Visualizing QakBot Infrastructure
A Data-Driven Approach based on Analysis of Network Telemetry This blog post seeks to draw out some high-level trends and anomalies based...
top of page
Dragon News Blog
S2 Research Team
- Apr 19
- 5 min
AllaKore(d) the SideCopy Train
Identifying Connected Infrastructure and Management Activities Introduction This blog post seeks to build on recent public reporting on...
S2 Research Team
- Mar 16
- 5 min
MoqHao Part 3: Recent Global Targeting Trends
Introduction This blog post is part of an ongoing series of analysis on MoqHao (also referred to as Wroba and XLoader), a malware family...
S2 Research Team
- Feb 24
- 5 min
Desde Chile con Malware (From Chile with Malware)
Spoiler Alert: They weren't actually from Chile. Introduction This blog post provides a short update on our ongoing tracking of...
S2 Research Team
- Jan 27
- 7 min
A Blog with NoName
Further Insight into the Hacktivist Operation Targeting NATO and Affiliated Nations Key Findings NoName057(16) is a pro-Russian...
S2 Research Team
- Jan 19
- 8 min
Darth Vidar: The Dark Side of Evolving Threat Infrastructure
Summary Three key takeaways from our analysis of Vidar infrastructure: Russian VPN gateways are potentially providing anonymity for Vidar...
S2 Research Team
- Dec 21, 2022
- 9 min
Inside the IcedID BackConnect Protocol
Deriving Threat Actor TTPs from Management Infrastructure Tracking You can find our previous work on Stage 1 and Stage 2 of IcedID’s...
S2 Research Team
- Dec 8, 2022
- 3 min
Iranian Exploitation Activities Continue as of November 2022
Telemetry Data Suggests 107.173.231.114 Remains an Active IOC Introduction This blog provides a short update on Team Cymru’s ongoing...
S2 Research Team
- Nov 3, 2022
- 7 min
Inside the V1 Raccoon Stealer’s Den
Exposing links to Kharkiv (Ukraine) and the CC2BTC Marketplace Introduction Team Cymru’s S2 Research Team has blogged previously on the...
S2 Research Team
- Oct 7, 2022
- 10 min
A Visualizza into Recent IcedID Campaigns:
Reconstructing Threat Actor Metrics with Pure Signal™ Recon Introduction IcedID (also known as BokBot) started life in early 2017 as a...
S2 Research Team
- Sep 29, 2022
- 8 min
Seychelles, Seychelles, on the C(2) Shore
An overview of a bulletproof hosting provider named ELITETEAM. Introduction: What is “Bulletproof Hosting” (BPH)? Bulletproof hosting...
S2 Research Team
- Sep 5, 2022
- 4 min
Mythic Case Study: Assessing Common Offensive Security Tools
Having covered the Sliver C2 framework in a previous post (May 2022), this blog will continue our examination of Cobalt Strike...
tcblogposts
- Jul 12, 2022
- 6 min
An Analysis of Infrastructure linked to the Hagga Threat Actor
Summary As this research reveals, mapping out adversary infrastructure has distinct advantages that enable a proactive response to future...
S2 Research Team
- Jun 29, 2022
- 5 min
The Sliding Scale of Threat Actor Sophistication When Reacting to 0-day Vulnerabilities
Threat Telemetry Analysis for the Disclosure of CVE-2022-26134 SUMMARY Team Cymru’s S2 Research Team has highlighted why it is important...
S2 Research Team
- May 25, 2022
- 4 min
Bablosoft; Lowering the Barrier of Entry for Malicious Actors
Free-to-use browser automation framework creates thriving criminal community Summary Evidence suggests an increasing number of threat...
S2 Research Team
- May 3, 2022
- 6 min
Sliver Case Study: Assessing Common Offensive Security Tools
The Use of the Sliver C2 Framework for Malicious Purposes The proliferation of Cobalt Strike during the early 2020s has been undeniable,...
S2 Research Team
- Apr 7, 2022
- 4 min
MoqHao Part 2: Continued European Expansion
Monitoring Roaming Mantis Operations with Pure Signal™ Recon This blog is a product of ongoing collaboration with @ninoseki, a...
S2 Research Team
- Mar 23, 2022
- 4 min
Raccoon Stealer – An Insight into Victim “Gates”
Tracking Infostealers with Team Cymru's Botnet Analysis and Reporting Service (BARS) Raccoon Stealer is one of 40-plus malware families...
S2 Research Team
- Feb 3, 2022
- 4 min
Insight into North Korean ‘Internet Outages’
Understanding the 'How' and 'When' The first month of 2022 saw the return of North Korean ballistic missile testing. Reports of several...
S2 Research Team
- Jan 26, 2022
- 4 min
Analysis of a Management IP Address linked to Molerats APT
Enrichment of Zscaler Research into Middle Eastern Espionage Attacks Key Findings Higher order infrastructure, utilizing IP addresses...
bottom of page