LAB52, the intelligence team at S2 Group, has uncovered a new phishing campaign deploying DeedRAT—a modular backdoor attributed to Chinese threat actors—through adversary tracking efforts. The campaign leverages the legitimate signed binary MambaSafeModeUI.exe, part of the VIPRE Antivirus Premium software, which is vulnerable to DLL side-loading. This technique allows the attackers to load the DeedRAT […]
New book NOW available: Cyber GRU. Russian military intelligence in cyberspace
Finally, CYBER GRU: Russian military intelligence in cyberspace, the new book that I announced some days ago, was published last Friday, July 4th. In the previous post, the structure of the book was presented, together with its table of contents. Both the editor and the printer have worked quickly, and it is ready earlier than […]
Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations
The S2 Group’s intelligence team has identified through adversary tracking a new phishing campaign by Snake Keylogger, a Russian origin stealer programmed in .NET, targeting various types of victims, such as companies, governments or individuals. The campaign has been identified as using spearphishing emails offering oil products. These emails will contain a zipped attachment that […]
CYBER GRU: Russian military intelligence in cyberspace
I am excited to share that today I sent a new book to the printer titled CYBER GRU: Russian military intelligence in cyberspace. As this title states, it is a book where I delve into the GRU in cyberspace, ended in May and that, after some retouches and a foreword, is being printed to arrive […]
Some thoughts about Laundry Bear
Today, Dutch intelligence (AIVD and MIVD) and Microsoft have published two reports unveiling a potential new Russian threat actor: Laundry Bear, or Void Blizzard. This actor was discovered through a recent compromise of the Dutch Police, and it has been targeting Western organizations since at least 2024, including armed forces, government organizations and defense contractors, […]
Grandoreiro Stealer Targeting Spain and Latin America: Malware Analysis and Decryption Insights
A new campaign targeting Spain and Latin American countries, utilizing the Brazilian stealer Grandoreiro, was detected during March 2025. This report provides detailed insights into the malware’s behavior, along with an explanation of the string obfuscation and decryption techniques employed in this campaign. Grandoreiro Grandoreiro is a Brazilian-origin stealer malware that has been active since […]