Abuse of hidden “well-known” directory in HTTPS sites

WordPress and Joomla are among the most popular content management systems (CMSs). They have also become popular targets for malicious actors, who compromise sites on these platforms to inject malicious content. During the past few weeks, ThreatLabZ researchers have detected several WordPress and Joomla sites that were serving ...
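The entry above is about attackers parking content inside a site's `.well-known` directory, a path that site owners rarely inspect because certificate-validation tooling (ACME HTTP-01) and other standard services write there legitimately. The following is an added example, not code from the ThreatLabZ post, of a host-side check a WordPress or Joomla administrator could run against a document root: it walks `.well-known`, allows a small set of assumed-legitimate files, requires that anything under `acme-challenge/` look like a bare token file, and flags everything else. The allow-list, the extension list, and the sample tree are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

# Assumed allow-list of files that commonly live directly under .well-known.
ALLOWED_TOP_LEVEL = {
    "security.txt", "assetlinks.json", "apple-app-site-association",
    "change-password", "dnt-policy.txt",
}
# ACME HTTP-01 challenge files are named after a base64url token.
ACME_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")
# Assumed extensions that should never appear under .well-known on a normal site.
SUSPICIOUS_EXT = {".php", ".html", ".htm", ".js", ".zip", ".exe", ".jar", ".vbs", ".hta"}


def scan_well_known(docroot):
    """Return a list of (relative_path, reason) for unexpected content under .well-known."""
    wk = os.path.join(docroot, ".well-known")
    findings = []
    if not os.path.isdir(wk):
        return findings
    for root, _dirs, files in os.walk(wk):
        parent = os.path.relpath(root, wk)  # "." for files directly in .well-known
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, docroot)
            ext = os.path.splitext(name)[1].lower()
            if ext in SUSPICIOUS_EXT:
                findings.append((rel, "web/executable content type %s" % ext))
                continue
            if parent == "acme-challenge":
                if not ACME_TOKEN_RE.match(name):
                    findings.append((rel, "non-token filename in acme-challenge"))
                    continue
                with open(full, "rb") as fh:
                    body = fh.read(4096)
                # A key authorization is short plain text; markup or bulk means something else was planted.
                if b"<" in body or len(body) > 512:
                    findings.append((rel, "acme-challenge file does not look like a token"))
                continue
            if parent == "." and name in ALLOWED_TOP_LEVEL:
                continue
            findings.append((rel, "unexpected path under .well-known"))
    return findings


def build_sample_docroot():
    """Constructed sample tree (not real site data): one valid ACME token plus two planted files."""
    root = tempfile.mkdtemp(prefix="wk-demo-")
    acme = os.path.join(root, ".well-known", "acme-challenge")
    pki = os.path.join(root, ".well-known", "pki-validation")
    os.makedirs(acme)
    os.makedirs(pki)
    with open(os.path.join(acme, "A1b2C3"), "w") as fh:
        fh.write("A1b2C3.someKeyAuthorization")
    with open(os.path.join(acme, "index.html"), "w") as fh:
        fh.write("<html><meta http-equiv=refresh content='0;url=http://example.invalid/'></html>")
    with open(os.path.join(pki, "update.php"), "w") as fh:
        fh.write("<?php /* placeholder for injected content */ ?>")
    return root


if __name__ == "__main__":
    for path, reason in scan_well_known(build_sample_docroot()):
        print("%s: %s" % (path, reason))
```

Run it against a real document root with `scan_well_known("/var/www/html")`; extend `ALLOWED_TOP_LEVEL` with whatever your own deployment legitimately publishes there, and treat any remaining hit as something to pull and analyse rather than delete blindly.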

Qealler – a new JAR-based information stealer

Recently, the Zscaler ThreatLabZ team came across a new type of malware called Qealler, which is written in Java and designed to silently steal sensitive information from an infected machine. Qealler is a highly obfuscated Java loader that deploys a Python credential harvester. We first saw this payload hit Zscaler ...

Spam campaigns leveraging .tk domains

For the last couple of quarters, the Zscaler ThreatLabZ research team has been closely monitoring services that provide free domain names. We have identified a campaign using domains under the '.tk' top-level domain (TLD) that starts with compromised sites as the initial vector and redirects users either to fake blog sites to generate ...

CVE-2017-8570 and CVE-2018-0802 exploits being used to spread LokiBot

Zscaler ThreatLabZ has been tracking the use of malicious RTF documents that exploit CVE-2017-8570 and, more recently, CVE-2018-0802 to install a malicious payload on the victim's machine. In this blog, we share our analysis of a campaign that leverages these two exploits to deliver LokiBot. These malicious documents spread by ...
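The RTF documents in campaigns like the one above carry their exploit as an embedded OLE object (an `\object` group whose `\objdata` holds a hex-encoded OLE1 stream). The following is an added triage example, not the ThreatLabZ analysis and not an exploit: it decodes each `\objdata` blob, parses the OLE1 ObjectHeader to recover the embedded class name and native data, checks whether the native data is a compound file, and raises flags for `\objupdate` (which makes Word activate the object on open) and for class names that the example assumes are worth a closer look. The watch-list of class names and the sample RTF are assumptions constructed for the demonstration; the sample's "native data" is just a compound-file magic followed by zeros.

```python
import re
import binascii

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound file (CFB) signature
# Assumed watch-list: object classes that deserve attention when embedded in an RTF.
WATCH_CLASSES = ("equation", "package")

# Constructed sample, not a real exploit document: one \object whose OLE1 header
# names the "Equation.3" class and whose native data starts with the CFB magic.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}{\\*\\objdata\n"
    b"01050000 02000000 0b000000 45717561 74696f6e 2e3300\n"
    b"00000000 00000000 10000000 d0cf11e0 a1b11ae1 00000000 00000000\n"
    b"}}\n"
    b"}\n"
)


def extract_objdata(rtf):
    """Return the decoded bytes of every {\\objdata ...} group in the RTF text."""
    blobs = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        i = m.end()
        start, depth = i, 1
        while i < len(rtf) and depth > 0:  # brace-match to the end of the group
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
            i += 1
        body = rtf[start:i - 1]
        hexs = re.sub(rb"[^0-9A-Fa-f]", b"", body)  # drop whitespace/newlines between hex digits
        if len(hexs) % 2:
            hexs = hexs[:-1]
        blobs.append(binascii.unhexlify(hexs))
    return blobs


def _lpstr(blob, off):
    """Read a LengthPrefixedAnsiString: 4-byte little-endian length, then the bytes."""
    n = int.from_bytes(blob[off:off + 4], "little")
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_ole1(blob):
    """Parse the OLE1 ObjectHeader (version, FormatID, ClassName, TopicName, ItemName)
    and, for FormatID 2 (embedded object), the NativeDataSize + NativeData that follow."""
    if len(blob) < 12:
        return None
    fmt = int.from_bytes(blob[4:8], "little")
    cls, off = _lpstr(blob, 8)
    _topic, off = _lpstr(blob, off)
    _item, off = _lpstr(blob, off)
    name = cls.rstrip(b"\0").decode("latin-1")
    if fmt != 2 or off + 4 > len(blob):
        return {"class_name": name, "format_id": fmt, "native": b""}
    size = int.from_bytes(blob[off:off + 4], "little")
    return {"class_name": name, "format_id": fmt, "native": blob[off + 4:off + 4 + size]}


def triage_rtf(rtf):
    """Summarise embedded-object indicators in an RTF byte string."""
    declared = [m.decode("latin-1") for m in re.findall(rb"\\objclass\s*([^\\{}\s;]+)", rtf)]
    report = {
        "object_groups": len(re.findall(rb"\\object\b", rtf)),
        "objupdate": b"\\objupdate" in rtf,
        "declared_classes": declared,
        "embedded": [],
        "flags": [],
    }
    if report["objupdate"]:
        report["flags"].append("objupdate: object is refreshed (activated) when the document opens")
    for blob in extract_objdata(rtf):
        hdr = parse_ole1(blob)
        if hdr is None:
            report["embedded"].append({"class_name": None, "native_size": len(blob), "cfb": blob[:8] == OLE_MAGIC})
            continue
        native = hdr["native"]
        report["embedded"].append({"class_name": hdr["class_name"], "native_size": len(native),
                                   "cfb": native[:8] == OLE_MAGIC})
        if any(w in hdr["class_name"].lower() for w in WATCH_CLASSES):
            report["flags"].append("watch-class: " + hdr["class_name"])
        # Heuristic: the class declared in \objclass should match the one inside the OLE1 header.
        if declared and hdr["class_name"] not in declared:
            report["flags"].append("class mismatch: header says %s, \\objclass says %s"
                                   % (hdr["class_name"], ",".join(declared)))
    return report


if __name__ == "__main__":
    print(triage_rtf(SAMPLE_RTF))
```

To use it on a sample, read the file as bytes and pass it to `triage_rtf`; the `native` bytes returned by `parse_ole1` are what you would hand to a CFB parser or an Equation Editor stream decoder for the next step of analysis.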