| Technique | Description | Detection sources |
|---|---|---|
| WhatsApp QR Code Phishing | Star Blizzard sends initial emails containing deliberately broken QR codes to elicit a reply, then follows up with malicious t[.]ly shortened links that redirect to fake WhatsApp group join pages; these pages host device-linking QR codes that, once scanned, link an attacker-controlled device for account takeover [1] | Email security logs, URL filtering logs, DNS queries for t[.]ly domains, browser history for WhatsApp Web access patterns |
| DLL Side-Loading via PowerPoint | The APT29 GRAPELOADER campaign uses a legitimate PowerPoint executable (wine.exe) to side-load a malicious DLL (ppcore.dll) through delayed imports, accompanied by a bloated dependency DLL (AppvIsvSubsystems64.dll) [3] | Process creation logs (Event ID 4688), DLL load events, file creation in the POWERPNT directory, modifications to Run registry keys |
| Wine-Themed Diplomatic Phishing | APT29 impersonates a European Ministry of Foreign Affairs, sending wine-tasting event invitations with malicious links that download wine.zip archives containing GRAPELOADER [3] | Email logs for the bakenhof[.]com and silry[.]com domains, downloads of wine.zip, process execution of wine.exe |
| RegSvr32 QakBot Deployment | FIN7 uses ISO files containing LNK shortcuts to execute QakBot via RegSvr32, bypassing Mark-of-the-Web protections [2] | regsvr32.exe process creation from TEMP directories, ISO mount events, scheduled task creation |
| Reflective DLL Injection | FIN7 reflectively loads a DLL into its own process memory and enumerates running processes with the CreateToolhelp32Snapshot, Process32FirstW and Process32NextW APIs [2] | Memory allocation events, VirtualAlloc/VirtualProtect API calls, unusual behaviour from explorer.exe or svchost.exe |
| ADSI-Based Discovery | Threat actors have shifted from PowerShell tooling to Active Directory Service Interfaces (ADSI) for internal reconnaissance in order to evade detection [6] | LDAP queries, ADSI object access logs, unusual authentication patterns against domain controllers |
| EDR Bypass Tool Usage | Ransomware groups targeting manufacturing use EDR bypass tools such as KillAV, TrueSightKiller and EDR Kill Shifter alongside BYOVD (bring-your-own-vulnerable-driver) techniques instead of traditional obfuscators [6] | Security product service stops, driver load events, unsigned driver installations, termination of security tool processes |
| RMM Tool Persistence | Increased use of legitimate Remote Monitoring and Management (RMM) tools such as AnyDesk, ConnectWise and SimpleHelp for persistence and command execution [6] | Installation of RMM software, network connections to RMM services, process execution spawned by RMM tools |
| Cloud Exfiltration via Rclone | Threat actors use Rclone, MEGAcmd and cloud-provider tooling to exfiltrate data to cloud services [6] | Execution of rclone.exe or MEGAcmd, large outbound transfers to cloud services, configuration files for cloud sync tools |
| VPN Vulnerability Exploitation | APT28 exploits CVE-2023-23397 (Outlook privilege escalation) and CVE-2023-20273 (Cisco ASA/FTD RCE) for initial access into NATO-aligned organizations [5] | VPN authentication logs, Outlook process anomalies, exploitation attempts against CVE-2023-23397 and CVE-2023-20273 |
| Password Spraying Campaigns | APT28 conducts password spraying attacks against OWA and VPN services, targeting logistics and defense supply chains [5] | Authentication failure patterns (Event ID 4625), many logon attempts from a single source IP, OWA and VPN access logs |
| String Obfuscation Evasion | GRAPELOADER and new WINELOADER variants process strings in three functions (retrieve the encrypted blob, decrypt it with a custom algorithm, immediately zero the memory) to defeat automated string extraction tools [3] | Memory allocation patterns, API calls to string manipulation functions, process memory analysis |
| Shellcode Execution Evasion | GRAPELOADER changes memory protection in stages (PAGE_READWRITE → PAGE_NOACCESS → PAGE_EXECUTE_READWRITE) with a 10-second sleep to evade AV/EDR memory scanning [3] | VirtualProtect API calls, memory protection changes, CreateThread with suspended threads, ResumeThread calls |
| Dave Loader to Minodo Deployment | FIN7, collaborating with former Conti members, uses Dave Loader to deploy the Minodo backdoor, which gathers system information via the GetUserNameA, GetComputerNameExA and GetNativeSystemInfo APIs [2] | API calls to user/computer name functions, system information queries, network connections to C2 infrastructure |
| Black Basta Ransomware Deployment | FIN7 deploys Black Basta ransomware after a QakBot infection, immediately deleting Volume Shadow Copies with vssadmin.exe and encrypting files with ChaCha20/RSA-2096 [2] | vssadmin.exe execution for shadow copy deletion, file system enumeration via FindFirstFileW/FindNextFileW, file encryption activity |
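The "Password Spraying Campaigns" row points at Event ID 4625 failure patterns and many attempts from a single source IP. The following added example (not part of the report) turns that into detection logic: it flags a source that fails logons against many distinct accounts within a short window, which separates spraying from single-account brute force. The log format and sample lines are constructed for the example.

```python
# Added example (not from the report): flag sources whose 4625 logon failures
# span many distinct accounts in a short window (spraying), unlike brute
# force, which hammers one account. The log lines below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
import re

SAMPLE_4625 = """\
2024-05-01T08:00:01Z EventID=4625 TargetUserName=alice IpAddress=203.0.113.7 Status=0xC000006D
2024-05-01T08:00:02Z EventID=4625 TargetUserName=bob IpAddress=203.0.113.7 Status=0xC000006D
2024-05-01T08:00:03Z EventID=4625 TargetUserName=carol IpAddress=203.0.113.7 Status=0xC000006D
2024-05-01T08:00:04Z EventID=4625 TargetUserName=dave IpAddress=203.0.113.7 Status=0xC000006D
2024-05-01T08:00:05Z EventID=4625 TargetUserName=erin IpAddress=203.0.113.7 Status=0xC000006D
2024-05-01T08:00:06Z EventID=4625 TargetUserName=frank IpAddress=203.0.113.7 Status=0xC000006D
2024-05-01T08:05:00Z EventID=4625 TargetUserName=alice IpAddress=198.51.100.9 Status=0xC000006D
2024-05-01T08:05:01Z EventID=4625 TargetUserName=alice IpAddress=198.51.100.9 Status=0xC000006D
2024-05-01T09:30:00Z EventID=4624 TargetUserName=bob IpAddress=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4625 TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)"
)

def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: sorted distinct accounts} for every source that
    fails logons against at least min_accounts distinct accounts within window."""
    events = defaultdict(list)  # ip -> [(timestamp, user)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # non-4625 or malformed line
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["ip"]].append((ts, m["user"]))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0  # sliding window over this source's failures
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            if len(users) >= min_accounts:
                # report every account this source failed against
                hits[ip] = sorted({u for _, u in evs})
                break
    return hits
```

Tune `window` and `min_accounts` to the tenant's normal failure rate; a lockout-aware sprayer stays under the per-account threshold, so the distinct-account count per source is the signal.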