Evolution of MuddyWater: New Tools and Tactics in Cyberattacks on Israel and Egypt

ESET researchers have discovered new activities of the Iran-aligned cyber espionage group MuddyWater (also known as Mango Sandstorm or TA450). This campaign primarily targets organizations in Israel and, in one confirmed case, Egypt, showing significant evolution in their technical and tactical evasion capabilities.

Key Aspects of the Campaign

Unlike previous operations, this MuddyWater campaign is more stealthy and sophisticated. ESET highlights the following points: ...

December 26, 2025 · Comfidentia

Kimwolf botnet infects 1.8 million Android TV devices, uses ENS to evade detection

The Kimwolf botnet, a new distributed denial of service (DDoS) threat, has recruited a massive army of at least 1.8 million infected devices, primarily Android-based TVs, set-top boxes, and tablets. According to research by QiAnXin XLab, the botnet is associated with the infamous AISURU botnet.

Kimwolf Threat Summary

Massive reach: Kimwolf has infected 1.8 million devices, primarily Android TV boxes, set-top boxes, and tablets.

Advanced capabilities: In addition to typical DDoS attack capabilities, Kimwolf integrates proxy forwarding, reverse shell, and file management features. It is compiled using the Android NDK (Native Development Kit).

Attack activity: The botnet issued an estimated 1.7 billion DDoS attack commands over a three-day period (November 19-22, 2025).

Primary targets: The most affected devices include popular models such as TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV and MX10. The global spread is notable, with high concentrations in Brazil, India, the USA, Argentina, South Africa and the Philippines.

Ties with the AISURU Botnet and TTPs

XLab research has uncovered significant links between Kimwolf and the AISURU botnet, known for record-breaking DDoS attacks over the past year. Researchers suspect that the same hacking group reused code from AISURU in the early stages of Kimwolf. ...

December 17, 2025 · Comfidentia

GhostFrame: The New Phishing Framework That Has Deceived More Than One Million Users

A new phishing framework called GhostFrame, built around a stealthy iframe architecture, has been linked to more than a million attacks, cybersecurity experts at Barracuda have found. This attack kit distinguishes itself from known Phishing-as-a-Service (PhaaS) offerings by its innovative approach to evasion and deception.

How Does GhostFrame Work?

GhostFrame’s design focuses on a simple HTML file that presents itself as a harmless landing page, while hiding its malicious behavior within an embedded iframe. This structure allows attackers to: ...

December 4, 2025 · Comfidentia

Salty2FA and Tycoon2FA: The Emergence of Hybrid Phishing and Its Implications for Detection

Phishing kits typically have distinctive signatures in their delivery methods and infrastructure, making attribution easier. However, analysts have recently observed an overlap between two phishing kits, Salty2FA and Tycoon2FA, marking a significant change that complicates detection. ANY.RUN observed a sudden drop in Salty2FA activity, followed by the appearance of Tycoon2FA indicators within Salty attack chains. Finally, unique payloads were detected that combined code from both frameworks. This convergence weakens kit-specific detection rules and gives threat actors more leeway to evade early detection. ...

December 3, 2025 · Comfidentia