Virus Bulletin

@VirusBulletin@infosec.exchange
2.5K Followers
57 Following
1.9K Posts
Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.
Virus Bulletin16h ago
ESET researchers analyse a cyberespionage campaign conducted by BladedFeline, an Iran-aligned APT group with likely ties to OilRig. They found two reverse tunnels, a variety of supplementary tools, a new backdoor (Whisper) & a malicious IIS module (PrimeCache). https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/
Virus Bulletin16h ago
Splunk researchers analyse a malicious Inno Setup installer that leverages Inno Setup's Pascal scripting capabilities to retrieve and execute HijackLoader, a known loader used to evade detection and deliver the final payload - in this case, RedLine Stealer. https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
Virus Bulletin3d ago
Splunk Threat Research Team takes a close look at recent XWorm malware samples spotted in the wild and shows how this threat uses a mix of different stagers and loaders to sneak past defences and carry out its attacks. https://www.splunk.com/en_us/blog/security/xworm-shape-shifting-arsenal-detection-evasion.html
Virus Bulletin3d ago
Elastic Security Labs has observed multiple campaigns that appear to be leveraging commercial AV/EDR evasion framework SHELLTER to load malware. SHELLTER is a commercial evasion framework that helps red teams bypass AV and EDR tools. https://www.elastic.co/security-labs/taking-shellter
Virus Bulletin3d ago
Fortinet's Vincent Li analyses RondoDox, a new botnet campaign targeting Linux-based operating systems running on diverse architectures. RondoDox incorporates custom libraries and mimics traffic from gaming platforms or VPN servers to evade detection. https://www.fortinet.com/blog/threat-research/rondobox-unveiled-breaking-down-a-botnet-threat
Virus Bulletin4d ago
Palo Alto Networks researchers Haizhou Wang, Ashkan Hosseini & Ashutosh Chitwadgi show how Windows Shortcut (LNK) files are exploited for malware delivery, based on analysis of 30,000 recent samples. https://unit42.paloaltonetworks.com/lnk-malware/
Virus Bulletin4d ago
ESET Research analyses Russia-aligned APT group Gamaredon’s updated cyberespionage toolset, new stealth-focused techniques, and its aggressive spearphishing operations observed throughout 2024 against Ukraine. https://www.welivesecurity.com/en/eset-research/gamaredon-2024-cranking-out-spearphishing-campaigns-ukraine-evolved-toolset/
Virus Bulletin4d ago
ANSSI has published details about the Houken intrusion campaign, which seeks initial access to the networks of French entities through the exploitation of several zero-day vulnerabilities on Ivanti Cloud Service Appliance devices. https://www.cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-009/
Virus Bulletin4d ago
Cisco Talos5d ago
Did you know PDFs may be the perfect disguise for phishing attacks? Cisco Talos is enhancing email threat detection and uncovering new tactics like callback phishing (aka TOAD) and Adobe abuse: https://blog.talosintelligence.com/pdfs-portable-documents-or-perfect-deliveries-for-phish/
Virus Bulletin4d ago
ANY.RUN5d ago

🚨 Top 5 Remote Access Tools Exploited by Threat Actors in the First Half of 2025.
⚠️ While legitimate and widely used by IT teams, Remote Monitoring and Management tools are increasingly used by threat actors to establish persistence, bypass defenses, and exfiltrate data.

In the first half of 2025, #ANYRUN observed a significant number of #malware samples leveraging known RMM software for #malicious access. Here are the 5 most frequently abused tools, along with analysis examples:
1️⃣ ScreenConnect – 3,829 sandbox sessions
https://app.any.run/tasks/3aa42d2e-8b91-4b8c-8bbb-e2b733194294/?utm_source=mastodon&utm_medium=post&utm_campaign=top_rmm&utm_term=020725&utm_content=linktoservice

2️⃣ UltraVNC – 2,117 sandbox sessions
https://app.any.run/tasks/1b7234a0-ab11-4301-a5e7-9e157acfad95/?utm_source=mastodon&utm_medium=post&utm_campaign=top_rmm&utm_term=020725&utm_content=linktoservice

3️⃣ NetSupport – 746 sandbox sessions
https://app.any.run/tasks/6740b646-2763-4969-9afe-31104dff0d81/?utm_source=mastodon&utm_medium=post&utm_campaign=top_rmm&utm_term=020725&utm_content=linktoservice

4️⃣ PDQ Connect – 230 sandbox sessions
https://app.any.run/tasks/05948d1c-3128-4daa-97e5-60dd9991c115/?utm_source=mastodon&utm_medium=post&utm_campaign=top_rmm&utm_term=020725&utm_content=linktoservice

5️⃣ Atera – 171 sandbox sessions
https://app.any.run/tasks/61e01084-e442-4bb7-a725-1667128573ce/?utm_source=mastodon&utm_medium=post&utm_campaign=top_rmm&utm_term=020725&utm_content=linktoservice

👨‍💻 To support faster detection and investigation, we’ve added the rmm-tool tag in TI Lookup, making it easier for threat hunters and incident responders to track RMM-based intrusions.

🔍 Explore recent RMM abuse cases in the last 180 days:
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=top_rmm&utm_content=linktoti&utm_term=020725#%7B%2522query%2522:%2522threatName:%255C%2522rmm-tool%255C%2522%2522,%2522dateRange%2522:180%7D%20

Analyze latest malware and #phishing threats with #ANYRUN 🚀 #ExploreWithANYRUN

×
Virus Bulletin5d ago
Fortinet's Ariel Litvak uncovered a malspam attack distributing DCRAT. The threat actor is impersonating a Colombian government entity & evades detection with a password-protected archive, obfuscation, steganography, Base64 encoding, & multiple file drops. https://www.fortinet.com/blog/threat-research/dcrat-impersonating-the-columbian-government