Author name: William Thomas

Cyjax research sees TeamTNT added to Mitre ATT&CK framework

A wide variety of malware and threat actors target cloud and container technologies, such as Docker, Kubernetes, and Amazon Web Services. The two main techniques for initial access that are leveraged by threat actors against these technologies are misconfigured instances with unsafe ports open and improper access control, and users downloading malicious versions of popular […]

Mercenary APTs – An Exploration

Mercenary advanced persistent threat (APT) groups, sometimes called “hackers-for-hire” – and dubbed private-sector offensive actors (PSOAs) by Microsoft – have become a significant part of the threat landscape in recent years. These cyber-soldiers of fortune have been executing increasing numbers of attack campaigns for their clients, usually nation-states, that are looking for surveillance capabilities. Not

EMEA and APAC governments targeted in widespread credential harvesting campaign

Cyjax analysts have uncovered a large credential harvesting campaign targeting multiple government departments in APAC and EMEA countries. Over 50 hostnames were analysed, many of which were posing as the Ministry of Foreign Affairs, Ministry of Finance, or Ministry of Energy, in various countries such as Uzbekistan, Belarus, and Turkey; as well as the Main

REvil-ution – A Persistent Ransomware Operation

REvil (short for Ransomware Evil) is a revolutionary ransomware operation. Its predecessor, GandCrab, which was retired in early 2019, pioneered the concept of ransomware-as-a-service (RaaS) for “big game hunting” campaigns (where corporate targets are selected according to their annual turnover). REvil’s operators (also known as GoldSouthfield or PinchySpider) continued where GandCrab left off, and thrived.

Financial spear-phishing campaigns pushing RATs

On 12 May, the FBI Cyber Division issued a TLP:WHITE Private Industry Notification. This concerned a spear-phishing campaign distributing messages that masqueraded as financial institutions to push fake Windows apps containing remote access Trojans (RATs). The most recent attack impersonated a US-based financial institution to target an American renewable energy company. The spear-phishing email referenced

WizardSpider using legitimate services as cloak of invisibility

Ransomware has continued to play a dominant role in the 2021 threat landscape alongside the unravelling SolarWinds saga and the recent wave of ProxyLogon attacks to deploy webshells on vulnerable Microsoft Exchange Servers [1]. Since the start of the year, Cyjax analysts have tracked a malicious spam (malspam) campaign and cybercriminal operation, dubbed WizardSpider (also

Royal Mail mass spam campaign targets UK

Since early February, Cyjax analysts have been tracking a mass spam campaign masquerading as Royal Mail parcel delivery notifications. We have observed large numbers of malicious domains being registered each day, typically using Namecheap as registrar and hosting service rather than any others. Multiple varieties of attacks have been detected that use both Royal Mail-themed
