The report details a ransomware campaign that tampers with legitimate, signed security software binaries from vendors including Sophos, AVG, BitDefender, Emsisoft and Microsoft: the attackers overwrite the file's entry-point code and embed their payload in the file as a resource, so the modified binary still carries a trusted vendor's name and metadata and may slip past detection. Payloads observed at the end of the chain include Cobalt Strike, Brute Ratel, Qakbot and Latrodectus. The campaign also abuses expired digital signatures and relies on malicious downloaders and fake installers, which suggests that several threat groups are involved. One practical check follows from the technique itself: overwriting code or appending resources changes the bytes covered by the Authenticode hash, so the original signature no longer verifies, and a vendor-named binary whose signature is broken or expired should be treated as suspect rather than trusted on its name.
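The tampering described above (entry-point code overwritten, payload added as a resource) can be caught by diffing a suspect file against a pristine copy of the same vendor binary. The following is an added example, not code from the report or from any of the named vendors: it builds two constructed in-memory PE32+ images as stand-ins for a clean file and its patched counterpart, then checks the entry point's section, the first bytes at the entry point, and the size of the .rsrc section. The PE builder, the sample entry stubs and the resource blob are all assumptions made up for the demo.

```python
"""Flag a vendor-named PE whose entry-point bytes were overwritten or whose
.rsrc section grew, by diffing it against a pristine copy of the same binary.
Added example; the PE images below are constructed stand-ins, not real files."""
import hashlib
import struct

SECTION_ALIGN = 0x1000
FILE_ALIGN = 0x200


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def _pad(b: bytes, a: int) -> bytes:
    return b + b"\0" * (_align(len(b), a) - len(b))


def build_pe(entry_code: bytes, resource: bytes) -> bytes:
    """Minimal PE32+ image: .text holds entry_code at the entry point, .rsrc
    holds resource. Constructed for the demo only; no real vendor binary."""
    text, rsrc = _pad(entry_code, FILE_ALIGN), _pad(resource, FILE_ALIGN)
    text_va = SECTION_ALIGN
    rsrc_va = text_va + _align(len(text), SECTION_ALIGN)
    text_ptr = FILE_ALIGN                      # headers are padded to one file-alignment unit
    rsrc_ptr = text_ptr + len(text)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)        # e_lfanew: PE signature follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)  # AMD64, 2 sections, PE32+ opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)      # PE32+ magic
    struct.pack_into("<I", opt, 16, text_va)   # AddressOfEntryPoint = start of .text
    struct.pack_into("<Q", opt, 24, 0x140000000)
    struct.pack_into("<II", opt, 32, SECTION_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", opt, 56, rsrc_va + _align(len(rsrc), SECTION_ALIGN), FILE_ALIGN)
    struct.pack_into("<I", opt, 108, 16)       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 128, rsrc_va, len(resource))  # resource data directory

    def section(name, va, raw_ptr, raw_size, chars):
        return struct.pack("<8sIIIIIIHHI", name, raw_size, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    headers = dos + b"PE\0\0" + coff + opt
    headers += section(b".text", text_va, text_ptr, len(text), 0x60000020)  # code | exec | read
    headers += section(b".rsrc", rsrc_va, rsrc_ptr, len(rsrc), 0x40000040)  # init data | read
    assert len(headers) <= FILE_ALIGN
    return _pad(bytes(headers), FILE_ALIGN) + text + rsrc


def parse_pe(data: bytes) -> dict:
    """Read the entry-point RVA and the section table from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ")
    pe = struct.unpack_from("<I", data, 60)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"entry_rva": entry_rva, "sections": sections}


def section_for_rva(pe: dict, rva: int):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def entry_bytes(data: bytes, n: int = 32) -> bytes:
    """First n file bytes at the entry point (empty if the RVA maps nowhere)."""
    pe = parse_pe(data)
    s = section_for_rva(pe, pe["entry_rva"])
    if s is None:
        return b""
    off = s["raw_ptr"] + (pe["entry_rva"] - s["va"])
    return data[off:off + n]


def audit(suspect: bytes, baseline: bytes, n: int = 32) -> list:
    """Compare a suspect file with a pristine copy of the same vendor binary."""
    findings = []
    s, b = parse_pe(suspect), parse_pe(baseline)
    sec = section_for_rva(s, s["entry_rva"])
    if sec is None or sec["name"] != ".text":
        findings.append(f"entry point 0x{s['entry_rva']:x} is not in .text")
    if s["entry_rva"] != b["entry_rva"]:
        findings.append("entry-point RVA differs from baseline")
    digest = lambda x: hashlib.sha256(x).hexdigest()
    if digest(entry_bytes(suspect, n)) != digest(entry_bytes(baseline, n)):
        findings.append(f"first {n} bytes at entry point differ from baseline")
    rs = next((x for x in s["sections"] if x["name"] == ".rsrc"), None)
    rb = next((x for x in b["sections"] if x["name"] == ".rsrc"), None)
    if rs and rb and rs["raw_size"] > rb["raw_size"]:
        findings.append(f".rsrc grew from {rb['raw_size']} to {rs['raw_size']} bytes")
    return findings


# Constructed stand-ins: a pristine x64 entry stub, and the same file after the
# entry point is overwritten and an opaque blob is appended to the resources.
CLEAN_ENTRY = bytes.fromhex("4883ec28e8000000004883c428c3")     # sub rsp,28h; call; add rsp,28h; ret
PATCHED_ENTRY = bytes.fromhex("488d0d00100000e900000000")       # lea rcx,[rip+1000h]; jmp (stand-in)
CLEAN_RSRC = b"VS_VERSION_INFO".ljust(64, b"\0")
PATCHED_RSRC = CLEAN_RSRC + bytes((i * 73 + 11) & 0xFF for i in range(1024))  # stand-in payload blob
CLEAN_FILE = build_pe(CLEAN_ENTRY, CLEAN_RSRC)
PATCHED_FILE = build_pe(PATCHED_ENTRY, PATCHED_RSRC)

if __name__ == "__main__":
    for finding in audit(PATCHED_FILE, CLEAN_FILE):
        print(finding)
```

In practice the baseline is the same vendor file taken from a known-good installer or the vendor's own package, and the check is run alongside a signature verification rather than instead of it: the byte diff says what was changed, the signature says the file is no longer what the vendor shipped.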
