Resurgence of Voicemail-themed Phishing Attacks Targeting Key Industry Verticals in US

Summary Since May 2022, ThreatLabz has been closely monitoring the activities of a threat actor which targets users in various US-based organizations with malicious voicemail-notification-themed emails in an attempt to steal their Office365 and Outlook credentials. The tactics, techniques, and procedures (TTPs) of this threat actor have a high overlap ... Read More

Vidar distributed through backdoored Windows 11 downloads and abusing Telegram

Summary In April 2022, ThreatLabz discovered several newly registered domains, which were created by a threat actor to spoof the official Microsoft Windows 11 OS download portal. We discovered these domains by monitoring suspicious traffic in our Zscaler cloud. The spoofed sites were created to distribute malicious ISO files which ... Read More

CloudFall Targets Researchers and Scientists Invited to International Military Conferences in Central Asia and Eastern Europe

In August 2021, Zscaler ThreatLabz identified several malicious Microsoft Word documents which used a multi-stage attack-chain abusing Cloudflare Workers and features of MS Office Word to target users in Central Asia and Eastern Europe. Based on the social engineering lures used in the decoy content, we conclude with a moderate ... Read More

Demystifying the full attack chain of MineBridge RAT

Introduction In March 2021, threat actors started distributing MineBridge RAT with an updated distribution mechanism. Morphisec blogged about the partial attack chain of this new attack but they could not find the origin or initial stages of the attack chain. In May 2021, Zscaler ThreatLabz was able to uncover all ... Read More

Threat Actors Distribute Malicious VPN Apps Masquerading as Popular Vendors

Introduction In May 2021, Zscaler ThreatLabZ observed several new domains registered by a threat actor for distribution of spoofed and malicious versions of popular VPN softwares. Threat actors have shifted their tactics, techniques, and procedures (TTPs) to target VPN users over the past year, taking advantage of the increase in ... Read More

Low-volume multi-stage attack leveraging AzureEdge and Shopify CDNs

Introduction In Feb 2021, Threatlabz observed a few instances of a low-volume multi-stage web attack in Zscaler cloud. This web attack leveraged legitimate servers of Microsoft (, Dropbox and content delivery network of Shopify ( to host the malicious files. The attack chain started from a Wordpress site with a ... Read More

Return of the MINEBRIDGE RAT With New TTPs and Social Engineering Lures

Introduction In Jan 2021, Zscaler ThreatLabZ discovered new instances of the MINEBRIDGE remote-access Trojan (RAT) embedded in macro-based Word document files crafted to look like valid job resumes (CVs). Such lures are used as social engineering schemes by threat actors; in this case, the malware was targeted at security researchers ... Read More

DevSecOps Poll

Step 1 of 6

What is the biggest roadblock implementing DevSecOps practices?