Gurucul Threat Research Labs
Engineering Threat Detections from Every Perspective

Gurucul’s Threat Research team proactively develops countermeasures for a constantly evolving threat landscape. Our multidisciplinary approach, leveraging diverse expertise, ensures comprehensive detection coverage.

A powerful alliance of seasoned threat researchers and data scientists drives our innovation. By fusing external intelligence, internal expertise, and community insights, we develop cutting-edge detections to combat the most elusive threats.

How We Engineer Threat Detections

Multiple Teams, Sources and Disciplines

External Intelligence

The Gurucul Threat Research team uses diverse public threat intelligence sources to gain insight into threat actor tactics and attack patterns.

This intelligence, when combined with commercial data and anonymized customer information, empowers our threat hunters, researchers, and data scientists to proactively identify and mitigate emerging threats.

Platforms like MISP, NIST, MITRE, and SIGMA serve as rich repositories to aid in the creation of new detection models and stay ahead of the adversary.

Internal Expertise

Gurucul maintains a dedicated team of threat researchers, data scientists, and threat hunters who meticulously analyze a vast array of threat intelligence, encompassing open-source, commercial, and proprietary data.

Our threat hunting and research teams leverage this intelligence to investigate emerging threats, uncovering their origins, scope, and potential impact. By meticulously cataloging Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs), our experts develop robust countermeasures and mitigation strategies.

This comprehensive threat intelligence is shared with our data science team, who employ advanced analytics to build predictive models and algorithms.

Detection Output

Our detection engineering team is the culmination point for the collective efforts of our threat research, threat hunting, and data science teams. This fusion of intelligence, coupled with advanced models and algorithms, results in a robust Threat Content-as-a-Service offering, updated weekly. We share these insights with the broader community through the Gurucul Community and platforms like MITRE to bolster collective defense against evolving threats.

Beyond threat indicators, we provide pre-built threat hunting queries to accelerate investigations. Our detection engineering team meticulously crafts comprehensive threat content, including detections, classifications, pre-built reports, automated response actions, investigation tools, and alerts.

Latest Threat Research

Intel Name: AADInternals PowerShell cmdlets execution – process creation
Date of Scan: 02/18/25
Impact: High
Summary: Detects the execution of AADInternals cmdlets. AADInternals is a tool used for administering Azure AD and Office 365, and threat actors can exploit it to target Azure AD or Office 365 environments for malicious activities.

Intel Name: Kalambur backdoor curl TOR SOCKS proxy execution
Date of Scan: 02/18/25
Impact: Medium
Summary: “Kalambur Backdoor Curl TOR SOCKS Proxy Execution” refers to a method used by the Kalambur backdoor malware where it executes the “curl.exe” command to connect to remote servers via TOR and SOCKS proxies. This behavior typically involves accessing “.onion” domains, often used for anonymized communication. Such activity is indicative of malicious actions, as the malware uses these techniques to hide its communication and evade detection.

Intel Name: Kapeka backdoor scheduled task creation
Date of Scan: 02/17/25
Impact: High
Summary: Detects the creation of a scheduled task associated with the Kapeka backdoor by analyzing attributes like file paths, command-line flags, and other indicators.

Intel Name: Ransomware roundup – Lynx
Date of Scan: 02/17/25
Impact: High
Summary: The “Ransomware Roundup – Lynx” reveals that the first sample of Lynx ransomware surfaced in early July 2024, coinciding with other reports of its availability. Research shows that Lynx shares similarities with the earlier INC ransomware, which debuted in July 2023. While INC ransomware offers fewer execution options, it appears to be a predecessor to Lynx. Notably, while INC ransomware targets both Windows and ESXi platforms, Lynx is currently only found on Windows environments.

Intel Name: One step ahead in cyber hide-and-seek: automating malicious infrastructure discovery with graph neural networks
Date of Scan: 02/14/25
Impact: High
Summary: Threat actors often leave behind traces when conducting large-scale attacks, reusing and rotating parts of their infrastructure during campaign setup. Defenders can exploit this behavior to pivot from known indicators and uncover new infrastructure. This article highlights the benefits of automated pivoting through three case studies: a postal services phishing campaign, a credit card skimmer campaign, and a financial services phishing campaign. By using a network crawler and graph neural network (GNN), we identified artifacts around known domains and detected additional malicious ones.

Intel Name: Technical analysis of Xloader versions 6 and 7
Date of Scan: 02/14/25
Impact: Medium
Summary: “Technical Analysis of Xloader Versions 6 and 7 | Part 2” examines the advanced obfuscation techniques used by Xloader versions 6 and 7 to conceal critical code and data. The malware continues to employ hardcoded decoy lists to blend malicious C2 traffic with legitimate website traffic. These decoy lists and the actual C2 server are encrypted using separate keys and algorithms. Both versions use the same network protocol and are secured by multiple layers of encryption.

Intel Name: Newly registered domains for sports-themed crypto scams
Date of Scan: 02/13/25
Impact: Medium
Summary: “Newly Registered Domains for Sports-Themed Crypto Scams” highlights the discovery of recently registered domains leading up to the 2025 Super Bowl, which are promoting fraudulent meme coins and pump-and-dump crypto schemes. These scams exploit celebrity imagery, misleading tokenomics, and aggressive marketing tactics to deceive victims.

Intel Name: Potential KamiKakaBot activity – Winlogon shell persistence
Date of Scan: 02/13/25
Impact: High
Summary: Detects modifications to the “Winlogon” registry key, where the “Shell” value is set to a value associated with KamiKakaBot samples to establish persistence.

Intel Name: Kernel memory dump via LiveKD
Date of Scan: 02/12/25
Impact: High
Summary: “Kernel Memory Dump via LiveKD” refers to the detection of LiveKD execution with the “-m” flag, which is used to potentially dump the kernel memory. This action may indicate an attempt to access sensitive system information or perform unauthorized analysis of the kernel memory.

Intel Name: Potential KamiKakaBot activity – lure document execution
Date of Scan: 02/12/25
Impact: Medium
Summary: Detects the execution of a Word document through the WinWord Start Menu shortcut. This technique has been observed in KamiKakaBot samples to trigger the second stage of infection.

Powering REVEAL: The Dynamic Security Analytics Platform

REVEAL is the visionary security platform that delivers radical clarity into your cyber risk and drastically reduces data costs. It’s a unified suite of capabilities and tools that uncover true threats and quantify risks in real-time—regardless of the data source, across the entire IT estate.

REVEAL gives security teams the visibility, focus, and perspective they need to outpace threats and focus on what matters most.