{"id":6499,"date":"2021-07-14T12:28:19","date_gmt":"2021-07-14T19:28:19","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6499"},"modified":"2024-04-26T13:20:32","modified_gmt":"2024-04-26T20:20:32","slug":"fake-kaseya-patch-malspam-campaign","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/fake-kaseya-patch-malspam-campaign\/","title":{"rendered":"Fake Kaseya Patch Malspam Campaign"},"content":{"rendered":"<h3><strong>Author: Nick Sundvall<\/strong><\/h3>\n<h3><strong>TLP: WHITE<\/strong><\/h3>\n<p>On 6 July, we observed a malspam campaign that was distributing an executable file containing Cobalt Strike: a legitimate, commercially available penetration-testing tool frequently abused by threat actors. Taking advantage of the recent ransomware attack on users of Kaseya\u2019s remote monitoring and management service VSA, the campaign attempts to get its targets to download and run a file that it claims is the update meant to patch a recently exploited vulnerability in VSA.<\/p>\n<p>We have previously reported on the ransomware attack on Kaseya\u2019s VSA.<sup>1<\/sup><sup>,<\/sup><sup>2<\/sup> While Malwarebytes has also reported on this malspam campaign, we have observed additional emails and malicious files.<sup>3<\/sup><\/p>\n<p>The company HelpSystems owns Cobalt Strike and sells it online. Cobalt Strike is a legitimate penetration-testing tool, but it is frequently abused by threat actors and used for malicious purposes. 
Cobalt Strike can log keystrokes, launch exploits for privilege escalation, connect to command and control servers (C&amp;Cs), and more.<\/p>\n<p>In this campaign, the threat actor uses a topical lure that takes advantage of the recent ransomware attack on Kaseya\u2019s VSA.<sup>4<\/sup><\/p>\n<ul>\n<li>On 4 July, Kaseya stated they would email customers after releasing the patch.<\/li>\n<li>On 6 July, the threat actor began sending malspam.<\/li>\n<li>On 8 July, Kaseya responded by warning users about emails that contain malware and by releasing the following statement: \u201cKaseya email updates will not contain any links or attachments.\u201d<sup>5<\/sup><\/li>\n<\/ul>\n<p>The subjects of the emails distributed by the campaign are rather generic, such as \u201cPackage Delivery Status #\u201d or \u201cOur Shipping Renewal 2021 INS,\u201d each followed by five to ten seemingly random digits, such as \u201c2887437.\u201d However, the bodies of the emails contain a spoofed conversation, where the most recent message says: \u201cplease install the update from microsoft to protect against ransomware as soon as possible. This is fixing a vulnerability in Kaseya.\u201d<\/p>\n<p>The threat actor attempts to deliver the malicious payload in two ways. 
Each delivers the same payload.<\/p>\n<ol>\n<li>They attach the malicious executable <em>SecurityUpdates.exe<\/em> to the email, in hopes that the target will run the file.<\/li>\n<li>The body of the email includes a hyperlink that appears to go to a legitimate Kaseya site.<\/li>\n<\/ol>\n<p>A vigilant reader might notice that when the cursor hovers over the hyperlink, the tooltip shows one of two unrelated, malicious URLs, which represent the two files we observed in the campaign.<\/p>\n<p>Infoblox\u2019s full report on this campaign will be available soon on our <a href=\"https:\/\/insights.infoblox.com\/threat-intelligence-reports\">Threat Intelligence Reports<\/a> page.<\/p>\n<h3><strong>Endnotes<\/strong><\/h3>\n<ol>\n<li><a href=\"https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/kaseya-revil-ransomware-attack\/\">https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/kaseya-revil-ransomware-attack\/<\/a><\/li>\n<li><a href=\"https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/cyber-threat-advisory-kaseya-ransomware-attack-update-patch-available\/\">https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/cyber-threat-advisory-kaseya-ransomware-attack-update-patch-available\/<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/social-engineering\/2021\/07\/malspam-banks-on-kaseya-ransomware-attack\/\">https:\/\/blog.malwarebytes.com\/social-engineering\/2021\/07\/malspam-banks-on-kaseya-ransomware-attack\/<\/a><\/li>\n<li><a href=\"https:\/\/news.sophos.com\/en-us\/2021\/07\/04\/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses\/\">https:\/\/news.sophos.com\/en-us\/2021\/07\/04\/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses\/<\/a><\/li>\n<li><a 
href=\"https:\/\/helpdesk.kaseya.com\/hc\/en-gb\/articles\/4403440684689-Important-Notice-July-3rd-2021\">https:\/\/helpdesk.kaseya.com\/hc\/en-gb\/articles\/4403440684689-Important-Notice-July-3rd-2021<\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Author: Nick Sundvall TLP: WHITE On 6 July, we observed a malspam campaign that was distributing an executable file containing Cobalt Strike: a legitimate, commercially available penetration-testing tool frequently abused by threat actors. Taking advantage of the recent ransomware attack on users of Kaseya\u2019s remote monitoring and management service VSA, the campaign attempts to get [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":4338,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[254],"tags":[461,525,294],"class_list":{"0":"post-6499","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threat-intelligence","8":"tag-cobalt-strike","9":"tag-kaseya","10":"tag-malspam","11":"entry"},"acf":[],"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6499","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=6499"}],"version-history":[{"count":2,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6499\/revisions"}],"predecessor-version":[{"id":6501,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6499\/revisions\/6501"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/4338"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=6499"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=6499"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=6499"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}