
About Cybereason Nocturnus

Cybereason Nocturnus

The Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.

All posts by Cybereason Nocturnus

Cybereason vs. Black Basta Ransomware

In just two months, Black Basta has added nearly 50 victims to their list, making them one of the more prominent ransomware gangs. The attackers infiltrate and move laterally throughout the network in a fully-developed RansomOps attack. The Cybereason Nocturnus Team assesses the threat level as HIGH SEVERITY given the destructive potential of the attacks...

June 24, 2022 / 6 minute read

Cybereason vs. Quantum Locker Ransomware

The AI-driven Cybereason XDR Platform detects and blocks MountLocker ransomware which launched back in September 2020. Since then, the attackers have rebranded the operation as AstroLocker, XingLocker, and now in its current phase, the Quantum Locker...

May 9, 2022 / 5 minute read

Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation

Cybereason recently uncovered an attack assessed to be the work of the Chinese APT Winnti that operated undetected, siphoning intellectual property and sensitive data - the two companion reports examine the tactics and techniques of the overall campaign as well as a more detailed analysis of the malware arsenal and exploits used...

May 4, 2022 / 4 minute read

Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques

Cybereason investigated multiple intrusions targeting technology and manufacturing companies located in Asia, Europe and North America. Based on the findings of our investigation, it appears that the goal behind these intrusions was to steal sensitive intellectual property for cyber espionage purposes...

May 4, 2022 / 11 minute read

Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive

This research zeroes in on the Winnti malware arsenal and includes analysis of the observed malware and the complex Winnti infection chain, including evasive maneuvers and stealth techniques that are baked-in to the malware code...

May 4, 2022 / 19 minute read

Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials

This APT-C-23 campaign involves two previously undocumented malware strains dubbed Barb(ie) Downloader and BarbWire Backdoor, which use an enhanced stealth mechanism to remain undetected - in addition, Cybereason observed an upgraded version of an Android implant dubbed VolatileVenom...

April 6, 2022 / 11 minute read

Cybereason vs. BlackCat Ransomware

BlackCat Ransomware quickly gained notoriety, leaving a trail of destruction behind it; among its recent victims are German oil companies, an Italian luxury fashion brand and a Swiss aviation company. Cybereason XDR detects and blocks BlackCat Ransomware...

March 1, 2022 / 7 minute read

Cybereason vs. WhisperGate and HermeticWiper

Ukrainian officials attributed the attack to Russia “preparing the ground” for a military invasion with nasty wipers dubbed WhisperGate and HermeticWiper. Cybereason Anti-Ransomware and Anti-MBR corruption technology detects and blocks WhisperGate and HermeticWiper...

February 15, 2022 / 2 minute read

Cybereason vs. Lorenz Ransomware

Prior to the deployment of the Lorenz ransomware, the attackers attempt to infiltrate and move laterally throughout the organization, carrying out a fully-developed RansomOps attack - the Cybereason XDR Platform fully detects and prevents the Lorenz ransomware...

February 8, 2022 / 7 minute read

StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations

Cybereason discovered an undocumented RAT dubbed StrifeWater attributed to Iranian APT Moses Staff who deploy destructive ransomware following network infiltration and the exfiltration of sensitive data...

February 1, 2022 / 7 minute read

PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage

Cybereason discovered a new toolset developed by Iranian APT Phosphorus which revealed a connection to Memento ransomware and includes the newly discovered PowerLess Backdoor that evades detection by running PowerShell in a .NET context...

February 1, 2022 / 8 minute read

Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms

The highly-targeted attacks against aerospace and telecoms firms by new Iranian threat actor MalKamak includes newly discovered malware that evaded security tools since 2018 and abuses Dropbox services for command and control...

October 6, 2021 / 16 minute read

Cybereason vs. LockBit2.0 Ransomware

Following the rise of the new LockBit2.0 and the attack against the global IT company Accenture, this report provides detailed information about the attack process and how the Cybereason Defense Platform detects and prevents this threat at several stages...

August 24, 2021 / 6 minute read

DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos

Cybereason discovered several previously unidentified attack campaigns targeting the telecoms industry across Southeast Asia assessed to be the work of several prominent Chinese APT groups...

August 3, 2021 / 27 minute read

Cybereason vs. Prometheus Ransomware

The Cybereason Defense Platform detects and prevents Prometheus ransomware, a relatively new variant first observed in February of 2021 that has impacted more than 40 companies...

July 15, 2021 / 10 minute read

PortDoor: New Chinese APT Backdoor Attack Targets Russian Defense Sector

In a highly targeted operation by a Chinese APT, a newly discovered backdoor dubbed PortDoor is being used in attacks targeting a Russian defense contractor...

April 30, 2021 / 7 minute read

Cybereason vs. Avaddon Ransomware

Cybereason Nocturnus Team has been tracking the Avaddon Ransomware since June 2020 and the double extortion model...

April 27, 2021 / 4 minute read

Cybereason vs. DarkSide Ransomware

DarkSide ransomware follows the double extortion trend where the threat actors first exfiltrate the data and threaten to make it public if the ransom demand is not paid, rendering backing up data as a precaution against a ransomware attack moot...

April 1, 2021 / 6 minute read

Cybereason vs. NetWalker Ransomware

The NetWalker ransomware has been targeting organizations in the US and Europe including several healthcare organizations, despite several known threat actors publicly claiming to abstain from targeting such organizations due to COVID-19.

February 16, 2021 / 4 minute read

Cybereason vs. RansomEXX Ransomware

The Cybereason Nocturnus Team has been tracking the activity around RansomEXX, which is being used as part of multi-staged, human-operated attacks targeting various government-related entities and tech companies.

January 26, 2021 / 4 minute read

Cybereason vs. Conti Ransomware

Since first emerging in May 2020, the ransomware operators (aka the Conti Gang) claim to have over 150 successful attacks with millions in extortion fees. Download the Indicators of Compromise to search for Conti in your own environment.

January 12, 2021 / 5 minute read

Amazon Gift Card Offer Serves Up Dridex Banking Trojan

Over the course of December 2020, the Cybereason Nocturnus Team has been tracking cyber crime campaigns related to the holiday season, and more specifically to online shopping. Download the Indicators of Compromise to search for Dridex in your own environment.

December 24, 2020 / 6 minute read

Cybereason vs. Cl0p Ransomware

The Cybereason Nocturnus team has been tracking the activity of the Cl0p ransomware, a variant of CryptoMix ransomware. Download the Indicators of Compromise to search for Cl0p in your own environment...

December 23, 2020 / 3 minute read

Cybereason vs. Ryuk Ransomware

Ryuk ransomware is most often seen as the final payload in a larger targeted attack against a corporation, and since its return in September, it has been mainly delivered via TrickBot or BazarLoader infections.

December 10, 2020 / 3 minute read

New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign

The Cybereason Nocturnus Team has identified an active espionage campaign employing three previously unidentified malware variants that use Facebook, Dropbox, Google Docs and Simplenote for command & control and the exfiltration of data from targets across the Middle East.

December 9, 2020 / 2 minute read

Cybereason vs. Egregor Ransomware

Egregor is a newly identified ransomware variant that was first discovered in September 2020 and has recently been identified in several sophisticated attacks on organizations worldwide, including the games industry giants Crytek and Ubisoft.

November 26, 2020 / 5 minute read

Cybereason vs. MedusaLocker Ransomware

There have been reports of MedusaLocker attacks across multiple industries, especially the healthcare industry which suffered a great deal of ransomware attacks during the COVID-19 pandemic.

November 19, 2020 / 4 minute read

Novel Chaes Malware Underscores Heightened E-Commerce Risk This Holiday Season

The Cybereason Nocturnus Team has identified an active campaign targeting customers of a larger e-commerce platform with newly identified multi-stage malware that evades antivirus tools dubbed Chaes. 

November 18, 2020 / 2 minute read

Back to the Future: Inside the Kimsuky KGH Spyware Suite

The Cybereason Nocturnus Team has been tracking a North Korean cyber espionage group known as Kimsuky and has identified a new spyware suite along with new attack infrastructure.

November 2, 2020 / 14 minute read

VB2020: Anchor, Bazar, and the Trickbot Connection

Cybereason Nocturnus Team members Daniel Frank and Lior Rochberger will be presenting a session titled, Anchor, Bazar, and the Trickbot Connection, examining some new developments regarding a familiar threat actor.

September 22, 2020 / 1 minute read

No Rest for the Wicked: Evilnum Unleashes PyVil RAT

Nocturnus has been tracking the Evilnum group, targeting financial technology companies to spy and steal passwords, documents, browser cookies, email credentials and more.

September 3, 2020 / 9 minute read

A Bazar of Tricks: Following Team9’s Development Cycles

Learn how the Bazar malware is sent via phishing emails that take advantage of the ongoing coronavirus pandemic, employee payroll reports, and customer complaints.

July 16, 2020 / 14 minute read

FakeSpy Masquerades as Postal Service Apps Around the World

The Cybereason Nocturnus team is investigating a new campaign involving FakeSpy, an Android mobile malware used to steal SMS messages, send SMS messages, steal financial data, read account information and contact lists, steal application data, and do much more.

July 1, 2020 / 10 minute read

Valak: More than Meets the Eye

Valak is a sophisticated malware that can steal enterprise mailing information and passwords along with the enterprise certificate. This has the potential to give access to critical enterprise accounts, causing damage to organizations, brand degradation, and ultimately a loss of consumer trust.

May 28, 2020 / 13 minute read

EventBot: A New Mobile Banking Trojan is Born

The Cybereason Nocturnus team is investigating EventBot, a new type of Android mobile malware. EventBot abuses accessibility features to steal user data from financial applications, read user SMS messages, and steal SMS messages to allow the malware to bypass two-factor authentication.

April 30, 2020 / 12 minute read

Just Because You’re Home Doesn’t Mean You’re Safe

Cybereason’s Nocturnus team is continuing to observe hundreds of phishing attacks that use coronavirus-themed files and domains to distribute malware and infect victims all over the world.

March 18, 2020 / 5 minute read

Who's Hacking the Hackers: No Honor Among Thieves

Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, allowing the attackers to completely take over the victim’s machine.

March 10, 2020 / 8 minute read

Code Integrity in the Kernel: A Look Into ci.dll

Our kernel team researches how to reliably authenticate in kernel mode using ci.dll.

March 5, 2020 / 8 minute read

New Cyber Espionage Campaigns Targeting Palestinians - Part 2: The Discovery of the New, Mysterious Pierogi Backdoor

Cybereason's Nocturnus team has been tracking recent espionage campaigns specifically directed at entities and individuals in the Palestinian territories.

February 13, 2020 / 7 minute read

New Cyber Espionage Campaigns Targeting Palestinians - Part 1: The Spark Campaign

Cybereason's Nocturnus team has been tracking recent espionage campaigns specifically directed at entities and individuals in the Palestinian territories.

February 13, 2020 / 11 minute read

The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware

Cybereason is following an active campaign to deliver multiple different types of malware to victims all over the world. This attack is able to steal data, mine for cryptocurrency, and in specific cases deliver ransomware.

February 5, 2020 / 9 minute read

Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware

Cybereason Nocturnus detected a series of attacks that started with a TrickBot infection and progressed into a hacking operation targeting sensitive financial systems using a new variant of Anchor_DNS and a new malware dubbed Anchor.

December 11, 2019 / 15 minute read

Phoenix: The Tale of the Resurrected Keylogger

Nocturnus is tracking a new keylogger called Phoenix, packed with a myriad of information-stealing features extending far beyond logging keystrokes.

November 20, 2019 / 11 minute read

Hunting Raccoon: The New Masked Bandit on the Block

Nocturnus has investigated infections of the Raccoon stealer including its origin, team members, business model, and marketing efforts. We also cover Raccoon's current capabilities and delivery methods, with a look into their future plans for the malware.

October 24, 2019 / 14 minute read

Glupteba Expands Operation and Toolkit with LOLBins And Cryptominer

The Nocturnus team has identified variants of Glupteba that made use of an extensive arsenal, including LOLBins and a cryptocurrency miner.

September 12, 2019 / 15 minute read

REvil / Sodinokibi: The Crown Prince of Ransomware

Cybereason has been tracking REvil/Sodinokibi since 2019 - the Cybereason Defense Platform detects and blocks this nasty ransomware that struck meatpacker JBS...

August 5, 2019 / 8 minute read

Exploit Kits “Shade” Into New Territory

We take a closer look at the Spelevo exploit, its infection method, and the new direction attackers are taking the Shade ransomware to make money while avoiding publicity.

July 23, 2019 / 5 minute read

Watch Where You Browse - The Fallout Exploit Kit Stays Active

Attackers are turning even the most common activities into a possible threat. As the latest example of that trend, the attack presented in this research shows how everyday browsing can be exploited dynamically by threat actors in order to install the AZORult Infostealer.

July 3, 2019 / 5 minute read

Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers

In 2018, the Cybereason Nocturnus team identified Operation Soft Cell, an advanced, persistent attack targeting global telecommunications providers.

June 25, 2019 / 16 minute read

Adobe Worm Faker Uses LOLbins And Dynamic Techniques To Deliver Customized Payloads

We have found an active malware, dubbed Adobe Worm Faker, that uses LOLBins and delivers customized payloads.

June 20, 2019 / 11 minute read

New Pervasive Worm Exploiting Linux Exim Server Vulnerability

There’s an active, ongoing campaign exploiting a widespread vulnerability in Linux email servers. Read about the attack first here.

June 13, 2019 / 6 minute read

GandCrab's new Evasive Infection Chain

Ransomware is not a new form of attack, but GandCrab has upgraded it to be more dynamic and harder to resolve.

May 7, 2019 / 5 minute read

Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware

In this research, we introduce a meticulously planned, malicious operation against a financial institution in April of 2019 by TA505.

April 25, 2019 / 11 minute read

A One-two Punch of Emotet, TrickBot, & Ryuk Stealing & Ransoming Data

The Cybereason team has identified a campaign that incorporates Emotet, TrickBot, and the Ryuk ransomware. This malware adapts Emotet to drop TrickBot, and adapts TrickBot to not only steal data but also download the Ryuk ransomware.

April 2, 2019 / 5 minute read

Triple Threat: Emotet Deploys TrickBot to Steal Data & Spread Ryuk

The Cybereason team has uncovered a severe threat that adapts Emotet to drop TrickBot, and adapts TrickBot to not only steal data but also download the Ryuk ransomware. This attack steals personal information, passwords, mail files, browser data, and registry keys before ransoming the victims' data.

April 2, 2019 / 15 minute read

New Ursnif Variant Comes with Enhanced Information Stealing Features

The Cybereason research team observed a new campaign involving Ursnif in the beginning of 2019 attacking users in Japan across multiple customer environments. This Ursnif variant has enhanced stealing modules focused on taking data from mail clients and email credentials stored in browsers.

March 12, 2019 / 4 minute read

New Ursnif Variant Targets Japan Packed with New Features

In this research we dissect a new Ursnif variant that uses language checks and steganography to evade detection. It features a stealthy persistence mechanism and revamped information-stealing modules focusing on mail clients and cryptocurrency.

March 12, 2019 / 10 minute read

The Newest Variant of the Astaroth Trojan Evades Detection in the Sneakiest Way

In this malware research, we explain one of the most recent and unique campaigns involving the Astaroth trojan. This Trojan and information stealer affected Europe and especially Brazil through the abuse of native OS processes and the exploitation of security-related products.

February 13, 2019 / 4 minute read

Astaroth Malware Uses Legitimate OS and Antivirus Processes to Steal Passwords and Personal Data

In this report, we explore a recent campaign involving the Astaroth information stealing trojan, chiefly affecting Brazil through the abuse of native OS processes.

February 13, 2019 / 10 minute read

LOLbins and trojans: How the Ramnit Trojan spreads via sLoad in a cyberattack

Cybereason detected an evasive infection technique used to spread a variant of the Ramnit banking Trojan as part of an Italian spam campaign. We investigate this attack, its use of sLoad, and its adoption of LOLbins to minimize discovery.

January 3, 2019 / 13 minute read

Pervasive Brazilian Financial Malware Targets Bank Customers in Latin America and Europe

Cybereason’s Nocturnus team mapped out the multi-stage malware distribution infrastructure behind Brazilian financial malware and found that Brazilian-made malware has become pervasive, targeting over 60 banks in nearly a dozen countries throughout Latin America, Spain and Portugal.

November 29, 2018 / 19 minute read

New Betabot campaign under the microscope

In the past few weeks, the Cybereason SOC has detected multiple Betabot (aka Neurevt) infections in customer environments. This blog will look at the infection chain and delve into Betabot’s self-defense mechanisms using telemetry data gathered from multiple customer endpoints.

October 3, 2018 / 6 minute read


Cybereason's Nocturnus Research team analyzes campaigns targeting the Brazilian financial sector, focusing on infection vectors and the threat actor's toolset and techniques.

September 18, 2018 / 7 minute read

WannaMine Cryptominer that uses EternalBlue still active

The WannaMine Cryptominer, which uses the EternalBlue exploits, is still active although a patch that fixes these well-known vulnerabilities was released last March.

September 14, 2018 / 5 minute read

The Anatomy of a .NET Malware Dropper

Cybereason researchers discovered a .NET dropper/crypter. Here's how they reverse engineered it.

September 10, 2018 / 7 minute read

Attackers incriminate a signed Oracle process for DLL hijacking, running Mimikatz

With application whitelisting being integrated into an OS’s security stack, attackers need more creative ways to use their tools without getting detected. In this incident observed by Cybereason, DLL hijacking was used to run Mimikatz using a process that was signed and verified by Oracle.

June 24, 2018 / 3 minute read

Fauxpersky: CredStealer malware written in AutoHotKey masquerades as Kaspersky Antivirus, spreading through infecting USB drives

Cybereason researchers discovered a credstealer written with AutoHotKey that masquerades as Kaspersky Antivirus and spreads through infected USB drives. We’ve named it Fauxpersky.

March 28, 2018 / 6 minute read