All news with #huntress labs tag

From Infostealer to PureRAT: Dissecting an Escalating Attack

🔍 Huntress Labs analyzed a multi-stage intrusion that began with a phishing ZIP and DLL sideloading and escalated to deployment of the commercial PureRAT backdoor. The operator combined bespoke Python loaders and a Python-based infostealer with compiled .NET loaders, process hollowing, AMSI/ETW tampering, and reflective DLL injection to evade detection. Final-stage configuration revealed a Vietnam-hosted C2 (157.66.26.209) and Telegram infrastructure linked to PXA Stealer, underscoring a shift from custom theft to a professional RAT.

Obscura: New Ransomware Variant Targeting Domains Globally

🔒 On 29 August 2025 Huntress analysts identified a previously unseen ransomware variant they named Obscura after its embedded ransom note. The binary was placed in the domain NETLOGON scripts folder, enabling propagation via AD replication, and the actor created scheduled tasks to run it across hosts. Obscura requires administrative privileges, attempts to delete volume shadow copies and terminates roughly 120 security and backup processes. It uses Curve25519/X25519 key exchange and XChaCha20 for file encryption and writes a decoded ransom note to C:\README-OBSCURA.txt.