Topic

Groups & tactics

The REF6138 campaign involved cryptomining, DDoS attacks, and potential money laundering via gambling APIs, highlighting the attackers' use of evolving malware and stealthy communication channels.

placeholder image
Code of Conduct: DPRK’s Python-fueled intrusions into secured networks

Code of Conduct: DPRK’s Python-fueled intrusions into secured networks

Investigating the DPRK’s strategic use of Python and carefully crafted social engineering, this publication sheds light on how they breach highly secure networks with evolving and effective cyber attacks.

GrimResource - Microsoft Management Console for initial access and evasion

GrimResource - Microsoft Management Console for initial access and evasion

Elastic researchers uncovered a new technique, GrimResource, which allows full code execution via specially crafted MSC files. It underscores a trend of well-resourced attackers favoring innovative initial access methods to evade defenses.

Invisible miners: unveiling GHOSTENGINE’s crypto mining operations

Invisible miners: unveiling GHOSTENGINE’s crypto mining operations

Elastic Security Labs has identified REF4578, an intrusion set incorporating several malicious modules and leveraging vulnerable drivers to disable known security solutions (EDRs) for crypto mining.

Sinking macOS Pirate Ships with Elastic Behavior Detections

Sinking macOS Pirate Ships with Elastic Behavior Detections

This research looks at a recently found macOS malware campaign using the macOS Endpoint Security Framework paired with the Elastic Agent to hunt and detect the behaviors this malware exhibits.

Unmasking a Financial Services Intrusion: REF0657

Unmasking a Financial Services Intrusion: REF0657

Elastic Security Labs details an intrusion leveraging open-source tooling and different post-exploitation techniques targeting the financial services industry in South Asia.

Elastic catches DPRK passing out KANDYKORN

Elastic catches DPRK passing out KANDYKORN

Elastic Security Labs exposes an attempt by the DPRK to infect blockchain engineers with novel macOS malware.

GHOSTPULSE haunts victims using defense evasion bag o' tricks

GHOSTPULSE haunts victims using defense evasion bag o' tricks

Elastic Security Labs reveals details of a new campaign leveraging defense evasion capabilities to infect victims with malicious MSIX executables.

The DPRK strikes using a new variant of RUSTBUCKET

The DPRK strikes using a new variant of RUSTBUCKET

Watch out! We’ve recently discovered a variant of RUSTBUCKET. Read this article to understand the new capabilities we’ve observed, as well as how to identify it in your own network.

Initial research exposing JOKERSPY

Initial research exposing JOKERSPY

Explore JOKERSPY, a recently discovered campaign that targets financial institutions with Python backdoors. This article covers reconnaissance, attack patterns, and methods of identifying JOKERSPY in your network.

Attack chain leads to XWORM and AGENTTESLA

Attack chain leads to XWORM and AGENTTESLA

Our team has recently observed a new malware campaign that employs a well-developed process with multiple stages. The campaign is designed to trick unsuspecting users into clicking on the documents, which appear to be legitimate.

REF2924: how to maintain persistence as an (advanced?) threat

REF2924: how to maintain persistence as an (advanced?) threat

Elastic Security Labs describes new persistence techniques used by the group behind SIESTAGRAPH, NAPLISTENER, and SOMNIRECORD.

Update to the REF2924 intrusion set and related campaigns

Update to the REF2924 intrusion set and related campaigns

Elastic Security Labs is providing an update to the REF2924 research published in December of 2022. This update includes malware analysis of the implants, additional findings, and associations with other intrusions.

SiestaGraph: New implant uncovered in ASEAN member foreign ministry

SiestaGraph: New implant uncovered in ASEAN member foreign ministry

Elastic Security Labs is tracking likely multiple on-net threat actors leveraging Exchange exploits, web shells, and the newly discovered SiestaGraph implant to achieve and maintain access, escalate privilege, and exfiltrate targeted data.

Exploring the REF2731 Intrusion Set

Exploring the REF2731 Intrusion Set

The Elastic Security Labs team has been tracking REF2731, an 5-stage intrusion set involving the PARALLAX loader and the NETWIRE RAT.

Doing time with the YIPPHB dropper

Doing time with the YIPPHB dropper

Elastic Security Labs outlines the steps collect and analyze the various stages of the REF4526 intrusion set. This intrusion set uses a creative approach of Unicode icons in Powershell scripts to install a loader, a dropper, and RAT implants.

ICEDIDs network infrastructure is alive and well

ICEDIDs network infrastructure is alive and well

Elastic Security Labs details the use of open source data collection and the Elastic Stack to analyze the ICEDID botnet C2 infrastructure.

LUNA Ransomware Attack Pattern Analysis

LUNA Ransomware Attack Pattern Analysis

In this research publication, we'll explore the LUNA attack pattern — a cross-platform ransomware variant.

Exploring the QBOT Attack Pattern

Exploring the QBOT Attack Pattern

In this research publication, we'll explore our analysis of the QBOT attack pattern — a full-featured and prolific malware family.

Elastic Security uncovers BLISTER malware campaign

Elastic Security uncovers BLISTER malware campaign

Elastic Security has identified active intrusions leveraging the newly identified BLISTER malware loader utilizing valid code-signing certificates to evade detection. We are providing detection guidance for security teams to protect themselves.

A peek behind the BPFDoor

A peek behind the BPFDoor

In this research piece, we explore BPFDoor — a backdoor payload specifically crafted for Linux in order to gain re-entry into a previously or actively compromised target environment.

Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 2)

Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 2)

Learn how Elastic Endpoint Security and Elastic SIEM can be used to hunt for and detect malicious persistence techniques at scale.

Playing defense against Gamaredon Group

Playing defense against Gamaredon Group

Learn about the recent campaign of a Russia-based threat group known as Gamaredon Group. This post will review these details and provide detection strategies.

Okta and LAPSUS$: What you need to know

Okta and LAPSUS$: What you need to know

The latest organization under the microscope of the LAPSUS$ group is Okta. Threat hunt for the recent breach targeting Okta users using these simple steps in Elastic

Collecting Cobalt Strike Beacons with the Elastic Stack

Collecting Cobalt Strike Beacons with the Elastic Stack

Part 1 - Processes and technology needed to extract Cobalt Strike implant beacons

Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1)

Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1)

Learn how Elastic Endpoint Security and Elastic SIEM can be used to hunt for and detect malicious persistence techniques at scale.