
Pierre LE BOURHIS
Senior Threat Researcher
Articles by Pierre LE BOURHIS

Silver Fox: The Only Tax Audit Where the Fine Print Installs Malware
Track the 2025-2026 shift of China-based Silver Fox from financial crime to APT espionage. Discover how they exploit tax-themed phishing and RMM tools to target South Asian entities.

Advent Of Configuration Extraction – Part 4: Turning capa Into A Configuration Extractor For TinyShell variant
Learn how to extract TinyShell configuration data using capa, Capstone and Python to recover RC4-encrypted C2 settings from Linux malware.

Advent of Configuration Extraction – Part 3: Mapping GOT/PLT and Disassembling the SNOWLIGHT Loader
In-depth analysis of the Snowlight malware loader, focusing on GOT/PLT mapping and ELF disassembly for configuration extraction.

Advent of Configuration Extraction – Part 2: Unwrapping QuasarRAT’s Configuration
Learn how QuasarRAT configuration extraction works using pythonnet, dnlib and IL analysis to recover encrypted .NET malware settings.

Advent of Configuration Extraction – Part 1: Pipeline Overview - First Steps with Kaiji Configuration Unboxing
Learn how TDR automates Kaiji configuration extraction using Assemblyline, introducing the malware analysis pipeline and MACO-based workflows.

The Sharp Taste of Mimo'lette: Analyzing Mimo’s Latest Campaign targeting Craft CMS
Analysis of the CVE-2025-32432 compromise chain by Mimo: exploitation, loader, crypto miner, proxyware, and detection opportunities.

ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery
ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver malware through the drive-by download technique. When it first emerged in July 2023, the injected code was designed to display a fake web browser download page,

PikaBot: a Guide to its Deep Secrets and Operations
This blog post provides an in-depth analysis of PikaBot, focusing on its anti-analysis techniques implemented in the different malware stages.

Mallox affiliate leverages PureCrypter in MS-SQL exploitation campaigns
Learn about the techniques used by the Mallox ransomware affiliate to compromise an MS-SQL server. Dive into our detailed technical analysis.

Unveiling the intricacies of DiceLoader
This report aims to detail the functioning of a malware used by FIN7 since 2021, named DiceLoader (also known as Icebot), and to provide a comprehensive approach to the threat by detailing the related Techniques and Procedures.

CustomerLoader: a new malware distributing a wide variety of payloads
This blog post aims at presenting a technical analysis of CustomerLoader focusing on the decryption of the next-stage payloads, an overview of more than 30 known and distributed malware families, and details on three infection chains observed distrib

Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity - Part 2
This blog post is a technical analysis of the Stealc infostealer, detailing different characteristics of the malware, including anti-analysis, string de-obfuscation and C2 communication techniques.

Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity - Part 1
This blog post aims at presenting the activities of Stealc’s alleged developer, a technical analysis of the malware and its C2 communications, and how to track it.

PrivateLoader: the loader of the prevalent ruzki PPI service
SEKOIA analysts tracked PrivateLoader’s network infrastructure for several months and recently conducted an in-depth analysis of the malware. In parallel, we also monitored activities related to the ruzki PPI malware service.

Raccoon Stealer v2 - Part 1: The return of the dead
On June 10, 2022, Sekoia analysts stumbled upon active servers hosting a web page named “Raccoon Stealer 2.0”. Discover their research.

Raccoon Stealer v2 - Part 2: In-depth analysis
This blog post is a technical analysis of the new Raccoon Stealer 2.0 stand-alone version. The authors have announced that the malware is also available in a DLL format or could be embedded in other PEs.

BumbleBee: a new trendy loader for Initial Access Brokers
BumbleBee is a new malicious loader that is being used by several IABs to gain an initial foothold within victims' networks.

Mars, a red-hot information stealer
Mars Stealer is an information stealer sold on underground forums by MarsTeam since June 22, 2021, with the malware-as-a-service model.
