Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Italian Organizations Targeted by WikiLoader

August 1, 2023
Reading Time: 2 mins read
in Alerts
Italian Organizations Targeted by WikiLoader

A sophisticated malware campaign has been detected by researchers, focusing on Italian organizations such as the tax agency, with the use of a downloader called WikiLoader.

Researchers from Proofpoint revealed that this downloader employs various evasion mechanisms to avoid detection and is likely developed by a financially motivated threat actor known as TA544, with intentions to rent it to other cybercriminals. The ultimate goal of WikiLoader is to deliver the infamous Ursnif banking Trojan, a threat that TA544 particularly favors.

The name “WikiLoader” derives from the malware’s behavior, as it makes a request to Wikipedia and checks for the presence of the string “The Free” in the response content. Since December 2022, at least eight campaigns distributing WikiLoader have been observed. These campaigns often initiate with emails containing malicious attachments, such as Microsoft Excel or OneNote files, and regular PDFs. The malware has been distributed by two primary threat actors, TA544 and TA551, both of which target Italian entities.

While some hackers have shifted away from using malicious Microsoft Office macros, TA544 continues to employ them in its attack chains. The Microsoft Excel attachments used by TA544 contained characteristic Visual Basic for Applications (VBA) macros, which, if enabled, would download and execute WikiLoader. The constant modifications to WikiLoader suggest that its authors are actively attempting to remain undetected and evade scrutiny.

Proofpoint’s senior threat intelligence analyst, Selena Larson, speculates that more criminal threat actors, including initial access brokers, might exploit this malware for activities leading to ransomware attacks.

The Ursnif banking Trojan, also known as DreamBot and Gozi ISFB, has been a significant concern since its source code leaked online in 2015. This leak has allowed attackers to create customized and harder-to-detect versions of the Trojan.

Ursnif’s primary focus is on stealing passwords and credentials from victims, specifically targeting the banking and financial sectors. A recent February campaign by TA544 involved an updated version of WikiLoader, spoofing an Italian courier service, which featured additional stalling mechanisms to evade automated analysis and the use of encoded strings. The emergence of such sophisticated campaigns highlights the ongoing challenges in cybersecurity and the importance of staying vigilant against evolving threats.

Reference:
  • Out of the Sandbox: WikiLoader Digs Sophisticated Evasion
Tags: August 2023Cyber AlertCyber Alerts 2023CyberattackCybersecurityHackersItalyMalwareTA544WikiLoader
ADVERTISEMENT

Related Posts

Water Curse Group Hits Developers Via GitHub

Water Curse Group Hits Developers Via GitHub

June 17, 2025
Water Curse Group Hits Developers Via GitHub

XDSpy Exploits Windows LNK Zero Day

June 17, 2025
Water Curse Group Hits Developers Via GitHub

CISA Warns Of Apple Zero Click Exploit

June 17, 2025
PyPI Malware Steals AWS, CI/CD, macOS Data

PyPI Malware Steals AWS, CI/CD, macOS Data

June 16, 2025
PyPI Malware Steals AWS, CI/CD, macOS Data

Image Hiding in DNS TXT Records

June 16, 2025
PyPI Malware Steals AWS, CI/CD, macOS Data

IBM Backup Service Flaw Allows Elevated Access

June 16, 2025

Latest Alerts

Water Curse Group Hits Developers Via GitHub

XDSpy Exploits Windows LNK Zero Day

CISA Warns Of Apple Zero Click Exploit

PyPI Malware Steals AWS, CI/CD, macOS Data

IBM Backup Service Flaw Allows Elevated Access

Image Hiding in DNS TXT Records

Subscribe to our newsletter

    Latest Incidents

    Zoomcar Data Breach Hits 8.4 Million Users

    Qilin Gang Leaks Asefa FC Barcelona Data

    Gunra Claims 45TB Hack On Colombia Justice

    Hackers Leak 10K VirtualMacOSX Customer Data

    Canada WestJet Airline Contains Cyberattack

    Washington Post Investigates Cyberattack on Emails

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial