Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.


Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

2024-12-13
China_linked_APT_Targets_Southeast_Asia
MEDIUM
Intel Source: Symantec
Intel Name: China_linked_APT_Targets_Southeast_Asia
Date of Scan: 2024-12-13
Impact: MEDIUM
Summary:
Threat actors linked to China-based APT groups have targeted several high-profile organizations in Southeast Asia since October 2023, including government ministries, an air traffic control body, a telecoms company, and a media outlet. These attacks appear to be focused on intelligence gathering. The attackers employ a mix of open-source and living-off-the-land tools, including a proxy tool called Rakshasa and DLL sideloading techniques used by the APT group Earth Baku (APT41). Their tactics involve using remote access tools to execute commands, install keyloggers, password collectors, reverse proxy tools, and custom DLLs to intercept login credentials and maintain access to compromised systems.
Source: https://www.security.com/threat-intelligence/china-southeast-asia-espionage#APT
2024-12-12
Rise_of_Remcos_RAT_in_Q3_2024
LOW
Intel Source: McAfee
Intel Name: Rise_of_Remcos_RAT_in_Q3_2024
Date of Scan: 2024-12-12
Impact: LOW
Summary:
Researchers from McAfee Labs have observed a considerable increase in the Remcos RAT threat in Q3 2024, indicating that it is a major cybersecurity concern. This malware, which is usually distributed through phishing emails and malicious attachments, allows attackers to remotely manipulate affected devices, aiding espionage, data theft, and system manipulation. Remcos RAT's rising sophistication highlights the necessity of knowing its methods and implementing strong cybersecurity measures, such as regular updates, email filtering, and network monitoring, to reduce its impact and preserve critical data.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-stealthy-stalker-remcos-rat/
2024-12-12
AIZ_Network_Targets_Retail_and_Crypto
MEDIUM
Intel Source: Silent Push
Intel Name: AIZ_Network_Targets_Retail_and_Crypto
Date of Scan: 2024-12-12
Impact: MEDIUM
Summary:
Researchers at Silent Push have discovered a large-scale phishing and pig-butchering network known as "Aggressive Inventory Zombies" (AIZ), which targeted major retail companies and cryptocurrency audiences. The effort impersonates organizations such as Etsy, Amazon, BestBuy, and Wayfair, using a popular website template and integrated chat services for phishing purposes.
Source: https://www.silentpush.com/blog/aiz-retail-crypto-phishing/?utm_source=rss&utm_medium=rss&utm_campaign=aiz-retail-crypto-phishing
2024-12-12
Advanced_Snake_Keylogger_Variant
LOW
Intel Source: ANY.RUN
Intel Name: Advanced_Snake_Keylogger_Variant
Date of Scan: 2024-12-12
Impact: LOW
Summary:
Researchers from ANY.RUN have discovered a new variant of the Snake Keylogger family, known as "Nova," that displays enhanced evasion strategies and expanded data exfiltration capabilities. Snake Keylogger, a .NET-based malware family discovered in 2020, is well-known for credential theft and keylogging via phishing campaigns. Nova, developed in VB.NET, uses obfuscation and evasion techniques such as the Net Reactor Obfuscator and process hollowing to avoid detection.
Source: https://any.run/cybersecurity-blog/nova-keylogger-malware-analysis/
2024-12-07
Cobalt_Strike_Infrastructure_Exposed
LOW
Intel Source: Hunt.IO
Intel Name: Cobalt_Strike_Infrastructure_Exposed
Date of Scan: 2024-12-07
Impact: LOW
Summary:
Researchers from Hunt.IO have discovered a network of suspicious infrastructure running Cobalt Strike 4.10, the latest version released in July 2024. Despite efforts to prevent unauthorized use, threat actors continue to leverage its post-exploitation capabilities. The servers bear a distinct watermark shared by only five other IP addresses worldwide. Domains related to these servers, initially discovered on November 19, imitate well-known brands, indicating a focused phishing operation.
Source: https://hunt.io/blog/rare-watermark-links-cobalt-strike-team-servers-to-ongoing-suspicious-activity
2024-12-06
Malware_Campaign_Targets_Manufacturing_Industry
LOW
Intel Source: Cyble
Intel Name: Malware_Campaign_Targets_Manufacturing_Industry
Date of Scan: 2024-12-06
Impact: LOW
Summary:
Researchers from Cyble have discovered a sophisticated malware campaign targeted at the manufacturing industry. To circumvent typical security systems and remotely execute payloads, the attackers employ a misleading LNK file disguised as a PDF and exploit several Living-off-the-Land Binaries (LOLBins), such as ssh.exe, powershell.exe, and mshta.exe.
Source: https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/
2024-12-06
Data_Exfiltration_via_Formbook_Moalware
LOW
Intel Source: Cofense
Intel Name: Data_Exfiltration_via_Formbook_Moalware
Date of Scan: 2024-12-06
Impact: LOW
Summary:
Researchers from Cofense have discovered a phishing campaign in which attackers imitate legitimate HR communication about year-end leave approvals. The email, with the subject line "Mandatory Leave Notice for all employees", uses professional language to lure employees into clicking a malicious link that claims the recipient's leave request has been approved. Clicking the link downloads a .zip file containing an Excel (.xls) document themed around Christmas leave schedules; opening it deploys Formbook malware, which steals sensitive information from the victim.
Source: https://cofense.com/blog/end-of-year-pto-days-off-and-data-exhilaration-with-formbook
2024-12-06
Meeten_Malware
LOW
Intel Source: Cado Security Labs
Intel Name: Meeten_Malware
Date of Scan: 2024-12-06
Impact: LOW
Summary:
Researchers at Cado Security Labs have uncovered a scam targeting Web3 professionals with crypto-stealing malware called Realst, which runs on both macOS and Windows. The scam is operated by a fake company called Meetio, which frequently changes its name and has previously been called Clusee, Cuesee, and Meeten. The scammers lure victims through Telegram with fake business opportunities and then convince them to download a fake meeting app called Meeten from their website, which installs the Realst info-stealer to access cryptocurrency wallets and sensitive information. Their websites also contain malicious JavaScript that can steal crypto directly from web browsers, even without the victim downloading any malware.
Source: https://www.cadosecurity.com/blog/meeten-malware-threat
2024-12-05
DarkNimbus_Backdoor_Targets_Multiple_Platforms
LOW
Intel Source: Trend Micro
Intel Name: DarkNimbus_Backdoor_Targets_Multiple_Platforms
Date of Scan: 2024-12-05
Impact: LOW
Summary:
Researchers from Trend Micro have discovered that the Earth Minotaur threat organization is using the MOONSHINE exploit kit to exploit vulnerabilities in Android messaging apps, primarily targeting the Tibetan and Uyghur groups. MOONSHINE, which has been updated with new capabilities compared to the 2019 version, has been deployed on over 55 servers and is used to distribute the recently found DarkNimbus backdoor. This backdoor, which also has a Windows variant, shows Earth Minotaur's cross-platform attack strategy, affecting both Android and Windows devices.
Source: https://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html
2024-12-05
BlueAlpha_Abuses_Cloudflare_Tunneling_Service
LOW
Intel Source: Recorded Future
Intel Name: BlueAlpha_Abuses_Cloudflare_Tunneling_Service
Date of Scan: 2024-12-05
Impact: LOW
Summary:
Researchers at Insikt Group have uncovered an ongoing cyber-espionage campaign operated by a Russian threat actor called BlueAlpha. The group has been active since 2014 and frequently targets Ukrainian organizations and individuals. BlueAlpha uses spearphishing emails with malicious attachments to infect victims with its malware families, such as GammaDrop, GammaLoad, GammaSteel, and Pterodo. These are capable of stealing data, capturing credentials, and maintaining long-term access to compromised systems. The group uses advanced tactics such as HTML smuggling to deliver malware via VBScript and leverages Cloudflare Tunnels to stage its malware.
Source: https://go.recordedfuture.com/hubfs/reports/cta-ru-2024-1205.pdf

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.


Why Security Content Matters

Learn how Securonix is paving the way to make precise, and actionable security content a reality for our customers.