ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery
ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver malware through the drive-by download technique. When it first emerged in July 2023, the injected code was designed to display a fake web browser download page,
Targeted supply chain attack against Chrome browser extensions
On 26 December 2024, the data security company Cyberhaven informed its users about a compromise of their Chrome browser extension. The attacker exploited the extension developer's permissions, which had been previously gained through a targeted phish
ClickFix tactic: The Phantom Meet
This blog post provides a chronological overview of the observed ClickFix campaigns. We further share technical details about a ClickFix cluster that uses fake Google Meet video conference pages to distribute infostealers.
Scattered Spider laying new eggs
This report provides an overview of the Scattered Spider evolution, its modus operandi and the toolset leveraged over the past years. Additionally, it delves into the Scattered Spider TTPs, as well as the latest ongoing campaigns, including their cur
ClearFake: a newcomer to the "fake updates" threats landscape
ClearFake is a new malicious JavaScript framework deployed on compromised websites to deliver further malware using the drive-by download technique. This blogpost aims at presenting a technical analysis of the ClearFake installation flow, the malware
CustomerLoader: a new malware distributing a wide variety of payloads
This blog post aims at presenting a technical analysis of CustomerLoader focusing on the decryption of the next-stage payloads, an overview of more than 30 known and distributed malware families, and details on three infection chains observed distrib
Overview of the Russian-speaking infostealer ecosystem: the logs
This blog post aims at presenting the life cycle of logs, the cybercrime marketplaces dedicated to logs and the noticeable schemes recently used by threat actors to exploit the stolen data.
Overview of the Russian-speaking infostealer ecosystem: the distribution
This blog post aims at presenting the main techniques, tools and social engineering schemes used by the cybercriminals from the Russian-speaking infostealer ecosystem and observed by Sekoia analysts in the past year.
Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity - Part 2
This blogpost is a technical analysis of Stealc infostealer, detailing different characteristics of the malware, including anti analysis, strings de-obfuscation and C2 communication techniques.
Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity - Part 1
This blogpost aims at presenting the activities of the Stealc’s alleged developer, a technical analysis of the malware and its C2 communications, and how to track it.
PrivateLoader: the loader of the prevalent ruzki PPI service
SEKOIA analysts tracked PrivateLoader’s network infrastructure for several months and recently conducted an in-depth analysis of the malware. In parallel, we also monitored activities related to the ruzki PPI malware service.
