ISC Handlers

Back to Handlers

May 2021 Forensic Contest
April 2021 Forensic Quiz: Answers and Analysis
April 2021 Forensic Quiz
Analysis from March 2021 Traffic Analysis Quiz
March 2021 Traffic Analysis Quiz
Qakbot infection with Cobalt Strike
Malspam pushes GuLoader for Remcos RAT
Malspam pushing Trickbot gtag rob13
Phishing message to the ISC handlers email distro
Excel spreadsheets push SystemBC malware
TA551 (Shathak) Word docs push Qakbot (Qbot)
Qakbot activity resumes after holiday break
Throwback Friday: An Example of Rig Exploit Kit
Hancitor activity resumes after a hoilday break
Emotet infections and follow-up malware
End of Year Traffic Analysis Quiz
Recent Qakbot (Qbot) activity
Traffic Analysis Quiz: Mr Natural
Traffic Analysis Quiz: DESKTOP-FX23IK5
Emotet -> Qakbot -> more Emotet
Traffic Analysis Quiz: Ugly-Wolf.net
More TA551 (Shathak) Word docs push IcedID (Bokbot)
Traffic Analysis Quiz: Oh No... Another Infection!
Recent Dridex activity
TA551 (Shathak) Word docs push IcedID (Bokbot)
Traffic Analysis Quiz: What's the Malware From This Infection?
Word docs with macros for IcedID (Bokbot)
Excel spreasheet macro kicks off Formbook infection
Job application-themed malspam pushes ZLoader
Polish malspam pushes ZLoader malware
Microsoft Word document with malicious macro pushes IcedID (Bokbot)
Malspam with links to zip archives pushes Dridex malware
German malspam pushes ZLoader malware
Qakbot malspam sent from an infected Windows host
Recent Dridex activity
Trickbot gtag red5 distributed as a DLL file
Hancitor distributed through coronavirus-themed malspam
Malpsam pushes Ursnif through Italian language Word docs
Fake browser update pages are "still a thing"
Emotet epoch 1 infection with Trickbot gtag mor84
German language malspam pushes Ursnif
Malspam with links to Word docs pushes IcedID (Bokbot)
Emotet infection with spambot activity
German language malspam pushes yet another wave of Trickbot
Ursnif infection with Dridex
Finding an Agent Tesla malware sample
Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike
An example of malspam pushing Lokibot malware, November 2019
More malspam pushing Formbook
What data does Vidar malware steal from an infected host?
A recent example of Emotet malspam
Malspam pushing Quasar RAT
Emotet malspam is back
Malspam using password-protected Word docs to push Remcos RAT
Recent example of MedusaHTTP malware
Recent AZORult activity
Rig Exploit Kit sends Pitou.B Trojan
Malspam with password-protected Word docs pushing Dridex
An infection from Rig exploit kit
Email roulette, May 2019
Blue + Red: An Infosec Purple Pyramid
Malspam pushes Emotet with Qakbot as the follow-up malware
Malspam with password-protected word docs still pushing IcedID (Bokbot) with Trickbot
More Russian language malspam pushing Shade (Troldesh) ransomware
Fake Updates campaign still active in 2019
Hancitor malspam and infection traffic from Tuesday 2019-02-05
Malspam with Word docs uses macro to run Powershell script and steal system data
Heartbreaking Emails: "Love You" Malspam
Malspam links to password-protected Word docs that push IcedID (Bokbot)
Campaign evolution: Hancitor changes its Word macros
Malspam pushing Lokibot malware
Russian language malspam pushing Shade (Troldesh) ransomware
Emotet infection with IcedID banking Trojan
Day in the life of a researcher: Finding a wave of Trickbot malspam
More malspam using password-protected Word docs
Campaign evolution: Hancitor malspam starts pushing Ursnif this week
One Emotet infection leads to three follow-up malware infections
Sextortion Spam and the Infinite Monkey Theorem
More malspam pushing password-protected Word docs for AZORult and Hermes Ransomware
DHL-themed malspam reveals embedded malware in animated gif
Malspam with password-protected Word docs pushes Hermes ransomware
Recent Emotet activity
More malspam pushing Lokibot
Malspam pushing coin miner and other malware
Cryptocurrency-themed phishing emails
Phishing emails for fake MyEtherWallet login page
Malspam pushing Trickbot malware on Friday 2018-05-11
Malspam pushing ransomware using two layers of password protection to avoid detection
Glitch in malspam campaign temporarily reduces spread of GandCrab
Malspam pushing Sigma ransomware
Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there
Malspam pushing Formbook info stealer
GandCrab Ransomware: Now Coming From Malspam
3 examples of malspam pushing Loki-Bot malware
RTF files for Hancitor utilize exploit for CVE-2017-11882
Reviewing the spam filters: Malspam pushing Gozi-ISFB
Fake anti-virus pages popping up like weeds
Pornographic malspam pushes coin miner malware
More Malspam pushing Emotet malware
One month later, Magniber ransomware is still out there
Resume-themed malspam pushing Smoke Loader
Necurs Botnet malspam pushes Locky using DDE attack
HSBC-themed malspam uses ISO attachments to push Loki Bot malware
Hancitor malspam uses DDE attack
Malspam pushing Formbook info stealer
Malspam pushing Word documents with Hancitor malware
Emails threatening DDoS allegedly from Phantom Squad
Email attachment using CVE-2017-8759 exploit targets Argentina
Malspam pushing Locky ransomware tries HoeflerText notifications for Chrome and FireFox
Malspam pushing Trickbot banking Trojan
How are people fooled by this? Email to sign a contract provides malware instead.
Malspam pushing Emotet malware
NemucodAES and the malspam that distributes it
Catching up with Blank Slate: a malspam campaign still going strong
Petya? I hardly know ya! - an ISC update on the 2017-06-27 ransomware outbreak
Checking out the new Petya variant
Wide-scale Petya variant ransomware attack noted
A Tale of Two Phishies
Jaff ransomware gets a makeover
Seamless Campaign using Rig Exploit Kit to send Ramnit Trojan
Malspam on 2017-04-11 pushes yet another ransomware variant
April 2017 Microsoft Patch Tuesday
Dridex malspam seen on Monday 2017-04-10
"Blank Slate" malspam still pushing Cerber ransomware
Malspam with password-protected Word documents
Brazilian malspam sends Autoit-based malware
Hancitor/Pony malspam
CryptoShield Ransomware from Rig EK
Ticketbleed vulnerability affects some f5 appliances
Sage 2.0 Ransomware
Upatre/Dyre - the daily grind of botnet-based malspam
Traffic pattern change noted in Fiesta exploit kit
Dalexis/CTB-Locker malspam campaign
Actor using Fiesta exploit kit
Hancitor/Pony/Vawtrak malspam
Merry X-Mas ransomware from Sunday 2017-01-08
One, if by email, and two, if by EK: The Cerbers are coming!
Domaincop malpsam
2016-11-18 example of KaiXin EK activity
Malspam distributing Troldesh ransomware
Exploit kit roundup: Less Angler, more Nuclear
Malspam delivers NanoCore RAT
pseudoDarkleech Rig EK
Rig Exploit Kit from the Afraidgate Campaign
Those never-ending waves of Locky malspam
1 compromised site - 2 campaigns
Follow-up to: Stop calling it a ransomware "attack"
Stop calling it a ransomware "attack"
CryptXXX ransomware updated
Change in patterns for the pseudoDarkleech campaign
APT and why I don't like the term
Searching for malspam
Neutrino EK and CryptXXX
EITest campaign still going strong
ImageTragick: Another Vulnerability, Another Nickname
Neutrino exploit kit sends Cerber ransomware
Angler Exploit Kit, Bedep, and CryptXXX
The importance of ongoing dialog
Recent example of KaiXin exploit kit
Angler exploit kit generated by "admedia" gates
A trip through the spam filters: more malspam with zip attachments containing .js files
Dridex malspam example from January 2016
OpenSSH 7.1p2 released with security fix for CVE-2016-0777
CryptoWall sent by Angler and Neutrino exploit kits or through malicious spam
A recent example of wire transfer fraud
Actor using Rig EK to deliver Qbot - update
Actor using Rig EK to deliver Qbot
ScreenOS vulnerability affects Juniper firewalls
TeslaCrypt ransomware sent using malicious spam
Everything old is new again - Blackhole exploit kit since November 2015
New variant of CryptoWall - Is it right to call it 4.0?
Malicious spam - Subject: RE: Bill
BizCN gate actor sends CryptoWall 4.0
Actors using exploit kits - How they change tactics
Malicious spam with links to CryptoWall 3.0 - Subject: Domain [name] Suspension Notice
Botnets spreading Dridex still active
Compromised Magento sites led to Neutrino exploit kit
Malicious spam with Word document
BizCN gate actor update
Recent trends in Nuclear Exploit Kit activity
Mistakenly-deployed test patch leads to suspicious Windows update
Malicious spam with zip attachments containing .js files
A look through the spam filters - examining waves of Upatre malspam
Actor that tried Neutrino exploit kit now back to Angler
What's the situation this week for Neutrino and Angler EK?
A recent decline in traffic associated with Operation Windigo
Actor using Angler exploit kit switched to Neutrino
Adwind: another payload for botnet-based malspam
Nuclear EK traffic patterns in August 2015
Malicious spam continues to serve zip archives of javascript files
Bartalex malspam pushing Pony/Dyre
After Flash, what will exploit kits focus on next?
BizCN gate actor changes from Fiesta to Nuclear exploit kit
Another example of Angler exploit kit pushing CryptoWall 3.0
Botnet-based malicious spam seen this week
Updates to OpenSSL fix vulnerabilities related to Logjam
Increase in CryptoWall 3.0 from malicious spam and Angler exploit kit
Exploit kit roundup - early June 2015
Myfax malspam wave with links to malware and Neutrino exploit kit
Angler exploit kit pushing CryptoWall 3.0
Exploit kits delivering Necurs
Logjam - vulnerabilities in Diffie-Hellman key exchange affect browsers and servers using TLS
Upatre/Dyre malspam - Subject: eFax message from "unknown"
Recent Dridex activity
Angler exploit kit pushes new variant of ransomware
SOC Analyst Pyramid
Exploit kits (still) pushing Teslacrypt ransomware
An example of the malicious emails sometimes sent to the ISC handler addresses
Angler Exploit Kit - Recent Traffic Patterns
Rig Exploit Kit Changes Traffic Patterns
Threatglass has pcap files with exploit kit activity
What Happened to You, Asprox Botnet?
An Example of Evolving Obfuscation