#ta558 — Public Fediverse posts

🎣 Phishing Campaign
====================

🎯 Threat Intelligence

Executive summary: RevengeHotels, tracked as TA558, has launched a new campaign focused on targets in Latin America. The operation combines social‑engineering lures generated or refined with LLMs and a multi‑stage payload delivery that includes VenomRAT as a secondary implant.

Technical details: The research attributed to Kaspersky GReAT describes an initial infection vector using convincing lures (reports indicate use of large language models to craft messages and
attachments) followed by deployment of a malicious implant and a second loading step that delivers VenomRAT. Additional behaviours reported include USB spreading and anti‑kill mechanisms intended to maintain persistence and hinder remediation.

Analysis & impact: The group’s historical goal of payment‑card harvesting aligns with observed tooling and TTPs; VenomRAT provides remote access and data‑collection capabilities that enable payment‑card skimming and exfiltration. Use of LLMs to tailor lures increases phishing efficacy and may broaden victim scope across industries in the region.

Detection: Monitor for anomalous post‑delivery processes and new persistence artifacts, uncommon USB autorun or device enumeration activity, and network connections associated with known VenomRAT command‑and‑control patterns. Endpoint telemetry showing staged downloads after opening social‑engineering attachments is a high‑value detection signal. No precise IoCs were included in the supplied excerpt.

Mitigation: Enforce multi‑layer controls: block known malicious file types at mail gateways, apply strict device control policies for removable media, enforce EDR detections for process injection and persistence modification, and treat unsolicited attachments with elevated suspicion, especially those leveraging sophisticated social engineering likely crafted by LLMs.

References & caveats: Findings are derived from a Kaspersky GReAT report; technical artifacts and IoCs were not fully available in the supplied text. Further validation against full indicators is recommended.

🔹 RevengeHotels #VenomRAT #TA558 #LLM

🔗 Source: https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-latin-america/117493/

🎣 Phishing Campaign
====================

🎯 Threat Intelligence

Executive summary: RevengeHotels, tracked as TA558, has launched a new campaign focused on targets in Latin America. The operation combines social‑engineering lures generated or refined with LLMs and a multi‑stage payload delivery that includes VenomRAT as a secondary implant.

Technical details: The research attributed to Kaspersky GReAT describes an initial infection vector using convincing lures (reports indicate use of large language models to craft messages and
attachments) followed by deployment of a malicious implant and a second loading step that delivers VenomRAT. Additional behaviours reported include USB spreading and anti‑kill mechanisms intended to maintain persistence and hinder remediation.

Analysis & impact: The group’s historical goal of payment‑card harvesting aligns with observed tooling and TTPs; VenomRAT provides remote access and data‑collection capabilities that enable payment‑card skimming and exfiltration. Use of LLMs to tailor lures increases phishing efficacy and may broaden victim scope across industries in the region.

Detection: Monitor for anomalous post‑delivery processes and new persistence artifacts, uncommon USB autorun or device enumeration activity, and network connections associated with known VenomRAT command‑and‑control patterns. Endpoint telemetry showing staged downloads after opening social‑engineering attachments is a high‑value detection signal. No precise IoCs were included in the supplied excerpt.

Mitigation: Enforce multi‑layer controls: block known malicious file types at mail gateways, apply strict device control policies for removable media, enforce EDR detections for process injection and persistence modification, and treat unsolicited attachments with elevated suspicion, especially those leveraging sophisticated social engineering likely crafted by LLMs.

References & caveats: Findings are derived from a Kaspersky GReAT report; technical artifacts and IoCs were not fully available in the supplied text. Further validation against full indicators is recommended.

🔹 RevengeHotels #VenomRAT #TA558 #LLM

🔗 Source: https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-latin-america/117493/

🎣 Phishing Campaign
====================

🎯 Threat Intelligence

Executive summary: RevengeHotels, tracked as TA558, has launched a new campaign focused on targets in Latin America. The operation combines social‑engineering lures generated or refined with LLMs and a multi‑stage payload delivery that includes VenomRAT as a secondary implant.

Technical details: The research attributed to Kaspersky GReAT describes an initial infection vector using convincing lures (reports indicate use of large language models to craft messages and
attachments) followed by deployment of a malicious implant and a second loading step that delivers VenomRAT. Additional behaviours reported include USB spreading and anti‑kill mechanisms intended to maintain persistence and hinder remediation.

Analysis & impact: The group’s historical goal of payment‑card harvesting aligns with observed tooling and TTPs; VenomRAT provides remote access and data‑collection capabilities that enable payment‑card skimming and exfiltration. Use of LLMs to tailor lures increases phishing efficacy and may broaden victim scope across industries in the region.

Detection: Monitor for anomalous post‑delivery processes and new persistence artifacts, uncommon USB autorun or device enumeration activity, and network connections associated with known VenomRAT command‑and‑control patterns. Endpoint telemetry showing staged downloads after opening social‑engineering attachments is a high‑value detection signal. No precise IoCs were included in the supplied excerpt.

Mitigation: Enforce multi‑layer controls: block known malicious file types at mail gateways, apply strict device control policies for removable media, enforce EDR detections for process injection and persistence modification, and treat unsolicited attachments with elevated suspicion, especially those leveraging sophisticated social engineering likely crafted by LLMs.

References & caveats: Findings are derived from a Kaspersky GReAT report; technical artifacts and IoCs were not fully available in the supplied text. Further validation against full indicators is recommended.

🔹 RevengeHotels #VenomRAT #TA558 #LLM

🔗 Source: https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-latin-america/117493/

🎣 Phishing Campaign
====================

🎯 Threat Intelligence

Executive summary: RevengeHotels, tracked as TA558, has launched a new campaign focused on targets in Latin America. The operation combines social‑engineering lures generated or refined with LLMs and a multi‑stage payload delivery that includes VenomRAT as a secondary implant.

Technical details: The research attributed to Kaspersky GReAT describes an initial infection vector using convincing lures (reports indicate use of large language models to craft messages and
attachments) followed by deployment of a malicious implant and a second loading step that delivers VenomRAT. Additional behaviours reported include USB spreading and anti‑kill mechanisms intended to maintain persistence and hinder remediation.

Analysis & impact: The group’s historical goal of payment‑card harvesting aligns with observed tooling and TTPs; VenomRAT provides remote access and data‑collection capabilities that enable payment‑card skimming and exfiltration. Use of LLMs to tailor lures increases phishing efficacy and may broaden victim scope across industries in the region.

Detection: Monitor for anomalous post‑delivery processes and new persistence artifacts, uncommon USB autorun or device enumeration activity, and network connections associated with known VenomRAT command‑and‑control patterns. Endpoint telemetry showing staged downloads after opening social‑engineering attachments is a high‑value detection signal. No precise IoCs were included in the supplied excerpt.

Mitigation: Enforce multi‑layer controls: block known malicious file types at mail gateways, apply strict device control policies for removable media, enforce EDR detections for process injection and persistence modification, and treat unsolicited attachments with elevated suspicion, especially those leveraging sophisticated social engineering likely crafted by LLMs.

References & caveats: Findings are derived from a Kaspersky GReAT report; technical artifacts and IoCs were not fully available in the supplied text. Further validation against full indicators is recommended.

🔹 RevengeHotels #VenomRAT #TA558 #LLM

🔗 Source: https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-latin-america/117493/

Crypters And Tools. Часть 2: Разные лапы — один клубок

Всем салют! Вновь на связи киберразведчики из экспертного центра безопасности (PT ESC) с новой порцией находок, связанных с Crypters And Tools. В первой части мы рассказали о крипторе, который мы обнаружили в процессе исследования атак различных группировок. Отчет концентрировался на внутреннем устройстве и инфраструктуре самого криптора. В этой части мы расскажем о хакерских группировках, которые использовали его в атаках, их связях, уникальных особенностях, а также о пользователях Crypters And Tools, часть из которых связана с рассматриваемыми группировками.

https://habr.com/ru/companies/pt/articles/905308/

#cybersecurity #киберразведка #хакерские_инструменты #apt #крипторы #ta558 #вредоносное_программное_обеспечение #расследование_инцидентов #mitre #латинская_америка