21 min
Incident Response
BlackSuit Continues Social Engineering Attacks in Wake of Black Basta’s Internal Conflict
Despite a significant decrease in social engineering attacks linked to the Black Basta ransomware group since late December 2024, Rapid7 has observed sustained social engineering attacks. Evidence suggests that BlackSuit affiliates have either adopted Black Basta’s strategy or absorbed its members.
14 min
Research
NSIS Abuse and sRDI Shellcode: Anatomy of the Winos 4.0 Campaign
Rapid7 has been tracking a malware campaign that uses fake software installers disguised as popular apps like VPN and QQBrowser to deliver Winos v4.0, a hard-to-detect malware that runs entirely in memory and gives attackers remote access.
10 min
Malware
Modular Java Backdoor Dropped in Cleo Exploitation Campaign
While investigating incidents related to Cleo software exploitation, Rapid7 Labs and the MDR team discovered a novel, multi-stage attack that deploys an encoded Java Archive (JAR) payload.
18 min
Incident Response
Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware
Beginning in early October, Rapid7 has observed a resurgence of activity related to the ongoing social engineering campaign being conducted by Black Basta ransomware operators.
4 min
Artificial Intelligence
Why Cybercriminals Are Not Necessarily Embracing AI
The rapid advancement of AI has offered powerful tools for malware detection, but it has also introduced new avenues for adversarial attacks.
9 min
Research
New “CleverSoar” Installer Targets Chinese and Vietnamese Users
In early November, Rapid7 Labs identified a new, highly evasive malware installer, 'CleverSoar,' targeting Chinese and Vietnamese-speaking victims.
7 min
Malware
A Bag of RATs: VenomRAT vs. AsyncRAT
Remote access tools (RATs) have long been a favorite tool for cyber attackers, since they enable remote control over compromised systems and facilitate data theft, espionage, and continuous monitoring of victims. Among the well-known RATs are VenomRAT and AsyncRAT.
5 min
Malware
LodaRAT: Established Malware, New Victim Patterns
Rapid7 has observed an ongoing malware campaign involving a new version of LodaRAT. This version possesses the ability to steal cookies and passwords from Microsoft Edge and Brave.
9 min
Malware
Malware Campaign Lures Users With Fake W2 Form
Rapid7 has recently observed an ongoing campaign targeting users searching for W2 forms using the Microsoft search engine Bing.
15 min
Managed Detection and Response (MDR)
Ongoing Malvertising Campaign Leads to Ransomware
Rapid7 has observed an ongoing campaign to distribute trojanized installers for WinSCP and PuTTY via malicious ads on commonly used search engines, where clicking on the ad leads to typosquatted domains.
7 min
Research
Stories from the SOC Part 2: MSIX Installer Utilizes Telegram Bot to Execute IDAT Loader
In part one of our blog series, we discussed how a Rust-based application was used to download and execute the IDAT Loader. In part two of this series, we will be providing analysis of how an MSIX installer led to the download and execution of the IDAT Loader.
10 min
Malware
Stories from the SOC Part 1: IDAT Loader to BruteRatel
Rapid7’s Managed Detection and Response (MDR) team continuously monitors our customers' environments, identifying emerging threats and developing new detections.
7 min
Velociraptor
How To Hunt For UEFI Malware Using Velociraptor
UEFI threats have historically been limited in number and mostly implemented by nation state actors as stealthy persistence. However, the recent proliferation of Black Lotus on the dark web, Trickbot enumeration module (late 2022), and Glupteba (November 2023) indicates that this historical trend may be changing. With this context, it is becoming important for security practitioners to understand visibility and collection capabilities for UEFI threats.
3 min
Threat Intel
Network Access for Sale: Protect Your Organization Against This Growing Threat
Vulnerable network access points are a potential gold mine for threat actors. We look at the techniques they use and best practices for prevention.
12 min
Malware
Infostealer Malware Masquerades as Windows Application
Rapid7's Managed Detection and Response (MDR) team recently identified a malware campaign whose payload installs itself as a Windows application.