Threat Intelligence Archives

Threat Intelligence

₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware

December 1, 2022

Callum Roxan, Paul Rascagneres, and Robert Jan Mora

Over the last few months, Volexity has observed new activity tied to a North Korean threat actor it tracks that is widely referred to as the Lazarus Group. This activity […]

Threat Intelligence

Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925

August 10, 2022

Volexity Threat Research

[Note: Volexity has reported all findings in this post to Zimbra. Where an existing contact was known, Volexity has notified local CERTs of compromised Zimbra instances in their constituency. The […]

Threat Intelligence

SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”

July 28, 2022

Paul Rascagneres, Tom Lancaster, and Volexity Threat Research

Volexity tracks a variety of threat actors to provide unique insights and actionable information to its Threat Intelligence customers. One frequently encountered—that often results in forensics investigations on compromised systems—is […]

Threat Intelligence

DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach

June 15, 2022

Steven Adair, Tom Lancaster, and Volexity Threat Research

Volexity frequently works with individuals and organizations heavily targeted by sophisticated, motivated, and well-equipped threat actors from around the world. Some of these individuals or organizations are attacked infrequently or […]

Threat Intelligence

Zero-Day Exploitation of Atlassian Confluence

June 2, 2022

Andrew Case, Sean Koessel, Steven Adair, Tom Lancaster, and Volexity Threat Research

UPDATE: On June 3, 2022, Atlassian updated its security advisory with new information regarding a fix for Confluence Server and Data Center to address CVE-2022-26134. Users are encouraged to update immediately to […]

Threat Intelligence

Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS

March 22, 2022

Damien Cash, Steven Adair, and Tom Lancaster

In late 2021, Volexity discovered an intrusion in an environment monitored as part of its Network Security Monitoring service. Volexity detected a system running frp, otherwise known as fast reverse […]

Threat Intelligence

Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra

February 3, 2022

Steven Adair and Tom Lancaster

[UPDATE] On February 4, 2022, Zimbra provided an update regarding this zero-day exploit vulnerability and reported that a hotfix for 8.8.15 P30 would be available on February 5, 2022. This vulnerability […]

Threat Intelligence

XE Group – Exposed: 8 Years of Hacking & Card Skimming for Profit

December 7, 2021

Volexity Threat Research

In 2020 and 2021, Volexity identified multiple compromises related to a relatively unknown criminal threat actor that refers to itself as “XE Group”. Volexity believes that XE Group is likely […]

Threat Intelligence

North Korean BLUELIGHT Special: InkySquid Deploys RokRAT

August 24, 2021

Damien Cash, Josh Grunzweig, Steven Adair, and Tom Lancaster

In a recent blog post, Volexity disclosed details on a portion of the operations by a North Korean threat actor it tracks as InkySquid. This threat actor compromised a news […]

Threat Intelligence

North Korean APT InkySquid Infects Victims Using Browser Exploits

August 17, 2021

Damien Cash, Josh Grunzweig, Matthew Meltzer, Steven Adair, and Tom Lancaster

Volexity recently investigated a strategic web compromise (SWC) of the website of the Daily NK (www.dailynk[.]com), a South Korean online newspaper that focuses on issues relating to North Korea. Malicious […]