Cybereason has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe.

THREAT ANALYSIS: Assemble LockBit 3.0

LockBit 2.0 ransomware attackers are constantly evolving and making detection, investigation, and prevention more complex by disabling EDR and other security products and deleting the evidence to stifle forensics attempts...

August 21, 2023 / 4 minute read

THREAT ANALYSIS REPORT: DLL Side-Loading Widely (Ab)Used

This Threat Analysis Report explores widely used DLL Side-Loading attack techniques, outlines how threat actors leverage these techniques, describes how to reproduce an attack, and reports on how defenders can detect and prevent these attacks...

October 26, 2022 / 13 minute read

Blue Teaming on macOS with eslogger

In this edition of the Blue Team Chronicles, we assess the capabilities of eslogger, a new built-in macOS tool, and show how defenders can use this tool to better understand malicious activities on macOS and build new detection approaches...

October 4, 2022 / 8 minute read

THREAT ALERT: ProxyNotShell - Two Critical Vulnerabilities Affecting MS Exchange

The Cybereason GSOC Managed Detection and Response (MDR) Team is investigating incidents that involve exploitation of the critical Microsoft Exchange vulnerabilities (CVE-2022-41040 and CVE-2022-41082) dubbed ProxyNotShell after finding them being exploited in the wild...

October 3, 2022 / 5 minute read

THREAT ANALYSIS REPORT: Abusing Notepad++ Plugins for Evasion and Persistence

Cybereason GSOC team analysts have analyzed a specific technique that abuses Notepad++ plugins to evade security mechanisms, achieve persistence and deploy backdoors on targeted machines...

September 14, 2022 / 4 minute read


PlugX is a post-exploitation modular RAT (Remote Access Trojan), which is known for its multiple functionalities such as data exfiltration, keystroke grabbing, backdoor functionality, and utilizing DLL-Sideloading techniques for evading security solutions...

September 8, 2022 / 10 minute read

THREAT ANALYSIS REPORT: Ragnar Locker Ransomware Targeting the Energy Sector

Ragnar Locker is a ransomware family with security evasion capabilities which is targeting the energy sector and recently claimed to have breached DESFA, a Greek pipeline company...

September 1, 2022 / 8 minute read

THREAT ALERT: HavanaCrypt Ransomware Masquerading as Google Update

First observed in June 2022 in the wild, HavanaCrypt Ransomware masquerades as a legitimate Google Chrome update with sophisticated anti-analysis techniques and other functionality that may be used for data exfiltration and privilege escalation...

August 22, 2022 / 5 minute read

THREAT ALERT: Inside the Redeemer 2.0 Ransomware

A new and improved Redeemer 2.0 ransomware version was released on an underground forum and is described by the developers as a “C++ no dependency ransomware with no privacy intrusions” targeting the Windows OS with support for Windows 11 systems...

August 19, 2022 / 2 minute read

THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control

Cybereason GSOC observed distribution of the Bumblebee Loader and post-exploitation activities including privilege escalation, reconnaissance and credential theft. Bumblebee operators use the Cobalt Strike framework throughout the attack and abuse credentials for privilege escalation to access Active Directory, as well as abusing a domain administrator account to move laterally, create local user accounts and exfiltrate data...

August 17, 2022 / 10 minute read

Rundll32: The Infamous Proxy for Executing Malicious Code

In this article we take a deeper dive into an often abused Microsoft-signed tool, the infamous rundll32.exe, which allows adversaries to execute malicious code during their offensive operations through a technique which we explain in detail...

August 9, 2022 / 10 minute read

THREAT ANALYSIS REPORT: LockBit 2.0 - All Paths Lead to Ransom

LockBit 2.0 ransomware attackers are constantly evolving and making detection, investigation, and prevention more complex by disabling EDR and other security products and deleting the evidence to stifle forensics attempts...

July 7, 2022 / 16 minute read

THREAT ALERT: Raspberry Robin Worm Abuses Windows Installer and QNAP Devices

Raspberry Robin involves a worm that spreads over USB devices or shared folders, leveraging compromised QNAP (Network Attached Storage or NAS) devices as stagers and an old but still effective method of using “LNK” shortcut files to lure its victims...

July 7, 2022 / 5 minute read

Cybereason vs. Black Basta Ransomware

In just two months, Black Basta has added nearly 50 victims to their list, making them one of the more prominent ransomware gangs. The attackers infiltrate and move laterally throughout the network in a fully-developed RansomOps attack. The Cybereason Nocturnus Team assesses the threat level as HIGH SEVERITY given the destructive potential of the attacks...

June 24, 2022 / 6 minute read

Cybereason vs. Quantum Locker Ransomware

The AI-driven Cybereason XDR Platform detects and blocks MountLocker ransomware which launched back in September 2020. Since then, the attackers have rebranded the operation as AstroLocker, XingLocker, and now in its current phase, the Quantum Locker...

May 9, 2022 / 5 minute read

Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation

Cybereason recently uncovered an attack assessed to be the work of Chinese APT Winnti that operated undetected, siphoning intellectual property and sensitive data - the two companion reports examine the tactics and techniques of the overall campaign as well as a more detailed analysis of the malware arsenal and exploits used...

May 4, 2022 / 4 minute read

Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques

Cybereason investigated multiple intrusions targeting technology and manufacturing companies located in Asia, Europe and North America. Based on the findings of our investigation, it appears that the goal behind these intrusions was to steal sensitive intellectual property for cyber espionage purposes...

May 4, 2022 / 11 minute read

Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials

This APT-C-23 campaign involves two previously undocumented malware strains dubbed Barb(ie) Downloader and BarbWire Backdoor, which use an enhanced stealth mechanism to remain undetected - in addition, Cybereason observed an upgraded version of an Android implant dubbed VolatileVenom...

April 6, 2022 / 11 minute read

THREAT ALERT: Emotet Targeting Japanese Organizations

The surge of Emotet attacks targeting Japanese organizations in the first quarter of 2022 is a continuation of the earlier Emotet activity, with some changes in the malware deployment process. The Cybereason XDR Platform detects and blocks Emotet malware...

March 7, 2022 / 3 minute read

Cybereason vs. BlackCat Ransomware

BlackCat Ransomware gained notoriety quickly, leaving a trail of destruction behind it; among its recent victims are German oil companies, an Italian luxury fashion brand and a Swiss aviation company. Cybereason XDR detects and blocks BlackCat Ransomware...

March 1, 2022 / 7 minute read

Cybereason vs. WhisperGate and HermeticWiper

Ukrainian officials attributed the attack to Russia “preparing the ground” for a military invasion with nasty wipers dubbed WhisperGate and HermeticWiper. Cybereason Anti-Ransomware and Anti-MBR corruption technology detects and blocks WhisperGate and HermeticWiper...

February 15, 2022 / 2 minute read

Cybereason vs. Lorenz Ransomware

Prior to the deployment of the Lorenz ransomware, the attackers attempt to infiltrate and move laterally throughout the organization, carrying out a fully-developed RansomOps attack - the Cybereason XDR Platform fully detects and prevents the Lorenz ransomware...

February 8, 2022 / 7 minute read

StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations

Cybereason discovered an undocumented RAT dubbed StrifeWater attributed to Iranian APT Moses Staff who deploy destructive ransomware following network infiltration and the exfiltration of sensitive data...

February 1, 2022 / 7 minute read

PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage

Cybereason discovered a new toolset developed by Iranian APT Phosphorus which revealed a connection to Memento ransomware and includes the newly discovered PowerLess Backdoor that evades detection by running PowerShell in a .NET context...

February 1, 2022 / 8 minute read

Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike

After exploitation of ProxyShell, attackers used Exchange to distribute phishing emails with the QBot payload and DatopLoader, a loader previously used to distribute the Cobalt Strike malware...

January 11, 2022 / 10 minute read

THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool

This report provides analysis on the evolution of configuration and implementation aspects of the StealBit malware developed by the LockBit ransomware group to exfiltrate sensitive data from targets for double extortion purposes…

December 16, 2021 / 20 minute read

THREAT ALERT: The Return of Emotet

Since the first Twitter post about this most recent discovery, the team at G DATA and the Cybereason SOC team have seen multiple Emotet samples in the wild, particularly between November 21-23, confirming that Emotet is reemerging...

December 9, 2021 / 3 minute read

Cybereason Research Finds Organizations Unprepared for Ransomware Attacks on Weekends and Holidays

The research findings highlight a disconnect between the risk ransomware poses to organizations during these off-hour periods and their preparedness to respond during weekends and into the holiday season...

November 17, 2021 / 4 minute read

THREAT ANALYSIS REPORT: Snake Infostealer Malware

This report provides an overview of key features of the Snake malware and similarities discovered in the staging mechanisms with two other information-stealing malware variants, FormBook and Agent Tesla...

October 28, 2021 / 16 minute read

THREAT ALERT: Malicious Code Implant in the UAParser.js Library

A threat actor has implanted malicious code in UAParser.js, a JavaScript library that parses User-Agent data where the implanted code deploys cryptocurrency-mining and information-stealing malware on compromised systems...

October 27, 2021 / 3 minute read

Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms

The highly-targeted attacks against aerospace and telecoms firms by new Iranian threat actor MalKamak include newly discovered malware that has evaded security tools since 2018 and abuses Dropbox services for command and control...

October 6, 2021 / 16 minute read

Threat Analysis Report: Inside the Destructive PYSA Ransomware

The PYSA ransomware gang uses tools like Koadic, PsExec and Mimikatz for credential theft and lateral movement before executing PowerShell scripts that stop or remove system security mechanisms like Windows Defender...

September 27, 2021 / 10 minute read

THREAT ALERT: Microsoft MSHTML Remote Code Execution Vulnerability

The Cybereason GSOC Managed Detection and Response (MDR) team is investigating CVE-2021-40444, a critical vulnerability in the Microsoft Hypertext Markup Language (MSHTML) web content rendering engine that Microsoft Office applications use...

September 10, 2021 / 3 minute read

THREAT ALERT: Microsoft Exchange ProxyShell Exploits and LockFile Ransomware

The exploitation of the ProxyShell vulnerabilities enables attackers to execute arbitrary commands on compromised systems, which may lead to full system compromise and/or the deployment of malware...

August 30, 2021 / 3 minute read

Cybereason vs. LockBit2.0 Ransomware

Following the rise of the new LockBit2.0 and the attack against the global IT company Accenture, this report provides detailed information about the attack process and how the Cybereason Defense Platform detects and prevents this threat at several stages...

August 24, 2021 / 6 minute read

DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos

Cybereason discovered several previously unidentified attack campaigns targeting the telecoms industry across Southeast Asia assessed to be the work of several prominent Chinese APT groups...

August 3, 2021 / 27 minute read

Cybereason vs. Prometheus Ransomware

The Cybereason Defense Platform detects and prevents Prometheus ransomware, a relatively new variant first observed in February of 2021 that has impacted more than 40 companies...

July 15, 2021 / 10 minute read

Cybereason vs. REvil Ransomware: The Kaseya Chronicles

Cybereason detects and blocks REvil ransomware, protecting our customers and those of our Managed Services Provider partners in the wake of the Kaseya supply chain attacks...

July 6, 2021 / 5 minute read

THREAT ALERT: PrintNightmare Critical Vulnerability in Windows Print Spooler

PrintNightmare is a critical vulnerability in the Windows Print Spooler service that allows attackers to execute arbitrary code on target systems with administrative privileges...

July 2, 2021 / 3 minute read

THREAT ALERT: SolarMarker Backdoor

SolarMarker enables attackers to execute commands, PowerShell scripts, and Windows executables on compromised systems, and to deploy additional malware...

June 23, 2021 / 3 minute read

Report: Ransomware Attacks and the True Cost to Business

A new global research study conducted by Cybereason reveals that the majority of organizations suffered significant business impact following a ransomware attack...

June 16, 2021 / 2 minute read

THREAT ALERT: LemonDuck Crypto-Mining Malware

LemonDuck is a cryptocurrency-mining malware that, in addition to mining, also spreads in a network after the initial infection with the goal of increasing the number of systems that participate in its mining pool...

May 19, 2021 / 3 minute read

THREAT ALERT: N3tw0rm Ransomware Campaign

The campaign uses a disk space filler utility, a scenario not typical for ransomware: the utility continuously writes files to a victim's hard disk volumes until no free disk space is left available...

May 10, 2021 / 2 minute read

PortDoor: New Chinese APT Backdoor Attack Targets Russian Defense Sector

In a highly targeted operation by a Chinese APT, a newly discovered backdoor dubbed PortDoor is being used in attacks targeting a Russian defense contractor...

April 30, 2021 / 7 minute read

Cybereason vs. Avaddon Ransomware

The Cybereason Nocturnus Team has been tracking the Avaddon ransomware and its double extortion model since June 2020...

April 27, 2021 / 4 minute read

Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities

The multi-stage cryptocurrency botnet has been observed exploiting the Microsoft Exchange vulnerabilities associated with the HAFNIUM attacks to penetrate networks...

April 22, 2021 / 15 minute read

Cybereason vs. DarkSide Ransomware

DarkSide ransomware follows the double extortion trend where the threat actors first exfiltrate the data and threaten to make it public if the ransom demand is not paid, rendering backing up data as a precaution against a ransomware attack moot...

April 1, 2021 / 6 minute read

Cybereason vs. NetWalker Ransomware

The NetWalker ransomware has been targeting organizations in the US and Europe including several healthcare organizations, despite several known threat actors publicly claiming to abstain from targeting such organizations due to COVID-19.

February 16, 2021 / 4 minute read

Cybereason vs. RansomEXX Ransomware

The Cybereason Nocturnus Team has been tracking the activity around RansomEXX, which is being used as part of multi-staged human-operated attacks targeting various government-related entities and tech companies.

January 26, 2021 / 4 minute read

Cybereason vs. Conti Ransomware

Since first emerging in May 2020, the ransomware operators (aka the Conti Gang) claim to have over 150 successful attacks with millions in extortion fees. Download the Indicators of Compromise to search for Conti in your own environment.

January 12, 2021 / 5 minute read

Amazon Gift Card Offer Serves Up Dridex Banking Trojan

Over the course of December 2020, the Cybereason Nocturnus Team has been tracking cyber crime campaigns related to the holiday season, and more specifically to online shopping. Download the Indicators of Compromise to search for Dridex in your own environment.

December 24, 2020 / 6 minute read

Cybereason vs. Cl0p Ransomware

The Cybereason Nocturnus team has been tracking the activity of the Cl0p ransomware, a variant of CryptoMix ransomware. Download the Indicators of Compromise to search for Cl0p in your own environment...

December 23, 2020 / 3 minute read

Cybereason vs. SolarWinds Supply Chain Attack

On December 13, 2020, IT infrastructure management provider SolarWinds issued a Security Advisory regarding their SolarWinds Orion Platform after experiencing a “highly sophisticated” supply chain attack.

December 22, 2020 / 2 minute read

Molerats APT: New Malware and Techniques in Middle East Espionage Campaign

Security researchers observed a politically motivated APT called "Molerats" using three new malware variants to conduct espionage in the Middle East. Download the Indicators of Compromise to search for Molerats in your own environment.

December 15, 2020 / 3 minute read

Cybereason vs. Ryuk Ransomware

Ryuk ransomware is most often seen as the final payload in a larger targeted attack against a corporation, and since its return in September, it has been mainly delivered via TrickBot or BazarLoader infections.

December 10, 2020 / 3 minute read

New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign

The Cybereason Nocturnus Team has identified an active espionage campaign employing three previously unidentified malware variants that use Facebook, Dropbox, Google Docs and Simplenote for command & control and the exfiltration of data from targets across the Middle East.

December 9, 2020 / 2 minute read

Cybereason vs. MedusaLocker Ransomware

There have been reports of MedusaLocker attacks across multiple industries, especially the healthcare industry which suffered a great deal of ransomware attacks during the COVID-19 pandemic.

November 19, 2020 / 4 minute read

Novel Chaes Malware Underscores Heightened E-Commerce Risk This Holiday Season

The Cybereason Nocturnus Team has identified an active campaign targeting customers of a larger e-commerce platform with newly identified multi-stage malware, dubbed Chaes, that evades antivirus tools.

November 18, 2020 / 2 minute read

Back to the Future: Inside the Kimsuky KGH Spyware Suite

The Cybereason Nocturnus Team has been tracking a North Korean cyber espionage group known as Kimsuky and has identified a new spyware suite along with new attack infrastructure.

November 2, 2020 / 14 minute read

No Rest for the Wicked: Evilnum Unleashes PyVil RAT

Nocturnus has been tracking the Evilnum group, targeting financial technology companies to spy and steal passwords, documents, browser cookies, email credentials and more.

September 3, 2020 / 9 minute read

A Bazar of Tricks: Following Team9’s Development Cycles

Learn how the Bazar malware is sent via phishing emails that take advantage of the ongoing coronavirus pandemic, employee payroll reports, and customer complaints.

July 16, 2020 / 14 minute read

FakeSpy Masquerades as Postal Service Apps Around the World

The Cybereason Nocturnus team is investigating a new campaign involving FakeSpy, an Android mobile malware used to steal SMS messages, send SMS messages, steal financial data, read account information and contact lists, steal application data, and do much more.

July 1, 2020 / 10 minute read

Cybereason’s Newest Honeypot Shows How Multistage Ransomware Attacks Should Have Critical Infrastructure Providers on High Alert

Earlier this year, Cybereason launched its latest honeypot to analyze the tactics, techniques, and procedures used by state-sponsored groups and cyber crime actors to target critical infrastructure providers.

June 11, 2020 / 6 minute read

Valak: More than Meets the Eye

Valak is a sophisticated malware that can steal enterprise mailing information and passwords along with the enterprise certificate. This gives attackers the potential to access critical enterprise accounts, causing damage to organizations, brand degradation, and ultimately a loss of consumer trust.

May 28, 2020 / 13 minute read

EventBot: A New Mobile Banking Trojan is Born

The Cybereason Nocturnus team is investigating EventBot, a new type of Android mobile malware. EventBot abuses accessibility features to steal user data from financial applications, read user SMS messages, and steal SMS messages to allow the malware to bypass two-factor authentication.

April 30, 2020 / 12 minute read

Who's Hacking the Hackers: No Honor Among Thieves

Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, allowing the attackers to completely take over the victim’s machine.

March 10, 2020 / 8 minute read

New Cyber Espionage Campaigns Targeting Palestinians - Part 2: The Discovery of the New, Mysterious Pierogi Backdoor

Cybereason's Nocturnus team has been tracking recent espionage campaigns specifically directed at entities and individuals in the Palestinian territories.

February 13, 2020 / 7 minute read

New Cyber Espionage Campaigns Targeting Palestinians - Part 1: The Spark Campaign

Cybereason's Nocturnus team has been tracking recent espionage campaigns specifically directed at entities and individuals in the Palestinian territories.

February 13, 2020 / 11 minute read

The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware

Cybereason is following an active campaign to deliver multiple different types of malware to victims all over the world. This attack is able to steal data, mine for cryptocurrency, and in specific cases deliver ransomware.

February 5, 2020 / 9 minute read

Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware

Cybereason Nocturnus detected a series of attacks that started with a TrickBot infection and progressed into a hacking operation targeting sensitive financial systems using a new variant of Anchor_DNS and a new malware dubbed Anchor.

December 11, 2019 / 15 minute read

Phoenix: The Tale of the Resurrected Keylogger

Nocturnus is tracking a new keylogger called Phoenix, packed with a myriad of information-stealing features extending far beyond logging keystrokes.

November 20, 2019 / 11 minute read

Hunting Raccoon: The New Masked Bandit on the Block

Nocturnus has investigated infections of the Raccoon stealer including its origin, team members, business model, and marketing efforts. We also cover Raccoon's current capabilities and delivery methods, with a look into the operators' future plans for the malware.

October 24, 2019 / 14 minute read

Glupteba Expands Operation and Toolkit with LOLBins And Cryptominer

The Nocturnus team has identified variants of Glupteba that made use of an extensive arsenal, including LOLBins and a cryptocurrency miner.

September 12, 2019 / 15 minute read

REvil / Sodinokibi: The Crown Prince of Ransomware

Cybereason has been tracking REvil/Sodinokibi since 2019 - the Cybereason Defense Platform detects and blocks this nasty ransomware that struck meatpacker JBS...

August 5, 2019 / 8 minute read

Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers

In 2018, the Cybereason Nocturnus team identified Operation Soft Cell, an advanced, persistent attack targeting global telecommunications providers.

June 25, 2019 / 16 minute read

New Pervasive Worm Exploiting Linux Exim Server Vulnerability

There's an active, ongoing campaign exploiting a widespread vulnerability in Linux email servers. Read about the attack first here.

June 13, 2019 / 6 minute read

Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware

In this research, we introduce a meticulously planned, malicious operation against a financial institution in April of 2019 by TA505.

April 25, 2019 / 11 minute read

A One-two Punch of Emotet, TrickBot, & Ryuk Stealing & Ransoming Data

The Cybereason team has identified a campaign that incorporates Emotet, TrickBot, and the Ryuk ransomware. This malware adapts Emotet to drop TrickBot, and adapts TrickBot to not only steal data but also download the Ryuk ransomware.

April 2, 2019 / 5 minute read

Triple Threat: Emotet Deploys TrickBot to Steal Data & Spread Ryuk

The Cybereason team has uncovered a severe threat that adapts Emotet to drop TrickBot, and adapts TrickBot to not only steal data but also download the Ryuk ransomware. This attack steals personal information, passwords, mail files, browser data, and registry keys before ransoming the victims' data.

April 2, 2019 / 15 minute read

New Ursnif Variant Targets Japan Packed with New Features

In this research we dissect a new Ursnif variant that uses language checks and steganography to evade detection. It features a stealthy persistence mechanism and revamped information-stealing modules focusing on mail clients and cryptocurrency.

March 12, 2019 / 10 minute read

Astaroth Malware Uses Legitimate OS and Antivirus Processes to Steal Passwords and Personal Data

In this report, we explore a recent campaign involving the Astaroth information stealing trojan, chiefly affecting Brazil through the abuse of native OS processes.

February 13, 2019 / 10 minute read

LOLbins and trojans: How the Ramnit Trojan spreads via sLoad in a cyberattack

Cybereason detected an evasive infection technique used to spread a variant of the Ramnit banking Trojan as part of an Italian spam campaign. We investigate this attack, its use of sLoad, and its adoption of LOLbins to minimize discovery.

January 3, 2019 / 13 minute read

Pervasive Brazilian Financial Malware Targets Bank Customers in Latin America and Europe

Cybereason's Nocturnus team mapped out the multi-stage malware distribution infrastructure behind Brazilian financial malware and found that Brazilian-made malware has become pervasive, targeting over 60 banks in nearly a dozen countries throughout Latin America, Spain and Portugal.

November 29, 2018 / 19 minute read

WannaMine Cryptominer that uses EternalBlue still active

The WannaMine Cryptominer, which uses the EternalBlue exploits, is still active although a patch that fixes these well-known vulnerabilities was released last March.

September 14, 2018 / 5 minute read

The Anatomy of a .NET Malware Dropper

Cybereason researchers discovered a .NET dropper/crypter. Here's how they reverse engineered it.

September 10, 2018 / 7 minute read