- TA551 (Shathak) pushes IcedID (Bokbot)
- Emotet Returns
- October 2021 Forensic Contest: Answers and Analysis
- October 2021 Contest: Forensic Challenge
- "Stolen Images Evidence" campaign pushes Sliver-based malware
- Hancitor campaign abusing Microsoft's OneDrive
- "Stolen Images Evidence" Campaign Continues Pushing BazarLoader Malware
- STRRAT: a Java-based RAT that doesn't care if you have Java
- Example of Danabot distributed through malspam
- TA551 (Shathak) continues pushing BazarLoader, infections lead to Cobalt Strike
- Hancitor tries XLL as initial malware file
- June 2021 Forensic Contest: Answers and Analysis
- June 2021 Forensic Contest
- May 2021 Forensic Contest: Answers and Analysis
- May 2021 Forensic Contest
- April 2021 Forensic Quiz: Answers and Analysis
- April 2021 Forensic Quiz
- Analysis from March 2021 Traffic Analysis Quiz
- March 2021 Traffic Analysis Quiz
- Qakbot infection with Cobalt Strike
- Malspam pushes GuLoader for Remcos RAT
- Malspam pushing Trickbot gtag rob13
- Phishing message to the ISC handlers email distro
- Excel spreadsheets push SystemBC malware
- TA551 (Shathak) Word docs push Qakbot (Qbot)
- Qakbot activity resumes after holiday break
- Throwback Friday: An Example of Rig Exploit Kit
- Hancitor activity resumes after a hoilday break
- Emotet infections and follow-up malware
- End of Year Traffic Analysis Quiz
- Recent Qakbot (Qbot) activity
- Traffic Analysis Quiz: Mr Natural
- Traffic Analysis Quiz: DESKTOP-FX23IK5
- Emotet -> Qakbot -> more Emotet
- Traffic Analysis Quiz: Ugly-Wolf.net
- More TA551 (Shathak) Word docs push IcedID (Bokbot)
- Traffic Analysis Quiz: Oh No... Another Infection!
- Recent Dridex activity
- TA551 (Shathak) Word docs push IcedID (Bokbot)
- Traffic Analysis Quiz: What's the Malware From This Infection?
- Word docs with macros for IcedID (Bokbot)
- Excel spreasheet macro kicks off Formbook infection
- Job application-themed malspam pushes ZLoader
- Polish malspam pushes ZLoader malware
- Microsoft Word document with malicious macro pushes IcedID (Bokbot)
- Malspam with links to zip archives pushes Dridex malware
- German malspam pushes ZLoader malware
- Qakbot malspam sent from an infected Windows host
- Recent Dridex activity
- Trickbot gtag red5 distributed as a DLL file
- Hancitor distributed through coronavirus-themed malspam
- Malpsam pushes Ursnif through Italian language Word docs
- Fake browser update pages are "still a thing"
- Emotet epoch 1 infection with Trickbot gtag mor84
- German language malspam pushes Ursnif
- Malspam with links to Word docs pushes IcedID (Bokbot)
- Emotet infection with spambot activity
- German language malspam pushes yet another wave of Trickbot
- Ursnif infection with Dridex
- Finding an Agent Tesla malware sample
- Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike
- An example of malspam pushing Lokibot malware, November 2019
- More malspam pushing Formbook
- What data does Vidar malware steal from an infected host?
- A recent example of Emotet malspam
- Malspam pushing Quasar RAT
- Emotet malspam is back
- Malspam using password-protected Word docs to push Remcos RAT
- Recent example of MedusaHTTP malware
- Recent AZORult activity
- Rig Exploit Kit sends Pitou.B Trojan
- Malspam with password-protected Word docs pushing Dridex
- An infection from Rig exploit kit
- Email roulette, May 2019
- Blue + Red: An Infosec Purple Pyramid
- Malspam pushes Emotet with Qakbot as the follow-up malware
- Malspam with password-protected word docs still pushing IcedID (Bokbot) with Trickbot
- More Russian language malspam pushing Shade (Troldesh) ransomware
- Fake Updates campaign still active in 2019
- Hancitor malspam and infection traffic from Tuesday 2019-02-05
- Malspam with Word docs uses macro to run Powershell script and steal system data
- Heartbreaking Emails: "Love You" Malspam
- Malspam links to password-protected Word docs that push IcedID (Bokbot)
- Campaign evolution: Hancitor changes its Word macros
- Malspam pushing Lokibot malware
- Russian language malspam pushing Shade (Troldesh) ransomware
- Emotet infection with IcedID banking Trojan
- Day in the life of a researcher: Finding a wave of Trickbot malspam
- More malspam using password-protected Word docs
- Campaign evolution: Hancitor malspam starts pushing Ursnif this week
- One Emotet infection leads to three follow-up malware infections
- Sextortion Spam and the Infinite Monkey Theorem
- More malspam pushing password-protected Word docs for AZORult and Hermes Ransomware
- DHL-themed malspam reveals embedded malware in animated gif
- Malspam with password-protected Word docs pushes Hermes ransomware
- Recent Emotet activity
- More malspam pushing Lokibot
- Malspam pushing coin miner and other malware
- Cryptocurrency-themed phishing emails
- Phishing emails for fake MyEtherWallet login page
- Malspam pushing Trickbot malware on Friday 2018-05-11
- Malspam pushing ransomware using two layers of password protection to avoid detection
- Glitch in malspam campaign temporarily reduces spread of GandCrab
- Malspam pushing Sigma ransomware
- Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there
- Malspam pushing Formbook info stealer
- GandCrab Ransomware: Now Coming From Malspam
- 3 examples of malspam pushing Loki-Bot malware
- RTF files for Hancitor utilize exploit for CVE-2017-11882
- Reviewing the spam filters: Malspam pushing Gozi-ISFB
- Fake anti-virus pages popping up like weeds
- Pornographic malspam pushes coin miner malware
- More Malspam pushing Emotet malware
- One month later, Magniber ransomware is still out there
- Resume-themed malspam pushing Smoke Loader
- Necurs Botnet malspam pushes Locky using DDE attack
- HSBC-themed malspam uses ISO attachments to push Loki Bot malware
- Hancitor malspam uses DDE attack
- Malspam pushing Formbook info stealer
- Malspam pushing Word documents with Hancitor malware
- Emails threatening DDoS allegedly from Phantom Squad
- Email attachment using CVE-2017-8759 exploit targets Argentina
- Malspam pushing Locky ransomware tries HoeflerText notifications for Chrome and FireFox
- Malspam pushing Trickbot banking Trojan
- How are people fooled by this? Email to sign a contract provides malware instead.
- Malspam pushing Emotet malware
- NemucodAES and the malspam that distributes it
- Catching up with Blank Slate: a malspam campaign still going strong
- Petya? I hardly know ya! - an ISC update on the 2017-06-27 ransomware outbreak
- Checking out the new Petya variant
- Wide-scale Petya variant ransomware attack noted
- A Tale of Two Phishies
- Jaff ransomware gets a makeover
- Seamless Campaign using Rig Exploit Kit to send Ramnit Trojan
- Malspam on 2017-04-11 pushes yet another ransomware variant
- April 2017 Microsoft Patch Tuesday
- Dridex malspam seen on Monday 2017-04-10
- "Blank Slate" malspam still pushing Cerber ransomware
- Malspam with password-protected Word documents
- Brazilian malspam sends Autoit-based malware
- Hancitor/Pony malspam
- CryptoShield Ransomware from Rig EK
- Ticketbleed vulnerability affects some f5 appliances
- Sage 2.0 Ransomware
- Upatre/Dyre - the daily grind of botnet-based malspam
- Traffic pattern change noted in Fiesta exploit kit
- Dalexis/CTB-Locker malspam campaign
- Actor using Fiesta exploit kit
- Hancitor/Pony/Vawtrak malspam
- Merry X-Mas ransomware from Sunday 2017-01-08
- One, if by email, and two, if by EK: The Cerbers are coming!
- Domaincop malpsam
- 2016-11-18 example of KaiXin EK activity
- Malspam distributing Troldesh ransomware
- Exploit kit roundup: Less Angler, more Nuclear
- Malspam delivers NanoCore RAT
- pseudoDarkleech Rig EK
- Rig Exploit Kit from the Afraidgate Campaign
- Those never-ending waves of Locky malspam
- 1 compromised site - 2 campaigns
- Follow-up to: Stop calling it a ransomware "attack"
- Stop calling it a ransomware "attack"
- CryptXXX ransomware updated
- Change in patterns for the pseudoDarkleech campaign
- APT and why I don't like the term
- Searching for malspam
- Neutrino EK and CryptXXX
- EITest campaign still going strong
- ImageTragick: Another Vulnerability, Another Nickname
- Neutrino exploit kit sends Cerber ransomware
- Angler Exploit Kit, Bedep, and CryptXXX
- The importance of ongoing dialog
- Recent example of KaiXin exploit kit
- Angler exploit kit generated by "admedia" gates
- A trip through the spam filters: more malspam with zip attachments containing .js files
- Dridex malspam example from January 2016
- OpenSSH 7.1p2 released with security fix for CVE-2016-0777
- CryptoWall sent by Angler and Neutrino exploit kits or through malicious spam
- A recent example of wire transfer fraud
- Actor using Rig EK to deliver Qbot - update
- Actor using Rig EK to deliver Qbot
- ScreenOS vulnerability affects Juniper firewalls
- TeslaCrypt ransomware sent using malicious spam
- Everything old is new again - Blackhole exploit kit since November 2015
- New variant of CryptoWall - Is it right to call it 4.0?
- Malicious spam - Subject: RE: Bill
- BizCN gate actor sends CryptoWall 4.0
- Actors using exploit kits - How they change tactics
- Malicious spam with links to CryptoWall 3.0 - Subject: Domain [name] Suspension Notice
- Botnets spreading Dridex still active
- Compromised Magento sites led to Neutrino exploit kit
- Malicious spam with Word document
- BizCN gate actor update
- Recent trends in Nuclear Exploit Kit activity
- Mistakenly-deployed test patch leads to suspicious Windows update
- Malicious spam with zip attachments containing .js files
- A look through the spam filters - examining waves of Upatre malspam
- Actor that tried Neutrino exploit kit now back to Angler
- What's the situation this week for Neutrino and Angler EK?
- A recent decline in traffic associated with Operation Windigo
- Actor using Angler exploit kit switched to Neutrino
- Adwind: another payload for botnet-based malspam
- Nuclear EK traffic patterns in August 2015
- Malicious spam continues to serve zip archives of javascript files
- Bartalex malspam pushing Pony/Dyre
- After Flash, what will exploit kits focus on next?
- BizCN gate actor changes from Fiesta to Nuclear exploit kit
- Another example of Angler exploit kit pushing CryptoWall 3.0
- Botnet-based malicious spam seen this week
- Updates to OpenSSL fix vulnerabilities related to Logjam
- Increase in CryptoWall 3.0 from malicious spam and Angler exploit kit
- Exploit kit roundup - early June 2015
- Myfax malspam wave with links to malware and Neutrino exploit kit
- Angler exploit kit pushing CryptoWall 3.0
- Exploit kits delivering Necurs
- Logjam - vulnerabilities in Diffie-Hellman key exchange affect browsers and servers using TLS
- Upatre/Dyre malspam - Subject: eFax message from "unknown"
- Recent Dridex activity
- Angler exploit kit pushes new variant of ransomware
- SOC Analyst Pyramid
- Exploit kits (still) pushing Teslacrypt ransomware
- An example of the malicious emails sometimes sent to the ISC handler addresses
- Angler Exploit Kit - Recent Traffic Patterns
- Rig Exploit Kit Changes Traffic Patterns
- Threatglass has pcap files with exploit kit activity
- What Happened to You, Asprox Botnet?
- An Example of Evolving Obfuscation
Threat Level: green
Handler on Duty: Guy Bruneau
SANS ISC: ISC Handlers ISC Handlers
https://www.sans.edu
Questions? Feedback?
Use our contact form or
report bugs here
For interactive help and to chat with other users, try our Slack group.
Use our contact form or
report bugs here
For interactive help and to chat with other users, try our Slack group.
