All news with #cobalt strike tag

Google Details BadAudio Malware Used by China APT24

🔐 Google Threat Intelligence Group (GTIG) disclosed a previously undocumented loader, BadAudio, used by China-linked APT24 in a multi-year espionage campaign that employed spearphishing, watering-hole infections, and supply-chain compromises. The loader is heavily obfuscated, leverages DLL search-order hijacking and control-flow flattening, and exfiltrates encrypted system data to hard-coded C2 servers. In at least one observed case it delivered an Cobalt Strike Beacon, and many samples remained undetected by most antivirus engines.

APT24 Pivot to BADAUDIO Multi-Vector Attacks in Taiwan

🔍 Google Threat Intelligence Group (GTIG) details a three-year espionage campaign by APT24 deploying the obfuscated BADAUDIO downloader to deliver AES-encrypted payloads, including Cobalt Strike beacons. The actor evolved from broad strategic web compromises to targeted supply-chain abuse of a Taiwanese digital marketing firm and spear-phishing lures. BADAUDIO uses DLL search order hijacking, control-flow flattening, and cookie-based beaconing to retrieve decrypted payloads in memory. GTIG added related domains and files to Safe Browsing, issued victim notifications, and published IOCs and YARA rules to support detection and mitigation.

Gootloader Returns After Seven Months With Evasion Tricks

🛡️ Gootloader has resumed operations after a seven-month pause, using SEO poisoning to promote fake legal-document sites that trick users into downloading malicious ZIP archives containing JScript loaders. The campaign now employs novel evasion techniques — a custom web font that renders readable keywords in the browser while the HTML source remains gibberish, and malformed ZIPs that extract a .js in Windows Explorer but a benign .txt for many analysis tools. Infected hosts receive follow-on payloads such as Cobalt Strike, backdoors including the Supper SOCKS5 implant, and bots that provide initial access for ransomware affiliates.

Qilin Ransomware: Attack Methods and TTPs Exposed Globally

🔍 Cisco Talos details widespread Qilin ransomware operations observed in late 2025, highlighting persistent leak-site activity and sustained victim publication. The analysis links many intrusions to exposed administrative credentials and unprotected remote access, with manufacturing, professional services, and wholesale trade heavily affected. Talos documents abuse of open-source exfiltration tools (notably Cyberduck), dual-encryptor deployment patterns, credential harvesting with mimikatz and SharpDecryptPwd, and numerous defense-evasion techniques, recommending layered controls such as MFA, credential monitoring, and hardened backups.

PassiveNeuron APT Uses Neursite and NeuralExecutor

🧠 Kaspersky researchers have identified a sophisticated cyber-espionage campaign dubbed PassiveNeuron that has targeted government, financial, and industrial organizations across Asia, Africa, and Latin America since late 2024. The operation uses bespoke implants—Neursite (a C++ modular backdoor) and NeuralExecutor (a .NET loader)—alongside Cobalt Strike, leveraging compromised internal servers as intermediate C2s and a plugin architecture to maintain persistence and adapt tooling. Victims include internet-exposed servers; attackers have used SQL-based remote command execution, attempted ASPX web shells, deployed DLL loaders into the System32 directory, and in 2025 adopted a GitHub-based dead-drop resolver to retrieve C2 addresses.

VirusTotal Success: SEQRITE APT Hunting Case Studies

🔎 SEQRITE's APT-Team describes how they used VirusTotal to pivot from isolated clues to comprehensive campaign mapping, tracking UNG0002, Silent Lynx, and DRAGONCLONE between May 2024 and May 2025. Their work combined malware configuration extraction, LNK metadata, code-sign certificate pivots, YARA and Sigma rules, and Livehunt queries to surface related samples and previously unreported implants. The post highlights practical hunting queries and pivots — public key and LNK-ID searches, submitter geofilters, and malware_config values — that enabled attribution and expanded detection across multiple Asian geographies.

Chinese Cybercrime Group Runs Global SEO Fraud Ring

🔍 UAT-8099, a Chinese-speaking cybercrime group, has been linked to a global SEO fraud operation that targets Microsoft IIS servers to manipulate search rankings and harvest high-value data. The actor gains access via vulnerable or misconfigured file upload features, deploys web shells and privilege escalation to enable RDP, then uses Cobalt Strike and a modified BadIIS module to serve malicious content when requests mimic Googlebot. Infections have been observed across India, Thailand, Vietnam, Canada, and Brazil, affecting universities, telecoms and technology firms and focusing on mobile users.

UAT-8099 Targets High-Value IIS Servers for SEO Fraud

🔍 Cisco Talos details UAT-8099, a Chinese-speaking cybercrime group that compromises reputable IIS servers to conduct SEO fraud and steal high-value credentials, certificates and configuration files. The actors exploit file-upload weaknesses to deploy ASP.NET web shells, enable RDP, create hidden administrative accounts and install VPN/reverse-proxy tools for persistence. They automate operations with custom scripts, deploy Cobalt Strike via DLL sideloading and install multiple BadIIS variants to manipulate search rankings and redirect mobile users to ads or gambling sites. Talos published IoCs, Snort/ClamAV signatures and mitigation guidance.

Chinese State-Linked RedNovember Targets Global Org

🛰️ Recorded Future has attributed a widespread cyber-espionage cluster to a Chinese state-sponsored actor it has named RedNovember, which overlaps with Microsoft's Storm-2077. From June 2024 to July 2025 the group targeted internet-facing perimeter appliances and used a mix of open-source and commercial tooling — notably Pantegana, Spark RAT and Cobalt Strike — to gain persistent access across government and private-sector networks worldwide. Attacks exploited known CVEs in VPNs, firewalls and other security appliances and leveraged a Go-based loader derived from LESLIELOADER, while administration infrastructure relied on VPN services such as ExpressVPN and Warp.

UAT-7237 Targets Taiwanese Web Hosting Infrastructure

🔍 Cisco Talos describes UAT-7237, a Chinese‑speaking APT active since 2022 that compromised a Taiwanese web hosting provider to establish long‑term persistence. The actor relies largely on open‑source tooling, customized utilities and a tailored shellcode loader tracked as SoundBill, which can decode and execute Cobalt Strike beacons. UAT-7237 favors SoftEther VPN and RDP for access rather than mass web‑shell deployment. Talos provides IOCs and mitigation guidance for detection and blocking.