Analyzing Void Dokkaebi’s Cython-Compiled InvisibleFerret Malware
Void Dokkaebi, a North Korea-aligned intrusion set, has updated its information-stealing malware, InvisibleFerret, shifting its delivery format to evade script-based detections.
Stay ahead of threats with the latest on evasion techniques in infosec. Insights on how attackers bypass defenses and updates on countermeasures.
Search across headline titles and summaries.
Background for this topic.
Evasion is the deliberate concealment or modification of malicious code, commands, traffic, or behavior to bypass security controls and avoid detection. Common examples include code obfuscation, encrypted or rapidly changing payloads, abuse of trusted system tools, and disguising command-and-control traffic as ordinary network activity. It can target antivirus signatures, email and web filters, endpoint monitoring, or analysts investigating suspicious activity.
Successful evasion can reduce visibility, delay detection, and allow unauthorized activity to continue, although it may still leave behavioral or operational evidence. Mitigation should combine signature detection with behavior-based analytics and reliable endpoint, identity, and network telemetry. Restricting unnecessary scripting and administrative tools, applying application controls, and protecting centralized logs make abuse harder and preserve evidence. During investigations, examine process ancestry, unusual tool use, persistence changes, and deviations from expected user or host behavior rather than relying solely on file hashes or other easily changed indicators.
Weekly headline count for the current query.
Void Dokkaebi, a North Korea-aligned intrusion set, has updated its information-stealing malware, InvisibleFerret, shifting its delivery format to evade script-based detections.
Warlock continues to enhance its attack chain with new tactics to improve persistence, lateral movement, and defense evasion using an expanded toolset: TightVNC Yuze, and a persistent BYOVD technique leveraging the NSec driver.
Threat actors exploited Cloudflare's free-tier infrastructure and legitimate Python environments to deploy the AsyncRAT remote access trojan, demonstrating advanced evasion techniques that abuse trusted cloud services for malicious operations.
Crypto24 is a ransomware group that stealthily blends legitimate tools with custom malware, using advanced evasion techniques to bypass security and EDR technologies.
Trend Research analyzed SocGholish’s MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks.
In this blog entry, we uncovered a campaign that uses fake GitHub repositories to distribute SmartLoader, which is then used to deliver Lumma Stealer and other malicious payloads. The campaign leverages GitHub’s trusted reputation to evade detection, using AI-generated content to make fake repositories appear legitimate.
Our research shows how attackers use platforms like YouTube to spread fake installers via trusted hosting services, employing encryption to evade detection and steal sensitive browser data.
Notorious Mekotio and BBTok are having a resurgence targeting Latin American users. Mekotio’s latest variant suggests the gang behind it is broadening their target, while BBTok is seen abusing MSBuild.exe to evade detection.
This blog delves into the Phemedrone Stealer campaign's exploitation of CVE-2023-36025, the Windows Defender SmartScreen Bypass vulnerability, for its defense evasion and investigates the malware's payload.
Both BLISTER and SocGholish are loaders known for their evasion tactics. Our report details what these loaders are capable of and our investigation into a campaign that uses both to deliver the LockBit ransomware.