2024-05-14 (Tuesday): #DarkGate activity. HTML file asks victim to paste script into a run window. Indicators available at bit.ly/4bjvMAC #TimelyThreatIntel #Unit42ThreatIntel #Wireshark #InfectionTraffic
Unit 42
2,983 posts
The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Joined December 2015
- We have tested CVE-2025-24813. Under specific circumstances, an exploit sent to a vulnerable Apache web server running outdated Tomcat software could lead to remote code execution. We used a 2-step method that resulted in a successful attempt. Details at bit.ly/426Njtp
- We are observing active global exploitation of critical Microsoft SharePoint vulns CVE-2025-49704 and CVE-2025-49706. Orgs worldwide are being targeted. Patch immediately. The exploits are real, in-the-wild and pose a serious threat. IoCs we've seen: bit.ly/4kQZS2e
- Today, we exposed "BendyBear," one of the most sophisticated, well-engineered and difficult-to-detect samples of shellcode employed by an APT, says the Unit 42 researcher who analyzed it. bit.ly/3aH1ABi
- 🦈 Good news everyone! 🦈 @malware_traffic is back with another great #Wireshark tutorial - this one covers a recent infection with the information stealer Qakbot (aka Qbot).
- Acting as digital detectives, we uncovered the sale of a bypass tool on underground forums. This investigation began when a bad actor tried to test an EDR bypass tool. Read what we learned from there: bit.ly/4eb8nlh
- 2023-12-07 (Thursday) - PDF file found on VirusTotal led to #DarkGate infection - Windows shortcut retrieved DarkGate install script from DNS TXT record - activity may have started as early as 2023-11-27 - IOCs available at bit.ly/47DoyFH #TimelyThreatIntel #Wireshark
- Love our Wireshark Tutorials? We've just released five free Wireshark Workshop videos from @malware_traffic bit.ly/3CZQPqb
- In our latest Wireshark tutorial, we demonstrate how to prepare the environment, obtain a decryption key and use it to decrypt RDP traffic. bit.ly/3rCESAz
- 2023-10-12 (Thursday): The latest example of #DarkGate malware distributed through Microsoft Teams. Attacker poses as target organization's CEO and sends victim a Teams invite. Message contains password-protected zip archive. IOCs available at bit.ly/3rY1hi1
- 2024-08-28 (Wednesday): More #Lumma #Stealer (#LummaStealer) from pages instructing potential victims to copy/paste #PowerShell script in a Run window. Recent examples of these human captcha style pages available at bit.ly/4cJk0zq #Unit42ThreatIntel #TimelyThreatIntel
- 2023-01-16 (Monday) - Google ad led to fake software site sending malware. Post-infection activity for #Gozi (#ISFB/#Ursnif) and #RedlineStealer. Seeing this for different software searches. Indicators for an infection from a fake 7-Zip page available at bit.ly/3iQe8OH
- 2023-02-07 (Tuesday): Among the wave of #Qakbot malspam, we found an email with a #OneNote attachment pushing probable #Matanbuchus malware. IoCs from an infection run available at bit.ly/3I7jGOF
- 2023-01-31 (Tuesday) - #Qakbot (#Qbot) returns after a one-month hiatus, now using OneNote (.one) files as the initial lure. Saw #CobaltStrike on 104.237.219[.]36 using ciruvowuto[.]com as the domain. Also saw VNC traffic from this infection. IoCs available at bit.ly/3DqSszS