All news with #malware analysis tag

🔎 Symantec and Carbon Black confirm the Lua-based fast16 malware was a pre-Stuxnet sabotage tool designed to corrupt nuclear weapons testing simulations. The threat specifically targets high-explosive runs in LS-DYNA and AUTODYN, activating only when simulated material density reaches ~30 g/cm³. With 101 hook rules organized into 9–10 groups, the framework tracked software versions and spread laterally while avoiding some security products, indicating a methodical, long-running operation.

⚠ Check Point Research discovered a critical implementation bug in Vect 2.0 that causes files larger than 131,072 bytes (128 KB) to be permanently destroyed rather than recoverably encrypted. The ransomware uses raw ChaCha20-IETF without the Poly1305 MAC and a faulty nonce-handling routine that discards three of four decryption nonces, effectively turning the RaaS into a wiper across Windows, Linux and ESXi variants. Researchers also identified multiple additional coding and design errors that undermine the group's RaaS ambitions and affiliate program.

⚠️ VECT 2.0 ransomware contains a nonce-handling defect that overwrites per-chunk nonces when encrypting files, leaving only the final nonce saved. As a result, files larger than about 128 KB are partially unrecoverable — roughly only the last quarter can be decrypted — causing the malware to act like a wiper for many enterprise assets. Check Point researchers report the flaw affects Windows, Linux and ESXi builds and means victims cannot recover corrupted data even if they pay.

🔎 SentinelOne researchers have identified a sabotage-focused malware framework from around 2005 that predates Stuxnet by at least five years. The investigation uncovered a service binary (svcmgmt.exe) embedding a Lua 5.0 VM and a boot-start kernel driver (fast16.sys) that intercepts and patches executables at the storage layer. Fast16 acted as a wormable carrier with multiple 'wormlet' payloads, targeted Windows 2000/XP file shares using weak credentials, and included environmental checks to avoid specific security software. The framework was designed to corrupt outputs from engineering and simulation suites, and was later referenced in the Shadow Brokers leak.

🔒 CISA and the U.K. NCSC analyzed a sample of the FIRESTARTER Linux ELF backdoor affecting Cisco Firepower and Secure Firewall devices running ASA/FTD. The agency assesses the malware provides persistent remote access, installs a hook into LINA to execute arbitrary shellcode, and can survive firmware updates and reboots. CISA provides YARA rules for detection and directs U.S. FCEB agencies to collect and submit core dumps per V1: ED 25-03, and to await further guidance.

🛡️ Cloudflare demonstrates an automated method to reverse-engineer classic BPF socket filters and generate the exact “magic” packets that trigger stealthy Linux backdoors. By combining symbolic execution with the Z3 theorem prover and translating the resulting constraints into concrete byte values, the approach reduces manual analysis of complex BPF bytecode from hours or days to seconds. The team uses scapy to assemble crafted packets and has open-sourced the filterforge tool to accelerate threat research and detection.

🔍 Cisco Talos introduces DispatchLogger, an open-source DLL that transparently instruments late-bound COM (IDispatch) interactions to enhance malware analysis visibility. The tool hooks COM instantiation APIs and returns proxy objects that forward calls while logging method names, parameters, return values, and object relationships. It supports recursive wrapping, enumerator proxies, and moniker handling to reveal high-level automation events often missed by low-level API tracing. Deployment requires injecting the DLL into target processes and preserves COM lifetime and threading semantics.

🔔 Recent signals show attackers moving faster and hiding in plain sight. Kali Linux added an integration with Anthropic's Claude via the Model Context Protocol to translate natural-language prompts into technical commands, enabling AI-assisted command execution in a red‑team distro. Censys analyzed ResidentBat, an Android spyware implant used for mass surveillance that exfiltrates audio, messages and files. Alongside Bitpanda-themed phishing, ClickFix-based macOS stealers, ActiveMQ-enabled LockBit intrusions and a widespread WinRAR patch lag, these developments underscore shrinking breakout times, improved cloaking and persistent patching gaps that defenders must address.

🔒 CISA released an updated Malware Analysis Report detailing new findings on RESURGE, a sophisticated implant that exploits vulnerabilities to establish covert SSH-based command-and-control access. The update shows advanced network-level evasion, forged TLS certificates, and authentication techniques that allow RESURGE to remain dormant on Ivanti Connect Secure devices until an operator connects, evading routine scans. CISA publishes IOCs, detection signatures, and directs use of mitigation guidance for CVE-2025-0282 to aid defenders.

🛡️ Google Threat Intelligence Group, Mandiant, and partners executed a coordinated disruption against a global espionage campaign attributed to UNC2814 that abused cloud services for covert command and control. Investigators identified a novel C-based backdoor called GRIDTIDE that uses Google Sheets APIs as a high-availability C2 channel, protected by an AES-128-CBC key and service account credentials. Actions included terminating attacker-controlled Google Cloud projects, disabling accounts and Sheets API access, sinkholing infrastructure, and publishing IOCs and detection guidance to support defenders.

🔍 This Fortinet analysis dissects a recent multi-stage campaign deploying Agent Tesla, which targets Windows users with credential theft and keylogging. The chain uses spearphishing with RAR attachments containing obfuscated JSE loaders that fetch encrypted PowerShell scripts and reflectively load .NET assemblies in memory. Operators leverage process hollowing, virtualization and sandbox checks, and SMTP-based exfiltration to minimize detection. Fortinet telemetry and cross-product protections are highlighted to help organizations mitigate the threat.

🔍 SafeBreach reported that the Iranian-linked threat group Infy resumed operations on January 26, 2026, deploying new command-and-control (C2) servers and replacing infrastructure for its Foudre and Tonnerre tool families. The actor introduced Tornado v51, which supports both HTTP and Telegram-based C2 and uses a hybrid domain-generation approach combining a new DGA and blockchain-derived fixed names. Researchers observed signs the group exploited a disclosed WinRAR extraction flaw to deliver a self-extracting archive that drops a Tornado DLL and an installer that checks for Avast before establishing persistence. SafeBreach also recovered Telegram artifacts, a ZZ Stealer chain, and a malicious PyPI package used for targeted deployments.

🤖 Check Point Research's analysis of VoidLink describes one of the first advanced malware families largely generated using artificial intelligence. Unlike earlier AI-assisted samples, which were often low-quality or derivative, VoidLink exhibits clear sophistication, modularity, and rapid evolution. AI appears to have enabled a single actor to plan, build, and iterate a complex malware framework in days rather than months, compressing development cycles and increasing operational tempo. Security teams must adapt detection, attribution, and incident response to meet this emerging threat class.

🛡️ ReversingLabs has identified a versatile Windows packer, pkr_mtsi, used since April 2025 in large-scale malvertising and SEO-poisoning campaigns to deliver trojanized installers pretending to be utilities like PuTTY, Rufus and Microsoft Teams. The infections arise from fake download sites promoted via paid search ads rather than vendor compromise. The loader drops varied follow-on payloads (Oyster, Vidar, Vanguard Stealer, Supper), increasingly employs obfuscation and anti‑analysis techniques, and RL has released an expanded YARA rule to improve detection.

⚡ CrowdStrike’s Malware Analysis Agent, launched as part of the Threat AI initiative at Fal.Con 2025, automates file triage to produce near-real-time, confidence-scored intelligence for analysts. The agent runs parallel static analysis and dynamic sandbox detonations, correlates findings with CrowdStrike’s threat repository and more than 5,000 YARA rules, and synthesizes behavioral summaries, classification, and remediation guidance. Integrated with Falcon Fusion SOAR and APIs, it can trigger automated hunts, deploy protections, export IOCs, and isolate hosts to accelerate response and reduce analyst backlog.

🔍 Unit 42 provides a detailed technical analysis of VVS stealer, a Python-based malware family that targets Discord users and Chromium/Firefox browsers to exfiltrate tokens, credentials, and browser data. The report explains distribution as PyInstaller packages protected with Pyarmor (observed v9.1.4) and documents the deobfuscation steps used to recover bytecode, AES keys, and encrypted strings. It summarizes runtime behaviors including Discord client injection via modified Electron files, webhook-based exfiltration, persistence in %APPDATA%, and sample indicators defenders can monitor.

🔒 Unit 42 analyzes a notable upgrade to RansomHouse (tracked as Jolly Scorpius) that replaces a simple linear encryptor with a more complex, multi-layered design. The revised encryptor, Mario, implements a two-stage scheme using a 32-byte primary key and an 8-byte secondary key, plus chunked and sparse file processing. These changes complicate static analysis and decryption and specifically target ESXi virtual and backup artifacts. Unit 42 highlights detection controls and mitigation guidance for defenders.

🔍 Elastic Security Labs has detailed a Windows backdoor named NANOREMOTE that leverages the Google Drive API to stage payloads and exfiltrate data, making detection more difficult. The C++ implant implements a robust task manager for queued uploads and downloads with pause, resume and cancel capabilities and exposes 22 command handlers for reconnaissance, execution and file transfer. Researchers also observed a WMLOADER dropper and an uploaded artifact linking NANOREMOTE to the FINALDRAFT family, indicating likely code reuse.

🔒 CISA, NSA, and the Canadian Centre for Cyber Security released a joint malware analysis on BRICKSTORM, a sophisticated backdoor targeting VMware vSphere (vCenter) and Windows environments used by PRC state-sponsored actors. The report provides indicators of compromise (IOCs), detection signatures, and CISA-developed YARA and SIGMA rules to help critical infrastructure owners identify compromises. Recommended mitigations include scanning with the provided rules, inventorying and monitoring edge devices, enforcing network segmentation, and adopting Cross-Sector Cybersecurity Performance Goals; organizations are urged to report suspected activity to CISA immediately.

🔒 The Kraken ransomware targets Windows and Linux/VMware ESXi hosts and runs on-host benchmarks to decide whether to perform full or partial encryption. Cisco Talos researchers found it creates temporary files, times encryption of random data, and uses the result to select an encryption mode that maximizes damage while avoiding overloads. Before encrypting it deletes shadow volumes, stops backup services, appends .zpsc to files, and drops a readme_you_ws_hacked.txt ransom note. The group continues big‑game hunting and data theft for double extortion and has launched a forum called 'The Last Haven Board'.