Zero-Dwell Threat Intelligence Reports

MSIL/Formbook Hybrid Communicating Through Telegram and checkip.dyndns.org.exe

spreader assembly

Overlay-Packed SFX Drops Secondary Payloads and Modifies Autorun.exe

signed overlay

Spreader-Enabled Lumma Binary Using WMI Calls and DPAPI Access.exe

calls-wmi spreader executes-dropped-file persistence

Heracles/Mardom Dropper Harvests Clipboard and Browser Credentials.exe

long-sleeps calls-wmi spreader checks-bios clipboard

Courier-Themed Installer Executes FormBook Payload and Contacts C2.exe

upx

Convagent Variant Harvests Browser Credentials and Exfiltrates Over C2.exe

long-sleeps calls-wmi spreader assembly checks-bios

Game-Crack Installer Adds Defender Exclusions and Beacons to IP Lookup APIs.exe

checks-user-input executes-dropped-file obfuscated

Trojan Installer with UAC-Bypass Indicators and Rmc-H21NWQ Registry Keys.exe

long-sleeps detect-debug-environment spreader

Trojanized .NET Keylogger with Startup Persistence and Remote Exfiltration.exe

long-sleeps spreader assembly persistence

Trojanized Invoicer Binary Drops Remcos with Rmc-5SDT03 Mutex.exe

long-sleeps detect-debug-environment persistence

Stealer with Autorun Persistence and Encrypted SSL Command Channel.exe

64bits long-sleeps calls-wmi spreader persistence

RAR SFX Loader Executes Batch Chains to Kill Defender and Deploy Payload.exe

overlay detect-debug-environment calls-wmi