CoalaBot : http Ddos Bot

CoalaBot appears to be built on August Stealer code (the panel and traffic are really alike). I found it spread as a task in a Betabot and in an Andromeda spread via RIG fed by at least one HilltopAds malvertising. 2017-09-11: a witnessed infection chain to CoalaBot. A look inside: CoalaBot: Login Screen (August Stealer alike); CoalaBot: Statistics...

Mon Oct 16, 2017 12:02
Bye Empire, Hello Nebula Exploit Kit.

Nebula Logo. While Empire (RIG-E) disappeared at the end of December after 4 months of activity (illustration of the last month of witnessed activity for Empire), on 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground. ------ Selling EK Nebula ------ Nebula Exploit kit Features: -Automatic domain scanning and generating (99%...

Thu Mar 2, 2017 23:17
CVE-2016-7200 & CVE-2016-7201 (Edge) and Exploit Kits

CVE-2016-7200 & CVE-2016-7201 are vulnerabilities in the Chakra JavaScript scripting engine in Microsoft Edge. Reported by Natalie Silvanovich of Google Project Zero, they were fixed in November 2016 (MS16-129) by Microsoft. On 2017-01-04 @theori_io released a Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201)...

Fri Jan 6, 2017 15:15
RIG evolves, Neutrino waves goodbye, Empire Pack appears

Around the middle of August many infection chains transitioned to RIG with more geo-focused bankers and less CryptXXX (CryptMic) Ransomware. Picture 1: Select Drive-by landscape - Middle of August 2016 vs Middle of July 2016. RIG += internal TDS: Trying to understand that move, I suspected and confirmed the presence of an internal TDS (Traffic...

Sun Oct 2, 2016 06:58
Fox stealer: another Pony Fork

Gift for SweetTail-Fox-mlp by Mad-N-Monstrous. Small data drop about another Pony fork: Fox stealer. The first sample of this malware I saw was at the beginning of September 2016, thanks to Malc0de. After figuring out the panel name and to which advert it was tied, we were referring to it as PonyForx. Advert: 2016-08-11 - Sold underground by a user going...

Mon Sep 26, 2016 14:12
CVE-2016-0189 (Internet Explorer) and Exploit Kit

Spotted by Symantec in the wild and patched with MS16-051 in May 2016, CVE-2016-0189 is now being integrated in Exploit Kits. Neutrino Exploit Kit: Here 2016-07-13, but I am being told that I am late to the party. It's already [CN] documented here. Neutrino after ScriptJS redirector dropping Locky Affid 13 - 2016-07-13. Flash sample in that pass: 85b707cf63abc0f8cfe027153031e853fe452ed02034b792323eecd3bc0f7fd...

Fri Jul 15, 2016 00:59
