APT

October 29, 2020

THREAT RESEARCH

DoNot’s Firestarter abuses Google Firebase Cloud Messaging to spread

The newly discovered Firestarter malware uses Google Firebase Cloud Messaging to notify its authors of the final payload location. Even if the command and control (C2) is taken down, the DoNot team can still redirect the malware to another C2 using Google infrastructure. The approach in the final payload upload denotes a highly personalized targeting […]

June 29, 2020

THREAT RESEARCH

PROMETHIUM extends global reach with StrongPity3 APT

The PROMETHIUM threat actor — active since 2012 — has been exposed multiple times over the past several years. However, this has not deterred this actor from continuing and expanding their activities. By matching indicators such as code similarity, command and control (C2) paths, toolkit structure and malicious behavior, Cisco Talos identified around 30 new […]

September 24, 2019

THREAT RESEARCH

How Tortoiseshell created a fake veteran hiring website to host malware

Cisco Talos discovered a threat actor attempting to take advantage of Americans who may be seeking a job, especially military veterans. Symantec had previously identified the actor as Tortoiseshell.

July 9, 2019

THREAT RESEARCH

Sea Turtle Keeps on Swimming

By Danny Adamitis with contributions from Paul Rascagneres. Executive summary After several months of activity, the actors behind the "Sea Turtle" DNS hijacking campaign are not slowing down. Cisco Talos recently discovered...

April 23, 2019

THREAT RESEARCH

DNSpionage brings out the Karkoff

In November 2018, Cisco Talos discovered an attack campaign, called DNSpionage, in which threat actors created a new remote administrative tool that supports HTTP and DNS communication with the attackers'...

April 17, 2019

THREAT RESEARCH

DNS Hijacking Abuses Trust In Core Internet Service

This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and...

November 27, 2018

THREAT RESEARCH

DNSpionage Campaign Targets Middle East

This blog post was authored by Warren Mercer and Paul Rascagneres. Executive Summary Cisco Talos recently discovered a new campaign targeting Lebanon and the United...

May 31, 2018

THREAT RESEARCH

NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea

Talos discovered a malicious Hangul Word Processor (HWP) document targeting Korean users. If a malicious document is opened, a remote access trojan, "NavRAT," downloads with command execution and keylogging capabilities.

April 26, 2018

THREAT RESEARCH

GravityRAT – The Two-Year Evolution Of An APT Targeting India

GravityRAT malware has implemented new features, such as file exfiltration, remote command execution capability and anti-VM techniques. Consistent evolution and innovation beyond standard remote code execution is concerning.