Detection of Recent RMM Distribution Cases Using AhnLab EDR
AhnLab SEcurity intelligence Center (ASEC) has recently observed an increase in attack cases exploiting Remote Monitoring and Management (RMM) tools. Whereas attackers previously exploited remote control tools during the process of seizing control after initial penetration, they now increasingly leverage RMM tools even during the initial distribution phase across diverse
React2Shell: Serious RCE Vulnerability Threatening the Latest Web Frameworks (CVE-2025-55182)
Overview In December 2025, a serious security vulnerability named Reach2Shell was disclosed, shaking the web development ecosystem. This vulnerability affects applications using React Server Components and the Flight protocol, allowing threat actors to execute arbitrary code on the server with a single HTTP request. It has been given a Common
Detecting Akira Ransomware Attack Using AhnLab EDR
Akira is a relatively new ransomware threat actor that has been active since March 2023. Like other ransomware threat actors, they breach organizations and not only encrypt their files but also exfiltrate sensitive information to use in negotiations. As shown in the following 2024 statistics, the number of companies affected
AhnLab EDR Detects CoinMiner Propagated via USB in South Korea
1. Overview CoinMiners typically secretly use the CPU and GPU resources of users’ computers to mine cryptocurrencies, which slows down the performance of the affected computers. CoinMiners are usually distributed through phishing emails, malicious websites, system vulnerabilities, and other means. For analysis of this malware, please refer to the AhnLab
Moxa Product Security Update Advisory
Overview We have released a security update to fix vulnerabilities in Moxa products. Users of...
Proxy Tools Detected by AhnLab EDR
After gaining control over infected systems, threat actors may also perform remote screen control using RDP. This is partly for convenience but can also serve the purpose of maintaining persistence. If the RDP service is not active during the attack process, threat actors may install RDP Wrappers, steal existing account
BlueKeep Attack Detected by AhnLab EDR
BlueKeep (CVE-2019-0708) is a vulnerability revealed in May 2019, occurring during the Remote Desktop Protocol (RDP) connection process between a client and server. When a client sends a malicious packet through a specific channel (MS_T120), a Use-After-Free vulnerability occurs, allowing remote code execution.[1] This vulnerability has been discussed on the
Linux Persistence Techniques Detected by AhnLab EDR (1)
Persistence techniques refer to methods employed by threat actors to maintain a connection to the target system after infiltration. As a single breach may not be enough to achieve all their goals, threat actors look for ways to re-access the system. Persistence can be maintained by configuring the malware to
SnakeKeylogger Malware Detected by AhnLab EDR
1. Overview SnakeKeylogger, an Infostealer created with .NET, can leak data using emails, FTP, SMTP, or Telegram. The malware has been consistently distributed and was covered in a previous ASEC Blog post. [1] This post will reveal the trace of the malicious behaviors of SnakeKeylogger analyzed in the previous post
Linux Defense Evasion Techniques Detected by AhnLab EDR (2)
The blog post “Linux Defense Evasion Techniques Detected by AhnLab EDR (1)” [1] covered methods where the threat actors and malware strains attacked Linux servers before incapacitating security services such as firewalls and security modules and then concealing the installed malware. This post will cover additional defense evasion techniques against
