UNC1878 (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

UNC1878 (Back to overview)

UNC1878 is a financially motivated threat actor that monetizes network access via the deployment of RYUK ransomware. Earlier this year, Mandiant published a blog on a fast-moving adversary deploying RYUK ransomware, UNC1878. Shortly after its release, there was a significant decrease in observed UNC1878 intrusions and RYUK activity overall almost completely vanishing over the summer. But beginning in early fall, Mandiant has seen a resurgence of RYUK along with TTP overlaps indicating that UNC1878 has returned from the grave and resumed their operations.

Associated Families

win.grimagent win.ryuk win.trickbot win.bazarbackdoor win.cobalt_strike

References

2022-11-21 ⋅ Palo Alto Networks Unit 42 ⋅ Kristopher Russo
Threat Assessment: Luna Moth Callback Phishing Campaign
BazarBackdoor Conti

2022-11-03 ⋅ Github (chronicle) ⋅ Chronicle
GCTI Open Source Detection Signatures
Cobalt Strike Sliver

2022-11-03 ⋅ paloalto Netoworks: Unit42 ⋅ Durgesh Sangvikar, Chris Navarrete, Matthew Tennis, Yanhui Jia, Yu Fu, Siddhart Shibiraj
Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild
Cobalt Strike

2022-10-31 ⋅ Cynet ⋅ Max Malyutin
Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware
Black Basta Cobalt Strike QakBot

2022-10-31 ⋅ paloalto Netoworks: Unit42 ⋅ Or Chechik
Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure
Dridex Kronos TrickBot Zeus

2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Loki Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm

2022-10-03 ⋅ Check Point ⋅ Marc Salinas Fernandez
Bumblebee: increasing its capacity and evolving its TTPs
BumbleBee Cobalt Strike Meterpreter Sliver Vidar

2022-09-26 ⋅ The DFIR Report ⋅ The DFIR Report
BumbleBee: Round Two
BumbleBee Cobalt Strike Meterpreter

2022-09-25 ⋅ YouTube (Arda Büyükkaya) ⋅ Arda Büyükkaya
Cobalt Strike Shellcode Loader With Rust (YouTube)
Cobalt Strike

2022-09-13 ⋅ AdvIntel ⋅ Advanced Intelligence
AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022
Conti Cobalt Strike Emotet Ryuk TrickBot

2022-09-12 ⋅ The DFIR Report ⋅ The DFIR Report
Dead or Alive? An Emotet Story
Cobalt Strike Emotet

2022-09-07 ⋅ cyble ⋅ Cyble
Bumblebee Returns With New Infection Technique
BumbleBee Cobalt Strike

2022-09-07 ⋅ Google ⋅ Pierre-Marc Bureau, Google Threat Analysis Group
Initial access broker repurposing techniques in targeted attacks against Ukraine
AnchorMail Cobalt Strike IcedID

2022-09-06 ⋅ INCIBE-CERT ⋅ INCIBE
Estudio del análisis de Nobelium
BEATDROP BOOMBOX Cobalt Strike EnvyScout Unidentified 099 (APT29 Dropbox Loader) VaporRage

2022-09-06 ⋅ cocomelonc ⋅ cocomelonc
Malware development tricks: parent PID spoofing. Simple C++ example.
Cobalt Strike Konni

2022-09-06 ⋅ CISA ⋅ US-CERT, FBI, CISA, MS-ISAC
Alert (AA22-249A) #StopRansomware: Vice Society
Cobalt Strike Empire Downloader FiveHands HelloKitty SystemBC Zeppelin

2022-09-06 ⋅ Didier Stevens ⋅ Didier Stevens
An Obfuscated Beacon – Extra XOR Layer
Cobalt Strike

2022-09-01 ⋅ Trend Micro ⋅ Trend Micro
Ransomware Spotlight Black Basta
Black Basta Cobalt Strike MimiKatz QakBot

2022-08-31 ⋅ Fourcore ⋅ Hardik Manocha
Ryuk Ransomware: History, Timeline, And Adversary Simulation
Ryuk

2022-08-25 ⋅ SentinelOne ⋅ Jim Walter
BlueSky Ransomware | AD Lateral Movement, Evasion and Fast Encryption Put Threat on the Radar
BlueSky Cobalt Strike JuicyPotato

2022-08-22 ⋅ Microsoft ⋅ Microsoft
Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk

2022-08-19 ⋅ nccgroup ⋅ Ross Inman
Back in Black: Unlocking a LockBit 3.0 Ransomware Attack
FAKEUPDATES Cobalt Strike LockBit

2022-08-18 ⋅ Trustwave ⋅ Pawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket

2022-08-18 ⋅ NSFOCUS ⋅ NSFOCUS
New APT group MURENSHARK investigative report: Torpedoes hit Turkish Navy
Cobalt Strike

2022-08-18 ⋅ IBM ⋅ Charlotte Hammond, Ole Villadsen
From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers
BumbleBee Karius Ramnit TrickBot Vawtrak

2022-08-18 ⋅ Group-IB ⋅ Nikita Rostovtsev
APT41 World Tour 2021 on a tight schedule
Cobalt Strike

2022-08-18 ⋅ Sophos ⋅ Sean Gallagher
Cookie stealing: the new perimeter bypass
Cobalt Strike Meterpreter MimiKatz Phoenix Keylogger Quasar RAT

2022-08-17 ⋅ Cybereason ⋅ Cybereason Global SOC Team
Bumblebee Loader – The High Road to Enterprise Domain Control
BumbleBee Cobalt Strike

2022-08-15 ⋅ SentinelOne ⋅ Vikram Navali
Detecting a Rogue Domain Controller – DCShadow Attack
MimiKatz TrickBot

2022-08-12 ⋅ SANS ISC ⋅ Brad Duncan
Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
Cobalt Strike DarkVNC IcedID

2022-08-11 ⋅ SecurityScorecard ⋅ Robert Ames
The Increase in Ransomware Attacks on Local Governments
BlackCat BlackCat Cobalt Strike LockBit

2022-08-11 ⋅ Malcat ⋅ malcat team
LNK forensic and config extraction of a cobalt strike beacon
Cobalt Strike

2022-08-10 ⋅ Weixin ⋅ Red Raindrop Team
Operation(верность) mercenary: a torrent of steel trapped in the plains of Eastern Europe
BumbleBee Cobalt Strike

2022-08-08 ⋅ The DFIR Report ⋅ The DFIR Report
BumbleBee Roasts Its Way to Domain Admin
BumbleBee Cobalt Strike

2022-08-04 ⋅ YouTube (Arda Büyükkaya) ⋅ Arda Büyükkaya
LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool
Cobalt Strike LockBit

2022-08-03 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware
BazarBackdoor BumbleBee Cobalt Strike Conti

2022-08-02 ⋅ Cisco Talos ⋅ Asheer Malhotra, Vitor Ventura
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
Manjusaka Cobalt Strike Manjusaka

2022-07-30 ⋅ cocomelonc
Malware AV evasion - part 8. Encode payload via Z85
Agent Tesla Carbanak Carberp Cardinal RAT Cobalt Strike donut_injector

2022-07-28 ⋅ SentinelOne ⋅ Júlio Dantas, James Haughom, Julien Reisdorffer
Living Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool
Cobalt Strike LockBit

2022-07-27 ⋅ cyble ⋅ Cyble Research Labs
Targeted Attacks Being Carried Out Via DLL SideLoading
Cobalt Strike QakBot

2022-07-27 ⋅ ReversingLabs ⋅ Joseph Edwards
Threat analysis: Follina exploit fuels 'live-off-the-land' attacks
Cobalt Strike MimiKatz

2022-07-27 ⋅ Trend Micro ⋅ Buddy Tancio, Jed Valderama
Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike
Cobalt Strike GootKit Kronos REvil SunCrypt

2022-07-22 ⋅ Binary Ninja ⋅ Xusheng Li
Reverse Engineering a Cobalt Strike Dropper With Binary Ninja
Cobalt Strike

2022-07-20 ⋅ NVISO Labs ⋅ Sasja Reynaert
Analysis of a trojanized jQuery script: GootLoader unleashed
GootLoader Cobalt Strike

2022-07-20 ⋅ U.S. Cyber Command ⋅ Cyber National Mission Force Public Affairs
Cyber National Mission Force discloses IOCs from Ukrainian networks
Cobalt Strike GraphSteel GrimPlant MicroBackdoor

2022-07-20 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy, Marley Smith
Anatomy of Attack: Truth Behind the Costa Rica Government Ransomware 5-Day Intrusion
Cobalt Strike

2022-07-20 ⋅ Mandiant ⋅ Mandiant Threat Intelligence
Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
Cobalt Strike GraphSteel GrimPlant MicroBackdoor

2022-07-19 ⋅ Palo Alto Networks Unit 42 ⋅ Mike Harbison, Peter Renals
Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive
Cobalt Strike EnvyScout Gdrive

2022-07-18 ⋅ Censys ⋅ Censys
Russian Ransomware C2 Network Discovered in Censys Data
Cobalt Strike MimiKatz PoshC2

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Obscure Serpens
Cobalt Strike Empire Downloader Meterpreter MimiKatz DarkHydrus

2022-07-13 ⋅ Malwarebytes Labs ⋅ Roberto Santos, Hossein Jazi
Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign
Cobalt Strike

2022-07-13 ⋅ Palo Alto Networks Unit 42 ⋅ Chris Navarrete, Durgesh Sangvikar, Yu Fu, Yanhui Jia, Siddhart Shibiraj
Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption
Cobalt Strike

2022-07-11 ⋅ Cert-UA ⋅ Cert-UA
UAC-0056 attack on Ukrainian state organizations using Cobalt Strike Beacon (CERT-UA#4941)
Cobalt Strike

2022-07-07 ⋅ SANS ISC ⋅ Brad Duncan
Emotet infection with Cobalt Strike
Cobalt Strike Emotet

2022-07-07 ⋅ IBM ⋅ Ole Villadsen, Charlotte Hammond, Kat Weinberger
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine
AnchorMail BumbleBee Cobalt Strike IcedID Meterpreter

2022-07-06 ⋅ Cert-UA ⋅ Cert-UA
UAC-0056 cyberattack on Ukrainian state organizations using Cobalt Strike Beacon (CERT-UA#4914)
Cobalt Strike

2022-06-30 ⋅ Trend Micro ⋅ Kenneth Adrian Apostol, Paolo Ronniel Labrador, Mirah Manlapig, James Panlilio, Emmanuel Panopio, John Kenneth Reyes, Melvin Singwa
Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit
Black Basta Cobalt Strike QakBot

2022-06-28 ⋅ Lumen ⋅ Black Lotus Labs
ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks
ZuoRAT Cobalt Strike

2022-06-27 ⋅ Kaspersky ICS CERT ⋅ Artem Snegirev, Kirill Kruglov
Attacks on industrial control systems using ShadowPad
Cobalt Strike PlugX ShadowPad

2022-06-26 ⋅ BushidoToken
Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022
Cobalt Strike CredoMap EnvyScout

2022-06-24 ⋅ Palo Alto Networks Unit 42 ⋅ Mark Lim, Riley Porter
There Is More Than One Way to Sleep: Dive Deep Into the Implementations of API Hammering by Various Malware Families
BazarBackdoor Zloader

2022-06-23 ⋅ cyble ⋅ Cyble Research Labs
Matanbuchus Loader Resurfaces
Cobalt Strike Matanbuchus

2022-06-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
BRONZE STARLIGHT Ransomware Operations Use HUI Loader
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster

2022-06-21 ⋅ McAfee ⋅ Lakshya Mathur
Rise of LNK (Shortcut files) Malware
BazarBackdoor Emotet IcedID QakBot

2022-06-21 ⋅ Cisco Talos ⋅ Flavio Costa, Chris Neal, Guilherme Venere
Avos ransomware group expands with new attack arsenal
AvosLocker Cobalt Strike DarkComet MimiKatz

2022-06-20 ⋅ Cert-UA ⋅ Cert-UA
UAC-0098 group cyberattack on critical infrastructure of Ukraine (CERT-UA#4842)
Cobalt Strike

2022-06-17 ⋅ SANS ISC ⋅ Brad Duncan
Malspam pushes Matanbuchus malware, leads to Cobalt Strike
Cobalt Strike Matanbuchus

2022-06-15 ⋅ AttackIQ ⋅ Jackson Wells, AttackIQ Adversary Research Team
Attack Graph Emulating the Conti Ransomware Team’s Behaviors
BazarBackdoor Conti TrickBot

2022-06-12 ⋅ cocomelonc
Malware development: persistence - part 7. Winlogon. Simple C++ example.
BazarBackdoor Gazer TurlaRPC Turla SilentMoon

2022-06-07 ⋅ cyble ⋅ Cyble
Bumblebee Loader on The Rise
BumbleBee Cobalt Strike

2022-06-07 ⋅ AdvIntel ⋅ Vitali Kremez, Marley Smith, Yelisey Boguslavskiy
BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive
BlackCat BlackCat Cobalt Strike

2022-06-06 ⋅ Trellix ⋅ Trelix
Growling Bears Make Thunderous Noise
Cobalt Strike HermeticWiper WhisperGate

2022-06-04 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien
[QuickNote] CobaltStrike SMB Beacon Analysis
Cobalt Strike

2022-06-03 ⋅ AttackIQ ⋅ Jackson Wells, AttackIQ Adversary Research Team
Attack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group
Cobalt Strike MimiKatz

2022-06-02 ⋅ Mandiant ⋅ Mandiant
TRENDING EVIL Q2 2022
CloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot

2022-06-02 ⋅ Eclypsium ⋅ Eclypsium
Conti Targets Critical Firmware
Conti HermeticWiper TrickBot WhisperGate

2022-06-02 ⋅ Mandiant ⋅ Mandiant Intelligence
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker

2022-06-01 ⋅ Elastic ⋅ Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease
CUBA Ransomware Campaign Analysis
Cobalt Strike Cuba Meterpreter MimiKatz SystemBC

2022-05-27 ⋅ 0ffset Blog ⋅ Chuong Dong
BAZARLOADER: Analysing The Main Loader
BazarBackdoor

2022-05-25 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
SocGholish Campaigns and Initial Access Kit
FAKEUPDATES Blister Cobalt Strike NetSupportManager RAT

2022-05-24 ⋅ The Hacker News ⋅ Florian Goutin
Malware Analysis: Trickbot
Cobalt Strike Conti Ryuk TrickBot

2022-05-24 ⋅ BitSight ⋅ João Batista, Pedro Umbelino, BitSight
Emotet Botnet Rises Again
Cobalt Strike Emotet QakBot SystemBC

2022-05-22 ⋅ R136a1 ⋅ Dominik Reichel
Introduction of a PE file extractor for various situations
Cobalt Strike Matanbuchus

2022-05-20 ⋅ AhnLab ⋅ ASEC
Why Remediation Alone Is Not Enough When Infected by Malware
Cobalt Strike DarkSide

2022-05-20 ⋅ sonatype ⋅ Ax Sharma
New 'pymafka' malicious package drops Cobalt Strike on macOS, Windows, Linux
Cobalt Strike

2022-05-20 ⋅ Cybleinc ⋅ Cyble
Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof Of Concept To Deliver Cobalt-Strike Beacon
Cobalt Strike

2022-05-19 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Bumblebee Malware from TransferXL URLs
BumbleBee Cobalt Strike

2022-05-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT
Wizard Spider In-Depth Analysis
Cobalt Strike Conti

2022-05-17 ⋅ Trend Micro ⋅ Trend Micro Research
Ransomware Spotlight: RansomEXX
LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot

2022-05-12 ⋅ Red Canary ⋅ Tony Lambert, Lauren Podber
Gootloader and Cobalt Strike malware analysis
GootLoader Cobalt Strike

2022-05-12 ⋅ Intel 471 ⋅ Intel 471
What malware to look for if you want to prevent a ransomware attack
Conti BumbleBee Cobalt Strike IcedID Sliver

2022-05-12 ⋅ TEAMT5 ⋅ Leon Chang, Silvia Yeh
The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)
KEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu

2022-05-12 ⋅ Red Canary ⋅ Tony Lambert, Lauren Podber
The Goot cause: Detecting Gootloader and its follow-on activity
GootLoader Cobalt Strike

2022-05-11 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader

2022-05-11 ⋅ NTT ⋅ Ryu Hiyoshi
Operation RestyLink: Targeted attack campaign targeting Japanese companies
Cobalt Strike

2022-05-10 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
A Malware Analysis in RU-AU conflict
Cobalt Strike

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-05-09 ⋅ The DFIR Report ⋅ The DFIR Report
SEO Poisoning – A Gootloader Story
GootLoader LaZagne Cobalt Strike GootKit

2022-05-09 ⋅ TEAMT5 ⋅ TeamT5
Hiding in Plain Sight: Obscuring C2s by Abusing CDN Services
Cobalt Strike

2022-05-09 ⋅ Microsoft Security ⋅ Microsoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot

2022-05-09 ⋅ cocomelonc ⋅ cocomelonc
Malware development: persistence - part 4. Windows services. Simple C++ example.
Anchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu

2022-05-08 ⋅ IronNet ⋅ Michael Leardi, Joey Fitzpatrick, Brent Eskridge
Tracking Cobalt Strike Servers Used in Cyberattacks on Ukraine
Cobalt Strike

2022-05-06 ⋅ Palo Alto Networks Unit 42 ⋅ Chris Navarrete, Durgesh Sangvikar, Yu Fu, Yanhui Jia, Siddhart Shibiraj
Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding
Cobalt Strike

2022-05-06 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft Security Intelligence
Twitter Thread on initial infeciton of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader, CobaltStrike, Lockbit and followed by Hands On Keyboard activity
FAKEUPDATES Blister Cobalt Strike LockBit

2022-05-06 ⋅ The Hacker News ⋅ Ravie Lakshmanan
This New Fileless Malware Hides Shellcode in Windows Event Logs
Cobalt Strike

2022-05-05 ⋅ YouTube (Chris Greer) ⋅ Chris Greer
MALWARE Analysis with Wireshark // TRICKBOT Infection
TrickBot

2022-05-05 ⋅ Cisco Talos ⋅ Jung soo An, Asheer Malhotra, Justin Thattil, Aliza Berk, Kendall McKay
Mustang Panda deploys a new wave of malware targeting Europe
Cobalt Strike Meterpreter PlugX

2022-05-05 ⋅ Intel 471 ⋅ Intel 471
Cybercrime loves company: Conti cooperated with other ransomware gangs
LockBit Maze RagnarLocker Ryuk

2022-05-04 ⋅ Twitter (@felixw3000) ⋅ Felix
Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.
Cobalt Strike IcedID PhotoLoader

2022-05-04 ⋅ Kaspersky ⋅ Denis Legezo
A new secret stash for “fileless” malware
Cobalt Strike

2022-05-03 ⋅ Recorded Future ⋅ Insikt Group
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
Cobalt Strike

2022-05-03 ⋅ Cluster25 ⋅ Cluster25
The Strange Link Between A Destructive Malware And A Ransomware-Gang Linked Custom Loader: IsaacWiper Vs Vatet
Cobalt Strike IsaacWiper PyXie

2022-05-03 ⋅ Recorded Future ⋅ Insikt Group®
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
Cobalt Strike EnvyScout

2022-05-02 ⋅ Cisco Talos ⋅ Kendall McKay, Paul Eubanks, JAIME FILSON
Conti and Hive ransomware operations: Leveraging victim chats for insights
Cobalt Strike Conti Hive

2022-05-02 ⋅ Macnica ⋅ Hiroshi Takeuchi
Attack Campaigns that Exploit Shortcuts and ISO Files
Cobalt Strike

2022-04-29 ⋅ NCC Group ⋅ Mike Stokkel, Nikolaos Totosis, Nikolaos Pantazopoulos
Adventures in the land of BumbleBee – a new malicious loader
BazarBackdoor BumbleBee Conti

2022-04-28 ⋅ Symantec ⋅ Karthikeyan C Kasiviswanathan, Vishal Kamble
Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot

2022-04-28 ⋅ Mandiant ⋅ John Wolfram, Sarah Hawley, Tyler McLellan, Nick Simonian, Anders Vejlby
Trello From the Other Side: Tracking APT29 Phishing Campaigns
Cobalt Strike

2022-04-28 ⋅ PWC ⋅ PWC UK
Cyber Threats 2021: A Year in Retrospect (Annex)
Cobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen

2022-04-27 ⋅ Sentinel LABS ⋅ James Haughom, Júlio Dantas, Jim Walter
LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility
Cobalt Strike LockBit BRONZE STARLIGHT

2022-04-27 ⋅ Sentinel LABS ⋅ James Haughom, Júlio Dantas, Jim Walter
LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility
Cobalt Strike LockBit

2022-04-27 ⋅ Mandiant ⋅ Mandiant
Assembling the Russian Nesting Doll: UNC2452 Merged into APT29
Cobalt Strike Raindrop SUNBURST TEARDROP

2022-04-27 ⋅ Medium elis531989 ⋅ Eli Salem
The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection
BumbleBee TrickBot

2022-04-27 ⋅ Trendmicro ⋅ Trendmicro
IOCs for Earth Berberoka - Windows
AsyncRAT Cobalt Strike PlugX Quasar RAT Earth Berberoka

2022-04-27 ⋅ Trendmicro ⋅ Daniel Lunghi, Jaromír Hořejší
Operation Gambling Puppet
reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka

2022-04-27 ⋅ ANSSI ⋅ ANSSI
LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot

2022-04-26 ⋅ Intel 471 ⋅ Intel 471
Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot

2022-04-26 ⋅ Trend Micro ⋅ Ryan Flores, Stephen Hilt, Lord Alfred Remorin
How Cybercriminals Abuse Cloud Tunneling Services
AsyncRAT Cobalt Strike DarkComet Meterpreter Nanocore RAT

2022-04-25 ⋅ paloalto Networks Unit 42 ⋅ Mark Lim
Defeating BazarLoader Anti-Analysis Techniques
BazarBackdoor

2022-04-25 ⋅ Morphisec ⋅ Morphisec Labs
New Core Impact Backdoor Delivered Via VMware Vulnerability
Cobalt Strike JSSLoader

2022-04-25 ⋅ The DFIR Report ⋅ The DFIR Report
Quantum Ransomware
Cobalt Strike IcedID

2022-04-21 ⋅ ZeroSec ⋅ Andy Gill
Understanding Cobalt Strike Profiles - Updated For Cobalt Strike 4.6
Cobalt Strike

2022-04-20 ⋅ CISA ⋅ CISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader

2022-04-20 ⋅ CISA ⋅ CISA
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet

2022-04-19 ⋅ 0ffset Blog ⋅ Chuong Dong
BAZARLOADER: Unpacking An ISO File Infection
BazarBackdoor

2022-04-19 ⋅ Varonis ⋅ Nadav Ovadia
Hive Ransomware Analysis
Cobalt Strike Hive MimiKatz

2022-04-19 ⋅ Blake's R&D ⋅ bmcder02
Extracting Cobalt Strike from Windows Error Reporting
Cobalt Strike

2022-04-18 ⋅ vanmieghem ⋅ Vincent Van Mieghem
A blueprint for evading industry leading endpoint protection in 2022
Cobalt Strike

2022-04-18 ⋅ RiskIQ ⋅ Jennifer Grob
RiskIQ: Trickbot Rickroll
TrickBot

2022-04-18 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy
Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive

2022-04-18 ⋅ SentinelOne ⋅ James Haughom
From the Front Lines | Peering into A PYSA Ransomware Attack
Chisel Chisel Cobalt Strike Mespinoza

2022-04-17 ⋅ BushidoToken Blog ⋅ BushidoToken
Lessons from the Conti Leaks
BazarBackdoor Conti Emotet IcedID Ryuk TrickBot

2022-04-15 ⋅ Bleeping Computer ⋅ Ionut Ilascu
Karakurt revealed as data extortion arm of Conti cybercrime syndicate
Anchor BazarBackdoor Conti TrickBot

2022-04-15 ⋅ Arctic Wolf ⋅ Arctic Wolf
The Karakurt Web: Threat Intel and Blockchain Analysis Reveals Extension of Conti Business Model
Conti Diavol Ryuk TrickBot

2022-04-14 ⋅ Cynet ⋅ Max Malyutin
Orion Threat Alert: Flight of the BumbleBee
BumbleBee Cobalt Strike

2022-04-13 ⋅ ESET Research ⋅ Jean-Ian Boutin, Tomáš Procházka
ESET takes part in global operation to disrupt Zloader botnets
Cobalt Strike Zloader

2022-04-13 ⋅ Microsoft ⋅ Amy Hogan-Burney
Notorious cybercrime gang’s botnet disrupted
Ryuk Zloader

2022-04-13 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware
BlackMatter Cobalt Strike DarkSide Ryuk Zloader

2022-04-08 ⋅ Infinitum Labs ⋅ Arda Büyükkaya
Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team
Cobalt Strike MimiKatz

2022-04-08 ⋅ ReversingLabs ⋅ Paul Roberts
ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles
Conti Emotet TrickBot

2022-04-07 ⋅ InQuest ⋅ Will MacArthur, Nick Chalard
Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate

2022-04-07 ⋅ splunk ⋅ Splunk Threat Research Team
You Bet Your Lsass: Hunting LSASS Access
Cobalt Strike MimiKatz

2022-04-06 ⋅ TRM Labs ⋅ TRM Labs
TRM Analysis Corroborates Suspected Ties Between Conti and Ryuk Ransomware Groups and Wizard Spider
Conti Ryuk

2022-04-06 ⋅ Github (infinitumlabs) ⋅ Arda Büyükkaya
Karakurt Hacking Team Indicators of Compromise (IOC)
Cobalt Strike

2022-04-05 ⋅ Intel 471 ⋅ Intel 471
Move fast and commit crimes: Conti’s development teams mirror corporate tech
BazarBackdoor TrickBot

2022-04-04 ⋅ Mandiant ⋅ Bryce Abdo, Zander Work, Ioana Teaca, Brendan McKeague
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
Griffon BABYMETAL Carbanak Cobalt Strike JSSLoader Termite

2022-03-31 ⋅ Trellix ⋅ John Fokker, Jambul Tologonov
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot

2022-03-31 ⋅ nccgroup ⋅ Nikolaos Pantazopoulos, Alex Jessop, Simon Biggs, RIFT: Research and Intelligence Fusion Team
Conti-nuation: methods and techniques observed in operations post the leaks
Cobalt Strike Conti QakBot

2022-03-31 ⋅ SC Media ⋅ SC Staff
Novel obfuscation leveraged by Hive ransomware
Cobalt Strike Hive

2022-03-30 ⋅ Prevailion ⋅ Prevailion
Wizard Spider continues to confound
BazarBackdoor Cobalt Strike Emotet

2022-03-30 ⋅ Bleeping Computer ⋅ Bill Toulas
Phishing campaign targets Russian govt dissidents with Cobalt Strike
Unidentified PS 002 (RAT) Cobalt Strike

2022-03-29 ⋅ SentinelOne ⋅ James Haughom, Antonis Terefos, Jim Walter, Jeff Cavanaugh, Nick Fox, Shai Tilias
From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection
Cobalt Strike Hive

2022-03-29 ⋅ Malwarebytes Labs ⋅ Hossein Jazi
New spear phishing campaign targets Russian dissidents
Unidentified PS 002 (RAT) Cobalt Strike

2022-03-28 ⋅ Medium walmartglobaltech ⋅ Jason Reaves
CobaltStrike UUID stager
Cobalt Strike

2022-03-25 ⋅ nccgroup ⋅ Yun Zheng Hu
Mining data from Cobalt Strike beacons
Cobalt Strike

2022-03-25 ⋅ GOV.UA ⋅ State Service of Special Communication and Information Protection of Ukraine (CIP)
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT

2022-03-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
GOLD ULRICK Leaks Reveal Organizational Structure and Relationships
Conti Emotet IcedID TrickBot

2022-03-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Threat Intelligence Executive Report Volume 2022, Number 2
Conti Emotet IcedID TrickBot

2022-03-23 ⋅ splunk ⋅ Shannon Davis
Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk

2022-03-22 ⋅ Red Canary ⋅ Red Canary
2022 Threat Detection Report
FAKEUPDATES Silver Sparrow BazarBackdoor Cobalt Strike GootKit Yellow Cockatoo RAT

2022-03-22 ⋅ NVISO Labs ⋅ Didier Stevens
Cobalt Strike: Overview – Part 7
Cobalt Strike

2022-03-21 ⋅ Threat Post ⋅ Lisa Vaas
Conti Ransomware V. 3, Including Decryptor, Leaked
Cobalt Strike Conti TrickBot

2022-03-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID

2022-03-18 ⋅ Avast ⋅ Martin Hron
Mēris and TrickBot standing on the shoulders of giants
Glupteba Proxy Glupteba TrickBot

2022-03-17 ⋅ Google ⋅ Vladislav Stolyarov, Benoit Sevens
Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Conti EXOTIC LILY

2022-03-17 ⋅ Sophos ⋅ Tilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker

2022-03-17 ⋅ Trend Micro ⋅ Trend Micro Research
Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report
REvil BazarBackdoor Buer IcedID QakBot REvil

2022-03-17 ⋅ Google ⋅ Vladislav Stolyarov, Benoit Sevens, Google Threat Analysis Group
Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Cobalt Strike Conti

2022-03-16 ⋅ SANS ISC ⋅ Brad Duncan
Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot

2022-03-16 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Qakbot infection with Cobalt Strike and VNC activity
Cobalt Strike QakBot

2022-03-16 ⋅ paloalto Netoworks: Unit42 ⋅ Chris Navarrete, Durgesh Sangvikar, Andrew Guan, Yu Fu, Yanhui Jia, Siddhart Shibiraj
Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect
Cobalt Strike

2022-03-16 ⋅ Microsoft ⋅ Microsoft Defender for IoT Research Team, Microsoft Threat Intelligence Center (MSTIC)
Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure
TrickBot

2022-03-15 ⋅ SentinelOne ⋅ Amitai Ben Shushan Ehrlich
Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
Cobalt Strike GraphSteel GrimPlant SaintBear

2022-03-15 ⋅ RiskIQ ⋅ RiskIQ
RiskIQ: Trickbot Abuse of Compromised MikroTik Routers for Command and Control
TrickBot

2022-03-15 ⋅ Prevailion ⋅ Matt Stafford, Sherman Smith
What Wicked Webs We Un-weave
Cobalt Strike Conti

2022-03-14 ⋅ Bleeping Computer ⋅ Bill Toulas
Fake antivirus updates used to deploy Cobalt Strike in Ukraine
Cobalt Strike

2022-03-12 ⋅ Arash's Blog ⋅ Arash Parsa
Analyzing Malware with Hooks, Stomps, and Return-addresses
Cobalt Strike

2022-03-11 ⋅ Cert-UA
Cyberattack on Ukrainian state authorities using the Cobalt Strike Beacon (CERT-UA#4145)
Cobalt Strike

2022-03-10 ⋅ Bleeping Computer ⋅ Bill Toulas
Corporate website contact forms used to spread BazarBackdoor malware
BazarBackdoor

2022-03-09 ⋅ BreachQuest ⋅ Marco Figueroa, Napoleon Bing, Bernard Silvestrini
The Conti Leaks | Insight into a Ransomware Unicorn
Cobalt Strike MimiKatz TrickBot

2022-03-09 ⋅ Abnormal ⋅ Belem Regalado, Rachelle Chouinard
BazarLoader Actors Initiate Contact via Website Contact Forms
BazarBackdoor

2022-03-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu
CISA updates Conti ransomware alert with nearly 100 domain names
BazarBackdoor Cobalt Strike Conti TrickBot

2022-03-08 ⋅ Mandiant ⋅ Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram
Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
KEYPLUG Cobalt Strike LOWKEY

2022-03-07 ⋅ The DFIR Report ⋅ The DFIR Report
2021 Year In Review
Cobalt Strike

2022-03-04 ⋅ Reuters ⋅ Raphael Satter
Details of another big ransomware group 'Trickbot' leak online, experts say
TrickBot

2022-03-04 ⋅ Telsy ⋅ Telsy
Legitimate Sites Used As Cobalt Strike C2s Against Indian Government
Cobalt Strike

2022-03-03 ⋅ Trend Micro ⋅ Trend Micro Research
Cyberattacks are Prominent in the Russia-Ukraine Conflict
BazarBackdoor Cobalt Strike Conti Emotet WhisperGate

2022-03-02 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Conti Ransomware Group Diaries, Part II: The Office
Conti Emotet Ryuk TrickBot

2022-03-02 ⋅ elDiario ⋅ Carlos del Castillo
Cybercrime bosses warn that they will "fight back" if Russia is hacked
Conti Ryuk

2022-03-02 ⋅ Threatpost ⋅ Lisa Vaas
Conti Ransomware Decryptor, TrickBot Source Code Leaked
Conti TrickBot

2022-03-02 ⋅ CyberArk ⋅ CyberArk Labs
Conti Group Leaked!
TeamTNT Conti TrickBot

2022-03-01 ⋅ VX-Underground
Leaks: Conti / Trickbot
Conti TrickBot

2022-03 ⋅ VirusTotal ⋅ VirusTotal
VirusTotal's 2021 Malware Trends Report
Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT

2022-02-26 ⋅ Mandiant ⋅ Mandiant
TRENDING EVIL Q1 2022
KEYPLUG FAKEUPDATES GootLoader BazarBackdoor QakBot

2022-02-25 ⋅ CyberScoop ⋅ Joe Warminsky
TrickBot malware suddenly got quiet, researchers say, but it's hardly the end for its operators
BazarBackdoor Emotet TrickBot

2022-02-24 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien
[QuickNote] Techniques for decrypting BazarLoader strings
BazarBackdoor

2022-02-24 ⋅ Fortinet ⋅ Fred Gutierrez
Nobelium Returns to the Political World Stage
Cobalt Strike

2022-02-24 ⋅ The Record ⋅ Catalin Cimpanu
TrickBot gang shuts down botnet after months of inactivity
TrickBot

2022-02-24 ⋅ The Hacker News ⋅ Ravie Lakshmanan
Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure
BazarBackdoor Emotet TrickBot

2022-02-24 ⋅ Cynet ⋅ Max Malyutin
New Wave of Emotet – When Project X Turns Into Y
Cobalt Strike Emotet

2022-02-24 ⋅ The Hacker News ⋅ Ravie Lakshmanan
TrickBot Gang Likely Shifting Operations to Switch to New Malware
BazarBackdoor Emotet QakBot TrickBot

2022-02-23 ⋅ SophosLabs Uncut ⋅ Andrew Brandt
Dridex bots deliver Entropy ransomware in recent attacks
Cobalt Strike Dridex Entropy

2022-02-23 ⋅ splunk ⋅ Shannon Davis, SURGe
An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk

2022-02-23 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy
24 Hours From Log4Shell to Local Admin: Deep-Dive Into Conti Gang Attack on Fortune 500 (DFIR)
Cobalt Strike Conti

2022-02-23 ⋅ cyber.wtf blog ⋅ Luca Ebach
What the Pack(er)?
Cobalt Strike Emotet

2022-02-22 ⋅ Bankinfo Security ⋅ Matthew J. Schwartz
Cybercrime Moves: Conti Ransomware Absorbs TrickBot Malware
Conti TrickBot

2022-02-22 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
IcedID to Cobalt Strike In Under 20 Minutes
Cobalt Strike IcedID PhotoLoader

2022-02-22 ⋅ Bleeping Computer ⋅ Bill Toulas
Vulnerable Microsoft SQL Servers targeted with Cobalt Strike
Cobalt Strike Kingminer Lemon Duck

2022-02-21 ⋅ ASEC
Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers
Cobalt Strike Lemon Duck

2022-02-21 ⋅ The DFIR Report
Qbot and Zerologon Lead To Full Domain Compromise
Cobalt Strike QakBot

2022-02-20 ⋅ Security Affairs ⋅ Pierluigi Paganini
The Conti ransomware group takes over TrickBot malware operation and plans to replace it with BazarBackdoor malware.
Conti TrickBot

2022-02-20 ⋅ Medium SOCFortress ⋅ SOCFortress
Detecting Cobalt Strike Beacons
Cobalt Strike

2022-02-18 ⋅ Bleeping Computer ⋅ Ionut Ilascu
Conti ransomware gang takes over TrickBot malware operation
Conti TrickBot

2022-02-18 ⋅ Huntress Labs ⋅ Matthew Brennan
Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection
Cobalt Strike

2022-02-16 ⋅ Medium elis531989 ⋅ Eli Salem
Highway to Conti: Analysis of Bazarloader
BazarBackdoor

2022-02-16 ⋅ Check Point Research ⋅ Aliaksandr Trafimchuk, Raman Ladutska
A Modern Ninja: Evasive Trickbot Attacks Customers of 60 High-Profile Companies
TrickBot

2022-02-16 ⋅ Threat Post ⋅ Tara Seals
TrickBot Ravages Customers of Amazon, PayPal and Other Top Brands
TrickBot

2022-02-16 ⋅ Security Onion ⋅ Doug Burks
Quick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08
Cobalt Strike Emotet

2022-02-16 ⋅ Advanced Intelligence ⋅ Yelisey Boguslavskiy
The TrickBot Saga’s Finale Has Aired: Spinoff is Already in the Works
TrickBot

2022-02-15 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
Increase in Emotet Activity and Cobalt Strike Deployment
Cobalt Strike Emotet

2022-02-10 ⋅ Cybereason ⋅ Cybereason Global SOC Team
Threat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot
Cobalt Strike Emotet IcedID QakBot

2022-02-09 ⋅ vmware ⋅ VMWare
Exposing Malware in Linux-Based Multi-Cloud Environments
ACBackdoor BlackMatter DarkSide Erebus HelloKitty Kinsing PLEAD QNAPCrypt RansomEXX REvil Sysrv-hello TeamTNT Vermilion Strike Cobalt Strike

2022-02-08 ⋅ Intel 471 ⋅ Intel 471
PrivateLoader: The first step in many malware schemes
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar

2022-02-02 ⋅ IBM ⋅ Kevin Henson
TrickBot Gang Uses Template-Based Metaprogramming in Bazar Malware
BazarBackdoor TrickBot

2022-02-01 ⋅ Wired ⋅ Matt Burgess
Inside Trickbot, Russia’s Notorious Ransomware Gang
TrickBot

2022-01-31 ⋅ CyberArk ⋅ Arash Parsa
Analyzing Malware with Hooks, Stomps and Return-addresses
Cobalt Strike

2022-01-28 ⋅ Morphisec ⋅ Morphisec Labs
Log4j Exploit Hits Again: Vulnerable Unifi Network Application (Ubiquiti) at Risk
Cobalt Strike

2022-01-27 ⋅ JSAC 2021 ⋅ Hajime Yanagishita, Kiyotaka Tamada, You Nakatsuru, Suguru Ishimaru
What We Can Do against the Chaotic A41APT Campaign
CHINACHOPPER Cobalt Strike HUI Loader SodaMaster

2022-01-26 ⋅ Blackberry ⋅ Ryan Gibson, Codi Starks, Will Ikard
Log4U, Shell4Me
Cobalt Strike

2022-01-25 ⋅ Cynet ⋅ Orion Threat Research and Intelligence Team
Threats Looming Over the Horizon
Cobalt Strike Meterpreter NightSky

2022-01-24 ⋅ IBM ⋅ Michael Gal, Segev Fogel, Itzik Chimino, Limor Kessem, Charlotte Hammond
TrickBot Bolsters Layered Defenses to Prevent Injection Research
TrickBot

2022-01-24 ⋅ The DFIR Report ⋅ The DFIR Report
Cobalt Strike, a Defender’s Guide – Part 2
Cobalt Strike

2022-01-24 ⋅ Kryptos Logic ⋅ Kryptos Logic Vantage Team
Deep Dive into Trickbot's Web Injection
TrickBot

2022-01-22 ⋅ forensicitguy ⋅ Tony Lambert
BazarISO Analysis - Loading with Advpack.dll
BazarBackdoor

2022-01-20 ⋅ Morphisec ⋅ Michael Gorelik
Log4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk
Cobalt Strike

2022-01-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk

2022-01-19 ⋅ Elastic ⋅ Derek Ditch, Daniel Stepanic, Andrew Pease, Seth Goodwin
Extracting Cobalt Strike Beacon Configurations
Cobalt Strike

2022-01-19 ⋅ FBI ⋅ FBI
CU-000161-MW: Indicators of Compromise Associated with Diavol Ransomware
Diavol TrickBot

2022-01-19 ⋅ Elastic ⋅ Derek Ditch, Daniel Stepanic, Andrew Pease, Seth Goodwin
Collecting Cobalt Strike Beacons with the Elastic Stack
Cobalt Strike

2022-01-19 ⋅ Sophos ⋅ Colin Cowie, Mat Gangwer, Stan Andic, Sophos MTR Team
Zloader Installs Remote Access Backdoors and Delivers Cobalt Strike
Cobalt Strike Zloader

2022-01-18 ⋅ Recorded Future ⋅ Insikt Group®
2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot

2022-01-17 ⋅ Trend Micro ⋅ Joseph Chen, Kenney Lu, Gloria Chen, Jaromír Hořejší, Daniel Lunghi, Cedric Pernet
Delving Deep: An Analysis of Earth Lusca’s Operations
BIOPASS Cobalt Strike FunnySwitch JuicyPotato ShadowPad Winnti Earth Lusca

2022-01-16 ⋅ forensicitguy ⋅ Tony Lambert
Analyzing a CACTUSTORCH HTA Leading to Cobalt Strike
CACTUSTORCH Cobalt Strike

2022-01-15 ⋅ MalwareBookReports ⋅ muzi
BazarLoader - Back from Holiday Break
BazarBackdoor

2022-01-15 ⋅ Huntress Labs ⋅ Team Huntress
Threat Advisory: VMware Horizon Servers Actively Being Hit With Cobalt Strike (by DEV-0401)
Cobalt Strike

2022-01-11 ⋅ Cybereason ⋅ Omri Refaeli, Chen Erlich, Ofir Ozer, Niv Yona, Daichi Shimabukuro
Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle

2022-01-11 ⋅ Twitter (@cglyer) ⋅ Christopher Glyer
Thread on DEV-0401, a china based ransomware operator exploiting VMware Horizon with log4shell and deploying NightSky ransomware
Cobalt Strike NightSky

2022-01-11 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
Signed DLL campaigns as a service
Cobalt Strike ISFB Zloader

2022-01-09 ⋅ forensicitguy ⋅ Tony Lambert
Inspecting a PowerShell Cobalt Strike Beacon
Cobalt Strike

2022-01-06 ⋅ Sekoia ⋅ sekoia
NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies
Cobalt Strike EnvyScout

2022-01-02 ⋅ BleepingComputer ⋅ Lawrence Abrams
Malicious CSV text files used to install BazarBackdoor malware
BazarBackdoor

2022 ⋅ Silent Push ⋅ Silent Push
Consequences- The Conti Leaks and future problems
Cobalt Strike Conti

2021-12-29 ⋅ CrowdStrike ⋅ Benjamin Wiley, Falcon OverWatch Team
OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt
Cobalt Strike

2021-12-29 ⋅ Blake's R&D ⋅ Blake
Cobalt Strike DFIR: Listening to the Pipes
Cobalt Strike

2021-12-28 ⋅ Morphus Labs ⋅ Renato Marinho
Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons
Cobalt Strike

2021-12-22 ⋅ Telsy ⋅ Telsy Research Team
Phishing Campaign targeting citizens abroad using COVID-19 theme lures
Cobalt Strike

2021-12-16 ⋅ Red Canary ⋅ The Red Canary Team
Intelligence Insights: December 2021
Cobalt Strike QakBot Squirrelwaffle

2021-12-13 ⋅ The DFIR Report ⋅ The DFIR Report
Diavol Ransomware
BazarBackdoor Conti Diavol

2021-12-10 ⋅ Accenture ⋅ Accenture
Karakurt rises from its lair
Cobalt Strike

2021-12-08 ⋅ Check Point Research ⋅ Raman Ladutska, Aliaksandr Trafimchuk, David Driker, Yali Magiel
When old friends meet again: why Emotet chose Trickbot for rebirth
Emotet TrickBot

2021-12-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Emotet now drops Cobalt Strike, fast forwards ransomware attacks
Cobalt Strike Emotet

2021-12-06 ⋅ Mandiant ⋅ Luke Jenkins, Sarah Hawley, Parnian Najafi, Doug Bienstock, Luis Rocha, Marius Fodoreanu, Mitchell Clarke, Manfred Erjak, Josh Madeley, Ashraf Abdalhalim, Juraj Sucik, Wojciech Ledzion, Gabriella Roncone, Jonathan Leathery, Ben Read, Microsoft Threat Intelligence Center (MSTIC), Microsoft Detection and Response Team (DART)
Suspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)
Cobalt Strike CryptBot

2021-12-06 ⋅ CERT-FR ⋅ CERT-FR
Phishing campaigns by the Nobelium intrusion set
Cobalt Strike

2021-12-03 ⋅ GoSecure ⋅ GoSecure Titan Labs
TrickBot Leverages Zoom Work from Home Interview Malspam, Heaven’s Gate and… Spamhaus?
TrickBot

2021-12-02 ⋅ CERT-FR ⋅ CERT-FR
Phishing Campaigns by the Nobelium Intrusion Set
Cobalt Strike

2021-11-30 ⋅ Symantec ⋅ Symantec Threat Hunter Team
Yanluowang: Further Insights on New Ransomware Threat
BazarBackdoor Cobalt Strike FiveHands

2021-11-29 ⋅ Mandiant ⋅ Tyler McLellan, Brandan Schondorfer
Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again
Cobalt Strike

2021-11-29 ⋅ The DFIR Report ⋅ The DFIR Report
CONTInuing the Bazar Ransomware Story
BazarBackdoor Cobalt Strike Conti

2021-11-23 ⋅ Trend Micro ⋅ Ian Kenefick
BazarLoader Adds Compromised Installers, ISO to Arrival and Delivery Vectors
BazarBackdoor

2021-11-19 ⋅ Trend Micro ⋅ Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar
Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
Cobalt Strike QakBot Squirrelwaffle

2021-11-18 ⋅ Medium 0xchina ⋅ Hamad Alnakal
Malware reverse engineering (Ryuk Ransomware)
Ryuk

2021-11-17 ⋅ Trend Micro ⋅ Mohamed Fahmy, Abdelrhman Sharshar, Sherif Magdy, Ryan Maglaque
Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR
Cobalt Strike Cotx RAT

2021-11-17 ⋅ nviso ⋅ Didier Stevens
Cobalt Strike: Decrypting Obfuscated Traffic – Part 4
Cobalt Strike

2021-11-17 ⋅ Black Hills Information Security ⋅ Kyle Avery
DNS Over HTTPS for Cobalt Strike
Cobalt Strike

2021-11-17 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42
Tweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike
Cobalt Strike QakBot

2021-11-16 ⋅ Malwarebytes ⋅ Malwarebytes Threat Intelligence Team
TrickBot helps Emotet come back from the dead
Emotet TrickBot

2021-11-16 ⋅ Cisco ⋅ Chetan Raghuprasad, Vanja Svajcer, Asheer Malhotra
Attackers use domain fronting technique to target Myanmar with Cobalt Strike
Cobalt Strike

2021-11-16 ⋅ Blackberry ⋅ T.J. O'Leary, Tom Bonner, Marta Janus, Dean Given, Eoin Wickens, Jim Simpson
Finding Beacons in the dark
Cobalt Strike

2021-11-16 ⋅ PC's Xcetra Support ⋅ David Ledbetter
Excel 4 macro code obfuscation
BazarBackdoor

2021-11-16 ⋅ IronNet ⋅ IronNet Threat Research, Morgan Demboski, Joey Fitzpatrick, Peter Rydzynski
How IronNet's Behavioral Analytics Detect REvil and Conti Ransomware
Cobalt Strike Conti IcedID REvil

2021-11-15 ⋅ TRUESEC ⋅ Fabio Viggiani
ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks
Cobalt Strike Conti QakBot

2021-11-13 ⋅ Just Still ⋅ Still Hsu
Threat Spotlight - Domain Fronting
Cobalt Strike

2021-11-12 ⋅ Recorded Future ⋅ Insikt Group®
The Business of Fraud: Botnet Malware Dissemination
Mozi Dridex IcedID QakBot TrickBot

2021-11-12 ⋅ Malwarebytes ⋅ Hossein Jazi
A multi-stage PowerShell based attack targets Kazakhstan
Cobalt Strike

2021-11-11 ⋅ Cynet ⋅ Max Malyutin
A Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation
Cobalt Strike QakBot

2021-11-11 ⋅ SophosLabs Uncut ⋅ Andrew Brandt
BazarLoader ‘call me back’ attack abuses Windows 10 Apps mechanism
BazarBackdoor

2021-11-10 ⋅ AT&T ⋅ Josh Gomez
Stories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!
Cobalt Strike Conti

2021-11-10 ⋅ Sekoia ⋅ Cyber Threat Intelligence team
Walking on APT31 infrastructure footprints
Rekoobe Unidentified ELF 004 Cobalt Strike

2021-11-09 ⋅ Cybereason ⋅ Aleksandar Milenkoski, Eli Salem
THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware
Cobalt Strike Conti

2021-11-05 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42
Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops
BazarBackdoor Cobalt Strike

2021-11-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity

2021-11-03 ⋅ nviso ⋅ Didier Stevens
Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3
Cobalt Strike

2021-11-03 ⋅ Didier Stevens ⋅ Didier Stevens
New Tool: cs-extract-key.py
Cobalt Strike

2021-11-02 ⋅ boschko.ca blog ⋅ Olivier Laflamme
Cobalt Strike Process Injection
Cobalt Strike

2021-11-02 ⋅ Intel 471 ⋅ Intel 471
Cybercrime underground flush with shipping companies’ credentials
Cobalt Strike Conti

2021-11-02 ⋅ unh4ck ⋅ Cyb3rSn0rlax
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2
Cobalt Strike Conti

2021-11-01 ⋅ The DFIR Report ⋅ @iiamaleks, @samaritan_o
From Zero to Domain Admin
Cobalt Strike Hancitor

2021-11-01 ⋅ Accenture ⋅ Heather Larrieu, Curt Wilson, Katrina Hill
Diving into double extortion campaigns
Cobalt Strike MimiKatz

2021-10-29 ⋅ Національна поліція України ⋅ Національна поліція України
Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot

2021-10-29 ⋅ Europol ⋅ Europol
12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot

2021-10-28 ⋅ Department of Justice ⋅ Department of Justice
Russian National (Vladimir Dunaev) Extradited to United States to Face Charges for Alleged Role in Cybercriminal Organization
TrickBot

2021-10-28 ⋅ Department of Justice ⋅ Department of Justice
Indictment: Russian National (Vladimir Dunaev) Extradited to United States to Face Charges for Alleged Role in Cybercriminal Organization
TrickBot

2021-10-27 ⋅ VinCSS ⋅ m4n0w4r, Tran Trung Kien
[RE025] TrickBot ... many tricks
TrickBot

2021-10-27 ⋅ nviso ⋅ Didier Stevens
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2
Cobalt Strike

2021-10-26 ⋅ ANSSI
Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil

2021-10-26 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Mariano Graziano, Nick Mavis
SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike
Cobalt Strike QakBot Squirrelwaffle

2021-10-26 ⋅ unh4ck ⋅ Hamza OUADIA
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1
Cobalt Strike Conti

2021-10-22 ⋅ HUNT & HACKETT ⋅ Krijn de Mik
Advanced IP Scanner: the preferred scanner in the A(P)T toolbox
Conti DarkSide Dharma Egregor Hades REvil Ryuk

2021-10-21 ⋅ nviso ⋅ Didier Stevens
Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1
Cobalt Strike

2021-10-21 ⋅ CrowdStrike ⋅ Alex Clinton, Tasha Robinson
Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign
Cobalt Strike FlawedGrace TinyMet

2021-10-19 ⋅ Kaspersky ⋅ Oleg Kupreev
Trickbot module descriptions
TrickBot

2021-10-18 ⋅ paloalto Netoworks: Unit42 ⋅ Brad Duncan
Case Study: From BazarLoader to Network Reconnaissance
BazarBackdoor Cobalt Strike

2021-10-18 ⋅ Symantec ⋅ Threat Hunter Team
Harvester: Nation-state-backed group uses new toolset to target victims in South Asia
Cobalt Strike Graphon

2021-10-18 ⋅ The DFIR Report ⋅ The DFIR Report
IcedID to XingLocker Ransomware in 24 hours
Cobalt Strike IcedID Mount Locker

2021-10-14 ⋅ Medium walmartglobaltech ⋅ Jason Reaves
Investigation into the state of NIM malware Part 2
Cobalt Strike NimGrabber Nimrev Unidentified 088 (Nim Ransomware)

2021-10-13 ⋅ IBM ⋅ Ole Villadsen, Charlotte Hammond
Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds
BazarBackdoor TrickBot

2021-10-13 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
BlackBerry Shines Spotlight on Evolving Cobalt Strike Threat in New Book
Cobalt Strike

2021-10-12 ⋅ Mandiant ⋅ Alyssa Rahman
Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis
Cobalt Strike

2021-10-11 ⋅ Accenture ⋅ Accenture Cyber Threat Intelligence
Moving Left of the Ransomware Boom
REvil Cobalt Strike MimiKatz RagnarLocker REvil

2021-10-08 ⋅ 0ffset Blog ⋅ Chuong Dong
SQUIRRELWAFFLE – Analysing The Main Loader
Cobalt Strike Squirrelwaffle

2021-10-08 ⋅ Zscaler ⋅ Tarun Dewan, Lenart Brave
New Trickbot and BazarLoader campaigns use multiple delivery vectorsi
BazarBackdoor TrickBot

2021-10-07 ⋅ Netskope ⋅ Gustavo Palazolo, Ghanashyam Satpathy
SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
Cobalt Strike QakBot Squirrelwaffle

2021-10-07 ⋅ Mandiant ⋅ Joshua Shilko, Zach Riddle, Jennifer Brooks, Genevieve Stark, Adam Brunner, Kimberly Goody, Jeremy Kennelly
FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets
BazarBackdoor GRIMAGENT Ryuk

2021-10-07 ⋅ Mandiant ⋅ Mandiant Research Team
FIN12 Group Profile: FIN12 Priotizes Speed to Deploy Ransomware Aginst High-Value Targets
Cobalt Strike Empire Downloader TrickBot

2021-10-06 ⋅ Blackberry ⋅ Blackberry Research
Finding Beacons in the Dark
Cobalt Strike

2021-10-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Drawing a Dragon: Connecting the Dots to Find APT41
Cobalt Strike Ghost RAT

2021-10-05 ⋅ Trend Micro ⋅ Fyodor Yarochkin, Janus Agcaoili, Byron Gelera, Nikko Tamana
Ransomware as a Service: Enabler of Widespread Attacks
Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk

2021-10-04 ⋅ Sophos ⋅ Sean Gallagher, Vikas Singh, Krisztián Diriczi, Kajal Katiyar, Chaitanya Ghorpade, Rahil Shah
Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack
ATOMSILO Cobalt Strike

2021-10-04 ⋅ The DFIR Report ⋅ The DFIR Report
BazarLoader and the Conti Leaks
BazarBackdoor Cobalt Strike Conti

2021-10-04 ⋅ Cisco ⋅ Tiago Pereira
Threat hunting in large datasets by clustering security events
BazarBackdoor TrickBot

2021-10-03 ⋅ Github (0xjxd) ⋅ Joel Dönne
SquirrelWaffle - From Maldoc to Cobalt Strike
Cobalt Strike Squirrelwaffle

2021-10 ⋅ HP ⋅ HP Wolf Security
Threat Insights Report Q3 - 2021
STRRAT CloudEyE NetWire RC Remcos TrickBot Vjw0rm

2021-10-01 ⋅ 0ffset Blog ⋅ Chuong Dong
SQUIRRELWAFFLE – Analysing the Custom Packer
Cobalt Strike Squirrelwaffle

2021-09-30 ⋅ CrowdStrike ⋅ Falcon OverWatch Team
Hunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense
Cobalt Strike

2021-09-30 ⋅ PT Expert Security Center
Masters of Mimicry: new APT group ChamelGang and its arsenal
Cobalt Strike

2021-09-30 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
Masters of Mimicry: new APT group ChamelGang and its arsenal
Cobalt Strike

2021-09-29 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
2021-09-29 (Wednesday) - Hancitor with Cobalt Strike
Cobalt Strike Hancitor

2021-09-29 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
Hancitor with Cobalt Strike
Cobalt Strike Hancitor

2021-09-29 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy
Backup “Removal” Solutions - From Conti Ransomware With Love
Cobalt Strike Conti

2021-09-28 ⋅ Zscaler ⋅ Avinash Kumar, Brett Stone-Gross
Squirrelwaffle: New Loader Delivering Cobalt Strike
Cobalt Strike Squirrelwaffle

2021-09-27 ⋅ Cynet ⋅ Max Malyutin
A Virtual Baffle to Battle Squirrelwaffle
Cobalt Strike Squirrelwaffle

2021-09-26 ⋅ NSFOCUS ⋅ Jie Ji
Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2
Cobalt Strike LockFile

2021-09-24 ⋅ Trend Micro ⋅ Warren Sto.Tomas
Examining the Cring Ransomware Techniques
Cobalt Strike Cring MimiKatz

2021-09-22 ⋅ CISA ⋅ US-CERT
Alert (AA21-265A) Conti Ransomware
Cobalt Strike Conti

2021-09-21 ⋅ Medium elis531989 ⋅ Eli Salem
The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”
Cobalt Strike Squirrelwaffle

2021-09-21 ⋅ GuidePoint Security ⋅ Drew Schmitt
A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike
Cobalt Strike

2021-09-21 ⋅ skyblue.team blog ⋅ skyblue team
Scanning VirusTotal's firehose
Cobalt Strike

2021-09-21 ⋅ Sophos ⋅ Andrew Brandt, Vikas Singh, Shefali Gupta, Krisztián Diriczi, Chaitanya Ghorpade
Cring ransomware group exploits ancient ColdFusion server
Cobalt Strike Cring

2021-09-17 ⋅ Medium inteloperator ⋅ Intel Operator
The default: 63 6f 62 61 6c 74 strike
Cobalt Strike

2021-09-17 ⋅ CrowdStrike ⋅ Falcon OverWatch Team
Falcon OverWatch Hunts Down Adversaries Where They Hide
BazarBackdoor Cobalt Strike

2021-09-17 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike
Cobalt Strike Squirrelwaffle

2021-09-16 ⋅ Medium Shabarkin ⋅ Pavel Shabarkin
Pointer: Hunting Cobalt Strike globally
Cobalt Strike

2021-09-16 ⋅ Twitter (@GossiTheDog) ⋅ Kevin Beaumont
Tweet on some unknown threat actor dropping Mgbot, custom IIS modular backdoor and cobalstrike using exploiting ProxyShell
Cobalt Strike MgBot

2021-09-16 ⋅ RiskIQ ⋅ RiskIQ
Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit
Cobalt Strike Ryuk

2021-09-15 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability
Cobalt Strike

2021-09-14 ⋅ Recorded Future ⋅ Insikt Group®
Full-Spectrum Cobalt Strike Detection
Cobalt Strike

2021-09-13 ⋅ The DFIR Report ⋅ The DFIR Report
BazarLoader to Conti Ransomware in 32 Hours
BazarBackdoor Cobalt Strike Conti

2021-09-12 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
Mapping and Pivoting from Cobalt Strike C2 Infrastructure Attributed to CVE-2021-40444
Cobalt Strike

2021-09-10 ⋅ Gigamon ⋅ Joe Slowik
Rendering Threats: A Network Perspective
Cobalt Strike

2021-09-09 ⋅ Trend Micro ⋅ Trend Micro
Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs
Cobalt Strike

2021-09-08 ⋅ Arash's Blog ⋅ Arash Parsa
Hook Heaps and Live Free
Cobalt Strike

2021-09-07 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara
Cobalt Strike C2 Hunting with Shodan
Cobalt Strike

2021-09-06 ⋅ kienmanowar Blog ⋅ m4n0w4r
Quick analysis CobaltStrike loader and shellcode
Cobalt Strike

2021-09-06 ⋅ Bleeping Computer ⋅ Lawrence Abrams