Vanja Svajcer

@vanjasvajcer.bsky.social

Something, something - Cisco Talos Threat Intelligence

69 Followers 104 Following 4 Posts Joined Nov 2023
4 months ago
BeaverTail and OtterCookie evolve with a new JavaScript module. Cisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North Korea (DPRK).

Famous Chollima and the evolution of OtterCookie

blog.talosintelligence.com/beavertail-a...

8 months ago
Famous Chollima deploying Python version of GolangGhost RAT. Learn how the North Korean-aligned Famous Chollima is using a new Python-based RAT, "PylangGhost," to target cryptocurrency and blockchain jobseekers in a campaign affecting users primarily in Ind...

We published our findings about a Python variant of a Golang RAT used by Famous Chollima (aka Wagemole). This has been recently used with limited success.

blog.talosintelligence.com/python-versi...

1 year ago
Exploring vulnerable Windows drivers. This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique, along with Cisco Talos' series of posts about malicious Windows drivers.

Some documentation on the learning process for BYOVD drivers. I presented this at the AVAR conference, so this is a follow-up post.

blog.talosintelligence.com/exploring-vu...

1 year ago
Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads. The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date ...

I started looking at this because a document uploaded to VT was similar to documents with Picasso loader, and I thought it could be a new variant. It turns out there is a generator, MacroPack, generating these docs.

blog.talosintelligence.com/threat-actor...
