Virus Bulletin

@VirusBulletin@infosec.exchange
2.5K Followers
57 Following
1.9K Posts
Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.
Virus Bulletin12h ago
Splunk Threat Research Team takes a close look at recent XWorm malware samples spotted in the wild and shows how this threat uses a mix of different stagers and loaders to sneak past defences and carry out its attacks. https://www.splunk.com/en_us/blog/security/xworm-shape-shifting-arsenal-detection-evasion.html
Virus Bulletin12h ago
Elastic Security Labs has observed multiple campaigns that appear to be leveraging commercial AV/EDR evasion framework SHELLTER to load malware. SHELLTER is a commercial evasion framework that helps red teams bypass AV and EDR tools. https://www.elastic.co/security-labs/taking-shellter
Virus Bulletin12h ago
Fortinet's Vincent Li analyses RondoDox, a new botnet campaign targeting Linux-based operating systems running on diverse architectures. RondoDox incorporates custom libraries and mimics traffic from gaming platforms or VPN servers to evade detection. https://www.fortinet.com/blog/threat-research/rondobox-unveiled-breaking-down-a-botnet-threat
Virus Bulletin1d ago
Palo Alto Networks researchers Haizhou Wang, Ashkan Hosseini & Ashutosh Chitwadgi show how Windows Shortcut (LNK) files are exploited for malware delivery, based on analysis of 30,000 recent samples. https://unit42.paloaltonetworks.com/lnk-malware/
Virus Bulletin1d ago
ESET Research analyses Russia-aligned APT group Gamaredon’s updated cyberespionage toolset, new stealth-focused techniques, and its aggressive spearphishing operations observed throughout 2024 against Ukraine. https://www.welivesecurity.com/en/eset-research/gamaredon-2024-cranking-out-spearphishing-campaigns-ukraine-evolved-toolset/
Virus Bulletin1d ago
ANSSI has published details about the Houken intrusion campaign, which seeks initial access to the networks of French entities through the exploitation of several zero-day vulnerabilities on Ivanti Cloud Service Appliance devices. https://www.cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-009/
Virus Bulletin1d ago
Cisco Talos2d ago
Did you know PDFs may be the perfect disguise for phishing attacks? Cisco Talos is enhancing email threat detection and uncovering new tactics like callback phishing (aka TOAD) and Adobe abuse: https://blog.talosintelligence.com/pdfs-portable-documents-or-perfect-deliveries-for-phish/
Virus Bulletin1d ago
ANY.RUN2d ago

🚨 Top 5 Remote Access Tools Exploited by Threat Actors in the First Half of 2025.
⚠️ While legitimate and widely used by IT teams, Remote Monitoring and Management tools are increasingly used by threat actors to establish persistence, bypass defenses, and exfiltrate data.

In the first half of 2025, #ANYRUN observed a significant number of #malware samples leveraging known RMM software for #malicious access. Here are the 5 most frequently abused tools, along with analysis examples:
1️⃣ ScreenConnect – 3,829 sandbox sessions
https://app.any.run/tasks/3aa42d2e-8b91-4b8c-8bbb-e2b733194294/?utm_source=mastodon&utm_medium=post&utm_campaign=top_rmm&utm_term=020725&utm_content=linktoservice

2️⃣ UltraVNC – 2,117 sandbox sessions
https://app.any.run/tasks/1b7234a0-ab11-4301-a5e7-9e157acfad95/?utm_source=mastodon&utm_medium=post&utm_campaign=top_rmm&utm_term=020725&utm_content=linktoservice

3️⃣ NetSupport – 746 sandbox sessions
https://app.any.run/tasks/6740b646-2763-4969-9afe-31104dff0d81/?utm_source=mastodon&utm_medium=post&utm_campaign=top_rmm&utm_term=020725&utm_content=linktoservice

4️⃣ PDQ Connect – 230 sandbox sessions
https://app.any.run/tasks/05948d1c-3128-4daa-97e5-60dd9991c115/?utm_source=mastodon&utm_medium=post&utm_campaign=top_rmm&utm_term=020725&utm_content=linktoservice

5️⃣ Atera – 171 sandbox sessions
https://app.any.run/tasks/61e01084-e442-4bb7-a725-1667128573ce/?utm_source=mastodon&utm_medium=post&utm_campaign=top_rmm&utm_term=020725&utm_content=linktoservice

👨‍💻 To support faster detection and investigation, we’ve added the rmm-tool tag in TI Lookup, making it easier for threat hunters and incident responders to track RMM-based intrusions.

🔍 Explore recent RMM abuse cases in the last 180 days:
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=top_rmm&utm_content=linktoti&utm_term=020725#%7B%2522query%2522:%2522threatName:%255C%2522rmm-tool%255C%2522%2522,%2522dateRange%2522:180%7D%20

Analyze latest malware and #phishing threats with #ANYRUN 🚀 #ExploreWithANYRUN

Virus Bulletin2d ago

Planning your Berlin adventure? ✨

We’ve put together a handy guide to help you make the most of your time in this amazing city, from travel information and public transport to local restaurants and must-see sights.

Come for VB2025, stay for Berlin!

Check out our Visiting Berlin page and start planning now 👉 https://tinyurl.com/4hvn7bcs

Virus Bulletin2d ago
Fortinet's Ariel Litvak uncovered a malspam attack distributing DCRAT. The threat actor is impersonating a Colombian government entity & evades detection with a password-protected archive, obfuscation, steganography, Base64 encoding, & multiple file drops. https://www.fortinet.com/blog/threat-research/dcrat-impersonating-the-columbian-government
×
Virus BulletinJun 26
Recorded Future researchers analyse a new version of DRAT in a TAG-140 (overlaps with SideCopy) campaign targeting Indian government organizations. DRAT V2 updates its custom TCP-based, server-initiated C2 protocol & expands functional capabilities. https://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal