Blog

Taking your threat intelligence seriously

A PAINFUL QUICKHEAL

A QUICKHEAL sample (9553567e231a172c69f0ef8800a927193b9cbd49), used in a recent campaign targeting the telecom sector, was recently uploaded to VirusTotal (VT). According to open sources, this malware is closely associated with a Chinese People’s Liberation Army (PLA)-linked intrusion set known as the Needleminer group, RedFoxtrot, or Nomad Panda. Since I had never worked on QUICKHEAL before and…
Read more

Unveiling Sharp Panda’s New Loader

Checkpoint recently published a report on Sharp Panda, mentioning an extension of its victimology as well as the use of a new dropper to deploy the 5.t framework. To avoid confusion with other vendors’ naming, Checkpoint decided to rename Sharp Panda to Sharp Dragon. Associated in open sources with China, this intrusion set is mostly…
Read more

Analysis of Sarwent loader: Old ways die hard

A few days ago, I saw a tweet from malware C2 hunter Viriback (kudos for all your great work) mentioning the Sarwent loader. This malware appeared at least as early as 2018 and was notably used in a campaign reported by Talos in 2021 that used Amnesty International as a lure. Since I had never worked on this malware…
Read more

Exploring MadMxShell’s Infrastructure: Rapid Pivoting for Actionable Insights

In a great blog post, Zscaler revealed a recent campaign targeting IT professionals via Google malvertising in order to distribute a new backdoor named « MadMxShell ». In this campaign, the attackers registered domains mimicking the names of well-known IP scanners to lure their victims into downloading a zip archive containing a legitimate executable that sideloads a…
Read more