今日已更新 412 条资讯 | 累计 19972 条内容
关于我们

标签:#threatintel

找到 2 篇相关文章

AI 资讯

Operation DragonReturn: DcRAT Deployment via Fake ITR Utilities

Originally published on satyamrastogi.com Seqrite Labs identifies multi-stage DcRAT campaign impersonating India's Income Tax Department. Attackers exploit tax professional workflows to deliver remote access trojans capable of data exfiltration and lateral movement. Operation DragonReturn: DcRAT Deployment via Fake ITR Utilities Executive Summary A China-nexus threat cluster is actively exploiting the predictable workflows of Indian tax professionals, corporate finance teams, and individual taxpayers through phishing campaigns distributing DcRAT (Dark Crystal Remote Access Trojan). Operation DragonReturn, as tracked by Seqrite Labs, demonstrates sophisticated understanding of Indian taxation cycles and organizational structures - critical operational intelligence required for high-success-rate social engineering. From an attacker's perspective, this campaign is methodologically sound: it targets a specific, predictable event (tax filing deadlines), uses trusted entity impersonation (Income Tax Department), and deploys a mature RAT with established evasion capabilities. The selection of DcRAT indicates access to commodity malware-as-a-service (MaaS) infrastructure, likely from Chinese underground forums where such tools are actively monetized and continuously updated. Attack Vector Analysis This operation chains multiple MITRE ATT&CK techniques into a cohesive infection chain: Initial Compromise: Spear-Phishing with Pretexting Attackers execute T1566.002 (Phishing - Spearphishing Attachment) by crafting emails impersonating legitimate Indian Income Tax Department communications. The social engineering layer leverages T1598.003 (Phishing - Spearphishing Link) with URLs pointing to malicious tax filing utilities. Pretexting is enhanced through T1589.001 (Gather Victim Identity Information - Credentials) , as attackers likely harvested tax professional contact lists from public records, LinkedIn OSINT, or previous data breaches. The timing of campaigns around Indian fis

2026-07-07 原文 →
AI 资讯

npm Supply Chain RAT: PostCSS Impersonation & Dependency Confusion

Originally published on satyamrastogi.com Three malicious npm packages masquerading as PostCSS tools delivered Windows RAT payloads. Analysis of supply chain attack mechanics, payload delivery chains, and detection gaps in dependency management. Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT Executive Summary This is a textbook supply chain attack leveraging npm's trust model. Three packages published in June 2026 - aes-decode-runner-pro , postcss-minify-selector , and postcss-minify-selector-parser - delivered Windows RAT payloads to developers. The attack demonstrates why automated dependency management without behavioral validation is a critical vulnerability. What makes this particularly effective: PostCSS is a legitimate, widely-used build tool. Developers hunting for PostCSS plugins via search or copy-pasting dependency names from tutorials become easy prey. The attacker didn't need zero-days, social engineering sophistication, or exploit kits. Just npm account registration and package uploads. This follows the exact pattern we've seen in credential theft campaigns prioritizing convenience over complexity . Low barrier to entry, high payoff. Attack Vector Analysis MITRE ATT&CK Framework Mapping This attack chains multiple techniques: T1195.001: Compromise Third-Party Software Supply Chain - Malicious package publication on npm registry T1566.002: Phishing - Spearphishing Link - Package discovery and recommendation (implicit trust) T1059.003: Command and Scripting Interpreter - Windows Command Shell - RAT payload execution T1105: Ingress Tool Transfer - Initial RAT download mechanism T1571: Non-Standard Port - C2 communication channels (typical) Kill Chain Breakdown Stage 1: Reconnaissance & Naming Attacker identifies PostCSS as high-value target (builds present in thousands of projects) Creates names that blend legitimacy with search results: postcss-minify-selector exploits incomplete package searches The aes-decode-runner-pro variant sug

2026-06-23 原文 →