Morphisec

NTLM Privilege Escalation: The Unpatched Microsoft Vulnerabilities No One is Talking About

The Microsoft Outlook application in particular has become a primary target for initial access due to its frequent and often silent network connections, which can trigger unintended NTLM authentication.

Sticky Werewolf's Latest Malicious Aviation Attacks Discovered

Sticky Werewolf sent phishing emails to targets in the aerospace and defense sector, pretending to be from a Moscow-based firm involved in aircraft production. The emails contained archive files with LNK files pointing to a payload on WebDAV servers.

Breaking Boundaries: Mispadu's Infiltration Beyond LATAM

Recently, Morphisec Labs identified a significant increase in activity linked to the Mispadu banking trojan. Initially concentrated on LATAM countries and Spanish-speaking individuals, Mispadu has broadened its scope in the latest campaign.

New Chaes Malware Variant Targeting Financial and Logistics Customers

This new variant, primarily targeting logistics and financial sectors, has undergone significant changes, including being rewritten in Python, enhanced communication protocols, and new modules.

GuLoader Campaign Targets Law Firms in the US

The GuLoader malware campaign uses a multi-stage infection chain, including a PDF lure, a GuLoader VBScript, and obfuscated PowerShell scripts, to deliver the Remcos RAT.

in2al5d p3in4er is Almost Completely Undetectable

The component that makes Aurora’s delivery stealthy and dangerous is a highly evasive loader we named “in2al5d p3in4er.” It is compiled with Embarcadero RAD Studio and targets endpoint workstations using an advanced anti-VM technique.

New SYS01stealer Threat Uses Facebook Ads to Target Critical Infrastructure Firms

Morphisec has tracked an advanced info-stealer called SYS01stealer since November 2022. It uses similar lures and loading techniques to another information stealer recently named S1deload by Bitdefender, but the actual payload is different.

ProxyShellMiner Campaign Creating Dangerous Backdoors

As the name suggests, ProxyShellMiner exploits the ProxyShell vulnerabilities CVE-2021-34473 and CVE-2021-34523 in Windows Exchange servers for initial access and compromise of an organization to deliver crypto miners.

Babuk Ransomware Variant in Major New Attack

Attackers used a new Babuk strain to target a multibillion-dollar manufacturing company with more than 10,000 workstations and server devices. The attackers had network access for two weeks of full reconnaissance prior to launching their attack.

NFT-001 Malware Gets New Staged Downloader with Improved Evasion Abilities

The threat actor has now switched from the Babadeda crypter to a new staged downloader while using the same delivery infrastructure as before. The new downloader adds increased defense evasion abilities to this malware.
