New Cyber Espionage Campaign Targets Indian Users with Multi-Stage Blackmoon Backdoor

Cybersecurity researchers have uncovered an ongoing cyber espionage campaign specifically targeting users in India. The attack utilizes a multi-stage backdoor and leverages sophisticated evasion techniques to achieve persistent access and data exfiltration from compromised systems.

Initial Attack Vector and Malicious Payloads

The campaign begins with phishing emails that impersonate the Income Tax Department of India. These emails trick victims into downloading a malicious archive file. The ultimate objective of the threat actors is to deploy a variant of the Blackmoon (also known as KRBanker) banking trojan and repurpose a legitimate enterprise tool, SyncFuture TSM (Terminal Security Management), for espionage purposes. ...

January 26, 2026 · Comfidentia

Water Saci Threat Actor Evolves Tactics to Deploy Banking Trojan via WhatsApp

The threat actor Water Saci is evolving its tactics, now employing a sophisticated infection chain that uses HTA files and PDFs to propagate a worm. This worm deploys a banking trojan via WhatsApp, targeting users in Brazil. The attackers have shifted from PowerShell to a Python-based variant to spread malware via WhatsApp Web. The new multi-format attack chain uses AI to convert propagation scripts, enabling Water Saci to bypass security controls, exploit user trust, and increase infection rates. Users receive messages on WhatsApp with malicious PDF or HTA attachments, which activate the infection chain and drop a banking trojan. The infection chain involves: ...

December 3, 2025 · Comfidentia