Martin Zugec
martinzugec.bsky.social
InfoSec speaker/blogger/thinker at Bitdefender. PowerShell fan since 2004. Non-militant vegetarian. Excited gamer since 1985.
An unusual ransom language 🤔
"Korean Leak is a reason to withdraw money from the country's stock market, because we have a volume of data whose publication will definitely deal a serious blow to the entire Korean market. And we will definitely do it."

www.bitdefender.com/en-us/blog/b...
The Korean Leaks – Analyzing the Hybrid Geopolitical Campaign Targeting South Korean Financial Services With Qilin RaaS
TL;DR The "Korean Leaks" campaign showcases a sophisticated supply chain attack against South Korea's financial sector.
www.bitdefender.com
November 25, 2025 at 1:30 PM
Curly COMrades APT now deploys a small Linux VM (120MB on disk, 256MB memory) on compromised Win10 machines (after enabling Hyper-V) that includes reverse shell + proxy to target environment: www.bitdefender.com/en-us/blog/b...
Curly COMrades: Evasion and Persistence via Hidden Hyper-V Virtual Machines
I'd like to thank my coauthors Adrian Schipor and Martin Zugec for their invaluable contributions to this research.
www.bitdefender.com
November 4, 2025 at 2:24 PM
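The hidden-VM technique described above is easy to check for on a host, because enabling the Hyper-V role and starting a guest both leave obvious traces. The following PowerShell is an added triage script, not code from the Bitdefender write-up or from the actor's tooling. It assumes an elevated session on a Windows 10/11 workstation; the feature names are the standard DISM names, vmwp.exe is Hyper-V's per-VM worker process, and the 300 MB size threshold for "small" disk images is an assumed value chosen around the ~120 MB guest mentioned in the post.

```powershell
# Added triage example (not from the Bitdefender research): look for an
# unexpected Hyper-V role and running VM workers on a Windows 10/11 workstation.
# Requires an elevated PowerShell session.

function Get-HyperVTriage {
    [CmdletBinding()]
    param(
        # Assumed threshold: disk images smaller than this are unusual for
        # legitimate guests and match the ~120 MB Linux VM described above.
        [long]$SmallImageBytes = 300MB
    )

    $report = [ordered]@{}

    # 1. Which Hyper-V features are enabled? The hypervisor being enabled while
    #    the management tools are absent is an odd combination for a workstation.
    $report.Features = Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'Microsoft-Hyper-V*' } |
        Select-Object FeatureName, State

    # 2. Every running VM has its own vmwp.exe worker process whose command line
    #    carries the VM GUID, so a worker is hard evidence that a guest is running.
    $report.WorkerProcesses = Get-CimInstance Win32_Process -Filter "Name = 'vmwp.exe'" |
        Select-Object ProcessId, ParentProcessId, CreationDate, CommandLine

    # 3. Ask the virtualization WMI provider directly. This does not depend on
    #    the Hyper-V PowerShell module (Get-VM), which may not be installed.
    try {
        $report.VirtualMachines = Get-CimInstance -Namespace 'root\virtualization\v2' `
            -ClassName Msvm_ComputerSystem -ErrorAction Stop |
            Where-Object { $_.Caption -eq 'Virtual Machine' } |
            Select-Object ElementName, Name, EnabledState, InstallDate
    } catch {
        # A missing namespace means the Hyper-V management provider is not present.
        $report.VirtualMachines = @()
    }

    # 4. Hunt for small VHD/VHDX files anywhere on the system drive, not only in
    #    the default "Virtual Hard Disks" folder.
    $report.SmallDiskImages = Get-ChildItem -Path "$env:SystemDrive\" -Recurse -File `
        -Include *.vhd, *.vhdx -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt $SmallImageBytes } |
        Select-Object FullName, Length, LastWriteTime

    [pscustomobject]$report
}

# Usage: run elevated and review each section; an enabled hypervisor plus a
# vmwp.exe worker on a machine that should not host VMs is the finding to chase.
$triage = Get-HyperVTriage
$triage.Features        | Format-Table -AutoSize
$triage.WorkerProcesses | Format-List
$triage.VirtualMachines | Format-Table -AutoSize
$triage.SmallDiskImages | Format-Table -AutoSize
```

The WMI query in step 3 is deliberately used instead of Get-VM: it works as long as the virtualization provider is present, and it is the same source the management cmdlets read from, so it is harder to blind by simply removing the PowerShell module.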
Our latest report analyzes a cyberattack by a Chinese APT group targeting a military company in the Philippines. We found a new and advanced fileless malware toolset that we called the EggStreme framework. Includes a GitHub repo for IOCs + live AMA.

businessinsights.bitdefender.com/eggstreme-fi...
EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company
Bitdefender Labs uncovers details of a new, fileless malware framework called EggStreme. Read the blog to learn how this multi-stage toolset operates.
businessinsights.bitdefender.com
September 10, 2025 at 7:50 PM
Bitdefender Labs just published new research on a threat actor we've named "Curly COMrades" for their reliance on curl.exe and COM hijacking for persistence. And because we don't want to glorify cybercriminals by giving them dramatic names :)

www.bitdefender.com/en-us/blog/b...
Curly COMrades: A New Threat Actor Targeting Geopolitical Hotbeds
This research from Bitdefender Labs details a cluster of malicious activity we've been tracking since mid-2024.
www.bitdefender.com
August 12, 2025 at 2:09 PM
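COM hijacking, the persistence mechanism named above, works because a per-user CLSID registration under HKCU\Software\Classes is resolved before the machine-wide one under HKLM\Software\Classes for medium-integrity processes, so a user-writable key can redirect a trusted component to an attacker's DLL or EXE. The following PowerShell is an added example of the corresponding check; it is not code from the Bitdefender report and does not reproduce the actor's specific CLSIDs. The list of trusted directories is an assumption to tune per environment.

```powershell
# Added detection example (not from the Bitdefender research): enumerate
# per-user COM server registrations that shadow a machine-wide CLSID and
# flag servers that live outside the usual trusted locations.

function Get-ComHijackCandidates {
    [CmdletBinding()]
    param(
        # Assumed allow-list of directories a legitimate COM server normally lives in.
        [string[]]$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    )

    $userClsidRoot = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
    if (-not (Test-Path $userClsidRoot)) { return @() }

    foreach ($clsidKey in Get-ChildItem $userClsidRoot -ErrorAction SilentlyContinue) {
        $clsid = $clsidKey.PSChildName
        foreach ($serverType in 'InprocServer32', 'LocalServer32') {
            $userKey = Join-Path $clsidKey.PSPath $serverType
            if (-not (Test-Path $userKey)) { continue }

            $userServer = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($userServer)) { continue }

            # If HKLM already defines this CLSID/server, the HKCU entry wins for
            # medium-integrity processes: the classic hijack shape.
            $machineKey = "Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID\$clsid\$serverType"
            $machineServer = if (Test-Path $machineKey) {
                (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)'
            }

            # Reduce the value to a file path: honour quoting, drop switches such
            # as " /Automation" on unquoted LocalServer32 entries.
            $raw = [Environment]::ExpandEnvironmentVariables($userServer.Trim())
            $serverPath = if ($raw.StartsWith('"')) { $raw.Split('"')[1] } else { $raw -replace '\s+[/-].*$', '' }

            # A bare file name (no directory) resolves via the DLL search order and
            # is treated as untrusted here, which is the conservative choice.
            $inTrustedRoot = $TrustedRoots | Where-Object {
                $serverPath.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
            }

            [pscustomobject]@{
                CLSID         = $clsid
                ServerType    = $serverType
                UserServer    = $userServer
                MachineServer = $machineServer
                ShadowsHKLM   = [bool]$machineServer
                UntrustedPath = -not $inTrustedRoot
                FileExists    = Test-Path -LiteralPath $serverPath
            }
        }
    }
}

# Usage: triage entries that shadow an HKLM registration or point outside the
# trusted roots first; a shadowing entry whose file is missing still matters,
# since the payload may be dropped only when the actor needs it.
Get-ComHijackCandidates |
    Where-Object { $_.ShadowsHKLM -or $_.UntrustedPath } |
    Sort-Object ShadowsHKLM, UntrustedPath -Descending |
    Format-Table CLSID, ServerType, UserServer, ShadowsHKLM, UntrustedPath, FileExists -AutoSize
```

Run this in the context of each interactive user account you care about (HKCU is per user), and pair it with a baseline: a handful of legitimate per-user registrations from installers are normal, so the interesting output is the delta against a known-good host rather than the raw list.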
Bitdefender Labs has investigated a new ransomware family, QWCrypt, deployed by the RedCurl group (Earth Kapre/Red Wolf) for the first time. Notably, they're targeting hypervisors, not endpoints.

Also, not so sure if the "corporate espionage" label is accurate for this group.
RedCurl's Ransomware Debut: A Technical Deep Dive
This research, conducted by Bitdefender Labs, presents the first documented analysis of a ransomware campaign attributed to the RedCurl group (also known as Earth Kapre or Red Wolf).
www.bitdefender.com
March 26, 2025 at 2:03 PM
We're seeing a massive spike in CVE-2024-4577 attacks, with new campaigns launched in February/March. Bitdefender Labs analyzed over 10K detections.

Also, an interesting battle of control, with some cryptojacking threat actors attempting to add firewall rules to block others.
Technical Advisory: Mass Exploitation of CVE-2024-4577
Bitdefender is tracking new campaigns as threat actors exploit a vulnerability we first highlighted in June 2024.
sprou.tt
March 17, 2025 at 8:25 PM
Bitdefender Labs warns of an active cyber-espionage campaign targeting organizations in Central Asia and European countries by UAC-0063. Primary targets are government organizations (including embassies).

www.bitdefender.com/en-us/blog/b...
UAC-0063: Cyber Espionage Operation Expanding from Central Asia
Bitdefender Labs warns of an active cyber-espionage campaign targeting organizations in Central Asia and European countries.
www.bitdefender.com
January 28, 2025 at 2:25 PM
I started reading various prediction pieces this year, and oh boy, it's an orgy of AI-infused buzzwords. Here are my predictions, wondering if there could be some significant changes to the RaaS ecosystem this year (hacktivists/lone wolves/APTs)

www.bitdefender.com/en-us/blog/b...
Cybersecurity Predictions 2025: Hype vs. Reality
Cybersecurity predictions are abundant this time each year, many filled with sensationalism and exaggerated threats.
www.bitdefender.com
January 15, 2025 at 12:15 PM
MITRE ATT&CK Evaluations - Round 6 full results for 3 core metrics (volume + FPs were added for the first time).
December 11, 2024 at 4:16 PM