APT Archives

Threat Intelligence

Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows

April 22, 2025

Charlie Gardner, Josh Duke, Matthew Meltzer, Sean Koessel, Steven Adair, and Tom Lancaster

Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted social engineering operations aimed at gaining access to the Microsoft 365 (M365) accounts of targeted […]

Threat Intelligence

Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication

February 13, 2025

Charlie Gardner, Steven Adair, and Tom Lancaster

Starting in mid-January 2025, Volexity identified several social-engineering and spear-phishing campaigns by Russian threat actors aimed at compromising Microsoft 365 (M365) accounts. These attack campaigns were highly targeted and carried […]

Threat Intelligence

The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access

November 22, 2024

Sean Koessel, Steven Adair, and Tom Lancaster

In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had […]

Threat Intelligence

BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA

November 15, 2024

Callum Roxan, Charlie Gardner, and Paul Rascagneres

[Update: At the time of publication, this vulnerability had not been addressed by Fortinet. On December 18, 2024, Fortinet published a public acknowledgement of the issue, affected versions, as well […]

Threat Intelligence

StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms

August 2, 2024

Ankur Saini, Paul Rascagneres, Steven Adair, and Tom Lancaster

In mid-2023, Volexity detected and responded to multiple incidents involving systems becoming infected with malware linked to StormBamboo (aka Evasive Panda, and previously tracked by Volexity under “StormCloud”). In those […]

Threat Intelligence

DISGOMOJI Malware Used to Target Indian Government

June 13, 2024

Volexity Threat Research

Note: Volexity has reported the activity described in this blog and details of the impacted systems to CERT at the National Informatics Centre (NIC) in India. In 2024, Volexity identified […]

Memory Forensics

Detecting Compromise of CVE-2024-3400 on Palo Alto Networks GlobalProtect Devices

May 15, 2024

Volexity Threat Research

Last month, Volexity reported on its discovery of zero-day, in-the-wild exploitation of CVE-2024-3400 in the GlobalProtect feature of Palo Alto Networks PAN-OS by a threat actor Volexity tracks as UTA0218. Palo […]

Threat Intelligence

Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)

April 12, 2024

Volexity Threat Research

Volexity would like to thank Palo Alto Networks for their partnership, cooperation, and rapid response to this critical issue. Their research can be found here. On April 10, 2024, Volexity […]

Threat Intelligence

CharmingCypress: Innovating Persistence

February 13, 2024

Ankur Saini, Callum Roxan, Charlie Gardner, and Damien Cash

Through its managed security services offerings, Volexity routinely identifies spear-phishing campaigns targeting its customers. One persistent threat actor, whose campaigns Volexity frequently observes, is the Iranian-origin threat actor CharmingCypress (aka […]

Memory Forensics

How Memory Forensics Revealed Exploitation of Ivanti Connect Secure VPN Zero-Day Vulnerabilities

February 1, 2024

Andrew Case, Michael Hale Ligh, and Volexity Volcano Team

In a recent series of blog posts related to two zero-day vulnerabilities in Ivanti Connect Secure VPN, Volexity shared details of active in-the-wild exploitation; provided an update on how exploitation […]