Virus Bulletin

@VirusBulletin@infosec.exchange
Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.
Cybereason Security Services investigates a BlackSuit ransomware attack leveraging tools like Cobalt Strike for command and control (C2), rclone for data exfiltration, & BlackSuit ransomware for file encryption. https://www.cybereason.com/blog/blacksuit-data-exfil
Palo Alto Networks researchers explore the obfuscation techniques employed by the malware authors in the SLOW#TEMPEST campaign and highlight methods and code that can be used to detect and defeat these techniques. https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/
Researchers from The DFIR Report, in partnership with Proofpoint, have identified a PHP variant of Interlock RAT (aka NodeSnake) distributed via KongTuke FileFix. https://thedfirreport.com/2025/07/14/kongtuke-filefix-leads-to-new-interlock-rat-variant/
Acronis TRU researchers look into the SafePay ransomware group targeting managed service providers & small-to-midsize businesses across industries. The group appears to operate with centralized control, managing its own operations, infrastructure & negotiations. https://www.acronis.com/en-us/tru/posts/safepay-ransomware-the-fast-rising-threat-targeting-msps/
SentinelOne's Phil Stokes (@philofishal) & Dinesh Devadoss provide a technical analysis of the latest version of the macOS.ZuRu malware, along with new technical indicators to aid detection engineers and threat hunters. https://www.sentinelone.com/blog/macos-zuru-resurfaces-modified-khepri-c2-hides-inside-doctored-termius-app/
Huntress's John Hammond, Jamie Levy, Lindsey O'Donnell-Welch & Michael Tigges observed exploitation of a remote code execution Wing FTP Server bug (CVE-2025-47812). Organizations running Wing FTP Server should update to the fixed version. https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild
After years of dominance in #ESET’s top #infostealer statistics, the era of #AgentTesla has come to an end. It finished H1 2025 in fourth place, its numbers having decreased by 57%. The reason? It is no longer under active development.
The threat actors behind Agent Tesla have reportedly lost access to the servers with the malware’s source code. A successor appeared almost immediately – another #MaaS threat, known as #SnakeStealer or #SnakeKeylogger, has claimed the number one spot.
Recommended as a suitable replacement directly in Agent Tesla’s Telegram channel, SnakeStealer now takes up almost a fifth of all infostealer detections registered by ESET telemetry. Between H2 2024 and H1 2025, its detections more than doubled.
If you want to find out more information about this changing of the guard in the infostealer threat landscape, head on over to #ESETThreatReport: https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025

🚨 Fake 7-Zip installer exfiltrates Active Directory files.
A #malicious installer disguised as 7-Zip steals critical Active Directory files, including ntds.dit and the SYSTEM hive, by leveraging shadow copies and exfiltrating the data to a remote server.
🥷 Upon execution, the #malware creates a shadow copy of the system drive to bypass file locks and extract protected files without disrupting system operations.

🎯 It then copies ntds.dit, which contains Active Directory user and group data, and SYSTEM, which holds the corresponding encryption keys.

The malware connects to a remote server via SMB using hardcoded credentials. All output is redirected to NUL to minimize traces.

👨‍💻 #ANYRUN Sandbox makes it easy to detect these stealthy operations by providing full behavioral visibility, from network exfiltration to credential staging, within a single interactive session.
🔍 See analysis session: https://app.any.run/tasks/7f03cd5b-ad02-4b3a-871f-c31ac0f5dc15/?utm_source=mastodon&utm_medium=post&utm_campaign=fake_7zip&utm_term=090725&utm_content=linktoservice

This technique grants the attacker full access to the ntds.dit dump, allowing them to extract credentials for Active Directory objects and enabling lateral movement techniques such as Pass-the-Hash or Golden Ticket.

🚀 Analyze and investigate the latest malware and #phishing threats with #ANYRUN.
#ExploreWithANYRUN

How does Russia’s Sandworm unit exploit pirated software to target Ukraine?

Join Arda Buyukkaya from EclecticIQ at VB2025 in Berlin to uncover how cyber operations can turn everyday behaviour into large-scale threats.

📅 Sept 25 | 09:30–10:00 | Green Room

Find out more about this talk 👉 https://tinyurl.com/e9anehex

#VB2025 #cybersecurity #conference #networking

Palo Alto Networks Unit 42 researchers uncovered a campaign by an initial access broker to exploit leaked Machine Keys (cryptographic keys used on ASP.NET sites) to gain access to targeted organizations & sell that access on to other threat actors. https://unit42.paloaltonetworks.com/initial-access-broker-exploits-leaked-machine-keys/
Splunk researchers analyse a malicious Inno Setup installer that leverages Inno Setup's Pascal scripting capabilities to retrieve and execute HijackLoader, a known loader used to evade detection and deliver the final payload - in this case, RedLine Stealer. https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html