
Threat Detection & Research Team
Articles by Threat Detection & Research Team

APT28, an evolution of tradecraft
Sekoia TDR looks back at how APT28's arsenal has evolved over two decades, from its signature X-Agent implants to disposable modules, edge-device infrastructure and the first LLM-driven malware.

Unveiling ErrTraffic: inside a growing ClickFix malware distribution framework
This report details the ErrTraffic threat and its associated ecosystem, highlighting three specific campaigns and their operators' arsenal.

FSB’s matryoshka #3/3 - Gamaredon’s gifts that keep unpacking - GammaSteel
Discover part 3 of our FSB Matryoshka investigation. We deep dive into Gamaredon's GammaSteel info-stealer, its data exfiltration TTPs, and indicators.

FSB’s matryoshka #2/3 - Gamaredon’s gifts that keep unpacking - GammaLoad
In part 2 of our FSB Matryoshka series, we analyze Gamaredon's GammaLoad malware variant, dissecting its technical updates and deployment mechanisms.

FSB’s matryoshka #1/3 - Gamaredon’s gifts that keep unpacking - GammaPhish and GammaWorm
Part 1 of our FSB Matryoshka series. Discover the context behind Gamaredon's cyberespionage campaigns, introducing GammaPhish and GammaWorm operations.

From APT28 to RePythonNET: automating .NET malware analysis
This blogpost covers the tooling and methodology we use at TDR to reverse engineer .NET malware. In our daily work, we encounter a wide range of malware, sophisticated or not, and a significant portion of it is written in .NET. Yet, the…

EvilTokens: an AI-augmented Phishing-as-a-Service for automating BEC fraud - Part 2
Explore how EvilTokens uses AI-driven features to automate and scale BEC workflows. Uncover the PhaaS operations on Telegram.

New widespread EvilTokens kit: device code phishing as-a-service - Part 1
Uncover the new sophisticated EvilTokens device code phishing as-a-service, with AI-augmented features facilitating BEC fraud.

Meet IClickFix: a widespread WordPress-targeting framework using the ClickFix tactic
Uncover IClickFix: a malicious framework exploiting the ClickFix tactic in widespread malware campaigns to deliver NetSupport RAT.

Leveraging Landlock telemetry for Linux detection engineering
This blogpost explores how Landlock is both an interesting security mechanism and a valuable source of telemetry for detection engineering.

Advent Of Configuration Extraction – Part 4: Turning capa Into A Configuration Extractor For TinyShell variant
Learn how to extract TinyShell configuration data using capa, Capstone and Python to recover RC4-encrypted C2 settings from Linux malware.

Advent of Configuration Extraction – Part 3: Mapping GOT/PLT and Disassembling the SNOWLIGHT Loader
In-depth analysis of the Snowlight malware loader, focusing on GOT/PLT mapping and ELF disassembly for configuration extraction.

Advent of Configuration Extraction – Part 2: Unwrapping QuasarRAT’s Configuration
Learn how QuasarRAT configuration extraction works using pythonnet, dnlib and IL analysis to recover encrypted .NET malware settings.

Advent of Configuration Extraction – Part 1: Pipeline Overview - First Steps with Kaiji Configuration Unboxing
Learn how TDR automates Kaiji configuration extraction using Assemblyline, introducing the malware analysis pipeline and MACO-based workflows.

French NGO Reporters Without Borders targeted by Calisto in recent campaign
Calisto phishing campaign targeting Reporters Without Borders uses ProtonMail impersonation and AiTM techniques to steal credentials in 2025.

Phishing Campaigns "I Paid Twice" Targeting Booking.com Hotels and Customers
Sekoia.io exposes a Booking.com phishing campaign targeting hotels and customers using ClickFix and PureRAT malware.

TransparentTribe targets Indian military organisations with DeskRAT
TransparentTribe targets Indian military entities using DeskRAT, a Golang-based remote access Trojan. Learn how this new campaign works.

Decoding UserAuthenticationMethod in Microsoft 365 audit logs: the bitfield mapping
This undocumented field of sign-in events is a number where each bit represents a different authentication method.

APT28 Operation Phantom Net Voxel
APT28 Operation Phantom Net Voxel: weaponized Office lures, COM-hijack DLL, PNG stego to Covenant Grunt via Koofr, BeardShell on icedrive.

Predators for Hire: A Global Overview of Commercial Surveillance Vendors
This report provides an overview of the commercial surveillance vendors ecosystem between 2010 and 2025, analysing their spyware offerings, business models, client base, target profiles, and infection chains.

The Sharp Taste of Mimo'lette: Analyzing Mimo’s Latest Campaign targeting Craft CMS
Analysis of the CVE-2025-32432 compromise chain by Mimo: exploitation, loader, crypto miner, proxyware, and detection opportunities.

ViciousTrap - Infiltrate, Control, Lure: Turning edge devices into honeypots en masse.
This blog post analyzes the Vicious Trap, a honeypot network deployed on compromised edge devices.

From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic
Discover how Lazarus leverages fake job sites in the ClickFake Interview campaign targeting crypto firms using the ClickFix tactic.

ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery
ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver malware through the drive-by download technique. When it first emerged in July 2023, the injected code was designed to display a fake web browser download page,

Detection engineering at scale: one step closer (part three)
Following our first article explaining our detection approach and associated challenges, the second one detailing the regular and automated actions implemented through our CI/CD pipelines, we will now conclude this series by presenting the continuous

Cyber threats impacting the financial sector in 2024 - focus on the main actors
This report provides an overview of the main actors involved in malicious campaigns impacting the financial sector in 2024. It follows up on a previous Sekoia report focusing on the emerging trends in the financial cyber threat landscape.

Detection engineering at scale: one step closer (part two)
In this article, we will build upon the previous discussion of our detection approach and associated challenges by detailing the regular and automated actions implemented through our CI/CD pipelines.

Targeted supply chain attack against Chrome browser extensions
On 26 December 2024, the data security company Cyberhaven informed its users about a compromise of their Chrome browser extension. The attacker exploited the extension developer's permissions, which had been previously gained through a targeted phish

Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service
In this blog post, learn about Sneaky 2FA, a new Adversary-in-the-Middle (AiTM) phishing kit targeting Microsoft 365 accounts.

Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations
Uncover the details of the UAC-0063 cyberespionage campaign in Kazakhstan and its potential connection to APT28.

Detection engineering at scale: one step closer (part one)
Security Operations Center (SOC) and Detection Engineering teams frequently encounter challenges in both creating and maintaining detection rules, along with their associated documentation, over time. These difficulties stem largely from the sheer nu

Ransomware-driven data exfiltration: techniques and implications
Learn about the comprehensive analysis of data exfiltration techniques and tools used by ransomware and extortion groups in campaigns.

A three beats waltz: The ecosystem behind Chinese state-sponsored cyber threats
Sekoia TDR analysts conduct an assessment of threats regarding the major elections that will occur in 2024.

ClickFix tactic: Revenge of detection
This blog post provides an overview of the observed Clickfix clusters and suggests detection rules based on an analysis of the various infection methods employed.

ClickFix tactic: The Phantom Meet
This blog post provides a chronological overview of the observed ClickFix campaigns. We further share technical details about a ClickFix cluster that uses fake Google Meet video conference pages to distribute infostealers.

Bulbature, beneath the waves of GobRAT
Since mid-2023, the Sekoia Threat Detection & Research team (TDR) has investigated an infrastructure which controls compromised edge devices transformed into Operational Relay Boxes used to launch offensive cyber attacks.

SilentSelfie: Uncovering a major watering hole campaign against Kurdish websites
Our investigation uncovered 25 Kurdish websites compromised by four different variants of a malicious script, ranging from the simplest, which obtains the device's location, to the most complex, which prompts selected users to install a malicious And

WebDAV-as-a-Service: Uncovering the infrastructure behind Emmenhtal loader distribution
This blogpost examines the use of WebDAV technology in hosting malicious files related to the Emmenhtal loader, then analyses the various final payloads delivered through this infrastructure, and concludes by exploring the possibility that the infras

Securing Gold: Hunting typosquatted domains during the Olympics
Discover how Sekoia.io proactively hunts for typosquatted domains related to the Paris 2024 Olympics to detect and prevent cyber threats.

A glimpse into the Quad7 operators' next moves and associated botnets
Uncover the secrets of the Quad7 botnet and its ever-evolving toolset. Learn about the new backdoors and protocols used by these operators.

Emulating and Detecting Scattered Spider-like Attacks
Explore a use-case scenario demonstrating how to detect scattered spider attacks in AWS environments and enhance your cloud security.

Solving the 7777 Botnet enigma: A cybersecurity quest
Discover 7777 botnet (aka Quad7) and its activity, targets, and use of TP-Link routers in Microsoft 365 attacks in our latest investigation.

PikaBot: a Guide to its Deep Secrets and Operations
This blog post provides an in-depth analysis of PikaBot, focusing on its anti-analysis techniques implemented in the different malware stages.

Master of Puppets: Uncovering the DoppelGänger pro-Russian influence campaign
Uncover the details of the DoppelGänger campaign, a Russian influence operation aimed at undermining support for Ukraine.

Mallox affiliate leverages PureCrypter in MS-SQL exploitation campaigns
Learn about the techniques used by the Mallox ransomware affiliate to compromise an MS-SQL server. Dive into our detailed technical analysis.

Guarding Democracy: Assessing Cyber Threats to 2024 Worldwide Elections
Sekoia TDR analysts conduct an assessment of threats regarding the major elections that will occur in 2024.

Elevating Cybersecurity: The Sekoia.io Methodology for Advanced Detection Engineering
Learn how Sekoia.io stays ahead of the curve with sophisticated detection engineering strategies and proactive threat anticipation.

Unplugging PlugX: Sinkholing the PlugX USB worm botnet
Learn about our process for collecting telemetry data from PlugX worm-infected workstations, as well as how to disinfect them.

Unveiling the depths of Residential Proxies providers
Discover the growing threat of residential proxies, their role in hiding among legitimate traffic and the challenges they pose in cyberspace.

The Architects of Evasion: a Crypters Threat Landscape
In this report, we introduce key concepts and analyse the different crypter-related activities and the lucrative ecosystem of threat groups leveraging them in malicious campaigns.

NoName057(16)'s DDoSia project: 2024 updates and behavioural shifts
Learn about NoName057(16), a pro-Russian hacktivist group behind Project DDoSia targeting entities supporting Ukraine. Discover an overview of the changes made by the group, both from the perspective of the software shared by the group to generate DD

The Predator spyware ecosystem is not dead
Discover our TDR team's revelations about Predator spyware: its C2 infrastructure and list of countries still using its cyber espionage tool.

Scattered Spider laying new eggs
This report provides an overview of the Scattered Spider evolution, its modus operandi and the toolset leveraged over the past years. Additionally, it delves into the Scattered Spider TTPs, as well as the latest ongoing campaigns, including their cur

Adversary infrastructures tracked in 2023
Sekoia.io C2 Trackers identified more than 85,000 IP addresses used as C2 servers in 2023, an increase of more than 30% compared to 2022.

Unveiling the intricacies of DiceLoader
This report aims to detail the functioning of a malware used by FIN7 since 2021, named DiceLoader (also known as Icebot), and to provide a comprehensive approach to the threat by detailing the related Techniques and Procedures.

Securing Gold: Assessing Cyber Threats on Paris 2024
Based on these observations and given the constantly evolving cyber threat landscape, we analysed cyber threats affecting previous editions of the Olympics, as well as the current geopolitical context to understand potential motivations of malicious

CALISTO doxxing: Sekoia.io findings concur with Reuters’ investigation on FSB-related Andrey Korinets
Discover activities linking Korinets to CALISTO doxxing in our investigation. Uncover details from emails, domains & servers used to target UK Parliament & Cambridge University.

When a Botnet Cries: Detecting Botnet Infection Chains
Infection chains used by commodity malware are constantly evolving and use various tricks to bypass security measures and/or user awareness. BumbleBee, QNAPWorm, IcedID and Qakbot are all often used as first-stage malicious code, allowing…

Unmasking the latest trends of the Financial Cyber Threat Landscape
Financial cyber threat analysis: pinpoint common tactics, techniques & procedures used by intrusion sets to protect the financial system.

Game Over: gaming community at risk with information stealers
This report delves into the gaming industry targeted by infostealer malware, and details a specific campaign spreading via Discord messages.

AridViper, an intrusion set allegedly associated with Hamas
Given the recent events involving the Palestinian politico-military organisation Hamas which conducted on 7 October 2023 a military and terrorist operation in Israel, Sekoia.io took a deeper look into AridViper, an intrusion set suspected to be assoc

ClearFake: a newcomer to the "fake updates" threats landscape
ClearFake is a new malicious JavaScript framework deployed on compromised websites to deliver further malware using the drive-by download technique. This blogpost aims at presenting a technical analysis of the ClearFake installation flow, the malware

Active Lycantrox infrastructure illumination
Sekoia.io is actively monitoring hundreds of malicious infrastructure clusters to protect its customers. In light of the recent Citizenlab blogspot and in solidarity with the efforts against cyber mercenaries, we have chosen to shed light on one of t

Sekoia mid-2023 Ransomware Threat Landscape
This blog post aims at presenting an overview of the ransomware-related threat evolution in the first half of 2023. The observations and the analysis shared in this blog post focus on ransomware operations mostly impacting corporate networks in lucra

The Transportation sector cyber threat overview
This report aims at contextualising cyber activities targeting the transportation sector worldwide over the 2022 - 2023 period. This report is based on open source reporting and Sekoia.io observations of campaigns mostly impacting the road, air and r

Engineering detection around Microsoft Defender
This blogpost briefly introduces the different Microsoft Defender products and the confusion that can arise between them, mainly because they were renamed over the years. Then it focuses on detection engineering around Microsoft Defender Antivirus (MDA

My Tea's not cold. An overview of China's cyber threat
This report is an overview of recent malicious cyber activities associated with China-nexus Intrusion Sets. It is based on open-source documents and Sekoia.io TDR analysts' research and does not intend to present an exhaustive list of campaigns aligned

CustomerLoader: a new malware distributing a wide variety of payloads
This blog post aims at presenting a technical analysis of CustomerLoader focusing on the decryption of the next-stage payloads, an overview of more than 30 known and distributed malware families, and details on three infection chains observed distrib

Following NoName057(16) DDoSia Project’s Targets
DDoSia is a Distributed Denial of Service (DDoS) attack toolkit, developed and used by the pro-Russia hacktivist nationalist group NoName057(16) against countries critical of the Russian invasion of Ukraine.

Bluenoroff’s RustBucket campaign
In April 2023, fellow security researchers at Jamf published a report on Bluenoroff’s RustBucket, a newly observed malware targeting the macOS platform. Sekoia.io analysts further investigated Bluenoroff’s infrastructure and share their findings in this

APT28 leverages multiple phishing techniques to target Ukrainian civil society
The APT28 intrusion set (aka Sofacy, PawnStorm, Fancy Bear), associated with the Russian GRU, was observed using multiple phishing techniques to target Ukrainian civil society.

The Energy sector 2022 cyber threat landscape
This report is a joint CITALID and SEKOIA analysis pertaining to cyber activities targeting the energy sector in 2022 in Europe. It is based on open-source reports and includes both our investigations and analysis. Information cut-off date is 22

SEKOIA.IO analysis of the #VulkanFiles leak
In January 2023, French newspaper Le Monde offered SEKOIA.IO to cooperate on investigating exfiltrated Russian-written documents related to the Moscow-based private company Vulkan.

One Year After: The Cyber Implications of the Russo-Ukrainian War
One year after the start of the Russo-Ukrainian War, our analysts share their analysis of the cyber picture.

Command & Control infrastructures tracked by Sekoia.io in 2022
Throughout 2022, SEKOIA.IO's Threat & Detection Research (TDR) team continued to proactively track and monitor the Command & Control (C2) infrastructures set up and used by cybercriminal or state sponsored intrusion sets to carry out malicious cyber

Raspberry Robin's botnet second life
As with many botnets and worms, Sekoia analysts demonstrate through this article that Raspberry Robin can be repurposed by other threat actors to deploy their own implants.

Unveiling of a large resilient infrastructure distributing information stealers
This blogpost aims at presenting the current infection chain, payloads and the whole infrastructure used to distribute infostealers.

Calisto shows interest in entities involved in Ukraine war support
Calisto (aka Callisto, COLDRIVER) is suspected to be a Russian-nexus intrusion set active since at least April 2017. Although it was not publicly attributed to any Russian intelligence service, past Calisto operations showed objectives and victimolog

Lucky Mouse: Incident Response to Detection Engineering
This blogpost discusses how the Tactics, Techniques and Procedures (TTPs) used by the APT27 (Lucky Mouse) intrusion set in the last incident reported by Intrinsec, a Sekoia Managed Security Service Provider (MSSP) partner, are detected using SEKOI

BlueFox Stealer: a newcomer designed for traffers teams
In September 2022, during routine Dark Web monitoring, we identified BlueFox Stealer v2, a newly advertised information stealer sold as MaaS.
