Latest Update25/11/2024

Threats Feed

  1. Public

    BadBlood Campaign: TA453 Targets US and Israeli Medical Research Professionals

    In late 2020, the Iranian-nexus threat actor TA453 launched a credential phishing campaign called BadBlood, targeting senior medical professionals in genetic, neurology, and oncology research in the United States and Israel. The campaign deviates from the group's usual activity and may indicate a shift in TA453's targeting priorities. The attackers used spearphishing emails with links to a fake OneDrive site to harvest user credentials, potentially to exfiltrate email contents or use compromised accounts for further phishing campaigns.

    read more about BadBlood Campaign: TA453 Targets US and Israeli Medical Research Professionals
  2. Public

    Automated Scripts Used in Microsoft Exchange ProxyShell Attack By PHOSPHORUS

    In December 2021, PHOSPHORUS exploited the Microsoft Exchange ProxyShell vulnerabilities, using web shells to gain initial access and execute code. The attack closely resembled their previous attacks and due to previous reports and OSINT research, DFIR believes with medium to high confidence that this intrusion would have ended in ransomware. The attackers established persistence through scheduled tasks and a newly created account, and after enumerating the environment, disabled LSA protection and dumped LSASS process memory. The entire attack was likely scripted out, as evidenced by the user agent strings and the similarity between commands.

    read more about Automated Scripts Used in Microsoft Exchange ProxyShell Attack By PHOSPHORUS
  3. Public

    Unwrapping Charming Kitten's Holiday Phishing Campaign

    During the 2021 Christmas holidays, Iranian state-backed hackers Charming Kitten initiated a targeted phishing campaign against individuals, focusing on personal and business emails. The group used public-facing applications, such as Google services, to redirect victims through a chain of legitimate services, helping bypass security layers in email services and obfuscate their operations. They employed various fake domains and developed custom phishing pages to target a range of online services, collecting sensitive data and emails from victims.

    read more about Unwrapping Charming Kitten's Holiday Phishing Campaign
  4. Public

    Phosphorus Targets Munich Security Conference and T20 Summit Attendees

    The Iranian threat actor Phosphorus targeted potential attendees of the Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia through a series of cyberattacks. The attackers sent spoofed email invitations to former government officials, policy experts, academics, and leaders from non-governmental organizations. Their goal was intelligence collection, and they successfully compromised several high-profile individuals' accounts.

    read more about Phosphorus Targets Munich Security Conference and T20 Summit Attendees
  5. Public

    Magic Hound Strikes Saudi Arabia with Spearphishing and PowerShell Attacks

    The report details the Magic Hound cyber campaign targeting primarily Saudi Arabia. The campaign leveraged spearphishing emails with malicious attachments and links, PowerShell scripts, Windows Command Shell, and obfuscation techniques like XOR and Base64 encoding. Additionally, the attackers utilized HTTP and HTTPS protocols for command and control communication.

    read more about Magic Hound Strikes Saudi Arabia with Spearphishing and PowerShell Attacks