Gurucul’s Threat Research team proactively develops countermeasures for a constantly evolving threat landscape. Our multidisciplinary approach, leveraging diverse expertise, ensures comprehensive detection coverage.
The Gurucul Threat Research team uses diverse public threat intelligence sources to gain insight into threat actor tactics and attack patterns.
This intelligence, when combined with commercial data and anonymized customer information, empowers our threat hunters, researchers, and data scientists to proactively identify and mitigate emerging threats.
Platforms like MISP, NIST, MITRE, and SIGMA serve as rich repositories to aid in the creation of new detection models and stay ahead of the adversary.
Gurucul maintains a dedicated team of threat researchers, data scientists, and threat hunters who meticulously analyze a vast array of threat intelligence, encompassing open-source, commercial, and proprietary data.
Our threat hunting and research teams leverage this intelligence to investigate emerging threats, uncovering their origins, scope, and potential impact. By meticulously cataloging Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs), our experts develop robust countermeasures and mitigation strategies.
This comprehensive threat intelligence is shared with our data science team, who employ advanced analytics to build predictive models and algorithms.
Our detection engineering team is the culmination point for the collective efforts of our threat research, threat hunting, and data science teams. This fusion of intelligence, coupled with advanced models and algorithms, results in a robust Threat Content-as-a-Service offering, updated weekly. We share these insights with the broader community through the Gurucul Community and platforms like MITRE to bolster collective defense against evolving threats.
Beyond threat indicators, we provide pre-built threat hunting queries to accelerate investigations. Our detection engineering team meticulously crafts comprehensive threat content, including detections, classifications, pre-built reports, automated response actions, investigation tools, and alerts.
Intel Name: AADInternals PowerShell cmdlets execution – process creation
Date of Scan: 02/18/25
Impact: High
Summary: Detects the execution of AADInternals Cmdlet, a tool used for administering Azure AD and Office 365. Threat actors can exploit this tool to target Azure AD or Office 365 environments for malicious activities.
Intel Name: Kalambur backdoor curl tor socks proxy execution
Date of Scan: 02/18/25
Impact: Medium
Summary: “Kalambur Backdoor Curl TOR SOCKS Proxy Execution” refers to a method used by the Kalambur backdoor malware where it executes the “curl.exe” command to connect to remote servers via TOR and SOCKS proxies. This behavior typically involves accessing “.onion” domains, often used for anonymized communication. Such activity is indicative of malicious actions, as the malware uses these techniques to hide its communication and evade detection.
Intel Name: Kapeka backdoor scheduled task creation
Date of Scan: 02/17/25
Impact: High
Summary: Detects the creation of a scheduled task associated with the Kapeka backdoor by analyzing attributes like file paths, command-line flags, and other indicators.
Intel Name: Ransomware roundup – Lynx
Date of Scan: 02/17/25
Impact: High
Summary: The “Ransomware Roundup – Lynx” reveals that the first sample of Lynx ransomware surfaced in early July 2024, coinciding with other reports of its availability. Research shows that Lynx shares similarities with the earlier INC ransomware, which debuted in July 2023. While INC ransomware offers fewer execution options, it appears to be a predecessor to Lynx. Notably, while INC ransomware targets both Windows and ESXi platforms, Lynx is currently only found on Windows environments.
Intel Name: One step ahead in cyber hide-and-seek: automating malicious infrastructure discovery with graph neural networks
Date of Scan: 02/14/25
Impact: High
Summary: Threat actors often leave behind traces when conducting large-scale attacks, reusing and rotating parts of their infrastructure during campaign setup. Defenders can exploit this behavior to pivot from known indicators and uncover new infrastructure. This article highlights the benefits of automated pivoting through three case studies: a postal services phishing campaign, a credit card skimmer campaign, and a financial services phishing campaign. By using a network crawler and graph neural network (GNN), we identified artifacts around known domains and detected additional malicious ones.
Intel Name: Technical analysis of Xloader versions 6 and 7
Date of Scan: 02/14/25
Impact: Medium
Summary: “Technical Analysis of Xloader Versions 6 and 7 | Part 2” examines the advanced obfuscation techniques used by Xloader versions 6 and 7 to conceal critical code and data. The malware continues to employ hardcoded decoy lists to blend malicious C2 traffic with legitimate website traffic. These decoy lists and the actual C2 server are encrypted using separate keys and algorithms. Both versions use the same network protocol and are secured by multiple layers of encryption.
Intel Name: Newly registered domains for sports-themed crypto scams
Date of Scan: 02/13/25
Impact: Medium
Summary: “Newly Registered Domains for Sports-Themed Crypto Scams” highlights the discovery of recently registered domains leading up to the 2025 Super Bowl, which are promoting fraudulent meme coins and pump-and-dump crypto schemes. These scams exploit celebrity imagery, misleading tokenomics, and aggressive marketing tactics to deceive victims.
Intel Name: Potential KamiKakaBot activity – Winlogon Shell persistence
Date of Scan: 02/13/25
Impact: High
Summary: Detects modifications to the “Winlogon” registry key, where the “Shell” value is set to a value associated with KamiKakaBot samples to establish persistence.
Intel Name: Kernel memory dump via LiveKD
Date of Scan: 02/12/25
Impact: High
Summary: “Kernel Memory Dump via LiveKD” refers to the detection of LiveKD execution with the “-m” flag, which is used to potentially dump the kernel memory. This action may indicate an attempt to access sensitive system information or perform unauthorized analysis of the kernel memory.
Intel Name: Potential KamiKakaBot activity – lure document execution
Date of Scan: 02/12/25
Impact: Medium
Summary: Detects the execution of a Word document through the WinWord Start Menu shortcut. This technique has been observed in KamiKakaBot samples to trigger the second stage of infection.
REVEAL is the visionary security platform that delivers radical clarity into your cyber risk and drastically reduces data costs. It’s a unified suite of capabilities and tools that uncover true threats and quantify risks in real-time—regardless of the data source, across the entire IT estate.
REVEAL gives security teams the visibility, focus, and perspective they need to outpace threats and focus on what matters most.
The DisGoMoji malware operates under the control of its creators through the popular messaging platform Discord. To maintain secrecy, the attackers have ingeniously devised a system of using emojis within Discord messages to transmit commands to the malware.
Lockkey is a ransomware variant written in the Go programming language, making it potentially more cross-platform and resilient than ransomware traditionally written in languages like C++. While the specifics of its technical mechanisms are unavailable due to the restricted source.