
Bi-Weekly Security Update 3/15/2017

Wed, 03/15/2017 - 17:02


Malicious Content Identified and Inserted:

  • IPs – 3680
  • Domains – 603

Target List Content Updated:

  • TSCritical
  • TSRansomware
  • TSPhishing
  • TSBanking

EITest – The Long Living Campaign

Wed, 03/08/2017 - 13:22

EITest is a campaign initially discovered in 2014 by Malwarebytes. It redirects visitors of compromised sites, via injected iframes and a Flash file, to an Exploit Kit, which then drops the malware. In the past, this campaign was used to distribute malware including Cerber, CryptoMix, CryptoShield, Gootkit and the Chthonic banking Trojan, all via various types of Exploit Kits.

3 New Targets Protecting Against Drive-By Attacks

Thu, 03/02/2017 - 15:55

We are happy to announce the release of 3 new targets, specifically protecting against Drive-By attacks. In a drive-by attack, websites are used as malware droppers. The targets include manually identified domains, as well as domains identified by running known botnet domain generation algorithms. These 3 new targets let users choose the level of protection that accommodates their needs.

The 3 new targets are:

ThreatSTOP Bi-weekly Security Update

Wed, 03/01/2017 - 21:32

Malicious content identified and inserted:

  • IPs – 3967
  • Domains – 391

Target list content updated:

  • TSCritical
  • TSRansomware
  • TSPhishing
  • TSBanking

Magic Hound Sniffs Out Trouble

Tue, 02/28/2017 - 17:51


Magic Hound, as dubbed by researchers at Palo Alto Networks, is a targeted espionage campaign against Saudi Arabian government, energy and technology industries. The campaign utilized a common phishing tactic, embedding macros in Word and Excel documents. If the victim enabled macros on the document, PowerShell scripts downloaded additional malware onto their computer, such as the open-source Python RAT, Pupy.

Highlights, Trends & Predictions from RSA 2017

Thu, 02/23/2017 - 19:03

We’re back!

It was a fun, productive week in San Francisco exhibiting and chatting with attendees about our product suite, including the soon-to-be ThreatSTOP family member, Roaming Endpoint.



ThreatSTOP at RSA 2017

Thu, 02/16/2017 - 16:38

Hello again, San Francisco! We can’t believe it’s already the third day of RSA, but we’ve had a great time exhibiting and talking to attendees and partners about our newest product, Roaming Endpoint. (And our existing products, DNS and IP Firewall Services)

Bi-weekly Security Update 2/15/2017

Wed, 02/15/2017 - 22:00

Malicious content identified and inserted:

  • IPs – 1318
  • Domains – 323

Target list content updated:

  • TSCritical
  • TSRansomware
  • TSPhishing
  • TSBanking

ThreatSTOP Launches New Roaming DNS Protection Service at RSA

Tue, 02/14/2017 - 19:51

The Cyber Security Start Up’s Answer to Roaming Security

CARLSBAD, CA: Feb 8, 2017: Cyber security company ThreatSTOP announced today a Cloud-based offering that quickly detects and automatically blocks DNS attacks on laptops outside a secured company network, without using external third-party DNS servers or requiring a VPN connection. This new SaaS offering, Roaming Endpoint, is ThreatSTOP’s answer to a growing mobile workforce, protecting devices when they leave the corporate network, anywhere and anytime.

Locky Back in Action

Thu, 02/09/2017 - 17:43

Locky, the infamous ransomware plaguing computers worldwide since it was first seen early last year, has recently made a comeback after a severe drop in activity over the holiday season. The Necurs botnet, which is Locky's primary distributor, was offline for the final weeks of 2016, equating to an 81% decrease in the number of Locky attacks.

CryptXXX Ransomware Spread Through SoakSoak Botnet: Two Big Actors As One

Tue, 01/31/2017 - 20:55

CryptXXX and SoakSoak are huge threats individually.

One Email: Countless Phishing Domains

Mon, 01/30/2017 - 22:42

We often analyze indicators of phishing-related compromise from lists of indicators. These lists contain a large number of indicators, usually not all related to one campaign, but to countless ones that have already spread before the lists were updated.

DGA Updates

Thu, 01/26/2017 - 14:23

In December, we introduced a target list of more than 20 malware family DGAs provided by our friends over at 360 Research Team. Continuing their great work, we are happy to integrate 7 new malware DGAs:

The “TelePort Crew” Evolves from Carbanak

Tue, 01/24/2017 - 17:49

The "Digital Plagiarist" campaign, dubbed by researchers at the tr1adx team, was run by the "TelePort Crew" and appears to be an evolution of the Carbanak cybercrime group. This group is infamous for a large-scale campaign against banks, leading to the 2015 theft of hundreds of millions of dollars, and for the Carbanak/Anunak malware that targets point-of-sale machines.

Sure, Just a Threat Feed Works. Like Biden Without Ray-Bans.

Mon, 01/23/2017 - 19:18


Sure, just any old threat feed will do. Like those one-size-fits-all “I Heart NY” shirts in Times Square. Just like Chipotle without guac (if you’re obsessed with both Chipotle and guac, like me) or Caesar salad with no… dressing. Laverne without Shirley, Biden without Ray-Bans, or maybe the internet without a politically topical meme. I’m going somewhere with this…. I promise.

Bi-weekly Security Update

Thu, 01/19/2017 - 18:52

Malicious content identified and inserted:

  • IPs – 960
  • Domains – 1653

How much would you pay in bitcoin to watch that cat video?

Mon, 01/16/2017 - 22:00

Where do security professionals draw the line between protecting their company’s network, and delivering a free-range internet experience for their fellow employees? This quandary came up at ThreatSTOP recently, spurred by a support request we received from a customer who posed this very question to himself, his peers, and to us. It got us thinking, and made us wonder what the consensus is among security professionals who constantly wrestle with balancing the scales of security and user friction.

Switcher Android Malware - The Road From Android App to Hijacking DNS Server

Thu, 01/12/2017 - 19:13

One of the most recent campaigns highlighting the importance of router security is Mirai (the botnet that carried out large-scale attacks using infected IoT devices). Even before this, reports emphasized the importance and vulnerability of these devices. For example, a report by malware researcher Kafeine revealed an exploit kit aimed at routers: Google Chrome users were redirected to a malicious server that loaded code designed to determine the router model, and then changed the DNS servers configured on the router.

Crime As a Service: The Gritty Details & How to Prevent It

Thu, 01/12/2017 - 17:52


“Crime as a Service” (CaaS): It’s not just a recently ramped-up buzzword; it has actual backing and won't quietly fade into the night anytime soon. It’s a service that has the potential to mature into a larger organizational unit, which is telling of the cyber security issues we’ll be up against in the future.