Reddit NetSec

AlienVault OTX General

CVE Database V5

Reddit InfoSec News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

Throughout 2024, Gamaredon focused exclusively on targeting Ukrainian governmental institutions with spearphishing campaigns and weaponized USB drives. The group developed six new tools and significantly updated existing ones, improving stealth and evasion capabilities. Gamaredon increased the scale of its spearphishing campaigns, especially in the second half of the year. The group also made efforts to bypass network-based blocking, hiding most of its command and control infrastructure behind Cloudflare tunnels. Notable updates include enhancements to PteroLNK for weaponizing network drives, improvements in file exfiltration techniques, and the introduction of new downloaders. Despite these advancements, Gamaredon showed signs of operational limitations, occasionally abandoning or infrequently updating certain tools.

Gamaredon is a persistent advanced threat actor that throughout 2024 has concentrated its cyber operations against Ukrainian governmental institutions. The group employs spearphishing campaigns and weaponized USB drives as primary infection vectors. In 2024, Gamaredon significantly evolved its toolset by developing six new malware tools and enhancing existing ones to improve stealth and evasion capabilities. Key technical advancements include improvements to PteroLNK, a tool used to weaponize network drives, enabling more effective lateral movement and infection spread within targeted networks. The group also refined file exfiltration techniques, making data theft more efficient and harder to detect. Additionally, Gamaredon introduced new downloader malware variants to facilitate payload delivery. To evade network-based detection and blocking, the group increasingly leveraged Cloudflare tunnels to conceal its command and control (C2) infrastructure, complicating attribution and mitigation efforts. Despite these enhancements, Gamaredon exhibited some operational constraints, occasionally abandoning or infrequently updating certain tools, which may indicate resource limitations or shifting priorities. The threat actor’s focus on Ukrainian government entities, combined with its use of sophisticated evasion techniques and multi-vector infection methods, underscores its role as a state-aligned APT group engaged in espionage and disruption activities. No known public exploits have been reported, and the threat remains primarily targeted rather than opportunistic.

Detailed information about Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset. Get real-time updates, technical det

Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset - Live Threat Intelligence - Threat Radar | OffSeq.com

Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset

The SERPENTINE#CLOUD campaign leverages Cloudflare Tunnels and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts. The attack begins with malicious .lnk files disguised as documents, fetching remote code from Cloudflare subdomains. The infection chain involves batch, VBScript, and Python stages, ultimately deploying shellcode that loads a Donut-packed PE payload. The campaign focuses on Western targets, using Cloudflare for payload hosting and anonymity. It demonstrates evolving tactics, shifting from simple .url files to sophisticated .lnk payloads. The final stage involves a RAT payload, giving attackers full control over infected hosts.

The SERPENTINE#CLOUD campaign is a sophisticated malware operation that abuses Cloudflare Tunnels to deliver stealthy, Python-based malware payloads to targeted systems. The attack initiates through malicious Windows shortcut (.lnk) files that are disguised as legitimate documents to entice victims into execution. These shortcuts fetch remote code hosted on Cloudflare subdomains, leveraging Cloudflare's infrastructure to provide anonymity and evade traditional detection mechanisms. The infection chain is multi-staged and complex, involving batch scripts, VBScript, and Python loaders that work together to execute memory injection techniques. The final payload is a shellcode loader that uses the Donut packer to embed a Portable Executable (PE) payload directly into memory, avoiding disk writes and reducing forensic footprints. This PE payload is a Remote Access Trojan (RAT), specifically linked to variants such as AsyncRAT and RevengeRAT, granting attackers full control over compromised hosts. The campaign has evolved from using simpler .url files to more complex .lnk files, indicating an adaptive threat actor improving stealth and delivery mechanisms. The use of obfuscation and memory injection techniques further complicates detection and analysis. The campaign primarily targets Western organizations, exploiting the trust and ubiquity of Cloudflare services to host malicious payloads and maintain operational security. No known exploits in the wild have been reported yet, but the campaign's medium severity rating reflects its potential impact and stealth capabilities.

Detailed information about Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels to Infect Systems with Stealthy Python-Based Malware. Get real-tim

Analyzing SERPENTINE#CLOUD: Threat Actors Abuse Cloudflare Tunnels to Infect Systems with Stealthy Python-Based Malware - Live Threat Intelligence - Threat Radar | OffSeq.com

Title	Severity	Type	Source	Date

Threats Tagged 'cloudflare tunnels'

Filter Threats

Threats Tagged 'cloudflare tunnels'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility