DeathStalker APT

Posted: October 19, 2020 | Category: Advanced Persistent Threat (APT)
Advanced Persistent Threat (APT) actors often rely on extortion techniques to monetize their campaigns. Modern organizations of this sort often employ ransomware modules or data theft malware to get their victims to pay some money. However, there are some exceptions to this rule, like the DeathStalker APT. This organization's campaigns were analyzed and connected properly only recently, and researchers believe that the group's first attacks might date back to 2012. However, the most notable...

RAINBOWMIX

Posted: October 19, 2020 | Category: Adware
RAINBOWMIX is the name cybersecurity researchers have given to a new Android advertising-fraud campaign, which is believed to be executed with the help of over 240 fake Android applications. Often, the bogus applications used to be disguised as emulators for popular games from the past. Cybersecurity experts estimate that the fake applications might have been installed over 14 million times, therefore turning the RAINBOWMIX campaign into one of the largest advertising-fraud operations to...

Deeptakken.pro

Posted: October 16, 2020 | Category: Browser Hijackers
For many years, fake online video players were used to promote dubious software updates that often delivered malware, adware or Potentially Unwanted Programs (PUPs). Nowadays, con artists are appropriating the same tactic, but this time they do not ask the users to download a dodgy file – instead, they tell them to click 'Allow' to enable video playback. This tactic can be found on Deeptakken.pro and many similar websites, which want to trick visitors into enabling the shady Web page's...

Oritychiev.top

Posted: October 16, 2020 | Category: Browser Hijackers
Oritychiev.top is a fraudulent page designed to hijack browser notifications with the assistance of misleading messages and pop-ups. Users may come across the Oritychiev.top messages while browsing shady websites. According to the prompts Oritychiev.top shows, users need to click 'Allow' to verify their identity and confirm they are not a robot – a mandatory step users must complete to continue browsing. However, all of this is fake, and clicking the 'Allow' button will subscribe you to...

Clickstars.xyz

Posted: October 16, 2020 | Category: Browser Hijackers
Clickstars.xyz is a deceptive site that does not have any entertainment in store for you. You may come across this page's fraudulent pop-ups while browsing shady websites. The goal of Clickstars.xyz's messages is to convince you to press 'Allow' to confirm you are not a robot. However, performing this action will result in subscribing to Clickstars.xyz's notifications. This allows the website to use your browser notifications to deliver whatever content it wants. Needless to say, a page...

Doaboowa.com

Posted: October 16, 2020 | Category: Browser Hijackers
Browser notifications have become the primary target of low-level online con artists. By hijacking this important browser feature, they can get the ability to inject advertisements in your Web browser without your approval. The actual hijacking happens with the assistance of a bogus Web page like Doaboowa.com. This website displays fake messages urging the user to click 'Allow' to continue browsing or watching a piece of media. However, engaging with the 'Allow' button will end up enabling...

See_read_me Ransomware

Posted: October 16, 2020 | Category: Ransomware
The See_read_me Ransomware is a file-locking Trojan and variant of the Adhubllka Ransomware, which conducts similar, encryption-based attacks. Along with blocking files, it creates a text ransom note that promotes its TOR data-unlocking service and inserts new extensions into files' names. Appropriate backups will mitigate all data loss sufficiently, and cyber-security products can prevent infections or uninstall the See_read_me Ransomware. As a semi-noteworthy event in the threat...

Mmpa Ransomware

Posted: October 16, 2020 | Category: Ransomware
The Mmpa Ransomware is a file-locking Trojan that's part of the STOP Ransomware family. This Ransomware-as-a-Service may use illicit torrents or similar exploits to compromise Windows computers and block their files with its custom encryption. Since decryption solutions are limited, users should have backups secure for recovery and protect their systems with anti-malware services that can remove the Mmpa Ransomware. Windows systems have a new target on their backs from the campaign of the...

QueenOfHearts

Posted: October 16, 2020 | Category: Backdoors
The QueenOfHearts implant is very similar to KingOfHearts in terms of functionality, but it appeared on malware researchers' radar much later – around 2017. The threat continues to receive regular updates to enhance old features and introduce new functionality, even in 2020. As for features, it matches the ones of the KingOfHearts implant with one exclusion – it does not bear a 3rd-party library to take and transfer screenshots. The communication channel the QueenOfHearts uses to contact...

QueenOfClubs

Posted: October 16, 2020 | Category: Backdoors
The QueenOfClubs is yet another payload used by the same criminal group behind the SLOTHFULMEDIA malware. The QueenOfClubs also shares many similarities with QueenOfHearts and KingOfHearts malware samples, but there are also some drastic differences, which make the QueenOfClubs more suitable for specific situations. In terms of functionality, the QueenOfClubs backdoor Trojan can: Use the 'Windows Command Prompt' to execute remote commands. Load custom PowerShell scripts – an...

KingOfHearts

Posted: October 16, 2020 | Category: Backdoors
The KingOfHearts malware is a backdoor Trojan written in C++. Its development and usage are attributed to the group of criminals responsible for the SLOTHFULMEDIA RAT, which was reported in the first days of October 2020. The KingOfHearts malware, however, is by no means new. The earliest artifacts linked to its activity are from 2014, and it has undergone significant updates since then. The threat is spread with the assistance of spear-phishing emails containing corrupted Microsoft...

FIN11 APT

Posted: October 16, 2020 | Category: Advanced Persistent Threat (APT)
The FIN11 APT is a threat actor believed to have been active for over four years. The first traces of its campaigns date back to 2016, but they significantly ramped up the range and frequency of their operations between 2017 and 2018. The targets of FIN11 APT are very diverse, but the majority of them are concentrated in the retail, hospitality and financial sectors. The group operates all over the world. While they do not use state-of-the-art implants and exploits, they make up for this...

H1N1 Loader

Posted: October 16, 2020 | Category: Downloaders
H1N1 is a piece of malware that first emerged online in 2015. Back then, it appeared to have one sole purpose: introducing additional malware to the compromised host. However, the H1N1 Loader kept on receiving updates aiming to extend its functionality and introduce new features like an info-collecting module that can obtain data from compromised systems. The H1N1 Loader has been used in combination with notorious malware families such as the Pony Botnet and Vawtrak. Apart from loading...

Belighterservice.com

Posted: October 15, 2020 | Category: Browser Hijackers
Belighterservice.com is a fake Web page that tries to gain access to your browser notifications. It does this with the help of misleading pop-ups, which try to convince visitors to press 'Allow' to confirm they are not robots. However, performing this action will result in different consequences – it will subscribe you to the Belighterservice.com notifications and grant the page permissions to use this browser feature. Seeing Belighterservice.com's notifications whenever you use your...

'MS-Windows Support Alert' Pop-Up Scam

Posted: October 15, 2020 | Category: Adware
The 'MS-Windows Support Alert' pop-up scam is a classic example of a technical support tactic, which tries to take money or financial details from victims. The page may be hosted on a wide range of domains, and it is often promoted via ads shown by shady pages linked to pirated software and games, adult media, gambling, etc. The 'MS-Windows Support Alert' Pop-Ups try to convince users that their computers have been locked temporarily because of suspicious behavior, and they need to make a...

Hgreatent.top

Posted: October 15, 2020 | Category: Browser Hijackers
The page at Hgreatent.top hosts a primary tactic, which is not considered to be harmful. However, users who fall for it may end up experiencing a minor annoyance caused by an overwhelming number of notifications showing in their Web browser. The source of the notifications is Hgreatent.top, and this page will focus on displaying advertisements of all sorts, which may sometimes end up leading users to deceptive websites, services, and products. The Hgreatent.top notifications should be...

Radforwardstanly.com

Posted: October 15, 2020 | Category: Browser Hijackers
Many websites ask visitors to verify their identity or confirm they are not robots, but many users may be unaware that not all of these prompts are legitimate. Deceptive websites like Radforwardstanly.com abuse this common prompt to trick visitors into subscribing to intrusive and misleading browser notifications. If you see notifications from Radforwardstanly.com whenever you browse the Web, then you have probably fallen for the tactic described above. The good news is that...

Myfreshposts.com

Posted: October 15, 2020 | Category: Browser Hijackers
Myfreshposts.com is a misleading page that tries to gain access to your Web browser notifications by using warnings and pop-ups with deceptive content. Myfreshposts.com may ask users to click 'Allow' to view an embedded video, but they will not end up accessing any content if they perform this action. Instead, they will simply enable Myfreshposts.com's notifications. Seeing notifications from random websites like Myfreshposts.com is not unsafe, but it is not something you will enjoy. The...

EKING Ransomware

Posted: October 15, 2020 | Category: Ransomware
The EKING Ransomware is a file-locking Trojan that's a variant of the Phobos Ransomware. The EKING Ransomware uses a custom encryption method for blocking media on the PC while also deleting backups and disabling associated security or file management tools. Users with secure backups on other devices should have no recovery issues, and cyber-security products should counteract attacks and remove the Trojan. Macros and other 'advanced' document or spreadsheet content tend to figure in...

SnatchLoader

Posted: October 15, 2020 | Category: Malware
The SnatchLoader is a piece of malware that first surfaced in 2017, and since then, the developers behind it have released several updates aimed at enhancing the payload's features and covertness. The purpose of SnatchLoader is to infect a computer and then deliver a secondary payload based on the operators' instructions. The malware makes use of a basic geo-IP blocking feature, which allows it to filter out its victims based on their geographical location. Usually, malware using this feature...