Thanks for comming researcher

Lastest Posts:

post @ 2022-04-24


SilentBuilder is a campaign that is being used to launch bankers such as Emotet to increase the Epoch5 botnet as well as the usual tasks of this malware. The similarities between other loaders that launch Emotet and that, once the banker is in our computer, tries to contact C&C, we could understand that this is a typical modus operandi of the criminal group Mummy Spider or TA542.

Read More
post @ 2022-03-16


SysJoker is a backdoor which appeare for the first time at the beginning of 2022 whose power resides in being cross-platform. Its main objective is to install itself in our computer and perform espionage and/or data theft tasks. Currently it has not yet been attributed to any group or campaign.

Read More
OperationLayover | TA2541 in SNIP3 campaign

_OperationLayover | TA2541 in SNIP3 campaign

OperationLayover also called TA2541 is a group that uses SNIP3 loader to attack targets related to the transport, aviation, and travel sectors around the world. A group that first appeared in 2013. Using Malware-as-a-service and Cryper-as-a-service Malware campaign models to attack their opponents, using these models have orchestrated and constantly updated executions. The group is originate from Nigeria, as a large number of VPNs have been seen being used from this country to launch attacks. Their main motivation is information theft and espionage by performing various exfiltration methods.


Read More
post @ 2021-11-01


RagnarLocker is a Ransomware normally associated with the group Viking Spider whose InitialAccess is varied, but as usual, they perform direct attacks trying to exploit systems or after the abuse of legitimate applications or by implanting malware inside these, after these movements, the most common is to gain maximum access and control within the attacked company to encrypt as many computers as possible.

Read More
post @ 2021-10-28
NanoCore RAT


NanoCore is a RAT (Remote Admin Tool) used by cybercriminal groups such as APT33 (Refined Kitten) whose InitialAccess is varied, although it has been most commonly used through fake emails with .zipx extensions or with fake formats, which is commonly called phishing (T1566) or in this case, since it contains a file in the email and its objective is execution on disk to go further, it would be more accurate to call it Spearphishing (T1566.001).

The main potential of NanoCore is usually minning or steal data from the computer and user once it has gained access to the disk, but once it is inside, it could perform any action from the outside, and, of course it depends of version.

To this analysis, I have divided into two parts, which is usually a common practice in which we observe first statically everything we can get in the shortest possible time and then a dynamic in which we will see how it behaves, although, we will lose information if we do not monitor properly or not debug.

Read More
post @ 2021-05-09
Babuk | Babyk

_Babuk | Babyk Ransomware

One of the biggest current threats in terms of cybersecurity and the one that most concerns companies today is the Ransomware attack, its power be on encrypting as much as posible, regarding some exclusions and try to expand into a company to do as much damage as possible and request a ransom based on extortion. Babuk a ransomware with a short lifespan, is the first one in 2021.

Distinguished by a little perfected behaviour, it has already appeared in some companies, requesting for ransoms, like all the previous Ransomwares.

An example of this is the attack to Serco and PhoneHouse, in which, after cypher computers, they requested near 100.000$ through Bitcoin, the extorsión tryies to publicy sensitive and privacy content about clients, something that would cause any company to lose customers

Read More