Group-IB Blog


Threat Intelligence · November 26, 2025
Bloody Wolf: A Blunt Crowbar Threat To Justice
Since late June 2025, Group-IB analysts have observed a surge in spear-phishing emails across Central Asia. The attackers impersonate government agencies to gain the trust of their victims. This blog describes the techniques, tools and ongoing activity of the threat group known as Bloody Wolf.
Amirbek Kurbanov
Volen Kayo
Ransomware · November 13, 2025
Uncovering a Multi-Stage Phishing Kit Targeting Italy’s Infrastructure
Group-IB researchers uncovered a professional phishing framework that mimics trusted brands with remarkable precision. Using layered evasion, CAPTCHA filtering, and Telegram-based data exfiltration, attackers harvest credentials and bypass automated detection. The findings highlight how phishing-as-a-service operations are scaling through automation, lowering technical barriers for cybercriminals, and industrializing one of the oldest yet most effective forms of digital fraud.
Ivan Salipur
Federico Marazzi
Technologies · November 5, 2025
Ghosts in /proc: Manipulation and Timeline Corruption
Discover how attackers could manipulate the Linux /proc filesystem to hide malicious processes and distort forensic timelines. This technical deep dive highlights examples of command-line substitution and start time corruption, and offers detection and defense strategies for incident responders and security analysts.
Nam Le Phuong
Email Protection Spotlight · October 31, 2025
Detecting the NPM Supply Chain Compromise Before It Spread
Discover how Group-IB’s Business Email Protection (BEP) could prevent an NPM supply chain compromise by detecting the initial phishing email that led to the developer’s infection.
Anastasia Tikhonova
Anton Shumakov
Cyber Investigations · October 28, 2025
The Illusion of Wealth: Inside the Engineered Reality of Investment Scam Platforms
This blog details online investment scam campaigns, including fraudulent cryptocurrency, forex, and trading platforms, while offering a technical investigation guide for investigators, based on Group-IB’s technical investigation methodology. It outlines the social engineering tactics and victim manipulation models employed, describes the fraud actor structures behind these schemes, and highlights key infrastructure artifacts identified by Group-IB High-Tech Investigations analysts that can be leveraged by cybersecurity professionals for detection and disruption.
Hai Ha Phan
Advanced Persistent Threats · October 22, 2025
Unmasking MuddyWater’s New Malware Toolkit Driving International Espionage
Group-IB Threat Intelligence has uncovered a sophisticated phishing campaign, attributed with high confidence to the Advanced Persistent Threat (APT) MuddyWater. The attack used a compromised mailbox to distribute Phoenix backdoor malware to international organizations and across the whole Middle East and North Africa region, targeting more than 100 government entities.
Mahmoud Zohdy
Mansour Alhmoud
Scam & Phishing · October 21, 2025
Exposing the Immediate Era Fraud in Singapore
Group-IB’s Threat Intelligence Report on a Singapore-Targeted Scam Operation
Vladimir Kalugin
Technologies · October 17, 2025
East-west tension: Are NDR vendors monitoring the wrong traffic?
Most NDR deployments focus on perimeter traffic. Meanwhile, attackers move laterally inside networks. Here’s why east-west visibility is the blind spot that defines today’s biggest breaches.
Ilya Pomerantcev
Threat Intelligence · October 15, 2025
A new weapon against payment fraud: Unique threat intelligence for anti-fraud teams
Group-IB’s Suspicious Payment Details module for Threat Intelligence delivers payment identifiers tied to ransomware, illegal casinos, and laundering schemes. Fraud, AML, and compliance teams can now stop money from reaching criminal infrastructure.
Dmitry Shestakov
Technologies · October 8, 2025
Top 7 Cybersecurity Newsletters Worth Your Inbox
Your inbox deserves better than spam. Here are 7 cybersecurity newsletters that actually inform and make you a little smarter each week.
Meeba Gracy
Advanced Persistent Threats · September 17, 2025
Tracking MuddyWater in Action: Infrastructure, Malware and Operations during 2025
The blog provides an in-depth look at MuddyWater’s evolution in tooling, targeting, and infrastructure management, suggesting a more mature and capable advanced persistent threat within the META region.
Mansour Alhmoud
Mahmoud Zohdy
Technologies · September 5, 2025
10 Cybersecurity Podcasts to Add to Your Queue Now
Meeba Gracy
Scam & Phishing · September 3, 2025
From Deepfakes to Dark LLMs: 5 use-cases of how AI is Powering Cybercrime
AI in cybercrime is evolving fast, fueling AI phishing attacks, AI scam calls, AI voice cloning scams, and even AI deepfake scams. From Dark LLMs to next-gen AI phishing tactics, we break down how criminals exploit AI today and what you can do to stay protected.
Anton Ushakov
Threat Intelligence · August 27, 2025
ShadowSilk: A Cross-Border Binary Union for Data Exfiltration
This blog describes attacks on victims in Central Asia and APAC. Research into the attack has identified a group also called YoroTrooper. We also identified profiles of attackers on hacker forums, their malicious web-panels, test infections of attackers' own machines, and screenshots of attackers' desktops.
Nikita Rostovcev
Sergei Turner
Technologies · August 25, 2025
Trust issues: How email threats hide behind your partners
The most widely used email security tools still focus on yesterday’s threats. Meanwhile, attackers have moved on. By hijacking legitimate business relationships and embedding infostealers in familiar-sounding, well-written emails, cybercriminals bypass conventional defenses. The only way to keep up is by using a behavioral approach.
Ilya Pomerantcev
Fraud Protection · August 20, 2025
Evolving Mule Tactics in the META Region Banking Sector
Discover how mule operators evolved in META-region banks—from IP masking to Starlink tactics with advanced GPS spoofing, SIM abuse, and device muling—and how layered fraud detection strategies fought back.
Andrei Loshchev
Norah Altriri
Nurbolat Nygmetov
Fraud Protection · August 13, 2025
Exposing Investment Scams: AI Trading, Deepfake & Online Fraud
Discover how AI trading scams and deepfake scam videos fuel fake trading platforms. Discover how to spot investment scam signals and avoid online trading scams.
Azizbek Khakimov
Anton Fomin
Fraud Protection · August 6, 2025
The Anatomy of a Deepfake Voice Phishing Attack: How AI-Generated Voices Are Powering the Next Wave of Scams
Discover how AI voice deepfake vishing exploits trust, drains millions, and learn practical steps to detect and stop voice‑based scams.
Yuan Huang
Digital Forensics & Incident Response · July 30, 2025
UNC2891 Bank Heist: Physical ATM Backdoor & Linux Forensic Evasion
Deep dive into UNC2891’s multi‑stage bank intrusion: Raspberry Pi ATM implant, bind mount evasion, Dynamic DNS C2, and a CAKETAP move toward HSM manipulation.
Nam Le Phuong
Technologies · July 25, 2025
Predictive AI: The “Quiet Catalyst” Behind The Future of Cybersecurity
Think threat actors are unpredictable? The rise of intelligence-driven defense and the push for incident prediction might just give us the edge to know their next moves long before they make them.
Jasmine Kharbanda
Digital Forensics & Incident Response · July 23, 2025
Signed, Sealed, Altered? Deepdive into PDF Tampering
Assessing the validity of a PDF by using some of the tools and methods available to detect changes made to it, and understanding the limitations in proving PDF integrity.
Yeo Zi Wei
Technologies · July 22, 2025
Fraud-Proof Your Security: How BioConfirm Protects iGaming Platforms and Players
Enable real-time, token-based account security that stops withdrawal fraud before your brand, players, and their revenue are compromised.
Julien Laurent
Jasmine Kharbanda
Fraud Protection · July 17, 2025
Fake Receipts Generators: the rising threat to major retail brands
Scammers are using tools like MaisonReceipts to create fake receipts and exploit brands. Uncover how this growing fraud ecosystem works behind the scenes.
Anthony Gerlach
Aydos Kurbanaev
Sorint.Sec
Threat Intelligence · July 8, 2025
Combolists and ULP Files on the Dark Web: A Secondary and Unreliable Source of Information about Compromises
This blog analyzes combolist and URL-Login-Password (ULP) files published on the dark web and establishes why they are mostly a secondary or untrustworthy source of information about data compromises.
Semyon Botalov
Fraud Protection · July 7, 2025
Authenticate Users, Secure Transactions: How BioConfirm Secures High-Stakes Banking Operations
Introducing BioConfirm - Enable real-time, token-based user account security that stops withdrawal fraud before your brand, customers’ trust, and revenue are compromised.
Julien Laurent
Jasmine Kharbanda
Technologies · July 4, 2025
Exploiting Trust: How Signed Drivers Fuel Modern Kernel Level Attacks on Windows
Discover how attackers leverage Windows Kernel loaders and abuse digitally signed drivers to gain privileged access, disable security tools, and stealthily maintain control — bypassing traditional defenses and enabling advanced threat operations.
Mahmoud Zohdy
Technologies · July 4, 2025
One attack, one alert: From thousands of signals to one clear story
Discover how Smart Alert in Group-IB Managed XDR consolidates thousands of alerts into one, cuts alert volume by 80%, and automates SOC detection and triage with AI.
Ilya Pomerantcev
Malware Analysis · July 2, 2025
June’s Dark Gift: The Rise of Qwizzserial
Discovered by Group-IB in mid-2024, Qwizzserial was initially not very active but then began to spread widely in Uzbekistan, masquerading as legitimate applications. The malware steals banking information and intercepts 2FA SMS messages, transmitting them to fraudsters via Telegram bots.
Pavel Naumov
Amirbek Kurbanov
Anvar Anarkulov
Cyber Investigations · June 23, 2025
Middle East Cyber Escalation: From Hacktivism to Sophisticated Threat Operations
Regional Conflict Monitoring (June 13 - 20, 2025)
Batuhan Karakoç
Kuvonchbek Yorkulov
Karam Chatra
Amirbek Kurbanov
Scam & Phishing · June 19, 2025
Declaration trap: Crypto Drainers masquerading as European Tax Authorities
Scammers are using fake tax authority emails to deploy crypto drainers. Discover how the declaration trap works and how to protect your digital assets.
Nika Nepomniashchikh
Threat Landscape Overview · May 15, 2025
Disguised Cyber Risks On The Colombian Shore: The Insurance Trap
Uncover how cybercriminals in Colombia impersonate financial brands and exploit public data to craft convincing vehicle insurance scams.
Vlada Govorova
Hans Figueroa
Digital Forensics & Incident Response · May 8, 2025
Understanding Credential Harvesting via PAM: A Real-World Threat
Learn how attackers exploit Pluggable Authentication Modules (PAM) for credential harvesting—and discover defenses to harden Linux authentication.
Nam Le Phuong
Vito Alfano
Technologies · May 5, 2025
How To Avoid Critical Integration Mistakes In Your Cybersecurity Stack
Pavel Shepetina
Ransomware · April 30, 2025
Ransomware debris: an analysis of the RansomHub operation
This blog on RansomHub provides an overview of how this Ransomware-as-a-Service (RaaS) group operates, including its extortion tactics, affiliate recruitment strategies, and the features of its affiliate panel.
Pietro Albuquerque
Mahmoud Zohdy
Vito Alfano
Scam & Phishing · April 23, 2025
Toll of Deception: Where Evasion Drives Phishing Forward
Discover the latest phishing campaign targeting a major toll road service provider, where cybercriminals use sophisticated evasion techniques to bypass security detections. This in-depth blog reveals how threat actors exploit legitimate platforms and deploy cloaking methods to disguise malicious links, allowing them to evade detection by security solutions. Discover how these sophisticated tactics create highly convincing phishing pages designed to steal victims’ card information, and how to safeguard yourself against these evolving cyber threats.
Ha Thi Thu Nguyen
Hai Ha Phan
Bui Tuan Vu
Technologies · April 18, 2025
Fast, smart, and private: Group-IB introduces AI Assistant
Our new LLM-powered chatbot is designed for efficiency and security. Discover how Group-IB AI Assistant enhances threat intelligence workflows and provides security teams with instant insights — without compromising privacy.
Boris Zverkov
Cyber Investigations · April 16, 2025
Typical Dark Web Fraud: Where Scammers Operate and What They Look Like
Semyon Botalov
Technologies · April 11, 2025
CISOs Top Order Of Business: Cyber Risk Reduction & Management
For modern CISOs, cyber risk management and reduction are nonstop challenges. But this blog offers exactly what you need to build a strategy that empowers you to manage and mitigate threats—cutting through the noise of an otherwise demanding role.
Jasmine Kharbanda
Fraud Protection · April 9, 2025
SMS Pumping: How Criminals Turn Your Messaging Service into Their Cash Machine
Alexander Grabko
Threat Landscape Overview · April 3, 2025
Fraud Underbelly: Australia’s Digital Boom—A Fraudster’s Goldmine?
Know exactly how cybercriminals are orchestrating attacks on Australia’s citizens and digital assets, and why they are such a lucrative target.
Vaibhav Khandelwal
Ransomware · April 2, 2025
The beginning of the end: the story of Hunters International
Learn the technical details of the ransomware and the Storage Software tool, how the criminals use the affiliate panel, and the history of the Hunters International ransomware group from its emergence to the end of the operation.
Mahmoud Zohdy
Pietro Albuquerque
Abzal Aitoriyev
Technologies · March 27, 2025
Navigating Cybercrime Currents in Latin America: Strengthening the Region’s Defenses
Stripping away barriers of distance, language, and the unknown, Group-IB’s mission to fight cybercrime brings us to our latest frontier: Latin America. Join us as we uncover the region’s deceptive criminals and their tactics.
Vlada Govorova
Hans Figueroa
Scam & Phishing · March 26, 2025
Unmasking the Classiscam in Central Asia
Scams like Classiscam automate fake websites to steal financial data, exploiting the rise of digitalization in developing countries and making fraud both effective and hard to detect. In this blog, we dissect the inner workings of the scam and its prevalence in Central Asia.
Azizbek Khakimov
Sammy Pao
Hunting Rituals · March 24, 2025
Hunting Rituals #5: Why hypothesis-based threat hunting is essential in cybersecurity
Discover how hypothesis-driven threat hunting uncovered stealthy malware. Learn why having a dedicated in-house team or leveraging expert threat hunting services is crucial for modern cybersecurity.
Yiu Wai Leong
Yeo Zi Wei
Cyber Investigations · March 20, 2025
The Cybercriminal with Four Faces: Revealing Group-IB’s Investigation into ALTDOS, DESORDEN, GHOSTR and 0mid16B
Following the arrest of the cybercriminal behind the aliases ALTDOS, DESORDEN, GHOSTR, and 0mid16B, Group-IB provides a deep dive into his activities, uncovering striking similarities between the personas and unmasking the cybercriminal responsible for more than 90 data leaks worldwide over four years of operation.
Jessica Tedja
Vesta Matveeva
Threat Intelligence · March 13, 2025
ClickFix: The Social Engineering Technique Hackers Use to Manipulate Victims
Discover how the ClickFix social engineering attack exploits human psychology to bypass security. Learn how hackers use this tactic and how to protect against it.
Mansour Alhmoud
Sattam AlMohsen
Abdullah Alzeid
Technologies · March 10, 2025
The Evolution of SIM Swapping Fraud: How Fraudsters Bypass Security Layers
Discover how SIM swapping fraud has evolved, how cybercriminals bypass security layers, and the best ways to protect yourself from SIM swap attacks. Learn key prevention tips now.
Norah Altriri
Technologies · March 7, 2025
Building Zero Trust Security: Selectively Trust To Rightfully Secure
Build resilience with a zero trust cybersecurity model. Leverage your existing infrastructure for stronger security. Get all essential insights to start now.
Jasmine Kharbanda
Technologies · March 4, 2025
Technology Alone Isn’t the Answer to Cyber Threats: Time to Rethink Security Culture
Get the ABCs (Awareness, Behavior, and Culture) of cybersecurity right: an organization's silent drivers of cyber protection.
Jasmine Kharbanda
Fraud Protection · February 20, 2025
Fingerprint Heists: How your browser fingerprint can be stolen and used by fraudsters
Discover how cybercriminals steal browser fingerprints to mimic users, bypass security measures, and commit online fraud. Learn how to protect your digital identity.
Giovanni Barbieri
Dmitrii Yankelevich
Pavel Naumov
Dmitry Pisarev
Ransomware · February 12, 2025
RansomHub Never Sleeps Episode 1: The evolution of modern ransomware
Discover how ransomware has evolved into a sophisticated cyber threat, with groups like RansomHub leading the charge. Learn more about their adaptability, TTPs, and the rise of Ransomware-as-a-Service in this first part of a three-part series.
Vito Alfano
Nam Le Phuong
Mahmoud Zohdy
Pietro Albuquerque
Technologies · February 6, 2025
5 ways to leverage our Malware Reports for malware analysis
Discover 5 ways to leverage Malware Reports for daily analysis and improve detection. Perfect for SOC analysts, threat hunters, and reverse engineers.
Ilya Pomerantcev
Maria Viderman
Fraud Protection · February 5, 2025
The Dark Side of Automation and Rise of AI Agents: Emerging Risks of Card Testing Attacks
Card testing attacks exploit stolen credit card details through small, unnoticed purchases to verify active cards for larger fraud. Cybercriminals use bots, proxies, and automation to evade detection, making real-time fraud prevention challenging. Learn how these attacks work and how to protect against them.
Alisher Abdullaev
Andrei Loshchev
Maxim Baldakov
Ransomware · January 28, 2025
Cat’s out of the bag: Lynx Ransomware-as-a-Service
In this blog, we examine how the Lynx Ransomware-as-a-Service (RaaS) group operates, detailing the workflow of their affiliates within the panel, their cross-platform ransomware arsenal, customizable encryption modes, and advanced technical capabilities.
Nikolay Kichatov
Sharmine Low
Pietro Albuquerque
Cyber Investigations · January 22, 2025
Odds & Ends: Unraveling the Surebet Playbook
Discover the world of surebets, a strategy that guarantees profits by leveraging differing odds from multiple bookmakers. Explore how this approach impacts the betting market, challenging traditional profit models and increasing operational costs for bookmakers.
Julien Laurent
Alexander Grabko
Technologies · January 21, 2025
Group-IB’s GLOCAL Vision Leading The Fight Against Global Cybercrime
How is Group-IB evolving into a leading cybersecurity force that the community relies on?
Jasmine Kharbanda
Scam & Phishing · January 16, 2025
The Realty of Deception: Real Estate Frauds Uncovered in the Middle East
Real estate scams are on the rise as fraudsters exploit online platforms to deceive victims into paying for fake properties. This blog dives into how these scams operate in the Middle East, explains the tools and techniques used to detect and disrupt money-mule networks, and provides practical tips for staying safe.
Aya Ibrahim
Yusuf Gülcan
Stepan Kechko
Fraud Protection · January 13, 2025
Beyond AI: Group-IB’s Local Expertise in Fraud Protection
Minimize false positives, proactively prevent threats, and gain customized fraud protection with Group-IB. Our AI-powered solutions are fine-tuned by local experts and real-time threat intelligence in key regions, ensuring optimal security performance and minimal disruption to your business.
Julien Laurent
Fraud Protection · January 8, 2025
Social Engineering in Action: How Fraudsters Exploit Trust with Fake Refund Schemes in the Middle East
Fraudsters have devised a sophisticated scheme targeting banking customers in the Middle East, impersonating government officials and using remote access software to steal credit card information and OTP codes. This scam specifically targets individuals who have lodged complaints online via a government portal, taking advantage of their trust and willingness to cooperate in hopes of refunds, leading to significant financial losses through fraudulent transactions.
Stepan Kechko
Threat Landscape Overview · January 7, 2025
Cyber Predictions For 2025 (and Beyond): Group-IB’s Expert Take On What’s Coming
Don’t fall weak in the face of change and disruption. Review the upcoming cybersecurity changes and become equipped while there’s time!
Dmitry Volkov
Cyber Investigations · December 18, 2024
Patch Me If You Can: The Truth About Smartphone Vulnerabilities
Discover how smartphone manufacturers conceal security flaws, the risks these vulnerabilities pose to users and businesses, and actionable steps to protect devices from data breaches, identity theft, and exploitative attacks.
Sergey Nikitin
Scam & Phishing · December 11, 2024
Trust Hijacked: The Subtle Art of Phishing Through Familiar Facades
Explore the advanced tactics employed in recent email phishing campaigns targeting employees from over 30 companies across 12 industries and 15 jurisdictions. This blog unveils sophisticated techniques used to outsmart Secure Email Gateways (SEGs) and exploit trusted platforms, creating highly convincing schemes to deceive victims and steal their credentials.
Ha Thi Thu Nguyen
Hai Ha Phan
Fraud Protection · December 4, 2024
Deepfake Fraud: How AI is Deceiving Biometric Security in Financial Institutions
Group-IB’s Fraud Protection team examines how fraudsters use deepfake technology to bypass biometric security in financial institutions, including facial recognition and liveness detection. This blog highlights the use of emulators, app cloning, and virtual cameras to exploit vulnerabilities, and highlights the financial and societal impacts of deepfake fraud.
Yuan Huang
Scam & Phishing · November 28, 2024
Shady Bets: How to Protect Yourself from Gambling Fraud Online
Scammers are using fake betting game advertisements on social media to target users, with over 500 deceptive advertisements and 1,377 malicious websites identified by Group-IB CERT. These scams promise quick money but are designed to steal personal data and funds, and this blog aims to educate users on how to recognize and protect themselves from such threats.
Mahmoud Mosaad
Cyber Investigations · November 25, 2024
Rethinking investigation: Group-IB’s Graph takes a leap forward
Daria Shcherbatyuk
Cyber Investigations · November 21, 2024
Tracing the Path of VietCredCare and DuckTail: Vietnamese dark market of infostealers’ data
Following the arrest in May 2024 of more than 20 individuals behind Facebook infostealer campaigns in Vietnam, we have compared the tactics of the operators behind the VietCredCare and DuckTail stealers. These two malware families were active before the arrest in Vietnam and are believed to be controlled by Vietnamese threat actors. Based on the research, we concluded that the groups operate differently and that the arrest probably affected the VietCredCare operators.
Hai Ha Phan
Vesta Matveeva
Scam & Phishing · November 15, 2024
Strengthening AML Defenses: Detect Money Mules During Their ‘Warm-Up’ Phase
Know the need to catch mules early in their operations to protect you from severe risks, including large-scale money laundering, compliance breaches, and business and customer disruptions.
Julien Laurent
Advanced Persistent Threats · November 13, 2024
Stealthy Attributes of Lazarus APT Group: Evading Detection with Extended Attributes
In this blog, we examine a fresh take on concealing code in extended attributes to evade detection on macOS systems. This is a new technique that has yet to be included in the MITRE ATT&CK framework.
Sharmine Low
Hunting Rituals · November 7, 2024
Run from Chase Cyber Threats
Waiting for risks to be presented to you rather than actively hunting them down? After reading this, you might consider a shift in approach to improve detection and proactively counter sophisticated attacks.
Jasmine Kharbanda
Scam & Phishing · October 30, 2024
Delivery Deception: Escalating cybercriminal tactics in the Balkan region
Explore our latest findings on the surge of cyberattacks in the Balkan region, focusing on threats to financial institutions and critical infrastructure. Discover how phishing scams impersonating postal services are targeting citizens in Croatia, Romania, Serbia, and Slovenia, and learn about the implications for public safety and security. Stay informed and protected against the rising tide of cybercrime.
Ivan Salipur
Fraud Protection · October 29, 2024
Group-IB Fraud Protection: Know your real users, catch the fraudsters
Stop fraud, RATs, and malware with Group-IB's Fraud Protection AI. Our advanced behavioral analysis uses AI to detect and prevent threats in real-time, safeguarding your business and users.
Julien Laurent
Fraud Protection · October 25, 2024
Global iGaming? Tailor Your Security with Group-IB Fraud Protection
With Group-IB Fraud Protection, you can navigate the complexities of global iGaming regulations and risk. Tailor security measures for each market, optimize costs, and maximize growth. Learn how our advanced fraud detection and prevention tools can protect your players and profits.
Julien Laurent
Scam & Phishing · October 22, 2024
Woodn’t You Believe It? The Rise of Fake Wood Scams
In this blog we uncover a long-running scheme by scammers selling wood to people in France during the winter season, and how consumers and businesses can protect themselves from financial and reputational damage.
Anthony Gerlach
Threat Intelligence · October 17, 2024
Encrypted Symphony: Infiltrating the Cicada3301 Ransomware-as-a-Service Group
In this blog, we examine how the Cicada3301 Ransomware-as-a-Service (RaaS) group operates, detailing the workflow of their affiliates within the panel and examining the Windows, Linux, ESXi, and PowerPC variants of the ransomware.
Nikolay Kichatov
Sharmine Low
Fraud Protection · October 16, 2024
The firming grip of cyber fraud in Asia: What effective actions must banks take today?
Banks' current measures against cyber fraud are falling short – and the numbers don’t lie. That said, with a hyperactive threat landscape, what steps should you take to maximize cybersecurity?
Vaibhav Khandelwal
Digital Forensics & Incident Response · October 10, 2024
Unveiling USB Artifacts: A Comparative Analysis
Discover how USB artifacts enhance the tracking of user activity on files, examining the influence of operating systems, file systems, and applications on these crucial data traces.
Yeo Zi Wei
Alexey Kashtanov
Scam & Phishing · October 2, 2024
Pig Butchering Alert: Fraudulent Trading App targeted iOS and Android users
In this article, Group-IB specialists uncovered a large-scale fraud campaign involving fake trading apps targeting Apple iOS and Android users across multiple regions through the UniApp framework, and distributed through official app stores and phishing sites.
Andrey Polovinkin
Ransomware · September 25, 2024
Inside the Dragon: DragonForce Ransomware Group
In this blog, we look at the DragonForce ransomware group, which poses a severe threat with two variants—a LockBit fork and a customized Conti fork with advanced features and SystemBC malware.
Nikolay Kichatov
Sharmine Low
Alexey Kashtanov
Cyber Investigations · September 18, 2024
Storm clouds on the horizon: Resurgence of TeamTNT?
Investigations into recent campaigns suggest the reemergence of TeamTNT from 2023 to the present day, after the group went quiet in 2022.
Vito Alfano
Nam Le Phuong
Cyber Investigations · September 16, 2024
Concealed networks: Are dark web syndicates turning to social media for cybercrime?
Group-IB dark web investigations: find out how adversaries, to avoid prying eyes, increasingly shift from the dark web to social media to execute attacks, leak credentials, share exploitable vulnerabilities, and more.
Cyril Boussiron
Jennifer Soh
Malware Analysis · September 12, 2024
Ajina attacks Central Asia: Story of an Uzbek Android Pandemic
Discovered by Group-IB in May 2024, the Ajina.Banker malware is a major cyber threat in the Central Asia region, disguising itself as legitimate apps to steal banking information and intercept 2FA messages.
Boris Martynyuk
Pavel Naumov
Anvar Anarkulov
Digital Forensics & Incident Response · September 6, 2024
The Duality of the Pluggable Authentication Module (PAM)
The Group-IB DFIR Team has identified a new technique, not yet included in the MITRE ATT&CK framework, in which the pam_exec module is abused to obtain a privileged shell on a host and give a threat actor full persistence.
Vito Alfano
Nam Le Phuong
Advanced Persistent Threats · September 4, 2024
APT Lazarus: Eager Crypto Beavers, Video calls and Games
Explore the growing threats posed by the Lazarus Group's financially-driven campaign against developers. We will examine their recent Python scripts, including the CivetQ and BeaverTail malware variants, along with their updated versions in Windows and Python releases. Additionally, we will analyze their tactics, techniques, and indicators of compromise.
Sharmine Low
Ransomware · August 28, 2024
RansomHub ransomware-as-a-service
Learn why RansomHub's new affiliate program and its advanced ransomware tactics—recruiting former Scattered Spider members, exploiting unprotected RDP services, and exfiltrating large data volumes—are critical for staying ahead of modern cyber threats.
Abzal Aitoriyev
Anatoly Tykushin
Digital Forensics & Incident Response · August 26, 2024
Hiding in plain sight: Techniques and defenses against `/proc` filesystem manipulation in Linux
Group-IB explores methods of process visibility evasion through /proc filesystem manipulation in Linux, along with effective defenses to counteract these tactics.
Nam Le Phuong
Ransomware · August 14, 2024
Deciphering the Brain Cipher Ransomware
Deep dive into the Brain Cipher ransomware group's activities and techniques, and how they are seemingly linked to other ransomware groups such as EstateRansomware and SenSayQ.
Jennifer Soh
Vesta Matveeva
Threat Landscape Overview · August 7, 2024
Under Siege: The threat of compromised Mobile Device Management credentials and its implications for organizational security
The leakage of credentials for Mobile Device Management (MDM) services could pose significant risks to organizations and their data security.
Nikita Rostovcev
Threat Landscape Overview · August 2, 2024
NIS 2 compliance for EU businesses: Meet cybersecurity requirements before the deadline (October 17)
With NIS 2 non-compliance proving detrimental — resulting in millions in fines, business activity suspension, and more, become compliant while there’s still time!
Leonardo Cappabianca
Malware Analysis · July 31, 2024
Beware CraxsRAT: Android Remote Access malware strikes in Malaysia
CraxsRAT is a notorious Android malware family known for its Remote Administration Tools (RAT), which include remote device control and advanced spyware functions like keylogging, gesture manipulation, and recording of cameras, screens, and calls.
Pavel Naumov
Yuan Huang
Cyber Investigations · July 25, 2024
GXC Team Unmasked: The cybercriminal group targeting Spanish bank users with AI-powered phishing tools and Android malware
Specializing in AI-powered phishing-as-a-service and Android malware capable of intercepting OTP codes, the GXC Team targets Spanish bank users and 30 institutions worldwide
Anton Ushakov
Martijn van den Berk
Ransomware · July 17, 2024
Qilin Revisited: Diving into the techniques and procedures of the recent Qilin Ransomware Attacks
Discover the insidious tactics of the Qilin ransomware group, notorious for their $50 million attack on the healthcare sector, impacting key NHS hospitals.
Dmitry Volkov
Technologies · July 15, 2024
Group-IB Digital Risk Protection: How does it enable the fastest violation detection and takedown?
The digital space is riddled with risks to your brand. Ensure it stays defended with Group-IB Digital Risk Protection’s automated violation detection and takedown.
Afiq Sasman
Ransomware · July 10, 2024
Patch or Peril: A Veeam vulnerability incident
Delaying security updates and neglecting regular reviews created vulnerabilities that were exploited by attackers, resulting in severe ransomware consequences.
Yeo Zi Wei
Fraud Protection · July 8, 2024
Breaking silos: The convergence of cybersecurity and fraud prevention
Where adversaries do not hesitate to initiate blended attacks combining multiple tactics, why are security teams still operating in silos?
Jasmine Kharbanda
Ransomware · July 3, 2024
Eldorado Ransomware: The New Golden Empire of Cybercrime?
All about Eldorado Ransomware and how its affiliates make their own samples for distribution.
Nikolay Kichatov
Sharmine Low
Threat Intelligence · July 1, 2024
Boost your MSSP’s competitive edge: New strategies for leveraging Threat Intelligence
How to best empower your business clients’ cybersecurity with critical cyber threat intelligence
Vladimir Goliashev
Zlata Greenberg
Malware Analysis · June 26, 2024
Craxs Rat, the master tool behind fake app scams and banking fraud
The scam schemes enabled by Craxs Rat malware provide complete remote control of the victims’ devices. Defend yourself from being next.
Malware Analysis · June 21, 2024
Boolka Unveiled: From web attacks to modular malware
Uncovering the operations of threat actor Boolka, driven by the creation of malicious scripts, malware trojans, sophisticated malware delivery platforms, and more.
Rustam Mirkasymov
Martijn van den Berk
Malware Analysis · June 5, 2024
GoldPickaxe exposed: How Group-IB analyzed the face-stealing iOS Trojan and how to do it yourself
Learn how to protect your devices against evolving iOS threats
Sergey Nikitin
Threat Landscape Overview · May 27, 2024
Reorienting Cybersecurity: To GenAI or not to GenAI?
Amidst the GenAI revolution, how can you harness its potential to boost cybersecurity?
Jasmine Kharbanda
Fraud Protection · May 20, 2024
GDPR: A shield for consumers, a shackle for fraud fighters?
Does the GDPR, designed to protect customer data, unintentionally create opportunities for cybercriminals to exploit it?
Julien Laurent
Fraud Protection · May 6, 2024
Generative AI: Raising the stakes for fraud in iGaming
Fraudsters see potential in generative AI to defraud the gambling industry. Here’s how.
Julien Laurent
Threat Intelligence · April 18, 2024
Phishy Business: Unraveling LabHost’s scam ecosystem
Group-IB takes part in a global operation to cripple Canadian Phishing-as-a-Service provider LabHost
Alexander Sychev
Hunting Rituals · March 29, 2024
Hunting Rituals #4: Threat hunting for execution via Windows Management Instrumentation
Actionable insights on hunting for Windows Management Instrumentation (WMI) execution abuse
Roman Rezvukhin
Malware Analysis · March 15, 2024
In-Depth Analysis of Pegasus Spyware and How To Detect It on Your Mobile Devices
How do Pegasus and other spyware work discreetly to access everything on your iOS device?
Sergey Nikitin
Cyber Investigations · February 21, 2024
Extra credit: VietCredCare information stealer takes aim at Vietnamese businesses
Group-IB discovers new information stealer targeting Vietnam with rare functionality to filter out Facebook accounts with advertising credits
Hai Ha Phan
Vesta Matveeva
Malware Analysis · February 15, 2024
Face Off: Group-IB identifies first iOS trojan stealing facial recognition data
Group-IB uncovers the first iOS Trojan harvesting facial recognition data used for unauthorized access to bank accounts. The GoldDigger family grows
Andrey Polovinkin
Sharmine Low
Threat Intelligence · February 6, 2024
Dead-end job: ResumeLooters infect websites in APAC through SQL injection and XSS attacks
ResumeLooters gang infects websites with XSS scripts and SQL injections to vacuum up job seekers' personal data and CVs
Nikita Rostovcev
Cyber Investigations · January 16, 2024
Inferno Drainer: A Deep Dive into Crypto Wallet-Draining Malware
Inferno Drainer may have shut down in November 2023, but users of the devastating scam-as-a-service platform still pose a risk as they look for other avenues.
Vyacheslav Shevchenko
Hunting Rituals · December 29, 2023
Hunting Rituals #3: Threat hunting for scheduled tasks
Actionable guide to hunting for the scheduled tasks by using Group-IB MXDR
Roman Rezvukhin
Technologies · December 27, 2023
The future is now: Watch out for these 20 trends that will change the course of cybersecurity (Part 2)
Cybersecurity is changing, and changing fast. Learn how Group-IB can help you lead the change instead of being carried by it.
Dmitry Volkov
Technologies · December 20, 2023
The future is now: Watch out for these 20 trends that will change the course of cybersecurity (Part 1)
Cybersecurity is changing, and changing fast. Learn how Group-IB can help you lead the change instead of being carried by it.
Dmitry Volkov
Technologies · December 15, 2023
You versus adversaries: How to become unbeatable in 20 cybersecurity moves (Part 2)
Cybersecurity essentials that ensure your business stays undisrupted in the upcoming year.
Threat Intelligence · December 14, 2023
Ace in the Hole: exposing GambleForce, an SQL injection gang
Analysis of TTPs tied to GambleForce, which carried out SQL injection attacks against companies in the APAC region
Nikita Rostovcev
Technologies · December 8, 2023
You versus adversaries: How to become unbeatable in 20 cybersecurity moves (Part 1)
Cybersecurity essentials that will ensure your business stays undisrupted in the upcoming year.
Malware Analysis · December 7, 2023
Curse of the Krasue: New Linux Remote Access Trojan targets Thailand
This piece of malware has an insatiable appetite. Group-IB's Threat Intelligence unit offers their insights on the new RAT used in attacks against Thai companies.
Sharmine Low
Hunting Rituals · November 22, 2023
Hunting Rituals #2.2: Threat hunting for abuse of Windows Services
Actionable guide to hunting for the Windows Services abuse by using Group-IB MXDR.
Part 2: Execution of Windows Services
Roman Rezvukhin
Threat Intelligence · November 8, 2023
Ransomware manager: Investigation into farnetwork, a threat actor linked to five strains of ransomware
Take a deep dive into the operations of one of the most active players in the Ransomware-as-a-Service market.
Nikolay Kichatov
Digital Forensics & Incident Response · October 24, 2023
The untold story of incident response: Insider’s Gambit
Get a close look at details of the most notable cases faced by Group-IB’s Digital Forensics and Incident Response (DFIR) team
Zlata Greenberg
Threat Intelligence · October 17, 2023
Analyzing cyber activity surrounding the conflict in the Middle East
Hacktivists take center stage with DDoS, defacement attacks – summary of Week 1 and 2 of the conflict.
The blog was updated on Oct. 24, 2023.
Digital Forensics & Incident Response · October 16, 2023
The untold story of incident response: A Christmas Miracle
Twas the night before Christmas, when out came the cry, a cyberattack is happening, so stop them, won’t you try?
Artem Artemov
Zlata Greenberg
Fraud Protection · October 5, 2023
Let’s dig deeper: dissecting the new Android Trojan GoldDigger with Group-IB Fraud Matrix
Delve into the tactics of the GoldDigger Trojan and discover ways to safeguard your customers
Threat Intelligence · September 26, 2023
Dusting for fingerprints: ShadowSyndicate, a new RaaS player?
No sleep until the Cybercrime Fighters Club is done with finding the answer as to who is behind this new ransomware-as-a-service affiliate.
Eline Switzer
Joshua Penny
Michael Koczwara
Threat Landscape Overview · September 22, 2023
It’s a trap: Detecting a cryptominer on a popular website using Group-IB MXDR
Group-IB analysts discovered and analyzed a cryptojacking campaign on a popular educational resource using Group-IB Managed XDR.
Hunting Rituals · September 20, 2023
Hunting Rituals #2: Threat hunting for abuse of Windows Services
Actionable guide to hunting for the Windows Services abuse by using Group-IB MXDR.
Part 1: Creation/modification of Windows Services
Roman Rezvukhin
Digital Forensics & Incident Response · September 18, 2023
Incident Response through an opportunity lens: In conversation with Dmitry Volkov (CEO, Group-IB)
Gather valuable insights on how incident response can be a make-or-break factor in securing your business.
Dmitry Volkov
Scam & Phishing · September 7, 2023
From Rags to Riches: The illusion of quick wealth in investment scams
Group-IB Digital Risk Protection uncovers a malicious campaign leveraging almost 900 scam pages, with potential financial damage estimated at $280,000 over a four-month span
Olga Ulchenko
Anton Varygin
Fraud Protection · September 5, 2023
Stealing the extra mile: How fraudsters target global airlines in air miles and customer service scams
Uncover the vulnerabilities crippling the airline industry and learn how to implement appropriate countermeasures
Dmitry Pisarev
Gleb Malkov
Julien Laurent
Scam & Phishing · August 31, 2023
New hierarchy, heightened threat: Classiscam’s sustained global campaign
The automated scam-as-a-service program designed to steal your money and data is still going strong four years after launch
Threat Intelligence · August 23, 2023
Traders’ dollars in danger: CVE-2023-38831 zero-day vulnerability in WinRAR exploited by cybercriminals to target traders
Spoof extensions help cybercriminals target users on trading forums as 130 devices still infected at time of writing
Andrey Polovinkin
Hunting Rituals · August 17, 2023
Hunting Rituals #1: Threat hunting for DLL side-loading
Actionable guide to hunting for the DLL side-loading threat by using Group-IB MXDR.
Roman Rezvukhin
Fraud Protection · August 14, 2023
Breaking down Gigabud banking malware with Group-IB Fraud Matrix
Uncover the disruptive nature of Gigabud malware and take proactive measures to mitigate the associated risks
Pavel Naumov
Artem Grischenko
Threat Landscape Overview · August 4, 2023
JOIN THE CYBERCRIME FIGHTERS CLUB
Fighting cybercrime is more effective when we work together. Find out more about how you can work with Group-IB to document emerging threats.
Threat Intelligence · August 3, 2023
Demystifying Mysterious Team Bangladesh
Analysis of a highly active hacktivist group with global reach
Threat Landscape Overview · July 10, 2023
Clouded Judgment: how mismanaged cloud infrastructure can expose users to cyber risks
Discover how organizations unwittingly create vulnerabilities by misconfiguring their cloud infrastructure
Zakhar Kornyakov
Cyber Investigations · June 15, 2023
Busting CryptosLabs: a scam ring targeting French speakers for millions
Get all the undisclosed details that our investigators uncovered on CryptosLabs' full scope of fraudulent schemes
Anton Ushakov
Threat Landscape Overview · June 2, 2023
Operation Triangulation: Mapping the threat
What we know about the APT campaign to date and how to detect it
Advanced Persistent Threats · May 31, 2023
Dark Pink. Episode 2
APT Dark Pink is back with 5 victims in new countries.
Andrey Polovinkin
Threat Landscape Overview · May 30, 2023
Bridging the gap: How to leverage API security best practices to combat top 3 vulnerability types
Security misconfiguration, excessive data exposure, and injections are the top three API vulnerability types for financial and tech firms
Konstantin Damotsev
Advanced Persistent Threats · May 17, 2023
The distinctive rattle of APT SideWinder
Bridewell and Group-IB expose the APT’s unknown infrastructure
Nikita Rostovcev
Joshua Penny
Yashraj Solanki
Ransomware · May 15, 2023
The Qilin Ransomware: Analysis and Protection Strategies
All you need to know about Qilin ransomware and its operations targeting critical sectors.
Nikolay Kichatov
Technologies · May 2, 2023
Managed upgrades. Enhance malware analysis efficiency with Group-IB Malware Detonation Platform updates
New and modified malware detonation capabilities in Group-IB’s Managed XDR and Business Email Protection solutions for precise threat detection and analysis
Scam & Phishing · April 25, 2023
Tech (non)support: Scammers pose as Meta in Facebook account grab ploy
Group-IB Digital Risk Protection discovers more than 3,200 fake Facebook profiles in ongoing phishing campaign that sees scammers impersonate Meta support staff
Sharef Hlal
Karam Chatra
Cyber Investigations · April 21, 2023
Investigation into PostalFurious: a Chinese-speaking phishing gang targeting Singapore and Australia
How to investigate phishing campaigns
Jennifer Soh
Kristina Ivanova
Threat Intelligence · April 18, 2023
SimpleHarm: Tracking MuddyWater’s infrastructure
Group-IB analysts discovered the new MuddyWater infrastructure while researching the pro-state group’s use of the legitimate SimpleHelp tool.
Nikita Rostovcev
Ransomware · April 4, 2023
The old way: BabLock, new ransomware quietly cruising around Europe, Middle East, and Asia
Group-IB uncovers a new stealthy ransomware strain
Andrey Zhdanov
Vladislav Azersky
Threat Landscape Overview · March 31, 2023
36gate: supply chain attack
What is known about the 3CX supply chain incident and how to defend against it?
Ivan Pisarev
Victor Belov
Scam & Phishing · March 21, 2023
Venomous vacancies: Job seekers across MEA hit by sting in scammers’ tail
Group-IB uncovers more than 2,400 scam job pages in ongoing campaign targeting users in Egypt, KSA, Algeria, and 10 other MEA countries.
Sharef Hlal
Olga Ulchenko
Threat Landscape Overview · March 17, 2023
Bleak outlook: Mitigating CVE-2023-23397
Microsoft Outlook Elevation of Privilege Vulnerability
Fraud Protection · February 20, 2023
Bad Behaviour: How to detect banking trojans
Mobile banking users are being manipulated by attackers to authorize fraudulent transactions. Learn what financial service providers can do to render these organized crimes powerless.
Julien Laurent
Ransomware · February 17, 2023
Package deal: Malware bundles causing disruption and damage across EMEA
What happens when you combine ransomware with information stealers, remote access Trojans, and other malware in one easy-to-download package?
Svetlana Ostrovskaya
Andrey Zhdanov
Advanced Persistent Threats · February 13, 2023
Nice Try Tonto Team
How a nation-state APT attempted to attack Group-IB
Anastasia Tikhonova
Threat Landscape Overview · February 10, 2023
Know Thy Enemy: unraveling the “Hi-Tech Crime Trends 2022/2023” report
Which cybercrimes will dominate the threat landscape for 2023 and beyond? Find out!
Jasmine Kharbanda
Advanced Persistent Threats · January 11, 2023
Dark Pink
New APT hitting Asia-Pacific, Europe that goes deeper and darker
Andrey Polovinkin
Malware Analysis · December 21, 2022
Godfather Trojan – mobile banking malware that is impossible to refuse
Group-IB discovers banking Trojan targeting users of more than 400 apps in 16 countries
Artem Grischenko
Scam & Phishing · December 16, 2022
Scam-free Christmas
8 online scams to protect your customers from
Fraud Protection · November 28, 2022
Understanding Money Mules: The Hidden Link in Cybercrime
A money mule is someone who moves stolen funds across bank accounts on behalf of cybercriminals. Learn how money mules operate and how you can proactively counteract mule accounts.
Dmitry Pisarev
Julien Laurent
Scam & Phishing · November 9, 2022
Hired hand: Scammers mimic Saudi manpower provider
Group-IB uncovers one thousand (and one) fake domains that are part of a scam campaign targeting users in KSA
Mark Alpatsky
Sharef Hlal
Threat Intelligence · November 3, 2022
Armed and dangerous: an unquenchable thirst for money. The OPERA1ER APT in Africa
In 2019, Group-IB's Threat Intelligence team detected a series of attacks targeting financial organizations in Africa.
Rustam Mirkasymov
Threat Intelligence · November 3, 2022
Financially motivated, dangerously activated: OPERA1ER APT in Africa
The French-speaking gang managed to carry out over 30 successful attacks on banks, financial services and telecommunications companies, mainly located in Africa.
Rustam Mirkasymov
Threat Intelligence · October 24, 2022
Treasure trove. Alive and well point-of-sale malware
Analysis of months-long MajikPOS and Treasure Hunter campaign that infected dozens of terminals
Nikolay Shelekhov
Ransomware · October 19, 2022
Deadbolt ransomware decryption: unlock your data
The Group-IB Incident Response Team investigated an incident related to a DeadBolt attack and analyzed a DeadBolt ransomware sample
Andrey Zhdanov
Vladislav Azersky
Scam & Phishing · October 17, 2022
Scam is rising
With well-set digital marketing campaigns and professional call-centres
Technologies · September 28, 2022
Take control of your shadow IT
How Group-IB Attack Surface Management ensures full mastery of your external attack surface
Scam & Phishing · September 13, 2022
Letting off steam
Hackers use the browser-in-the-browser technique to steal Steam accounts
Dmitry Eroshev
Ivan Lebedev
Threat Intelligence · August 25, 2022
Roasting 0ktapus: The phishing campaign going after Okta identity credentials
Over 130 organizations have been compromised in a sophisticated attack using simple phishing kits
Rustam Mirkasymov
Roberto Martinez
Advanced Persistent Threats · August 18, 2022
APT41 World Tour 2021 on a tight schedule
4 malicious campaigns, 13 confirmed victims, and a new wave of Cobalt Strike infections
Nikita Rostovcev
Threat Intelligence · August 17, 2022
Switching side jobs
Links between ATMZOW JS-sniffer and Hancitor
Victor Okorokov
Fraud Protection · August 11, 2022
Challenge accepted
Detecting MaliBot, a fresh Android banking trojan, with a Fraud Protection solution
Scam & Phishing · July 29, 2022
Fake investment scams in Europe
How we almost got rich
Technologies · July 25, 2022
Under the Hood. Group-IB Managed XDR
What Group-IB’s new all-in-one solution offers: cybersecurity management, network event analysis, and lightning-fast stops to attacks
Technologies · June 30, 2022
Group-IB introduces the Unified Risk Platform
Group-IB’s platform allows organizations to overcome cyber risks
Malware Analysis · June 24, 2022
We see you, Gozi
Hunting the latest TTPs used for delivering the Trojan
Albert Priego
Threat Intelligence · June 16, 2022
“We find many things that others do not even see”
Nikita Rostovtsev on current cyber threats and his profession
Nikita Rostovcev
Threat Intelligence · June 16, 2022
Thousands of IDs exposed in yet another data breach in Brazil
Unsecured public-facing database allowed anyone to access ID selfies for months
Anastasia Tikhonova
Scam & Phishing · June 9, 2022
Swiss Army Knife Phishing
Group-IB identifies massive campaign capable of targeting clients of major Vietnamese banks
Ivan Lebedev
Advanced Persistent Threats · June 1, 2022
SideWinder.AntiBot.Script
APT SideWinder’s new tool that narrows their reach to Pakistan
Nikita Rostovcev
Alexander Badaev
Ransomware · April 14, 2022
Old Gremlins, new methods
Russian-speaking ransomware gang OldGremlin resumes attacks in Russia
Ivan Pisarev
Scam & Phishing · April 8, 2022
Scammers make off with $1.6 million in crypto
Fake giveaways hit bitcoiners again. Now on YouTube
Daniil Glukhov
Threat Landscape Overview · March 31, 2022
Mitigating Spring4Shell with Group-IB
What we know about Spring4Shell so far
Scam & Phishing · March 28, 2022
Empty Box
Group-IB unveils three groups of fraudsters behind delivery scams in Singapore
Ilia Rozhnov
Technologies · March 15, 2022
Lost & Found: Group-IB Unveils Attack Surface Management (ex. AssetZero)
Intelligence-Driven Attack Surface Management
Ransomware · February 18, 2022
Top 5 recommendations for preventing ransomware for 2022
With ransomware attacks on the rise, companies need to take a proactive approach to security. Group-IB has put together a list of actionable tips to help you protect your organization from the ransomware threats in 2022.
Technologies · February 7, 2022
Cleaning the atmosphere
Weak points in modern-day corporate email security
Ilya Pomerantcev
Cyber Investigations · January 28, 2022
Shedding light on the dark web
Cybersecurity analyst's guide on how to use machine learning to show cybercriminals' true colors
Vesta Matveeva
Yaroslav Polyanskiy
Threat Landscape Overview · December 23, 2021
Mitigating Log4Shell in Log4j with Group-IB
Group-IB's recommendations to mitigate this vulnerability and protect your organization.
Technologies · December 23, 2021
How MITRE ATT&CK® helps users of Threat Intelligence
The MITRE ATT&CK® framework became the industry standard to describe attack tactics and techniques.
Dmitry Volkov
Scam & Phishing · December 21, 2021
Ready-made fraud
Behind the scenes of targeted scams
Yakov Kravtsov
Yvgeny Egorov
Ransomware · December 9, 2021
Inside the Hive
Deep dive into Hive RaaS, analysis of latest samples
Dmitry Shestakov
Andrey Zhdanov
Nikolay Stepanov
Ransomware · November 3, 2021
The Darker Things
BlackMatter and their victims
Andrey Zhdanov
Threat Landscape Overview · October 28, 2021
Cannibal Carders
Group-IB uncovers largest networks of fake shops – phishing websites disguised as card shops
Ruslan Chebesov
Sergey Kokurin
Scam & Phishing · September 17, 2021
Scamdemic outbreak
Scammers attack users in Middle Eastern countries
Yvgeny Egorov
Yakov Kravtsov
Scam & Phishing · September 16, 2021
RUNLIR – phishing campaign targeting Netherlands
Phishers take an approach to bypass security controls never seen in the country
Ivan Lebedev
Reza Rafati
Technologies · August 13, 2021
Under the hood. Group-IB Threat Intelligence. Part 2
How we make Tailored Threat Intelligence
Dmitry Volkov
Threat Intelligence · August 6, 2021
Bold ad campaign
AWC joins illicit carding business by offering 1 million compromised cards for free
Sergey Kokurin
Ransomware · August 6, 2021
It’s alive!
The story behind the BlackMatter ransomware strain
Andrey Zhdanov
Threat Intelligence · August 5, 2021
Prometheus TDS
The key to success for Campo Loader, Hancitor, IcedID, and QBot
Victor Okorokov
Nikita Rostovcev
Advanced Persistent Threats · August 3, 2021
The Art of Cyberwarfare
Chinese APTs attack Russia
Anastasia Tikhonova
Technologies · July 29, 2021
Under the hood. Group-IB Threat Intelligence. Part 1
Dive into Breached DB section
Dmitry Volkov
Cyber Investigations · July 22, 2021
The Fraud Family
Fraud-as-a-Service operation targeting Dutch residents
Roberto Martinez
Anton Ushakov
Malware Analysis · July 2, 2021
The Brothers Grim
The reversing tale of GrimAgent malware used by Ryuk
Ransomware · June 30, 2021
REvil Twins: Ransomware-as-a-Service program
Deep Dive into Prolific RaaS Affiliates' TTPs
Advanced Persistent Threats · June 10, 2021
Big airline heist
APT41 likely behind a third-party attack on Air India
Nikita Rostovcev
Threat Intelligence · June 3, 2021
FontPack: A dangerous update
Attribution secrets: Who is behind stealing credentials and bank card data by asking to install fake Flash Player, browser or font updates?
Nikita Rostovcev
Ransomware · May 14, 2021
BlackCat Ransomware: Tactics, Techniques & Mitigation Strategies
An analysis of the BlackCat ransomware affiliate program
Andrey Zhdanov
Ransomware · May 7, 2021
Connecting the Bots
Hancitor fuels Cuba Ransomware Operations
Semyon Rogachev
Threat Intelligence · May 6, 2021
GrelosGTM group abuses Google Tag Manager to attack e-commerce websites
Group-IB specialists detected that the GrelosGTM group has started to abuse legitimate Google Tag Manager functionality to infect online shops.
Victor Okorokov
Threat Intelligence · April 14, 2021
Lazarus BTC Changer
Back in action with JS sniffers redesigned to steal crypto
Victor Okorokov
Scam & Phishing · April 12, 2021
Deep water: exploring phishing kits
Group-IB's Computer Emergency Response Team built a solid phishing kit database, which helps Group-IB fight phishing that targets specific brands.
Ivan Lebedev
Threat Intelligence · April 8, 2021
When Karma Comes Back
The rise and fall of illicit cardshop breached twice in two years
Sergey Kokurin
Threat Intelligence · April 5, 2021
Kremlin RATs from Nigeria
The analysis of phishing campaigns carried out by a new threat actor
Digital Forensics & Incident Response · March 17, 2021
Masters of disguise
Let's hunt some bootkits
Semyon Rogachev
Threat Intelligence · March 15, 2021
JavaScript sniffers’ new tricks
Analysis of the E1RB JS sniffer family
Victor Okorokov
Scam & Phishing · March 1, 2021
Inside Classiscam
A deep dive into Classiscam: automated scam as a service designed to steal money and payment data
Evgeny Ivanov
Yakov Kravtsov
Digital Forensics & Incident Response · January 26, 2021
The source of everything
Forensic examination of incidents involving source code leaks
Anatoly Tykushin
Threat Intelligence · December 23, 2020
New attacks by UltraRank group
As part of UltraRank's new campaign, the Group-IB Threat Intelligence team discovered 12 eCommerce websites infected with their JavaScript sniffer.
Victor Okorokov
Threat Intelligence · December 7, 2020
The footprints of Raccoon
A story about operators of JS-sniffer FakeSecurity distributing Raccoon stealer
Nikita Rostovcev
Ransomware · November 20, 2020
The Locking Egregor
Analysis of TTPs employed by Egregor operators
Semyon Rogachev
Ransomware · November 1, 2020
Big Game Hunting: Now in Russia
Top Russian companies and banks under attack from OldGremlin - a group controlling TinyCryptor ransomware
Rustam Mirkasymov
Fraud Protection · October 10, 2020
Group-IB Fraud Protection (ex. Fraud Hunting Platform)
Keeping user digital identity safe
Dmitry Volkov
Ransomware · September 10, 2020
Lock Like a Pro
A dive into ProLock's recent Big Game Hunting
Semyon Rogachev
Digital Forensics & Incident Response · July 5, 2020
Digital forensics specialist’s bookshelf
Top 11 books on digital forensics, incident response, and malware analysis
Igor Mikhailov
Threat Intelligence · May 29, 2020
IcedID: new malware version
When ice burns through bank accounts
Ivan Pisarev
Ransomware · May 14, 2020
ATT&CKing ProLock Ransomware
The success of enterprise ransomware attacks has motivated more and more threat actors to join the game.
Threat Intelligence · April 30, 2020
PerSwaysion Campaign
Playbook of Microsoft Document Sharing-Based Phishing Attack
Feixiang He
Digital Forensics & Incident Response · April 28, 2020
Reconstructing User Activity for Forensics with FeatureUsage
A useful feature that can help forensic analysts and incident responders reconstruct user activity.
Digital Forensics & Incident Response · February 20, 2020
Chromium-based Microsoft Edge from a Forensic Point of View
Explore the forensic perspective of the Microsoft Edge Chromium-based version and its features, such as msedge_proxy, edge cache location, and more.
Svetlana Ostrovskaya
Digital Forensics & Incident Response · January 17, 2020
Hunting for Nextcloud Cloud Storage Forensic Artifacts on Endpoints
Forensic artifacts that can be found during the forensic examination of a Windows endpoint.
Digital Forensics & Incident Response · December 20, 2019
A Shortcut to Compromise: Cobalt Gang phishing campaign
Cobalt Gang is alive and well, and continued to attack financial institutions around the globe in 2019.
Digital Forensics & Incident Response · December 11, 2019
Hunting for Attacker’s Tactics and Techniques With Prefetch Files
Windows Prefetch files were introduced in Windows XP and since that time have helped digital forensics analysts and incident responders find evidence of execution.
Technologies · November 18, 2019
Group-IB unveils its Graph
The story about Group-IB searching for graph analysis solution and creating its own unique instrument
Dmitry Volkov
Threat Intelligence · November 8, 2019
Massive malicious campaign by FakeSecurity JS-sniffer
Group-IB specialists detected a new JS-sniffer family called FakeSecurity.
Victor Okorokov
Digital Forensics & Incident Response · November 7, 2019
WhatsApp in Plain Sight: Where and How You Can Collect Forensic Artifacts
All about WhatsApp forensics and the wealth of data extracted from a device through forensic analysis.
Igor Mikhailov
Threat Intelligence · November 5, 2019
RDoS attacks by fake Fancy Bear hit banks in multiple locations
Group-IB experts have detected a massive email campaign spreading similar ransom demands sent to banks and financial organizations across the world.
Anastasia Tikhonova
Digital Forensics & Incident Response · October 4, 2019
No Time to Waste
How Windows 10 Timeline Can Help Forensic Experts
Igor Mikhailov
Ransomware · September 30, 2019
50 Shades of Ransomware
The following article examines forensic artifacts left by the Shade cryptolocker and maps used tactics and techniques to MITRE ATT&CK.
Digital Forensics & Incident Response · September 26, 2019
Tools up: the best software and hardware tools for computer forensics
Igor Mikhailov gave his review of the best software and hardware solutions for computer forensics.
Igor Mikhailov
Cyber Investigations · June 11, 2019
Voting results of “The Voice Kids Russia Season 6”
Threat Intelligence · May 29, 2019
Catching fish in muddy waters
How the hacker group MuddyWater attacked a Turkish manufacturer of military electronics
Anastasia Tikhonova
Nikita Rostovcev
Digital Forensics & Incident Response · May 8, 2019
Following the RTM
Forensic examination of a computer infected with a banking trojan
Threat Intelligence · April 26, 2019
Meet the JS-Sniffers 4: CoffeMokko Family
Group-IB researchers have discovered 38 families of JS-sniffers, whereas only 12 were known previously.
Victor Okorokov
Threat Intelligence · April 25, 2019
Meet the JS-Sniffers 3: Illum Family
Group-IB researchers discovered Illum JS-sniffers family designed to steal payment data of customers of online stores.
Victor Okorokov
Threat Intelligence · April 19, 2019
Meet the JS-Sniffers 2: G-Analytics Family
Group-IB discovered that the stolen payment cards data is sold through an underground store specially created for this purpose.
Victor Okorokov
Threat Intelligence · April 9, 2019
Meet the JS-Sniffers: ReactGet Family
ReactGet is one of the most interesting families of JS-sniffers, designed to steal banking cards data from online stores.
Victor Okorokov
Threat Intelligence · April 4, 2019
Gustuff: Weapon of Mass Infection
Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, a number of cryptocurrency and marketplace applications
Ivan Pisarev
Scam & Phishing · February 5, 2019
The end of torrents era in Russia
Currently, a total of 80% of pirated films and almost 90% of TV series are being watched online
Threat Intelligence · September 5, 2018
Silence: Moving into the Darkside
Group-IB has exposed the attacks committed by Silence cybercriminal group.
Threat Intelligence · May 29, 2018
Cobalt Renaissance
New attacks and joint operations
Rustam Mirkasymov
Threat Intelligence · December 11, 2017
MoneyTaker: in pursuit of the invisible
Group-IB has uncovered a hacker group attacking banks in the USA and Russia
Cyber Investigations · November 27, 2017
When Hackers are Quicker than Antiviruses: Cobalt Group Bypasses Antivirus Protection
Andrey Zosimov
Scam & Phishing · November 2, 2017
In a Queue for a Scam
How fraudsters cash in on hype around new iPhones
Threat Intelligence · October 26, 2017
NotPetya pulls BadRabbit out of the hat
Research revealed that the BadRabbit code was compiled from NotPetya sources.
Rustam Mirkasymov
Threat Intelligence · October 24, 2017
BadRabbit: spread of new cryptolocker
There is a connection between BadRabbit and NotPetya
Scam & Phishing · October 19, 2017
‘Black spot’ for pirates
Russia has developed a strong legal framework to combat online piracy. All that is needed is for it to be used effectively (especially for Forbes.ru)
Ilya Sachkov
Scam & Phishing · September 26, 2017
Airline companies «landing» on fake pages
Top global airline companies have been compromised by fraudsters for the second time during the last six months.
Threat Intelligence · August 15, 2017
Secrets of Cobalt
How Cobalt hackers bypass your defenses
Vesta Matveeva
Threat Landscape Overview · August 10, 2017
Insecure venture
On the price of hacker attacks and the toxic cyber environment
Threat Intelligence · August 4, 2017
Kronos devouring its children
The man who "saved the world" from the WannaCry outbreak has been arrested on suspicion of being the author of Kronos banking Trojan
Threat Intelligence · August 2, 2017
Hacktivists unmasked
Group-IB reveals the identity of alleged members of the Islamic hacker group United Islamic Cyber Force
Threat Landscape Overview · July 24, 2017
Targeted attacks on banks
Russia as a testing ground
Ilya Sachkov
Ransomware · June 27, 2017
Petya starts with Ukraine and then goes global
Group-IB has identified the ransomware that has infected energy, telecommunications and financial companies
Scam & Phishing · June 5, 2017
Ghost flights
Top global airline companies have been compromised through fake links distributed by "friends" on Facebook
Advanced Persistent Threats · May 30, 2017
LAZARUS ARISEN
Group-IB reveals the unknown details of attacks from one of the most notorious APT groups: sophisticated espionage and APT techniques of the North Korean state-sponsored hackers
Ransomware · May 11, 2017
Echoes of cyberwar
Why WannaCry was more dangerous than other ransomware?
Ilya Sachkov
Threat Landscape Overview · January 23, 2017
In a Risk Group
Why cyberattacks may soon be at the top of the world rating of threats (Ilya Sachkov for RBC)
Ilya Sachkov
Cyber Investigations · January 13, 2016
Cron has fallen
Group-IB supports operations to arrest gang for infecting 1 million smartphones