Cyentia Cybersecurity Research Library
  • Sources
  • Tags
  • About
  • Sponsors
  • More from Cyentia

Backdoor

Below you will find reports with the tag of “Backdoor”

image from Anatomy Of An Attack: Iranian Nation State Interdiction

Anatomy Of An Attack: Iranian Nation State Interdiction

This report offers deep insight into the threat actor known as Oilrig.

Added: February 6, 2019
image from APT Group Profile: OilRig

APT Group Profile: OilRig

This report offers insight into OilRig an Iranian-linked Advanced Persistent Threat. It discusses who they are and why you should care.

(more available)
Added: January 25, 2019
image from 2017 Most Notable Hackers

2017 Most Notable Hackers

In 2017 we saw a measurable increase in cyber attacks executed by State sponsored hacking groups and APT’s. The Top 5 Threat Actors highlighted in this report carried out some of the most notable and financially devastating attacks of 2017 and are likely sponsored by nation-states. Cyber-attacks have become, and will continue to be, key elements of twenty-first century political warfare and terrorism. We believe that the use of cyber terror and other state sponsored attacks will increase in 2018 after it’s success in 2017.

(more available)
Added: January 25, 2019
image from The Rise Of State-Sponsored Attacks Against The Financial Services Industry

The Rise Of State-Sponsored Attacks Against The Financial Services Industry

This report posits the opinion that state-sponsored cybercrime is the fastest growing threat in cybersecurity. They discuss how usually state sponsored groups attack other governments and militaries, but in the last few years they are starting to see more activity directed towards the financial sector.

(more available)
Added: January 25, 2019
image from Is The AI Hype Putting Businesses At Risk?

Is The AI Hype Putting Businesses At Risk?

From the report, “In this paper, we discuss that while ML has proven to be a powerful tool in detecting malware for many years, the reality is that true AI does not yet exist. The marketing tricks of next-gen vendors are simply making matters all the more confusing for IT decision makers who need to build robust cyber security defences at a time when the threat landscape is becoming all the more precarious.”

(more available)
Added: January 15, 2019
image from Morphisec Labs Threat Report: December 2018

Morphisec Labs Threat Report: December 2018

This Morphisec Labs Threat Report is based on anonymized threat data collected from approximately 2,000,000 installed Morphisec endpoint agents as well as in-depth investigations conducted by Morphisec researchers. It includes observations about trends in the wider security landscape together with analyses of the tactics and techniques used by malicious actors.

(more available)
Added: January 15, 2019
image from 2018 State Of The Software Supply Chain

2018 State Of The Software Supply Chain

Sonatype’s 4th annual report on managing open source components to accelerate innovation.

Added: January 15, 2019
image from The SpyRATs of OceanLotus

The SpyRATs of OceanLotus

This paper takes a look at several bespoke backdoors deployed by OceanLotus Group, as well as evidence of the threat actor using obfuscated CobaltStrik Beacon payloads to perform C2.

(more available)
Added: December 29, 2018
image from McAfee Labs Threats Report - December 2018

McAfee Labs Threats Report - December 2018

This report provides insight into the top stories from the third quarter of 2018.

Added: December 29, 2018
image from Operation Sharpshooter

Operation Sharpshooter

This report takes a look at a new global campaign targeting nuclear, defense, energy, and financial companies.

Added: December 29, 2018
image from Cobalt Group

Cobalt Group

Fidelis Threat Research analysts have discovered a new version of ThreadKit, malware notorious for it’s use by the cybercrime organization known as Cobalt Group. This report will provide analysis of a recent campaign, seen October 30th , utilizing the Cobalt Group malware frameworks. Cobalt Group was believed to have suffered a hit earlier this year[1] with the reported arrest of one of its members. After the arrest, the campaigns appear to have slowed significantly however despite this, there has been continued development concerning the groups malware framework.

(more available)
Added: December 14, 2018
image from Email and Internet Voting: The Overlooked Threat To Election Security

Email and Internet Voting: The Overlooked Threat To Election Security

This report reviews the research that has been conducted by the federal government concluding that secure online voting is not yet feasible. We examine the insoluble security problems that are inherent to casting ballots online, including server penetration attacks, client-device malware, attacks to emailed and faxed ballots in transit, denial-of-service attacks, disruption attacks and the challenge to reliably authenticate voters.

(more available)
Added: November 20, 2018
image from Threat Actors Target Government of Belarus Using CMSTAR Trojan

Threat Actors Target Government of Belarus Using CMSTAR Trojan

Palo Alto Networks Unit 42 has identified a series of phishing emails containing updated versions of the previously discussed CMSTAR malware family targeting various government entities in the country of Belarus. We first reported on CMSTAR in spear phishing attacks in spring of 2015 and later in 2016. In this latest campaign, we observed a total of 20 unique emails between June and August of this year that included two new variants of the CMSTAR Downloader. We also discovered two previously unknown payloads. These payloads contained backdoors that we have named BYEBY and PYLOT respectively.

(more available)
Added: November 15, 2018
image from OilRig Deploys "ALMA Communicator" – DNS Tunneling Trojan

OilRig Deploys "ALMA Communicator" – DNS Tunneling Trojan

Unit 42 has been closely tracking the OilRig threat group since May 2016. One technique we’ve been tracking with this threat group is their use of the Clayslide delivery document as attachments to spear-phishing emails in attacks since May 2016. In our April 2017 posting OilRig Actors Provide a Glimpse into Development and Testing Effortswe showed how we observed the OilRig threat group developing and refining these Clayside delivery documents.

(more available)
Added: November 15, 2018
image from Magic Hound Campaign Attacks Saudi Targets

Magic Hound Campaign Attacks Saudi Targets

Unit 42 has discovered a persistent attack campaign operating primarily in the Middle East dating back to at least mid-2016 which we have named Magic Hound. This appears to be an attack campaign focused on espionage. We were able to collect over fifty samples of the tools used by the Magic Hound campaign using the AutoFocus threat intelligence tool. The earliest malware sample we were able to collect had a compile timestamp in May 2016. The samples themselves ranged from IRC bots, an open source Python remote access tool, malicious macros, and others. It is believed the use of specific tools may have coincided with specific attack waves by this adversary, with the most recent attacks using weaponized Microsoft Office documents with malicious macros. Due to the large amount of data collected, and limitations on attack telemetry, this blog will focus primarily on the most recent attacks occurring in the latter half of 2016.

(more available)
Added: November 15, 2018
image from The Gamaredon Group Toolset Evolution

The Gamaredon Group Toolset Evolution

Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013.

(more available)
Added: November 15, 2018
image from DragonOK Updates Toolset and Targets Multiple Geographic Regions

DragonOK Updates Toolset and Targets Multiple Geographic Regions

The DragonOK group has been actively launching attacks for years. We first discussed them in April 2015 when we witnessed them targeting a number of organizations in Japan. In recent months, Unit 42 has observed a number of attacks that we attribute to this group. Multiple new variants of the previously discussed sysget malware family have been observed in use by DragonOK. Sysget malware was delivered both directly via phishing emails, as well as in Rich Text Format (RTF) documents exploiting the CVE-2015-1641 vulnerability (patched in MS15-033) that in turn leveraged a very unique shellcode. Additionally, we have observed instances of the IsSpace and TidePool malware families being delivered via the same techniques. While Japan is still the most heavily targeted geographic region by this particular actor, we also observed instances where individuals or organizations in Taiwan, Tibet, and Russia also may have been targeted.

(more available)
Added: November 15, 2018
image from KingSlayer - A Supply Chain Attack

KingSlayer - A Supply Chain Attack

In this Kingslayer post-mortem report, RSA Research describes a sophisticated software application supply chain attack that may have otherwise gone unnoticed by its targets.

(more available)
Added: November 15, 2018
image from Lazarus Under The Hood

Lazarus Under The Hood

This paper is the result of forensic investigations by Kaspersky Lab at banks in two countries far apart. It reveals new modules used by Lazarus group and strongly links the tools used to attack systems supporting SWIFT to the Lazarus Group’s arsenal of lateral movement tools.

(more available)
Added: November 15, 2018
image from Introducing WhiteBear

Introducing WhiteBear

“As a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update in mid-February 2017 on some interesting APT activity that we called WhiteBear. Much of the contents of that report are reproduced here. WhiteBear is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private intelligence report “Skipper Turla – the White Atlas framework” from mid-2016. Like previous Turla activity, WhiteBear leverages compromised websites and hijacked satellite connections for command and control (C2) infrastructure. As a matter of fact, WhiteBear infrastructure has overlap with other Turla campaigns, like those deploying Kopiluwak, as documented in “KopiLuwak – A New JavaScript Payload from Turla” in December 2016. WhiteBear infected systems maintained a dropper (which was typically signed) as well as a complex malicious platform which was always preceded by WhiteAtlas module deployment attempts. However, despite the similarities to previous Turla campaigns, we believe that WhiteBear is a distinct project with a separate focus. We note that this observation of delineated target focus, tooling, and project context is an interesting one that also can be repeated across broadly labeled Turla and Sofacy activity.”

(more available)
Added: November 15, 2018
image from Evidence Aurora Operation Still Active Part 2: More Ties Uncovered Between CCleaner Hack & Chinese Hackers

Evidence Aurora Operation Still Active Part 2: More Ties Uncovered Between CCleaner Hack & Chinese Hackers

This blog post continues discussion about the CCleaner supply chain attack.

Added: November 15, 2018
  • ««
  • «
  • 1
  • 2
  • 3
  • 4
  • 5
  • »
  • »»
© Cyentia Institute 2025
Library updated: July 1, 2025 12:08 UTC (build b1d7be4)