GitHub pages serve Braodo Version 2, A Python based Stealer 19 May
  • By Gurumoorthi
  • stealer, python_obfuscation, braodo, telegram_bot


We observed a threat actor leveraging GitHub repositories to deliver Braodo Stealer, a sophisticated Python-based stealer. The author hosted all of the Python packages needed to run the stealer within the GitHub repository. The infection layers included a Byte Order Mark (BOM) used as an obfuscation trick, designed to make the victim believe the file is Chinese text.

Websites poisoned with Fake Captcha Leading to Lumma Stealer 29 Apr
  • By Mageshwaran B
  • phishing, lummastealer, fakecaptcha, amsi_bypass


Since Q1 2025 we have found the threat actor leveraging Cloudflare-themed fake captchas injected into legitimate sites, leading to the drop of Lumma Stealer. The malware author used various obfuscation and encryption methods to evade detection by AV vendors.

Unveiling APT36, Spreading Documents Employs Pahalgam Attack Theme 26 Apr
  • By Gurumoorthi
  • stealer, crimsonRAT, phishing


From 24 April 2025, we observed a Pakistan-aligned threat actor known as TransparentTribe spreading phishing PPT and PDF files with Pahalgam attack themes. The phishing PDF indicates that the targets include Indian government users as well as ordinary victims. Though the infection chain looks simple, the PDF and PPT are convincing enough to lure the user into clicking the links, and the embedded login page asks for credentials for ‘gov.in’ and ‘nic.in’ mail IDs.

Multi layers of evasion techniques drops various Remote Access Trojan 26 Apr
  • By Gurumoorthi
  • xwormrat, python_obfuscation, memory_injection


We recently came across a phishing campaign in which a malicious author sent an email with an HTML file attached. The infection flow involves multiple layers of evasion techniques; in particular, the author used the Kramer obfuscation method, a Python script obfuscator available on GitHub. This campaign pretends to be a consumer asking for a service and was directed at staff.

Sophisticated Dbat Loader delivers Agenttesla targeting Italy 18 Apr
  • By Dhebika S
  • stealer, agenttesla, remcosrat, dropper


Since 2022, attackers have installed infostealers and commodity remote access Trojans (RATs) such as Remcos, Formbook and AgentTesla using DbatLoader (also known as ModiLoader). It usually spreads through phishing emails carrying a malicious attachment.