Reddit NetSec

CVE Database V5

AlienVault OTX General

Exploit-DB RSS Feed

Reddit InfoSec News

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

A sophisticated spear phishing campaign has been identified, distributing the VIP keylogger through email attachments. The malware is delivered via a ZIP file containing a malicious executable disguised as a PDF. Once executed, an AutoIt script drops two encrypted files, which are then decrypted and injected into RegSvcs.exe using process hollowing techniques. The VIP keylogger is designed to steal sensitive information by logging keystrokes, capturing credentials from popular web browsers, and monitoring clipboard activity. The campaign employs obfuscation techniques and maintains persistence through a VBS script in the Startup folder. The final payload exfiltrates data through SMTP and communicates with a command and control server.

This threat describes a sophisticated spear phishing campaign that distributes the VIP keylogger malware via email attachments. The attack vector involves sending a ZIP file containing a malicious executable disguised as a PDF document. Upon execution, the malware runs an AutoIt script that drops two encrypted files onto the victim's system. These files are then decrypted and injected into the legitimate Windows process RegSvcs.exe using process hollowing, a technique that replaces the memory of a legitimate process with malicious code to evade detection. The VIP keylogger is designed to capture sensitive information by logging keystrokes, stealing credentials from popular web browsers, and monitoring clipboard activity. To maintain persistence on the infected system, the malware installs a Visual Basic Script (VBS) in the Startup folder, ensuring it runs on system boot. The malware also uses obfuscation techniques to hinder analysis and detection. Finally, the stolen data is exfiltrated via SMTP email and the malware communicates with a command and control (C2) server to receive further instructions or updates. Indicators of compromise include specific file hashes and an IP address associated with the C2 infrastructure. Although no CVE or known exploits in the wild are reported, the campaign's use of process hollowing, persistence mechanisms, and data exfiltration techniques make it a notable threat.

Detailed information about Spear Phishing Campaign Delivers VIP Keylogger via Email Attachment. Get real-time updates, technical details, and mitigation strateg

Spear Phishing Campaign Delivers VIP Keylogger via Email Attachment - Live Threat Intelligence - Threat Radar | OffSeq.com

Spear Phishing Campaign Delivers VIP Keylogger via Email Attachment

A sophisticated variant of the Masslogger credential stealer malware has been identified spreading through .VBE files. This multi-stage fileless malware heavily relies on Windows Registry to store and execute its malicious payload. The infection begins with a .VBE file, likely distributed via spam email or drive-by downloads. The malware sets up registry keys for storing commands, stager configurations, and the final payload. It establishes persistence through a scheduled task and uses techniques to simulate user input. The malware employs multiple stagers to decode and load the final Masslogger payload, which is injected into the AddInProcess32.exe process. The payload targets multiple web browsers and email clients to steal credentials and sensitive information, with capabilities including keylogging, screen capture, and data exfiltration via FTP, SMTP, or Telegram.

The Masslogger Fileless Variant is an advanced form of the Masslogger credential stealer malware that propagates primarily through malicious .VBE (VBScript Encoded) files. These files are typically distributed via spam emails or drive-by download attacks, exploiting user interaction or social engineering to initiate infection. Unlike traditional malware that relies on executable files, this variant operates in a fileless manner, leveraging Windows Registry keys to store and execute its payload, thereby evading conventional file-based detection mechanisms. The infection chain is multi-staged: initially, the .VBE file executes and sets up registry keys that contain encoded commands, stager configurations, and the final payload. Persistence is achieved by creating scheduled tasks, ensuring the malware remains active across system reboots. The malware also employs techniques to simulate user input, which can help bypass certain security controls or user activity monitoring. The final Masslogger payload is loaded through multiple decoding stagers and is injected into the legitimate Windows process AddInProcess32.exe via process hollowing, a technique that replaces the memory of a legitimate process with malicious code to evade detection. Once active, the payload targets a broad range of web browsers and email clients to harvest credentials and sensitive data. Its capabilities include keylogging, screen capturing, and exfiltration of stolen data using various protocols such as FTP, SMTP, and Telegram messaging. The use of multiple exfiltration channels increases the likelihood of successful data theft even if some communication paths are blocked. The malware’s reliance on registry-based storage and fileless execution complicates detection and remediation efforts, as traditional antivirus solutions may not easily identify its presence. The campaign does not currently have known exploits in the wild beyond the initial infection vector and lacks a CVE identifier, but its sophisticated techniques and credential theft capabilities pose a significant threat to targeted environments.

Detailed information about Masslogger Fileless Variant – Spreads via .VBE, Hides in Registry. Get real-time updates, technical details, and mitigation strategie

Masslogger Fileless Variant – Spreads via .VBE, Hides in Registry - Live Threat Intelligence - Threat Radar | OffSeq.com

Masslogger Fileless Variant – Spreads via .VBE, Hides in Registry

Hive0131 is conducting email campaigns targeting users in Colombia with fake electronic notifications of criminal proceedings, purportedly from The Judiciary of Colombia. The campaigns deliver DCRat, a banking trojan operated as Malware-as-a-Service, through embedded links or PDF lures. DCRat's presence has increased in Latin America since 2024. The infection chain involves downloading a loader called VMDetectLoader, which uses process hollowing to inject DCRat into memory. VMDetectLoader can detect virtual machines and create persistence through scheduled tasks or registry keys. DCRat has various capabilities including recording victims, file manipulation, and keystroke logging. IBM X-Force assesses that Latin America will continue facing targeting from actors deploying banking trojans via phishing campaigns.

The threat involves a sophisticated phishing campaign conducted by the threat actor Hive0131, primarily targeting users in Colombia with fake electronic notifications purportedly from The Judiciary of Colombia. These phishing emails contain embedded links or PDF attachments designed to lure victims into downloading a loader named VMDetectLoader. This loader employs advanced evasion techniques, including virtual machine detection to avoid sandbox analysis, and uses process hollowing to inject the DCRat banking trojan directly into memory. This in-memory injection minimizes the malware's disk footprint, helping it evade traditional antivirus detection. VMDetectLoader also establishes persistence on infected systems through scheduled tasks or registry key modifications. DCRat itself is a Malware-as-a-Service (MaaS) banking trojan with a broad range of capabilities such as keystroke logging, file manipulation, and recording victim activity, enabling attackers to steal sensitive financial credentials and other confidential information. The infection chain leverages multiple MITRE ATT&CK techniques including T1566 (phishing), T1055 (process hollowing), T1547 (persistence), and T1056 (input capture), indicating a multi-stage, sophisticated attack. Although currently focused on Latin America, particularly Colombia, the modularity and MaaS model of DCRat suggest potential for expansion to other regions. Indicators of compromise include specific malicious domains (e.g., feb18.freeddns.org) and file hashes associated with the loader and trojan components. No known public exploits exist, but the campaign’s reliance on social engineering and evasion techniques makes it a persistent and evolving threat vector.

Detailed information about Threat Analysis: DCRat presence growing in Latin America. Get real-time updates, technical details, and mitigation strategies.

Threat Analysis: DCRat presence growing in Latin America - Live Threat Intelligence - Threat Radar | OffSeq.com

Threat Analysis: DCRat presence growing in Latin America

A new PowerShell-based shellcode loader has been discovered, designed to execute a variant of Remcos RAT. The attack chain begins with malicious LNK files in ZIP archives, using mshta.exe for initial execution. The loader employs fileless techniques, executing code directly in memory to evade traditional defenses. It leverages Windows APIs to allocate memory and execute binary code. The Remcos RAT provides full system control, featuring keylogging, screen capture, and credential theft capabilities. It uses advanced evasion techniques like process hollowing and UAC bypass. The malware establishes persistence through registry modifications and connects to a command and control server over TLS. This sophisticated attack emphasizes the need for behavioral analytics and proactive security measures to detect and mitigate such stealthy threats.

This threat involves a sophisticated fileless malware attack leveraging PowerShell to load and execute shellcode directly in memory, thereby bypassing traditional file-based detection mechanisms. The attack initiates via malicious LNK shortcut files embedded within ZIP archives, which when opened, trigger mshta.exe to execute the initial payload. The PowerShell-based loader then uses Windows API calls to allocate memory and execute binary code without writing files to disk, significantly enhancing stealth. The payload is a variant of Remcos RAT, a remote access trojan that grants attackers full control over the compromised system. Remcos RAT capabilities include keylogging, screen capture, credential theft, and other espionage functions. It employs advanced evasion techniques such as process hollowing—injecting malicious code into legitimate processes—and User Account Control (UAC) bypass to escalate privileges without user consent. Persistence is achieved through registry modifications, ensuring the malware survives system reboots. Communication with the command and control (C2) server is conducted over encrypted TLS channels, complicating network detection. This attack chain exemplifies modern threat actor tactics that emphasize stealth, memory-resident execution, and multi-layered evasion, making detection and mitigation challenging without behavioral analytics and endpoint detection and response (EDR) solutions capable of monitoring in-memory activities and anomalous process behaviors.

Detailed information about Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT. Get real-time updates, technical details, and mitigation s

Title	Severity	Type	Source	Date

Threats Tagged 'process hollowing'

Filter Threats

Threats Tagged 'process hollowing'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility