Zscaler Cloud Security Logo
Company > Blog

News and views from the leading voice in secure digital transformation

More From This Author

Profile picture for user Brett Stone-Gross

Brett Stone-Gross

Director of Threat Intelligence
Ransomware hacker
Ransomware
5 Min read

Nokoyawa Ransomware: Rust or Bust

Key Points Nokoyawa is a 64-bit Windows-based ransomware family that emerged in February 2022 The threat group behind Nokoyawa performs double extortion ransomware attacks: exfiltrating sensitive information from...
BlackBasta Hacker
Ransomware
7 Min read

Back in Black... Basta

Key Points BlackBasta emerged in February 2022 with double extortion ransomware attacks against organizations The threat group exfiltrates sensitive information from organizations before performing file encryptio...
Technical Analysis of Windows CLFS Zero-Day Vulnerability CVE-2022-37969 - Part 2: Exploit Analysis
Insights and Research
19 Min read

Technical Analysis of Windows CLFS Zero-Day Vulnerability CVE-2022-37969 - Part 2: Exploit Analysis

In Part 1 of this blog series, we analyzed the root cause for CVE-2022-37969. In this blog, we will present an in-the-wild exploit that was discovered by Zscaler ThreatLabz that successfully leveraged CVE-2022-37969 for ...
Windows Common Log File System Driver Privilege Escalation Zero-Day Vulnerability CVE-2022-37969
Insights and Research
19 Min read

Technical Analysis of Windows CLFS Zero-Day Vulnerability CVE-2022-37969 - Part 1: Root Cause Analysis

On September 2, 2022, Zscaler Threatlabz captured an in-the-wild 0-day exploit in the Windows Common Log File System Driver (CLFS.sys) and reported this discovery to Microsoft. In the September Tuesday patch, Microsoft f...
Malware
Insights and Research
9 Min read

The Ares Banking Trojan Learns Old Tricks: Adds the Defunct Qakbot DGA

Summary: ThreatLabz observed an update to the Ares banking trojan that introduces a domain generation algorithm (DGA), which mirrors the Qakbot DGA. Based on analyzing the malware code, there does not appear to be a dire...
Technical Analysis of Prynt Stealer/WorldWind/DarkEye Spiderman meme
Insights and Research
12 Min read

No Honor Among Thieves - Prynt Stealer’s Backdoor Exposed

Stealing information is fundamental to cybercriminals today to scope and gain access to systems, profile organizations, and execute bigger payday schemes like ransomware. Information stealer malware families including Pr...
Analysis of Adobe Acrobat Reader Javascript Doc.print() Use-After-Free Vulnerability (CVE-2022-34233)
Insights and Research
3 Min read

Analysis of Adobe Acrobat Reader Javascript Doc.print() Use-After-Free Vulnerability (CVE-2022-34233)

In July 2022, Adobe released a security update for vulnerabilities in Adobe Acrobat and Reader. The update fixed a vulnerability that is identified as CVE-2022-34233 discovered by the Zscaler ThreatLabz research team. In...
Ransomware
Ransomware
8 Min read

Technical Analysis of Industrial Spy Ransomware

Industrial Spy is a relatively new ransomware group that emerged in April 2022. In some instances, the threat group appears to only exfiltrate and ransom data, while in other cases they encrypt, exfiltrate and ransom dat...
The 2022 ThreatLabz State of Ransomware Report
Ransomware
6 Min read

The 2022 ThreatLabz State of Ransomware Report

Ransomware attacks increased by yet another 80% between February 2021 and March 2022, based on an analysis of ransomware payloads seen across the Zscaler cloud. Double-extortion attacks, which include data exfiltration i...
cover image
Insights and Research
11 Min read

Vidar distributed through backdoored Windows 11 downloads and abusing Telegram

Summary In April 2022, ThreatLabz discovered several newly registered domains, which were created by a threat actor to spoof the official Microsoft Windows 11 OS download portal. We discovered these domains by monitor...
Analysis of BlackByte Ransomware's Go-Based Variants
Ransomware
23 Min read

Analysis of BlackByte Ransomware's Go-Based Variants

Key Points BlackByte is a full-featured ransomware family that first emerged around July 2021 The ransomware was originally written in C# and later redeveloped in the Go programming language around September 2021...
Cyber honeycomb containing locks.
Insights and Research
7 Min read

Peeking into PrivateLoader

Key Points PrivateLoader is a downloader malware family that was first identified in early 2021 The loader’s primary purpose is to download and execute additional malware as part of a pay-per-install (PPI) malwar...
Zscaler ThreatLabz Discovers Multiple Product Bugs in Adobe Acrobat
Insights and Research
3 Min read

Zscaler ThreatLabz Discovers Multiple Product Bugs in Adobe Acrobat

In April 2022, Adobe released security update APSB22-16. This update fixed five product bugs that Zscaler’s ThreatLabz reported in Adobe Acrobat that are related to EMF (Enhanced Metafile Format) parsing. Adobe determine...
Ransomware
Insights and Research
8 Min read

Conti Ransomware Attacks Persist With an Updated Version Despite Leaks

In late January 2022, ThreatLabz identified an updated version of Conti ransomware as part of the global ransomware tracking efforts. This update was released prior to the massive leak of Conti source code and chat logs ...
CVE-2021-44708
Insights and Research
10 Min read

Analysis of Adobe Acrobat Pro DC Solid Framework Heap-based Buffer Overflow Vulnerability (CVE-2021-44708)

In January 2022, Adobe released a security update for vulnerabilities in Adobe Acrobat and Reader. The update fixed five vulnerabilities (CVE-2021-44703, CVE-2021-44708, CVE-2021-44709, CVE-2021-44740, and CVE-2021-44741...
Cyber honeycomb containing locks.
Insights and Research
4 Min read

DanaBot Launches DDoS Attack Against the Ukrainian Ministry of Defense

March 7, 2022 Update DanaBot affiliate ID 5 has stopped DDoSing the Ukrainian Ministry of Defense’s webmail server and started DDoSing a hardcoded IP address, 138.68.177[.]158. According to Passive DNS data, this...
Ransomware hacker
Ransomware
4 Min read

Technical Analysis of PartyTicket Ransomware

Key Points PartyTicket is an unsophisticated and poorly designed ransomware family that is likely intended to be a diversion from the Hermetic wiper attack The ransomware generates a single AES key that is used t...
Ukraine targeted attacks
Insights and Research
11 Min read

HermeticWiper & resurgence of targeted attacks on Ukraine

Summary Since Jan 2022, ThreatLabz has observed a resurgence in targeted attack activity against Ukraine. We identified two attack-chains in the timeframe - Jan to Feb 2022, which we attribute to the same threat actor...
Analysis of Adobe Acrobat Pro DC Solid Framework Out-of-Bounds Read Vulnerability (CVE-2021-40729)
Insights and Research
11 Min read

Analysis of Adobe Acrobat Pro DC Solid Framework Out-of-Bounds Read Vulnerability (CVE-2021-40729)

Summary In October 2021, Adobe released a security update for vulnerabilities in Adobe Acrobat and Reader. Among these vulnerabilities is an out-of-bounds read (CVE-2021-40729) that was discovered by Zscaler’s ThreatL...
Analysis of Xloader’s C2 Network Encryption
Insights and Research
8 Min read

Analysis of Xloader’s C2 Network Encryption

Introduction Xloader is an information stealing malware that is the successor to Formbook, which had been sold in hacking forums since early 2016. In October 2020, Formbook was rebranded as Xloader and some significan...
Cyber security
Insights and Research
11 Min read

Squirrelwaffle: New Loader Delivering Cobalt Strike

Zscaler ThreatLabz has been following an emerging new malware loader known as Squirrelwaffle that is being used to deliver Cobalt Strike. In this blog, we will be analyzing the complete attack chain for this new malware ...
Ransomware hacker
Ransomware
3 Min read

DoppelPaymer Continues to Cause Grief Through Rebranding

In early May 2021, DoppelPaymer ransomware activity dropped significantly. Although the DoppelPaymer leak site still remains online, there has not been a new victim post since May 6, 2021. In addition, no victim posts ha...
Kaseya Supply Chain Ransomware Attack - Technical Analysis of the REvil Payload
Insights and Research
8 Min read

Kaseya Supply Chain Ransomware Attack - Technical Analysis of the REvil Payload

On July 2, 2021, Kaseya, an IT Management software firm, disclosed a security incident impacting their on-premises version of Kaseya's Virtual System Administrator (VSA) software. Kaseya VSA is a cloud-based Managed Serv...
Ares malware
Insights and Research
17 Min read

Ares Malware: The Grandson of the Kronos Banking Trojan

Kronos is a banking trojan that first emerged in 2014 and marketed in underground forums as a crimeware kit to conduct credit card, identity theft, and wire fraud. In September 2018, a new Kronos variant named Osiris int...
Botnets
Insights and Research
32 Min read

DreamBus Botnet – Technical Analysis

Zscaler’s ThreatLabZ research team recently analyzed a Linux-based malware family that we have dubbed the DreamBus Botnet. The malware is a variant of SystemdMiner, which consists of a series of Executable and Linkable F...

Related Articles

Explore More Topics