Volexity

February 17, 2025

Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication

Volexity has observed multiple Russian threat actors conducting social-engineering and spear-phishing campaigns targeting organizations with the ultimate goal of compromising Microsoft 365 accounts via Device Code Authentication phishing.

BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA

Volexity discovered and reported a vulnerability in Fortinet's Windows VPN client, FortiClient, where user credentials remain in process memory after a user authenticates to the VPN. This vulnerability was abused by BrazenBamboo.

Pakistani Hackers Use DISGOMOJI Malware to Target Indian Government

The threat actor uses a malware called DISGOMOJI, written in Golang, to infect Linux systems. DISGOMOJI is a modified version of Discord-C2, utilizing emojis for its command and control communication through Discord.

Kimsuky APT Deploys Clever Mail-Stealing Browser Extension Called SHARPEXT

This actor is believed to be North Korean in origin and is often publicly referred to under the name Kimsuky. The definition of which threat activity comprises Kimsuky is a matter of debate amongst threat intelligence analysts.

Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS

Once deployed, Gimmick is launched either as a daemon or in the form of a customized application that's engineered to impersonate a program frequently launched by the targeted user.
December 8, 2021

XE Group – Exposed: 8 Years of Hacking & Card Skimming for Profit

Since 2020, Volexity has identified multiple hacks related to a lesser-known criminal threat actor that refers to itself as "XE Group." Volexity believes that XE Group is likely of Vietnamese origin.
August 25, 2021

North Korean BLUELIGHT Special: InkySquid Deploys RokRAT

BLUELIGHT malware was discovered being delivered to a victim alongside RokRAT. RokRAT is a backdoor previously attributed to use by ScarCruft/APT37, which is also known as InkySquid.

North Korean APT InkySquid Infects Victims Using Browser Exploits

Volexity attributes the compromise of the Daily NK website to a threat actor it refers to as InkySquid, which broadly corresponds to an activity known publicly under the monikers ScarCruft and APT37.

Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant

In the latest activity identified by Volexity, the Evil Eye threat actor used an open source framework called IRONSQUIRREL to launch their exploit chain.

Targeted attacks using Fake Flash against Tibetans

Unlike strategic web compromises of the past, this attack activity did not rely on or use exploits. Instead, the attackers relied on enticing targeted users to install an “update to Adobe Flash”.
