Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

AWS Route 53 DNS Resolver Firewall

Source: Malware Patrol

Amazon Route 53 is a Domain Name System (DNS) service that connects user requests to Internet applications running on AWS or on-premises. Among the features this service offers is protection via the Route 53 Resolver DNS Firewall. It allows the use of AWS Managed Domain Lists, as well as custom Domain Lists (outside sources or your own). Read more.

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

Source: Security Intelligence

Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. Read more.

New Threat Insights Reveal That Cybercriminals Increasingly Target the Pharmacy Sector

Source: Proofpoint

At a taxonomy department level, “pharmacy” job roles advanced from the number 35 rank in the per-user attack index average in 2023 to the top spot in the per-user attack index average in Q1 2024. VIP job roles rank second, while finance services roles rank fourth. Read more.

New Antidot Android Banking Trojan Masquerading as Fake Google Play Updates

Source: CYBLE

Antidot incorporates a range of malicious features, including overlay attacks and keylogging, allowing it to compromise devices and harvest sensitive information. Read more.

Payload Trends in Malicious OneNote Samples

Source: UNIT42

Our analysis of roughly 6,000 malicious OneNote samples from WildFire reveals that these samples have a phishing-like theme where attackers use one or more images to lure people into clicking or interacting with OneNote files. The interaction then executes an embedded malicious payload. Read more.

Threat actors misusing Quick Assist in social engineering attacks leading to ransomware

Source: Microsoft Security

The observed activity begins with impersonation through voice phishing (vishing), followed by delivery of malicious tools, including remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, malware like Qakbot, Cobalt Strike, and ultimately Black Basta ransomware. Read more.

FBI seize BreachForums hacking forum used to leak stolen data


The website is now displaying a message stating that the FBI has taken control over it and the backend data, indicating that law enforcement seized both the site’s servers and domains. Read more.

Foxit PDF “Flawed Design” Exploitation


Check Point Research has identified an unusual pattern of behavior involving PDF exploitation, mainly targeting users of Foxit Reader. This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands. Check Point Research has observed variants of this exploit being actively utilized in the wild. Read more.

Hackers Use DNS Tunneling to Scan and Track Victims

Source: Infosecurity Magazine

“In this application of DNS tunneling, an attacker’s malware embeds information on a specific user and that user’s actions into a unique subdomain of a DNS query. This subdomain is the tunneling payload, and the DNS query for the fully qualified domain name (FQDN) uses an attacker-controlled domain,” the blog explained. Read more.

Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain

Source: welivesecurity

Among the victims are many hosting providers. The gang leverages its access to the hosting provider’s infrastructure to install Ebury on all the servers that are being rented by that provider. As an experiment, we rented a virtual server from one of the compromised hosting providers: Ebury was installed on our server within seven days. Read more.