Deobfuscating APT28's HTA Trojan: A Deep Dive into VBE Techniques & Multi-Layer Obfuscation

This analysis delves into APT28's cyber espionage campaign targeting Central Asia and Kazakhstan diplomatic relations, focusing on their HTA Trojan. The malware employs advanced obfuscation techniques, including VBE (VBScript Encoded) and multi-layer obfuscation. The investigation uses x32dbg debugging to decode the obfuscated code, revealing a custom map algorithm for character deobfuscation. The process involves decoding strings using embedded characters from Windows vbscript.dll. The analysis identifies the use of Microsoft's Windows Script Encoder (screnc.exe) to create VBE files. By employing various deobfuscation techniques, including a Python script, the final malware sample is extracted and analyzed, showcasing APT28's evolving tactics in cyber espionage.

Pulse ID: 67efc6e712b49d46c1423ca9
Pulse Link: https://otx.alienvault.com/pulse/67efc6e712b49d46c1423ca9
Pulse Author: AlienVault
Created: 2025-04-04 11:47:51

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Silent Credit Card Thief Uncovered

A sophisticated credit card skimming campaign dubbed 'RolandSkimmer' has been discovered, targeting users in Bulgaria. The attack utilizes malicious browser extensions across Chrome, Edge, and Firefox, initiated through a deceptive LNK file. The malware employs obfuscated scripts to establish persistent access, harvesting and exfiltrating sensitive financial data. The attack workflow involves system reconnaissance, downloading additional malicious files, and injecting scripts into web pages. The threat actor uses unique identifiers to track victims and employs sophisticated techniques to evade detection. The campaign demonstrates the evolving nature of web-based credit card skimming threats, highlighting the need for enhanced security measures against LNK-based attacks and unverified browser extensions.

Pulse ID: 67efc6e92fbd533808f09435
Pulse Link: https://otx.alienvault.com/pulse/67efc6e92fbd533808f09435
Pulse Author: AlienVault
Created: 2025-04-04 11:47:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Russian-Speaking Threat Actor Abuses Cloudflare & Telegram in Phishing Campaign

A Russian-speaking threat actor has launched a new phishing campaign using Cloudflare-branded pages themed around DMCA takedown notices. The attack abuses the ms-search protocol to deliver malicious LNK files disguised as PDFs. Once executed, the malware communicates with a Telegram bot to report the victim's IP address before connecting to Pyramid C2 servers. The campaign leverages Cloudflare Pages and Workers services to host phishing pages, and uses an open directory to store malicious files. The infection chain includes PowerShell and Python scripts, with incremental changes in tactics to evade detection. The actors' infrastructure spans multiple domains and IP addresses, primarily using Cloudflare's network.

Pulse ID: 67efc6ed5285702a3440969a
Pulse Link: https://otx.alienvault.com/pulse/67efc6ed5285702a3440969a
Pulse Author: AlienVault
Created: 2025-04-04 11:47:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Cyberattacks by AI agents are coming

Agents could make it easier and cheaper for criminals to hack systems at scale. We need to be ready.

https://www.technologyreview.com/2025/04/04/1114228/cyberattacks-by-ai-agents-are-coming

This sneaky #Android #spyware needs a password to uninstall. Here’s how to remove it without one.

https://techcrunch.com/2025/04/03/this-sneaky-android-spyware-needs-a-password-to-uninstall-heres-how-to-remove-it-without-one/

Cloudflare shuts down port 80 API access, malware devs turn to obscure languages like FORTH, and password reuse remains rampant. @SGgrc & @leo Laporte unpack the latest on Security Now 1019!

#CyberSecurity #Malware
Download and subscribe here:
https://buff.ly/aqfGWFq

FIN7 *again*? Seriously, these guys just don't quit, do they?

Heads up – they've cooked up an Anubis backdoor using Python. And nope, *it's not* the Android Trojan people know. It's pretty wild what this thing packs: we're talking remote shell capabilities, file uploads, messing with the registry... Basically, the keys to the kingdom!

And let me tell you from a pentester's perspective: Just relying on AV? That's *definitely* not gonna cut it anymore. We all know that, right?

Looks like they're slipping in through compromised SharePoint sites now? Yikes. The nasty part? A Python script decrypts the payload *directly in memory*, making it incredibly tough to spot! Plus, their command and control chats happen over a Base64-encoded TCP socket.

So, keep a *sharp eye* on those ZIP attachments! Double-check your SharePoint sites' integrity. You'll also want to monitor network traffic closely (especially that TCP activity!). And make sure your endpoint security is actually up to snuff – remember, they love finding ways to bypass defenses!

How are *you* tackling threats like this one? What are your go-to tools and strategies for defense? Let's share some knowledge!

Counterfeit #Android devices found preloaded with #Triada #malware

https://www.bleepingcomputer.com/news/security/counterfeit-android-devices-found-preloaded-with-triada-malware/

#Gootloader #Malware Resurfaces in #Google Ads for Legal Docs. Attackers target a familiar industry, law professionals, by hiding the infostealer in ads delivered via Google-based malvertising.
https://www.darkreading.com/cyberattacks-data-breaches/gootloader-malware-google-ads-legal-docs

New #Triada trojan comes preinstalled on #Android devices
https://securityaffairs.com/176143/malware/new-triada-comes-preinstalled-on-android-devices.html
#securityaffairs #hacking #malware

New advanced #FIN7's #Anubis #backdoor allows to gain full system control on #Windows
https://securityaffairs.com/176134/malware/new-advanced-fin7s-anubis-backdoor-allows-to-gain-full-system-control-on-windows.html
#securityaffairs #hacking #malware

New Open-Source Tool Spotlight

Loki is an open-source malware scanner designed for threat detection. It uses YARA rules, IOC pattern matching, and file system anomaly detection to identify malicious files and artifacts. Ideal for quick triage, not full AV replacement. #malware #cybersecurity

Project link on #GitHub https://github.com/Neo23x0/Loki

#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity

—
P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking

Hackers abuse #WordPress MU-Plugins to hide malicious code

https://www.bleepingcomputer.com/news/security/hackers-abuse-wordpress-mu-plugins-to-hide-malicious-code/

A csv formatted list of #malspam campaigns that crossed my path in March to include subject, #malware, hash, c2's, and email exfil addresses:

https://gist.github.com/silence-is-best/70f69b4a412b14c16e6fe9a29c82630a

#CrushFTP CVE-2025-2825 flaw actively exploited in the wild
https://securityaffairs.com/176097/hacking/crushftp-cve-2025-2825-flaw-actively-exploited.html
#securityaffairs #hacking #malware

Malware: Qakbot mit falschen Captchas verteilt

Längere Zeit war es still um die Qakbot-Trojaner. Nun verteilen Kriminelle neue Varianten mit Fake-Captchas.

https://www.heise.de/news/Malware-Qakbot-mit-falschen-Captchas-verteilt-10335589.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

#France’s antitrust authority fines #Apple €150M for issues related to its App Tracking Transparency
https://securityaffairs.com/176092/digital-id/frances-antitrust-authority-fines-apple-e150m.html
#securityaffairs #hacking #malware

Hiding #WordPress #malware in the mu-plugins directory to avoid detection
https://securityaffairs.com/176083/malware/wordpress-malware-in-the-mu-plugins-directory.html
#securityaffairs #hacking #malware

#CoffeeLoader #Malware Is Stacked With Vicious Evasion Tricks. Next-level malware represents a new era of malicious code developed specifically to get around modern #security software like digital forensics #tools and EDR, new research warns.
https://www.darkreading.com/threat-intelligence/coffeeloader-malware-evasion-tricks

#CISA Warns of Resurge #Malware Connected to Ivanti Vuln. Threat actors are exploiting a #vulnerability in Ivanti Connect Secure first disclosed by the vendor in January.
https://www.darkreading.com/cyberattacks-data-breaches/cisa-warns-resurge-malware-ivanti-vuln
#security