Paper Werewolf Threat Actor Targets Flash Drives With New Malware
The threat actor, also known as Goffee, has been active since at least 2022 and has changed its tactics and techniques over the years while targeting Russian organizations.
Coverage of named threat actors and intrusion sets examines reported incidents, infrastructure, disruption, and defensive guidance.
Search across headline titles and summaries.
Background for this topic.
Coverage under this tag concerns a named threat actor or intrusion set: an individual, group, or organized operation assessed to be responsible for malicious cyber activity. Reports may describe incidents, malware, attack infrastructure, disruption efforts, or analyst assessments. Attribution is often provisional, so actor names and reported links should be treated as intelligence judgments rather than established identity, nationality, sponsorship, or motive.
For defenders, such reporting can help connect incidents and prioritize monitoring, but indicators and techniques may be reused or become obsolete. Validate reported infrastructure, hashes, and behaviors against local telemetry; use confirmed weaknesses to guide vulnerability remediation and access controls. If activity is suspected, preserve relevant logs and evidence, contain affected accounts or systems, and coordinate investigation without relying on an actor label alone.
The threat actor, also known as Goffee, has been active since at least 2022 and has changed its tactics and techniques over the years while targeting Russian organizations.
Fortinet has revealed that threat actors have found a way to maintain read-only access to vulnerable FortiGate devices even after the initial access vector used to breach the devices was patched
Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched. [...]
The threat actor known as Paper Werewolf has been observed exclusively targeting Russian entities with a new implant called PowerModul
Palo Alto Networks has revealed that it's observing brute-force login attempts against PAN-OS GlobalProtect gateways, days after threat actors warned of a surge in suspicious login scanning activity targeting its appliances
Cybersecurity researchers have found that threat actors are setting up deceptive websites hosted on newly registered domains to deliver a known Android malware called SpyNote
Darktrace researchers detailed "spam bombing," a technique in which threat actors bombard targets with spam emails as a pretense for activity like social engineering campaigns.
Threat actors are continuing to upload malicious packages to the npm registry so as to tamper with already-installed local versions of legitimate libraries to execute malicious code in what's seen as a sneakier attempt to stage a software supply chain attack
The Russia-linked threat actor known as Gamaredon (aka Shuckworm) has been attributed to a cyber attack targeting a foreign military mission based in Ukraine with an aim to deliver an updated version of a known malware called GammaSteel
Tech Giant Says Threat Actors Are Exploiting a Flaw in Widely-Targeted Windows ToolRansomware threat actors are exploiting a zero-day vulnerability discovered in a highly targeted Windows logging system tool in a campaign in part targeting U.S. IT and real estate sectors, Microsoft confirmed in a Tuesday blog post urging customers to apply available patches.
Threat actors are trolling online forums and spreading malicious apps to target Uyghurs, Taiwanese, Tibetans, and other individuals aligned with interests that China sees as a threat to its authority.
Phishing actors are employing a new evasion tactic called 'Precision-Validated Phishing' that only shows fake login forms when a user enters an email address that the threat actors specifically targeted. [...]
A Chinese-affiliated threat actor known for its cyber-attacks in Asia has been observed exploiting a security flaw in security software from ESET to deliver a previously undocumented malware codenamed TCESB
A threat actor has already exploited one of the flaws in a ransomware campaign with victims in the US and other countries.
Espionage Campaign Mainly Targeted European OrganizationsA Russian nation state threat actor exploited "lesser known" features of Microsoft Windows remote desktop protocol to target European organizations for espionage. Hackers using RDP to deploy a malicious application and access data from victims.
Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency. [...]
Threat actors have been observed distributing malicious payloads such as cryptocurrency miner and clipper malware via SourceForge, a popular software hosting service, under the guise of cracked versions of legitimate applications like Microsoft Office
EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research. [...]
Researchers found the threat actor attempting to use the now-patched flaw to load and execute a malicious dynamic link library on infected systems.
Cybersecurity agencies from Australia, Canada, New Zealand, and the United States have published a joint advisory about the risks associated with a technique called fast flux that has been adopted by threat actors to obscure a command-and-control (C2) channel