PDFChampions YAPA Browser Hijacker/Loader Analysis
TL;DR PDFChampions is a YAPA Browser Hijacker, delivered via ads, that changes the browser's default search engine and also functions as a loader. Tactical Pause THE CONTENT, VIEWS, AND OPINIONS…
Da Samala Tech blogs on malware and stuffs
TL;DR ConvertyFile is a browser hijacker, delivered via ads, that changes the browser’s default search engine. Tactical Pause THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN…
TL;DR Convert Master is a browser hijacker, delivered via ads, that changes the browser's default search engine – and I’ve observed it using a redirector for the “Retro Revive” fake…
TL;DR This documents a Teams transcript download page lure that delivers GoTo RMM. Tactical Pause THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN AND DO NOT…
TL;DR This documents a YouTube-themed Career Phishing campaign that I assess is likely related to PoisonSeed. Tactical Pause THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN…
TL;DR Oyster malware delivery via MS Teams Fake App. Tactical Pause THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN AND DO NOT REFLECT THOSE OF MY…
TL;DR This analysis documents how the Rhadamanthys malware sends a malformed DoH query with the Host field specified twice. It fails in Any Run tasks that have the MITM Proxy…
Intro This is the long form of my post from here: https://x.com/MalasadaTech/status/1924982337689027063. While browsing urlscan scan tasks, I found crypto-js.min.js usage for obfuscation linked to Tycoon and Storm1747 in Any…
XWORM is observed being distributed via Copy/Paste. XWORM C2 traffic uses a pattern that can be matched. Using Discord webhooks for C2 is not new, but it’s new to me.…
This documents hunting for delivery sites that connect to api.telegramorg, finding a malicious GoTo RMM, and developing masq-monitor and Snort/Suricata detections. Tactical Pause THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON…