Aeternum C2: The Takedown Resistant Botnet Using Blockchain

Cybersecurity researchers have revealed details about a new botnet loader called Aeternum C2, which uses a blockchain-based command and control (C2) infrastructure to resist takedown efforts. Instead of relying on traditional servers or domains, Aeternum stores its instructions on the public Polygon blockchain, making its C2 infrastructure permanent and resistant to conventional takedown methods.

Aeternum C2: A New Generation of Crimeware

The Aeternum C2 botnet operates as a native C++ loader available in x32 and x64 builds. It works by writing commands addressed to infected hosts into smart contracts on the Polygon blockchain; infected bots retrieve these commands by querying public remote procedure call (RPC) endpoints. ...

February 26, 2026 · Comfidentia

Analysis of a Multi-Stage Infection Chain: From Obfuscated JScript to Remcos RAT

This article presents a detailed analysis of a recent malware campaign that uses advanced obfuscation techniques to evade detection. The infection chain begins with a JScript script attached to a phishing email and culminates in the download of Remcos RAT. The analysis focuses on the obfuscation techniques used and on how to disassemble each stage of the attack.

Phishing Campaign and First Stage of Infection

The campaign was distributed via phishing emails impersonating a legitimate Czech company. Although the email contained credible visual elements, it failed DMARC/SPF checks, which would likely have caused most mail servers to quarantine it. ...

February 23, 2026 · Comfidentia

New Cyber Espionage Campaign Targets Indian Users with Multi-Stage Blackmoon Backdoor

Cybersecurity researchers have uncovered an ongoing cyber espionage campaign specifically targeting users in India. The attack uses a multi-stage backdoor and leverages sophisticated evasion techniques to achieve persistent access to and data exfiltration from compromised systems.

Initial Attack Vector and Malicious Payloads

The campaign begins with phishing emails that impersonate the Income Tax Department of India. These emails trick victims into downloading a malicious archive file. The ultimate objective of the threat actors is to deploy a variant of the Blackmoon (also known as KRBanker) banking trojan and to repurpose a legitimate enterprise tool, SyncFuture TSM (Terminal Security Management), for espionage. ...

January 26, 2026 · Comfidentia

PeckBirdy: A Versatile Script Framework Used by China-Aligned APT Groups

This report details two threat campaigns using the PeckBirdy JavaScript framework, attributed to China-aligned advanced persistent threat (APT) actors. The campaigns, provisionally named SHADOW-VOID-044 and SHADOW-EARTH-045, demonstrate the increasing sophistication and adaptability of these groups.

Analysis of the SHADOW-VOID-044 Campaign

The SHADOW-VOID-044 campaign has been linked to the UNC3569 threat actor with moderate to high confidence, based on overlapping TTPs and victims.

- Link to UNC3569: Observed use of the GRAYRABBIT backdoor, previously associated with UNC3569. The Command and Control (C&C) server center.myrnicrosoft.com is the same one used by UNC3569, and the campaign target (the Chinese gaming industry) matches the known targets of this actor. The GRAYRABBIT implementation in this campaign uses a DLL sideloading technique combined with the UuidFromStringA PowerShell function.
- Link to TheWizard: The campaign also deployed the HOLODONUT backdoor. Some HOLODONUT samples connected to the same C&C server (mkdmcdn.com) used by the APT group TheWizard. TheWizard has also used the DarkNimbus backdoor, associated with the Earth Minotaur actor.
- Stolen Certificate: SHADOW-VOID-044 used a Cobalt Strike sample signed with a certificate stolen from a South Korean game company. This same certificate was used in the BIOPASS RAT campaign, linked to the actor Earth Lusca.
- Infection Detection Technique: The BIOPASS RAT and MKDOOR campaigns employ a technique to verify infection: they open a local HTTP server on a high port so that a watering hole attack script can scan for it and confirm the presence of the backdoor on the host.

Analysis of the SHADOW-EARTH-045 Campaign

This campaign focused on a Filipino educational institution in July 2024. ...

January 26, 2026 · Comfidentia

CERT-UA Details New Cyber Attacks Against Ukrainian Defense Forces

Ukraine’s Computer Emergency Response Team (CERT-UA) has revealed details of a series of new cyberattacks targeting its defense forces and state institutions. These attacks, which took place between October and December 2025, involve various intrusion techniques and several malware families, including one known as PLUGGYAPE.

PLUGGYAPE Attacks Attributed to Void Blizzard

Among the most notable attacks are those distributing the PLUGGYAPE malware, attributed with “medium confidence” to the Russian hacking group Void Blizzard (also known as Laundry Bear or UAC-0190), active since at least April 2024. ...

January 14, 2026 · Comfidentia

Abuse of TLS Callbacks in DLLs for Detection Evasion

What Are TLS Callbacks?

Thread Local Storage (TLS) is a Windows operating system mechanism that allows each thread in a process to have its own copy of specific variables. To support this, Windows PE (Portable Executable) files contain a TLS directory (IMAGE_TLS_DIRECTORY). This directory not only describes where the TLS data is stored and its size, but also includes a list of callback functions. TLS callbacks are an execution mechanism that allows code to run automatically when a process or thread starts, even before the program’s normal entry point (main or WinMain for EXEs, or DllMain for DLLs) is reached. ...

December 20, 2025 · Comfidentia

CastleLoader MaaS Used by Various Threat Actors: The Expansion of GrayBravo

Recent research has revealed the existence of four distinct threat activity groups that are leveraging a malware loader known as CastleLoader. This evidence reinforces the previous assessment that the tool is offered to other cybercriminals under a malware-as-a-service (MaaS) model. The threat actor behind CastleLoader has been identified by Recorded Future’s Insikt Group as GrayBravo, previously tracked as TAG-150.

GrayBravo’s Profile

GrayBravo is a threat actor characterized by:

- Rapid development cycles.
- Technical sophistication.
- Responsiveness to public reports.
- An expansive and constantly evolving infrastructure.

Tools and Frameworks

GrayBravo’s toolset includes several key pieces of malware: ...

December 9, 2025 · Comfidentia

Intellexa's Predator Spyware Attacks Pakistani Lawyer; Technical Details and Vulnerabilities Revealed

A joint investigation by Amnesty International, Haaretz, Inside Story and Inside IT has revealed that a human rights lawyer from Balochistan province, Pakistan, was the target of Intellexa’s Predator spyware. This incident marks the first time that a member of civil society in Pakistan has been targeted by this surveillance tool. The attack was carried out using a suspicious link sent via WhatsApp, which Amnesty International identified as an “attempted Predator attack” based on its technical behavior and characteristics. ...

December 5, 2025 · Comfidentia

Salty2FA and Tycoon2FA: The Emergence of Hybrid Phishing and Its Implications for Detection

Phishing kits typically have distinctive signatures in their delivery methods and infrastructure, which makes attribution easier. However, analysts have recently observed an overlap between two phishing kits, Salty2FA and Tycoon2FA, marking a significant change that complicates detection. ANY.RUN observed a sudden drop in Salty2FA activity, followed by the appearance of Tycoon2FA indicators within Salty attack chains. Eventually, unique payloads were detected that combined code from both frameworks. This convergence weakens kit-specific detection rules and gives threat actors more leeway to evade early detection. ...

December 3, 2025 · Comfidentia