Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.”
Since April 2022, Cisco Talos has been tracking a malicious campaign operated by the espionage-motivated Arid Viper advanced persistent threat (APT) group targeting Arabic-speaking Android users.
Cisco Talos assesses with high confidence that YoroTrooper, an espionage-focused threat actor first active in June 2022, likely consists of individuals from Kazakhstan based on their use of Kazakh currency and fluency in Kazakh and Russian.
The threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails.
Cisco Talos has discovered a new intrusion set we're calling "ShroudedSnooper," consisting of two new implants, "HTTPSnoop" and "PipeSnoop," targeting telecommunications firms in the Middle East.
Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware including PhoenixMiner and lolMiner on infected machines.
SapphireStealer appears to be delivered as part of a multi-stage infection process, with threat actors leveraging open-source malware downloaders like FUD-Loader to deliver SapphireStealer to potential victims.
Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of its attacks, as opposed to strictly employing them in the post-compromise phase.