In a significant development in cybersecurity, the threat actor known as Stargazer Goblin has established a complex network of fake GitHub accounts to facilitate a Distribution-as-a-Service (DaaS) operation. This network, comprising over 3,000 inauthentic accounts, has been actively spreading various information-stealing malware and generating $100,000 in illicit profits over the past year.

Read also: A Scattered Spider member arrested in the UK, LockBit affiliates plead guilty, and more.

Don't worry, I'm not trying to conjure images in your mind of Rod Stewart in his iconic leopard print trousers. Instead, I want to warn you about a cybercrime group that has gained notoriety for attacking VMware ESXi servers since February 2024.

By Olivia Betts and Adam Price In July 2024, CloudFlare identified that it can take cybercriminals as little as 22 minutes to weaponise a publicly available Proof-of-Concept (PoC) exploit following its release. The IT services management company noted an increase in scanning for disclosed Common and in attempts to weaponise available PoCs across 2023 and 2024.

MuddyWater deploys BugSleep malware, researchers discover malicious files on the npm registry, and Void Banshee exploits a Microsoft MHTML flaw.

On July 23, 2024, CrowdStrike Intelligence identified the phishing domain crowdstrike-office365com, which impersonates CrowdStrike and delivers malicious ZIP and RAR files containing a Microsoft Installer (MSI) loader. The loader ultimately executes Lumma Stealer packed with CypherIt.

The Chinese espionage group Daggerfly, also known as Evasive Panda or Bronze Highland, has significantly upgraded its malware arsenal, allowing it to target a wide range of operating systems including Windows, Linux, macOS, and Android. This development marks a notable escalation in the group's cyber capabilities, as detailed in a recent analysis by Symantec.

Beginning in early July 2024, Arctic Wolf responded to multiple SocGholish/FakeUpdate intrusions that resulted in a seemingly benign payload being delivered as a second-stage download. The zip file payload contained software from the Berkeley Open Infrastructure for Network Computing (BOINC) project, open-source software that allows users to contribute computing power to scientific research projects focused on solving complex calculations.

On July 23, 2024, CrowdStrike Intelligence identified a malicious ZIP file containing a Python-based information stealer now tracked as Connecio. A threat actor distributed this file days after the July 19, 2024, single content update for CrowdStrike’s Falcon sensor — which impacted Windows operating systems — was identified and a fix was deployed. The ZIP file uses the filename CrowdStrike Falcon.zip in an attempt to masquerade as a Falcon update.

The modus operandi of cybercriminals is constantly changing. It comes as no surprise that, every so often, hackers switch up their methods to become more evasive. However, contrary to what we might imagine, these changes don’t always have to be innovative, or involve new attack strategies. Cybercriminals are increasingly opting to employ old-school techniques, and couple this with minimal investment.