
Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Campaigns

Campaign | Description
--- | ---
VPN Vulnerabilities Under Attack - Alert AA20-259A | A threat actor targeted the IT, government, healthcare, financial, insurance, and media sectors across the United States with multiple webshells known as ChunkyTuna, Tiny, and China Chopper. The cyber group focused on exploiting known vulnerabilities in Pulse Secure virtual private network, Citrix NetScaler, and F5 to gain an initial foothold into the network. Persistence, remote access, and data exfiltration were carried out using various tools including a modified version of the open-source FRP...
U.S. Government Networks Under Attack - Alert AA20-258A | A threat actor targeted the United States government sector using commercial and open-source tools including Cobalt Strike, China Chopper, and Mimikatz. The initial infection vector consisted of exploiting known vulnerabilities in F5 Big-IP, Citrix VPN appliances, and Pulse VPN servers. The group also sent spear-phishing emails with malicious links to gain access to the network. The actor collected sensitive information including emails from Microsoft Exchange servers and used proxies to exfiltr...
TA2719 Delivers RATs | The TA2719 threat group distributed the NanoCore and Async remote access trojans to entities located in more than a dozen countries around the world. The attacks started in March 2020 and used emails with either a malicious attachment or link to carry out the initial infection. The emails appeared to come from legitimate organizations and impersonated law enforcement, government, healthcare, finance, and transportation.
Evilnum Unleashes Pyvil RAT | The Evilnum APT has added the RAT to its arsenal as part of a big change-up in its TTPs. The Evilnum group, which specializes in targeting financial technology companies, has debuted a new tool: a Python-based remote access trojan (RAT), dubbed PyVil. The malware's emergence dovetails with a change in the chain of infection and an expansion of infrastructure for the APT. PyVil RAT was compiled with py2exe, which is a Python extension that converts Python scripts into Microsoft Windows executabl...
Salfram Phishing Campaign | Salfram is a recently discovered email phishing campaign that distributes known types of malware, such as Gozi ISFB, ZLoader, SmokeLoader, and AveMaria, to a wide range of companies. Salfram makes use of a company website's contact form to appear legitimate, and delivers a packed binary through a Google Drive link.
KryptoCibule Cryptostealer | KryptoCibule was first discovered in December 2018. This malware is a type of cryptocurrency malware that hijacks transactions, mines coins, and steals sensitive information. It avoids detection using basic anti-analysis techniques, among others.
Qbot's Latest Attack Methods | The Qbot banking trojan was discovered in 2008 and continues to evolve in 2020 with new techniques to spread to targets in the United States and Europe. Multiple sectors were targeted, with most of the entities located in government, manufacturing, insurance, legal, and healthcare. The campaign hijacked and used the victim's emails to spread to others and included a new VBS-based infection method to drop the final payload. The malware also used more than 100 bots to hide network traffic and...
Evolution Of Transparent Tribe Part 2 | The Transparent Tribe threat actor has been in operation since at least 2013 and continues to attack Indian military and government personnel with new and updated malware. In 2020, the group was discovered using a new Android implant to spy on mobile devices and distributed the malicious software using various lures, including the COVID-19 pandemic. The remote access trojan exfiltrates a range of information including screenshots, files, text messages, call logs, contact lists, and device location....
Autodesk 3ds Max Attack | A sophisticated cyberespionage campaign targeted an international architectural and video production company. The threat actor exploited a flaw in Autodesk 3ds Max software to drop a payload which masqueraded as a plugin for the 3D computer graphics application. Defense evasion was carried out by deleting dropped files, modifying timestamps, hiding files and directories, and using uncommon ports to communicate with the command and control server. Various tools were used during the campaign inclu...
Cybersquatting Campaigns | Cybersquatting is a term that refers to the registration of domain names that are similar or appear related to those of an existing service. Cybercriminals often register such domains for phishing attacks. Since 2019, about 13,857 domains have been detected in use in cybersquatting phishing campaigns. Just as in regular phishing attacks, users are tricked into thinking the service is legitimate, and their system will be infected with malware, e.g. a backdoor, trojan, or spyware, that connects t...