Search Results for “process injection” – Page 3

adfind bazar cobaltstrike ransomware ryuk

Ryuk Speed Run, 2 Hours to Ransom

editor November 5, 2020

Intro Since the end of September Ryuk has been screaming back into the news. We’ve already covered 2 cases in that timeframe. We’ve seen major healthcare providers, managed service providers, … Read More

adfind bazar cobaltstrike ransomware ryuk

Ryuk’s Return

editor October 8, 2020

Intro The Ryuk group went from an email to domain wide ransomware in 29 hours and asked for over $6 million to unlock our systems. They used tools such as … Read More

elpacoteam mimic ransomware

Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware

editor May 19, 2025

Key Takeaways The DFIR Report Services Table of Contents: Case Summary In late June 2024, an unpatched Confluence server was compromised via CVE-2023-22527, a template injection vulnerability, first from IP … Read More

blacksuit bruteratel cobaltstrike ransomware sectoprat

Fake Zoom Ends in BlackSuit Ransomware

editor March 31, 2025

Key Takeaways Case Summary This case from May 2024 started with a malicious download from a website mimicking the teleconferencing application Zoom. When visiting the website and downloading a file … Read More

exploit lockbit ransomware

Confluence Exploit Leads to LockBit Ransomware

editor February 24, 2025

Key Takeaways Case Summary The intrusion started with the exploitation of CVE-2023-22527, a critical remote code execution vulnerability in Confluence, against a Windows server. The first indication of threat actor … Read More

cobaltstrike opendir

Inside the Open Directory of the “You Dun” Threat Group

editor October 28, 2024

Key Takeaways The DFIR Report Services Reports such as this one are part of our All Intel service and are categorized as Threat Actor Insights. Private Threat Briefs: Over 20 … Read More

alphv cobaltstrike icedid ransomware

IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment

editor June 10, 2024

Key Takeaways The DFIR Report Services → Click here to access the DFIR Lab related to this report ← Five new sigma rules were created from this report and added … Read More

metasploit opendir sliver

Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor’s Activity

editor December 18, 2023

This report is a little different than our typical content. We were able to analyze data from a perspective we typically don’t get to see… a threat actor’s host! In … Read More

coinminer exploit

SELECT XMRig FROM SQLServer

editor July 11, 2022

In March 2022, we observed an intrusion on a public-facing Microsoft SQL Server. The end goal of this intrusion was to deploy a coin miner. Although deploying a coin miner … Read More

cobaltstrike hancitor

Hancitor Continues to Push Cobalt Strike

editor June 28, 2021

First observed in 2014, Hancitor (also known as Chanitor and Tordal) is a downloader trojan that has been used to deliver multiple different malware such as Pony, Vawtrak, and DELoader. … Read More

cryptominer CVE-2020-14882

WebLogic RCE Leads to XMRig

editor June 3, 2021

Intro This report will review an intrusion where, the threat actor took advantage of a WebLogic remote code execution vulnerability (CVE-2020–14882) to gain initial access to the system before installing … Read More

adfind bazar cobaltstrike ryuk

Bazar, No Ryuk?

editor January 31, 2021

Intro In the fall of 2020, Bazar came to prominence when several campaigns delivered Ryuk ransomware. While Bazar appeared to drop-off in December, new campaigns have sprung up recently, using … Read More