Dragon News Blog

Oct 298 min read

An Introduction to Operational Relay Box (ORB) Networks - Unpatched, Forgotten, and Obscured

Although not a new concept, Operational Relay Box (ORB) networks—often referred to as "covert," "mesh," or "obfuscated" networks—are...

FIN7: The Truth Doesn't Need to be so STARK

S2 Research Team

Aug 136 min read

FIN7: The Truth Doesn't Need to be so STARK

First and foremost, our thanks go to the threat research team at Silent Push and the security team at Stark Industries Solutions...

Botnet 7777: Are You Betting on a Compromised Router?

S2 Research Team

Aug 77 min read

Botnet 7777: Are You Betting on a Compromised Router?

Firstly, we extend our thanks to Chris Fearnley and Gi7w0rm, two threat researchers who assisted us behind the scenes with our...

S2 Research Team

Apr 41 min read

Latrodectus: This Spider Bytes Like Ice

For this research, we partnered with Proofpoint’s Threat Research team in a collaborative effort to provide a comprehensive overview of...

Coper / Octo - A Conductor for Mobile Mayhem… With Eight Limbs?

S2 Research Team

Mar 514 min read

Coper / Octo - A Conductor for Mobile Mayhem… With Eight Limbs?

Analysis of an Android Malware-as-a-Service Operation Coper, a descendant of the Exobot malware family, was first observed in the wild in...

Visualizing Qakbot Infrastructure Part II: Uncharted Territory

S2 Research Team

Aug 7, 202315 min read

Visualizing Qakbot Infrastructure Part II: Uncharted Territory

A Data-Driven Approach Based on Analysis of Network Telemetry In this blog post, we will provide an update on our high-level analysis of...

Inside the IcedID BackConnect Protocol (Part 2)

S2 Research Team

Jul 28, 202311 min read

Inside the IcedID BackConnect Protocol (Part 2)

Introduction In this blog post, we will provide an update on our continued analysis and tracking of infrastructure associated with...

S2 Research Team

Jun 15, 20235 min read

Darth Vidar: The Aesir Strike Back

At the beginning of this year, we released a detailed publication on Vidar infrastructure, encompassing both the primary administrative...

S2 Research Team

May 16, 20236 min read

Visualizing QakBot Infrastructure

A Data-Driven Approach based on Analysis of Network Telemetry This blog post seeks to draw out some high-level trends and anomalies based...

S2 Research Team

Apr 19, 20235 min read

AllaKore(d) the SideCopy Train

Identifying Connected Infrastructure and Management Activities Introduction This blog post seeks to build on recent public reporting on...

MoqHao Part 3: Recent Global Targeting Trends

S2 Research Team

Mar 16, 20235 min read

MoqHao Part 3: Recent Global Targeting Trends

Introduction This blog post is part of an ongoing series of analysis on MoqHao (also referred to as Wroba and XLoader), a malware family...

Desde Chile con Malware (From Chile with Malware)

S2 Research Team

Feb 24, 20235 min read

Desde Chile con Malware (From Chile with Malware)

Spoiler Alert: They weren't actually from Chile. Introduction This blog post provides a short update on our ongoing tracking of...

S2 Research Team

Jan 27, 20237 min read

A Blog with NoName

UPDATE: Since publishing this blog piece, we have worked in cooperation with Stark Industries Solutions to assist in the reduction of...

Darth Vidar: The Dark Side of Evolving Threat Infrastructure

S2 Research Team

Jan 19, 20238 min read

Darth Vidar: The Dark Side of Evolving Threat Infrastructure

Summary Three key takeaways from our analysis of Vidar infrastructure: Russian VPN gateways are potentially providing anonymity for Vidar...

S2 Research Team

Dec 21, 20229 min read

Inside the IcedID BackConnect Protocol

Deriving Threat Actor TTPs from Management Infrastructure Tracking You can find our previous work on Stage 1 and Stage 2 of IcedID’s...

Iranian Exploitation Activities Continue as of November 2022

S2 Research Team

Dec 8, 20223 min read

Iranian Exploitation Activities Continue as of November 2022

Telemetry Data Suggests 107.173.231.114 Remains an Active IOC Introduction This blog provides a short update on Team Cymru’s ongoing...

S2 Research Team

Nov 3, 20227 min read

Inside the V1 Raccoon Stealer’s Den

Exposing links to Kharkiv (Ukraine) and the CC2BTC Marketplace Introduction Team Cymru’s S2 Research Team has blogged previously on the...

A Visualizza into Recent IcedID Campaigns:

S2 Research Team

Oct 7, 202210 min read

A Visualizza into Recent IcedID Campaigns:

Reconstructing Threat Actor Metrics with Pure Signal™ Recon Introduction IcedID (also known as BokBot) started life in early 2017 as a...

Seychelles, Seychelles, on the C(2) Shore

S2 Research Team

Sep 29, 20228 min read

Seychelles, Seychelles, on the C(2) Shore

An overview of a bulletproof hosting provider named ELITETEAM. Introduction: What is “Bulletproof Hosting” (BPH)? Bulletproof hosting...

Mythic Case Study: Assessing Common Offensive Security Tools

S2 Research Team

Sep 5, 20225 min read

Mythic Case Study: Assessing Common Offensive Security Tools

Having covered the Sliver C2 framework in a previous post, this blog will continue our examination of Cobalt Strike “alternatives”,...