A new malware family named WarmCookie, also known as BadSpace, has been actively distributed through malspam and malvertising campaigns since April 2024.
See: https://redskyalliance.org/xindustry/windows-backdoor-to-push-badspace
According to a blog post from Cisco Talos published on 23 October 2024, the malware facilitates persistent access to compromised networks. It has been observed as an initial payload, often leading to the deployment of additional malware such as CSharp-Streamer-RAT an
The targeted operation utilized CVE-2017-8570 as the initial vector and employed a notable custom loader for Cobalt Strike, yet attribution to any known threat actor remains elusive. An unknown threat actor targeted government entities in Ukraine toward the end of 2023 using an old Microsoft Office remote code execution (RCE) exploit from 2017 (CVE-2017-8570) as the initial vector and military vehicles as the lure.
The threat actor initiated the attack using a malicious PowerPoint file (.PPSX)
Chinese developers have created a new command-and-control (C2) framework with features and functionality similar to Cobalt Strike and Sliver. The new framework is called Manjusaka.
Cisco Talos researchers have discovered the C2 framework in the wild running in parallel with Cobalt strike. The initial investigation began with a Cisco Talos response to a Cobalt Strike beacon detection that was installed from a malicious Microsoft Word Document. The document was sent in an email as an attachment
In a recent study by CrowdStrike regarding cyber threat activity show more intrusion attempts in the first six months of this year than in all of 2019. The pandemic-related shift to remote work and the growing availability of Ransomware-as-a-Service (RaaS) were two major drivers. Red Sky Alliance has reported on many of these ransomware groups and actors in detail in 2020. These reports can be found at no charge at https://redskyalliance.org.
The security vendor's threat-hunting team blocked
