Threat actors have been observed concealing malicious code in images to deliver malware, such as VIP Keylogger and 0bj3ctivity Stealer, as part of separate campaigns. In both campaigns, attackers hid malicious code in photos uploaded to archive[.]org, a file-hosting website, and used the same .NET loader to install their final payloads. The starting point is a phishing email that masquerades as invoices and purchase orders to trick recipients into opening malicious attachments, such as Microsoft
xworm (3)
Between April and June 2024, the NullBulge group emerged, targeting users in AI-centric applications and gaming communities. The NullBulge persona has showcased creative methods of distributing malware targeting said tools and platforms. Though the group projects an image of activism claiming to be “protecting artists around the world” and claims to be motivated by a pro-art, anti-AI cause rather than profit, other activities tied to this threat actor may indicate otherwise.
NullBulge’s servic
In 2023, FortiGuard Labs uncovered the 8220 Gang’s utilization of ScrubCrypt to launch attacks targeting exploitable Oracle WebLogic Servers. ScrubCrypt has been described as an “antivirus evasion tool” that converts executables into undetectable batch files. It offers several options to manipulate malware, making it more challenging for antivirus products to detect. Analysts recently discovered a threat actor distributing a phishing email containing malicious Scalable Vector Graphics (SVG) f
