
Nefarious Macro Malware drops “Loki Bot” to steal sensitive information across GCC countries!
Loki Password Stealer (PWS)
2016-08-01ZscalerDeepen Desai
Agent Tesla Keylogger delivered using cybersquatting
Agent Tesla
2016-06-01Safety First BlogSL4ID3R
Form Grabber 2016 [Crome,FF,Opera,Thunderbird, Outlook IE Safari] Hack the world

Credits: MISP Project