Happy Monday everyone!

Cisco Talos researchers report on a "malvertising campaign" that involved the #PS1Bot, which is modular and has "several modules delivered to perform a variety of malicious activities on infected systems." It has the capability to capture keystrokes from the victim, conduct reconnaissance and establish persistence.

This campaign involved Search Engine Optimization (SEO) poisoning and/or malvertising where the file name matched the keywords used in this target. The victim received a compressed archive that had a single file named "FULL DOCUMENT" which functioned as the downloader and retrieved the next stage. PowerShell modules came into play later that had the capability to detect which antivirus was being used by the victim, capture screenshots and keystrokes, collect wallet information, and gain persistence, which is a pretty creative way of achieving it! But I won't spoil it! Find out for yourself and discover all the other details I left out! Enjoy and Happy Hunting!

Malvertising campaign leads to PS1Bot, a multi-stage malware framework
https://blog.talosintelligence.com/ps1bot-malvertising-campaign/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #inteldriventhreathunting


Good day everyone!

Somehow I missed this article when it first dropped but at least I found it! The DFIR Report published another great article that involved the #Bumblebee malware as the initial access vector that was installed after a user fell victim to an SEO poisoning campaign. The report states that "the threat actor moved laterally to a domain controller, dumped credentials, installed persistent remote access tools, and exfiltrated data using an SFTP client." The adversary also created two new domain accounts and used one to connect to a domain controller via RDP and dumped the NTDS.dit file using wbadmin.exe.

There are more technical details along with some great queries to use to aid your threat hunting and detection engineering efforts! As always, thank you to the authors for a great report! Happy Hunting!

From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira
https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #IntelDrivenThreatHunting #HappyHunting #readoftheday
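As an added example (not from the DFIR Report or the post above), here is a small detection pass over constructed Windows Security events for two behaviours the write-up mentions: wbadmin.exe backing up NTDS.dit, and a freshly created domain account immediately logging on via RDP (logon type 10) to a domain controller. The event field names, host names and command lines are assumptions made for this illustration.

```python
import re

# Constructed sample events (not taken from the report). Fields are a
# simplified form of Windows Security events: 4720 = user created,
# 4624 = logon, 4688 = process creation with command line.
SAMPLE_EVENTS = [
    {"id": 4720, "user": "admin01", "target": "svc_backup", "host": "DC01"},
    {"id": 4624, "user": "svc_backup", "logon_type": 10, "host": "DC01"},
    {"id": 4688, "user": "svc_backup", "host": "DC01",
     "cmd": r"wbadmin start backup -backuptarget:\\WS01\share "
            r"-include:C:\Windows\NTDS\ntds.dit -quiet"},
    # Benign-looking backup of a file share: must NOT be flagged.
    {"id": 4688, "user": "backupsvc", "host": "FS01",
     "cmd": r"wbadmin start backup -backuptarget:E: -include:D:\Data -quiet"},
]

# wbadmin (with or without .exe) starting a backup whose scope names NTDS.
WBADMIN_NTDS = re.compile(
    r"\bwbadmin(?:\.exe)?\b.*\bstart\s+backup\b.*\bntds\b", re.IGNORECASE)


def detect_ntds_backup(events):
    """Return process-creation events where wbadmin backs up NTDS content."""
    return [e for e in events
            if e["id"] == 4688 and WBADMIN_NTDS.search(e.get("cmd", ""))]


def detect_new_account_rdp(events):
    """Return sorted (account, host) pairs where an account created in this
    event set (4720) then performed an RDP logon (4624, logon type 10)."""
    created = {e["target"] for e in events if e["id"] == 4720}
    hits = {(e["user"], e["host"]) for e in events
            if e["id"] == 4624 and e.get("logon_type") == 10
            and e["user"] in created}
    return sorted(hits)


if __name__ == "__main__":
    for e in detect_ntds_backup(SAMPLE_EVENTS):
        print(f"[NTDS backup] {e['host']} {e['user']}: {e['cmd']}")
    for user, host in detect_new_account_rdp(SAMPLE_EVENTS):
        print(f"[new account RDP] {user} -> {host}")
```

In a real environment the same two functions would run over 4688/Sysmon 1 and 4624 events from the SIEM, with the account-creation window bounded in time rather than taken from the whole event set.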
