Npav Lab

A new variant of the Qilin (Agenda) ransomware, known as Qilin.B, has been discovered with enhanced encryption methods, improved evasion techniques, and capabilities to disrupt data recovery. This strain targets both Windows and network systems, making it a serious threat to enterprises across various sectors.

Ransomware gangs are using the notorious LockBit’s reputation to intimidate victims and carry out sophisticated data exfiltration attacks via Amazon S3 Transfer Acceleration. These attacks exploit embedded AWS credentials and target Windows and macOS systems, encrypting data and applying pressure tactics to extract ransom payments.

Net Protector Total Security has proudly received the International VB100 certification, showcasing its exceptional malware detection abilities and reinforcing its reputation as a trusted cybersecurity solution.

The Lazarus hacking group exploited a Google Chrome zero-day vulnerability (CVE-2024-4947) through a fake decentralized finance (DeFi) game, "DeTankZone," targeting individuals in the cryptocurrency sector. This attack demonstrates Lazarus' evolving tactics, using browser exploits and rebranded games to steal sensitive data and potentially cryptocurrency.

A new phishing campaign has been uncovered targeting Russian-speaking users, leveraging the Gophish framework to deliver two remote access trojans (RATs)—DarkCrystal RAT (DCRat) and a newly identified malware, PowerRAT. The campaign exploits phishing emails, malicious documents, and HTML pages to initiate infection chains, resulting in system compromise and data exfiltration.

The Bumblebee malware loader, believed to be a creation of TrickBot developers, has resurfaced after going silent following a law enforcement disruption in May 2024. New attacks tied to Bumblebee have been observed, signaling a possible resurgence of the malware. It continues to target victims through phishing and malvertising, delivering dangerous payloads like ransomware and information-stealing malware.

A recently discovered phishing campaign is exploiting a stored cross-site scripting (XSS) vulnerability in the open-source Roundcube webmail software to steal login credentials. Threat actors are leveraging a now-patched flaw (CVE-2024-37383) via malicious emails, targeting government organizations in Commonwealth of Independent States (CIS) countries. The vulnerability, patched in May 2024, allowed attackers to execute JavaScript within victims' browsers, tricking them into revealing sensitive login information.

A new ClickFix campaign is targeting users with fake Google Meet conference errors, luring them to download infostealing malware on both Windows and macOS systems. The campaign impersonates technical issues and prompts victims to run malicious PowerShell code, infecting devices with malware like Stealc, Rhadamanthys, and AMOS Stealer.

Cybercriminals are increasingly abusing the open-source EDRSilencer tool to tamper with Endpoint Detection and Response (EDR) solutions and conceal their malicious activities. This tool uses the Windows Filtering Platform (WFP) to block security software from communicating, making it harder for organizations to detect and remove malware.

In May 2024, North Korean hacking group ScarCruft (APT37) exploited an Internet Explorer zero-day flaw (CVE-2024-39178) to distribute RokRAT malware through malicious toast pop-up ads. This zero-click malware campaign, dubbed "Code on Toast," compromised an advertising server, targeting systems to exfiltrate sensitive data and perform espionage activities. Despite Internet Explorer’s retirement, its components still pose a significant risk as threat actors continue exploiting these vulnerabilities.