Category
On 2021-12-23 the Fortgale team identified a massive exploitation campaign targeting VMware Horizon deployments. The attack chain consists of Log4Shell (CVE-2021-44228) exploitation followed by deployment of a backdoor inside the corporate Horizon servers — granting persistent Remote Command Execution (T1190 — Exploit Public-Facing Application). The threat actor executes a PowerShell command (T1059.001) to interact with … Read more
During the first weeks of December 2021 we observed attacks targeting the Apache Log4j library. On 2021-12-12, an official security advisory disclosed a critical Remote Command Execution vulnerability — CVE-2021-44228 (T1190 — Exploit Public-Facing Application). Any vulnerable system exposed to the public network is to be considered compromised given the volume of mass-exploitation activity observed … Read more
Agent Tesla is a spyware that exfiltrates information from victim systems by capturing keystrokes and user actions (T1056.001 — Keylogging). Built on the .NET framework, it transmits stolen data to a command-and-control (C2) server. Agent Tesla extracts credentials and stored data from web browsers, email clients, and FTP clients (T1555.003 — Credentials from Web Browsers, … Read more
In recent days we observed a series of attacks targeting e-commerce platforms running the Nginx web server. Researchers identified, during an investigation into a CronRAT malware compromise, the execution of a previously undocumented malware family — NginRAT — which evades the leading security solutions by injecting its own code into legitimate Nginx worker processes (T1055.012 … Read more
Zero-day vulnerability in Windows Installer enabling local privilege escalation: exploitation techniques, public PoC analysis and mitigation paths.
APT28 (Fancy Bear) Gmail phishing operation: lookalike domains, OAuth abuse, credential harvesting and target profiles consistent with Russian GRU TTPs.
Cybercriminal abuse of Windows 10 features for callback-based malware delivery: phone-based social engineering, lure templates and detection considerations.
HTML Smuggling: payload assembly client-side from JavaScript-encoded blobs, perimeter-bypass mechanics and detection considerations for email and web gateways.
Extortion-only intrusions skipping the encryption stage: rapid data theft, leak-site coercion, response time pressure and detection priorities for security teams.
