Threat Research

At the end of October, during a global AWS connectivity disruption, Labs detected malware known as “ShadowV2” exploiting IoT vulnerabilities to spread. The incidents impacted multiple countries and affected seven different industries. To date, the malware has only been observed operating during the major AWS outage window....

A major botnet campaign, dubbed RondoDox, is actively exploiting over 50 known vulnerabilities in routers, DVRs, NVRs, CCTV systems, and web servers from more than 30 vendors. Organizations with internet-facing infrastructure face heightened risks of data theft, persistent access, and operational disruption....

Detects unusual process activity where Sysmon is observed as the parent process—behavior that may indicate exploitation attempts, such as those associated with CVE-2022-41120....

A newly identified botnet called RustoBot is spreading through TOTOLINK routers using Rust, a programming language known for its speed and security. RustoBot exploits command injection vulnerabilities in the cstecgi.cgi script, including CVE-2022-26210 and CVE-2022-26187, to achieve remote code execution....

Monitors the creation of JavaScript files within the DriverStore directory. Forest Blizzard exploited the CVE-2022-38028 vulnerability in the Windows Print Spooler service by altering a JavaScript constraints file and executing it with SYSTEM-level privileges....

In October and November 2024, a surge in activity was observed by two botnets, the Mirai variant "FICORA" and the Kaiten variant "CAPSAICIN," both exploiting aging D-Link vulnerabilities. These vulnerabilities, primarily through the HNAP interface, allow remote attackers to execute malicious commands....

Identifies a possible exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. According to Morphisec, during the attack, threat actors utilized PowerShell commands that ran as child processes of the legitimate Tomcat "prunsrv.exe" application....