[2013] - [2014] - [2015] - [2016] - [2017] - [2018] - [2019] - [2020] - [2021] - [2022] - [2023] - [2024] - [2025]

• Still working on restoring these 2017 blog posts.

• 2017-12-29 -- Dreambot infection
• 2017-12-29 -- Necurs Botnet malspam pushes GlobeImposter ransomware
• 2017-12-28 -- Seamless campaign Rig EK sends Ramnit
• 2017-12-27 -- Emotet infection with Zeus Panda Banker
• 2017-12-26 -- EITest campaign HoeflerText popups or fake AV alerts
• 2017-12-26 -- Necurs Botnet malspam pushes GlobeImposter ransomware
• 2017-12-22 -- Remcos RAT infection from RTF using CVE-2017-0199 exploit
• 2017-12-21 -- Hancitor infection with Zeus Panda Banker
• 2017-12-21 -- Necurs Botnet malspam pushes GlobeImposter ransomware
• 2017-12-20 -- Quick post: Hancitor infection with Zeus Panda Banker
• 2017-12-19 -- Quick post: EITest HoeflerText popups or fake anti-virus pages
• 2017-12-19 -- Quick post: Hancitor infection with Zeus Panda Banker
• 2017-12-19 -- Quick post: Necurs Botnet malspam pushes GlobeImposter ransomware
• 2017-12-18 -- Quick post: Hancitor infection with Zeus Panda Banker
• 2017-12-18 -- A weekend's worth of phishing emails from my inbox
• 2017-12-14 -- Ngay campaign Rig EK pushes Quant Loader & Monero (XMR) coin miner
• 2017-12-13 -- Hancitor infection with IcedID
• 2017-12-13 -- Necurs Botnet malspam pushes Trickbot or GlobeImposter ransomware
• 2017-12-13 -- Lokibot infection from RTF exploiting CVE-2017-11882
• 2017-12-12 -- EITest HoeflerText popups and fake anti-virus pages
• 2017-12-12 -- Ngay campaign Rig EK pushes Quant Loader & Monero (XMR) coin miner
• 2017-12-11 -- Hancitor infection with Zeus Panda Banker
• 2017-12-08 -- Fobos campaign Rig EK sends Bunitu
• 2017-12-06 -- Quick post: Nymaim infection from UK vehicle violation-themed malspam
• 2017-12-06 -- Hancitor infection with IcedID
• 2017-12-06 -- Quick post: Necurs Botnet malspam pushes GlobeImposter ransomware
• 2017-12-06 -- Quick post: EITest HoeflerText popup pushes NetSupport Manager RAT
• 2017-12-05 -- Quick post: Hancitor infection with Zeus Panda Banker
• 2017-12-05 -- Quick post: Necurs Botnet malspam pushes GlobeImposter ransomware
• 2017-12-04 -- Dridex is back, Baby! - Necurs Botnet malspam pushes Dridex
• 2017-12-04 -- Necurs Botnet malspam pushes GlobeImposter ransomware
• 2017-12-01 -- Phishing emails for shopping job at Target
• 2017-12-01 -- Fake anti-virus page from EITest campaign

• 2017-11-30 -- Necurs Botnet malspam pushes GlobeImposter ransomware
• 2017-11-29 -- Files for an ISC diary (Emotet)
• 2017-11-28 -- Revenge RAT, Luminosity RAT, and Predator Pain infection from payment slip-themed malspam
• 2017-11-28 -- Hancitor infection with Zeus Panda Banker
• 2017-11-28 -- Fake Netflix login pages from phishing emails
• 2017-11-27 -- "Tungsten Rounded" popup on Chrome/Firefox pushes Monero cryptocurrency miner
• 2017-11-23 -- Necurs Botnet malspam pushes "Scarab" ransomware
• 2017-11-22 -- Netflix-themed phishing
• 2017-11-21 -- Zeus Panda Banker infection from Italian malspam
• 2017-11-21 -- Hancitor infection with IcedID (Bokbot)
• 2017-11-18 -- Files for an ISC diary (Smoke Loader)
• 2017-11-17 -- KaiXin EK still around, very Chinese, and acting like it's 2013
• 2017-11-16 -- Quick post: Hancitor infection with Zeus Panda Banker
• 2017-11-16 -- Lokibot infection from CVE-2017-0199 exploit
• 2017-11-15 -- Banload infection from Brazil malpsam
• 2017-11-12 -- "Mercury Text" popup on Chrome & Firefox pushes Monero cryptocurrency miner
• 2017-11-10 -- Phishing emails link to fake on-line banking pages
• 2017-11-09 -- Necurs Botnet malspam still pushing Locky ransomware
• 2017-11-08 -- Hancitor infection with Zeus Panda Banker
• 2017-11-07 -- A day in the life (of a researcher)
• 2017-11-06 -- Hancitor infection with Zeus Panda Banker
• 2017-11-03 -- Nymaim infection
• 2017-11-03 -- Banload infection from Brazil malpsam
• 2017-11-02 -- Adventures with Smoke Loader
• 2017-11-01 -- Hancitor infection with Zeus Panda Banker
• 2017-11-01 -- Necurs Botnet malspam continues pushing Locky ransomware

• 2017-10-31 -- Quick post: Hancitor infection with Zeus Panda Banker
• 2017-10-31 -- Necurs Botnet malspam stops using DDE, still uses Word docs
• 2017-10-30 -- Hancitor infection
• 2017-10-30 -- Necurs Botnet malspam uses DDE attack to push Locky ransomware
• 2017-10-27 -- Remcos RAT infection
• 2017-10-26 -- Hancitor infection with Zeus Panda Banker
• 2017-10-26 -- Quick post: EITest campaign sends HoeflerText popups or fake AV page
• 2017-10-24 -- Necurs Botnet malspam uses DDE attack to push Locky ransomware
• 2017-10-24 -- Compromised site has EITest campaign pushing fake AV, also has coinminer javascript
• 2017-10-24 -- Phishing website traffic
• 2017-10-23 -- Banload infection
• 2017-10-23 -- A RAT's nest of activity
• 2017-10-19 -- Files for an ISC diary (Necurs Botnet malspam uses DDE attack)
• 2017-10-18 -- Files for an ISC diary (Lokibot)
• 2017-10-17 -- Terror EK sends Smoke Loader, Smoke Loader sends more malware
• 2017-10-16 -- Files for an ISC diary (Hancitor infection with DeLoader/ZLoader)
• 2017-10-13 -- Blank Slate campaign stops pushing Locky ransomware, starts pushing Sage 2.2 ransomware
• 2017-10-11 -- Banload infection
• 2017-10-11 -- FTFY: Necurs Botnet malspam pushing ".asasin" variant Locky ransomware
• 2017-10-11 -- Phishing website traffic
• 2017-10-10 -- Lokibot infection from CVE-2017-0199 exploit
• 2017-10-10 -- Emotet infection with spambot traffic
• 2017-10-09 -- Adwind/jRAT infection
• 2017-10-06 -- PowerShell-based infection from Brazil malspam
• 2017-10-05 -- Hancitor infection with DELoader/ZLoader
• 2017-10-04 -- Blank Slate campaign pushes ".ykcol" variant Locky ransomware
• 2017-10-04 -- EITest campaign sends NetSupport RAT
• 2017-10-03 -- Ursnif infection from Japanese malspam
• 2017-10-03 -- Infostealer infection via DLL side-loading from Brazil malspam
• 2017-10-03 -- Hancitor infection with ZLoader
• 2017-10-02 -- Files for an ISC diary (Formbook)
• 2017-10-02 -- Quick post: Hancitor infection with ZLoader
• 2017-10-02 -- Necurs Botnet malspam still pushing ".ykcol" variant Locky ransomware

• 2017-09-22 -- Infostealer infection from Boleto Malspam
• 2017-09-21 -- Files for an ISC diary (Hancitor)
• 2017-09-20 -- Files for an ISC diary (CVE-2017-8759)
• 2017-09-20 -- Lokibot infection
• 2017-09-18 -- Trickbot infection
• 2017-09-18 -- Hancitor infection with ZLoader
• 2017-09-18 -- Necurs Botnet malspam pushes ".ykcol" variant Locky ransomware
• 2017-09-18 -- Emotet infection
• 2017-09-15 -- More possible Coinbit malware
• 2017-09-15 -- Blank Slate campaign pushes Locky ransomware
• 2017-09-14 -- Possible Coinbit malware
• 2017-09-11 -- Blank Slate malspam pushes "Lukitus" variant Locky ransomware
• 2017-09-08 -- Locky ransomware infection
• 2017-09-08 -- EITest campaign fake AV alerts / HoeflerText popups
• 2017-09-07 -- "Lukitus" variant Locky ransomware
• 2017-09-07 -- EITest campaign still pushing HoeflerText popups for NetSupport RAT or pushing fake AV alerts
• 2017-09-06 -- Ursnif infection from Japanese malspam
• 2017-09-05 -- Grab bag
• 2017-09-04 -- Infostealer infection from Brazil malspam
• 2017-09-04 -- GlobeImposter ransomware (..txt file extensions)
• 2017-09-01 -- EITest campaign leads to HoflerText popups for NetSupport RAT or fake anti-virus pages

• 2017-08-31 -- Grab bag
• 2017-08-29 -- Terror EK seen using HTTPS
• 2017-08-28 -- Infostealer infection from Brazil malspam
• 2017-08-28 -- Fobos campaign Rig EK sends Bunitu
• 2017-08-25 -- Seamless campaign Rig EK sends Ramnit
• 2017-08-21 -- Hancitor infection with ZLoader
• 2017-08-21 -- Trickbot infection
• 2017-08-19 -- Infostealer infection from Brazil malspam
• 2017-08-16 -- Quick post: "Lukitus" variant Locky ransomware
• 2017-08-15 -- Files for an ISC diary (Trickbot)
• 2017-08-12 -- Trickbot activity
• 2017-08-11 -- "Diablo6" variant Locky ransomware
• 2017-08-10 -- Hancitor infection with ZLoader
• 2017-08-09 -- "Diablo6" variant of Locky ransomware
• 2017-08-08 -- Files for an ISC diary
• 2017-08-08 -- Quick post: GlobeImposter ransomware
• 2017-08-07 -- Infection from JavaScript (.js) file, possibly Ursnif
• 2017-08-04 -- Magnitude EK data dump
• 2017-08-03 -- Hancitor infection with ZLoader
• 2017-08-02 -- "Blank Slate" campaign pushes Gryphon ransomware (a BTCware variant)
• 2017-08-02 -- Malspam pushing GlobeImposter ransomware (.726 file extension)
• 2017-08-02 -- Hancitor infection
• 2017-08-02 -- Magnitude EK sends Cerber ransomware
• 2017-08-01 -- Rig EK from the HookAds campaign sends Dreambot

• 2017-07-31 -- GlobeImposter ransomware infection
• 2017-07-29 -- "Blank Slate" campaign pushes BTCware (Aleta variant) ransomware
• 2017-07-26 -- Files for an ISC diary (Emotet)
• 2017-07-24 -- Quick post: Hancitor infection with ZLoader
• 2017-07-24 -- Quick post: Trickbot
• 2017-07-23 -- EITest campaign HolflerText popup sends Mole ransomware
• 2017-07-21 -- Infostealer infection from Brazil malspam
• 2017-07-20 -- Hancitor infection with ZLoader
• 2017-07-18 -- NemucodAES ransomware
• 2017-07-17 -- Rig EK data dump (HookAds and Seamless campaigns)
• 2017-07-14 -- Another tech support scam popup message
• 2017-07-13 -- Files for an ISC diary (NemucodAES ransomware and Kovter)
• 2017-07-12 -- Infostealer infection from Brazil malspam
• 2017-07-10 -- Rig EK from the HookAds campaign
• 2017-07-10 -- Kovter and Nemucod ransomware infection
• 2017-07-07 -- Infostealer infection from Brazil malspam
• 2017-07-06 -- EITest campaign pushes tech support scam
• 2017-07-05 -- Malware infection from Japanese malspam
• 2017-07-04 -- Java-based RAT infection
• 2017-07-03 -- Kovter infection
• 2017-07-03 -- Hancitor infection with ZLoader

• 2017-06-30 -- Rig EK from HookAds campaign send Chthonic banking Trojan
• 2017-06-29 -- Kovter infection
• 2017-06-29 -- Hancitor infection with ZLoader
• 2017-06-28 -- Hancitor infection with ZLoader
• 2017-06-28 -- Files for an ISC diary ("Blank Slate" campaign)
• 2017-06-27 -- Hancitor infection with ZLoader
• 2017-06-26 -- Hancitor infection with ZLoader
• 2017-06-22 -- Locky ransomware infection
• 2017-06-21 -- Hancitor infection with ZLoader
• 2017-06-21 -- Rig EK sends Bunitu
• 2017-06-20 -- Rig EK from HookAds campaign sends Dreambot and Chthonic
• 2017-06-19 -- Rig EK from the HookAds campaign sends Dreambot
• 2017-06-16 -- Rig EK from the HookAds campaign
• 2017-06-16 -- Infostealer infection from Brazil malspam
• 2017-06-15 -- Hancitor infection with ZLoader
• 2017-06-15 -- Rig EK (HookAds and Seamless campaigns)
• 2017-06-14 -- Trickbot infection
• 2017-06-14 -- Hancitor infection with ZLoader
• 2017-06-13 -- Jaff ransomware infection
• 2017-06-12 -- Hancitor infection with ZLoader
• 2017-06-12 -- Trickbot infection
• 2017-06-12 -- Hawkeye infection
• 2017-06-12 -- Ursnif infection from Japanese malspam
• 2017-06-12 -- Lokibot infection
• 2017-06-09 -- EITest campaign still pushing tech support scams
• 2017-06-08 -- Hancitor infection with ZLoader
• 2017-06-08 -- Infostealer infection from Brazil malspam
• 2017-06-07 -- Hancitor infection with ZLoader
• 2017-06-07 -- Lokibot infection
• 2017-06-06 -- Hancitor infection with ZLoader
• 2017-06-06 -- Jaff ransomware infection
• 2017-06-06 -- RoughTed campaign Rig EK
• 2017-06-05 -- Dridex infection
• 2017-06-02 -- Seamless campaign continues using Rig EK to send Ramnit
• 2017-06-02 -- Dridex infection
• 2017-06-01 -- Hancitor infection with ZLoader
• 2017-06-01 -- Jaff ransomware infection
• 2017-06-01 -- Zeus Panda Banker infection

• 2017-05-31 -- Hancitor infection with ZLoader
• 2017-05-31 -- Luminosity RAT
• 2017-05-30 -- Rig EK sends Kovter
• 2017-05-30 -- Tech support scam from EITest campaign
• 2017-05-30 -- Hancitor infection with ZLoader
• 2017-05-26 -- EITest campaign pushes tech support scams, Rig EK, or HoeflerText popups
• 2017-05-26 -- Corebot infection
• 2017-05-25 -- EITest campaign pushing tech support scams in US and UK
• 2017-05-25 -- Jaff ransomware infection
• 2017-05-25 -- Hancitor infection with ZLoader
• 2017-05-24 -- Jaff ransomware infection
• 2017-05-23 -- Files for an ISC diary (Jaff ransomware)
• 2017-05-22 -- Jaff ransomware infection
• 2017-05-17 -- EITest HoeflerText popups sends Spora ransomware
• 2017-05-16 -- Hancitor infection with ZLoader
• 2017-05-16 -- More examples of Jaff ransomware
• 2017-05-15 -- My take on WannaCry ransomware
• 2017-05-15 -- The Jaff ransomware train keeps on rollin'
• 2017-05-12 -- Kovter infection
• 2017-05-12 -- Rig EK examples
• 2017-05-12 -- "Blank Slate" campaign continues pushing Cerber ransomware
• 2017-05-11 -- Jumping on the Jaff ransomware bandwagon
• 2017-05-11 -- Kovter infection
• 2017-05-10 -- Files for an ISC diary (Rig EK)
• 2017-05-10 -- Hancitor infection with ZLoader
• 2017-05-10 -- "Blank Slate" campaign pushes Cerber ransomware or GlobeImposter ransomware
• 2017-05-09 -- Hancitor infection with ZLoader
• 2017-05-09 -- Rig EK sends Bunitu
• 2017-05-05 -- "Blank Slate" campaign back to sending Cerber ransomware
• 2017-05-04 -- Hancitor infection with ZLoader
• 2017-05-04 -- Decimal IP campaign uses fake Flash Player site to send Smoke Loader
• 2017-05-03 -- "Blank Slate" campaign pushes GlobeImposter ransomware variant
• 2017-05-03 -- Unidentified malware from WhatsApp-themed malspam
• 2017-05-02 -- Hancitor infection with ZLoader
• 2017-05-02 -- Keeping it 100: "Blank Slate" campaign starts pushing Mordor ransomware
• 2017-05-01 -- Hancitor infection with ZLoader

• 2017-04-28 -- Corebot infection
• 2017-04-27 -- "Blank Slate" campaign still pushing Cerber ransomware, also exploiting CVE-2017-0199
• 2017-04-26 -- Hancitor infection with ZLoader
• 2017-04-26 -- Mole Ransomware and Kovter infections from emails impersonating USPS
• 2017-04-25 -- "Good Man" campaign Rig EK sends Latentbot
• 2017-04-24 -- Hancitor infection with ZLoader
• 2017-04-21 -- Locky ransomware infection
• 2017-04-21 -- Zeus Panda Banker, Kovter and Smoke Loader from fake Parking Service website
• 2017-04-20 -- "Blank Slate" campaign still pushing Cerber ransomware
• 2017-04-20 -- EITest campaign: Rig EK or HoeflerText Chrome popup
• 2017-04-19 -- Dridex infection
• 2017-04-19 -- Zeus Panda Banker, Kovter and Miuref infection
• 2017-04-18 -- Zeus Panda Banker, Kovter and Miuref infection
• 2017-04-18 -- EITest campaign: Rig EK or HoeflerText Chrome popup
• 2017-04-16 -- EITest campaign: Rig EK or HoeflerText Chrome popup
• 2017-04-15 -- EITest campaign: Rig EK or HoeflerText Chrome popup
• 2017-04-14 -- Gate leads to Terror EK, same gate later leads to Rig EK
• 2017-04-13 -- "Blank Slate" campaign still pushing Cerber ransomware, still using fake Chrome page
• 2017-04-13 -- What seems like Rig EK sends possible Smoke Loader payload
• 2017-04-11 -- Files for an ISC diary (Mole ransomware)
• 2017-04-10 -- Files for an ISC diary (Dridex)
• 2017-04-07 -- EITest campaign: Rig EK or HoeflerText Chrome popup
• 2017-04-06 -- EITest Rig EK from 109.234.36[.]165 sends Matrix ransomware variant
• 2017-04-06 -- "Blank Slate" campaign still pushing Cerber ransomware, still using fake Chrome page
• 2017-04-05 -- Hancitor infection
• 2017-04-05 -- Cerber ransomware and Kovter infection
• 2017-04-05 -- TeamViewer-based malware package (TeamSpy)
• 2017-04-05 -- Terror EK sends Andromeda
• 2017-04-04 -- Hancitor infection with ZLoader
• 2017-04-04 -- Cerber ransomware and Kovter infection
• 2017-04-03 -- EITest Rig EK from 5.101.77[.]137 sends MSIL/Matrix ransomware variant
• 2017-04-03 -- Ursnif and Pushdo infection
• 2017-04-03 -- Hancitor infection

• 2017-03-31 -- "Blank Slate" campaign still pushing Cerber ransomware
• 2017-03-30 -- Dridex infection
• 2017-03-30 -- Terror EK from 159.203.185[.]4
• 2017-03-29 -- Hancitor infection with ZLoader
• 2017-03-28 -- EITest Rig EK from 46.173.214[.]185 sends ransomware
• 2017-03-24 -- "Blank Slate" campaign tries fake Chrome install page
• 2017-03-23 -- "Quantum Code" scam

• Still working on restoring these 2017 blog posts.

 

Click here to return to the main page.