One of the most commonly reported malware families nowadays is the Remote Access Trojan (RAT), with LodaRAT as a recent example. Written in AutoIt, LodaRAT's operators have not only abandoned their usual obfuscation techniques, but several functions have also been rewritten and new functionality has been added. Learn more about this malware and more in this batch of InfoSec articles.

For more articles, check out our #onpatrol4malware blog.

RampantKitten: An Iranian Surveillance Operation unraveled

Source: Checkpoint

Check Point Research has unraveled an ongoing surveillance operation by Iranian entities that has been targeting Iranian expats and dissidents for years. Read more.

New Snort, ClamAV coverage strikes back against Cobalt Strike

Source: Cisco Talos

Cisco Talos recently released a more granular set of updated Snort® and ClamAV® detection signatures to detect attempted obfuscation and data exfiltration via Cobalt Strike, a commercial penetration-testing toolkit that adversaries frequently repurpose for post-exploitation. Read more.


LokiBot Malware

Source: CISA

LokiBot—also known as Lokibot, Loki PWS, and Loki-bot—employs Trojan malware to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. Read more.

APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure

Source: Quointelligence

The malware used in this APT28 campaign was the Delphi version of Zebrocy. All of the artifacts had very low anti-virus (AV) detection rates on VirusTotal when they were first submitted. Read more.


Threat landscape for industrial automation systems. H1 2020

Source: Kaspersky

Kaspersky observed a downward trend in the percentage of attacked computers, both in ICS environments and in corporate and personal environments. Read more.

Federal Agency Compromised by Malicious Cyber Actor

Source: CISA

In coordination with the affected agency, CISA conducted an incident response engagement, confirming malicious activity. The following information is derived exclusively from the incident response engagement. Read more.

Microsoft Security — detecting empires in the cloud

Source: Microsoft

MSTIC observed GADOLINIUM evolving its tradecraft to use cloud services and open-source tools to enhance the weaponization of its malware payload, attempt to gain command and control all the way to the server, and evade detection. Read more.

German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed

Source: Amnesty

This report provides technical information on these recent FinSpy samples in order to aid the cybersecurity research community in further investigations. Read more.


LodaRAT Update: Alive and Well

Source: Cisco Talos

LodaRAT, a remote access trojan written in AutoIt, has had its usual obfuscation techniques abandoned; several functions have also been rewritten and new functionality has been added. Read more.


No Rest for the Wicked: Evilnum Unleashes Pyvil Rat

Source: Cybereason

Evilnum's operations appear to be highly targeted, with a focus on the FinTech market, abusing Know Your Customer (KYC) documents, the identity information that clients provide when business is undertaken, as lures. Read more.


MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA

Source: CISA

The malware variant, known as SlothfulMedia, has been used by a sophisticated cyber actor. CISA and CNMF are distributing this MAR to enable network defense and reduce exposure to malicious activity. Read more.