DragonForce actors target SimpleHelp vulnerabilities to attack MSP, customers

Threat Research – Sophos News

By:gallagherseanm

27 May 2025 at 05:00

Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network

DragonForce targets rivals in a play for dominance

Threat Research – Sophos News

By:Angela Gunn

21 May 2025 at 08:00

Not content with attacking retailers, this aggressive group is fighting a turf war with other ransomware operators

A screen capture of the 19 March 2025 announcement; the intro reads "Today I would like to present to you our new direction, we are starting to work in a new vein, according to a new principle. You no longer have to work under our brand, now you can create your own brand under the auspices of an already proven partner time! We the DragonForce Ransomware cartel present to you 'projects' now you create yourself."

Two screens showing the BlackLock and Mamona defacements as described in text

A screen capture showing the DragonForce mention on RansomHub as described in text

A screen capture showing the "collaboration" -- text reads "DragonForce & RansomHub -- Hi. Don't worry RansomHub will be up soon, they just decided to move to our infrastructure! We are reliable partners. A good example of how 'projects' work, a new option from The DragonForce Ransomware Cartel!" A postscript at the bottom reads "P.S. -- RansomHub hope you are doing well, consider our offer! We are waiting for everyone in our ranks."

An image showing a crossed-out DragonForce logo and three derpy-looking cartoon dragons

A pair of images; on the left, DragonForce announcement reads "We will be up soon -- Our blog and files server will be up on 29.04.2025 00:00 UTC Thank you for your patience." On the right, the RansomHub announcement reads "Went on a journey... We're still in search for a pirates!"

A familiar playbook with a twist: 3AM ransomware actors dropped virtual machine with vishing and Quick Assist

Threat Research – Sophos News

By:gallagherseanm

20 May 2025 at 12:30

Another adversary picks up the email bombing / vishing Storm-1811 playbook, doing thorough reconnaissance to target specific employees with fake help desk call—this time, over the phone.

A timeline of the 3AM Ransomware actor’s attack.

Figure 2: Discussion about Blacksuit (now rebranded as 3AM) in the leaked BlackBasta chat logs

Beyond the kill chain: What cybercriminals do with their money (Part 5)

Threat Research – Sophos News

By:Matt Wixey

15 May 2025 at 07:00

In the last of our five-part series, Sophos X-Ops explores the implications and opportunities arising from threat actors’ involvement in real-world industries and crimes

Beyond the kill chain: What cybercriminals do with their money (Part 4)

Threat Research – Sophos News

By:Matt Wixey

15 May 2025 at 07:00

In the fourth of our five-part series, Sophos X-Ops explores threat actors’ real-world criminal business interests

A screenshot from a criminal forum, including a photographs of a sarcophagus

A screenshot of a phishing platform, showing various buttons/links with Russian text

Beyond the kill chain: What cybercriminals do with their money (Part 3)

Threat Research – Sophos News

By:Matt Wixey

15 May 2025 at 07:00

In the third of our five-part series, Sophos X-Ops explores the more legally and ethically dubious business interests of financially motivated threat actors

A screenshot of a winning 'cryptocurrency lottery' ticket

A photograph of two bunk beds with white sheets and grey metal frames. In the background is a green cabinet, a window, and a small green desk and stool,

Beyond the kill chain: What cybercriminals do with their money (Part 2)

Threat Research – Sophos News

By:Matt Wixey

15 May 2025 at 07:00

In the second of our five-part series, Sophos X-Ops investigates the so-called ‘white’ (legitimate) business interests of threat actors

A photograph, partially redacted, of a paper statement of company infomation along with a mobile phone showing messages on a criminal forum

A photograph of a small house/outbuilding in a wooded area, with a bench and barbeque in the foreground on a patio surface

A screenshot of a messaging app conversation. One of the messages is a picture of a construction site, along with a PDF attachment from a bank

Beyond the kill chain: What cybercriminals do with their money (Part 1)

Threat Research – Sophos News

By:Matt Wixey

15 May 2025 at 07:00

Sophos X-Ops investigates what financially motivated threat actors invest their ill-gotten profits in, once the dust has settled

Microsoft primes 71 fixes for May Patch Tuesday

Threat Research – Sophos News

By:Angela Gunn

14 May 2025 at 10:26

Five issues actively exploited in the wild, but the real excitement may have been handled in advance

a bar chart showing distribution of May's patches by impact, further color-coded by severity; information in text

A bar chart showing distribution of May's patches, sorted by product family; information covered in text

A bar chart showing the cumulative patch counts for 2025, sorted by impact and further indicating severity

Lumma Stealer, coming and going

Threat Research – Sophos News

By:Angela Gunn

9 May 2025 at 04:12

The high-profile information stealer switches up its TTPs, but keeps the CAPTCHA tactic; we take a deep dive

A legitimate-seeming verification challenge

A second verification challenge, described in text

A flow chart depicting attack flow for Lumma Stealer

A listing of assorted files dropped by the malicious downloader

Log activity caused by the described EXE

An apparently legitimately "PDF," with a warning visible

A system message indicating that authorship of the alleged "PDF cannot be verified

A view of the shortcut showing a great deal of obfuscation

A CyberChef screen showing the code under examination

The questionable file, semi-decoded, now seen in Base64

Another obfuscated view, this time of the execution instruction

A large block of obfuscation with many amusing words, mainly concerning snacks

February Patch Tuesday delivers 57 packages

Threat Research – Sophos News

By:Angela Gunn

11 February 2025 at 14:17

After January’s deluge, a calmer update volume returns

Scalable Vector Graphics files pose a novel phishing threat

Threat Research – Sophos News

By:Andrew Brandt

5 February 2025 at 11:01

The SVG file format can harbor malicious HTML, scripts, and malware

Update: Cybercriminals still not fully on board the AI train (yet)

Threat Research – Sophos News

By:Matt Wixey

28 January 2025 at 07:00

A year after our initial research on threat actors’ attitudes to generative AI, we revisit some underground forums and find that many cybercriminals are still skeptical – although there has been a slight shift

Reading view