Executive Summary Recent analysis of PlugX malware samples has identified 14 domains assessed to be part of ongoing PRC espionage activity consistent with threat actors designated as Mustang Panda, UNC6384, and RedDelta. The majority of… Before the Proxy: Uncovering Active PlugX Staging Infrastructure Linked to Three PRC Actors
In early February 2026, a misconfigured server with more than one-thousand files was found exposed to the internet. Among them were stolen firewall configs, Active Directory maps, credential dump output, and detailed attack plans targeting… LLMs in the Kill Chain: Inside a Custom MCP Targeting FortiGate Devices Across Continents
Information stealers (infostealers) continue to be the tool of choice fueling an ever growing cybercriminal economy. Harvested credentials are a hot commodity, from account takeover and financial fraud, to underground markets, and hand offs to… Tracking DigitStealer: How Operator Patterns Exposed C2 Infrastructure
There are plenty of options when it comes to automating Python scripts. You can use cronjobs if your using *nix, scheduled tasks on Windows, and native libraries like schedule and apschedule. Tracking newly registered domains… Serverless Domain Hunting: Track Newly Registered Domains With Ease
Bifrose or Bifrost is a backdoor initially targeting Windows systems with a long history. First identified in the early 2000’s, it is believed a hacking group (likely BlackTech), purchased the source code or gained access… A Quick Look at ELF Bifrose (Part 1)
Summary BlackTech has built a reputation relying on (much to the delight of defenders) tech-themed domains and predictable registration patterns. Recent reporting linking malicious domains to the actor suggests these patterns may be fading, at… So Long (Go)Daddy | Tracking BlackTech Infrastructure
21 August 2022 Recently, Avast tweeted a GitHub link of indicators of compromise (IOC) linked to the Manjusaka Framework. Cisco Talos released a blog earlier this month covering the framework in great detail, so I… Analyzing Manjusaka Infrastructure
02 June 2022
The Kimsuky APT Group has routinely utilized the AppleSeed Backdoor to target various entities within South Korea, mainly for the purposes of espionage.
While phishing still remains the primary vector of delivering the backdoor, over the past year, Kimsuky has gone to great lengths to disguise its attacks, utilizing numerous types of decoy files, packers, and encoding schemes.
Overview of AppleSeed Dropper
26 May 2022 While the actual blog post has been difficult to access for some, Positive Technologies released research on the Space Pirates APT group that has been spotted intruding on government, IT, and critical… Analyzing the Royal Road to Space Pirates
15 May 2022 RTF SHA256: ac64adbfa128fd5f31bd922957942a1b80c56ee119791a29b939be04e1d7e2ba Filename: PO#JEL180409TH IR & JEL180409TH IRB.doc VirusTotal Score: 30/59 as of 12 May 2022 What’s An RTF? First released some 35 years ago, the Rich Text Format (RTF) file… Analysis of an Obfuscated RTF File